400 Bad Request behind nginx reverse proxy

[mlabuhn]

I am running changedetection.io in my homelab Docker environment, and both it and many other services are running behind an nginx reverse proxy running on the same host.

I have followed the instructions in the wiki (cf. Running changedetection.io behind a reverse proxy ), but whenever I try to make any changes (e.g. adding a new watch, changing settings), I get a 400 Bad Request error, telling me that "The referrer header is missing".

Tweaking the various headers in the nginx config (e.g. setting proxy_set_header Host to "localhost", FQDN of the service, $host) changes the specific error in some cases (I get "referrer does not match host", instead), but no combination I have tried seems to actually work.

I have set USE_X_SETTINGS=1 and BASE_URL=<FQDN> in the docker compose file, and am running out of ideas of what else to try.

Hoping someone reading this might have some more suggestions. Full (redacted) nginx site config below:

upstream changes {
    server localhost:5000;
}

server {
    # server port and name
    server_name  changes.<mydomain>;

    access_log  /var/log/nginx/changes/access.log;
    error_log   /var/log/nginx/changes/error.log;

    location / {
        proxy_pass          http://changes;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header    Host                "localhost";
        proxy_set_header    X-Forwarded-Proto   $scheme;
    }

    ssl_stapling on;
    ssl_stapling_verify on;

    resolver <local DNS server>;

    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/changes.<mydomain>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/changes.<mydomain>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = changes.<mydomain>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name  changes.<mydomain>;
    listen       80;
    listen       [::]:80;
    return 404; # managed by Certbot
}

I had a suspicion that it may be a problem with IPv6, as attempting to connect directly to port 5000 on the server fails unless I force the hostname to only resolve to the IPv4 address. Also, everything works as expected when bypassing the nginx proxy, so I am fairly certain that is the culprit here.

[th0mcat]

Also seeing this issue, but no IPv6 in my stack.

docker-compose:

  changedetection:
    image: ghcr.io/dgtlmoon/changedetection.io:latest
    container_name: changedetection
    hostname: changedetection
    networks:
      dockerapps:
        ipv4_address: 172.18.0.15
    restart: always
    env_file:
     - /opt/changedetection/.docker.env
    volumes:
      - /opt/changedetection:/datastore
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

.docker.env

HTTP_PROXY=socks5h://<lol>@<ip:port>
USE_X_SETTINGS=1
BASE_URL=https://my.domain>/changedetection
HIDE_REFERER=true
NO_PROXY="localhost,192.168.0.0/24,172.18.0.0/24,10.27.7.0/24,browser-chrome"
WEBDRIVER_URL="http://browser-chrome:4444/wd/hub"

nginx

server {
    listen 80;
    server_name my.domain;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name my.domain;;
    ssl_certificate /etc/letsencrypt/live/my.domain;/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.domain;/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    client_max_body_size 1024M;

    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;
    location /changedetection/ {
        proxy_pass http://172.18.0.15:5000/;
        proxy_set_header X-Forwarded-Prefix /changedetection;
        proxy_pass_request_headers on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

[th0mcat]

@mlabuhn I figured it out, modify your config similarly. I changed my location stanza to:

    location /changedetection/ {
        proxy_pass http://172.18.0.15:5000/;
        proxy_set_header Host $http_host; <--- changed this from "localhost"
        proxy_set_header X-Forwarded-Prefix /changedetection/; <--- added a trailing forward-slash
        proxy_set_header X-Forwarded-Proto $scheme;
    }

and I changed HIDE_REFERER in my environment variables to "false"

[mlabuhn]

Thanks @th0mcat , that did the trick!

With hindsight, I can't believe I didn't think to change HIDE_REFERER to troubleshoot what was obviously a problem with the referer header.

[masterwishx]

i have same problem but after login to main page (after password entered) - > 400 Bad Request behind nginx reverse proxy
and this is after enabled HIDE_REFERER , if disabled then all Fine ....

is anyway to have HIDE_REFERER= true without problems ?

[masterwishx]

#1322 (comment)

[ptman]

For me this was fixed by setting the HTTP header Referrer-Policy to "same-origin"

[masterwishx]

Thanks will check it

[masterwishx]

For me this was fixed by setting the HTTP header Referrer-Policy to "same-origin"

Thanks, its Working,
but im using now "no-referrer, strict-origin-when-cross-origin" and forgot to enable in container to check if it working with it...
and interesting if this really work with monitored websites in my case