These examples cover various TLS and CSRF related settings.
The Controller-UI runs in plaintext mode by default, but it assumes that it is running behind a TLS-terminating reverse proxy or a dedicated TLS terminator such as Hitch.
As a result, HTTPS-specific CSRF checks are active unless they are turned off with the -no-tls parameter.
If you use a plaintext connection without the -no-tls parameter, any login attempt will fail with a Forbidden - origin invalid error message.
The start command of the Controller-UI should look like this:
varnish-controller-ui -api-hosts=http://api-gw:8002 -no-tls

Forbidden - origin invalid message when using HTTPS

If you run the Controller-UI behind Varnish or any other reverse proxy and get the Forbidden - origin invalid error message when trying to log in, make sure that the reverse proxy does not modify the Host header.

Host header in Varnish

In Varnish (both Varnish Enterprise and the open source Varnish Cache), do not modify the req.http.host variable in your VCL.

Host header in nginx

If you run the Controller-UI behind nginx and get the Forbidden - origin invalid error message, add the following configuration directive after your proxy_pass ... entry:
proxy_set_header Host $http_host;
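
The following added example is a simplified model of an Origin-versus-Host CSRF check, written for illustration and not taken from the Controller-UI source. It shows why a rewritten Host header or a plaintext connection without -no-tls ends in Forbidden - origin invalid. The function name checkOrigin, the host ui.example.com and the upstream address 127.0.0.1:8080 are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

var errBadOrigin = errors.New("origin invalid")

// checkOrigin models an HTTPS-specific origin check (assumed logic, not the
// Controller-UI implementation). hostHeader is the Host value the backend
// receives from the proxy, origin is the browser's Origin header, and noTLS
// mirrors the -no-tls parameter.
func checkOrigin(hostHeader, origin string, noTLS bool) error {
	if noTLS {
		return nil // HTTPS-specific check is turned off
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return errBadOrigin
	}
	// The browser's origin must be HTTPS and name the same host the backend sees.
	if u.Scheme != "https" || u.Host != hostHeader {
		return errBadOrigin
	}
	return nil
}

func main() {
	// Constructed sample requests; host names and ports are placeholders.
	cases := []struct {
		name, host, origin string
		noTLS              bool
	}{
		{"HTTPS, proxy keeps Host", "ui.example.com", "https://ui.example.com", false},
		{"HTTPS, proxy rewrites Host", "127.0.0.1:8080", "https://ui.example.com", false},
		{"plaintext without -no-tls", "ui.example.com", "http://ui.example.com", false},
		{"plaintext with -no-tls", "ui.example.com", "http://ui.example.com", true},
	}
	for _, c := range cases {
		if err := checkOrigin(c.host, c.origin, c.noTLS); err != nil {
			fmt.Printf("%-28s -> Forbidden - %v\n", c.name, err)
		} else {
			fmt.Printf("%-28s -> login allowed\n", c.name)
		}
	}
}
```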