MAAS 3.6.0 logout from web interface not working

After upgrading to MAAS 3.6.0 the other day I noticed that the “Log out” button in the web interface did not log me out anymore. Nothing seemed to happen when clicking on the button. Digging a bit deeper in the web browser debug console I found an error message: CSRF verification failed, and as a result an HTTP 403 error.

In our setup we have Apache running as a reverse proxy in order to access MAAS over SSL, using certbot for automatic certificate renewal. After finding this comment and doing some more debugging with ngrep I managed to confirm what is happening. The MAAS snap uses Nginx to handle connections, and that sets the header X-Forwarded-Proto to http, because SSL already terminates in Apache. Because of that MAAS expects the Origin header to be http://FQDN and not https://FQDN (as Apache sets it).

Long story short, I added this line to my Apache configuration:

RequestHeader edit Origin ^https:// http://

and now I can log out from the web interface again. Unsetting the header works as well. Hope this saves some time for others who run into the same problem.

Or maybe someone has a better suggestion how to fix the issue? Well I suppose the best would be to enable TLS in MAAS, but I didn’t feel like opening a new can of worms right now.
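The following is an added example, not code from the post or from MAAS: a small Python model of the mismatch described above and of the two Apache workarounds (`RequestHeader edit` and `RequestHeader unset`). It does not reproduce MAAS's or Django's real CSRF code; it only models the part the post describes, namely that the backend derives the origin it expects from X-Forwarded-Proto plus Host and compares it to the browser's Origin header. The request headers and the hostname maas.example.com are constructed sample data.

```python
import re

# Constructed sample headers (not a real capture) as they reach MAAS after
# Apache (TLS termination) has proxied to the snap's Nginx, which sets
# X-Forwarded-Proto to "http" because the Apache -> Nginx hop is plain HTTP.
# The hostname is an assumed FQDN.
SAMPLE_REQUEST = {
    "Host": "maas.example.com",
    "X-Forwarded-Proto": "http",
    "Origin": "https://maas.example.com",  # what the browser sends over TLS
}

# A cross-site request, constructed to check that the workaround does not
# simply switch the origin comparison off.
CROSS_SITE_REQUEST = dict(SAMPLE_REQUEST, Origin="https://attacker.example")


def expected_origin(headers):
    """Origin the backend expects: scheme from X-Forwarded-Proto, host from Host.
    Only the first value of a comma-separated X-Forwarded-Proto is used."""
    scheme = headers.get("X-Forwarded-Proto", "http").split(",")[0].strip().lower()
    return f"{scheme}://{headers['Host']}"


def csrf_origin_ok(headers):
    """Simplified model of an Origin-based CSRF check (assumption: not the real
    MAAS/Django logic). Passes when Origin equals the expected origin, or when
    no Origin header is present at all."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    return origin.lower() == expected_origin(headers).lower()


def apply_requestheader_edit(headers, name, pattern, replacement):
    """Model of Apache `RequestHeader edit <name> <regex> <replacement>`:
    the first regex match in the header value is replaced (Apache's `edit*`
    would replace all matches; not modelled here)."""
    new = dict(headers)
    if name in new:
        new[name] = re.sub(pattern, replacement, new[name], count=1)
    return new


def apply_requestheader_unset(headers, name):
    """Model of Apache `RequestHeader unset <name>`: the header is dropped."""
    new = dict(headers)
    new.pop(name, None)
    return new


def apply_post_workaround(headers):
    """The exact line from the post: RequestHeader edit Origin ^https:// http://"""
    return apply_requestheader_edit(headers, "Origin", r"^https://", "http://")


if __name__ == "__main__":
    print("expected origin:", expected_origin(SAMPLE_REQUEST))
    print("unmodified request passes:", csrf_origin_ok(SAMPLE_REQUEST))
    print("after edit passes:", csrf_origin_ok(apply_post_workaround(SAMPLE_REQUEST)))
    print("after unset passes:", csrf_origin_ok(apply_requestheader_unset(SAMPLE_REQUEST, "Origin")))
    print("cross-site after edit passes:", csrf_origin_ok(apply_post_workaround(CROSS_SITE_REQUEST)))
```

In this model the unmodified request fails because the backend expects http://maas.example.com but receives https://maas.example.com, and the `edit` rule makes it pass by rewriting only the scheme. Note the difference between the two workarounds from the post: the `edit` rule keeps the host comparison, so a cross-site Origin such as https://attacker.example is rewritten to http://attacker.example and still fails the check, whereas `unset` removes the Origin signal from the request altogether and the check is skipped for every request. If you use the workaround, prefer the `edit` form.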

Could you open a bug please?

Oh sure, if you consider this a bug. I just wasn’t sure since it only happens with this reverse proxy setup.