I am trying to log in to the admin panel of a Django application via another server (say `123.123.123.123`). I have an SSH tunnel open like `ssh -L 3000:my.website.com:443 user@123.123.123.123`. I can then go to `https://localhost:3000/admin/login/` and see the login page for the Django admin of the server running on `my.website.com`. Whatever credentials I put in results in an HTTP 403 'CSRF verification failed. Request aborted.' error page. I do not get this error when going directly to `my.website.com/admin/login/`. What settings might help to allow login via an SSH tunnel? I have already tried adding `'localhost'` to `ALLOWED_HOSTS`. The CSRF cookies are secure (only available via HTTPS, which I'm always using) and have the HttpOnly flag set.

Django will see that you're trying to access the `my.website.com` domain and it will send you back a cookie for that domain. But your browser is actually accessing the `localhost` domain, so cookies for `my.website.com` won't be valid for it and the browser won't send them back to the Django server.

One way to fix it is to point `my.website.com` to 127.0.0.1 using `/etc/hosts`, change your tunnel port to 443 and connect to `my.website.com` instead.

Another approach is to set up a server in between you and your Django server that will rewrite cookies and other paths from one domain to another.
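
The cookie scoping described in the answer, as an added example that is not part of the original answer: Python's standard `http.cookiejar` stands in for the browser's cookie store. It assumes the server's `Set-Cookie` header carries `Domain=my.website.com`; the token value and the helper names are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample header: a CSRF cookie scoped to my.website.com (assumption).
SET_COOKIE = "csrftoken=constructed-token; Domain=my.website.com; Path=/; Secure; HttpOnly"


class FakeResponse:
    """Minimal response object; CookieJar only needs .info() for the headers."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_back(browser_url, set_cookie=SET_COOKIE):
    """Return the Cookie header a client at browser_url would send on its
    next request after receiving set_cookie, or None if it sends nothing."""
    jar = http.cookiejar.CookieJar()

    # First request: the login page response sets the CSRF cookie.
    first = urllib.request.Request(browser_url)
    jar.extract_cookies(FakeResponse(set_cookie), first)

    # Second request: the login form POST goes to the same URL.
    follow_up = urllib.request.Request(browser_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    cases = {
        "through the tunnel as localhost": "https://localhost:3000/admin/login/",
        "hosts entry + tunnel on 443": "https://my.website.com/admin/login/",
    }
    for label, url in cases.items():
        print(f"{label:32} {url:40} Cookie: {cookie_sent_back(url)}")
```

In the first case the jar rejects the cookie because `localhost` does not match the cookie's domain, so the follow-up request carries no CSRF cookie; in the second the client addresses `my.website.com` and the cookie is returned.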