Describe the bug
When DASHBOARD_DOMAIN is set to an IP address (e.g. 192.168.1.22) or a local hostname without a real TLD (e.g. dharmikhomelab), the dashboard appears to load but login is completely broken. Every form submission returns a CSRF verification failure with no useful indication of why.
This affects anyone running docker-openwisp on a homelab, internal server, or any setup without a public domain name.
In settings.py inside the dashboard image, the following code runs at startup:
ROOT_DOMAIN = "." + tldextract.extract(os.environ["DASHBOARD_DOMAIN"]).registered_domain
CSRF_COOKIE_DOMAIN = ROOT_DOMAIN
SESSION_COOKIE_DOMAIN = ROOT_DOMAIN
tldextract is designed to parse real public TLDs. When given a raw IP or a local hostname, registered_domain returns an empty string, so ROOT_DOMAIN becomes ".".
There are no errors in any logs pointing to this. The dashboard loads, the login page renders, but every login attempt fails with CSRF verification failed. Request aborted.
Steps To Reproduce
- Set
DASHBOARD_DOMAIN=192.168.1.22 (or any raw IP / local hostname)
in .env
- Run
make start
- Navigate to
https://192.168.1.22/admin/login/
- Try to log in and it gives CSRF error every time
You can confirm the issue by running inside the dashboard container:
docker exec docker-openwisp-dashboard-1 bash -c \
"DJANGO_SETTINGS_MODULE=openwisp.settings python3 -c \
'from django.conf import settings; print(settings.CSRF_COOKIE_DOMAIN)'"
It will print . instead of a real domain.
Expected behavior
When DASHBOARD_DOMAIN is a raw IP or local hostname, OpenWISP should either fall back gracefully so login still works, or raise a clear error at startup explaining the domain is invalid, not silently corrupt cookie
settings and make the whole dashboard unusable.
System Informatioon:
- docker-openwisp: latest / edge
- Deployed on: Ubuntu 24.04 homelab server running CasaOS
DASHBOARD_DOMAIN values tested: raw IP 192.168.1.22, local
hostname dharmikhomelab
Describe the bug
When
DASHBOARD_DOMAINis set to an IP address (e.g.192.168.1.22) or a local hostname without a real TLD (e.g.dharmikhomelab), the dashboard appears to load but login is completely broken. Every form submission returns a CSRF verification failure with no useful indication of why.This affects anyone running docker-openwisp on a homelab, internal server, or any setup without a public domain name.
In
settings.pyinside the dashboard image, the following code runs at startup:tldextractis designed to parse real public TLDs. When given a raw IP or a local hostname,registered_domainreturns an empty string, soROOT_DOMAINbecomes".".There are no errors in any logs pointing to this. The dashboard loads, the login page renders, but every login attempt fails with
CSRF verification failed. Request aborted.Steps To Reproduce
DASHBOARD_DOMAIN=192.168.1.22(or any raw IP / local hostname)in
.envmake starthttps://192.168.1.22/admin/login/You can confirm the issue by running inside the dashboard container:
It will print
.instead of a real domain.Expected behavior
When
DASHBOARD_DOMAINis a raw IP or local hostname, OpenWISP should either fall back gracefully so login still works, or raise a clear error at startup explaining the domain is invalid, not silently corrupt cookiesettings and make the whole dashboard unusable.
System Informatioon:
DASHBOARD_DOMAINvalues tested: raw IP192.168.1.22, localhostname
dharmikhomelab