diff --git a/apps/authentication/backends/drf.py b/apps/authentication/backends/drf.py
index f669a2cf5..985e521c9 100644
--- a/apps/authentication/backends/drf.py
+++ b/apps/authentication/backends/drf.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 #
+import os
 from django.contrib.auth import get_user_model
 from django.core.cache import cache
@@ -111,10 +112,12 @@ class SessionAuthentication(authentication.SessionAuthentication):
 if not user or not user.is_active or not user.is_valid:
 return None
- try:
- self.enforce_csrf(request)
- except exceptions.AuthenticationFailed:
- return None
+ ignore_csrf_check = os.environ.get("DOMAINS", "") == "*"
+ if not ignore_csrf_check:
+ try:
+ self.enforce_csrf(request)
+ except exceptions.AuthenticationFailed:
+ return None
 # CSRF passed with authenticated user
 return user, None
diff --git a/apps/jumpserver/middleware.py b/apps/jumpserver/middleware.py
index 9c6113b3a..4db0c7666 100644
--- a/apps/jumpserver/middleware.py
+++ b/apps/jumpserver/middleware.py
@@ -198,5 +198,6 @@ class SafeRedirectMiddleware:
 class CsrfCheckMiddleware(CsrfViewMiddleware):
 def _origin_verified(self, request):
 if IGNORE_CSRF_CHECK:
+ request._dont_enforce_csrf_checks = True
 return True
 return super()._origin_verified(request)
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 75ad6121e..e9503713a 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -118,6 +118,7 @@ BOOTSTRAP3 = {
 REDIS_LAYERS_HOST = {
 'db': CONFIG.REDIS_DB_WS,
 }
+USE_X_FORWARDED_HOST = True
 REDIS_LAYERS_SSL_PARAMS = {}
 if REDIS_USE_SSL:
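Review bot: The context line `# CSRF passed with authenticated user` is no longer true on the new path: when `ignore_csrf_check` is set, `enforce_csrf` is never called, so the comment should read `# CSRF passed, or deliberately skipped because DOMAINS="*", with authenticated user`. The policy is also read from a different source than the middleware's `IGNORE_CSRF_CHECK` in middleware.py — a raw `os.environ.get("DOMAINS")` evaluated on every call — so the two can disagree if the value is supplied through a config file rather than the environment; presumably both should derive from the same setting, and hoisting the comparison out of the method (or reusing whatever `IGNORE_CSRF_CHECK` is built from) would make that explicit. Because this branch drops the anti-CSRF check for session-cookie API requests whenever the wildcard is configured, the assignment deserves a why-comment such as `# DOMAINS="*" trusts any origin, so the CSRF check is intentionally skipped; keep in sync with CsrfCheckMiddleware`. The enclosing method (presumably `authenticate`) starts outside the hunk.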
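Review bot: Setting `request._dont_enforce_csrf_checks` inside `_origin_verified` reaches only requests that carry an Origin header, because, as far as I can tell from Django's CsrfViewMiddleware.process_view, that hook is invoked only in the Origin branch and the flag is read before the hook runs; a request without Origin is never flagged, so a later consumer of the flag such as DRF's enforce_csrf in drf.py still runs the full check for it. If the intent is "no CSRF enforcement anywhere when IGNORE_CSRF_CHECK is set", the flag belongs at the top of a `process_view` override rather than here; if the narrower behaviour is intended, record it with `# Only requests carrying an Origin header reach this hook; others are still token-checked downstream`. The attribute is a Django-private name, so a short note that DRF's CSRFCheck relies on it would help whoever does the next Django upgrade. The class and method are fully inside the hunk.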
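Review bot: `USE_X_FORWARDED_HOST = True` makes `request.get_host()` trust the `X-Forwarded-Host` header, which is only safe when every path to the application goes through a proxy that overwrites that header; a client that can reach the backend directly can otherwise choose the host used in absolute URLs and redirects, and `ALLOWED_HOSTS` becomes the remaining guard, which the wildcard-domain deployment this commit handles (`DOMAINS="*"` in drf.py) presumably relaxes. A comment stating that precondition would help: `# Trust X-Forwarded-Host from the fronting proxy; the backend must not be reachable without it`. Style: the line is dropped between `REDIS_LAYERS_HOST` and `REDIS_LAYERS_SSL_PARAMS`, which are unrelated; it belongs with the other host/proxy settings (next to `ALLOWED_HOSTS` or `SECURE_PROXY_SSL_HEADER`, if this settings module sets them).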