gorilla/csrf

csrf.go: ErrBadReferer due to empty r.URL.Host

slysandwich opened this issue · 1 comment

Context
Currently installing GoPhish, which is using Gorilla CSRF, on an AWS EC2 instance behind an Application Load Balancer.

Describe the bug
When trying to log on to GoPhish, the ErrBadReferer error is triggered. It appears to come from the ServeHTTP function from csrf.go. Further debugging showed that parameter "valid" at line 261 is false because r.URL.Host is empty. However, r.Host has the correct value.

Versions
go version go1.15.3 linux/amd64
csrf@v1.6.2

Expected behavior
Checking both r.URL.Host and r.Host if there is a non-empty value to use.

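The behaviour reported above can be reproduced offline. This is an added example, not code from gorilla/csrf or GoPhish: it parses a constructed request the way Go's HTTP server does, shows that `r.URL.Host` is empty while `r.Host` carries the Host header, and applies the fallback the issue asks for. The function names `parseServerRequest`, `requestHost` and `refererMatchesHost` and the host `phish.example.test` are assumptions made for the illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed sample: a login POST as a backend receives it from a load balancer.
const sampleRequest = "POST /login HTTP/1.1\r\n" +
	"Host: phish.example.test\r\n" +
	"Referer: https://phish.example.test/login\r\n" +
	"Content-Length: 0\r\n\r\n"

// parseServerRequest parses raw request bytes as a server-side request.
func parseServerRequest(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// requestHost (hypothetical helper) prefers r.URL.Host and falls back to r.Host,
// the only place the host appears when the request line is just a path.
func requestHost(r *http.Request) string {
	if r.URL != nil && r.URL.Host != "" {
		return r.URL.Host
	}
	return r.Host
}

// refererMatchesHost (hypothetical helper) accepts only an https Referer whose
// host equals the request host; a missing or unparsable Referer is rejected.
func refererMatchesHost(r *http.Request) bool {
	ref, err := url.Parse(r.Referer())
	if err != nil || ref.Host == "" {
		return false
	}
	return ref.Scheme == "https" && strings.EqualFold(ref.Host, requestHost(r))
}

func main() {
	r, err := parseServerRequest(sampleRequest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("r.URL.Host=%q r.Host=%q\n", r.URL.Host, r.Host)
	fmt.Println("referer accepted with r.Host fallback:", refererMatchesHost(r))
}
```
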

stale commented

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.