CSRF token not sent by javascript when adding users to groups

      For some reason, adding a user to a group, or adding a group to a user, will not work.

      When the /admin/groups/view?name=developers page first loads, there is a post to the following resource which fails:

      "NetworkError: 403 Forbidden - https://mydomain.com:8083/rest/webResources/1.0/resources"
      XSRF check failed

      Then when I submit the form to add a user to the group, it fails with the same status (403) and message: XSRF check failed

      The atl_token is not submitted with the AJAX requests, even though it is submitted on other pages. Post data only contains:

          {"group":"developers","users":["bob"]}

      Bitbucket v4.3.2
      Tested on Firefox and Chrome

      Requests are on:
      https://mydomain.com:8083 (port open on firewall)

      In the Apache httpd.conf, we accept the request using a Comodo SSL certificate (works fine). We then forward the request to Bitbucket listening on port 7990.

          ProxyPreserveHost On
          ProxyRequests Off
          ProxyPass / http://localhost:7990/
          ProxyPassReverse / http://localhost:7990/
      

      Most of the other Bitbucket admin pages work fine over https: sign in, saving server settings, etc. I confirmed that the browser is sending the HTTP referrer.

      I am not sure why the "add user to group" page does not send the CSRF token. Even when I craft an AJAX POST with the token in the query string and/or the post data, it still gives a CSRF failure.

              Assignee: Unassigned
              Reporter: fforte
              Votes: 0
              Watchers: 2
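
One thing worth checking with the proxy setup in this report, as an added example that is not part of the original report and is not Bitbucket's code: a model of an XSRF check that compares the browser's Origin/Referer with the origin the backend reconstructs for itself. That this is the cause is an assumption the page does not confirm; `backend_origin`, `proxy_name`, `proxy_port` and the other names are hypothetical, and the request headers are constructed from the URLs in the report.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Reduce a URL or Origin header to a comparable (scheme, host, port)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port

def backend_origin(host_header, scheme="http", proxy_name=None, proxy_port=None):
    # Assumed model: the scheme comes from the backend connector (plain HTTP
    # behind the TLS-terminating proxy); host and port come from the Host
    # header unless the hypothetical proxy_name/proxy_port overrides are set.
    parts = urlsplit(f"{scheme}://{host_header}")
    host = proxy_name or parts.hostname or ""
    port = proxy_port or parts.port or DEFAULT_PORTS[scheme]
    return scheme, host.lower(), port

def xsrf_check(headers, expected):
    """Pass only if Origin (or, failing that, Referer) matches `expected`."""
    source = headers.get("Origin") or headers.get("Referer")
    return bool(source) and origin_of(source) == expected

# Constructed request: what the browser sends for the POST in the report.
# ProxyPreserveHost On forwards the Host header unchanged to localhost:7990.
REQUEST = {
    "Host": "mydomain.com:8083",
    "Origin": "https://mydomain.com:8083",
    "Referer": "https://mydomain.com:8083/admin/groups/view?name=developers",
}

def demo():
    """Return (check with plain-HTTP backend view, check with proxy-aware view)."""
    as_reported = backend_origin(REQUEST["Host"])  # backend only saw http://
    proxy_aware = backend_origin(REQUEST["Host"], scheme="https",
                                 proxy_name="mydomain.com", proxy_port=8083)
    return xsrf_check(REQUEST, as_reported), xsrf_check(REQUEST, proxy_aware)

if __name__ == "__main__":
    print(demo())
```

In this model nothing reads a token, so a check of this kind fails on the scheme mismatch alone and adding `atl_token` to the query string or body cannot change the outcome.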