guacamole-user mailing list archives

From Zer0Cool <>
Subject Nginx Content_Security_Policy?
Date Fri, 03 May 2019 19:17:21 GMT
CentOS/RHEL 7.6
Nginx 1.16.0
OpenSSL 1.0.2k-fips
Guac 1.0.0

I have SSL working just fine with a Let's Encrypt cert. I am attempting to
add a CSP line to the nginx conf and it's causing the login page to look odd
and not actually logging in (I will explain further).

The line I am adding is:

add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'none';" always;

If I add the above, restart nginx and clear browser cache, the login page
loads but the title reads as "{{'APP.NAME' | translate}}" and within the
fields "{{getFieldHeader() | translate}}" and the login button reads

Clicking login after entering credentials seems to fail (red banner at top
of page) and shows what seems to then just be a white page with a blankish
button. tail -f /var/log/messages says authentication was a success.

If I comment out the CSP line, restart nginx and clear browser cache, it
works as expected. I have tried starting with just default-src only but same

Anyone have CSP in Nginx working with Guac 1.0.0 and/or know if it's plain
not able to work with it?

I have been trying to research the matter but have not found anything
specific to Guac + CSP. Any help would be greatly appreciated. Thanks

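An added example, not part of the original message and not Guacamole project code: a small Python audit of the policy quoted above, showing which source list each fetch directive ends up with once default-src fallback is applied, and whether eval-style script execution and inline styles are permitted. Which of these the Guacamole 1.0.0 client actually needs is not stated in the message; the browser console's CSP violation messages show that for a given deployment.

```python
# Added example: which sources each fetch directive ends up with under a CSP.
# Fallback chains follow CSP Level 3; frame-ancestors never inherits default-src.
FALLBACK = {
    "script-src-elem": ["script-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
}
FETCH = ["script-src", "style-src", "img-src", "connect-src", "font-src",
         "media-src", "object-src", "frame-src", "worker-src", "manifest-src"]

def parse_csp(policy):
    """Split a serialized policy into {directive: [source, ...]}."""
    parsed = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in parsed:  # first occurrence wins
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed

def effective(parsed, directive):
    """Return (directive that supplied the list, sources); (None, None) if unrestricted."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in parsed:
            return name, parsed[name]
    return None, None

def audit(policy):
    """Report the effective source list per fetch directive, plus eval/inline-style flags."""
    parsed = parse_csp(policy)
    report = {}
    for d in FETCH:
        origin, sources = effective(parsed, d)
        none = sources is not None and [s.lower() for s in sources] in ([], ["'none'"])
        report[d] = {"from": origin, "sources": sources, "blocked": none}
    _, script = effective(parsed, "script-src")
    _, style = effective(parsed, "style-src-attr")
    # Simplified: nonce/hash interactions with 'unsafe-inline' are not modelled.
    report["eval_allowed"] = script is None or "'unsafe-eval'" in script
    report["inline_style_allowed"] = style is None or "'unsafe-inline'" in style
    return report

# The policy from the message above, joined onto one line.
POLICY = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
          "img-src 'self'; style-src 'self'; frame-ancestors 'none';")

if __name__ == "__main__":
    for key, value in audit(POLICY).items():
        print(key, value)
```

Running it against the posted policy shows font-src, media-src, object-src, frame-src and manifest-src all inheriting 'none', and both eval-style execution and inline styles disallowed.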