guacamole-user mailing list archives

From Zer0Cool <melin3...@gmail.com>
Subject Nginx Content_Security_Policy?
Date Fri, 03 May 2019 19:17:21 GMT
CentOS/RHEL 7.6
Nginx 1.16.0
OpenSSL 1.0.2k-fips
Guac 1.0.0

I have SSL working just fine with a Let's Encrypt cert. I am attempting to
add a CSP line to the nginx conf and it's causing the login page to look odd
and not actually logging in (I will explain further).

The line I am adding is:

add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'none';" always;

If I add the above, restart nginx and clear browser cache the login page
loads but the title reads as "{{'APP.NAME' | translate}}" and within the
fields "{{getFieldHeader() | translate}}" and the login button reads
"{{'LOGIN.ACTION_LOGIN' |".

Clicking login after entering credentials seems to fail (red banner at top
of page) and shows what seems to then just be a white page with a blankish
button. tail -f /var/log/messages says authentication was a success.

If I comment out the CSP line, restart nginx and clear browser cache, it
works as expected. I have tried starting with just default-src only but same
issue.

Anyone have CSP in Nginx working with Guac 1.0.0 and/or know if it's plain
not able to work with it?

I have been trying to research the matter but have not found anything
specific to Guac + CSP. Any help would be greatly appreciated. Thanks



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
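
Added example, not part of the original post and not Guacamole or nginx code: a small Node.js audit that resolves, for the policy quoted in the message, which source list each resource type ends up with after CSP directive fallback, so the result can be compared against the violation messages in the browser console. It models only fallback and keyword sources (no nonces, hashes or host matching); all function names are illustrative.

```javascript
// POLICY is the header value quoted in the post; function names are illustrative.
const POLICY = "default-src 'none'; script-src 'self'; connect-src 'self'; " +
  "img-src 'self'; style-src 'self'; frame-ancestors 'none';";

// Fallback chains for fetch directives (CSP Level 3); each chain ends at default-src.
const FALLBACK = {
  "script-src": [], "style-src": [], "img-src": [], "connect-src": [],
  "font-src": [], "media-src": [], "object-src": [], "manifest-src": [],
  "frame-src": ["child-src"], "worker-src": ["child-src", "script-src"],
};

// Parse the header into a Map of directive -> source tokens; a repeated directive is ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Find the directive that governs a resource type and the sources it allows.
function resolve(directives, name) {
  for (const d of [name, ...FALLBACK[name], "default-src"]) {
    if (!directives.has(d)) continue;
    const sources = directives.get(d);
    const blocksAll = sources.length === 0 ||
      (sources.length === 1 && sources[0].toLowerCase() === "'none'");
    return { from: d, sources, blocksAll };
  }
  return { from: null, sources: null, blocksAll: false }; // nothing restricts it
}

function audit(header) {
  const directives = parsePolicy(header);
  return Object.fromEntries(Object.keys(FALLBACK).map(n => [n, resolve(directives, n)]));
}

// True if a keyword such as 'unsafe-inline' or 'unsafe-eval' is granted for a resource type.
function allows(header, name, keyword) {
  const r = resolve(parsePolicy(header), name);
  return r.sources === null || r.sources.includes(keyword);
}

for (const [name, r] of Object.entries(audit(POLICY))) {
  const shown = r.blocksAll ? "BLOCKED" : r.sources ? r.sources.join(" ") : "unrestricted";
  console.log(name.padEnd(13), shown, `(via ${r.from})`);
}
```

For the posted policy this reports fonts, media, objects, manifests and frames as blocked outright through `default-src 'none'`, and shows that neither inline script or style nor eval is granted.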
