On Fri, May 3, 2019 at 3:17 PM Zer0Cool <[email protected]> wrote:

> CentOS/RHEL 7.6
> Nginx 1.16.0
> OpenSSL 1.0.2k-fips
> Guac 1.0.0
>
> I have SSL working just fine with a Let's Encrypt cert. I am attempting to
> add a CSP line to the nginx conf and it's causing the login page to look odd
> and not actually logging in (I will explain further).
>
> The line I am adding is:
>
> add_header Content-Security-Policy "default-src 'none'; script-src 'self';
> connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors
> 'none';" always;
>
> If I add the above, restart nginx and clear browser cache the login page
> loads but the title reads as "{{'APP.NAME' | translate}}" and within the
> fields "{{getFieldHeader() | translate}}" and the login button reads
> "{{'LOGIN.ACTION_LOGIN' |".
>
> Clicking login after entering credentials seems to fail (red banner at top
> of page) and shows what seems to then just be a white page with a blankish
> button. tail -f /var/log/messages says authentication was a success.
>

It's likely that this security policy is impacting things between the
AngularJS application (running in the web browser) and the web server.  I
would expect if you open the Developer Console for whatever browser you're
using that you'll see some error message or another.  I'm not familiar
enough with the Content-Security-Policy header to know what each of those
items do, but, if that header applies a policy to the browser then it's
likely that setting everything to self is disabling some of the
conversation between the JavaScript application in the browser and the
Nginx server, causing things to fail.  I'd have to do some more testing to
validate, but that's just my guess.

-Nick
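The following is an added example, not code from this thread, from Guacamole or from nginx: a small evaluator for the Content-Security-Policy string quoted above, so that what each directive allows can be checked outside a browser. It parses the header, applies the default-src fallback, and answers whether a load of a given type and URL from a given page origin is permitted; it also checks the keyword sources ('unsafe-inline', 'unsafe-eval') that a host-only list such as 'self' never satisfies. The page origin and request URLs in the demo are constructed for illustration, and ports, paths, nonces, hashes and 'strict-dynamic' are deliberately not modelled.

```javascript
// Added example (not from the thread, Guacamole or nginx): a minimal CSP
// evaluator for the header quoted above. Supported source expressions:
// 'self', 'none', '*', "scheme:" and "[scheme://]host" with a leading "*."
// wildcard. Ports, paths, nonces, hashes and 'strict-dynamic' are not
// modelled. Page origin and URLs in the demo are constructed.

const POLICY =
  "default-src 'none'; script-src 'self'; connect-src 'self'; " +
  "img-src 'self'; style-src 'self'; frame-ancestors 'none';";

// Fetch directives that fall back to default-src when absent. frame-ancestors
// does not, which is why the quoted policy has to list it explicitly.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src', 'prefetch-src',
]);

// "name src src; name src" -> Map(name -> [src, ...]). As in browsers, a
// repeated directive name is ignored; the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map(s => s.toLowerCase()));
    }
  }
  return directives;
}

// Source list governing `directive` after default-src fallback; null means
// the policy places no restriction on that kind of load.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// Does one source expression permit `url` for a page served from pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin; // scheme+host+port
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source;
  let scheme = null;
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) { scheme = `${m[1]}:`; host = m[2]; }
  if (scheme !== null && scheme !== url.protocol) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Decide one load; the governing source list is returned so a refusal can be
// explained the way the browser's developer console reports it.
function check(policy, directive, urlString, pageOrigin) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return { allowed: true, directive, sources: [] };
  const url = new URL(urlString);
  const allowed = sources.some(s => sourceMatches(s, url, pageOrigin));
  return { allowed, directive, sources };
}

// Inline <script>/<style> and eval()-style code are governed by keywords,
// not hosts: without 'unsafe-inline' (or a nonce/hash) and 'unsafe-eval'
// the browser refuses them even though every host source is 'self'.
function allowsInline(policy, directive) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

function allowsEval(policy) {
  const sources = effectiveSources(parsePolicy(policy), 'script-src');
  return sources === null || sources.includes("'unsafe-eval'");
}

// Demo against the quoted policy with a constructed page origin.
const ORIGIN = 'https://guac.example.com';
const loads = [
  ['script-src', `${ORIGIN}/guacamole/app.js`],
  ['connect-src', `${ORIGIN}/guacamole/api/tokens`],
  ['font-src', `${ORIGIN}/guacamole/fonts/icons.woff`], // falls back to 'none'
  ['script-src', 'https://cdn.example.net/lib.js'],
];
for (const [directive, url] of loads) {
  const r = check(POLICY, directive, url, ORIGIN);
  console.log(`${r.allowed ? 'allow ' : 'REFUSE'} ${directive} ${url} [${r.sources.join(' ')}]`);
}
console.log('inline style allowed:', allowsInline(POLICY, 'style-src'));
console.log('eval allowed:', allowsEval(POLICY));
```

Run it with `node csp-check.js` (file name assumed). Two things the output makes visible that the header alone does not: anything the policy does not list falls back to `default-src 'none'` (fonts, media, workers, and so on are refused outright), and a host source list with no `'unsafe-inline'` / `'unsafe-eval'` keyword refuses inline styles, inline scripts and runtime code evaluation regardless of origin. When a page breaks under a new CSP, the developer console lists each refusal with the directive that caused it, which is the quickest way to see which of these is involved before loosening anything.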
