[Solved] Issues running behind nginx reverse proxy

Posted: Mon Jun 01, 2020 8:03 am
by tslytsly
Hi,

I have recently moved access to our Unimus server to be via an Nginx Reverse Proxy.

It works in Firefox, but not in Chrome.

In Chrome I just see the loading animation.

In the console there is this error message:

VM28:1 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

Here is my RP config for that route:

location /configs/ {
    allow <ALLOWEDIPS>;
    allow <ALLOWEDIPS>;
    deny all;
    proxy_pass http://<IP_OF_UNIMUS>:8085/;
    include nginxconfig.io/proxy.conf;
}

and here is the proxy.conf file:

proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;

proxy_set_header Upgrade           $http_upgrade;
proxy_set_header Connection        "upgrade";
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host  $host;
proxy_set_header X-Forwarded-Port  $server_port;

Any ideas?

Thanks
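
The console error in the post above, worked through as an added example (not part of the original thread and not Unimus or nginx code): it evaluates the quoted policy string using the CSP fallback rule that eval() is governed by script-src, or by default-src when script-src is absent. The function names are this example's own, and the second policy in the final call is constructed.

```javascript
// Policy string copied from the console error quoted in the post above.
const POLICY =
  "default-src 'self' http: https: data: blob: 'unsafe-inline'";

// Split a Content-Security-Policy value into a Map of directive -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report which directive governs eval() and whether it permits it.
function evalVerdict(policy) {
  const d = parseCsp(policy);
  const governing = d.has("script-src") ? "script-src"
                  : d.has("default-src") ? "default-src"
                  : null;
  // No governing directive at all: this policy does not restrict eval().
  if (governing === null) return { governing, allowed: true };
  const sources = d.get(governing).map((s) => s.toLowerCase());
  return { governing, allowed: sources.includes("'unsafe-eval'") };
}

// A response can carry more than one CSP header (for example one from the
// application and one added by a proxy). Each policy is enforced on its own,
// so eval() runs only if every policy allows it.
function evalAllowed(policies) {
  return policies.every((p) => evalVerdict(p).allowed);
}

// 'unsafe-inline' is present but 'unsafe-eval' is not, so eval() is refused.
console.log(evalVerdict(POLICY));
// Constructed second policy: a permissive header cannot loosen a strict one.
console.log(evalAllowed([POLICY, "script-src 'self' 'unsafe-eval'"]));
```

Because policies only ever combine restrictively, the header carrying this default-src value has to be found and changed where it is set; adding a second, looser header elsewhere in the chain has no effect.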

Re: Issues running behind nginx reverse proxy

Posted: Mon Jun 01, 2020 10:32 am
by Tomas
Hi,

Mapping across different roots is a little painful ("/config/" on nginx -> "/" on Unimus).
If possible, I would recommend changing the context root on Unimus to match the context root on nginx; that should solve all the issues.

You can do this by adding a config parameter on Unimus:
In "/etc/default/unimus", add "-Dserver.contextPath=/configs".
Then just restart the service, and everything should work.

If this is not possible, you will need to declare multiple location blocks on nginx.
Unimus normally uses WebSockets, but it allows fallback to Long Polling, so multiple locations are needed to handle things:

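# A regex location needs the "~" modifier, and $1 is only set by a capture group.
# With variables in proxy_pass the URI is sent exactly as written, so the query
# string is appended explicitly, and "proxy_redirect default" (not permitted
# together with variables) is spelled out as the mapping it would have produced.
location ~ ^/configs/(.*)$ {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/$1$is_args$args;
    proxy_redirect http://<IP_OF_UNIMUS>:8085/ /configs/;
}

location ~ ^/VAADIN/(.*)$ {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/VAADIN/$1$is_args$args;
    proxy_redirect http://<IP_OF_UNIMUS>:8085/VAADIN/ /VAADIN/;
}

location ~ ^/WS/(.*)$ {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/WS/$1$is_args$args;
    proxy_redirect http://<IP_OF_UNIMUS>:8085/WS/ /WS/;
}

location ~ ^/PUSH/(.*)$ {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/PUSH/$1$is_args$args;
    proxy_redirect http://<IP_OF_UNIMUS>:8085/PUSH/ /PUSH/;
}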

Re: [Solved] Issues running behind nginx reverse proxy

Posted: Mon Jun 01, 2020 11:01 am
by tslytsly
Thanks for the quick reply @Tomas.

I have added the "-Dserver.contextPath=/configs" line to the config and updated my nginx config, but I still have the same error in Chrome.
Not in Firefox, that still works as expected.
Get similar errors in Edge too (I don't use Edge, just for testing):

SCRIPT5: SCRIPT5: Blocked by Content Security Policy
configs (1,1)

CSP14312: Resource violated directive ‘default-src 'self' http: https: data: blob: 'unsafe-inline'’ in Content-Security-Policy: script eval. Resource will be blocked.

Is it a header that is getting set or not set?

Thanks

Tom

Re: [Solved] Issues running behind nginx reverse proxy

Posted: Mon Jun 01, 2020 11:05 am
by Tomas
You shouldn't do both changes described in my post.

Option 1:
Set "-Dserver.contextPath=/configs" and do a single location block:

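# "(.*)" captures the rest of the path into $1; with variables in proxy_pass the
# query string and the redirect mapping have to be written out explicitly.
location ~ ^/configs/(.*)$ {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/configs/$1$is_args$args;
    proxy_redirect http://<IP_OF_UNIMUS>:8085/configs/ /configs/;
}

Option 2: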
Don't set "-Dserver.contextPath=/configs" and do all the location blocks :)

The additional location blocks are only needed if the context roots don't match.
If context roots do match (which "-Dserver.contextPath=/configs" sets), then only a single proxy location is needed.

Re: [Solved] Issues running behind nginx reverse proxy

Posted: Mon Jun 01, 2020 11:11 am
by tslytsly
Tomas wrote:
Mon Jun 01, 2020 11:05 am
You shouldn't do both changes described in my post.

...

The additional location blocks are only needed if the context roots don't match.
If context roots do match (which "-Dserver.contextPath=/configs" sets), then only a single proxy location is needed.

Sorry, I was not clear.

I had my nginx location block set up to work around the difference in URL context.
So, after having added the "-Dserver.contextPath=/configs" option, I updated the location block:

location /configs/ {
    allow <HIDDEN>;
    allow <HIDDEN>;
    deny all;
    proxy_pass <HIDDEN>:8085/configs/;
    include nginxconfig.io/proxy.conf;
}

(Note, I have also tried it with the Regex match as you have, but that does not work.)

As I said, configured like this it works on Firefox, but not Chrome or Edge.

Re: Issues running behind nginx reverse proxy

Posted: Mon Jun 01, 2020 5:54 pm
by tslytsly
Removed the Solved header because the same issue remains.

Re: Issues running behind nginx reverse proxy

Posted: Mon Jun 01, 2020 7:28 pm
by Tomas
Sorry for the delays, today was crazy busy.

I will spin up nginx and Unimus containers tomorrow and try to replicate the issue you are having.
Will update as soon as I have a working config for you :)

Re: Issues running behind nginx reverse proxy

Posted: Tue Jun 02, 2020 6:51 am
by tslytsly
Thanks Tomas,
If you need any logs from my install let me know.

Re: Issues running behind nginx reverse proxy

Posted: Thu Jun 11, 2020 7:57 am
by tslytsly
Hi Tomas,

Just a friendly bump to see if you made any progress with this?

Tom

Re: Issues running behind nginx reverse proxy

Posted: Thu Jun 11, 2020 3:47 pm
by ccummings-coeur
Here is our nginx rev proxy config:

server {
    listen 80;

    server_name unimus.foo.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;

    include snippets/ssl.conf;
    include snippets/ssl-params.conf;

    server_name unimus.foo.com;

    client_max_body_size 25m;

    location / {
        proxy_pass http://1.1.1.1:8085;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
    }
}

We run nginx on a separate server, running Ubuntu 20.04, and unimus also runs on Ubuntu 20.04. Glad to share any other configs if you would like.