[Solved] Issues running behind nginx reverse proxy

Unimus support forum
tslytsly
Posts: 14
Joined: Mon Jun 01, 2020 7:57 am

Mon Jun 01, 2020 8:03 am

Hi,

I have recently moved access to our Unimus server to be via an Nginx Reverse Proxy.

It works in Firefox, but not in Chrome.

In Chrome I just see the loading animation.

In the console there is this error message:

Code:

VM28:1 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

Here is my RP config for that route:

Code:

location /configs/ {
    allow <ALLOWEDIPS>;
    allow <ALLOWEDIPS>;
    deny all;
    proxy_pass http://<IP_OF_UNIMUS>:8085/;
    include nginxconfig.io/proxy.conf;
}

and here is the proxy.conf file:

Code:

proxy_http_version      1.1;
proxy_cache_bypass      $http_upgrade;

proxy_set_header Upgrade                        $http_upgrade;
proxy_set_header Connection             "upgrade";
proxy_set_header Host                           $host;
proxy_set_header X-Real-IP                      $remote_addr;
proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto      $scheme;
proxy_set_header X-Forwarded-Host       $host;
proxy_set_header X-Forwarded-Port       $server_port;

Any ideas?

Thanks
Last edited by tslytsly on Thu Jun 11, 2020 4:59 pm, edited 2 times in total.
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Mon Jun 01, 2020 10:32 am

Hi,

Mapping across different roots is a little painful ("/config/" on nginx -> "/" on Unimus).
If possible, I would recommend changing the context root on Unimus to match the context root on nginx; that should solve all the issues.

You can do this by adding a config parameter on Unimus:
"/etc/default/unimus" add "-Dserver.contextPath=/configs"
Then just restart the service, and everything should work.

If this is not possible, you will need to declare multiple location blocks on nginx.
Unimus normally uses WebSockets, but it allows fallback to Long Polling, so multiple locations are needed to handle things:

Code:

location ~ /configs/.* {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/$1;
    proxy_redirect default;
}

location /VAADIN/.* {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/VAADIN/$1;
    proxy_redirect default;
}

location /WS/.* {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/WS/$1;
    proxy_redirect default;
}

location /PUSH/.* {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/PUSH/$1;
    proxy_redirect default;
}
tslytsly
Posts: 14
Joined: Mon Jun 01, 2020 7:57 am

Mon Jun 01, 2020 11:01 am

Thanks for the quick reply @Tomas.

I have added the "-Dserver.contextPath=/configs" line to the config and updated my nginx config, but I still have the same error in Chrome.
Not in Firefox, that still works as expected.
Get similar errors in Edge too (I don't use Edge, just for testing):

Code:

SCRIPT5: SCRIPT5: Blocked by Content Security Policy
configs (1,1)

CSP14312: Resource violated directive ‘default-src 'self' http: https: data: blob: 'unsafe-inline'’ in Content-Security-Policy: script eval. Resource will be blocked.

Is it a header that is getting set or not set?

Thanks

Tom
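
An added example (not from the original posts, and not Unimus or nginx code): the check that the Chrome and Edge errors above describe, as a small Python helper. `eval()` is governed by `script-src`, which falls back to `default-src`, and when several Content-Security-Policy headers reach the browser every one of them must permit it; the second policy string is constructed for comparison.

```python
from __future__ import annotations

# Policy quoted in the Chrome and Edge errors on this page.
PAGE_POLICY = "default-src 'self' http: https: data: blob: 'unsafe-inline'"
# Constructed for comparison only; not a policy taken from the thread.
CONSTRUCTED_POLICY = "default-src 'self'; script-src 'self' 'unsafe-eval'"


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split one Content-Security-Policy value into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Directive names are case-insensitive; a repeated directive is
            # ignored, so the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def eval_verdict(policy: str) -> tuple[str | None, bool]:
    """Return (governing directive, whether eval() is permitted) for one policy."""
    directives = parse_csp(policy)
    for name in ("script-src", "default-src"):  # script-src falls back to default-src
        if name in directives:
            sources = [s.lower() for s in directives[name]]
            return name, "'unsafe-eval'" in sources
    return None, True  # no script-src and no default-src: eval is not restricted


def eval_allowed(header_values: list[str]) -> bool:
    """Every policy delivered with the response is enforced; all must permit eval()."""
    return all(eval_verdict(value)[1] for value in header_values)


if __name__ == "__main__":
    for label, headers in [
        ("policy from the error message", [PAGE_POLICY]),
        ("constructed policy", [CONSTRUCTED_POLICY]),
        ("both headers present", [CONSTRUCTED_POLICY, PAGE_POLICY]),
    ]:
        print(label, [eval_verdict(h) for h in headers], eval_allowed(headers))
```

Running the verdict over each Content-Security-Policy value seen on a response shows which policy is the one blocking `eval()`, which helps when a proxy and a backend may each be adding a header.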
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Mon Jun 01, 2020 11:05 am

You shouldn't do both changes described in my post.

Option 1:
Set "-Dserver.contextPath=/configs" and do a single location block:

Code:

location ~ /configs/.* {
    ....
    proxy_pass http://<IP_OF_UNIMUS>:8085/configs/$1;
    proxy_redirect default;
}

Option 2:
Don't set "-Dserver.contextPath=/configs" and do all the location blocks :)

The additional location blocks are only needed if the context roots don't match.
If context roots do match (which "-Dserver.contextPath=/configs" sets), then only a single proxy location is needed.
tslytsly
Posts: 14
Joined: Mon Jun 01, 2020 7:57 am

Mon Jun 01, 2020 11:11 am

Tomas wrote:
Mon Jun 01, 2020 11:05 am
You shouldn't do both changes described in my post.

...

The additional location blocks are only needed if the context roots don't match.
If context roots do match (which "-Dserver.contextPath=/configs" sets), then only a single proxy location is needed.

Sorry, I was not clear.

I had my nginx location block set up to work around the difference in URL context.
So, after having added the "-Dserver.contextPath=/configs" option, I updated the location block:

Code:

location /configs/ {
    allow <HIDDEN>;
    allow <HIDDEN>;
    deny all;
    proxy_pass <HIDDEN>:8085/configs/;
    include nginxconfig.io/proxy.conf;
}

(Note, I have also tried it with the Regex match as you have, but that does not work)

As I said, configured like this it works on Firefox, but not Chrome or Edge.
tslytsly
Posts: 14
Joined: Mon Jun 01, 2020 7:57 am

Mon Jun 01, 2020 5:54 pm

Removed the Solved header because the same issue remains.
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Mon Jun 01, 2020 7:28 pm

Sorry for the delays, today was crazy busy.

I will spin up nginx and Unimus containers tomorrow and try to replicate the issue you are having.
Will update as soon as I have a working config for you :)
tslytsly
Posts: 14
Joined: Mon Jun 01, 2020 7:57 am

Tue Jun 02, 2020 6:51 am

Thanks Tomas,
If you need any logs from my install let me know.
tslytsly
Posts: 14
Joined: Mon Jun 01, 2020 7:57 am

Thu Jun 11, 2020 7:57 am

Hi Tomas,

Just a friendly bump to see if you made any progress with this?

Tom
ccummings-coeur
Posts: 5
Joined: Mon May 18, 2020 4:08 pm

Thu Jun 11, 2020 3:47 pm

Here is our nginx rev proxy config:

Code:

server {
    listen 80;

    server_name unimus.foo.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;

    include snippets/ssl.conf;
    include snippets/ssl-params.conf;

    server_name unimus.foo.com;

    client_max_body_size 25m;

    location / {
        proxy_pass http://1.1.1.1:8085;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
    }
}

We run nginx on a separate server, running Ubuntu 20.04, and Unimus also runs on Ubuntu 20.04. Glad to share any other configs if you would like.