I then register my account, and try clicking on the activation link on my discourse page, and NOTHING happens. Looking at dev tools, I see this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'report-sample' http://myfancydomain.com/logs/ http://myfancydomain.com/sidekiq/ http://myfancydomain.com/mini-profiler-resources/ http://myfancydomain.com/assets/ http://myfancydomain.com/brotli_asset/ http://myfancydomain.com/extra-locales/ http://myfancydomain.com/highlight-js/ http://myfancydomain.com/javascripts/ http://myfancydomain.com/plugins/ http://myfancydomain.com/theme-javascripts/ http://myfancydomain.com/svg-sprite/". Either the 'unsafe-inline' keyword, a hash ('sha256-T1n9N/v2ZUyCGncqaO0MgcESijK4iDg9nXYaamEO+bY='), or a nonce ('nonce-...') is required to enable inline execution.
I have NO clue what this error means - any clues as to how to solve it would be great.
@pfaffman: yes it works with https without the orange cloud. So, the first time I set it up, it worked out of the box and since I did not use the cloudflare template I had no CSP issues.
I just saw a post which mentioned: DISCORSE_ENABLE_CORS: true should be set. I havent tried it yet however (will try in few mins)
BTW: I have an nginx front end with https (letsencrypt) serving a reverse proxy discourse instance. Thus I had commented out templates/web.ssl.template.yml - do you think should include this now that I have the cloudflare template on?
You should probably have a look at the topics about running with an external nginx and look carefully at the stuff that sees that Discourse sees the user IP and then look at the cloudflare template and see that it should still work with your config.
No. I am pretty sure that you don’t want web.ssl.template.yml.
This is a bit embarrassing - but I have found out why this was.
Once everything was working without cloudflare, I added the nginx pagespeed module to my nginx config (pagespeed on;)
This was the reason for this error I found this out browsing through the console within DevTools.
I apologise for wasting your time.
Just to add: I had also asked pagespeed to honourCSP, but this creates the same problems. At this moment, I have removed pagsepeed and everything works great.
@pfaffman: Yea, I was surprised myself.
I normally have pagespeed on; by default.
Did not know this would cause trouble.
Hopefully, someone can look into it - I dont really have the skills to debug this (never heard of CSP until a few days ago)
From what I could see, it was related to ember.js which pagespeed was caching.