External nginx pagespeed module causes security policy violation

I have posted the detailed question on Stack Overflow: discourse email activation no longer works due to Content Security Policy violation - Stack Overflow

I bootstrapped discourse using my custom app.yml which uses the cloudflare template like so:

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.socketed.template.yml"
  - "templates/sshd.template.yml"
  - "templates/cloudflare.template.yml"

Then I bootstrapped the image like so:

./launcher bootstrap app &&\
./launcher start app

I then register my account, and try clicking on the activation link on my discourse page, and NOTHING happens. Looking at dev tools, I see this error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'report-sample' http://myfancydomain.com/logs/ http://myfancydomain.com/sidekiq/ http://myfancydomain.com/mini-profiler-resources/ http://myfancydomain.com/assets/ http://myfancydomain.com/brotli_asset/ http://myfancydomain.com/extra-locales/ http://myfancydomain.com/highlight-js/ http://myfancydomain.com/javascripts/ http://myfancydomain.com/plugins/ http://myfancydomain.com/theme-javascripts/ http://myfancydomain.com/svg-sprite/". Either the 'unsafe-inline' keyword, a hash ('sha256-T1n9N/v2ZUyCGncqaO0MgcESijK4iDg9nXYaamEO+bY='), or a nonce ('nonce-...') is required to enable inline execution.

I have NO clue what this error means - any clues as to how to solve it would be great.

You’ve included the cloudflare template which probably means you’re using it for SSL.

But your CSP has all http schemes instead of https. If you access via https but the CSP says http, that’s a mismatch.

You need to tell Discourse that it’s behind https if that’s the case. Try:

SiteSetting.force_https = true

at the rails console.

I would leave cloudflare out of the mix until you get everything else up and running.

@supermathie: I have tried this approach now and I can confirm that it does not change the situation.

@pfaffman: I can confirm that it works fine without the CF template…, but not with it… is this a bug?

Do you have it working with https and without the orange cloud?

@pfaffman: yes it works with https without the orange cloud. So, the first time I set it up, it worked out of the box and since I did not use the cloudflare template I had no CSP issues.

I just saw a post which mentioned: DISCOURSE_ENABLE_CORS: true should be set. I haven't tried it yet however (will try in a few mins)

BTW: I have an nginx front end with https (letsencrypt) serving a reverse-proxied discourse instance. Thus I had commented out templates/web.ssl.template.yml - do you think I should include this now that I have the cloudflare template on?

That would have been good to mention in the OP.

You should probably have a look at the topics about running with an external nginx and look carefully at the part that ensures that Discourse sees the user IP, and then look at the cloudflare template and see that it should still work with your config.

No. I am pretty sure that you don’t want web.ssl.template.yml.

it should have changed the situation since now the CSP should be different

This is a bit embarrassing - but I have found out why this was.

Once everything was working without cloudflare, I added the nginx pagespeed module to my nginx config (pagespeed on;)

This was the reason for this error :frowning: I found this out browsing through the console within DevTools.

I apologise for wasting your time.

Just to add: I had also asked pagespeed to honour CSP, but this creates the same problems. At this moment, I have removed pagespeed and everything works great.
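The error quoted earlier in the thread names a 'sha256-…' hash because the browser compares that hash of the inline script's exact bytes against the `script-src` sources. An optimizing proxy that rewrites the page (as pagespeed does) changes those bytes, so a hash that matched the original script no longer matches. The following Python script is an added illustration of that mechanism, not code from the thread or from Discourse or pagespeed: the policy string, the inline script body and the whitespace-collapsing rewrite are all constructed here to model the situation, and the hash values are computed by the script rather than taken from the page.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed script-src directive modelled on the one quoted in the thread.
# Note: the quoted policy has no 'unsafe-inline' and no hash, so every inline
# script is refused unless a matching hash or nonce source is present.
SCRIPT_SRC = (
    "script-src 'unsafe-eval' 'report-sample' "
    "https://myfancydomain.com/assets/ https://myfancydomain.com/javascripts/"
)

# Constructed inline script body (not Discourse's real markup).
ORIGINAL = "var form = document.getElementById('activate');\nform.submit();\n"


def csp_script_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the hash-source token a browser derives for an inline script.

    The digest covers the UTF-8 bytes between <script> and </script> exactly,
    whitespace included, which is why any rewrite of the body invalidates it.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def parse_directive(directive: str):
    """Split 'script-src a b c;' into ('script-src', ['a', 'b', 'c'])."""
    name, *sources = directive.strip().rstrip(";").split()
    return name, sources


def inline_script_allowed(directive: str, script_body: str,
                          nonce: Optional[str] = None) -> bool:
    """Decide whether an inline script executes under a script-src directive.

    Simplified CSP Level 3 rules: 'unsafe-inline' allows everything only when
    no hash or nonce source is present (those switch 'unsafe-inline' off);
    otherwise a hash of the body or the script's nonce must appear in the list.
    """
    _, sources = parse_directive(directive)
    hash_or_nonce = [s for s in sources
                     if re.match(r"'(sha256|sha384|sha512|nonce)-", s)]
    if "'unsafe-inline'" in sources and not hash_or_nonce:
        return True
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return any(csp_script_hash(script_body, algo) in sources
               for algo in ("sha256", "sha384", "sha512"))


def allow_by_hash(directive: str, script_body: str) -> str:
    """Extend a directive with the hash that permits exactly this script body."""
    return directive.rstrip(";") + " " + csp_script_hash(script_body)


def proxy_rewrite(script_body: str) -> str:
    """Stand-in for what an optimizing proxy does: collapse whitespace.

    This is a constructed model, not pagespeed's actual transformation; any
    byte-level change has the same effect on the hash.
    """
    return re.sub(r"\s+", " ", script_body).strip()


def demo() -> dict:
    """Walk through the three states seen in the thread and return the verdicts."""
    policy_with_hash = allow_by_hash(SCRIPT_SRC, ORIGINAL)
    rewritten = proxy_rewrite(ORIGINAL)
    return {
        "original_under_quoted_policy": inline_script_allowed(SCRIPT_SRC, ORIGINAL),
        "original_under_hash_policy": inline_script_allowed(policy_with_hash, ORIGINAL),
        "rewritten_under_hash_policy": inline_script_allowed(policy_with_hash, rewritten),
        "expected_hash": csp_script_hash(ORIGINAL),
        "hash_after_rewrite": csp_script_hash(rewritten),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the same inline script being allowed once its hash is in the policy and refused again after the proxy rewrite, because the browser's recomputed hash differs from the one the server emitted. The practical check for a setup like the one in this thread is to compare the hash named in the DevTools error against the hash of the script as it left the application server: if they differ, something between the application and the browser rewrote the page.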

That's a new one for me! I've changed the title for the benefit of others who run into the same problem.

@pfaffman: Yeah, I was surprised too.
I normally have pagespeed on; by default.
I had no idea it would cause problems.

I hope someone can look into it. I don't have the skills to debug this (I hadn't even heard the term CSP until a few days ago) :frowning:
As far as I could tell, it seemed to be related to the ember.js that pagespeed had cached.

That is a bad idea these days:

@Falco: Thank you for educating me on this.
I understand now that pagespeed is not required for Discourse.
Thanks for the quick support!