Opened Oct 09, 2020 by Peter Müller (@pmueller)

GoAccess stats blocked by Content Security Policy (nginx)

short description

Loading GoAccess resources is blocked by the Content Security Policy in current Firefox and partially in Edge.

correct behavior

Should not be blocked.

environment

Server OS: ubuntu

Server OS version: 20.04.1 (focal)

ISPConfig version: 3.2dev20201006

nginx version: nginx/1.18.0 (Ubuntu)

proposed fix

Change the Content-Security-Policy header in server/conf/nginx_vhost.conf.master for location /stats/ from

add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline';";

to

add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";

references

https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/conf/nginx_vhost.conf.master#L172

workaround

Add the following to nginx directives in the website options to overwrite the defaults:

location /stats/ {
  index index.html index.php;
  auth_basic "Members Only";
  auth_basic_user_file {DOCROOT}stats/.htpasswd_stats;
  add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";
}
Edited Oct 09, 2020 by Peter Müller
Milestone: 3.2
Reference: ispconfig/ispconfig3#5815
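
Added example, not part of the original issue or of ISPConfig: a simplified model of CSP source matching that shows why the original policy still blocks eval and data: URIs although it contains `*`. The two policy strings are the ones quoted in the issue; the REPORT_NEEDS list is constructed for illustration and is not taken from GoAccess, and only keyword, wildcard and scheme sources are modelled (no host sources, 'self', nonces or hashes).

```javascript
// Policy strings as quoted in the issue.
const OLD_POLICY = "default-src * 'self' 'unsafe-inline';";
const NEW_POLICY = "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // first occurrence wins
  }
  return directives;
}

// Sources governing a fetch directive, falling back to default-src.
function sourcesFor(directives, name) {
  return directives[name] || directives["default-src"] || null;
}

// check: { directive, kind: "inline" | "eval" | "url", url? }
function isAllowed(policy, check) {
  const sources = sourcesFor(parseCsp(policy), check.directive);
  if (sources === null) return true; // no governing directive: no restriction
  const lower = sources.map((s) => s.toLowerCase());
  if (check.kind === "inline") return lower.includes("'unsafe-inline'");
  if (check.kind === "eval") return lower.includes("'unsafe-eval'");
  const scheme = check.url.slice(0, check.url.indexOf(":") + 1).toLowerCase();
  // "*" matches network schemes only; data:, blob: and filesystem: need an explicit scheme source.
  if (lower.includes("*") && ["http:", "https:", "ws:", "wss:"].includes(scheme)) return true;
  return lower.includes(scheme);
}

// Constructed list of what a self-contained HTML report may use (assumption).
const REPORT_NEEDS = [
  { label: "inline <script>", directive: "script-src", kind: "inline" },
  { label: "eval()/new Function()", directive: "script-src", kind: "eval" },
  { label: "data: font", directive: "font-src", kind: "url", url: "data:font/woff2;base64,AAAA" },
  { label: "data: image", directive: "img-src", kind: "url", url: "data:image/png;base64,AAAA" },
  { label: "https image", directive: "img-src", kind: "url", url: "https://example.com/a.png" },
];

// Labels of the resources a policy would block.
function blockedBy(policy) {
  return REPORT_NEEDS.filter((c) => !isAllowed(policy, c)).map((c) => c.label);
}

console.log("old policy blocks:", blockedBy(OLD_POLICY));
console.log("new policy blocks:", blockedBy(NEW_POLICY));
```

Because `data:` and 'unsafe-eval' sit on default-src in the proposed header, they apply to every fetch directive that falls back to it, script-src included. Listing them on the specific directives that need them (for example font-src or img-src for `data:`) keeps the relaxation narrower.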