Closed
Open
Issue created Oct 09, 2020 by Peter Müller (@pmueller)

GoAccess stats blocked by Content Security Policy (nginx)

short description

Loading GoAccess resources is blocked by Content Security Policy in current Firefox and partially in Edge.

correct behavior

Should not be blocked.

environment

Server OS: Ubuntu

Server OS version: 20.04.1 (focal)

ISPConfig version: 3.2dev20201006

nginx version: nginx/1.18.0 (Ubuntu)

proposed fix

Change the Content-Security-Policy header in server/conf/nginx_vhost.conf.master for location /stats/ from

add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline';";

to

add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";

references

https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/conf/nginx_vhost.conf.master#L172

screenshots

csp-blocked

workaround

Add the following to nginx directives in the website options to overwrite the defaults:

location /stats/ {
  index index.html index.php;
  auth_basic "Members Only";
  auth_basic_user_file {DOCROOT}stats/.htpasswd_stats;
  add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";
}
Edited Oct 09, 2020 by Peter Müller
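An added example, not part of the original issue and not ISPConfig code: a small evaluator for the two header values quoted above, showing that the CSP wildcard `*` only stands for network schemes, so the old policy granted neither `'unsafe-eval'` nor `data:`, and listing what the proposed header newly permits. The capability names in `CHECKS` and the helper functions are hypothetical, and host matching is not modelled.

```python
# Added example (not ISPConfig code): what each /stats/ policy from the issue permits.
OLD = "default-src * 'self' 'unsafe-inline';"
NEW = "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;"

# Hypothetical capability names -> (fetch directive consulted, source expression needed).
CHECKS = {
    "inline script": ("script-src", "'unsafe-inline'"),
    "eval()": ("script-src", "'unsafe-eval'"),
    "data: image": ("img-src", "data:"),
    "data: font": ("font-src", "data:"),
    "script from any https host": ("script-src", "https:"),
}

def parse_csp(value):
    """Split a header value into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def allows(policy, directive, needed):
    """True if `directive` (falling back to default-src) grants `needed`."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:          # no directive and no default-src: unrestricted
        return True
    if needed in sources:        # exact keyword or scheme-source match
        return True
    # '*' only stands for network schemes; it never covers data: or keywords.
    return "*" in sources and needed in ("http:", "https:")

def report(header):
    """Map every capability in CHECKS to whether the header value permits it."""
    policy = parse_csp(header)
    return {name: allows(policy, d, needed) for name, (d, needed) in CHECKS.items()}

def newly_allowed(old, new):
    """Capabilities the new header grants that the old one did not."""
    before, after = report(old), report(new)
    return sorted(name for name in CHECKS if after[name] and not before[name])

if __name__ == "__main__":
    for label, header in (("old", OLD), ("new", NEW)):
        print(label, report(header))
    print("newly allowed:", newly_allowed(OLD, NEW))
```

With the new header every capability in `CHECKS` is permitted for `/stats/`, so the policy should not be counted on as a script-injection mitigation for that location; the HTTP basic auth in the same block is what limits access to it.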