0

I want to expose a local web server through a remote webs server. The remote host has already an Nginx and a web application (webmail). The remote server works as a gateway for the local webserver who's forwarding the port 80 to the remote 8080. This is working.

Now I want to forward the subdomain (e.g., bridge.mydomain.co) requests to the forwarded port. I tried using this:

server { listen 80; listen [::]:80; server_name bridge.mydomain.co; location / { proxy_set_header Host $host; proxy_pass http://127.0.0.1:8080; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }

The local webserver is running a complex PHP application so it is complaining:

40 errors like:

Refused to load the stylesheet '' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

and 56 of:

Refused to load the script '' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

I know I could expose the forwarded port directly, this works flawlessly. But I want to use (eventually) nginx for TLS termination and then forwarding.

Reading about this issue seems that the local webserver in PHP is refusing the requests. Yet, I don't know how to fix it.

Any help?

Improve this question
1
  • are you sure that the PHP server is not requesting HTTPS instead of HTTP? Commented Apr 12, 2022 at 17:36

1 Answer 1

Reset to default
0

Figure it out at the end. I needed to pass/add the following headers:

server { listen 80; listen [::]:80; server_name bridge.mydomain.co; proxy_pass_header server; location / { proxy_set_header Host $host; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://bridge.mydomain.co http://bridge.mydomain.co:8080 http://bridge.mydomain.co/core/img/favicon-touch.png; img-src 'self' http://bridge.mydomain.co http://bridge.mydomain.co:8080;"; proxy_pass http://bridge.mydomain.co:8080; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }

I believe the port version is not needed and there are some headers missing that are covered by the "default". So there is room for improvement.

If you want to read an explanation here there is some material from people more knowledgeable than me: https://stackoverflow.com/questions/33300111/how-to-override-content-security-policy-of-site-a-while-using-nginx-proxy-pass-o

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.