portainer: Cannot have Portainer work behind nginx due to CSP

Question:

How can I deploy Portainer behind a nginx reverse proxy?

I’ve used the following directives found in the documentation

# plain HTTP traffic to the Portainer upstream
location /portainer/ {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_pass http://portainer/;
}
# WebSocket upgrade for the /ws/ endpoints (console, attach, etc.)
location /portainer/ws/ {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_pass http://portainer/ws/;
}

It's working fine except for an issue with the Content-Security-Policy, as Portainer calls the matomo CDN through http instead of https.

Browser is not happy if I use “http://cdn.matomo.cloud” in the CSP header (This page has a non-HTTPS secure origin.)

Portainer is not happy if I use "httpS://cdn.matomo.cloud" as this is not the one it calls internally.

Any thoughts?

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 32 (12 by maintainers)

Most upvoted comments

Hum… from what I saw the UI cannot be loaded because it used http instead of https to get the matomo assets. When you updated to https it was working fine though. I guess using https by default should be safer, no? Sorry, I'm not able to test it right now, I've just moved to Traefik instead of nginx (not linked to Portainer though 😃).

On Sun, Jan 17, 2021 at 10:24 PM Anthony Lapenna notifications@github.com wrote:

Update on this topic:

I can reproduce your issue @lucj (https://github.com/lucj) with the following Nginx/Portainer setup: https://github.com/portainer/portainer-compose/tree/nginx-csp-pr4556/nginx-proxy

Note that this issue is raised in my browser console because of the following header in the Nginx configuration:

add_header                Content-Security-Policy "default-src 'self'; script-src https://*.matomo.cloud https://*.sentry.io https://sentry.io https://nominatim.openstreetmap.org 'self' 'unsafe-inline' 'unsafe-eval'; style-src https://fonts.googleapis.com 'self' 'unsafe-inline'; font-src https://fonts.gstatic.com https://fonts.googleapis.com 'self' data:; connect-src https://*.matomo.cloud 'self' ws://* wss://* https://*.sentry.io https://sentry.io https://*.googleapis.com; object-src 'self'; img-src https://*.google.com https://api.mapbox.com 'self' blob: data:;";

It does not prevent the application from loading/working properly, from my basic testing so far.

Updating this header configuration to the one below will not show this error in my browser:

add_header                Content-Security-Policy "default-src 'self'; script-src http://*.matomo.cloud https://*.sentry.io https://sentry.io https://nominatim.openstreetmap.org 'self' 'unsafe-inline' 'unsafe-eval'; style-src https://fonts.googleapis.com 'self' 'unsafe-inline'; font-src https://fonts.gstatic.com https://fonts.googleapis.com 'self' data:; connect-src https://*.matomo.cloud 'self' ws://* wss://* https://*.sentry.io https://sentry.io https://*.googleapis.com; object-src 'self'; img-src https://*.google.com https://api.mapbox.com 'self' blob: data:;";

I basically just changed https://*.matomo.cloud to http://*.matomo.cloud.

Although I also tested the original header configuration (with https) in combination with portainerci/portainer:pr4556 and the issue is not present there either.

I wonder if there is an actual need for us to patch this or if it could just be solved by using the proper Nginx configuration. Do you have any input on that side?

— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/portainer/portainer/issues/4545#issuecomment-761882562

@deviantony Sorry for not coming back to you before. I’m currently using the custom image which works fine. I’ll test once again with 2.0.0 instead to be sure the cdn over https fixed the thing (but I’m pretty sure it did as CSP was raising an error when it was on http).

On 9 Dec 2020 at 22:54, Anthony Lapenna notifications@github.com wrote:

@lucj ping for confirmation, did you use the custom image or a simple nginx configuration change was enough?


Seems it’s much better adding the upgrade-insecure-requests instruction to the CSP header 👍
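To make the scheme-matching behaviour discussed in this thread concrete, here is an added example that is not code from Portainer or from anyone in the issue. It models how a browser evaluates a CSP source list against a fetch, using the CSP3 scheme-part rule that an `http://` source also covers `https://` URLs while an `https://` source never covers `http://` ones, and it applies `upgrade-insecure-requests` the way a browser does (rewrite the request before consulting the source list). The three policies are the two nginx `add_header` values quoted above plus the https one with `upgrade-insecure-requests` appended; the page origin `portainer.example.com` and the script URL `http://cdn.matomo.cloud/matomo.js` are constructed for the example.

```python
"""Toy CSP evaluator: why `script-src https://*.matomo.cloud` rejects an
http:// script fetch and `upgrade-insecure-requests` makes it pass.
Added example; it is not the Portainer project's code."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# The two add_header values quoted in the thread, plus the variant the last
# comment settles on (https allowlist + upgrade-insecure-requests).
CSP_HTTPS = ("default-src 'self'; script-src https://*.matomo.cloud https://*.sentry.io "
             "https://sentry.io https://nominatim.openstreetmap.org 'self' 'unsafe-inline' "
             "'unsafe-eval'; style-src https://fonts.googleapis.com 'self' 'unsafe-inline'; "
             "font-src https://fonts.gstatic.com https://fonts.googleapis.com 'self' data:; "
             "connect-src https://*.matomo.cloud 'self' ws://* wss://* https://*.sentry.io "
             "https://sentry.io https://*.googleapis.com; object-src 'self'; "
             "img-src https://*.google.com https://api.mapbox.com 'self' blob: data:;")
CSP_HTTP = CSP_HTTPS.replace("script-src https://*.matomo.cloud",
                             "script-src http://*.matomo.cloud")
CSP_UPGRADED = CSP_HTTPS + " upgrade-insecure-requests;"

# Constructed for the example (assumed names, not from the thread).
PAGE_ORIGIN = "https://portainer.example.com"
MATOMO_HTTP = "http://cdn.matomo.cloud/matomo.js"


def parse_csp(header: str) -> dict:
    """{directive-name: [source expressions]}; a repeated directive keeps its
    first occurrence, as browsers do."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _scheme_matches(src: str, url_scheme: str) -> bool:
    # CSP3 scheme-part matching: a source scheme also covers its secure
    # upgrade, so "http" matches https URLs, but "https" never matches http.
    return src == url_scheme or (src, url_scheme) in {("http", "https"), ("ws", "wss")}


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # wildcard covers labels left of the suffix, never the bare suffix
        return host.endswith(pattern[1:])
    return pattern == host


def _port_matches(src_port, url) -> bool:
    url_port = url.port or DEFAULT_PORTS.get(url.scheme)
    if src_port is None:
        return url_port == DEFAULT_PORTS.get(url.scheme)
    return src_port == "*" or int(src_port) == url_port


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression match the URL being fetched?"""
    u, expr_l = urlsplit(url), expr.lower()
    if expr_l == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)) == \
               (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))
    if expr_l.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces, hashes: never match a URL
    if expr_l.endswith(":") and "/" not in expr_l:
        return _scheme_matches(expr_l[:-1], u.scheme)  # scheme-source, e.g. data:
    # host-source: [scheme://]host[:port][/path]; no scheme means the page's scheme
    if "://" in expr_l:
        src_scheme, rest = expr_l.split("://", 1)
    else:
        src_scheme, rest = urlsplit(page_origin).scheme, expr_l
    hostport = rest.split("/", 1)[0]
    src_host, src_port = (hostport.rsplit(":", 1) if ":" in hostport else (hostport, None))
    return (_scheme_matches(src_scheme, u.scheme)
            and _host_matches(src_host, u.hostname or "")
            and _port_matches(src_port, u))


def csp_allows(header: str, directive: str, url: str, page_origin: str) -> bool:
    """Would a browser enforcing `header` allow this fetch under `directive`?"""
    policy = parse_csp(header)
    scheme = urlsplit(url).scheme
    if "upgrade-insecure-requests" in policy and scheme in ("http", "ws"):
        # the browser rewrites the request before any source list is consulted
        url = {"http": "https", "ws": "wss"}[scheme] + url[len(scheme):]
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src restricts this fetch
    return any(source_matches(e, url, page_origin) for e in sources)


def main():
    cases = [("https source", CSP_HTTPS), ("http source", CSP_HTTP),
             ("https + upgrade-insecure-requests", CSP_UPGRADED)]
    for label, header in cases:
        verdict = csp_allows(header, "script-src", MATOMO_HTTP, PAGE_ORIGIN)
        print(f"{label:36} {MATOMO_HTTP}: {'allowed' if verdict else 'BLOCKED'}")


if __name__ == "__main__":
    main()
```

Running it prints the three verdicts: the https-only allowlist blocks the http:// script, the http:// allowlist passes it (and would still pass an https:// fetch), and the https-only allowlist plus `upgrade-insecure-requests` passes it because the request is upgraded first. In nginx terms that third case is just `upgrade-insecure-requests;` appended to the `add_header Content-Security-Policy` value, which keeps the stricter allowlist. One caveat worth checking when this is put into the `location /portainer/` block: `add_header` directives in a location replace, rather than extend, any `add_header` set in the enclosing server block, so the policy must be declared at the level where it is expected to apply.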