CSPR Errors when running passbolt behind reverse proxy

Could not find anything that solved the problem.

I am running passbolt (newest current version, September 30th 2019) on CentOS 7 (7.7.1908) in an LXC container on a Proxmox server sitting behind a pfSense router with HAProxy to offload SSL.

Passbolt is a clean install; the installation finished by pointing me to the web UI to finish setup. When I access the web UI I get an error:

Refused to load the image ‘XXXX’ because it violates the following Content Security Policy directive: “img-src ‘self’”.

The same goes for the css file.

I have tried some different settings (I have not tried altering core.php yet, as suggested in some other posts, because I want to keep the passbolt install as clean/standard as possible), but none have solved the problem.

The pfSense router needs to do SSL offloading, receiving the HTTP request and sending it as an HTTP request to the server. This is actually working, except that the install page looks like 1980's pre-rainbow-colored-letters markup because it will not load images and CSS due to the error mentioned above. The content sent back from the passbolt server is sent as HTTP (until it passes the router), so all the links that were generated in PHP have http:// in front of them instead of https://, which is causing the problems. I have tried adding name: X-Forwarded-Proto, fmt: https to the HAProxy settings but it doesn't fix the problem.

None of the posts about running this in Docker gave me any info that fixed this problem. Is there anyone here who knows what to change in passbolt to make it all work?

Hi @mokozuki,

I tried to reproduce your Passbolt setup with a configuration similar to yours, using HAProxy to offload SSL. In my scenario it works.

In order to help you with your issue, can you first provide:

  • your HAProxy configuration
  • the output of the bin/cake passbolt healthcheck command

It will help us to figure out what is not doing its job correctly.

Thanks.

Maxime

Hi Maxime,
Thanks for taking the time to help me out. Here are the configs.

haproxy.cfg:

# Automaticaly generated, dont edit manually.
# Generated on: 2019-10-03 01:36
global
        maxconn                 5000
        log                     192.168.x.6   syslog  info
        stats socket /tmp/haproxy.socket level admin 
        gid                     80
        nbproc                  1
        hard-stop-after         15m
        chroot                          /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param       2048
        log-send-hostname               HaProxy
        server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

frontend HttpToHttps
        bind                    1.2.3.1:80 name 1.2.3.1:80   
        bind                    1.2.3.4:80 name 1.2.3.4:80   
        mode                    http
        log                     global
        option                  dontlog-normal
        option                  http-keep-alive
        timeout client          30000
        acl                     acme    var(txn.txnpath) -m beg -i /.well-known/acme-challenge
        http-request set-var(txn.txnpath) path
        http-request redirect scheme https 

frontend HTTPS-Offloading-83
        bind                    1.2.3.4:443 name 1.2.3.4:443   ssl crt-list /var/etc/haproxy/HTTPS-Offloading-wanip2.crt_list  
        mode                    http
        log                     global
        option                  http-keep-alive
        option                  forwardfor
        acl https               ssl_fc
        http-request set-header X-Forwarded-Proto http if !https
        http-request set-header X-Forwarded-Proto https if https
        timeout client          30000
        acl                     passbolt   var(txn.txnhost) -m str -i passbolt.example.com
        http-request set-var(txn.txnhost) hdr(host)
        default_backend         PassboltServer_ipvANY

backend PassboltServer_ipvANY
        mode                    http
        id                      100
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        http-request add-header X-Forwarded-Proto https 
        server                  passbolt 192.168.x.7:80 id 101 check inter 1000 

bin/cake output:

[root@passbolt bin]# su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt healthcheck" nginx
Warning Error: SplFileInfo::openFile(/var/www/passbolt/tmp/cache/persistent/myapp_cake_core_translations_cake_console_en__u_s): failed to open stream: Permission denied in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 406]

Warning Error: SplFileInfo::openFile(/var/www/passbolt/tmp/cache/persistent/myapp_cake_core_translations_cake_console_en__u_s): failed to open stream: Permission denied in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 406]


     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell.....Exception: SQLSTATE[HY000] [2002] No such file or directory in [/var/www/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php, line 92]

The healthcheck is giving these errors probably because I haven't done the install wizard from the web page yet. The install web page is already giving the CSPR errors, so I wanted to have that work properly before I continue and complete the installation wizard of passbolt, in case this problem causes other problems.

I did not install MariaDB while running the CLI install script of passbolt; I have MariaDB running in another container.

Thanks for helping out.

mokozuki

Hey Mokozuki,

I made multiple tests to understand what is going on there. I took your config file and replaced the URLs that you provided with my container hostnames. (I am running a Docker stack with an HAProxy container, and each service in a different container.)

Scenario 1: with existing installation
It works. I can use Passbolt normally without CSP errors.

Scenario 2: without existing installation and define URL with https scheme
It works. No CSP errors. Images and CSS are loading normally until the end of the process install.

Scenario 3: without existing installation and define URL with http scheme
I ran into CSP errors. Images and CSS are not loaded but I can still go to the end of the process install.

I ran into the same result with your HAProxy config and mine. So I think that we can say that your HAProxy configuration is correct.

You might be in the Scenario 3. What was the URL that you provided during the setup? If it was with http, can you change it to ‘https’ during the setup? (Step 5 - Options)


Just so you know, if you have already done the full setup and don't want to do this again, you can still change it afterwards. There are different ways to do this:

  • Set the environment variable APP_FULL_BASE_URL to your URL with a https scheme
  • Override the value ‘fullBaseUrl’ in your passbolt.php file.


Let us know if it works for you! If not, we will try to work on it together!

Maxime

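The scheme mismatch behind Scenario 3 can be checked offline. The following Python script is an added example, not code from this thread or from the passbolt project: it extracts image, stylesheet and script URLs from a page and reports which ones a `img-src 'self'` / `style-src 'self'` / `script-src 'self'` policy would block, using the CSP rule that 'self' matches only the document's own scheme, host and port. The HTML and URLs are constructed samples; the rendered page an http:// fullBaseUrl produces looks like this when served over HTTPS.

```python
# Added example (not from the thread or passbolt): find asset URLs that a
# "<directive> 'self'" CSP would reject for a given page URL.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class AssetCollector(HTMLParser):
    """Collects (directive, url) pairs for <img>, stylesheet <link> and <script>."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.assets.append(("img-src", a["src"]))
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.assets.append(("style-src", a["href"]))
        elif tag == "script" and a.get("src"):
            self.assets.append(("script-src", a["src"]))


def _port(u):
    return u.port or {"http": 80, "https": 443}.get(u.scheme)


def matches_self(page_url, asset_url):
    """CSP3 'self': same host, same scheme and port; an http page may also load
    https assets, but an https page never matches http assets (the thread's case)."""
    p, a = urlsplit(page_url), urlsplit(urljoin(page_url, asset_url))
    if p.hostname != a.hostname:
        return False
    if p.scheme == a.scheme:
        return _port(p) == _port(a)
    return p.scheme == "http" and a.scheme == "https"


def csp_violations(page_url, html):
    """Return [(directive, url)] that 'self'-only directives would block."""
    c = AssetCollector()
    c.feed(html)
    return [(d, u) for d, u in c.assets if not matches_self(page_url, u)]


# Constructed sample: markup as generated when fullBaseUrl has an http:// scheme.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://passbolt.example.com/css/app.css">
</head><body><img src="http://passbolt.example.com/img/logo.png">
<script src="/js/app.js"></script></body></html>"""

if __name__ == "__main__":
    for d, u in csp_violations("https://passbolt.example.com/install", SAMPLE):
        print(f"blocked by {d} 'self': {u}")
```

Relative links such as /js/app.js inherit the page's scheme and pass, which is why only the absolute http:// links built from fullBaseUrl show up.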

Thanks for the help. I managed to get everything installed and working now.

I added 192.168.x.7 to the nginx config, then connected to the passbolt server using the IP instead of the hostname; that way I no longer got the CSPR errors. The rest of the install went fine (I used https://passbolt.example.com as base URL) until I had to set up the passbolt extension. The extension was already installed, so it went directly to its setup screen and had prefilled http:192.168.x.7, which could not be changed. But I just closed the tab and reopened one using https://passbolt.example.com and now it is working.

Thanks for the help!
