I am running Passbolt (newest current version, September 30th 2019) on CentOS 7 (7.7.1908) in an LXC container on a Proxmox server sitting behind a pfSense router with HAProxy to offload SSL.
Passbolt is a clean install; the installation finished by pointing me to the web UI to complete the setup. When I access the web UI I get an error:
Refused to load the image ‘XXXX’ because it violates the following Content Security Policy directive: “img-src ‘self’”.
The same goes for the CSS file.
I have tried some different settings (I have not tried altering core.php yet, as suggested in some other posts, because I want to keep the Passbolt install as clean/standard as possible), but none have solved the problem.
The pfSense router needs to do SSL offloading, receiving the http request and sending it as an http request to the server. This is actually working, except that the install page looks like 1980’s pre-rainbow-coloured-letters markup because it will not load images and CSS due to the error mentioned above. The content sent back from the Passbolt server is sent as http (until it passes the router), so all the links that were generated in PHP have http:// in front of them instead of https://, which is causing the problems. I have tried adding name: X-Forwarded-Proto, fmt: https to the HAProxy settings, but it doesn’t fix the problem.
None of the posts about running this in Docker gave me any info that fixed this problem. Is there anyone here who knows what to change in Passbolt to make it all work?
Hi Maxime,
Thanks for taking the time to help me out. Here are the configs:
haproxy.cfg:
# Automatically generated, don't edit manually.
# Generated on: 2019-10-03 01:36
global
    maxconn 5000
    log 192.168.x.6 syslog info
    stats socket /tmp/haproxy.socket level admin
    gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname HaProxy
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend HttpToHttps
    bind 1.2.3.1:80 name 1.2.3.1:80
    bind 1.2.3.4:80 name 1.2.3.4:80
    mode http
    log global
    option dontlog-normal
    option http-keep-alive
    timeout client 30000
    acl acme var(txn.txnpath) -m beg -i /.well-known/acme-challenge
    http-request set-var(txn.txnpath) path
    http-request redirect scheme https

frontend HTTPS-Offloading-83
    bind 1.2.3.4:443 name 1.2.3.4:443 ssl crt-list /var/etc/haproxy/HTTPS-Offloading-wanip2.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl passbolt var(txn.txnhost) -m str -i passbolt.example.com
    http-request set-var(txn.txnhost) hdr(host)
    default_backend PassboltServer_ipvANY

backend PassboltServer_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    http-request add-header X-Forwarded-Proto https
    server passbolt 192.168.x.7:80 id 101 check inter 1000
bin/cake output:
[root@passbolt bin]# su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt healthcheck" nginx
Warning Error: SplFileInfo::openFile(/var/www/passbolt/tmp/cache/persistent/myapp_cake_core_translations_cake_console_en__u_s): failed to open stream: Permission denied in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 406]
Warning Error: SplFileInfo::openFile(/var/www/passbolt/tmp/cache/persistent/myapp_cake_core_translations_cake_console_en__u_s): failed to open stream: Permission denied in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 406]
     ____                  __          ____
    / __ \____ _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
---------------------------------------------------------------
Healthcheck shell.....Exception: SQLSTATE[HY000] [2002] No such file or directory in [/var/www/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php, line 92]
The healthcheck is probably giving these errors because I haven’t done the install wizard from the web page yet. The install web page is already giving the CSP errors, so I wanted to have that work properly before I continue and complete the Passbolt installation wizard, in case this problem causes other problems.
I did not install MariaDB while running the CLI install script of Passbolt; I have MariaDB running in another container.
I made multiple tests to understand what is going on there. I took your config file and replaced the URLs that you provided with my container hostnames. (I am running a Docker stack with an HAProxy container, and each service in a different container.)
Scenario 1: with existing installation
It works. I can use Passbolt normally without CSP errors.
Scenario 2: without existing installation and define URL with https scheme
It works. No CSP errors. Images and CSS are loading normally until the end of the install process.
Scenario 3: without existing installation and define URL with http scheme
I ran into CSP errors. Images and CSS are not loaded, but I can still get to the end of the install process.
I get the same result with your HAProxy config and mine, so I think we can say that your HAProxy configuration is correct.
You might be in Scenario 3. What was the URL that you provided during the setup? If it was http, can you change it to ‘https’ during the setup? (Step 5 - Options)
Just so you know, if you have already done the full setup and don’t want to do it again, you can still change it afterwards. There are different ways to do this:
Set the environment variable APP_FULL_BASE_URL to your URL with an https scheme.
Override the value ‘fullBaseUrl’ in your passbolt.php file.
Let us know if it works for you! If not, we will try to work on it together!
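As an added illustration of the two points above (the OP's observation that links rendered as http:// break "img-src 'self'" on an https page, and Maxime's Scenario 3), here is a small Python script. It is not Passbolt's, HAProxy's or pfSense's code. It implements the CSP Level 3 'self' matching rule, so you can see why an https document refuses http:// assets from its own host, and it shows how an application behind an SSL-offloading proxy should pick the scheme for its generated links: honour X-Forwarded-Proto only when the request actually arrives from the proxy. The TRUSTED_PROXIES network, the sample headers, the asset paths and the peer addresses are all constructed for the example.

```python
"""Added example; not Passbolt's, HAProxy's or pfSense's code.

  * csp_self_allows()  - CSP Level 3 'self' matching. A document served over
    https may not load http:// assets from the same host, which is exactly the
    "img-src 'self'" refusal reported in the thread.
  * public_base_url()  - how an app behind an SSL-offloading proxy should pick
    the scheme for the absolute links it renders: honour X-Forwarded-Proto only
    when the request comes from the proxy itself.
TRUSTED_PROXIES, the sample headers and the asset paths are constructed.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Constructed: the LAN the SSL-offloading proxy (pfSense/HAProxy) lives on.
TRUSTED_PROXIES = [ip_network("192.168.1.0/24")]


def _effective_port(parts):
    """Explicit port, else the default port for the URL's scheme."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def csp_self_allows(page_url: str, resource_url: str) -> bool:
    """True if resource_url matches the 'self' source expression for a document
    at page_url (CSP Level 3 rules, redirects ignored)."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if page.hostname != res.hostname:
        return False
    # Ports must be equal, or each be the default for its own scheme.
    same_port = _effective_port(page) == _effective_port(res) or (
        _effective_port(page) == DEFAULT_PORTS.get(page.scheme)
        and _effective_port(res) == DEFAULT_PORTS.get(res.scheme)
    )
    if not same_port:
        return False
    if page.scheme == res.scheme:
        return True
    # 'self' tolerates a secure upgrade (http page -> https/wss asset), never a
    # downgrade: an https page fetching http://same-host is refused.
    return res.scheme in ("https", "wss") or (page.scheme == "http" and res.scheme == "ws")


def public_base_url(headers, peer_ip: str, listen_scheme: str = "http") -> str:
    """scheme://host the app should use in generated absolute links.

    headers is a list of (name, value) pairs so a header the proxy emitted
    twice is modelled faithfully; the first value wins. X-Forwarded-Proto from
    a peer that is not a trusted proxy is ignored, since a client talking to
    the backend directly could otherwise forge it and poison generated URLs."""
    host = next((v for k, v in headers if k.lower() == "host"), "")
    scheme = listen_scheme
    if any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        forwarded = [v for k, v in headers if k.lower() == "x-forwarded-proto"]
        if forwarded:
            first = forwarded[0].split(",")[0].strip().lower()
            if first in ("http", "https"):
                scheme = first
    return f"{scheme}://{host}"


def blocked_assets(base_url: str, page_url: str, asset_paths) -> list:
    """Asset URLs (built from base_url) that a browser would refuse under
    img-src 'self' / style-src 'self' for a document at page_url."""
    urls = [f"{base_url}{path}" for path in asset_paths]
    return [u for u in urls if not csp_self_allows(page_url, u)]


# Constructed sample requests as the backend sees them on port 80.
PROXIED = [
    ("Host", "passbolt.example.com"),
    ("X-Forwarded-Proto", "https"),  # set-header in the frontend
    ("X-Forwarded-Proto", "https"),  # add-header in the backend
]
UNPROXIED = [("Host", "passbolt.example.com")]
ASSETS = ["/img/logo.png", "/css/app.css"]  # constructed paths

if __name__ == "__main__":
    page = "https://passbolt.example.com/install"
    cases = [
        ("via trusted proxy", PROXIED, "192.168.1.6"),
        ("same header, but from an untrusted peer", PROXIED, "203.0.113.9"),
        ("no X-Forwarded-Proto at all", UNPROXIED, "192.168.1.6"),
    ]
    for label, hdrs, peer in cases:
        base = public_base_url(hdrs, peer)
        print(f"{label}: base={base} blocked={blocked_assets(base, page, ASSETS)}")
```

Run it and the "no X-Forwarded-Proto" and "untrusted peer" cases produce an http:// base URL, and every asset built from it is refused for the https install page, which is the symptom from the first post; only a base URL with the https scheme (Maxime's Scenario 2, or fullBaseUrl / APP_FULL_BASE_URL set to https) yields an empty blocked list. The posted haproxy.cfg sets X-Forwarded-Proto in the frontend and adds it again in the backend, so the backend receives the header twice; the sample request models that and the code takes the first value. The trusted-proxy check is the part a defender should not skip: if the backend is reachable directly on port 80, an arbitrary client could otherwise set X-Forwarded-Proto itself and steer the scheme of every link the app renders.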
Thanks for the help. I managed to get everything installed and working now.
I added 192.168.x.7 to the nginx config, then connected to the Passbolt server using the IP instead of the hostname; that way I no longer got the CSP errors. The rest of the install went fine (I used https://passbolt.example.com as base URL) until I had to set up the Passbolt extension. The extension was already installed, so it went directly to its setup screen and had http://192.168.x.7 prefilled, which could not be changed. But I just closed the tab and reopened one using https://passbolt.example.com, and now it is working.