Forward HTTP request through NGINX using subdomain to a specific port violates Content Security Policy
I want to expose a local web server through a remote web server. The remote host already has an Nginx and a web application (webmail). The remote server works as a gateway for the local web server, which is forwarding its port 80 to the remote 8080. This is working.
Now I want to forward the subdomain (e.g., bridge.mydomain.co) requests to the forwarded port. I tried using this:
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name bridge.mydomain.co;
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
The local web server is running a complex PHP application, so it is complaining with 40 errors like:
Refused to load the stylesheet '' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
E.g. (note the URL is not HTTPS, although the error is):
Refused to load the image 'http://bridge.mydomain.co/core/img/favicon-touch.png' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
and 56 of:
Refused to load the script '' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
I know I could expose the forwarded port directly; this works flawlessly. But I want to use (eventually) nginx for TLS termination and then forwarding.
Reading about this issue, it seems that the local web server in PHP is refusing the requests. Yet, I don't know how to fix it.
Any help?
UPDATE
Thanks to @BrunoMirchevski I noticed that the error refers to HTTPS, but the errors are pointing to HTTP URLs, so no idea why HTTPS errors are happening there. The server can be accessed in the local network using HTTP just fine.
Solution 1:[1]
Figured it out in the end. Thanks to the hint of the user @user973254. I needed to pass/add the following headers:
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name bridge.mydomain.co;
    proxy_pass_header server;
    location / {
        proxy_set_header Host $host;
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://bridge.mydomain.co http://bridge.mydomain.co:8080 http://bridge.mydomain.co/core/img/favicon-touch.png; img-src 'self' http://bridge.mydomain.co http://bridge.mydomain.co:8080;";
        proxy_pass http://bridge.mydomain.co:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
I believe the port version is not needed and there are some headers missing that are covered by the "default". So there is room for improvement.
If you want to read an explanation here there is some material from people more knowledgeable than me: How to Override Content-Security-Policy of Site A while using nginx proxy_pass on Site B for serving content?
Solution 2:[2]
If you read closely, the policy is all about the usage of HTTPS, in plain words. The issue here is that the policy expects the content to be loaded through HTTPS, but you are accessing the website through a non-SSL (http) connection. Please make a vhost for 443, cover your subdomain with an SSL certificate and try to visit the https:// version instead.
If you still experience difficulties with that, I recommend signing up for a web hosting provider and using a low-cost plan for dev purposes. They usually can also help with any SSL configuration and deployment. You can check for some good hosts here: https://hostadvice.com/managed-hosting/
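To make the browser's decision in the question's errors reproducible, and to compare the two answers' approaches, here is a small Content-Security-Policy evaluator. It is an added example, not code from the question or from either answer. It applies the directive fallback the error messages describe (`img-src` and `script-src-elem` falling back to `default-src`), matches the source expressions that appear on this page (`https:`, `data:`, `'self'`, host sources with an optional port or path), and checks a URL against every policy header a response carries. That last point is the caveat worth knowing about Solution 1: nginx `add_header` adds a header alongside whatever the upstream application already sends, and a browser that receives two `Content-Security-Policy` headers enforces both, so a load has to pass the stricter one as well. The policy strings and the favicon URL are copied from the page; the page origins passed to `allowed()` and the `demo()` helper are assumptions for the illustration.

```python
"""Evaluate a resource URL against one or more Content-Security-Policy
headers with browser-style directive fallback. Added example; the policy
strings and favicon URL come from the page, the page origins are assumed."""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Fallback chains a browser walks, most specific directive first.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src": ("script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "style-src": ("style-src", "default-src"),
    "img-src": ("img-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),
}


def parse_policy(header):
    """Split a CSP header into {directive: [source expressions]}.
    A repeated directive is ignored; the first occurrence wins."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_sources(policy, directive):
    """Source list that governs `directive` after fallback.
    None means no directive applies, so the load is permitted."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return policy[name]
    return None


def _port(parsed):
    return parsed.port or DEFAULT_PORTS.get(parsed.scheme)


def source_matches(expr, url, page):
    """Does one source expression permit the parsed `url`?
    `page` is the parsed origin of the document carrying the policy."""
    key = expr.lower()
    if key in ("'none'", "'unsafe-inline'", "'unsafe-eval'") or key.startswith(("'nonce-", "'sha")):
        return False  # keywords that never match a fetched URL
    if key == "'self'":
        # the spec lets an http origin load the https version of itself
        scheme_ok = url.scheme == page.scheme or (page.scheme == "http" and url.scheme == "https")
        return scheme_ok and url.hostname == page.hostname and _port(url) == _port(page)
    if key.endswith(":") and "/" not in key:
        # scheme-source such as `https:` or `data:`; `http:` also admits https
        scheme = key[:-1]
        return url.scheme == scheme or (scheme == "http" and url.scheme == "https")
    # host-source: [scheme://]host[:port][/path]; scheme defaults to the page's
    pat = urlparse(expr if "://" in expr else f"{page.scheme}://{expr}")
    scheme_ok = url.scheme == pat.scheme or (pat.scheme == "http" and url.scheme == "https")
    host = pat.hostname or ""
    host_ok = url.hostname.endswith(host[1:]) if host.startswith("*.") else url.hostname == host
    if not (scheme_ok and host_ok):
        return False
    if pat.netloc.endswith(":*"):
        port_ok = True
    elif pat.port is not None:
        port_ok = pat.port == _port(url)
    else:
        port_ok = _port(url) == DEFAULT_PORTS.get(url.scheme)
    if pat.path and pat.path != "/":
        path_ok = url.path.startswith(pat.path) if pat.path.endswith("/") else url.path == pat.path
    else:
        path_ok = True
    return port_ok and path_ok


def allowed(headers, directive, url, page_origin):
    """A load must satisfy every CSP header on the response: when nginx
    add_header appends a second policy, the upstream one still applies."""
    url_p, page_p = urlparse(url), urlparse(page_origin)
    for header in headers:
        sources = governing_sources(parse_policy(header), directive)
        if sources is not None and not any(source_matches(s, url_p, page_p) for s in sources):
            return False
    return True


# Policy quoted in the question's browser errors (sent by the upstream app).
UPSTREAM = "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
# Policy that Solution 1 adds with add_header.
PROXY = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
         "http://bridge.mydomain.co http://bridge.mydomain.co:8080 "
         "http://bridge.mydomain.co/core/img/favicon-touch.png; "
         "img-src 'self' http://bridge.mydomain.co http://bridge.mydomain.co:8080;")
FAVICON = "http://bridge.mydomain.co/core/img/favicon-touch.png"


def demo():
    """Constructed scenarios; the page origins are assumptions."""
    http_page, https_page = "http://bridge.mydomain.co", "https://bridge.mydomain.co"
    return {
        "http_under_upstream": allowed([UPSTREAM], "img-src", FAVICON, http_page),   # the question's error
        "https_under_upstream": allowed([UPSTREAM], "img-src", FAVICON.replace("http:", "https:"), https_page),  # Solution 2
        "http_under_proxy_only": allowed([PROXY], "img-src", FAVICON, http_page),    # Solution 1's policy alone
        "http_under_both": allowed([UPSTREAM, PROXY], "img-src", FAVICON, http_page),  # both headers present
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'blocked'}")
```

The four scenarios show why the original errors appear (an `http:` URL can never satisfy `default-src https:`), that serving the site over TLS as Solution 2 suggests satisfies the upstream policy without changing it, and that Solution 1's added policy only decides the outcome if the upstream header is no longer on the response. If the intent is to replace the application's policy rather than add to it, nginx's `proxy_hide_header Content-Security-Policy;` drops the upstream header before `add_header` supplies the new one; keep in mind that re-adding `'unsafe-inline'` and `'unsafe-eval'` and whitelisting plain-http origins weakens what the application's own policy was enforcing.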
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | ender.an27 |
| Solution 2 | BrunoMirchevski |
