Nginx + Reverse Proxy #1958

Closed
captainepoch opened this issue Jul 10, 2018 · 3 comments
@captainepoch
captainepoch commented Jul 10, 2018

Hi there! Thank you for making this project, I tried with a friend and it's awesome!

I'm trying to install it on my server. I have 2 VMs: one serves Nginx and the other is where FreshRSS (among other things) is set up.

When I try to configure the user, I run into problems.

This is my Nginx configuration for the Reverse Proxy of FreshRSS.

server {
        listen 80;
        server_name URL;

        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl http2;
        server_name URL;

        # Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate .../fullchain.pem;
        ssl_certificate_key .../privkey.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # Modern configuration. tweak to your needs.
        ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20$
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;

        ## Verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate .../cert.pem;

        resolver 8.8.8.8;

        location / {
                proxy_pass http://10.0.7.106/freshrss/p/;
                add_header X-Frame-Options SAMEORIGIN;
                add_header X-Content-Type-Options nosniff;
                add_header X-XSS-Protection "1; mode=block";
                proxy_redirect http://10.0.7.106/ URL;
                proxy_buffering off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass_header X-XSRF-TOKEN;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_read_timeout 90;
        }
}

This is the configuration for the FreshRSS Nginx.

server {
        listen 80;
        server_name _;

        root /var/www;
        index index.php index.html index.htm;

        location ~ ^.+?\.php(/.*)?$ {
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                # By default, the variable PATH_INFO is not set under PHP-FPM,
                # but the FreshRSS API greader.php needs it. If you have a "Bad Request"
                # error, double check this var!
                fastcgi_param PATH_INFO $fastcgi_path_info;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location / {
                try_files $uri $uri/ index.php;
        }
}

And, when I try to set up the user, I get this:

Do you have any idea of why? It may be about the CSP...

@mirabellette

Hello,

You are right, it is about Content Security Policy.

It forbids using scripts which are not from the domain URL set in NGINX.

Your NGINX script doesn't include a part about CSP. I guess you have another file where you can read "default-src".

I guess if you access your website directly from the $url it should work, but if you try to access it from http://10.0.7.106/freshrss/p/ this error will be raised in the console log. Not sure :/

I do not know a lot about NGINX, but why do you need to have a Google resolver in your configuration? :o

@captainepoch (Author)

I changed to Apache and everything started to work, I don't know why.

It is not a Google resolver but an OpenNIC resolver. It was put there while testing something not related to this issue; I copied the config from another vhost.

@mirabellette

Probably because Apache2 doesn't enable Content Security Policy by default. If you have time, you can do some research to enable it. I added this parameter to enable some Content Security Policy in a FreshRSS instance and it works well.

Header set Content-Security-Policy "object-src 'self'; img-src 'self'; font-src 'self'; media-src 'self'; connect-src 'self'; frame-ancestors 'none'; block-all-mixed-content;"

Happy you fixed it :)
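Added example (not part of the thread, and not FreshRSS, nginx or Apache code): a small Python evaluator of the browser-side rule mirabellette describes, i.e. how a Content-Security-Policy header decides whether a resource may be loaded. It assumes a constructed public hostname, rss.example.net, for the reverse proxy and uses the back-end address 10.0.7.106 from the issue. A policy of `default-src 'self'` refuses a script served from the back-end origin, which is the failure mode discussed above; checking the header posted in the last comment with the same function shows that it does not restrict scripts at all, because it names neither script-src nor default-src.

```python
"""Tiny Content-Security-Policy checker (added example; not FreshRSS or nginx code).

Given a CSP header, a fetch directive ("script-src", "img-src", ...) and the URL of a
resource, answers whether a page at `page_url` may load it. Supports the 'self',
'none' and '*' keywords, scheme-sources ("https:") and host-sources
("*.example.org", "http://10.0.7.106:80"), plus the fall-back to default-src.
Nonces, hashes and 'unsafe-inline' govern inline code, not URLs, so they never
match a URL here.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
}


def parse_csp(header: str) -> dict:
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def origin_of(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _port(u) -> int:
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme, 0)


def source_allows(source: str, url: str, page_url: str) -> bool:
    """Does one source expression permit loading `url` from a page at `page_url`?"""
    u, page = urlsplit(url), urlsplit(page_url)
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(url) == origin_of(page_url)
    if source == "*":
        return u.scheme in DEFAULT_PORTS           # any network scheme
    if source.endswith(":") and "/" not in source:
        return u.scheme == source[:-1]             # scheme-source, e.g. "https:"
    # host-source: [scheme://]host[:port|:*]
    scheme, _, hostport = source.rpartition("://")
    host, _, port = hostport.partition(":")
    if scheme:
        if u.scheme != scheme:
            return False
    elif u.scheme != page.scheme and not (page.scheme == "http" and u.scheme == "https"):
        return False                               # no scheme: inherit the page's; http may upgrade
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif (u.hostname or "") != host:
        return False
    if port == "*":
        return True
    if port:
        return _port(u) == int(port)
    return _port(u) == DEFAULT_PORTS.get(u.scheme)  # no port given: scheme's default port


def csp_allows(header: str, directive: str, url: str, page_url: str) -> bool:
    """True if the policy permits the fetch; no governing directive means unrestricted."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_allows(s, url, page_url) for s in sources)


# Constructed sample values: a made-up public hostname and the back-end address from the issue.
PAGE = "https://rss.example.net/"
OWN_SCRIPT = "https://rss.example.net/scripts/main.js"
BACKEND_SCRIPT = "http://10.0.7.106/freshrss/p/scripts/main.js"
STRICT_POLICY = "default-src 'self'; script-src 'self'"
# The header posted in the thread: no script-src and no default-src.
THREAD_POLICY = ("object-src 'self'; img-src 'self'; font-src 'self'; media-src 'self'; "
                 "connect-src 'self'; frame-ancestors 'none'; block-all-mixed-content;")

if __name__ == "__main__":
    for label, policy in (("strict", STRICT_POLICY), ("thread", THREAD_POLICY)):
        for script in (OWN_SCRIPT, BACKEND_SCRIPT):
            print(f"{label:6} script-src {script}: {csp_allows(policy, 'script-src', script, PAGE)}")
```

Run it directly to print the four verdicts; the two for the strict policy differ by origin only, which is why a page reached through the proxy still breaks if its HTML references scripts by the back-end address (or if proxy_redirect rewrites a URL back to it) while the policy says 'self'.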
