
Default Content Security Policy prevents login after upgrade to 3.0.13 #4417

Closed
paulholden opened this issue Jan 24, 2019 · 14 comments

@paulholden

Describe the bug
I upgraded to version 3.0.13 today (from 3.0.12), and found I am unable to log in to the site - checking the Chromium browser console, the following error is printed:

Refused to send form data to 'http://{RUNDECK}/' because it violates the following Content Security Policy directive: "form-action 'self'".


My Rundeck detail

  • Rundeck version: 3.0.13
  • install type: rpm
  • OS Name/version: Ubuntu 16.04.5
  • DB Type/version: MySQL 5.7

Seems related to the changes introduced in #4405 - note I haven't made any changes to the rundeck configuration since upgrading, as I expected the defaults would at least not break the site

@padraiglennon

Same here. Had to roll back to 3.0.12.

@sjrd218
Contributor

sjrd218 commented Jan 24, 2019

@paulholden I was able to replicate this behavior if I configured ssl for my Rundeck instance, but left the grails.serverURL in rundeck-config.properties pointed to the non ssl(http) endpoint of my Rundeck. As soon as I updated the grails.serverURL to point to the https endpoint I stopped seeing that error and it let me log in.

@paulholden
Author

Hi @sjrd218, I've checked the grails.serverURL value in rundeck-config.properties and it is already set correctly to the public HTTPS address of the site

My Rundeck instance is bound to 127.0.0.1:4440 (HTTP) and I use Apache as an SSL terminating proxy by adding the following to the RDECK_JVM variable in profile (as per documentation):

      -Drundeck.jetty.connector.forwarded=true \
      -Dserver.http.host=127.0.0.1 \

@gschueler
Member

Note: you can disable or modify the CSP headers if you are having issues, without downgrading rundeck:

rundeck.security.httpHeaders.provider.csp.enabled=false

You can also try just enabling the URL that doesn't seem to work by modifying the form-action directive:

rundeck.security.httpHeaders.provider.csp.config.form-action=self https://my-rundeck-host

@SergeyBear

SergeyBear commented Jan 25, 2019

Hi! Got the same issue with rundeck behind a proxy that terminates SSL.

Solution:

  1. Ensure that your proxy server sets the 'X-Forwarded-Proto' header to the scheme and passes it all the way down to rundeck. If it doesn't, the rundeck login script will use 'http' (see Always reroute to http://somewhere/rundeck/user/login, when using apache with reverse proxy for https #4201) and you'll get a CSP check error.

NOTICE: Don't forget that when you terminate SSL at the proxy, your scheme becomes 'http' on the next hop, so this is where 'X-Forwarded-Proto' comes in handy: you can pass its value to the next hop instead of the scheme.

  2. Ensure that you have set 'https' in 'grails.serverURL' in the 'rundeck-config.properties' config and added '-Drundeck.jetty.connector.forwarded=true' to 'RDECK_JVM' in the 'profile' config.

NOTE: If '-Drundeck.jetty.connector.forwarded=true' does not help, then try setting 'server.useForwardHeaders=true' in the 'rundeck-config.properties' config (see #4201).

All these steps ensure that you'll successfully pass the CSP checks ;-)
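The mechanism behind the steps above, and behind the form-action allowlist gschueler suggested, as an added model (not Rundeck's code): after TLS termination the last hop is plain http, so unless the proxy sets X-Forwarded-Proto and the app honours it, the login form is built with an http origin and the browser's `form-action 'self'` check fails against the https page origin. Header values, host names and the simplified CSP matcher are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed request headers as they arrive at the app after a TLS-terminating
# proxy (not captured traffic). The last hop is plain http in both cases.
HEADERS_WITH_PROTO = {"Host": "rundeck.example.org", "X-Forwarded-Proto": "https"}
HEADERS_WITHOUT_PROTO = {"Host": "rundeck.example.org"}


def effective_origin(headers, honour_forwarded, hop_scheme="http"):
    """Origin the app thinks it is served from (hypothetical model of the
    forwarded-header handling the thread describes, not Rundeck's code).
    Only when the app honours forwarded headers AND the proxy set
    X-Forwarded-Proto does it learn the client-facing https scheme."""
    scheme = hop_scheme
    if honour_forwarded and headers.get("X-Forwarded-Proto"):
        scheme = headers["X-Forwarded-Proto"]
    return f"{scheme}://{headers['Host']}"


def login_form_action(headers, honour_forwarded):
    # The login form posts to the app's own absolute base URL, which is why the
    # browser error above names 'http://{RUNDECK}/' as the refused target.
    return effective_origin(headers, honour_forwarded) + "/"


def form_action_allowed(page_origin, action_url, sources):
    """Simplified CSP form-action check covering only the 'self' keyword and
    absolute host sources (scheme + host must match), not the full spec."""
    target = urlsplit(action_url)
    target_origin = f"{target.scheme}://{target.netloc}"
    for src in sources:
        if src == "'self'" and target_origin == page_origin:
            return True
        if src.startswith(("http://", "https://")):
            s = urlsplit(src)
            if (s.scheme, s.netloc) == (target.scheme, target.netloc):
                return True
    return False


def login_passes_csp(headers, honour_forwarded, sources=("'self'",)):
    # The browser loaded the login page over TLS through the proxy, so the
    # document origin is https regardless of what the app believes.
    page_origin = "https://" + headers["Host"]
    action = login_form_action(headers, honour_forwarded)
    return form_action_allowed(page_origin, action, sources)
```

Note that an extra https host in the directive only helps when the form action is itself https; it does not rescue a form action that was built with the wrong scheme.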

@paulholden
Author

Thank you @SergeyBear, that seems to have resolved this 👍 - for reference, here is the additional line I've added to my vhost config:

RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

The following suggestions by you were already set:

  1. Ensure that you have set 'https' in 'grails.serverURL' in the 'rundeck-config.properties' config and added '-Drundeck.jetty.connector.forwarded=true' to 'RDECK_JVM' in the 'profile' config.

I guess this issue can be closed then.

@ds3783

ds3783 commented Jul 25, 2020

I met this problem. I fixed it by altering "framework.server.url" in /etc/rundeck/framework.properties and "grails.serverURL" in /etc/rundeck/rundeck-config.properties.

@jeffdyke

I hit this today; the responses here were helpful. Especially @gschueler's: personally I think rundeck.security.httpHeaders.provider.csp.enabled=false should be the default, though I am not sure how many people are using it behind a proxy, in my case nginx. Disabling this and setting the proper content-src to the https url, and grails.serverUrl to that same https url.

Hope this helps someone.

@7aklhz

7aklhz commented Mar 28, 2021

For those using docker, you need to add the following to your variables:
RUNDECK_SERVER_FORWARDED=true

@rajendrapopuri

rajendrapopuri commented Apr 5, 2021

I tried with nginx as a reverse proxy server with two rundeck CE instances running on different VMs, and I get the error even though I followed the above recommendations.

nginx configuration:

    # upstream group for the two Rundeck instances (as posted, both entries name rundeck1)
    upstream rd {
        server rundeck1.server.com:4443;
        server rundeck1.server.com:4443;
    }
    server {
        listen 9443 ssl;
        server_name nginx.server.com;
        ssl_certificate sslcert.crt;
        ssl_certificate_key sslkey.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        # Rundeck is served under the /rundeck context on both instances
        location /rundeck {
            proxy_pass https://rd/rundeck;
        }
    }

Rundeck Configuration:

    RDECK_JVM=-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true

    # one value per instance, in each instance's rundeck-config.properties
    grails.serverURL=https://nginx1.server.com:4443
    grails.serverURL=https://nginx2.server.com:4443

The Rundeck application loads with the nginx URL, but authentication is not happening; I notice the below error on the browser console.

Refused to send form data to 'https://nginx1.server.com:4443/' because it violates the following Content Security Policy directive: "form-action 'self'".

Actually authentication is happening in rundeck, but there is some issue with the nginx response, not sure exactly what.
If I point nginx at a single rundeck instance without the upstream block, then it works fine; however, I see the following messages on the browser console.

    proxy_pass https://nginx1.server.com:4443/rundeck;

Error is:
chunk-vendors.js:146391 Refused to connect to 'https://nginx1.server.com:4443/rundeck/tour/listAll' because it violates the following Content Security Policy directive: "connect-src 'self' https://api.rundeck.com ".

Need to tweak nginx configuration? Please advise. Thanks, Raj

@tristanlatr

tristanlatr commented Apr 5, 2022

We ran into this issue after upgrading to version 4.x, rolling back to 3.4.10 fixed it.
It seems that all my nginx and rundeck configuration are correct.
So you might want to consider re-opening this issue and investigate what's happening here.

@williamhargrove

To fix this I believe you need to set:

RUNDECK_SECURITY_HTTPHEADERS_PROVIDER_CSP_CONFIG_FORMACTION="self https://my-rundeck.domain"

However, if you do that - due to #6960 it will fail. I don't understand why that issue has been marked as stale as it is a trivial fix to resolve.

To work around that issue, I have set:

RUNDECK_SECURITY_HTTPHEADERS_PROVIDER_CSP_ENABLED="false" .. for the time-being. It's not great.

@gschueler
Member

@williamhargrove I submitted a pr to fix #6960 - #7680

@tristanlatr

FYI, I’m not using docker, so your patch @gschueler will not solve the issue.

Setting RUNDECK_SECURITY_HTTPHEADERS_PROVIDER_CSP_ENABLED="false" does not seem like a reasonable workaround, though.
