NGINX Security Headers

Discussion in 'Proxmox VE: Installation and configuration' started by Xela, Oct 26, 2017.

  1. Xela

    Xela Member
    Hi there,
    Today I successfully implemented the security headers for:

    • X-Content-Type-Options
    • X-XSS-Protection
    • Referrer-Policy
    • Strict-Transport-Security

    But the last two headers, Content-Security-Policy and X-Frame-Options, have been breaking my head all afternoon.
    For X-Frame-Options I tried all possibilities, but it seems that as soon as I set it the shell no longer works; the same goes for Content-Security-Policy. Is there a recommendation for these two headers for Proxmox?
     
  2. Xela

    Xela Member
    X-Frame-Options:
    • SAMEORIGIN: the shell is gray, nothing happens.
    • ALLOW-FROM https://example.com/: I tried localhost, localhost:8006, 127.0.0.1, 127.0.0.1:8006, also port 5900, the URL, the public IP, etc.
    Every time I enable that header the shell in Proxmox stays gray, and I have to disable the header again.
     
  3. Roger Kunz

    Roger Kunz New Member

    Hey,

    I know it's a little bit late but in case anyone is seeing this who is having the same problem:
    I had the same problem today and found a solution. When defining the 'Content-Security-Policy' you have to make sure you're setting the two values 'unsafe-eval' and 'unsafe-inline' in order to access Proxmox.

    My complete CSP string:
    default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' fonts.gstatic.com data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';

    From this point on you should be able to access Proxmox.
    The next problem I had was: I couldn't connect to the NoVNC Consoles.
    Make sure you've set these 3 parameters in your location {} block:
    proxy_set_header Host $host;
    proxy_set_header Connection "";
    proxy_set_header Upgrade $http_upgrade;

    If anyone needs some more help or wants to see my complete NGINX Configuration, please let me know.
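A complete reverse-proxy server block that puts the pieces from this thread together, added here as an example and not taken from any of the posts; the hostname and certificate paths are placeholders, Proxmox is assumed to listen on https://127.0.0.1:8006 on the same host, and the Connection header uses nginx's documented $http_upgrade map rather than the fixed value shown in the post above.

```nginx
# Assumed layout: Proxmox VE on https://127.0.0.1:8006 (same host), nginx
# terminating TLS for the placeholder name pve.example.com.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name pve.example.com;                              # placeholder

    ssl_certificate     /etc/nginx/ssl/pve.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/pve.example.com.key;   # placeholder

    # The four headers the thread reports as working unchanged. "always" also
    # attaches them to 4xx/5xx responses, which plain add_header skips.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # CSP exactly as posted above: the Proxmox web UI needs 'unsafe-eval' and
    # 'unsafe-inline' in script-src and 'unsafe-inline' in style-src.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' fonts.gstatic.com data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';" always;

    # X-Frame-Options is deliberately left out: the first posts report that it
    # greys out the console, and nothing in the thread resolves that.

    location / {
        proxy_pass https://127.0.0.1:8006;
        proxy_http_version 1.1;                  # required for WebSocket upgrade
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering off;
        proxy_read_timeout 3600s;                # keep long console sessions open
        client_max_body_size 0;                  # ISO / backup uploads

        # Caveat: an add_header inside this location would replace, not extend,
        # the server-level headers above; keep all security headers in one place.
    }
}
```

Verify with `curl -sI https://pve.example.com/` that every header above appears, then open a noVNC console to confirm the WebSocket upgrade still passes.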