Hi all

First of all - I'm pretty new to Zabbix but I thought I'd give it a shot. Sadly, it's been a bit harder than I expected, so I'm reaching out to the community in the hope that I'm not the only one that has come across this.

I've set up a fairly basic configuration of Zabbix on Ubuntu 20.04 LTS with PostgreSQL and Nginx on Azure (no reverse proxy) but I'm running into issues when hardening the setup for online availability.

Following the documentation found here I've enabled CSP to block XSS++ but doing so makes the site misbehave something fierce.

For example, as the doc outlines, I've set up /etc/zabbix/nginx.conf with the CSP below:

Code:
add_header Content-Security-Policy "default-src 'self';";

Using this causes Dashboard to have 0 graphs, the loader icon on Hosts just spins and a bunch of buttons are missing from all over the place.

The dev tools in Firefox aren't that helpful here; all I get is:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).

I tried a more granular approach to hopefully see what's being blocked. This is a basic Nginx starter policy (as recommended by https://content-security-policy.com/).

Code:
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';";

This gives the same functional results as previous attempts in Zabbix, but debugging in Firefox is a bit more detailed:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

This of course explains why the site looks weird and the graphs are missing, as neither scripts nor styles are being loaded. Question is though - why?

Anyone got any thoughts?

/Egil
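The console lines in the post are the browser applying CSP source matching: `'self'` only matches resources fetched from the page's own origin, so an inline `<script>` or `<style>` block is never covered by it, and with the first policy the browser names `default-src` because no `script-src`/`style-src` directive exists and those directives fall back to `default-src`. The second policy names `script-src` and `style-src` directly because they are now present. The evaluator below is an added example written for this thread (not Zabbix or nginx code); it parses a CSP header value the way a browser does for fetch directives, reports which directive governs a given load, and reproduces the two policies from the post against inline and same-origin resources. The page origin `https://zabbix.example.invalid/` and the resource URLs are constructed values.

```python
"""Minimal evaluator for CSP fetch directives ('self', 'none',
'unsafe-inline', nonces, host and scheme sources, default-src fallback).
Added example for explaining the Firefox console messages; hypothetical
helper code, not part of any project."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent
# (a subset of the CSP3 list; enough for a typical web frontend).
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                         "font-src", "frame-src", "media-src"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# The two policies from the post, verbatim header values.
POLICY_A = "default-src 'self';"
POLICY_B = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
            "img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';")
PAGE = "https://zabbix.example.invalid/"   # constructed page origin


@dataclass
class Resource:
    """A load the browser is about to make: directive plus either a URL or,
    for an inline <script>/<style> block, url=None (with an optional nonce)."""
    directive: str
    url: str | None = None
    nonce: str | None = None


def parse_policy(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.
    A repeated directive name is ignored after its first occurrence."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) triple used for 'self' comparison."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme, 0)


def host_source_matches(source: str, url: str) -> bool:
    """Match a host-source (cdn.example.com, https://cdn.example.com:8443,
    *.example.com) or a scheme-source (https:) against a resource URL."""
    scheme, host, port = origin(url)
    if source.endswith(":"):                       # scheme-source
        return scheme == source[:-1].lower()
    src = urlsplit(source if "://" in source else f"//{source}")
    if src.scheme and src.scheme.lower() != scheme:
        return False
    src_host = (src.hostname or "").lower()
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):
            return False
    elif src_host != host:
        return False
    return src.port is None or src.port == port


def evaluate(header: str, res: Resource, page_url: str) -> tuple[bool, str]:
    """Return (allowed, governing directive). The governing directive is the
    one the browser names in its console message."""
    policy = parse_policy(header)
    if res.directive in policy:
        governing = res.directive
    elif res.directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        governing = "default-src"
    else:
        return True, "(unrestricted)"
    sources = policy[governing]
    if not sources or sources == ["'none'"]:
        return False, governing
    if res.url is None:                            # inline block
        if res.nonce and f"'nonce-{res.nonce}'" in sources:
            return True, governing
        # 'unsafe-inline' is ignored once any nonce or hash source is present
        strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                     for s in sources)
        return ("'unsafe-inline'" in sources and not strict), governing
    for source in sources:
        if source == "'self'" and origin(res.url) == origin(page_url):
            return True, governing
        if source == "*" and origin(res.url)[0] in ("http", "https"):
            return True, governing
        if not source.startswith("'") and host_source_matches(source, res.url):
            return True, governing
    return False, governing


def console_message(header: str, res: Resource, page_url: str) -> str | None:
    """Firefox-style console line for a blocked load, or None if allowed."""
    allowed, governing = evaluate(header, res, page_url)
    if allowed:
        return None
    where = "inline" if res.url is None else res.url
    return (f"Content Security Policy: The page's settings blocked the loading "
            f"of a resource at {where} ({governing}).")


if __name__ == "__main__":
    loads = [Resource("script-src"), Resource("style-src"),
             Resource("script-src", url=PAGE + "js/main.js")]
    for name, policy in (("policy A", POLICY_A), ("policy B", POLICY_B)):
        for res in loads:
            print(name, "->", console_message(policy, res, PAGE) or "allowed")
```

Running it shows that both policies allow a same-origin `js/main.js` but block every inline block, with policy A reporting `default-src` and policy B reporting the specific directive, exactly as in the posted console output. To enumerate everything a policy would block without breaking the site, the same header value can be sent as `Content-Security-Policy-Report-Only` first; relaxing the policy with `'unsafe-inline'` makes the inline blocks load but also removes most of the protection against injected inline script, so a nonce or hash source is the stricter option where the application can emit one.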