1.6.0p9 Custom URL dashlet/External URL Bookmarks issue

Since I installed version 1.6.0p9, I can’t access external URLs in checkmk with Firefox or Edge. Only IE works. I experience this issue in the dashlets and bookmarks. Nothing appears on the page.
Firefox Network Trace says “blocked”, but I don’t know why.

Does anybody have the same Problem?

It looks like a Mixed Content problem.

Can you give some information on what your setup looks like (HTTPS/HTTP) and what your called links look like?

Hi andreas-doehler,

I have tested it with some different sites (internal, external - http, https). No site works after this checkmk update. So you can take any site you want. For example I tried https://checkmk.de.

In your marked entry you see “CSP” (Content Security Policy); that means your request is blocked because it violates this policy.
You can modify the content security settings inside the file
~/etc/apache/conf.d/security.conf or disable the config completely, which I do not recommend.
In my test environment without HTTPS I can access most external pages as long as they have no security settings of their own preventing the page from loading inside an iframe.

If I try to access something like heise.de from my bookmarks, then it gets blocked, but not by my Apache.

If the remote site blocks you - you will see something like

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

inside the response headers.


Hi andreas-doehler,

If I try https://heise.de as bookmark, nothing happens in Firefox.
I don’t understand the difference between the old and the new checkmk version.
Did you mean the apache config of the checkmk server?

For testing I have another checkmk server with 1.6.0p8.
It looks different:

1.6.0p8:

1.6.0p9:

CheckMK 1.5 had no Content Security Policy; 1.6 has one.

This file contains the security settings of your Apache instance inside your CMK site.

Are both of your sites secured with HTTPS?


Yes, both sites are secured with https.
What should I define in ~/etc/apache/conf.d/security.conf, so that I can allow some sites?

I copied the old security.conf (from 1.6.0p8) file to the new 1.6.0p9 location and restarted the server. It is still not working.

The security.conf is different between p8 and p9.
In p8 the header was set in a different way than in p9.

p9

# default-src:     Default policy for all not configured ones
#                  Allow custom URL handlers "ssh://" and "rdp://". These are used by some
#                  users for some custom icons for directory connecting to the monitored hosts.
# img-src:         Allow local images and data URLs e.g. from CSS files
#                  Allow access to openstreetmap tile server for NagVis Worldmap
# connect-src:     Allow AJAX calls to current scheme/url/port and the crash report API
# frame-ancestors: Only allow to include the pages served by this site in frames of same URLs
# base-uri:        <base>-Tag is limited to current scheme/url/port
# form-action:     Form submissions are limited to current scheme/url/port
#                  "javascript: 'unsafe-inline'" have been added for NagVis (Options > ... forms)
# object-src:      Disallow arbitrary plugins like flash or java, but allow PDF open e.g. in chrome
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ ; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'"

p8

# Default policy for all not configured ones
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'"

# Allow local images and data URLs e.g. from CSS files
# Allow access to openstreetmap tile server for NagVis Worldmap
Header always set Content-Security-Policy "img-src 'self' data: https://*.tile.openstreetmap.org/"

# Allow AJAX calls to current scheme/url/port and the crash report API
Header always append Content-Security-Policy "connect-src 'self' https://crash.checkmk.com"

# Only allow to include the pages served by this site in frames of same URLs
Header always append Content-Security-Policy "frame-ancestors 'self'"

# <base>-Tag is limited to current scheme/url/port
Header always append Content-Security-Policy "base-uri 'self'"

# Form submissions are limited to current scheme/url/port
# "javascript: 'unsafe-inline'" have been added for NagVis (Options > ... forms)
Header always append Content-Security-Policy "form-action 'self' javascript: 'unsafe-inline'"

# Disallow arbitrary plugins like flash or java, but allow PDF open e.g. in chrome
Header always append Content-Security-Policy "object-src 'self'"

I think I also see what was wrong with the policy in p8. There are two lines with “Header always set”; the second one overwrites the first one, and the first line is, as it is written, the default policy for all the content not configured below.


Yes, you are right.
Now I added “child-src *.mydomain.com” at the end of the “Header always set Content-Security-Policy”. That works for me. My “external” sites are now displayed.

Thank you very much for your help!

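As an added example for the two points above (andreas-doehler's observation that the second “Header always set” in p8 discards the first policy, and CLiX's child-src addition in p9), the Python below replays what Apache mod_headers does with `set`/`append` on Content-Security-Policy and then evaluates the resulting header the way a browser does for an iframe load, plus the remote-side check for a site that refuses to be framed. This is not code from the thread or from Checkmk. The Header lines are the p8/p9 excerpts quoted above; the site origin `https://monitoring.example.com`, the host `intranet.mydomain.com` and the constructed response headers are placeholders. Two facts it relies on: mod_headers merges an appended value onto the existing header with a comma, and browsers parse a comma-separated CSP value as a list of independent policies that must all allow the load; frame loads are governed by frame-src, falling back to child-src and then default-src.

```python
"""Replay Apache mod_headers `set`/`append` for Content-Security-Policy and
evaluate the result for <iframe> loads. Added example, not Checkmk code.
Site origin and *.mydomain.com hosts are assumed placeholders."""
import re
from urllib.parse import urlsplit

SITE = "https://monitoring.example.com"   # assumed Checkmk site origin

HEADER_RE = re.compile(
    r'^\s*Header\s+always\s+(set|append)\s+Content-Security-Policy\s+"([^"]*)"', re.I)


def effective_csp(conf_text):
    """`set` replaces the header value; `append` merges onto the existing value
    with ", " (what apr_table_merge() does inside mod_headers)."""
    value = None
    for line in conf_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        action, text = m.group(1).lower(), m.group(2)
        value = text if action == "set" or value is None else value + ", " + text
    return value or ""


def parse_policies(header_value):
    """A CSP header value is a comma-separated list of policies, each a
    semicolon-separated list of directives. Every policy is enforced; within
    one policy the first occurrence of a directive wins."""
    policies = []
    for policy_text in header_value.split(","):
        directives = {}
        for directive in policy_text.split(";"):
            parts = directive.split()
            if parts:
                directives.setdefault(parts[0].lower(), parts[1:])
        policies.append(directives)
    return policies


def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname or "", u.port)


def _source_matches(src, url, page_origin):
    """Simplified CSP source-expression matching (ports, paths, nonces and
    hashes are ignored; enough for host, wildcard-host and scheme sources)."""
    src = src.lower()
    u = urlsplit(url)
    if src.startswith("'"):
        if src == "'self'":
            return _origin(url) == _origin(page_origin)
        return False                      # 'none', 'unsafe-inline', nonces, hashes
    if src == "*":
        return u.scheme not in ("data", "blob", "filesystem")
    if src.endswith(":") and "/" not in src:
        return u.scheme == src[:-1]       # scheme-source such as ssh: or rdp:
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if scheme is not None and u.scheme != scheme:
        return False
    if scheme is None and u.scheme not in (urlsplit(page_origin).scheme, "https"):
        return False
    if host.startswith("*."):             # *.mydomain.com matches subdomains only
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def frame_allowed(header_value, frame_url, page_origin):
    """Would the browser load <iframe src=frame_url> under this header?
    frame-src falls back to child-src, then default-src; a policy with none of
    the three does not restrict frames at all (this is the p8 situation)."""
    for policy in parse_policies(header_value):
        sources = next((policy[d] for d in ("frame-src", "child-src", "default-src")
                        if d in policy), None)
        if sources is not None and not any(
                _source_matches(s, frame_url, page_origin) for s in sources):
            return False
    return True


def remote_blocks_framing(remote_url, response_headers, embedder_origin):
    """The other side of the problem: the remote page can refuse to be framed
    via CSP frame-ancestors (which takes precedence) or X-Frame-Options."""
    hdrs = {k.lower(): v for k, v in response_headers}
    for policy in parse_policies(hdrs.get("content-security-policy", "")):
        if "frame-ancestors" in policy:
            return not any(_source_matches(s, embedder_origin + "/", remote_url)
                           for s in policy["frame-ancestors"])
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return True
    if xfo == "SAMEORIGIN":
        return _origin(remote_url) != _origin(embedder_origin)
    return False


# The p8 and p9 directives as quoted in the thread.
P8_CONF = '''
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'"
Header always set Content-Security-Policy "img-src 'self' data: https://*.tile.openstreetmap.org/"
Header always append Content-Security-Policy "connect-src 'self' https://crash.checkmk.com"
Header always append Content-Security-Policy "frame-ancestors 'self'"
Header always append Content-Security-Policy "base-uri 'self'"
Header always append Content-Security-Policy "form-action 'self' javascript: 'unsafe-inline'"
Header always append Content-Security-Policy "object-src 'self'"
'''
P9_CONF = '''
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ ; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'"
'''
# CLiX's fix: child-src appended inside the single p9 policy (placeholder domain).
P9_FIXED_CONF = P9_CONF.rstrip().rstrip('"') + '; child-src *.mydomain.com"\n'

# Constructed response headers: a site that refuses framing (shape from the
# thread) and an intranet app that whitelists the Checkmk site as an ancestor.
DENY_HEADERS = [("X-Content-Type-Options", "nosniff"),
                ("X-Frame-Options", "DENY"),
                ("X-XSS-Protection", "1; mode=block")]
INTRANET_HEADERS = [("Content-Security-Policy", "frame-ancestors 'self' " + SITE)]

if __name__ == "__main__":
    for name, conf in (("p8", P8_CONF), ("p9", P9_CONF), ("p9+child-src", P9_FIXED_CONF)):
        csp = effective_csp(conf)
        print(f"{name}: heise framed? {frame_allowed(csp, 'https://heise.de/', SITE)}"
              f"  intranet framed? {frame_allowed(csp, 'https://intranet.mydomain.com/', SITE)}")
    print("DENY site blocks us:", remote_blocks_framing("https://www.heise.de/", DENY_HEADERS, SITE))
```

Running it shows why the behaviour changed: in p8 the second `Header always set` throws away the `default-src` policy, the appended policies contain no frame-related directive at all, so every iframe is allowed; in p9 the single policy's `default-src 'self'` governs frames and blocks every foreign origin. With `child-src *.mydomain.com` added, only subdomains of that domain are allowed (the bare `mydomain.com` is not), and a remote site that sends `X-Frame-Options: DENY` or a `frame-ancestors` list without your origin still will not render, whatever your own security.conf says.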

Even adding “child-src * .mydomain.com” didn’t work for me.

@CLiX can you write the steps down, this will help other people in future :) thanks
