Nagvis iFrame content blocked

CMK version: Checkmk Raw Edition 2.2.0p7
Operating System: Debian GNU/Linux 12 (bookworm)
OS version: 12.1
Kernel: Linux 6.1.0-10-amd64
Nagvis version : 1.9.36
PHP Version : 8.2.7
Apache Version : 2.4.57

Error message: This content is blocked. Contact the site owner to fix the issue.

Hello :slight_smile:

I need some help to understand how to configure nagvis to display a map from another Check_MK :confused:

Old Check_MK

Our current configuration runs on CentOS 8 and Check_MK 1.5.0p12. We use Nagvis on each server (6) to display an overview of the local IT infrastructure with traffic lights like this :

We also set up a map with an overview of all sites with this map : (As a new user, I can't upload a file yet)

Everything works fine.

New Check_MK

Our new setup will be configured with the versions described at the top of this post.

When I try to display the overview of all sites, only the overview of my local site is displayed and I get a blank square for all the others with the message "This content is blocked. Contact the site owner to fix the issue."

(I use Chrome)

Does anyone know how to get this fixed?

Best Regards,

I assume it is a mixed content issue and the following posts may be relevant:

This might also have to do with CSP. Maybe this helps: Working with HTTP(s) Iframes in Checkmk - Checkmk Knowledge Base

Thanks Yggy !

Like CLiX said, I tried to add the command "child-src *.mydomain.com" at the end of the "Header always set Content-Security-Policy" but I can't restart the omd service after that.

File : /opt/omd/sites/"OMD-SITE"/etc/apache/conf.d/security.conf

I disabled all Header lines in this file and it seems to have worked (half)

I am now trying to understand how this file works but I'm a little confused. I disabled the old line "Header always set Content-Security-Policy" and created a new one :

Old :

Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ https://license.checkmk.com/api/verify; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'; worker-src 'self' blob:" "expr=%{REQUEST_STATUS} != 200"

New :

Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ https://license.checkmk.com/api/verify; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'; worker-src 'self' blob:; frame-src 'self' 'unsafe-inline' 'unsafe-eval' *."MYDOMAIN".local"

I had to delete "expr=%{REQUEST_STATUS} != 200" and add frame-src 'self' 'unsafe-inline' 'unsafe-eval' *."MYDOMAIN".local"

Now the iFrame is displayed in Nagvis but the autologin doesn't work, and when I type the login/password, I'm completely redirected to the iFrame's URL instead of the URL being displayed in the iFrame of Nagvis.

Here is the link I use with the iFrame :

https://HOSTNAME.domain.local/"OMD-SITE"/check_mk/login.py?_origtarget=/"OMD-SITE"/nagvis/frontend/nagvis-js/index.php?mod=Map%26act=view%26show=Overview&_username=monitoring&_password=monitoring&_login=1

I have this error in Chrome :

login.py?_origtarget=%2F"OMD-SITE"%2Fnagvis%2Ffrontend%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview:6 
Unsafe attempt to initiate navigation for frame with origin 'http://"LOCALHOST" from frame with URL 'https://"REMOTEHOST"."MYDOMAIN".local/"OMD-SITE"/check_mk/login.py?_origtarget=%2F"OMD-SITE"%2Fnagvis%2Ffrontend%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview'. The frame attempting navigation is targeting its top-level window, but is neither same-origin with its target nor has it received a user gesture. See https://www.chromestatus.com/feature/5851021045661696.

(anonymous) @ login.py?_origtarget=%2F"OMD-SITE"%2Fnagvis%2Ffrontend%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview:6
Uncaught DOMException: Failed to set the 'href' property on 'Location': The current window does not have permission to navigate the target frame to 'https://"REMOTEHOST"."MYDOMAIN".local/"OMD-SITE"/check_mk/login.py?_origtarget=%2F"OMD-SITE"…rontend%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview'.
    at https://"REMOTEHOST"."MYDOMAIN".local/"OMD-SITE"/check_mk/login.py?_origtarget=%2F"OMD-SITE"…nd%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview:6:30
(anonymous)	@	login.py?_origtarget…26show%3DOverview:6

Does someone have a clue on this?

Best Regards,
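The two CSP checks involved in this thread, as an added example that is not part of the original posts or of Checkmk: the embedding page's `frame-src` (falling back to `child-src`, then `default-src`) decides which URLs it may load in an iframe, and the framed response's own `frame-ancestors` separately decides which origins may embed it. Host names are constructed placeholders, the policy strings are shortened from the ones quoted above, and source matching is simplified to scheme and host.

```javascript
// Added example: simplified model of CSP checks for iframes (ports and paths ignored).
// Parse a Content-Security-Policy value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

// Does one source expression match `url`, for a policy delivered by `selfOrigin`?
function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  if (source === "'self'") return u.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  if (source === '*') return ['http:', 'https:'].includes(u.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // Without an explicit scheme, a host source inherits the scheme of the protected page.
  const schemes = [m[1] ? m[1].toLowerCase() + ':' : new URL(selfOrigin).protocol];
  if (schemes[0] === 'http:') schemes.push('https:'); // http also matches the https upgrade
  if (!schemes.includes(u.protocol)) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
}

// Embedding page: frames are governed by frame-src, else child-src, else default-src.
function parentAllowsFrame(parentCsp, parentOrigin, frameUrl) {
  const p = parseCsp(parentCsp);
  const sources = p['frame-src'] ?? p['child-src'] ?? p['default-src'];
  return sources === undefined || sources.some(s => sourceMatches(s, frameUrl, parentOrigin));
}

// Framed response: its own frame-ancestors (no fallback) must admit the embedding origin.
function frameAllowsParent(frameCsp, frameUrl, parentOrigin) {
  const sources = parseCsp(frameCsp)['frame-ancestors'];
  const frameOrigin = new URL(frameUrl).origin;
  return sources === undefined || sources.some(s => sourceMatches(s, parentOrigin, frameOrigin));
}

// Constructed hosts; policy strings are shortened from the ones quoted in the thread.
const SHIPPED = "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; frame-ancestors 'self'";
const EDITED = SHIPPED + "; frame-src 'self' *.example.local";
const PARENT = 'https://central.example.local';
const REMOTE = 'https://site2.example.local/site2/nagvis/frontend/nagvis-js/index.php';
console.log(parentAllowsFrame(SHIPPED, PARENT, REMOTE), parentAllowsFrame(EDITED, PARENT, REMOTE), frameAllowsParent(SHIPPED, REMOTE, PARENT));
```

Because a scheme-less host source inherits the embedding page's scheme, an `https` page with `*.example.local` in `frame-src` still refuses an `http://` frame URL.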

Thanks Robin !

I will look into it !

Best Regards,

Hi Robin,

When I use this kind of URL :

http://cmkadmin:cmk@localhost/test/check_mk/view.py?view_name=allhosts

Chrome says : "Subresource requests whose URLs contain embedded credentials (e.g. `https://user:pass@host/`) are blocked. See Chrome Platform Status for more details."

I'll keep digging and let you know :slight_smile:

Best Regards,