Need help, adding header for psono

First: I know I shouldn't redact the URLs, but this is about security for a password manager and I don't want to call for hackers to try and attack it… I hope you guys understand.

  1. Caddy Version?
    v2.4.6

  2. My Caddyfile config

fs01.example.com {
        reverse_proxy /* {
                to 192.168.168.248:443
                transport http {
                        tls
                        tls_insecure_skip_verify
                }
        }
} 

2a. How do I run Caddy?
I run Proxmox with a VM running Debian 11 running Caddy.

2b. Command used?

service caddy restart

&

vi /etc/caddy/Caddyfile

  3. The problem I need help with

I recently set up a PSONO.PW server and experienced some issues uploading files to the fileserver (file upload in the web client gets stuck at 75%).
I've contacted the developer of PSONO and after troubleshooting we found that Caddy needs to add a header to the traffic, but he wasn't able to tell me how to do this in Caddy; he did give me a hint on how to do it on NGINX.

NGINX config

add_header Content-Security-Policy "default-src 'none';  manifest-src 'self'; connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.blob.core.windows.net https://*.s3.amazonaws.com; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self'";
  4. The error messages.
    It is not really giving errors, the file upload just gets stuck at 75%.
    Inspecting the web client network traffic does give me:
Content Security Policy: The page’s settings blocked the loading of a resource at https://fs01.example.com/fileserver/upload/ (“connect-src”). angular.js:13692:6
  5. What I came up with after lots of reading the Caddy docs and forum.

fs01.example.com {
        header / {
                Content-Security-Policy "default-src 'none';
                        manifest-src 'self';
                        connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.blob.core.windows.net https://*.s3.amazonaws.com;
                        font-src    'self';
                        img-src   'self' data:;
                        script-src 'self';
                        style-src 'self' 'unsafe-inline';
                        object-src  'none';"
        }
        reverse_proxy /* {
                to 192.168.168.248:443
                transport http {
                        tls
                        tls_insecure_skip_verify
                }
        }
}
  6. Link to what I'm trying to get to work
https://doc.psono.com/admin/installation/install-reverse-proxy.html#reverse-proxy-with-nginx

Yet, what I have in step 5 does not resolve my issue. Anybody out there with experience adding headers? Anybody able to help me with this?

You’re using a / matcher here, which means “match only requests to exactly / and nothing else”. Path matching in Caddy is exact. So, remove the / here so that this applies to all requests.

Also, you should probably avoid newlines and spaces in your header value here, just put it all on one line. I’m not sure browsers will accept the value properly if it includes newlines.

You can remove the /* here, it’s redundant because all request paths start with a / anyways. See the request matcher docs for more details:

You can simplify it to this:

	reverse_proxy https://192.168.168.248 {
		transport http {
			tls_insecure_skip_verify
		}
	}

Hi Francis,

Thank you for your response.
I went through your feedback/advice and narrowed it down to:

fs01.example.com {
header {Content-Security-Policy "default-src 'none';manifest-src 'self';connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.blob.core.windows.net https://*.s3.amazonaws.com;font-src 'self';img-src 'self' data:;script-src 'self';style-src 'self' 'unsafe-inline';object-src 'self'";}
        reverse_proxy https://192.168.168.248 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}

Yet, no worky… by now I figured out this is CORS related…

So what I have is the following… (restructured as you've advised)

#PSONO Password Manager
pass.example.com {
        reverse_proxy https://192.168.168.248 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}

fs01.example.com {
        reverse_proxy https://192.168.168.248 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}

What the developer told me exactly after troubleshooting was:
You need to modify the content security policy for pass.example.com and allow in your connect-src the connection to fs01.example.com.

So after reading that again I figured I might be doing this the wrong way around, and so placed the header (restructured on your advice :D) in the pass.example.com part:

header {Content-Security-Policy "default-src 'none';manifest-src 'self';connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.blob.core.windows.net https://*.s3.amazonaws.com;font-src 'self';img-src 'self' data:;script-src 'self';style-src 'self' 'unsafe-inline';object-src 'self'";}

Yet, no worky… oof, this last bit of getting it to work is getting hard…

Any thoughts on how to proceed? I'm stuck, I don't know how to do this… this header thing…

Any advice is welcome, thank you all for thinking with me!

Remove those { } braces. You should only use them if you’re writing a “block”, i.e. a multi-line block of config. Also, remove the ; semicolon, the Caddyfile format doesn’t use those.

Again, thank you for your time and quick response.
I've adjusted the line:

header Content-Security-Policy "default-src 'none' manifest-src 'self' connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.blob.core.windows.net https://*.s3.amazonaws.com font-src 'self' img-src 'self' data: script-src 'self' style-src 'self' 'unsafe-inline' object-src 'self'"

Tried the line in both sections, i.e. in pass.example.com (restart Caddy) and in fs01.example.com (restart Caddy); hell, I even tried putting the header line in both sections simultaneously (restart Caddy)… yet no worky…

So maybe if I fill you in on what's happening you have a better picture? I dunno.

So I access the pass.example.com part and log in on a web interface, being a password manager; in there I have the option to upload a file, and when I click upload it would upload it to the fileserver at fs01.example.com… I don't know, maybe this helps explain what I'm trying to achieve here…

Anyway, THANKS for your support up to now!

Make requests with curl -v to see if you do get the header back in the response as you expect.

Past that, I can’t really say what’s wrong with the header if you do see the value as expected, the CSP headers are very app-specific.
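Checking the header the way suggested above, as an added example that is not code from the thread, Caddy or Psono: a small CSP parser applying the connect-src/default-src fallback rule to two constructed values, the one-line value posted earlier with its `;` separators dropped, and the same directives with the separators restored and https://fs01.example.com added to connect-src as the Psono developer's note describes. Hostnames are the thread's own placeholders.

```python
# Added example (not from the thread, Caddy or Psono): parse a CSP value and
# ask whether an upload request from the page's origin to the file server
# would pass it. Both header values below are constructed for this example.

# The one-line value posted above, with the ';' directive separators dropped.
CSP_NO_SEPARATORS = (
    "default-src 'none' manifest-src 'self' connect-src 'self' "
    "https://static.psono.com https://api.pwnedpasswords.com "
    "https://*.digitaloceanspaces.com font-src 'self' img-src 'self' data: "
    "script-src 'self' style-src 'self' 'unsafe-inline' object-src 'self'"
)

# Same directives with ';' restored and the file server added to connect-src.
CSP_FIXED = (
    "default-src 'none'; manifest-src 'self'; "
    "connect-src 'self' https://fs01.example.com https://static.psono.com "
    "https://api.pwnedpasswords.com https://*.digitaloceanspaces.com; "
    "font-src 'self'; img-src 'self' data:; script-src 'self'; "
    "style-src 'self' 'unsafe-inline'; object-src 'self'"
)


def parse_csp(value: str) -> dict:
    """CSP grammar: ';' separates directives, whitespace separates sources."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            # Directive names are case-insensitive; a repeated name is ignored.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_matches(source: str, host: str) -> bool:
    """Match a scheme://host source (optionally '*.'-prefixed) against a hostname."""
    if "://" not in source:
        return False  # keywords ('self', 'none') and scheme sources (data:) never match a host
    src_host = source.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # '*.example.com' covers 'a.example.com'
    return host == src_host


def connect_allowed(value: str, page_host: str, target_host: str) -> bool:
    """Would an XHR/fetch from page_host to https://target_host pass this policy?"""
    policy = parse_csp(value)
    # connect-src governs XHR/fetch; when it is absent, default-src is the fallback.
    sources = policy.get("connect-src", policy.get("default-src", []))
    if sources == ["'none'"]:
        return False
    if "'self'" in sources and target_host == page_host:
        return True
    return any(host_matches(s, target_host) for s in sources)
```

With the separators dropped, the whole value parses as one default-src directive, so there is no connect-src at all and the upload to fs01.example.com is blocked; the fixed value allows it.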

I finally got it working!
Thank you for your support, this one can be closed.


What was the problem?

