Portainer and x-frame

DavidFW1960 · September 25, 2018, 12:12am

Hi there,

I’m getting an error trying to use Portainer in an iFrame.

In chrome it’s just blank but in Edge I get this error displayed:

I also think it’s something to do with the x-frame-options detailed here: Allow disable X-Frame-Options: deny dashboard response header · Issue #2279 · portainer/portainer · GitHub

My Caddyfile looks like this:

my-domain.duckdns.org {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
}
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

portainer.my-domain.duckdns.org {
    proxy / localhost:9000 {
        websocket
        transparent
    }
}

I can load portainer via https://portainer.my-domain.duckdns.org:xxxxx just not in a frame.

Anyone have a suggestion?

Whitestrake · September 25, 2018, 12:26am

Yeah, the X-Frame-Options header will cause that issue, but I don’t think it’s your header that’s doing it. It’s the one coming from Portainer itself, which you’re proxying to.

From the linked issue, it looks like Portainer sends X-Frame-Options: deny, which completely disallows iframes. The suggestion is made to use proxy_hide_header X-Frame-Options;, for which Caddy has an equivalent you can add to your proxy directive for Portainer: header_downstream -X-Frame-Options.

https://caddyserver.com/docs/proxy

DavidFW1960 · September 25, 2018, 12:32am

Are you able to show me how to do that? Looked at the doc but it’s not clear to me what I should do.

Whitestrake · September 25, 2018, 12:34am

Have a look at the advanced syntax section, where it shows the form of the directive with the braced block ( { and } ) and the subdirectives inside.

header_downstream is one of the subdirectives listed there. Put it inside the brace block, similarly to the subdirectives in the examples:

https://caddyserver.com/docs/proxy#examples

DavidFW1960 · September 25, 2018, 12:39am

So…

my-domain.duckdns.org {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
}
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

portainer.my-domain.duckdns.org {
    proxy / localhost:9000 {
        websocket
        transparent
        header_downstream -X-Frame-Options
    }
}

Is that all or is it in the right place?

EDIT: OK I did that and it fixed it.

Whitestrake · September 25, 2018, 2:36am

Looks good to me, give it a shot and see what happens.

system · December 24, 2018, 2:36am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.