openwisp / docker-openwisp

OpenWISP in docker. For production usage we recommend using the ansible-openwisp2 role.
https://openwisp.io/docs/dev/docker/
BSD 3-Clause "New" or "Revised" License

[bug] device charts are not loading #273

Closed Bixilon closed 3 months ago

Bixilon commented 1 year ago

Device charts refuse to load, because of: jquery.min.8fb8fee4fcc3.js:2 Refused to connect to 'https://openwisp-api.xx.muc/api/v1/monitoring/device/886d42ca-7fc6-4282-b6e5-a4a5b5e17c7f/?key=key&timezone=Europe/Berlin&time=7d' because it violates the following Content Security Policy directive: "connect-src *. wss: 'self'"

Adding a security policy header to nginx should fix that issue

We need to add the dashboard domain in /images/common/utils.sh + add it to the config if needed, see /etc/nginx/openwisp.ssl.template.conf

Aryamanz29 commented 1 year ago

I have tested with the edge tagged version and found no errors with the monitoring charts (see below).

[Screenshot from 2023-03-21 15-51-57]

Bixilon commented 1 year ago

What version of chromium are you using? I assume it is pretty new, so that should fit.

If you look at the network tab, from what url are the metrics loaded and what security header is present?

Aryamanz29 commented 1 year ago

I'm using google chrome:

➜  ~ google-chrome --version
Google Chrome 111.0.5563.64 

Request URL

https://api.openwisp.org/api/v1/monitoring/device/870a7bfe-1377-4f85-80ae-6ee9344ed36d/?key=e5896973a12f0390737125e3d642c3a2&timezone=Asia/Calcutta&time=1d

Response headers

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://dashboard.openwisp.org
Allow: GET, POST, HEAD, OPTIONS
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src http: https: data: blob: 'unsafe-inline'; script-src 'unsafe-eval' https: 'unsafe-inline' 'self'; frame-ancestors 'self'; connect-src *.openwisp.org wss: 'self'; worker-src https://api.openwisp.org blob: 'self';
Content-Type: application/json
Cross-Origin-Opener-Policy: same-origin
Date: Tue, 21 Mar 2023 11:29:10 GMT
Permissions-Policy: interest-cohort=()
Referrer-Policy: same-origin
Referrer-Policy: same-site
Server: nginx
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
Vary: Accept, Cookie, Origin
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

Request headers

Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cache-Control: no-cache
Connection: keep-alive
DNT: 1
Host: api.openwisp.org
Origin: https://dashboard.openwisp.org
Pragma: no-cache
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36

Bixilon commented 1 year ago

That is interesting, because the response differs:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 21 Mar 2023 11:51:08 GMT
Content-Type: application/json
Content-Length: 8246
Connection: keep-alive
Vary: Accept, Cookie, Origin
Allow: GET, POST, HEAD, OPTIONS
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: same-site
Content-Security-Policy: default-src http: https: data: blob: 'unsafe-inline';
                                          script-src 'unsafe-eval' https: 'unsafe-inline' 'self';
                                          frame-ancestors 'self'; connect-src *. wss: 'self';
                                          worker-src https://openwisp-api.xxx.muc blob: 'self';
Permissions-Policy: interest-cohort=()
Strict-Transport-Security: max-age=31536000

I don't have the following options:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://dashboard.openwisp.org

and the security header differs:

Content-Security-Policy: default-src http: https: data: blob: 'unsafe-inline'; script-src 'unsafe-eval' https: 'unsafe-inline' 'self'; frame-ancestors 'self'; connect-src *.openwisp.org wss: 'self'; worker-src https://api.openwisp.org blob: 'self';

especially the broken connect-src (*. vs *.openwisp.org)

Bixilon commented 1 year ago

My domain is in the format openwisp.xx-xx.muc, maybe the setup script fails with a dash?
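As an added example, not code from the docker-openwisp repository or its utils.sh, here is a small POSIX sh check for the two things this thread turns on: deriving the connect-src domain from a dashboard hostname (including one with a dash) and detecting a Content-Security-Policy header whose connect-src carries the truncated "*." wildcard. Function names are hypothetical and the sample header is constructed from the report above.

```shell
#!/bin/sh
# Added example (not the project's own script): derive the connect-src domain
# from the dashboard hostname and flag a CSP header with a bare "*." source.

# parent_domain HOST -> HOST minus its leftmost label ("openwisp.xx-xx.muc" -> "xx-xx.muc").
# A host with fewer than two dots is returned unchanged, so the result is never empty.
parent_domain() {
    case "$1" in
        *.*.*) printf '%s\n' "${1#*.}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# build_connect_src DASHBOARD_HOST -> the directive the nginx template should emit
build_connect_src() {
    printf "connect-src *.%s wss: 'self'\n" "$(parent_domain "$1")"
}

# csp_directive HEADER NAME -> the source list of directive NAME (empty if absent).
# Works on the folded multi-line form too, since each directive ends with ';'.
csp_directive() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p"
}

# csp_check_connect_src HEADER -> 0 if connect-src is present and has no truncated
# wildcard, 1 otherwise. A bare "*." matches no host, so the browser blocks every API call.
csp_check_connect_src() {
    sources=$(csp_directive "$1" connect-src)
    [ -n "$sources" ] || return 1
    (
        set -f   # the list contains "*" sources: no pathname expansion here
        for src in $sources; do
            [ "$src" = '*.' ] && exit 1
        done
        exit 0
    )
}

# Constructed sample: the broken header from the report, flattened onto one line.
BROKEN_CSP="default-src http: https: data: blob: 'unsafe-inline'; script-src 'unsafe-eval' https: 'unsafe-inline' 'self'; frame-ancestors 'self'; connect-src *. wss: 'self'; worker-src https://openwisp-api.xxx.muc blob: 'self';"

if csp_check_connect_src "$BROKEN_CSP"; then
    echo "connect-src ok"
else
    echo "connect-src is broken: $(csp_directive "$BROKEN_CSP" connect-src)"
    echo "expected: $(build_connect_src openwisp.xx-xx.muc)"
fi
```

Run the same check against the header your own instance returns (curl -sI on the monitoring URL) before and after changing the nginx template.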