commit ec4d724f2995e130054a981c0a9ccb654a98d0e9
author Joseph Reynolds <jrey@us.ibm.com> Wed Oct 17 11:24:06 2018 -0500
committer Brad Bishop <bradleyb@fuzziesquirrel.com> Tue Oct 23 13:29:40 2018 -0400
tree 3cf59e51c23dae985103d39c87c699ba165860a4
parent 12fca02687b481cc263ffeac707bb239a5780cca

Nginx allow secure websocket connections

This changes the nginx configuration so the HTTP response headers
for the phosphor-webui web applicaton will allow wss (secure
WebSocket) connections back to the host.  This is needed for the
Serial Over Lan (SOL) function.

A recent fix used Content-Security-Policy default-src 'self'
which unfortunately does not allow to wss connections.  For
details see https://github.com/openbmc/openbmc/issues/3409

Tested: The web app SOL function works

Resolves: openbmc/openbmc#3409

(From meta-ibm rev: ba115c67c50b8e9691bbdbc4132dfef563c327c0)

Change-Id: Ic46693c1c17ce83f422bc388ef1338894eeadb4d
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

meta-ibm/recipes-httpd/nginx/files/nginx.conf

diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
index be7faf9..befe986 100644
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -88,7 +88,7 @@
                 add_header X-Frame-Options deny;
                 add_header X-XSS-Protection "1; mode=block";
                 add_header X-Content-Type-Options nosniff;
-                add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' 'unsafe-eval' 'unsafe-inline'";
+                add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' wss: 'unsafe-eval' 'unsafe-inline'";
                 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
                 add_header Cache-Control "no-store,no-cache";
                 add_header Pragma "no-cache";