Nginx allow secure websocket connections
This changes the nginx configuration so the HTTP response headers
for the phosphor-webui web application will allow wss (secure
WebSocket) connections back to the host. This is needed for the
Serial Over LAN (SOL) function.
A recent fix used Content-Security-Policy default-src 'self'
which unfortunately does not allow wss connections. For
details see https://github.com/openbmc/openbmc/issues/3409
Tested: The web app SOL function works
Resolves: openbmc/openbmc#3409
(From meta-ibm rev: ba115c67c50b8e9691bbdbc4132dfef563c327c0)
Change-Id: Ic46693c1c17ce83f422bc388ef1338894eeadb4d
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
index be7faf9..befe986 100644
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -88,7 +88,7 @@
add_header X-Frame-Options deny;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
- add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' 'unsafe-eval' 'unsafe-inline'";
+ add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' wss: 'unsafe-eval' 'unsafe-inline'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Cache-Control "no-store,no-cache";
add_header Pragma "no-cache";
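Review bot: In the added Content-Security-Policy line, `wss:` is a scheme-only source inside `default-src`, so it permits secure WebSocket connections to any host, not only "back to the host" as the commit message describes, and it applies to every fetch directive that falls back to `default-src`. Consider leaving `default-src` as it was and adding a dedicated `connect-src` directive scoped to the serving host, for example `connect-src 'self' wss://$host` (this assumes `$host` matches the name and default port that clients use to reach the BMC). A short comment in nginx.conf noting that the `wss` source exists for the SOL console would also help later reviewers, since the same line still carries `'unsafe-eval' 'unsafe-inline'` with no explanation.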