My version of HedgeDoc is 1.9.9, on Debian bookworm (we are trying to copy the prod instance so we can upgrade to trixie in a test VM first).
What I expected to happen:
HedgeDoc should display the css and load the scripts properly, the links should be working.
What actually happened:
The homepage loads with a lot of errors in the web console:
Setting the document's base URI to 'https://myDomain:3000/' violates the following Content Security Policy directive: "base-uri 'self'". The action has been blocked.

Loading the stylesheet '<URL>' violates the following Content Security Policy directive: "style-src <URL> <URL> 'unsafe-inline' <URL>". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback. The action has been blocked.

Loading the script '<URL>' violates the following Content Security Policy directive: "script-src <URL> <URL> <URL> <URL> <URL> <URL> 'unsafe-inline' 'nonce-8fc1cfc3-db2d-48ee-8a7b-8cad3c98f4d4' 'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.
Also, I see a lot of links in the HTML head and in the body that have a :3000 port, and others that don't. When I manually delete the :3000 from the URL, it loads the page (still without styles or scripts, though).
<base href="myDomain:3000/">
<button type="submit" class="btn btn-default" formaction="myDomain:3000/register">Register</button>
I already tried:
I already tried what is said in the FAQ and followed the steps in the reverse-proxy guide: https://docs.hedgedoc.org/faq/#why-does-my-interface-look-weird
Here is my config.json file:
{
    "production": {
        "domain": "myDomain",
        "loglevel": "info",
        "protocolUseSSL": "true",
        "urlAddPort": "false",
        "cookiePolicy": "lax",
        "sessionSecret": "Nope",
        "db": {
            "username": "hedgedoc",
            "password": "Nope",
            "database": "hedgedoc",
            "host": "127.0.0.1",
            "port": "3306",
            "dialect": "mariadb"
        }
    }
}
And my Nginx file:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;
    server_name myDomain;

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }
}

server {
    server_name myDomain;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /socket.io/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/myDomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myDomain/privkey.pem;
    #include options-ssl-nginx.conf;
    # ssl_dhparam ssl-dhparams.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "same-origin";
}
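An added example, written for this page and not taken from HedgeDoc or from the post above, that models the symptom in the report: the posted config.json sets "protocolUseSSL" and "urlAddPort" to the JSON strings "true" and "false" rather than JSON booleans. Once JSON.parse has read such a file, the string "false" is a non-empty string and therefore truthy in JavaScript, so any truthiness test on it behaves as if the port should be added. The serverUrl() function below is a simplified re-implementation of that kind of domain/protocol/port assembly (an assumption about how the server URL is built, not HedgeDoc's own function), and baseUriAllowed() models the browser's CSP "base-uri 'self'" check, which compares the origin (scheme, host and port) of the <base href> with the origin of the page that was loaded. The hostname myDomain and the port 3000 are taken from the post; the default port constant is an assumption.

```javascript
// Added example (not HedgeDoc's code): why a string "false" in config.json
// can still put ":3000" into <base href> and then trip "base-uri 'self'".
// Assumption: config.json values are used directly in truthiness tests.

const DEFAULT_PORT = 3000; // assumed default listen port of the Node app

// Simplified model of server-URL assembly from config values.
function serverUrl(config) {
  if (!config.domain) return '';
  const protocol = config.protocolUseSSL ? 'https://' : 'http://';
  let url = protocol + config.domain;
  if (config.urlAddPort) {
    // Truthiness test: boolean false skips this, the string "false" does not.
    url += ':' + (config.port || DEFAULT_PORT);
  }
  return url + '/';
}

// The relevant keys exactly as they appear in the posted config.json
// (constructed here from the post; the values are strings, not booleans).
const postedConfig = {
  domain: 'myDomain',
  protocolUseSSL: 'true',
  urlAddPort: 'false',
};

// The same settings expressed as real JSON booleans.
const fixedConfig = {
  domain: 'myDomain',
  protocolUseSSL: true,
  urlAddPort: false,
};

// Lint step: list keys whose value is the string "true" or "false".
// JSON.parse accepts them silently, so this is the check to run by hand.
function findStringBooleans(config) {
  return Object.entries(config)
    .filter(([, value]) => value === 'true' || value === 'false')
    .map(([key]) => key);
}

// Model of the CSP "base-uri 'self'" check: <base href> must be same-origin
// (scheme + host + port) with the URL the browser actually loaded.
function baseUriAllowed(pageUrl, baseHref) {
  const page = new URL(pageUrl);
  const base = new URL(baseHref, pageUrl);
  return page.origin === base.origin;
}

// Walk both configs through the model and report what the browser would see.
const loadedPage = 'https://myDomain/'; // what the user types; nginx serves 443
for (const [name, config] of [['posted', postedConfig], ['fixed', fixedConfig]]) {
  const url = serverUrl(config);
  console.log(
    `${name}: string-valued booleans=${JSON.stringify(findStringBooleans(config))}` +
    ` base href=${url} base-uri 'self' allows it=${baseUriAllowed(loadedPage, url)}`
  );
}
```

With the posted values the model produces https://myDomain:3000/, whose origin differs from https://myDomain by the port alone, which is exactly the combination the console message reports; with boolean values the port is dropped and the base URI is same-origin.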
