
net::ERR_SPDY_PROTOCOL_ERROR on a fresh install #27

Open
supermamie opened this issue Aug 7, 2019 · 14 comments

Comments

@supermamie

I just installed lufi on my YunoHost instance and when I am connected, everything is fine. (I set it as private)
But when I send a link to someone else, no js or css are loaded.

The Content Security Policy 'default-src https: data: 'unsafe-inline' 'unsafe-eval'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
k2kGh2c3RO:19 GET https://upload.myserver.fr/js/ie-detection.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:18 GET https://upload.myserver.fr/css/lufi.css net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:25 GET https://upload.myserver.fr/img/lufi-min.png net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:76 GET https://upload.myserver.fr/js/jquery-2.2.4.min.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:17 GET https://upload.myserver.fr/css/materialize.min.css net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:78 GET https://upload.myserver.fr/js/lufi-common.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:96 GET https://upload.myserver.fr/js/filesize.min.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:104 GET https://upload.myserver.fr/js/sidenav.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:98 GET https://upload.myserver.fr/js/lufi-down.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:97 GET https://upload.myserver.fr/js/sjcl.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:103 GET https://upload.myserver.fr/js/materialize.js net::ERR_SPDY_PROTOCOL_ERROR
/img/favicon.png:1 GET https://upload.myserver.fr/img/favicon.png net::ERR_SPDY_PROTOCOL_ERROR
/img/lufi128.png:1 GET https://upload.myserver.fr/img/lufi128.png net::ERR_SPDY_PROTOCOL_ERROR
/img/lufi196.png:1 GET https://upload.myserver.fr/img/lufi196.png net::ERR_SPDY_PROTOCOL_ERROR

Side note: I have my TLS configuration set to modern (in case it has some impact).

@kay0u
Member

kay0u commented Aug 7, 2019

Hi, thank you for your report.

I can't reproduce this bug, can you try with another browser please?

@supermamie
Author

Both tests were done in Chrome and Chromium.
I didn't test in Firefox because I was connected but I opened a private session and it works.
I also tried in Firefox Focus on my phone and it works too.

So the problem is just Chrom*

(and maybe some other Chromium implementations)

@supermamie
Author

Tested also on Vivaldi (which uses Chromium), and it fails too.

@kay0u
Member

kay0u commented Aug 9, 2019

Are you using an old version of Chrom*?

https://blog.chromium.org/2016/02/transitioning-from-spdy-to-http2.html

Update: To better align with Chrome's release cycle, SPDY and NPN support will be removed with the release of Chrome 51.

I'll try to install Vivaldi. I can't reproduce with Vivaldi either.

@supermamie
Author

I'm using Chromium Version 76.0.3809.87 (no idea about the chrome version used for the other test)

@kay0u
Member

kay0u commented Aug 9, 2019

@ldidry maybe? Do you have any idea about that?

@ldidry
Contributor

ldidry commented Aug 9, 2019

Seems more like a problem with the web server or browser than with Lufi to me. @supermamie, can you provide us a copy of the Content-Security-Header sent by your Lufi, please?

@supermamie
Author

In Chrome I cannot show them, no idea why.
In Firefox, here are the headers received for /css/materialize.min.css (the same ones are sent for the other files):

HTTP/2.0 200 OK
server: nginx
date: Mon, 12 Aug 2019 12:15:47 GMT
content-type: image/x-icon
content-length: 15086
x-sso-wat: You've just been SSOed
set-cookie: SSOwAuthRedirect=;; Path=/yunohost/sso/; Expires=Thu, 01 Jan 1970 00:00:00 UTC; Secure; HttpOnly; SameSite=Lax ;;
x-content-type-options: nosniff
accept-ranges: bytes
last-modified: Mon, 06 Aug 2018 23:15:41 GMT
cache-control: max-age=2592000, must-revalidate
content-security-policy: upgrade-insecure-requests
etag: "23bca2ed764885d1b39000246367dfe6"
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy-report-only: default-src https: data: 'unsafe-inline' 'unsafe-eval'
x-download-options: noopen
x-permitted-cross-domain-policies: none
X-Firefox-Spdy: h2

@ldidry
Contributor

ldidry commented Aug 12, 2019

content-security-policy: upgrade-insecure-requests

This is not what Lufi itself sends by default. So I guess there is a problem with the YNH Nginx configuration or with SSOwat (I have no idea how it works).

@supermamie
Author

I just had a look in /etc/nginx/conf.d/lufi.myserver.fr.conf and there is:

    # Ciphers with modern compatibility
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
    # The following configuration use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:EC$
    ssl_prefer_server_ciphers on;


    # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
    # https://observatory.mozilla.org/

    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
    more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
    more_set_headers "X-Content-Type-Options : nosniff";
    more_set_headers "X-XSS-Protection : 1; mode=block";
    more_set_headers "X-Download-Options : noopen";
    more_set_headers "X-Permitted-Cross-Domain-Policies : none";
    more_set_headers "X-Frame-Options : SAMEORIGIN";

All of this is linked to the modern configuration in https://yunohost.org/#/security_en

@ldidry
Contributor

ldidry commented Aug 12, 2019

Those two lines are the problem:

    more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
    more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
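
A small audit of the two headers quoted above, as an added example (not code from Lufi, YunoHost or anyone in this thread): it parses a raw response like the one @supermamie pasted, and flags a report-only policy that names no report-uri (the condition Chrome warned about at the top of the issue) and an enforced policy that carries no fetch directive, so it restricts nothing about script or style loads. Both sample responses are constructed for the example; the first reuses the header values from the thread, the second shows a corrected pair, and the `/csp-report` path in it is hypothetical.

```python
"""Audit the CSP headers of a raw HTTP response.

Added example for this thread, not code from Lufi or YunoHost. The sample
responses below are constructed: the first reuses the header values pasted
earlier in the thread, the second shows a corrected pair of headers.
"""

# Constructed sample: the two CSP headers the thread identifies as the problem.
PROBLEM_RESPONSE = """\
HTTP/2.0 200 OK
server: nginx
content-type: text/css
content-security-policy: upgrade-insecure-requests
content-security-policy-report-only: default-src https: data: 'unsafe-inline' 'unsafe-eval'
strict-transport-security: max-age=63072000; includeSubDomains; preload
"""

# Constructed sample: an enforced policy with a real fetch directive and a
# report-only draft that names a reporting endpoint (hypothetical path).
FIXED_RESPONSE = """\
HTTP/2.0 200 OK
server: nginx
content-type: text/css
content-security-policy: default-src 'self'; upgrade-insecure-requests
content-security-policy-report-only: default-src 'self'; report-uri /csp-report
"""

# CSP fetch directives: only these restrict where resources may load from.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src",
}


def parse_headers(raw):
    """Return [(name, value)] for a raw response; names lowercased, status line skipped."""
    headers = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_csp(policy):
    """Serialized CSP -> {directive: [source expressions]}; directives are ';'-separated."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(raw_response):
    """Return a list of findings (strings); an empty list means nothing to report."""
    findings = []
    headers = parse_headers(raw_response)
    enforced = [v for n, v in headers if n == "content-security-policy"]
    report_only = [v for n, v in headers if n == "content-security-policy-report-only"]

    if not enforced:
        findings.append("no enforced Content-Security-Policy header")
    for policy in enforced:
        d = parse_csp(policy)
        if not FETCH_DIRECTIVES & set(d):
            findings.append("enforced policy has no fetch directive (e.g. default-src), "
                            "so it does not restrict where scripts or styles load from")

    for policy in report_only:
        d = parse_csp(policy)
        if "report-uri" not in d and "report-to" not in d:
            findings.append("report-only policy has no report-uri/report-to; "
                            "browsers discard it (the warning Chrome prints)")
        weak = [s for s in ("'unsafe-inline'", "'unsafe-eval'")
                if s in d.get("default-src", [])]
        if weak:
            findings.append("report-only draft allows " + ", ".join(weak)
                            + "; enforcing it would not stop injected inline scripts")
    return findings


if __name__ == "__main__":
    for label, raw in (("problem", PROBLEM_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_csp(raw) or ["ok"])
```

Feed it the header block copied from the browser's network panel (status line first, one header per line) to check a live instance; the audit only reads the CSP headers, so the other YunoHost security headers pass through untouched.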

@kay0u
Member

kay0u commented Aug 12, 2019

Thank you @ldidry !!

@supermamie could you please comment these lines (with a #) and do:

    systemctl reload nginx

And tell me if that fixes your problem.

@supermamie
Author

Same error in Chrome (due to some cache?).

@HugoPoi
Contributor

HugoPoi commented Mar 23, 2020

I have the same issue. I think there is a conflict when a sub-folder URL is used for Lufi.
