Correct loading Softaculous content

Discussion in 'Installation/Configuration' started by mymmo73, Jan 27, 2021.

  1. mymmo73

    mymmo73 Member

    Hi, I have installed Softaculous on ispconfig 3.2.2 debian 10, the problem is that it does not load the contents correctly so I contacted the support and they answered me like this: "It seems the Content Security Policy of your web server is not allowing to load contents from our mirror servers where the screenshots, ratings, reviews, etc are served from.

    Can you please check the Content Security Policy of your web server and allow loading content from all our mirror servers :
    softaculous.com
    api.softaculous.com
    s0.softaculous.com
    s1.softaculous.com
    s2.softaculous.com
    s3.softaculous.com
    s4.softaculous.com
    s5.softaculous.com
    s7.softaculous.com

    Please do let us know if the issue still persist."
    how can I allow the loading of contents to these links?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The content security policy is set in install and server templates. Does that run in the control panel or in a vhost? And is this apache or nginx? If apache you could probably overwrite the header in a .htaccess file, which might easier to maintain than a custom template.
     
  3. mymmo73

    mymmo73 Member

    it is apache2, so is it worth overwriting the hatccess file? If yes, how do you do it?
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    See https://content-security-policy.com/examples/htaccess/ for an example, and https://httpd.apache.org/docs/current/howto/htaccess.html for general htaccess info. You didn't say if softaculous runs in the control panel or in a vhost, but if the former, you may be able to to change the CSP only for the softaculous pages, not the entire control panel. And if you come up with a simple "drop in" htaccess file that you put into a softaculous directory to fix this, you might share it with them and ask that they distribute it to others.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Some links that might be useful, if you're running softaculous in a vhost, the current CSP is set here; if running inside the control panel, it is set here; and if you're running it in the apps vhost, it will be set here.
     
  6. mymmo73

    mymmo73 Member

    ok, my case is number 2 softaculous is installed in the ispconfig control panel, so if I understand correctly I have to create the directory with the file apache_ispconfig.vhost.master, and then insert inside the content <IfModule mod_headers.c> it's correct?
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You could copy the .master file to /usr/local/ispconfig/server/conf-custom/install/, make your changes to that file, then rerun the installer to configure services, or set the header in a .htaccess file.
     
  8. mymmo73

    mymmo73 Member

    can I ask you if the file configuration is correct?
    Code:
    <IfModule mod_headers.c>
        # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
        <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src softaculous.com api.softaculous.com s0.softaculous.com s1.softaculous.com s2.softaculous.com s3.softaculous.com s4.softaculous.com s5.softaculous.com s7.softaculous.com 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
        Header set X-Content-Type-Options: nosniff
        Header set X-Frame-Options: SAMEORIGIN
        Header set X-XSS-Protection: "1; mode=block"
        Header always edit Set-Cookie (.*) "$1; HTTPOnly"
        <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
        <IfVersion >= 2.4.7>
            Header setifempty Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        <IfVersion < 2.4.7>
            Header set Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        RequestHeader unset Proxy early
      </IfModule>
    
     
  9. mymmo73

    mymmo73 Member

    I know not I have tried and it does not work:confused:
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Softaculous is commercial software, why don't you contact their support and ask them to provide the content security settings that their system needs?
     
  12. mymmo73

    mymmo73 Member

    in fact I told them my problem but they answered what you see in post # 1
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    In your CSP, you are using "default", but that should be "default-src"
     
  14. mymmo73

    mymmo73 Member

    I have made many attempts but it does not work the last configuration was this
    Code:
    <IfModule mod_headers.c>
        # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
        Header set Content-Security-Policy: default-src 'self' api.softaculous.com; connect-src 'none';
        default-src 'self' softaculous.com; connect-src 'none';
        default-src 'self' s0.softaculous.com; connect-src 'none';
        default-src 'self' s1.softaculous.com; connect-src 'none';
        default-src 'self' s2.softaculous.com; connect-src 'none';
        default-src 'self' s3.softaculous.com; connect-src 'none';
        default-src 'self' s4.softaculous.com; connect-src 'none';
        default-src 'self' s5.softaculous.com; connect-src 'none';
        default-src 'self' s7.softaculous.com; connect-src 'none';
        <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
        Header set X-Content-Type-Options: nosniff
        Header set X-Frame-Options: SAMEORIGIN
        Header set X-XSS-Protection: "1; mode=block"
        Header always edit Set-Cookie (.*) "$1; HTTPOnly"
        <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
        <IfVersion >= 2.4.7>
            Header setifempty Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        <IfVersion < 2.4.7>
            Header set Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        RequestHeader unset Proxy early
      </IfModule>
    i made many attempts but it doesn't work the last configuration was this but it doesn't work
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It seems like quite a mess.

    Use this:
    Code:
    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
    Header set Content-Security-Policy "default-src
    softaculous.com api.softaculous.com s0.softaculous.com s1.softaculous.com s2.softaculous.com s3.softaculous.com s4.softaculous.com s5.softaculous.com s7.softaculous.com 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src
    softaculous.com api.softaculous.com s0.softaculous.com s1.softaculous.com s2.softaculous.com s3.softaculous.com s4.softaculous.com s5.softaculous.com s7.softaculous.com 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
    Remember that changes will be overwritten when doing a ISPConfig update.
     
  16. mymmo73

    mymmo73 Member

    nothing, it doesn't work, I'll describe what I'm doing: 1. I went to this directory / usr / local / ispconfig / server / conf-custom / install / 2. I created a file and renamed it "apache_ispconfig.vhost. master "then I put in the content you suggested.
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    That does not work as the vhost is only updated when you update ISPConfig and reconfigure services.
    Either run a forced updated now and reconfigure apache:
    Code:
    ispconfig_update.sh --force
    or change the vhost directly and restart apache2 after.
     
  18. mymmo73

    mymmo73 Member

    I forced the reconfiguration of the services, and I redid the procedure of post # 16 but it doesn't work
     
  19. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Alright, then let softaculous know it did not solve your issue so they can see what is wrong.
     
  20. mymmo73

    mymmo73 Member

    ok I'll let you know, for the memento thanks to everyone
     

Share This Page