lobe-chat
[Bug] Docker deployment: error when accessing via domain name
💻 Operating System
Windows
🌐 Browser
Chrome
🐛 Bug Description
Environment information
- Docker deployment
- Web server: NGINX
- Accessed via domain name
- CDN: Cloudflare
Error message:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'".
at Function (<anonymous>)
at a (0fab221e.2e81d7bf95577bbb.js?__WB_REVISION__=2e81d7bf95577bbb:15:2714)
at 0fab221e.2e81d7bf95577bbb.js?__WB_REVISION__=2e81d7bf95577bbb:15:3068
at 0fab221e.2e81d7bf95577bbb.js?__WB_REVISION__=2e81d7bf95577bbb:15:3470
at 0fab221e.2e81d7bf95577bbb.js?__WB_REVISION__=2e81d7bf95577bbb:1:745
at 44022 (0fab221e.2e81d7bf95577bbb.js?__WB_REVISION__=2e81d7bf95577bbb:6251:23945)
at i (webpack-550db4c573dd5429.js?__WB_REVISION__=MyKnlZIxmmAlPYNfzG2FK:1:167)
at 11499 (1499.fb859b2f2e8fb4ea.js?__WB_REVISION__=fb859b2f2e8fb4ea:1:164)
at Function.i (webpack-550db4c573dd5429.js?__WB_REVISION__=MyKnlZIxmmAlPYNfzG2FK:1:167)
Accessing via the domain name gives the error above; accessing via IP + port works normally. I'd like to ask whether the unsafe part of the code might be changed in the future?
🚦 Expected Behavior
Access works normally
📷 Reproduction Steps
Reproduce using the environment information given in the bug description.
📝 Additional Information
No response
👀 @macreee
Thank you for raising an issue. We will investigate the matter and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
There should be no unsafe scripts in the code. Is there some way to reproduce your case?
There should be no unsafe scripts in the code. Is there some way to reproduce your case?
I forgot to update this issue. I later checked with GPT and it turned out to be a problem with the nginx security policy; after changing the configuration it worked. I'll post the specific changes later.
✅ @macreee
This issue is closed. If you have any questions, you can comment and reply.
There should be no unsafe scripts in the code. Is there some way to reproduce your case?
It can be triggered when the reverse-proxy nginx includes the following security settings; every chat request sent to the server is then blocked locally by the browser: security.conf

```nginx
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# . files
# (the backslash escaping the dot was lost in the issue's rendering; restored here)
location ~ /\.(?!well-known) { deny all; }
```

Also, the above is the content of the security configuration file that the nginxconfig.io site generates by default. I fixed the problem after commenting out the import of that configuration file.
There should be no unsafe scripts in the code. Is there some way to reproduce your case?
I tested again, and the problem lies in this line:

```nginx
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
```
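As an added illustration (not code from the issue or from lobe-chat), the snippet below applies the CSP rule behind the `EvalError` above: `eval()` / `new Function()` is governed by `script-src`, which falls back to `default-src`, and is refused unless that directive lists `'unsafe-eval'`. It checks the exact header from the issue and a constructed variant that keeps the rest of the policy while granting eval only to scripts; that variant is an assumption about an alternative to dropping the header, not something the reporter tested.

```javascript
// Parse a Content-Security-Policy header into a map of directive -> source list.
// Per the CSP spec, when a directive name repeats inside one policy, the first
// occurrence wins and later ones are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether the policy lets the page run eval()/new Function().
// Fallback chain for eval: script-src, then default-src; if neither is
// present, eval is not restricted at all.
function evalAllowed(header) {
  const d = parseCsp(header);
  const governing = d.has('script-src')
    ? 'script-src'
    : d.has('default-src') ? 'default-src' : null;
  if (governing === null) return { allowed: true, governing: null };
  const sources = d.get(governing).map((s) => s.toLowerCase());
  return { allowed: sources.includes("'unsafe-eval'"), governing };
}

// The header from the issue: default-src has no 'unsafe-eval', so the
// browser refuses the bundle's new Function() call with the EvalError shown.
const ISSUE_CSP =
  "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';";

// Constructed variant (assumption, not from the issue): keep default-src as is
// and add a script-src that grants eval only to scripts, so the other
// directives from security.conf can stay in place.
const SCOPED_CSP = ISSUE_CSP + " script-src 'self' 'unsafe-inline' 'unsafe-eval';";

for (const [label, csp] of [['issue header', ISSUE_CSP], ['scoped script-src', SCOPED_CSP]]) {
  const r = evalAllowed(csp);
  console.log(`${label}: eval ${r.allowed ? 'allowed' : 'refused'} (governed by ${r.governing})`);
}
```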