2.27.1 New data source page not working

Hi,

Just installed 2.27.1 and have problems with some pages in the Admin UI.

  • Login does not forward to the “normal” page. I have to click for example Layer preview to get all the admin items visible.
  • On the New data source page none of the data type specific links work.

In console I can see some errors:

Log in:
Refused to send form data to ‘https://paituli-test.csc.fi/geoserver/j_spring_security_check’ because it violates the following Content Security Policy directive: “form-action ‘self’”.

New data source:
wicket-ajax-jquery-ver-8FBF37ACEFA139878F1F4590E87D62F8.js:1767 Refused to send form data to ‘https://paituli-test.csc.fi/geoserver/web/wicket/bookmarkable/org.geoserver.web.data.store.NewDataPage?13-1.-storeForm’ because it violates the following Content Security Policy directive: “form-action ‘self’”.

The installation was done using the war and we also have ~10 extensions installed.

With 2.26.2 and an exactly similar installation, the same problems do not exist.

Has anybody else had similar problems?

Kylli Ek

Hi,

The Content Security Policy was introduced with 2.27. It seems quite strange that your URL isn’t allowed by default, but you can fix it in the Admin module. It might seem rather complex to configure and the most used “fix” I have seen is to disable it.

Here is a link to the user documentation.

Best regards,
Roar Brænden

Welcome @ktiits

Please also refer to the Upgrade documentation (on CSP).

Peter

If https://paituli-test.csc.fi is GeoServer’s proxy base URL but that is not the URL in your browser’s address bar, then you can try setting Inject proxy base URL into header to true. Otherwise, the easy options available with 2.27 would be to set Report violations without enforcement to true to see CSP violations without blocking anything or to set Enabled Content-Security-Policy header to false to completely disable CSP.

Big thanks for all the answers.

By disabling CSP I get it working, but would rather fix our settings.

We have proxy_url in use and it is https://paituli-test.csc.fi/geoserver
Also in the browser I see paituli-test.csc.fi/geoserver (https is hidden, but it is https)

We have nginx proxy in use with relevant settings being:

    # Send all http requests to https
    server {
        listen 80;

        server_name _;

        return 301 https://$host$request_uri;
    }

    # Send all geoserver requests to the right port internally. Internally it is http.
    server {
        listen 443 default_server ssl;

        ...

        proxy_set_header Host $host;
        proxy_pass_header Set-Cookie;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        # Redirect to GeoServer Tomcat
        location /geoserver/ {
            proxy_pass http://127.0.0.1:8080/geoserver/;
        }
    }

While disabling CSP I can see 3 requests happening in both cases:

  1. https://paituli-test.csc.fi/geoserver/web/wicket/bookmarkable/org.geoserver.web.data.store.NewDataPage?9-1.-storeForm
     POST
     302 → redirects to http://paituli-test.csc.fi/geoserver/web/wicket/page?10
     host paituli-test.csc.fi
     origin https://paituli-test.csc.fi

  2. http://paituli-test.csc.fi/geoserver/web/wicket/page?10
     GET
     200
     host paituli-test.csc.fi
     (no origin visible)
     (Does not have any response; I can see that it is redirected, but not in the same way as the first request.)

  3. https://paituli-test.csc.fi/geoserver/web/wicket/page?10
     GET
     200
     origin https://paituli-test.csc.fi
     (no host visible)
     Response as expected.

If CSP is enabled, then only the first of these requests happens.

My understanding of these is very limited, but it seems to me that the login page and the new data source page are not following the proxy_url setting?

Kylli

I had similar issues. Geoserver is also behind a proxy.
I ended up using the same example as sikeoka suggested to set Report violations without enforcement to false.
In my case Inject proxy base URL into header did not correct my CSP issue.

I am using the official docker image and tried mitigating by adding
org.geoserver.web.csp.strict=false to the environment, assuming that would do the same as the change in the GUI. But it had no effect.
I also tried adding geoserver.csp.formAction='self' https://my.domain.com, which also did not help in my case.

This is beyond my type of expertise, I just want to report that I had the same issue as ktiits and how I temporarily fixed it.


Your particular scenario has been discussed previously but I don’t know what the decision was from that since I can’t test this setup. Unfortunately, the https to http redirect on form submissions is considered to be insecure and blocked by CSP even when it is the same host (http to https redirects are okay).

The issue is that when the proxy uses http to pass the request to geoserver, geoserver will use http in the Location response header. You could either configure the proxy to modify the Location header or to use https to pass the request to geoserver. A quick search suggested something like proxy_redirect http:// https://; but I’ve never used nginx so I can’t confirm that this works.

geoserver.csp.formAction wasn’t backported to 2.27.x so it will only be available with the next geoserver version but I could try to backport it into 2.27.2.

Hi,

Thanks for comments.

It seems that changing the geoserver forwarding like this fixes the problem.

        location /geoserver/ {
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Scheme https;
            proxy_pass http://127.0.0.1:8080/geoserver/;
        }

Kylli

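The mechanism sikeoka describes (an https-to-http redirect on a form POST being refused by `form-action 'self'` even on the same host) and the effect of Kylli's X-Forwarded-Proto fix can be checked offline. The following Python script is an added example, not code from this thread or from GeoServer or nginx. It parses constructed response heads, walks the redirect chain a form POST produces, and applies the CSP rule: `'self'` means the same origin as the submitting page, an origin is the triple (scheme, host, port), and browsers evaluate form-action against the submission URL and every redirect target after it. The host name and URLs are the ones Kylli listed; the response bodies, the 301 on the http hop (taken from the port-80 server block in the posted nginx config) and the two response sets are constructed assumptions, not captured traffic.

```python
"""Check a form-submission redirect chain against CSP ``form-action 'self'``.

A browser applies form-action to the form's submission URL and to every
redirect target it is sent to afterwards.  'self' means "same origin as the
page", and an origin is the triple (scheme, host, port), so an https page
whose POST is answered with ``Location: http://same-host/...`` has left its
origin and the navigation is refused.  The responses below are constructed
from the headers reported in the thread; they are not captured traffic.
"""
from urllib.parse import urljoin, urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}
_REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin_of(url):
    """Return the (scheme, host, port) triple a browser treats as the origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or _DEFAULT_PORTS.get(scheme)


def parse_response_head(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def follow_form_submission(page_url, action_url, responses):
    """Walk the chain a POST to ``action_url`` produces under form-action 'self'.

    ``responses`` maps each request URL to the raw response head the server
    returns for it.  Returns (allowed, visited_urls, offending_url); the
    chain is allowed only if every visited URL shares the page's origin.
    """
    page_origin = origin_of(page_url)
    url, visited = action_url, []
    while True:
        visited.append(url)
        if origin_of(url) != page_origin:
            return False, visited, url          # the browser stops here
        status, headers = parse_response_head(responses[url])
        if status in _REDIRECT_STATUSES and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return True, visited, None


# Constructed sample exchange; host name and paths taken from the thread.
HOST = "paituli-test.csc.fi"
PAGE = ("https://%s/geoserver/web/wicket/bookmarkable/"
        "org.geoserver.web.data.store.NewDataPage" % HOST)
ACTION = PAGE + "?9-1.-storeForm"
HTTP_PAGE = "http://%s/geoserver/web/wicket/page?10" % HOST
HTTPS_PAGE = "https://%s/geoserver/web/wicket/page?10" % HOST
OK_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

# Before the fix: GeoServer saw a plain-http request from the proxy and built
# an http Location.  The port-80 server block then 301s back to https, but
# the http hop has already left the page's origin.
BROKEN = {
    ACTION: "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % HTTP_PAGE,
    HTTP_PAGE: "HTTP/1.1 301 Moved Permanently\r\nLocation: %s\r\n\r\n" % HTTPS_PAGE,
    HTTPS_PAGE: OK_200,
}

# After the fix (X-Forwarded-Proto https): the Location keeps https.
FIXED = {
    ACTION: "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % HTTPS_PAGE,
    HTTPS_PAGE: OK_200,
}


def report(label, responses):
    """Print and return the form-action verdict for one constructed exchange."""
    allowed, visited, bad = follow_form_submission(PAGE, ACTION, responses)
    print("%s: %s" % (label, "allowed" if allowed else "blocked at " + str(bad)))
    for step in visited:
        print("   ", origin_of(step), step)
    return allowed


if __name__ == "__main__":
    report("before proxy fix", BROKEN)
    report("after proxy fix", FIXED)
```

Running it shows the "before" chain blocked at the second hop: the origin changes from `('https', 'paituli-test.csc.fi', 443)` to `('http', 'paituli-test.csc.fi', 80)`, which is why only the first request appears in the browser when CSP is enforced, and why the later http-to-https 301 cannot rescue it. One caveat on the nginx side of the fix: nginx inherits `proxy_set_header` directives from the enclosing `server` block only when the `location` defines none of its own, so once `X-Forwarded-Proto` is set inside `location /geoserver/`, the server-level `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Host` headers are no longer sent for that location unless they are repeated there.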

Hi Kylli, great that you could find a solution to the problem.

Do you think that others could benefit from your findings? Do you have time to contribute a quick enhancement to the documentation that might save others days/weeks of frustration?

I would love it if you could update the documentation (upgrade link above) with your suggestion - all it takes is a GitHub account and following these instructions: Quickfix — GeoServer 2.28.x Documentation Guide

Peter

Hi,

This is a very specific use case. Geoserver documentation does not even mention using nginx as a proxy, let alone having such https/http redirects. So I do not think there is any good place for this in GeoServer documentation.

I hope people who need it will find it with a search engine. I just tried Google and it already found this page.

Kylli

Kylli, … open source does not work by suggestion - it is a participation game :slight_smile:

So if you found this thread valuable please read here how to add to the GeoServer documentation (perhaps this page?)

TLDR: Every page has an edit button, add a heading for NginX tips to share what you have learned please.