Firefly on Cloudflare Tunnel have CSP Error

[dinutek]

Support guidelines

• I've read the support guidelines

I've found a bug and checked that ...

• ... the documentation does not mention anything about my problem
• ... there are no open or closed issues that are related to my problem
• ... it's definitely a Firefly III issue, not me

Description

Firefly iii on local server is working fine. but when i tunnel it through cloudflare it cannot able to load js properly because of violation of the Content Security Policy error. error log attached for your informaiton.

Debug information

Refused to load the font '<FONT_URL>' because it violates the following Content Security Policy directive: "font-src 'self' data:".

Refused to load the script 'https://budget.mydomain.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js' due to a violation of the Content Security Policy directive: "script-src 'unsafe-eval' 'strict-dynamic' 'self' 'unsafe-inline' 'nonce-fyvJqbqlpypENfOL53xNDA=='". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

app.js?v=6.1.7:2 Refused to connect to 'http://budget.mydomain.com/chart/account/frontpage' because it violates the following Content Security Policy directive: "connect-src 'self'".

app.js?v=6.1.7:2 Refused to connect to 'http://budget.mydomain.com/chart/account/expense' due to a violation of the Content Security Policy directive: "connect-src 'self'".

app.js?v=6.1.7:2 Refused to connect to 'http://budget.mydomain.com/chart/account/revenue' because it violates the following Content Security Policy directive: "connect-src 'self'".

app.js?v=6.1.7:2 Refused to connect to 'http://budget.mydomain.com/json/frontpage/piggy-banks' due to a violation of the Content Security Policy directive: "connect-src 'self'".

Expected behaviour

it should load all the graphs even when we tunnel.

Steps to reproduce

Tunnel local firefly iii to a remote website using Cloudflare Tunnel.

Additional info

No response

[JC5]

That's not a bug I'm afraid, that's a configuration error. Firefly III does not know you're using a TLS connection.

I'm not sure how it works in Cloudflare, but these are the nginx/Apache instructions:

https://docs.firefly-iii.org/references/faq/install/#how-do-i-set-tls-in-firefly-iii-or-the-data-importer

[juanriestra]

I was having the same problem and i was able to solve it by disabling the Always HTTPS in the cloudflare dashboard. Im able to access remotly with http. im going to try this https://docs.firefly-iii.org/references/faq/install/#how-do-i-set-tls-in-firefly-iii-or-the-data-importer but i don´t know if that should be adding that to the .env file or somewhere else.

[nwalke]

Did you set https://budget.mydomain.com as your APP_URL or http://budget.mydomain.com? I'm using Cloudflare funnels and have no issue. I wouldn't recommend disabling https :/

[juanriestra]

I've tried both with no success, disabling https was only a temporary solution until im able to fix this, also have modified TRUSTED_PROXIES=**
After every change i restart the container.

[juanriestra]

i've currently configured in the .env file
TRUSTED_PROXIES=**
APP_URL:https://budget.mydomain.com

In cloudflare assign the subdomain budget.mydomain.com
and http://10.10.1.1:8080
By having enable the "always use https" does not show me any graphs and got these errors

app.js?v=6.1.7:2 Refused to connect to 'http://budget.mydomain.com/chart/account/frontpage' because it violates the following Content Security Policy directive: "connect-src 'self'".

If i disable "Always use HTTPS" and change the .env file to APP_URL:http://budget.mydomain.com it's able to show the graphs but have an insecure subdomain.
Also have tried to change the subdomain config to https but it does not work with any .env config.

Sorry to bother with these rookie mistakes, but i've tried everything i could before asking and read every post i've encountered.