Yunohost services through tunnels, issue with Cryptpad Content Security Policy (CSP)

For the past months, I’ve been exposing my home server running yunohost to the internet using zerotier tunnels connected to nginx reverse proxies on a VPS. (my exact configuration is described here)

This has been working well for me for most apps, without having to do any port forwarding or dynamic dns.

However, Cryptpad is not working for me and displays a warning when I open a document. In Chrome, in the iframe, it says it's unable to connect to sandbox-crypt.commoninternet.net. In Firefox I see this warning:

I’ve created HTTPS certificates and reverse proxies to the tunnel for both crypt.commoninternet.net and sandbox-crypt.commoninternet.net, and they both independently load and show a valid certificate… but I guess they still won’t play nicely together via iframes?

I also had an issue with OnlyOffice in Nextcloud which seemed like some type of iframe issue – this was fixable by installing the Ignore-X-Frame Firefox extension, but I still haven’t figured out how to make it work without the extension.

I did a fresh install of Cryptpad directly on the VPS, without any of the tunnelling, and it worked fine like that, which is making me think I am not understanding something about the reverse proxy and tunneling that is actually causing problems with iframes (and maybe something about CSP or X-Frame-Options), even though I had the impression that since there is an HTTPS certificate on the VPS, it would be identical. But maybe it's something about the details of HTTPS I don’t understand?

If anyone has any ideas about what it could be or how to fix it, they would be appreciated.

I love having the home server accessible to the internet without having to do port forwarding or reveal its home IP address, so I would hate to have to ditch this setup because of this iframe issue.

Here is the nginx config on the VPS for redirecting requests to https://crypt.commoninternet.net to the tunnel (b1.net is locally assigned to the IP address of the tunnel via /etc/hosts).

location @reverseproxy__9--proxy {
  proxy_pass        https://b1.net;
  proxy_redirect    off;
  proxy_set_header  Host crypt.commoninternet.net;
  proxy_set_header  X-Real-IP $remote_addr;
  proxy_set_header  X-Forwarded-Proto $scheme;
  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header  X-Forwarded-Host $server_name;
  proxy_set_header  X-Forwarded-Port $server_port;
  
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";

  more_clear_input_headers 'Accept-Encoding';
}

# Support relative URLs
# Not needed for webroot

location / {
    # Include SSOWAT user panel.
    # include conf.d/yunohost_panel.conf.inc;

    # No static files to serve
    try_files /dev/null @reverseproxy__9--proxy;
}

I also made this repo with all the relevant nginx configs for Cryptpad.

The nginx configs on the yunohost home server were completely unmodified from what is autogenerated by a Cryptpad yunohost install.

The nginx configs on the yunohost VPS are based on a reverse proxy (but with one small change to pass the hostname).

Although I’m starting to suspect that using narrowlink might be a better route at this point.

Solution is here: notplants: "@forestjohnson@pixie.town your intuition about so…" - Sunbeam City 🌻
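As an added diagnostic check (not code from the original post or from Cryptpad or Yunohost), the script below applies the browser's framing rules to a set of response headers: CSP `frame-ancestors` decides when present, otherwise `X-Frame-Options`, and with neither header framing is allowed. It answers the question the post raises, whether the main domain is permitted to embed the sandbox domain; the `example.test` hostnames and header values are constructed placeholders, not captured from the author's servers.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _same_origin(a, b):
    a, b = urlsplit(a), urlsplit(b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def _source_matches(source, embedder, resource):
    """Match one frame-ancestors source expression against the embedding origin."""
    emb, src = urlsplit(embedder), source.lower()
    if src == "*" or (src == "'self'" and _same_origin(embedder, resource)):
        return True
    if src.startswith("'"):                     # 'none', unmatched 'self', other keywords
        return False
    if src.endswith(":") and "/" not in src:    # scheme-source such as https:
        return emb.scheme == src[:-1]
    if "://" not in src:                        # bare host-source: assume the embedder's scheme
        src = emb.scheme + "://" + src
    s = urlsplit(src)
    if s.scheme != emb.scheme or (s.port is not None and s.port != emb.port):
        return False
    if s.hostname.startswith("*."):             # wildcard matches subdomains only
        return emb.hostname.endswith(s.hostname[1:])
    return s.hostname == emb.hostname

def framing_allowed(resource_url, headers, embedder_origin):
    """True if a page at embedder_origin may load resource_url in an iframe."""
    # frame-ancestors wins when present (X-Frame-Options is then ignored); no header means allowed.
    headers = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(headers.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        return any(_source_matches(s, embedder_origin, resource_url)
                   for s in csp["frame-ancestors"])
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(embedder_origin, resource_url)
    return True

# Constructed sample headers (not captured from the author's servers).
SANDBOX_OK = {"Content-Security-Policy": "frame-ancestors https://crypt.example.test"}
SANDBOX_SELF_ONLY = {"Content-Security-Policy": "frame-ancestors 'self'"}
```

Feed it the headers the sandbox domain returns once through the VPS proxy and once directly on the home server (for example from `curl -sI`); if the two verdicts differ, the proxy path is changing or mis-routing the response.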