Op zaterdag 12 oktober 2024 03:12:11 CEST schreef David C. Rankin:
On 10/11/24 6:20 AM, Freek de Kruijf wrote:
I got the suggestion to use F12 in Firefox to see error messages. It revealed that the Content-Security-Policy was set too strict. But even setting all to 'self' is too strict. Still trying to figure out what the right setting is.
I explains why using localhost does not give the problem. I do not have a Content-Security-Policy for localhost.
That makes sense.
My web-servers are on Arch, which simply sets all access restrictions through the conf files (and file ownership/permissions). If you are using a self-signed certificate, it makes sense to go ahead and get an actual ssl certificate from "Let's Encrypt" (it's free) and then you can use "certbot" to update it before it's 90 day expiration (they send you e-mail notices)
If you run a mail-host, you can use the same ssl certificate for dovecot, etc..
That eliminates a lot of "nanny programs" that now refuse to talk to servers with self-signed certs. Up until about 5 years ago or so, self-signed certs are fine.
I already have such things (Let's Encrypt) for quite some times. The Content-Security-Policy is something that can be enabled in the web server (apache) and has nothing to do with the use of http or https. It controls a.o. the use of CSS in a web page, even the use of CSS which is embedded in the web page (seems silly/unnecessary to me). It is required when you want a high rating on security on your web server. -- fr.gr. member openSUSE Freek de Kruijf