I have apache 2.4 and mattermost 5.2. Both of them are on the same server. I have configured a virtual host for pointing to mattermost on port 8065. Following is my conf file.
<VirtualHost *:80>
ServerName subdomain.domain.in
#ServerAdmin [email protected]
ProxyPreserveHost On
# Set web sockets
RewriteEngine On
RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* wss://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
<LocationMatch "^/api/v(?<apiversion>[0-9]+)/(?<apiusers>users/)?websocket">
Require all granted
ProxyPass ws://127.0.0.1:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
ProxyPassReverse ws://127.0.0.1:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
ProxyPassReverseCookieDomain 127.0.0.1 subdomain.domain.in
</LocationMatch>
<Location />
Require all granted
ProxyPass http://127.0.0.1:8065/
ProxyPassReverse http://127.0.0.1:8065/
ProxyPassReverseCookieDomain 127.0.0.1 subdomain.domain.in
</Location>
</VirtualHost>
I am trying to load iframe in following way from anothersubdomain.domain.in/mattermost in Django application
<iframe src="http://subdomain.domain.in"></iframe>
I am getting
Refused to display 'http://subdomain.domain.in/' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"
I do not want to change in mattermost code. Is there a way to complete this?
After spending some days with this problem, I have come to solution to edit the request headers of Content-Security-Policy and X-Frame-Options. Following is my edited virtual host.
<VirtualHost *:80>
ServerName subdomain.domain.in
#ServerAdmin [email protected]
ProxyPreserveHost On
# Set web sockets
RewriteEngine On
RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* wss://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
Header edit Content-Security-Policy: "frame-ancestors 'self'" "frame-ancestors http://*.domain.in"
Header edit X-Frame-Options "SAMEORIGIN" "allow-from http://*.domain.in"
<LocationMatch "^/api/v(?<apiversion>[0-9]+)/(?<apiusers>users/)?websocket">
Require all granted
ProxyPass ws://127.0.0.1:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
ProxyPassReverse ws://127.0.0.1:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
ProxyPassReverseCookieDomain 127.0.0.1 subdomain.domain.in
</LocationMatch>
<Location />
Require all granted
ProxyPass http://127.0.0.1:8065/
ProxyPassReverse http://127.0.0.1:8065/
ProxyPassReverseCookieDomain 127.0.0.1 subdomain.domain.in
</Location>
</VirtualHost>
Here, I have edited the headers to be allowed for all subdomain of my domain only.