Unrecognized Content-Security-Policy directive 'prefetch-src'. #627

ramesh8830 · 2023-06-28T13:46:08Z

Deployed the server in production environment with metallb load balancer. But having issues with CORS.

Below are my CSP headers in webapp values.yaml

CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_IMG_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_SCRIPT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_DEFAULT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_FONT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_FRAME_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_MANIFEST_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_OBJECT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_MEDIA_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_PREFETCH_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_STYLE_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_WORKER_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"

CORS Errors on the browser console

Unrecognized Content-Security-Policy directive 'prefetch-src'.

Access to XMLHttpRequest at 'https://api.example.com/api-version' from origin 'https://app.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
GET https://api.example.com/api-version net::ERR_FAILED 200

Kubernetes Version

:~# kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:15:20Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}

Wire Webapp Image used

image:
  repository: quay.io/wire/webapp
  tag: "2023-04-11-production.0-v0.31.13-0-bb91157"

Please help me fix the CORS issue.

The text was updated successfully, but these errors were encountered:

supersven · 2023-06-28T13:55:40Z

@ramesh8830 The Access-Control-Allow-Origin header is set by nginz (and cannon's nginx in some special cases.)

Could you please check these Values:

nginz.nginx_conf.allowlisted_origins
nginz.nginx_conf.nginx_conf.external_env_domain

ramesh8830 · 2023-06-28T13:58:09Z

@supersven I am sorry, I am new to kubernetes and this wire server deployment.

Please guide me how to and where to check these values.

supersven · 2023-06-28T14:08:46Z

@ramesh8830 You should have some yaml file or files where you put all config values. The dots (.) refer to nodes in this yaml file.

E.g. Link to nginz.nginx_conf.nginx_conf.external_env_domain if you are using the demo setup values.

I think you need to set:

allowlisted_origins: app (as your webapp is served there)
external_env_domain: example.com (as this is your domain)

This should give you Access-Control-Allow-Origin headers, when a requests origin is https://app.example.com.

Hope this helps 😃

ramesh8830 · 2023-06-28T14:16:13Z

allowlisted_origins: app (as your webapp is served there) added this to the values.yaml files but getting below error when deployed.

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins: app
    external_env_domain: example.com
    deeplink:
      endpoints:
        backendURL: "https://api.example.com"
        backendWSURL: "https://wss.example.com"
        teamsURL: "https://teams.example.com"
        accountsURL: "https://account.example.com"
        blackListURL: "https://clientblacklist.example.com/prod"
        websiteURL: "https://example.com"
      title: "My Custom example Backend"

bash-5.1# helm upgrade --install --namespace production wire-server wire/wire-server -f values/wire-server/values.yaml -f values/wire-server/secrets.yaml --wait
Error: UPGRADE FAILED: template: wire-server/charts/nginz/templates/deployment.yaml:27:31: executing "wire-server/charts/nginz/templates/deployment.yaml" at <include (print .Template.BasePath "/configmap.yaml") .>: error calling include: template: wire-server/charts/nginz/templates/configmap.yaml:4:4: executing "wire-server/charts/nginz/templates/configmap.yaml" at <include "nginz_nginx.conf" .>: error calling include: template: wire-server/charts/nginz/templates/conf/_nginx.conf.tpl:131:31: executing "nginz_nginx.conf" at <.Values.nginx_conf.allowlisted_origins>: range can't iterate over app

supersven · 2023-06-28T14:22:28Z

Ah, sorry, it's a list in yaml. E.g.

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins: 
      - app
...

The default values.yaml file of the Helm chart provides some documentation: https://github.com/wireapp/wire-server/blob/develop/charts/nginz/values.yaml#L71

ramesh8830 · 2023-06-28T14:26:44Z

@supersven It worked. Thank you so much for your help

Have a great day ahead.

supersven · 2023-06-28T14:39:21Z

@ramesh8830 Welcome 😄

BTW, there are more web application you may want to use (e.g. account-pages.) If you run into the same issue with one of them, you'll have to add them to the same list.

May I close this ticket?

ramesh8830 · 2023-06-28T14:45:10Z

Yeah. I have used the app, teams and account in there. but I am not getting Pro account creation like we have in the older version.

Old version like below and able to create Pro accounts.

Please let me know if you have any idea about how to activate that.

supersven · 2023-06-28T15:27:24Z

According to @julialongtin this is only a change in the label.

ramesh8830 · 2023-06-28T15:37:15Z

In the old version of wire, url for pro account is https://app.exacmple.com/auth/#createteam

But in the new version it is redirecting to https://teams.example.com/register/email which lead me to 404 error

ramesh8830 · 2023-06-28T20:05:55Z

unable to send connection request. getting below error.

Request URL:
https://api.example.com/v3/connections/example.com/55cdabbf-720e-4b2b-878a-ca2a974e4bca
Request Method:
POST
Status Code:
500
Remote Address:
external_ip:443
Referrer Policy:
same-origin
Access-Control-Allow-Origin:
https://app.example.com
Access-Control-Expose-Headers:
Request-Id, Location
Content-Encoding:
gzip
Content-Type:
application/json
Date:
Wed, 28 Jun 2023 19:54:53 GMT
Request-Id:
9957b8036d02b7955c3e2e8c0d0d3906
Strict-Transport-Security:
max-age=15724800; includeSubDomains
Vary:
Accept-Encoding
:Authority:
api.example.com
:Method:
POST
:Path:
/v3/connections/example.com/55cdabbf-720e-4b2b-878a-ca2a974e4bca
:Scheme:
https
Accept:
application/json, text/plain, */*
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en;q=0.9,cy;q=0.8
Authorization:
Bearer CEevU7mqc3SMH-XhmxqM8zCfZ2MHF0uhSCkpFEgeNJGaeG_F-SGIGdLAlrvrnQLtzwWWvcORd-8o10VvNWF3Aw==.v=1.k=1.d=1687982745.t=a.l=.u=34d4acb7-dc58-4263-a802-58877e60dfc6.i=5d16c30a1c40226d.c=18361318061627808208
Content-Length:
0
Origin:
https://app.example.com
Sec-Ch-Ua:
"Not.A/Brand";v="8", "Chromium";v="114", "Microsoft Edge";v="114"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
same-site
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.58

ramesh8830 · 2023-06-28T21:56:18Z

Please help me on the above. I did not enable federation and legalhold

akshaymankar · 2023-06-29T08:39:54Z

I haven't tested this, but I think you can set this environment variable in the webapp helm chart to restore the previous behaviour:

URL_TEAMS_CREATE:  https://app.example.com/auth/#createteam

ramesh8830 · 2023-06-29T09:59:45Z

unable to send connection request. getting below error.

Request URL:
https://api.example.com/v3/connections/example.com/55cdabbf-720e-4b2b-878a-ca2a974e4bca
Request Method:
POST
Status Code:
500
Remote Address:
external_ip:443
Referrer Policy:
same-origin
Access-Control-Allow-Origin:
https://app.example.com
Access-Control-Expose-Headers:
Request-Id, Location
Content-Encoding:
gzip
Content-Type:
application/json
Date:
Wed, 28 Jun 2023 19:54:53 GMT
Request-Id:
9957b8036d02b7955c3e2e8c0d0d3906
Strict-Transport-Security:
max-age=15724800; includeSubDomains
Vary:
Accept-Encoding
:Authority:
api.example.com
:Method:
POST
:Path:
/v3/connections/example.com/55cdabbf-720e-4b2b-878a-ca2a974e4bca
:Scheme:
https
Accept:
application/json, text/plain, */*
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en;q=0.9,cy;q=0.8
Authorization:
Bearer CEevU7mqc3SMH-XhmxqM8zCfZ2MHF0uhSCkpFEgeNJGaeG_F-SGIGdLAlrvrnQLtzwWWvcORd-8o10VvNWF3Aw==.v=1.k=1.d=1687982745.t=a.l=.u=34d4acb7-dc58-4263-a802-58877e60dfc6.i=5d16c30a1c40226d.c=18361318061627808208
Content-Length:
0
Origin:
https://app.example.com
Sec-Ch-Ua:
"Not.A/Brand";v="8", "Chromium";v="114", "Microsoft Edge";v="114"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
same-site
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.58

@akshaymankar any idea about this issue. I am unable to send request to any person. When I click on the connect button, I am getting above error in the network and console of browser.

Please let me know

akshaymankar · 2023-06-29T10:51:22Z

I think only logs from brig can tell us why it is throwing a 500.

ramesh8830 · 2023-06-29T11:01:01Z

Please find the brig when I tried to hit the connect button.

{"level":"Error","message":"RPCException {remote = \"galley\", path = \"/i/conversations/connect\", headers = [(\"Z-User\",\"774463e5-cf67-4863-8825-86981f601d0c\"),(\"Z-Connection\",\"8890799891330291274\"),(\"Content-Type\",\"application/json\"),(\"Request-Id\",\"d87678b0d65c342f135924e7678ad277\")], cause = HttpExceptionRequest Request {\n  host                 = \"galley\"\n  port                 = 8080\n  secure               = False\n  requestHeaders       = [(\"Z-User\",\"774463e5-cf67-4863-8825-86981f601d0c\"),(\"Z-Connection\",\"8890799891330291274\"),(\"Content-Type\",\"application/json\"),(\"Request-Id\",\"d87678b0d65c342f135924e7678ad277\")]\n  path                 = \"/i/conversations/connect\"\n  queryString          = \"\"\n  method               = \"POST\"\n  proxy                = Nothing\n  rawBody              = False\n  redirectCount        = 10\n  responseTimeout      = ResponseTimeoutDefault\n  requestVersion       = HTTP/1.1\n}\n (StatusCodeException (Response {responseStatus = Status {statusCode = 500, statusMessage = \"Internal Server Error\"}, responseVersion = HTTP/1.1, responseHeaders = [(\"Transfer-Encoding\",\"chunked\"),(\"Date\",\"Thu, 29 Jun 2023 10:56:27 GMT\"),(\"Server\",\"Warp/3.3.23\"),(\"Content-Encoding\",\"gzip\"),(\"Content-Type\",\"application/json\"),(\"Vary\",\"Accept-Encoding\")], responseBody = (), responseCookieJar = CJ {expose = []}, responseClose' = ResponseClose}) \"{\\\"code\\\":500,\\\"label\\\":\\\"federation-not-implemented\\\",\\\"message\\\":\\\"Federation is not yet implemented for this endpoint\\\"}\")}","msgs":["IO Exception occurred"],"request":"d87678b0d65c342f135924e7678ad277"}
{"code":"500","label":"server-error","level":"Error","msgs":["\"Server Error\""],"request":"d87678b0d65c342f135924e7678ad277"}

ramesh8830 · 2023-06-29T11:57:09Z

I found the problem. I had a bad url for fedaration domain for gally pod values.

Thanks..

ramesh8830 · 2023-06-29T11:58:34Z

I haven't tested this, but I think you can set this environment variable in the webapp helm chart to restore the previous behaviour:
URL_TEAMS_CREATE:  https://app.example.com/auth/#createteam

this is not working

keeps redirecting to https://teams.example.com/register/email

ramesh8830 · 2023-06-29T13:55:29Z

Ah, sorry, it's a list in yaml. E.g.

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins: 
      - app
...

The default values.yaml file of the Helm chart provides some documentation: https://github.com/wireapp/wire-server/blob/develop/charts/nginz/values.yaml#L71

Even after add these values, getting CORS issues with GIF's

/#/conversation/9b1a0e40-aa0d-498f-8106-54a76b0508c6/federator.example.com:1 Access to XMLHttpRequest at 'https://api.example.com/v3/proxy/giphy/v1/gifs/search?limit=100&offset=0&q=Hello' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins:
      - app
      - teams
      - wss
      - account  
      - clientblacklist
      - api    
    external_env_domain: example.com
    deeplink:
      endpoints:
        backendURL: "https://api.example.com"
        backendWSURL: "https://wss.example.com"
        teamsURL: "https://teams.example.com"
        accountsURL: "https://account.example.com"
        blackListURL: "https://clientblacklist.example.com/prod"
        websiteURL: "https://example.com"
      title: "My Custom example Backend"

ramesh8830 · 2023-06-30T10:41:45Z

Ah, sorry, it's a list in yaml. E.g.
nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins: 
      - app
...
The default values.yaml file of the Helm chart provides some documentation: https://github.com/wireapp/wire-server/blob/develop/charts/nginz/values.yaml#L71
Even after add these values, getting CORS issues with GIF's

/#/conversation/9b1a0e40-aa0d-498f-8106-54a76b0508c6/federator.example.com:1 Access to XMLHttpRequest at 'https://api.example.com/v3/proxy/giphy/v1/gifs/search?limit=100&offset=0&q=Hello' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins:
      - app
      - teams
      - wss
      - account  
      - clientblacklist
      - api    
    external_env_domain: example.com
    deeplink:
      endpoints:
        backendURL: "https://api.example.com"
        backendWSURL: "https://wss.example.com"
        teamsURL: "https://teams.example.com"
        accountsURL: "https://account.example.com"
        blackListURL: "https://clientblacklist.example.com/prod"
        websiteURL: "https://example.com"
      title: "My Custom example Backend"

@julialongtin @akshaymankar @supersven any help on this please?

/#/conversation/9b1a0e40-aa0d-498f-8106-54a76b0508c6/federator.example.com:1 Access to XMLHttpRequest at 'https://api.example.com/v3/proxy/giphy/v1/gifs/search?limit=100&offset=0&q=Hello' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

julialongtin · 2023-06-30T15:01:56Z

look at the extra CSP headers that are being handed out by the webapp.

https://github.com/wireapp/wire-server-deploy/blob/master/values/wire-server/prod-values.example.yaml#L250

ramesh8830 · 2023-06-30T15:20:06Z

Deployed the server in production environment with metallb load balancer. But having issues with CORS.

Below are my CSP headers in webapp values.yaml

CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_IMG_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_SCRIPT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_DEFAULT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_FONT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_FRAME_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_MANIFEST_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_OBJECT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_MEDIA_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_PREFETCH_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_STYLE_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_WORKER_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"

I have added the necessary headers already. But still having issues with only GIF's. All others are working fine.

julialongtin · 2023-06-30T15:50:12Z

can you drop your values.yml file here?

…

On Fri, Jun 30, 2023 at 4:20 PM ramesh8830 ***@***.***> wrote: Deployed the server in production environment with metallb load balancer. But having issues with CORS. Below are my CSP headers in webapp values.yaml CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_IMG_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_SCRIPT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_DEFAULT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_FONT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_FRAME_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_MANIFEST_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_OBJECT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_MEDIA_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_PREFETCH_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_STYLE_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CSP_EXTRA_WORKER_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com" CORS Errors on the browser console Unrecognized Content-Security-Policy directive 'prefetch-src'. Access to XMLHttpRequest at 'https://api.example.com/api-version' from origin 'https://app.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. GET https://api.example.com/api-version net::ERR_FAILED 200 Kubernetes Version :~# kubectl version Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:15:20Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"} Wire Webapp Image used image: repository: quay.io/wire/webapp tag: "2023-04-11-production.0-v0.31.13-0-bb91157" Please help me fix the CORS issue. I have added the necessary headers already. But still having issues with only GIF's. All others are working fine. — Reply to this email directly, view it on GitHub <#627 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEAMAATSKGBRQ2SJ5IJYT4DXN3VDDANCNFSM6AAAAAAZXFA3QI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

ramesh8830 · 2023-06-30T16:46:55Z

# CHANGEME-PROD: All values here should be changed/reviewed
tags:
  proxy: true # enable if you want/need giphy/youtube/etc proxying
  account-pages: true
  team-settings: false # enable if you need team-settings. Requires a pullSecret
  legalhold: false # Enable if you need legalhold
  federator: false # Enable to use federation
  sftd: true

sftd:
  host: sftd.example.com # Replace example.com with your domain
  allowOrigin: https://app.example.com # Should be the address you used for the webapp deployment

cassandra-migrations:
#  images:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  cassandra:
    host: cassandra-external
    replicationFactor: 3

elasticsearch-index:
  elasticsearch:
    host: elasticsearch-external
  cassandra:
    host: cassandra-external
brig:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-external
    elasticsearch:
      host: elasticsearch-external
    useSES: false
    # Set to false if you want to hand out DynamoDB to store prekeys
    randomPrekeys: true
    aws:
      # change if using real AWS
      region: "us-east-1"
      sqsEndpoint: https://sqs.us-east-1.amazonaws.com
      # dynamoDBEndpoint: http://fake-aws-dynamodb:4567

      # these must match the table names created on fake or real AWS services
      internalQueue: example-brig-events-internal
      prekeyTable: integration-brig-prekeys
    externalUrls:
      nginz: https://api.example.com # change this
      teamSettings: https://teams.example.com # change this (or unset if team settings are not used)
      teamCreatorWelcome: https://teams.example.com/login # change this
      teamMemberWelcome: https://welcome.example.com/download # change this
    optSettings:
      #setCookieDomain: example.com
      setFederationDomain: federator.example.com # change this
      # Sync the domain with the 'host' variable in the sftd chart
      # Comment the next line (by adding '#' before it) if conference calling is not used
      setSftStaticUrl: "https://sftd.example.com:443"
    emailSMS:
      general:
        emailSender: [email protected] # change this
        smsSender: "+11234567890" # change this if SMS support is desired
        templateBranding: # change all of these, they are used in emails
          brand: example
          brandUrl: https://example.com
          brandLabel: example.com
          brandLabelUrl: https://example.com
          brandLogoUrl: https://example.com/example_logo_email.png
          brandService: example
          copyright: © example
          misuse: [email protected]
          legal: https://example.com/legal/
          forgot: https://account.example.com/forgot/
          support: https://support.example.com/
      user:
        passwordResetUrl: https://account.example.com/reset/?key=${key}&code=${code}
        activationUrl: https://account.example.com/verify/?key=${key}&code=${code}
        smsActivationUrl: https://account.example.com/v/${code}
        deletionUrl: https://account.example.com/d/?key=${key}&code=${code}
        invitationUrl: https://account.example.com/i/${code}
    smtp:
      host: example.com # change this if you want to use your own SMTP server
      port: 465       # change this
      connType: ssl # change this. Possible values: plain|ssl|tls
      username: [email protected]
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"
  turnStatic:
    v1: []
    v2:
      - "turn:turn01.example.com:80"
      - "turn:turn02.example.com:80"
      - "turn:turn03.example.com:80"
      - "turn:turn01.example.com:80?transport=tcp"
      - "turn:turn02.example.com:80?transport=tcp"
      - "turn:turn03.example.com:80?transport=tcp"
      - "turns:turn01.example.com:443?transport=tcp"
      - "turns:turn02.example.com:443?transport=tcp"                                           
      - "turns:turn03.example.com:443?transport=tcp"


proxy:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
#  config:
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

cannon:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  # For demo mode only, we don't need to keep websocket connections open on chart upgrades
  #drainTimeout: 10
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins:
      - app
      - teams
      - account
    external_env_domain: example.com

cargohold:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    aws:
      # change if using real AWS
      region: "us-east-1"
      s3Bucket: example-assets
      s3Endpoint: https://s3.us-east-1.amazonaws.com
      s3DownloadEndpoint: https://s3.us-east-1.amazonaws.com
      s3Version: latest
      s3Signature: v4
    settings:
      federationDomain: federator.example.com # change this
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

galley:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-external
    settings:
      # prefix URI used when inviting users to a conversation by link
      conversationCodeURI: https://account.example.com/conversation-join/ # change this
      federationDomain: federator.example.com # change this
      # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/)
      featureFlags:
        sso: disabled-by-default
        # NOTE: Change this to "disabled-by-default" for legalhold support
        # legalhold: disabled-by-default
        legalhold: disabled-permanently
        teamSearchVisibility: enabled-by-default
    aws:
      region: "us-east-1"
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

gundeck:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-external
    aws:
      # change if using real AWS
      account: "11234567890"
      region: "us-east-1"
      arnEnv: example
      queueName: example-gundeck-events
      sqsEndpoint: https://sqs.us-east-1.amazonaws.com
      snsEndpoint: https://sns.us-east-1.amazonaws.com
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins:
      - app
      - teams
      - account
    external_env_domain: example.com
    deeplink:
      endpoints:
        backendURL: "https://api.example.com"
        backendWSURL: "https://wss.example.com"
        teamsURL: "https://teams.example.com"
        accountsURL: "https://account.example.com"
        blackListURL: "https://clientblacklist.example.com/prod"
        websiteURL: "https://example.com"
      title: "My Custom example Backend"
      # Optional -- Uncomment these if you want to direct all of your mobile users to use the same proxy.
      #apiProxy:
        #host: "socks5.proxy.com"
        #port: 1080
        #needsAuthentication: true
  # For demo mode only, we don't need to keep websocket connections open on upgrade:
  #drainTimeout: 10
  #terminationGracePeriodSeconds: 30

spar:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-external
    logLevel: Debug
    domain: example.com
    appUri: https://api.example.com
    ssoUri: https://api.example.com/sso
    maxttlAuthreq: 28800
    maxttlAuthresp: 28800
    # maxScimTokens: 16 # uncomment this if you want to use SCIM provisioning
    contacts:
    - type: ContactSupport
      company: example
      email: email:[email protected]
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

webapp:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    externalUrls:
      backendRest: api.example.com
      backendWebsocket: wss.example.com
      backendDomain: example.com
      backendTeamSettings: teams.example.com
      appHost: app.example.com
  # See full list of available environment variables: https://github.com/wireapp/wire-webapp/blob/dev/server/config.ts
  envVars:
    APP_NAME: "example Webapp"
    ENFORCE_HTTPS: "true"
    FEATURE_CHECK_CONSENT: "false"
    FEATURE_ENABLE_ACCOUNT_REGISTRATION: "true"
    FEATURE_ENABLE_DEBUG: "false"
    FEATURE_ENABLE_PHONE_LOGIN: "true"
    FEATURE_ENABLE_SSO: "false"
    FEATURE_SHOW_LOADING_INFORMATION: "false"
    URL_ACCOUNT_BASE: "https://account.example.com"
    #URL_MOBILE_BASE: "https://wire-pwa-staging.zinfra.io" # TODO: is this needed?
    URL_PRIVACY_POLICY: "https://www.example.com/terms-conditions"
    URL_SUPPORT_BASE: "https://www.example.com/support"
    URL_TEAMS_BASE: "https://teams.example.com"
    URL_TEAMS_CREATE: "https://app.example.com/auth/#createteam"
    URL_TERMS_OF_USE_PERSONAL: "https://www.example.com/terms-conditions"
    URL_TERMS_OF_USE_TEAMS: "https://www.example.com/terms-conditions"
    URL_WEBSITE_BASE: "https://www.example.com"
    CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_IMG_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_SCRIPT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_DEFAULT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_FONT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_FRAME_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_MANIFEST_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_OBJECT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_MEDIA_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_PREFETCH_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_STYLE_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_WORKER_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"

# NOTE: Only relevant if you want team-settings
team-settings:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    externalUrls:
      backendRest: api.example.com
      backendWebsocket: wss.example.com
      backendDomain: example.com
      appHost: teams.example.com
  # See full list of available environment variables: https://github.com/wireapp/wire-team-settings/blob/dev/server/config.ts
  envVars:
    APP_NAME: "Team Settings"
    ENFORCE_HTTPS: "true"
    FEATURE_CHECK_CONSENT: "false"
    FEATURE_ENABLE_DEBUG: "false"
    FEATURE_ENABLE_NEW_TEAM: "true"
    # NOTE: Uncomment this for legalhold support in the Team-settings UI
    # FEATURE_ENABLE_LEGAL_HOLD: "true"
    URL_ACCOUNT_BASE: "https://account.example.com"
    URL_WEBAPP_BASE: "https://app.example.com"
    URL_WEBSITE_BASE: "https://www.example.com"
    WEBSITE_LABEL: "www.example.com"
    CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com"
    CSP_EXTRA_IMG_SRC: "https://*.example.com"
    CSP_EXTRA_SCRIPT_SRC: "https://*.example.com"
    CSP_EXTRA_DEFAULT_SRC: "https://*.example.com"
    CSP_EXTRA_FONT_SRC: "https://*.example.com"
    CSP_EXTRA_FRAME_SRC: "https://*.example.com"
    CSP_EXTRA_MANIFEST_SRC: "https://*.example.com"
    CSP_EXTRA_OBJECT_SRC: "https://*.example.com"
    CSP_EXTRA_MEDIA_SRC: "https://*.example.com"
    CSP_EXTRA_PREFETCH_SRC: "https://*.example.com"
    CSP_EXTRA_STYLE_SRC: "https://*.example.com"
    CSP_EXTRA_WORKER_SRC: "https://*.example.com"
    IS_SELF_HOSTED: "true"

# NOTE: Only relevant if you want account-pages
account-pages:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    externalUrls:
      backendRest: api.example.com
      backendDomain: example.com
      appHost: account.example.com
  # See full list of available environment variables: https://github.com/wireapp/wire-account/blob/dev/server/config.ts
  envVars:
    APP_NAME: "example Account Management"
    COMPANY_NAME: "example"
    FEATURE_ENFORCE_HTTPS: "true"
    FEATURE_ENABLE_DEBUG: "false"
    URL_SUPPORT_BASE: "https://www.example.com/support"
    URL_TEAMS_BASE: "https://teams.example.com"
    URL_WEBAPP_BASE: "https://app.example.com"
    URL_WEBSITE_BASE: "https://www.example.com"
    CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com"
    CSP_EXTRA_IMG_SRC: "https://*.example.com"
    CSP_EXTRA_SCRIPT_SRC: "https://*.example.com"
    CSP_EXTRA_DEFAULT_SRC: "https://*.example.com"
    CSP_EXTRA_FONT_SRC: "https://*.example.com"
    CSP_EXTRA_FRAME_SRC: "https://*.example.com"
    CSP_EXTRA_MANIFEST_SRC: "https://*.example.com"
    CSP_EXTRA_OBJECT_SRC: "https://*.example.com"
    CSP_EXTRA_MEDIA_SRC: "https://*.example.com"
    CSP_EXTRA_PREFETCH_SRC: "https://*.example.com"
    CSP_EXTRA_STYLE_SRC: "https://*.example.com"
    CSP_EXTRA_WORKER_SRC: "https://*.example.com"
    IS_SELF_HOSTED: "true"

# Only needed when legalhold is enabled
legalhold:
  host: "legalhold.example.com"
  wireApiHost: "https://api.example.com"

# Only needed when federation is enabled
federator:
  tls:
    useSharedFederatorSecret: true

ramesh8830 · 2023-07-03T11:22:06Z

@julialongtin anything wrong with my values.yaml?

julialongtin · 2023-07-03T14:58:17Z

nothing sticks out to me. I'll load it up into an environment and poke it here, but it will take me a few days. other priorities, etc.

ramesh8830 · 2023-07-03T21:46:58Z

Looking for your help @julialongtin.

Please help me

ramesh8830 · 2023-07-10T10:54:36Z

nothing sticks out to me. I'll load it up into an environment and poke it here, but it will take me a few days. other priorities, etc.

Hi @julialongtin

have you tried it?

Please help me

ramesh8830 · 2023-07-19T10:39:59Z

any update?

ramesh8830 mentioned this issue Aug 9, 2023

Why legal hold is getting activated on ios app when we didn't opt for legal hold feature #639

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unrecognized Content-Security-Policy directive 'prefetch-src'. #627

Unrecognized Content-Security-Policy directive 'prefetch-src'. #627

ramesh8830 commented Jun 28, 2023

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023 •

edited

Loading

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023 •

edited

Loading

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

akshaymankar commented Jun 29, 2023

ramesh8830 commented Jun 29, 2023

akshaymankar commented Jun 29, 2023

ramesh8830 commented Jun 29, 2023

ramesh8830 commented Jun 29, 2023

ramesh8830 commented Jun 29, 2023 •

edited

Loading

ramesh8830 commented Jun 29, 2023

ramesh8830 commented Jun 30, 2023 •

edited

Loading

julialongtin commented Jun 30, 2023

ramesh8830 commented Jun 30, 2023 •

edited

Loading

julialongtin commented Jun 30, 2023 via email

ramesh8830 commented Jun 30, 2023

ramesh8830 commented Jul 3, 2023

julialongtin commented Jul 3, 2023

ramesh8830 commented Jul 3, 2023

ramesh8830 commented Jul 10, 2023

ramesh8830 commented Jul 19, 2023

Unrecognized Content-Security-Policy directive 'prefetch-src'. #627

Unrecognized Content-Security-Policy directive 'prefetch-src'. #627

Comments

ramesh8830 commented Jun 28, 2023

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023 • edited Loading

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023 • edited Loading

supersven commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

ramesh8830 commented Jun 28, 2023

akshaymankar commented Jun 29, 2023

ramesh8830 commented Jun 29, 2023

akshaymankar commented Jun 29, 2023

ramesh8830 commented Jun 29, 2023

ramesh8830 commented Jun 29, 2023

ramesh8830 commented Jun 29, 2023 • edited Loading

ramesh8830 commented Jun 29, 2023

ramesh8830 commented Jun 30, 2023 • edited Loading

julialongtin commented Jun 30, 2023

ramesh8830 commented Jun 30, 2023 • edited Loading

julialongtin commented Jun 30, 2023 via email

ramesh8830 commented Jun 30, 2023

ramesh8830 commented Jul 3, 2023

julialongtin commented Jul 3, 2023

ramesh8830 commented Jul 3, 2023

ramesh8830 commented Jul 10, 2023

ramesh8830 commented Jul 19, 2023

ramesh8830 commented Jun 28, 2023 •

edited

Loading

ramesh8830 commented Jun 28, 2023 •

edited

Loading

ramesh8830 commented Jun 29, 2023 •

edited

Loading

ramesh8830 commented Jun 30, 2023 •

edited

Loading

ramesh8830 commented Jun 30, 2023 •

edited

Loading