perfSONAR User Q&A and Other Discussion

[Michael Johnson <>]

Hi John,

I should have mentioned this approach, I'm glad you figured it out!

Thansk for reporting the issue, also.

- Michael


On Fri, Jul 28, 2017 at 06:48:37PM -0700, John Hess wrote:
> hi Michael,
>
> thanks for the response… but i am not grok'ing how in the maddash config i 
> would implement your suggested work-around.   could you elaborate?
>
> meanwhile, i updated the Content-Security-Policy in 
> apache-perfsonar-graphs.conf to whitelist https://ps-ma-lax.cenic.net (and, 
> ironically, ’self’, as well) , as in:
>
> Header set Content-Security-Policy “default-src 'self' ;  connect-src 'self' 
> https://ps-ma-lax.cenic.net ; img-src 'self' 'unsafe-inline' data: ; style-src 
> 'self' 'unsafe-inline' "
>
> and the time-series graphs are working again, for now :-)
>
> thanks,
>
> john
>
>
>
> > On Jul 28, 2017, at 10:21 AM, Michael Johnson 
> > <>
> >  wrote:
> >
> > Hi John,
> >
> > Thanks for the detailed report.
> >
> > It does look like this is related to some HTTP headers we changed recently. 
> > We made some changes to tighten up security by only allowing things to be 
> > embedded in specific ways we allow.
> >
> > It appears that this means it's not working for you in this use case. What 
> > you can do to make it work is, point your Maddash config at 
> > https://ps-ma-lax.cenic.net/perfsonar-graphs/ rather than 
> > https://ps-dashboard.cenic.net/perfsonar/graphs/
> >
> > This may mean we need to rethink our header restrictions to accommodate this 
> > use case. Currently, /perfsonar-graphs has to be on the same host as the MA, 
> > which is why you're seeing this error. We'll give it some more consideration.
> >
> > Thanks,
> > Michael
> >
> > On Fri, Jul 28, 2017 at 09:37:00AM -0700, John Hess wrote:
> > > hi,
> > >
> > > i recently separated our central esmond MA to a distinct physical server, 
> > > ps-ma-lax.cenic.net, from the host (VM) on which our pS MaDDash is running, 
> > > ps-dashboard.cenic.net.   the time-series graphs had been working well — up 
> > > until they stopped working a day or two ago.
> > >
> > > i am tracking perfsonar-staging on both systems w/auto-updates enabled.   the 
> > > dashboard VM has pulled in perfsonar-graphs 4.0.1 v0.1.rc1.el6.   (after 
> > > clearing browser data) within the browser -> Graph pane, the region which 
> > > would otherwise display the graphs now displays this error:
> > >
> > > Error loading data
> > > Error retrieving data
> > > Can’t connect to ps-ma-lax.cenic.net:443 (connect: Network is unreachable)
> > >
> > > the (Chrome browser) javascript console log has these entries:
> > >
> > > dojo.js:15 [Deprecation] Synchronous XMLHttpRequest on the main thread is 
> > > deprecated because of its detrimental effects to the end user's experience. 
> > > For more help, check https://xhr.spec.whatwg.org/.
> > > req.getText @ dojo.js:15
> > > jquery.min.js:6 Refused to connect to 
> > > 'https://ps-ma-lax.cenic.net/esmond/perfsonar/archive/?source=ps-svl-10g.cenic.net&destination=melange.noc.ucdavis.edu'
> > >  because it violates the following Content Security Policy directive: "default-src 
> > > 'self' ". Note that 'connect-src' was not explicitly set, so 'default-src' is used as 
> > > a fallback.
> > >
> > > send @ jquery.min.js:6
> > > jquery.min.js:6 Refused to connect to 
> > > 'https://ps-ma-lax.cenic.net/esmond/perfsonar/archive/?source=melange.noc.ucdavis.edu&destination=ps-svl-10g.cenic.net'
> > >  because it violates the following Content Security Policy directive: "default-src 
> > > 'self' ". Note that 'connect-src' was not explicitly set, so 'default-src' is used as 
> > > a fallback.
> > >
> > > send @ jquery.min.js:6
> > > /perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=https%3A%2F%2Fps-ma-lax.cenic.net%2Fesmond%2Fperfsonar%2Farchive%2F%3Fsource%3Dps-svl-10g.cenic.net%26destination%3Dmelange.noc.ucdavis.edu
> > >  Failed to load resource: the server responded with a status of 500 (Internal 
> > > Server Error)
> > > /perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=https%3A%2F%2Fps-ma-lax.cenic.net%2Fesmond%2Fperfsonar%2Farchive%2F%3Fsource%3Dmelange.noc.ucdavis.edu%26destination%3Dps-svl-10g.cenic.net
> > >  Failed to load resource: the server responded with a status of 500 (Internal 
> > > Server Error)
> > > bundle.js:10315 Warning: Each child in an array or iterator should have a unique 
> > > "key" prop. Check the render method of `ChartHeader`. See 
> > > https://fb.me/react-warning-keys for more information.
> > > warning @ bundle.js:10315
> > >
> > > ——
> > >
> > > i did not find a good match for the symptom among the open perfsonar/graphs 
> > > issues on GitHub:
> > >
> > >         https://github.com/perfsonar/graphs/issues
> > >
> > > though closed issue #85 ‘Add security headers for graphs’ looked interesting.
> > >
> > >
> > > thanks,
> > >
> > > john
> >
> > --
> > Michael Johnson
> > GlobalNOC Software Engineering
> > Indiana University
> >
> > 812-856-2771



--
Michael Johnson
GlobalNOC Software Engineering
Indiana University

812-856-2771