ERROR: Blocked by X-Frame-Options Policy

akash47 · May 13, 2020, 9:11am

Hi everyone,

I’m getting the below error:

The reason is because I’m running a reverse proxy (using Cloudflare workers) to proxy all traffic
from: blog.wowclub.com/*
to: wowclub.com/blog/*

And it works well for the most part. It is fully usable. But these are the other things that aren’t working:

Search
Appending a /edit to the end of a blog post to edit it

I think it has something to do with the content API
auth_fail

Would really appreciate some help to point me in the right direction.

Thank you!

akash47 · May 14, 2020, 9:36am

@vikaspotluri123 Would you know?

I read your reply here, and I’m not sure if I need to change anything in my Nginx configuration.
After all, I have set up cloudflare to do all the re-directing.

thanks!

vikaspotluri123 · May 14, 2020, 8:37pm

If you’re running the admin panel on a different domain, try setting the admin url (search for admin on this page):

https://ghost.org/faq/change-configured-site-url/

akash47 · May 15, 2020, 4:57pm

Hi @vikaspotluri123,
I suppose that does apply to me. I’m technically running the admin panel on Ghost Admin

So I ran the command ghost config admin.url https:// blog.wowclub.com/blog

But, unfortunately I’m now in a 502 error that I can’t resolve.
502 Bad Gateway
nginx/1.10.3 (Ubuntu)

I’ve tried to re-setup nginx, restart ghost - to no avail.

ghost log -f shows that ghost is running fine on production & no error.

Bit stumped. Anything I could try?
Is there a way to revert my changes?

vikaspotluri123 · May 15, 2020, 6:22pm

I don’t think it’s possible to remove a config key. You’ll have to manually edit the config file and remove the

,
"admin": {
    "url": ""
}

section

The bad gateway error makes me think something is messed up in the DNS / IP level in terms of how you configured your domain / proxy

akash47 · May 16, 2020, 4:23am

As soon as I removed that config key, it started to work again
Thanks!

Though, I’m still where i was w.r.t to the original problem - but at least things are back up and running!

vikaspotluri123 · May 16, 2020, 5:22pm

did you add any custom headers to the blog response?

akash47 · May 19, 2020, 8:34am

I haven’t added any custom headers.
But, we do use Cloudflare workers to proxy traffic - so I don’t know if that is adding something to the response.

vikaspotluri123 · May 19, 2020, 3:45pm

I have a feeling this might be a limitation of the default nginx configuration. If you set up SSL, it adds this line by default:

github.com

TryGhost/Ghost-CLI/blob/66bac960deadc6a82f0117dbf4677bf62368c99f/extensions/nginx/templates/ssl-params.conf#L12


      
          ssl_prefer_server_ciphers on;
          ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
          ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
          ssl_session_cache shared:SSL:10m;
          ssl_session_tickets off; # Requires nginx >= 1.5.9
          ssl_stapling on; # Requires nginx >= 1.3.7
          ssl_stapling_verify on; # Requires nginx => 1.3.7
          resolver 8.8.8.8 8.8.4.4 valid=300s;
          resolver_timeout 5s;
          add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
          add_header X-Frame-Options SAMEORIGIN;
          add_header X-Content-Type-Options nosniff;
          
          
ssl_dhparam <%= dhparam %>;

The workaround is to comment that line out, or add logic to send the allow header if you’re on the Admin origin

akash47 · May 22, 2020, 8:19am

Thanks!
I’ll check that out, but when I’ve I understand nginx better.
I’m bit worried I’ll break things again

themeix · October 20, 2022, 6:03am

add_header X-Frame-Options "allow-from https://newwebsiteurl.com/";

Sometime we may need to give x-frame access to a specific domain… above code may help for that.

Topic		Replies	Views
502 Error Please Help Installation	2	478	October 1, 2020
Overwrite X-Frame-Option on Ghost Site Developer help	2	1996	May 16, 2020
Login redirect "There was a problem on the server." Installation	1	902	July 20, 2018
502 Bad Gateway nginx error Installation	3	5681	June 26, 2018
Sorry, Ghost is currently undergoing maintenance, please wait a moment then try again Developer help	2	1350	February 5, 2020

ERROR: Blocked by X-Frame-Options Policy

Related topics