Hi,
I am using using meteor 1.8 on digitalocean with nginx, with route-splitting.
The app works fine on my development machine (localhost).
In the production environment the clients fail with this console error
1c0885fc8105202f1a4d9f3aa488051f85fe3435.js?meteor_js_resource=true:25 Refused to connect to 'http://localhost/__meteor__/dynamic-import/fetch' because it violates the following Content Security Policy directive: "default-src wss: https: data: 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com *.gstatic.com *.ggpht.com". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
My systemctl env has the following environment variables:
NODE_ENV=production
MONGO_URL=mongodb://xxxxx:yyyyy@localhost:27017/zzzzzz?authSource=admin
ROOT_URL=http://localhost
PORT=8080
My nginx server block is
server { # the app virtual server
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name app.METEOR_FQDN; # was server_name _;
root /var/www/html; # fallback root, if location has no root
access_log /var/log/nginx/app.METEOR_NAME.log;
error_log /var/log/nginx/app.METEOR_NAME.error.log error;
include snippets/ssl-METEOR_FQDN.conf;
include snippets/ssl-params.conf;
location ~ /.well-known { # case sensitive regular expression mathc; let's encrypt validation
allow all;
}
location = /favicon.ico { # exact match
root /var/www/app.METEOR_FQDN/html/bundle/programs/web.browser/app;
access_log off;
expires 1w;
}
location ~* "^/[a-z0-9]{40}\.(css|js)$" { # case-insensitive regular expression match
root /var/www/app.METEOR_FQDN/html/bundle/programs/web.browser;
access_log off;
expires max;
}
location ~ "^/packages" { # case sensitive regular expression match
root /var/www/app.METEOR_FQDN/html/bundle/programs/web.browser;
access_log off;
}
location / { # prefix match
# redirect all HTTP traffic to localhost:8080
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# allow for stripe webhooks or model uploads (5Mb too big?)
client_max_body_size 5M;
}
}
It appears that the client is trying to dynamically fetch portions of the app from the incorrect domain ‘localhost’. The nginx’s content-security-policy however correctly blocks the ‘localhost’ domain.
So somehow the client needs to know that it should not fetch from localhost, but from https://app.METEOR_FQDN
Any advice?
Also do we need to do ‘meteor add dynamic-import’ for meteor v1.8 or was this only required for v1.5?