Kibana will not start behind reverse proxy with X-Content-Type-Options: nosniff

We have an urgent problem in moving Kibana to a production environment where the proxy adds X-Content-Type-Options: nosniff to the response headers.
If we run the Kibana instance directly to bypass the proxy environment, it starts and runs fine. But through the proxy we get the following line in the console:

The resource from “https://netefatsa.drdlr.gov.za/bundles/app/kibana/bootstrap.js” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff). This is in Firefox.

In Chrome:
1. Request URL: https://netefatsa.drdlr.gov.za/bundles/app/kibana/bootstrap.js
2. Request Method: GET
3. Status Code: 404 Not Found

The console shows the following message:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-SbBSU7MfZFnVMq4PuE/jbBz7pPIfXUTYDrdHl7Ckchc='), or a nonce ('nonce-...') is required to enable inline execution.

The Reverse proxy environment runs nginx behind a corporate proxy server.

As a result we cannot start Kibana at all. Please point us to some way. Please advise.


Hi @WillemvdW, sorry for the very late reply (the topic was also automatically closed), but I'm wondering if you were able to solve this issue or not.

The bootstrap.js file should be sent from the server with the correct MIME type, application/javascript, but if you are getting text/html, it seems there is an issue in the proxy configuration that doesn't correctly proxy the response headers.

One CSP error in the console, as written in the subsequent console log, is fine. There should be another issue in Chrome that blocks you from showing Kibana.
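
The check the browser applied in this thread, as an added example that is not part of the original posts: with nosniff set, a response loaded as a script is blocked unless its Content-Type is a JavaScript MIME type. The function names and the two sample responses are constructed for illustration; the status and header values mirror what the posts report.

```python
"""Classify a proxied script response the way a browser enforcing
X-Content-Type-Options: nosniff would (added example; sample data is constructed)."""

# JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/jscript", "text/livescript",
    "text/x-ecmascript", "text/x-javascript",
} | {f"text/javascript1.{n}" for n in range(6)}


def essence(content_type):
    """Return the lowercase type/subtype without parameters, or None."""
    if not content_type:
        return None
    value = content_type.split(";", 1)[0].strip().lower()
    return value if "/" in value else None


def check_script_response(status, headers):
    """Return a list of findings for a response fetched as a <script>."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if status != 200:
        findings.append(f"status {status}: the bundle itself was not served")
    mime = essence(h.get("content-type"))
    # Browsers compare the first comma-separated value, case-insensitively.
    xcto = h.get("x-content-type-options", "").split(",")[0].strip().lower()
    if mime not in JS_MIME_TYPES:
        if xcto == "nosniff":
            findings.append(f"blocked by nosniff: Content-Type is {mime!r}, not a JavaScript type")
        else:
            findings.append(f"wrong Content-Type {mime!r} (would be blocked once nosniff is set)")
    return findings


# Constructed responses: what the browsers reported through the proxy,
# and what the reply says the server should send.
via_proxy = check_script_response(404, {"Content-Type": "text/html",
                                        "X-Content-Type-Options": "nosniff"})
direct = check_script_response(200, {"Content-Type": "application/javascript"})

if __name__ == "__main__":
    for name, result in (("via proxy", via_proxy), ("direct", direct)):
        print(name, "->", result or "ok")
```

Feeding it the status and headers captured for bootstrap.js on both sides of nginx shows whether the text/html body is an error page returned in place of the bundle, rather than the bundle with a rewritten header.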