After Upgrading to 3.3.0p2 - login working, but no menus, logoff button not working

I just updated to 3.3.0p2 on one of my servers. After update I can login to admin interface but there's only logo, search field and logoff button.
Also phpmyadmin does only show logo, no content.
ispconfig.log empty since last night 02:07
ispconfig.vhost (last modified today by installer):

server {
listen 8080 ssl http2;
listen [::]:8080 ssl http2 ipv6only=on;

ssl_protocols TLSv1.2;
ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384HE-RSA-AES128-GCM-SHA256HE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHAHE-RSA-AES128-SHA256HE-RSA-AES128-SHAHE-RSA-AES256-SHA256HE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHAES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

# redirect to https if accessed with http
error_page 497 https://$host:8080$request_uri;

server_name _;

root /usr/local/ispconfig/interface/web/;

client_max_body_size 20M;

location / {
index index.php index.html;
}

# serve static files directly
location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
access_log off;
}

location ~ \.php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/lib/php8.2-fpm/ispconfig.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_read_timeout 1200;
fastcgi_param HTTP_PROXY "";
}

location ~ /\. {
deny all;
}

location ~* \.lng$ {
deny all;
}

# location /phpmyadmin {
# root /usr/share/;
# index index.php index.html index.htm;
# location ~ ^/phpmyadmin/(.+\.php)$ {
# try_files $uri =404;
# root /usr/share/;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/lib/php8.2-fpm/ispconfig.sock;
# fastcgi_param HTTPS on;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $request_filename;
# }
# location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
# root /usr/share/;
# }
# }
# location /phpMyAdmin {
# rewrite ^/* /phpmyadmin last;
# }
#
# location /squirrelmail {
# root /usr/share/;
# index index.php index.html index.htm;
# location ~ ^/squirrelmail/(.+\.php)$ {
# try_files $uri =404;
# root /usr/share/;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/lib/php8.2-fpm/ispconfig.sock;
# fastcgi_param HTTPS on;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $request_filename;
# }
# location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
# root /usr/share/;
# }
# }
# location /webmail {
# rewrite ^/* /squirrelmail last;
# }
}




Env: vps, Debian 12; PHP 8.2, 8.3, 8.4.; nginx; mariadb

 

Hi Till,
thanks for your quick response.
This server including ispconfig and phpmyadmin is running without issues for roundabout two years.
There was no os update before the last ISPConfig update, phpmyadmin and admin surface didn't have any problems until yesterday.

All websites are healthy, neither php, nor nginx error log is listing any error. nginx access log only shows access to admin surface.
Login screen appears, 2fa as well, login completes, but then no content, except search field, logo and a useless logoff button

80.187.74.147 - - [15/Oct/2025:08:44:28 +0200] "GET / HTTP/2.0" 200 10404 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
80.187.74.147 - - [15/Oct/2025:08:44:28 +0200] "GET /js/scrigo.js.php HTTP/2.0" 200 1677 "https://flip.keck-it-service.de:8080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"

 

Hi Till,
nginx error.log didn't contain anything about that issue. But I found the culprit.

I had to comment out the following line from nginx.conf:
add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";


I am operating another server, which isn't updated. On this server the add_header line is missing. But I'll do the counter test and update the second server and looking then for the line.

Update done, but there is still no line "add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";"

Anyway: issue solved.
Thanks!

 

Have had this once in the past. Also after having done an ISPC update.
Clearing temporary internet files and cookies in the browser solved it for me.