My installation is on Ubuntu 16.04 using nginx (also as a reverse proxy) and I manually upgraded from 11.0.5 to 12.0.3. Everything works, except this one error message:
Der „X-Frame-Options“-HTTP-Header ist nicht so konfiguriert, dass er „SAMEORIGIN“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
This is the VServer-conf from nginx (which contains this SAMEORIGIN setting):
upstream php-handler {
server unix:/run/php/php7.0-fpm.sock;
}server {
listen 127.0.0.1:82;
server_name 127.0.0.1;# Add headers to serve security related headers # Use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy. proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; proxy_set_header X-Content-Type-Options nosniff; proxy_set_header X-Frame-Options "SAMEORIGIN"; proxy_set_header X-XSS-Protection "1; mode=block"; proxy_set_header X-Robots-Tag none; proxy_set_header X-Download-Options noopen; proxy_set_header X-Permitted-Cross-Domain-Policies none; # Path to the root of your installation root /var/www/; location = /robots.txt { allow all; log_not_found off; access_log off; } # The following 2 rules are only needed for the user_webfinger app. # Uncomment it if you're planning to use this app. #rewrite ^/.well-known/host-meta /owncloud/public.php?service=host-meta last; #rewrite ^/.well-known/host-meta.json /owncloud/public.php?service=host-meta-json last; location = /.well-known/carddav { return 301 $scheme://$host/nextcloud/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host/nextcloud/remote.php/dav; } location /.well-known/acme-challenge { } location ^~ /nextcloud { # set max upload size client_max_body_size 1G; fastcgi_buffers 64 4K; # Disable gzip to avoid the removal of the ETag header gzip off; # Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off; error_page 403 /nextcloud/core/templates/403.php; error_page 404 /nextcloud/core/templates/404.php; location /nextcloud { rewrite ^ /nextcloud/index.php$uri; } location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) { include fastcgi_params; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; # Important: disable HTTPS, otherwise no log in will be possible! #fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; # Raise timeout values. # This is especially important when the ownCloud setup runs into timeouts (504 gateway errors) fastcgi_read_timeout 300; fastcgi_send_timeout 300; fastcgi_connect_timeout 300; # Pass PHP variables directly to PHP. # This is usually done in the php.ini. For more flexibility, these variables are configured in the nginx config. # All the PHP parameters have to be set in one fastcgi_param. When using more 'fastcgi_param PHP_VALUE' directives, the last one will override all the others. fastcgi_param PHP_VALUE "open_basedir=/var/www:/tmp/:/var/clouddata:/dev/urandom upload_max_filesize = 1G post_max_size = 1G max_execution_time = 3600"; # Make sure that the real IP of the remote host is passed to PHP. fastcgi_param REMOTE_ADDR $http_x_real_ip; } location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) { try_files $uri/ =404; index index.php; } # Adding the cache control header for js and css files # Make sure it is BELOW the PHP block location ~* \.(?:css|js)$ { try_files $uri /nextcloud/index.php$uri$is_args$args; proxy_set_header Cache-Control "public, max-age=7200"; # Add headers to serve security related headers # Again use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy. proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; proxy_set_header X-Content-Type-Options nosniff; proxy_set_header X-Frame-Options "SAMEORIGIN"; proxy_set_header X-XSS-Protection "1; mode=block"; proxy_set_header X-Robots-Tag none; proxy_set_header X-Download-Options noopen; proxy_set_header X-Permitted-Cross-Domain-Policies none; # Optional: Don't log access to assets access_log off; } location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ { try_files $uri /nextcloud/index.php$uri$is_args$args; # Optional: Don't log access to other assets access_log off; } }
}
Here is my config.php:
?php
$CONFIG = array (
‘instanceid’ => ‘hereisinstanceid’,
‘passwordsalt’ => ‘hereisapassword/l’,
‘secret’ => ‘hereissecret’,
‘trusted_domains’ =>
array (
0 => ‘mydomain.com’,
1 => ‘192.168.40.132’,
),
‘datadirectory’ => ‘/var/clouddata’,
‘overwrite.cli.url’ => ‘https://mydomain.com/nextcloud’,
‘dbtype’ => ‘mysql’,
‘version’ => ‘12.0.3.3’,
‘dbname’ => ‘nextcloud_db’,
‘dbhost’ => ‘localhost’,
‘dbport’ => ‘’,
‘dbtableprefix’ => ‘oc_’,
‘dbuser’ => ‘nextcloud_db_user’,
‘dbpassword’ => ‘myDBpassword’,
‘logtimezone’ => ‘Europe/Berlin’,
‘installed’ => true,
‘memcache.local’ => ‘\OC\Memcache\APCu’,
‘maintenance’ => false,
‘mail_smtpmode’ => ‘smtp’,
‘mail_smtpsecure’ => ‘ssl’,
‘mail_from_address’ => ‘noreply’,
‘mail_domain’ => ‘mydomain.com’,
‘mail_smtpauth’ => 1,
‘mail_smtpauthtype’ => ‘LOGIN’,
‘mail_smtpname’ => ‘noreply@mydomain.com’,
‘mail_smtppassword’ => ‘smtppasswort’,
‘mail_smtphost’ => ‘smtp.mailserver.com’,
‘mail_smtpport’ => ‘465’,
‘loglevel’ => 2,
‘updater.release.channel’ => ‘production’,
);
Maybe the reverse-proxy is the culprit? What do I have to change?