"/apps/files" blocked due to MIME type [Solved]

Hello,

Icons and other objects in “apps/files” are blocked with the following message:

The resource from “https://SERVER_DOMAIN/apps/files/” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff).

I have also the following single error:

Content Security Policy: The page settings have prevented a resource from being loaded to inline (« script-src »). 2 content-script.js:40:65

My server configuration:

  • Nextcloud 17.0.1
  • Nginx 1.16.1
  • PHP 7.3.12

My client configuration:

  • Firefox 71.0

/etc/nginx/conf.d/nextcloud.conf

upstream php-handler {
server unix:/var/run/php-fpm/nextcloud.sock;
}

server {
server_name SERVER_DOMAIN;

listen 80 default_server;
listen [::]:80 default_server;

# redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;

}

server {
server_name SERVER_DOMAIN;

# Starting Mozilla SSL configuration
# https://ssl-config.mozilla.org/#server=nginx&config=modern
# ==================================

listen 443 ssl http2;
listen [::]:443 ssl http2;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/pki/tls/certs/nextcloud.crt;
ssl_certificate_key /etc/pki/tls/private/nextcloud.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/pki/tls/certs/nextcloud.trust.crt;

# replace with the IP address of your resolver
resolver 127.0.0.1;

# BEGIN SITE SPECIFIC CONFIGURATION
# Starting Nextcloud configuration
# https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html
# ==============================================

add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

# Path to the root of your installation
root /var/www/nextcloud;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

location = /.well-known/carddav {
  return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
  return 301 $scheme://$host:$server_port/remote.php/dav;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

location / {
    rewrite ^ /index.php;
}

location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
    deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
}

location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    # Enable pretty urls
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
    try_files $uri/ =404;
    index index.php;
}

# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
    try_files $uri /index.php$request_uri;
    add_header Cache-Control "public, max-age=15778463";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above)
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Optional: Don't log access to assets
    access_log off;
}

location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
    try_files $uri /index.php$request_uri;
    # Optional: Don't log access to other assets
    access_log off;
}
# END SITE SPECIFIC CONFIGURATION

}

/etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.

include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
client_body_buffer_size 1k;
client_max_body_size 1k;
server_tokens off;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout 5 5;
types_hash_max_size 4096;

include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

}

Thanks


This was not a Nginx or web configuration issue, but a missing execute access right on the apps folder.


Hey @Ginn,

I am facing the same situation and fiddled with nginx settings without success…
Could you possibly remember and tell us more specifics of your resolution?

And / or do you see anything wrong in my apps/text folder based on your experience?

www-data@510d0d2578b0:~/html/apps$ ls -la text/
total 116
drwxr-xr-x  9 www-data root  4096 Apr 17 12:11 .
drwxr-xr-x 43 www-data root  4096 Apr  3 11:44 ..
-rw-r--r--  1 www-data root    11 Apr 17 12:11 .eslintignore
-rw-r--r--  1 www-data root   680 Apr 17 12:11 .stylelintrc.js
-rw-r--r--  1 www-data root  1212 Apr 17 12:11 CHANGELOG.md
-rw-r--r--  1 www-data root 34520 Apr 17 12:11 COPYING
drwxr-xr-x  2 www-data root  4096 Apr 17 13:06 appinfo
-rw-r--r--  1 www-data root   300 Apr 17 12:11 babel.config.js
-rw-r--r--  1 www-data root   396 Apr 17 12:11 composer.json
-rw-r--r--  1 www-data root 17327 Apr 17 12:11 composer.lock
drwxr-xr-x  2 www-data root  4096 Apr 17 12:11 css
drwxr-xr-x  3 www-data root  4096 Apr 17 12:11 img
drwxr-xr-x  3 www-data root  4096 Apr 17 12:11 js
-rw-r--r--  1 www-data root   390 Apr 17 12:11 krankerl.toml
drwxr-xr-x  2 www-data root  4096 Apr 17 12:11 l10n
drwxr-xr-x 11 www-data root  4096 Apr 17 12:11 lib
drwxr-xr-x  2 www-data root  4096 Apr 17 12:11 templates

Context: I am using Nextcloud 18.0.3 in a docker container.

My directory looks like:

drwxr-x--x. 1 nextcloud nextcloud   264 24 avril 07:27 .
drwxr-x--x. 1 nextcloud nextcloud  1208 29 avril 08:07 ..
drwxr-x--x. 1 nextcloud nextcloud    78 24 avril 07:27 appinfo
-rwxr-x--x. 1 nextcloud nextcloud   300 24 avril 07:27 babel.config.js
-rwxr-x--x. 1 nextcloud nextcloud  1212 24 avril 07:27 CHANGELOG.md
-rwxr-x--x. 1 nextcloud nextcloud   396 24 avril 07:27 composer.json
-rwxr-x--x. 1 nextcloud nextcloud 17327 24 avril 07:27 composer.lock
-rwxr-x--x. 1 nextcloud nextcloud 34520 24 avril 07:27 COPYING
drwxr-x--x. 1 nextcloud nextcloud    72 24 avril 07:27 css
-rwxr-x--x. 1 nextcloud nextcloud    11 24 avril 07:27 .eslintignore
drwxr-x--x. 1 nextcloud nextcloud   734 24 avril 07:27 img
drwxr-x--x. 1 nextcloud nextcloud  1450 24 avril 07:27 js
-rwxr-x--x. 1 nextcloud nextcloud   390 24 avril 07:27 krankerl.toml
drwxr-x--x. 1 nextcloud nextcloud  1784 24 avril 07:27 l10n
drwxr-x--x. 1 nextcloud nextcloud   322 24 avril 07:27 lib
-rwxr-x--x. 1 nextcloud nextcloud   680 24 avril 07:27 .stylelintrc.js
drwxr-x--x. 1 nextcloud nextcloud    16 24 avril 07:27 templates

I basically applied chmod +x -R on the full apps folder. It should be possible to have more precise mode settings, but this may be a good start to see if the issue is related to this.

Thanks for sharing @Ginn! Could changing the permissions of all files not be a security issue?

As far as I could find, file permissions should be 640, so without execute rights. See for example point 11 in the manual upgrade guide (or this thread).

Yes, too broad permissions may be a security issue. I admit that I mainly attempted to fix the issue with a very limited amount of time, but I am also interested in having a better permission setting.

Looking at the doc you linked, I see that the recommendation is 640 for files, but 750 for directories. This sounds like a better start than adding +x to everything.

I assume some files may also need the execute permission like the occ command.

The issue in this topic was fixed by adding extra execute permission, but maybe it was simply missing in one sub-directory.

I set 640 to files and 750 to directories, I’ll see if this causes issues.

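As an added example that is not part of this thread and not Nextcloud's own tooling: a small POSIX shell script that builds a constructed copy of an `apps` tree with one directory missing the execute (search) bit, lists such directories, and then applies the 640/750 scheme discussed above. The mechanism behind the original error is worth spelling out: when the web server user cannot traverse a directory, `try_files $uri /index.php$request_uri` in the `.js`/`.css` location never finds the asset and falls through to `index.php`, which answers with an HTML page (`text/html`) for a script URL; because `X-Content-Type-Options: nosniff` is set, the browser refuses to treat that response as JavaScript. The `check_asset_type` helper (assumes `curl` and a URL of your own, and is only a detection aid) shows what to look for on the wire. All paths, file names and the `www-data` reference are assumptions for the demo, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Nextcloud. Assumes a POSIX sh with
# find, chmod, mktemp and (for the optional header check only) curl.
set -eu

# Build a constructed "apps" tree in a temp dir with one directory that is
# readable (r) but not searchable (x): the broken state described in the thread.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/apps/files/js" "$tmp/apps/text/js"
    printf 'console.log("files app");\n' > "$tmp/apps/files/js/app.js"
    printf 'console.log("text app");\n'  > "$tmp/apps/text/js/app.js"
    chmod 750 "$tmp/apps" "$tmp/apps/files" "$tmp/apps/text" "$tmp/apps/text/js"
    chmod 640 "$tmp/apps/files/js/app.js" "$tmp/apps/text/js/app.js"
    chmod 640 "$tmp/apps/files/js"   # broken: no x bit, nothing below it is reachable
    printf '%s\n' "$tmp"
}

# Print every directory under $1 whose owner or group lacks the execute (search)
# bit. -perm tests the mode bits, so the result is the same whether or not this
# runs as root. A web server user (e.g. www-data) cannot open files below such a
# directory, so nginx's try_files misses the asset and falls through to index.php.
# find itself cannot descend into those directories; that error is expected and
# is suppressed here.
find_unsearchable_dirs() {
    find "$1" -type d \( ! -perm -u=x -o ! -perm -g=x \) 2>/dev/null || true
}

# Number of unsearchable directories under $1 (0 means the tree is traversable).
count_unsearchable() {
    find_unsearchable_dirs "$1" | wc -l | tr -d ' '
}

# Apply the scheme the thread settled on: 750 for directories, 640 for files.
# Directories use -exec ... \; so each one is fixed before find descends into it;
# files are handled in a second pass once every directory is searchable.
fix_modes() {
    find "$1" -type d -exec chmod 750 {} \;
    find "$1" -type f -exec chmod 640 {} +
}

# Optional detection step (needs network and curl): a static asset URL answered
# with "text/html" is exactly the symptom the browser reports as a nosniff
# MIME type mismatch.
check_asset_type() {
    curl -sSI "$1" | grep -i '^content-type:' || true
}

# Demo when run as "sh script.sh --demo": show the broken state, fix it, re-check.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "before: $(count_unsearchable "$root/apps") unsearchable dir(s)"
    find_unsearchable_dirs "$root/apps"
    fix_modes "$root/apps"
    echo "after:  $(count_unsearchable "$root/apps") unsearchable dir(s)"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the broken directory reported and then cleared; point `fix_modes` at a real `apps` directory only after confirming the owner and group match the PHP-FPM user, since 750/640 deny everything to other users by design.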

Thank you! Please keep us updated :slightly_smiling_face: