Hay varios avisos relativos a su configuración.
La cabecera HTTP "X-Content-Type-Options" no está configurada como "nosniff". Esto es un riesgo potencial de seguridad o privacidad, y se recomienda ajustar esta configuración de forma adecuada.
La cabecera HTTP "X-Robots-Tag" no está configurada como "noindex, nofollow". Esto es un riesgo potencial de seguridad o privacidad, y se recomienda ajustar esta configuración de forma adecuada.
La cabecera HTTP "X-Frame-Options" no está configurada como "SAMEORIGIN". Esto es un riesgo potencial de seguridad o privacidad, y se recomienda ajustar esta configuración de forma adecuada.
Nextcloud version: 26.0.7
Operating system and version: Debian 11
Apache version: Apache 2.4.56
PHP version: 8.1
It was uploaded from 24.x version, but this issue was already present.
The output of your config.php:
{
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost",
"nube.unau.edu.ar"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"0": "skeletondiretory\u2019 => \u2018\/var\/www\/nube\/core\/skeleton",
"dbtype": "mysql",
"version": "26.0.7.0",
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"overwritehost": "nube.unau.edu.ar",
"overwriteprotocol": "https",
"overwritecondaddr": "^192\\.168\\.8\\.17$",
"overwrite.cli.url": "https:\/\/nube.unau.edu.ar",
"htaccess.RewriteBase": "\/",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"loglevel": 0,
"maintenance": false,
"theme": "",
"force_language": "es",
"force_locale": "es",
"default_phone_region": "ar",
"mysql.utf8mb4": true,
"mail_smtpmode": "smtp",
"mail_smtpsecure": "tls",
"mail_sendmailmode": "smtp",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpauth": 1,
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"memcache.local": "\\OC\\Memcache\\APCu",
"app_install_overwrite": [
"epubreader"
],
"preview_max_x": "512",
"preview_max_y": "512",
"jpeg_quality": "60",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379
}
}
As this instance is behind a reverse proxy, here’s corresponding setup
server {
listen 443 ssl http2;
server_name DOMAIN;
include /etc/nginx/snippets/location-letsencrypt.conf;
include /etc/nginx/snippets/ssl-params.conf;
ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
client_max_body_size 0;
underscores_in_headers on;
location / {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
proxy_hide_header Upgrade;
proxy_hide_header X-Powered-By;
add_header Content-Security-Policy "upgrade-insecure-requests";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Download-Options "noopen" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Cache-Control "no-transform" always;
add_header Referrer-Policy no-referrer always;
add_header X-Robots-Tag "noindex, nofollow";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;
proxy_buffering off;
proxy_redirect off;
proxy_max_temp_file_size 0;
#Timeout para archivos grandes
proxy_connect_timeout 1000;
proxy_send_timeout 1000;
proxy_read_timeout 1000;
send_timeout 1000;
proxy_pass http://INTERNAL-IP/;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
}
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
access_log /var/log/nginx/DOMAIN/access.log;
error_log /var/log/nginx/DOMAIN/error.log;
}