HTTP Header warning - nextcloud @ subfolder & apache config

Hi,

After the update from NC17 to NC18, the HTTP header warning reappeared.

> The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the W3C Recommendation.

The messages are in the standard file /var/www/nextcloud/.htaccess

<IfModule mod_env.c>
# Add security and privacy related headers
Header always set Referrer-Policy "no-referrer"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Download-Options "noopen"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Robots-Tag "none"
Header always set X-XSS-Protection "1; mode=block"
SetEnv modHeadersAvailable true
</IfModule>

And in /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:443>
    DocumentRoot /var/www
    ServerName Nextcloud
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    <IfModule mod_env.c>
        # Add security and privacy related headers
        Header set X-Content-Type-Options "nosniff"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Robots-Tag "none"
        Header set X-Download-Options "noopen"
        Header set X-Permitted-Cross-Domain-Policies "none"
        Header set Referrer-Policy "no-referrer"
        Header set X-Frame-Options "SAMEORIGIN"
        Header always set Feature-Policy "autoplay 'none';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'"
        Header set Content-Security-Policy "none"
        SetEnv modHeadersAvailable true
    </IfModule>
</VirtualHost>

And the /etc/apache2/sites-enabled/nextcloud.conf

#    Alias /nextcloud /var/www/nextcloud/

<Directory /var/www/nextcloud/>
    SSLRenegBufferSize 10486000

    Options +FollowSymlinks
    AllowOverride All

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
    SSLRequireSSL
</Directory>

Redirect 301 /.well-known/carddav https://DOMAIN/nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav https://DOMAIN/nextcloud/remote.php/dav

What is configured wrong?

Thank you!

Have you tried to use the search function of the forum to find an answer to your question?!:

https://help.nextcloud.com/search?q=http%20header%20warning

Yes, I searched. Did I miss something?

sudo a2enmod env 
Module env already enabled

I noticed that mod_headers is not loaded, even if I add this to apache.conf.

But actually, only the Nextcloud version changed, since these messages reappeared.

The test with curl shows:

curl -vvvv -k https://DOMAIN
* Rebuilt URL to: https://DOMAIN/
*   Trying IP...
* TCP_NODELAY set
* Connected to DOMAIN (IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=DOMAIN
*  start date: Apr 30 09:33:07 2016 GMT
*  expire date: Apr 28 09:33:07 2026 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=DOMAIN
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/1.1
> Host: DOMAIN
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 200 OK
< Date: Tue, 05 May 2020 17:05:40 GMT
< Server: Apache
< Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
< Feature-Policy: autoplay 'none';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'
< Last-Modified: Fri, 27 Feb 2015 09:46:48 GMT
< ETag: "b1-5100ebf436c66"
< Accept-Ranges: bytes
< Content-Length: 177
< Vary: Accept-Encoding
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: none
< Content-Type: text/html
< 
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
* Connection #0 to host DOMAIN left intact


curl -vvvv -k https://DOMAIN/nextcloud
*   Trying IP...
* TCP_NODELAY set
* Connected to DOMAIN (IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=DOMAIN
*  start date: Apr 30 09:33:07 2016 GMT
*  expire date: Apr 28 09:33:07 2026 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=DOMAIN
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /nextcloud HTTP/1.1
> Host: DOMAIN
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 302 Found
< Date: Tue, 05 May 2020 17:07:21 GMT
< Server: Apache
< Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
< Feature-Policy: autoplay 'none';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block
< Location: /nextcloud/
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: none
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host DOMAIN left intact

As far as I can see, the options are correctly set up?

But why does Nextcloud criticize this in the admin panel?

But at https://scan.nextcloud.com the headers are all marked red with an x, which indicates a wrong configuration?

@j-ed
I hope someone can help me because I don’t know where to look for solutions.

The error message apparently appears because the options are sent twice for
https://DOMAIN/nextcloud

But they are only in the 000-default.conf and in the nextcloud/.htaccess file.

If I remove it from the config, there are no (global) settings for https://DOMAIN.
Do I need to remove these options from the .htaccess at every NC update?
What would be the preferred configuration with a Nextcloud subfolder?

I’ve got the same issue on my production server, but I don’t have this on my mirror server. Both are Ubuntu 18.04 server and configured almost identical.

I have tried to find differences in the Apache2 settings, but did not find any difference yet.

The production server is also sending the X-header options at the end (hence a second time!). The mirror server is sending the X-header options only once at the beginning. I tested this with "curl -I" on both of my servers.

This must be pointing to a configuration difference, but where?

It shows that it is not a Nextcloud issue alone. (Besides "not accepting X-headers twice" :) )

And therefore I checked the contents of the Apache2 config-files, beginning with security.conf. Bingo: /etc/apache2/conf-enabled/security.conf was causing the “double” setting of X-headers.

I’ve chosen to use the security.conf instead of the .htaccess version.

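Both findings above (the OP's "options are sent twice" and the second poster's security.conf duplicate) come down to the same check: which security headers arrive more than once, and whether their values match what the Nextcloud setup check expects. The following script is an added example, not code from the thread or from Nextcloud; it parses a response header block as captured with `curl -I` or `curl -v`, and the embedded sample is constructed to mirror the doubled headers in the 302 response shown earlier.

```python
"""Duplicate security-header checker (added example, not from the thread)."""
from __future__ import annotations
from collections import defaultdict

# Expected values are the ones listed in the admin-panel warnings at the top.
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-robots-tag": {"none"},
    "x-frame-options": {"sameorigin"},
    "x-download-options": {"noopen"},
    "x-permitted-cross-domain-policies": {"none"},
    "referrer-policy": {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
                        "strict-origin-when-cross-origin", "same-origin"},
}

# Constructed sample modelled on the second curl response in the thread:
# .htaccess and the vhost both emit the headers, so each appears twice.
SAMPLE = """HTTP/1.1 302 Found
< Server: Apache
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Location: /nextcloud/
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Length: 0
"""

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Map lowercased header name -> every value sent, in wire order."""
    headers: dict[str, list[str]] = defaultdict(list)
    for line in raw.splitlines():
        line = line.lstrip("< ").rstrip()            # drop curl's "< " prefix
        if not line or line.startswith("HTTP/"):     # skip blank and status lines
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def check_security_headers(raw: str) -> dict[str, list[str]]:
    """Report headers sent twice, with unexpected values, or missing entirely."""
    headers = parse_headers(raw)
    result = {"duplicate": [n for n, v in headers.items() if len(v) > 1],
              "unexpected": [], "missing": []}
    for name, allowed in EXPECTED.items():
        values = headers.get(name)
        if values is None:
            result["missing"].append(name)
        elif any(v.lower() not in allowed for v in values):
            result["unexpected"].append(name)
    return result

if __name__ == "__main__":
    print(check_security_headers(SAMPLE))
```

Point it at `curl -sI -k https://DOMAIN/nextcloud` output to see which headers your .htaccess, vhost and conf-enabled files are each contributing.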