HTTP Headers in Docker

Hello everyone,

I wanted to say this has been going on for a while and is extremely annoying.

I am trying to set up Nextcloud behind a Nginx reverse proxy (homebrewed, not nginx-proxy).
I put all my headers in the Nginx instance as a good practice. Unfortunately then Nextcloud spits out 2 headers for

The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

So they are set - however I would like these to go away, is there any way to have nextcloud stop sending these headers?
Is it insecure to have 2 sets of headers?

Thank you.

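Whether two copies of a header matter can be checked directly on a captured response. The Python script below is an added example, not code from the thread: it parses a constructed response head, flags each security header that appears twice (one copy from the proxy, one from the upstream web server) and separates the harmless case, identical values, from the one that needs fixing at a single layer, conflicting values.

```python
from collections import defaultdict

# Header -> value Nextcloud's check expects (None: only presence matters).
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
    "strict-transport-security": None,
}

def parse_head(raw):
    """Raw HTTP/1.1 response head -> ordered (lower-cased name, value) pairs.
    Repeated header lines are all kept; a folded "a, b" value becomes two."""
    pairs = []
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # [1:] skips the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.extend((name.strip().lower(), v.strip()) for v in value.split(","))
    return pairs

def audit(raw):
    """Per security header: values seen, duplicated?, copies disagree?, expected value?"""
    seen = defaultdict(list)
    for name, value in parse_head(raw):
        seen[name].append(value)
    report = {}
    for name, expected in EXPECTED.items():
        values = seen.get(name, [])
        distinct = {v.lower() for v in values}
        report[name] = {
            "values": values,
            "duplicate": len(values) > 1,      # same value twice: noisy but harmless
            "conflict": len(distinct) > 1,     # copies disagree: fix at one layer
            "ok": bool(values) and (expected is None or distinct == {expected}),
        }
    return report

# Constructed sample: nginx adds the headers, then Apache inside the Nextcloud
# container adds the same ones again, so the browser receives each one twice.
DUPLICATED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n<html>...</html>"
)
# Constructed sample: proxy says DENY, upstream says SAMEORIGIN (the copies disagree).
CONFLICTING = DUPLICATED.replace("X-Frame-Options: SAMEORIGIN", "X-Frame-Options: DENY", 1)
```

Run `audit(DUPLICATED)` against the output of `curl -si https://your-host/` saved to a file to see what your own proxy chain hands to the browser.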

if you use apache as the web server for nextcloud, look at .htaccess in /var/www/nextcloud (or wherever nextcloud is installed to).

Even with this disabled the headers are still sent for some reason.

I restarted the docker compose instance and still it puts the headers.

could you specify “they” and “these”?

if you set the headers correctly the warning will go away. or?

As you can see in my previous post with the image.

I am receiving two sets of headers. One from my reverse proxy setting them and then one from my NextCloud instance. Is there a way to prevent Nextcloud from sending them because .htaccess doesn’t seem to work in the apache image.

However, if I can’t I will just ignore them I just don’t want it to be an issue if there is some flaw due to there being two headers.

nextcloud is a php program. it doesn’t send headers.
headers are typically sent by the web server and/or reverse proxy.

and headers are defined in web server/reverse proxy config file.

did you try egrep -r "SAMEORIGIN|nosniff" /? (may take a while.)
if you use docker we have to use another approach. but similar.

I apologize for the confusion, yes that’s why I keep saying “Nextcloud.”

I am using the docker instance of it. I thought I posted this thread in the (Docker, Snappy…) sub-forum.

I have restarted the docker instance after editing the .htaccess and it still is sending the headers through the reverse proxy.

Proxy settings from the docker-compose

  mariadb:
    depends_on:
      - reverseproxy
    image: mariadb:latest
    container_name: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    expose:
      - "3306"
    volumes:
      - ./cloud/db/:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=test123
      - MYSQL_PASSWORD=test12
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    networks:
      - proxy

  nextcloud:
    depends_on:
      - reverseproxy
      - mariadb
    image: nextcloud
    container_name: nextcloud
    restart: always
    expose:
      - "80"
    volumes:
      - ./cloud/www/:/var/www/html
      # - ./cloud/apache/:/etc/apache2/
    environment:
      - NEXTCLOUD_TRUSTED_DOMAINS=tld.domain.com
      - NEXTCLOUD_OVERWRITEPROTOCOL=https
      - NEXTCLOUD_OVERWRITEWEBROOT=/cloud
    networks:
      - proxy

the apache in the nextcloud container and the nginx reverse proxy have their own config files in the image.

i think it’s not a good idea to change the apache conf file. seems that you tried it here:

# - ./cloud/apache/:/etc/apache2/

the reverseproxy part of the docker-compose is missing.

I didn’t feel it important, as I said I have my homebrewed system. It is not the one that nextcloud uses on their github readme.

I did try it but it also didn’t work so I scrapped it, as you can see by the # symbol. I will grab my reverse-proxy conf for the nextcloud instance so you can see what headers I am putting on.

Nginx.conf (the main config); the common*.conf files add the HTTP headers

user  nginx;
worker_processes  1;

error_log  /var/run/nginx/error_log.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include common.conf;
    include common_location.conf;
    include ssl.conf;
    include /etc/nginx/static/*;
    include /etc/nginx/upstream/*;
    sendfile on;
}

the common.conf

add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options              "SAMEORIGIN" always;
add_header X-Content-Type-Options       "nosniff" always;
add_header X-XSS-Protection             "1; mode=block" always;

common_location.conf

proxy_set_header    X-Real-IP           $remote_addr;
proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto   $scheme;
proxy_set_header    Host                $host;
proxy_set_header    X-Forwarded-Host    $host;
proxy_set_header    X-Forwarded-Port    $server_port;

the nextcloud.conf

upstream nextcloud {
    server nextcloud:80;
}

server {
    listen        443 ssl;
    server_name   tld.domain.com;

    location / {
        proxy_pass http://nextcloud;
    }
}

if you comment this out, one pair of headers disappears?

This did fix it. I will need to adjust, I guess, how my headers are set, and see if I can add them only for the other micro-services. It’s strange that these other ones never get an issue about double headers.

Thank you. I apologize for using this as a rubber ducky.

Apparently, you have to declare headers Nextcloud is missing outside of it but you cannot undeclare headers Nextcloud is trying to do itself.

Just a heads up.

did you look at traefik.io to replace your nginx reverse proxy?

used here https://github.com/ReinerNippes/nextcloud_on_docker or here https://github.com/ReinerNippes/selfhosted_on_docker


just for my understanding, you’re doing this against what folders?

may this helps: https://github.com/nextcloud/server/issues/8207

all folders. brute force.
(and yes that sounds senseless if you can narrow down the location of the config. → /etc + /var/www. But here are people using snap or having **** ideas where to put things.)