Nextcloud version: 15.0.4 (but previous as well)
Operating system and version: debian stretch (openmediavault 4.x)
Apache or nginx version: nginx 1.10.3
PHP version: 7.2
Hello,
I have an installation of nextcloud on my personal home server, started with nextcloud 13 and now on the latest release. About three weeks ago I have changed the domain pointing to nextcloud (not the actual installation directory in the system) from xxx.yyy.zz/cloud to aaa.bbb.cc and in doing that I have edited the nginx configuration (following the nextcloud documentation). Since then, I’m getting weird http headers errors from the nextcloud security scan website and from nextcloud itself. In particular, the scanner says that some http security headers are not set and my nextcloud installation is particularly referring to the fact that the “X-Frame-Options” is not set to sameorigin. The problem is that all these http headers are configured (I think) in the right way.
This is my nginx configuration (XXX to replace sensitive data):
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate XXX;
ssl_certificate_key XXX;
server_name cloud.iacchi.casa;
set $root_path "XXX";
root $root_path;
index index.php;
set $socket "XXX";
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass $socket;
}
access_log XXX;
error_log XXX;
large_client_header_buffers 4 8k;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
add_header X-Frame-Options "SAMEORIGIN";
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location ~ /\.well-known/acme-challenge {
allow all;
}
client_max_body_size 3072M;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
rewrite ^ /index.php$request_uri;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass $socket;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
add_header X-Frame-Options "SAMEORIGIN";
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
And if I check my website (https://cloud.iacchi.casa) on a http header checker like this one: https://www.webconfs.com/http-header-check.php I can see the all http headers are correctly sent. Despite this, the nextcloud security scan website (any my installation itself) says that all these headers are not set: https://scan.nextcloud.com/results/a12e2dea-a1fb-4205-b838-1090c5ef7585
What is going on here?