New Nextcloud 15 installation: PDF viewing does not work

Hello,

I’ve just installed Nextcloud for the first time.

The installation seems to have gone OK and I have created a first user,

but when I log in to Nextcloud as either the admin user or my first test user I am unable to view any of the sample PDF documents such as Nextcloud Manual.pdf.

If I use Chrome as the browser I get the message “my.site.name refused to connect”.

If I use Internet Explorer I simply get a blank page.

I’m using version 15

on Ubuntu 18.04 LTS.

Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-10-10T18:59:25

Apache modules loaded are:

Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
headers_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
unique_id_module (shared)
wsgi_module (shared)

PHP 7.2.10-0ubuntu0.18.04.1 (cli) (built: Sep 13 2018 13:45:02) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.10-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies

There is nothing to help debug things in either the Apache access or error log.

Could someone please advise a new user where to start looking for what the fault could be?

From some googling, other people seem to have had issues with

X-Frame-Options: DENY
and
X-Frame-Options: SAMEORIGIN

Looking at Security & Setup warnings I see the following messages

  • The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

But in the .htaccess file the following is set:

# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
SetEnv modHeadersAvailable true

nosniff is set there, yet I get a warning about it!!

I have tried setting SAMEORIGIN in this file but it does not change anything.

curl -v http://rahane.ddns.net//nextcloud/index.php/apps/files_pdfviewer/?file=%2Fnextcloud%2Fremote.php%2Fwebdav%2FNextcloud%2520Manual.pdf

* Trying 192.168.0.105...
* TCP_NODELAY set
* Connected to rahane.ddns.net (192.168.0.105) port 80 (#0)
> GET //nextcloud/index.php/apps/files_pdfviewer/?file=%2Fnextcloud%2Fremote.php%2Fwebdav%2FNextcloud%2520Manual.pdf HTTP/1.1
> Host: rahane.ddns.net
> User-Agent: curl/7.58.0
> Accept: */*

< HTTP/1.1 200 OK
< Date: Sat, 22 Dec 2018 01:20:58 GMT
< Server: Apache
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Set-Cookie: ocuor6tl53lc=h6crj5rsmios3m54t1pvlevhfk; path=/nextcloud; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=i0gJuDDQu01lq4%2F8pFz%2F5Gc8zm06M3JLqcdRe0sVmT4DkNsTooH8asDbBWPywiNtcvTKQ0USor79fyjSqbAufX1OsrJqC9w50seEkEjV9OfS83BnH0QcJ58zdqFIRbB5; path=/nextcloud; HttpOnly
< Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: *;font-src 'self' data:;connect-src 'self';media-src 'self';child-src 'self'
< Set-Cookie: nc_sameSiteCookielax=true; path=/nextcloud; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: nc_sameSiteCookiestrict=true; path=/nextcloud; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Content-Length: 20251
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: no-referrer
< Content-Type: text/html; charset=UTF-8
<

Any help gratefully received

Found issue eventually

I had to comment out the line

Header always set X-Frame-Options DENY

in the file /etc/apache2/conf-enabled/ssl-params.conf

then restart apache2
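
The thread above comes down to an `X-Frame-Options: DENY` header that was set outside Nextcloud's own .htaccess. The following is an added example, not part of the original posts and not Nextcloud or Apache tooling: a small shell helper that lists every active Apache `Header` directive setting X-Frame-Options under a config directory and checks what a response actually serves. The function names are hypothetical and the directory and URL are supplied by the caller.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Nextcloud or Apache tooling.

# List every active Apache "Header" directive under DIR that sets
# X-Frame-Options, as file:line:VALUE. Commented-out lines are ignored.
find_xfo_directives() {
    find -L "$1" -type f \( -name '*.conf' -o -name '.htaccess' \) 2>/dev/null |
    sort | while IFS= read -r f; do
        awk -v f="$f" 'tolower($0) ~ /^[ \t]*header[ \t]/ {
            for (i = 1; i < NF; i++) {
                name = tolower($i); gsub(/"/, "", name)
                if (name == "x-frame-options") {
                    v = $(i + 1); gsub(/"/, "", v)
                    print f ":" NR ":" toupper(v)
                }
            }
        }' "$f"
    done
}

# Read response headers on stdin (curl -sI, or curl -v with its "< " prefix)
# and print each X-Frame-Options value that was actually served.
xfo_served() {
    tr -d '\r' | sed 's/^< //' |
    awk -F': *' 'tolower($1) == "x-frame-options" { print toupper($2) }'
}

# Turn the served values (stdin) into a verdict for a same-origin iframe
# such as the PDF viewer: any DENY refuses it, SAMEORIGIN permits it.
framing_verdict() {
    vals=$(cat)
    case "$vals" in
        '')           echo "unset" ;;
        *DENY*)       echo "blocked" ;;
        *SAMEORIGIN*) echo "same-origin-ok" ;;
        *)            echo "unknown" ;;
    esac
}

# Usage:
#   find_xfo_directives /etc/apache2/conf-enabled
#   curl -sI "$URL" | xfo_served | framing_verdict
```

Run against the whole Apache configuration tree, the first function shows which file a header comes from when it is not in the application's .htaccess, which is the situation described in this thread.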