Nextcloud 17 alters headers

Been trying to set up a Nextcloud instance. Had a problem that might be related to another problem.

First the easy one. Been getting that strict-transport doesn’t have a long enough max-age. However, the htaccess has a line for almost twice that. Turns out that nextcloud mangles the headers.

If I curl to a nonexistent page (cloud.server.com/error.php), I get the following, which shows the strict-transport line:

< HTTP/1.1 404 Not Found
< Date: Tue, 08 Oct 2019 00:09:11 GMT
< Server: Apache
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block
< Content-Length: 315
< Content-Type: text/html; charset=iso-8859-1

However, if I curl to the root (cloud.server.com/index.php), the strict-transport doesn’t show up, but nextcloud adds some headers:

< HTTP/1.1 302 Found
< Date: Tue, 08 Oct 2019 00:19:58 GMT
< Server: Apache
< X-Powered-By: PHP/7.1.32
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-…='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block

My second issue might just be related to the same problem. Even though nextcloud sets up a htaccess file, it probably is ignoring it. When I try to upload a file to a shared folder (with file drop and hide download), it pops a login window (seems like a htaccess request, and not a password request from nextcloud).

Any idea on how to make nextcloud not alter the headers?

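The comparison the original poster did by eye (Apache's own 404 carries a Strict-Transport-Security header, the page Nextcloud serves does not) can be automated. The script below is an added example, not code from the thread or from Nextcloud; the two header blocks are constructed samples abridged from the curl output in this thread, the hostname cloud.example.test is a placeholder, and the 15552000-second threshold is the one quoted in the admin overview warning. It parses curl-style `< ` header lines, extracts the HSTS max-age, checks it against that threshold, and reports which security headers exist in one response but not the other.

```python
"""Compare security headers between two raw HTTP responses (added example).

The sample responses are constructed from the thread's curl output; paste
real `curl -v` header lines into these strings to check your own server.
"""
import re

# Threshold quoted by the Nextcloud admin overview warning (180 days).
HSTS_MIN_MAX_AGE = 15552000

# Headers worth comparing between the two responses.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "referrer-policy",
    "x-content-type-options",
    "x-frame-options",
    "x-permitted-cross-domain-policies",
    "x-robots-tag",
    "x-xss-protection",
    "x-download-options",
)

# Constructed sample: Apache answering a request for a page that does not exist.
APACHE_404 = """\
< HTTP/1.1 404 Not Found
< Server: Apache
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html; charset=iso-8859-1
"""

# Constructed sample: the redirect Nextcloud itself serves for the root URL.
NEXTCLOUD_302 = """\
< HTTP/1.1 302 Found
< Server: Apache
< X-Powered-By: PHP/7.1.32
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self';
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block
< Location: https://cloud.example.test/index.php/login
"""


def parse_headers(raw: str) -> dict:
    """Parse curl-style '< Name: value' lines into {lowercased name: value}.

    The status line and blank lines are skipped. Repeated headers are joined
    with ', ' (fine for this check; Set-Cookie would need a list).
    """
    headers = {}
    for line in raw.splitlines():
        line = line.lstrip("< ").strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def hsts_max_age(headers: dict):
    """Return max-age from Strict-Transport-Security, or None if absent/invalid."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def hsts_ok(headers: dict, minimum: int = HSTS_MIN_MAX_AGE) -> bool:
    """True when HSTS is present with max-age at or above the threshold."""
    age = hsts_max_age(headers)
    return age is not None and age >= minimum


def diff_security_headers(first: dict, second: dict) -> dict:
    """Report security headers present in only one response, or with changed values."""
    return {
        "only_in_first": [h for h in SECURITY_HEADERS if h in first and h not in second],
        "only_in_second": [h for h in SECURITY_HEADERS if h in second and h not in first],
        "changed": [h for h in SECURITY_HEADERS
                    if h in first and h in second and first[h] != second[h]],
    }


if __name__ == "__main__":
    apache, nextcloud = parse_headers(APACHE_404), parse_headers(NEXTCLOUD_302)
    for label, hdrs in (("apache 404", apache), ("nextcloud 302", nextcloud)):
        print(f"{label}: HSTS max-age={hsts_max_age(hdrs)} ok={hsts_ok(hdrs)}")
    print(diff_security_headers(apache, nextcloud))
```

Run against real output with `curl -sv https://your.server.tld -o /dev/null 2>&1 | grep '^<'` pasted into the two strings; the diff shows immediately whether HSTS is dropped only on Nextcloud-served pages, which is the case this thread describes.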

You should set this on the virtual host.

If you go to settings where it runs the best practices checks, one of the things it will warn you about is if the htaccess isn’t working.

Just curious – what program or method are you using to get the headers?

I’m using curl (eg curl -s -vvv https://cloud.myserver.com/error.php) to peek into what the server reports

Not sure it is a problem with the vm. If that was the case the nonexistent page would also have trouble. It is when nextcloud serves the page that I have trouble.

The headers from the nonexistent page (one that nextcloud doesn’t modify) are what I would expect to see. However, when nextcloud serves the page, it adds headers and changes others (i.e., the strict-transport and probably the Authorization).

The admin:overview reports this:

There are some warnings regarding your setup.

  • The PHP memory limit is below the recommended value of 512MB.

  • The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

  • No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.

Since myserver.com has the includeSubDomains clause, it probably is more an annoyance than an issue. Guess nextcloud doesn’t check if the base domain is correct.

My biggest concern isn’t the strict-transport, but the trouble with Authorization. It pops up a login window when I try to upload a file to a public dropbox folder. Guess both are related to what nextcloud is doing to the headers.

If I search the code, I find 18 instances of Content-Security-Policy. So nextcloud is modifying the headers. These header items are not provided by the server, but by nextcloud, and the strict-transport is gone:

< Server: Apache
< X-Powered-By: PHP/7.1.32
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-…='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';

Turns out there is some problem with the htaccess file that nextcloud creates. I added the following lines to the file, and at least now I can upload files without a login window popping up.

Seems that the conditions for the original code weren’t being met, and these lines never got executed. Added the AuthBasicAuthoritative just for good measure:

AuthBasicAuthoritative Off
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1

Still not getting the strict-transport line to appear, since nextcloud is mangling it somehow when it sets the headers. However, I don’t think it is an issue, since the main domain has includeSubDomains.

What are you using to see the headers?

Hi @kevdog

You can use curl to see the headers:
curl -v https://your.server.tld

From the page that the server served:

curl -v https://cloud.myserver.com/error.php

    * Trying ip:443...
    * TCP_NODELAY set
    * Connected to cloud.myserver.com (ip) port 443 (#0)
    * ALPN, offering http/1.1
    * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    * Server certificate: cloud.myserver.com
    * Server certificate: cPanel, Inc. Certification Authority
    * Server certificate: COMODO RSA Certification Authority
    > GET /error.php HTTP/1.1
    > Host: cloud.myserver.com
    > User-Agent: curl/7.66.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 404 Not Found
    < Date: Thu, 10 Oct 2019 21:49:23 GMT
    < Server: Apache
    < Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    < Referrer-Policy: no-referrer
    < X-Content-Type-Options: nosniff
    < X-Download-Options: noopen
    < X-Permitted-Cross-Domain-Policies: none
    < X-Robots-Tag: none
    < X-XSS-Protection: 1; mode=block
    < Content-Length: 315
    < Content-Type: text/html; charset=iso-8859-1
    <
404 Not Found

Not Found

The requested URL was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

* Connection #0 to host cloud.myserver.com left intact

From the page that nextcloud served:

curl -v https://cloud.myserver.com

    * Trying ip:443...
    * TCP_NODELAY set
    * Connected to cloud.myserver.com (ip) port 443 (#0)
    * ALPN, offering http/1.1
    * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    * Server certificate: cloud.myserver.com
    * Server certificate: cPanel, Inc. Certification Authority
    * Server certificate: COMODO RSA Certification Authority
    > GET / HTTP/1.1
    > Host: cloud.myserver.com
    > User-Agent: curl/7.66.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 302 Found
    < Date: Thu, 10 Oct 2019 21:49:08 GMT
    < Server: Apache
    < X-Powered-By: PHP/7.1.32
    < Expires: Thu, 19 Nov 1981 08:52:00 GMT
    < Cache-Control: no-store, no-cache, must-revalidate
    < Pragma: no-cache
    < Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-…='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
    < Referrer-Policy: no-referrer
    < X-Content-Type-Options: nosniff
    < X-Download-Options: noopen
    < X-Frame-Options: SAMEORIGIN
    < X-Permitted-Cross-Domain-Policies: none
    < X-Robots-Tag: none
    < X-XSS-Protection: 1; mode=block
    * Added cookie ocohj1jpvnud="…" for domain cloud.myserver.com, path /, expire 0
    < Set-Cookie: ocohj1jpvnud=…; path=/; secure; HttpOnly
    * Added cookie oc_sessionPassphrase="…" for domain cloud.myserver.com, path /, expire 0
    < Set-Cookie: oc_sessionPassphrase=… path=/; secure; HttpOnly
    * Added cookie __Host-nc_sameSiteCookielax="true" for domain cloud.myserver.com, path /, expire 4133980799
    < Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
    * Added cookie __Host-nc_sameSiteCookiestrict="true" for domain cloud.myserver.com, path /, expire 4133980799
    < Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
    < Location: https://cloud.myserver.com/index.php/login
    < Transfer-Encoding: chunked
    < Content-Type: text/html; charset=UTF-8

Don’t think there is much difference between these and what I had posted before. Also included the whole transaction, maybe that was what you were looking for, though the part that showed how nextcloud changes the headers was shown before.

Also aren’t cookies lasting till Dec-2100 a bit extravagant?