Nginx proxy - missing headers X-Frame-Options, X-Content-Type-Options and __Host prefix on https://scan.nextcloud.com

Hi

I’ve got AIO running on a Debian server behind an nginx proxy. So far, everything seems to work fine apart from the scan.

Below is the nginx config I use:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
        listen 80;
        listen [::]:80;
        server_name domain www.domain;

        location / {
                rewrite ^ https://$host$request_uri? permanent;
        }
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name domain www.domain;

        ssl_certificate /etc/nginx/ssl/domain.cer;
        ssl_certificate_key /etc/nginx/ssl/domain.key;
        include /etc/nginx/ssl/ssl-options.conf;

        proxy_buffering off;
        proxy_request_buffering off;

        client_max_body_size 0;
        client_body_buffer_size 512k;
        # http3_stream_buffer_size 512k; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
        proxy_read_timeout 86400s;

        location / {
                proxy_pass http://127.0.0.1:11000$request_uri;

                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Port $server_port;
                proxy_set_header X-Forwarded-Scheme $scheme;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header Early-Data $ssl_early_data;

                # Websocket
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options nosniff always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header Referrer-Policy same-origin;
        add_header Expect-CT 'enforce, max-age=3600';
        add_header expect-staple 'max-age=31536000; includeSubdomains; preload';
}

Is there anything else I’m missing?

Thanks
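One way to audit a captured HTTPS response offline for the items the scan reports (missing X-Frame-Options / X-Content-Type-Options, the __Host- cookie prefix, and duplicate headers that a proxy-side add_header can produce on top of the backend's own). This is an added example, not code from the thread or the Nextcloud project; the sample response and cookie values are constructed.

```python
SAMPLE_RESPONSE = (  # constructed; the second cookie deliberately lacks the __Host- prefix
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: __Host-nc_sameSiteCookielax=true; Path=/; Secure; HttpOnly; SameSite=lax\r\n"
    "Set-Cookie: oc_sessionPassphrase=abc; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

# Header name (lowercased) -> predicate that accepts a sufficiently strict value.
REQUIRED = {
    "x-frame-options": lambda v: v.strip().upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
}

def parse_headers(raw):
    """Map lowercased header name -> list of values, skipping the status line."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cookie_problems(set_cookie):
    """A __Host- cookie must be Secure, use Path=/ and carry no Domain attribute."""
    name, *attrs = [part.strip() for part in set_cookie.split(";")]
    name, attrs = name.split("=", 1)[0], [a.lower() for a in attrs]
    if not name.startswith("__Host-"):
        return [f"cookie {name} lacks the __Host- prefix"]
    checks = [("secure" in attrs, "requires Secure"),
              ("path=/" in attrs, "requires Path=/"),
              (not any(a.startswith("domain=") for a in attrs), "forbids Domain")]
    return [f"{name}: __Host- {msg}" for ok, msg in checks if not ok]

def audit(raw):
    """Return the findings the scan would raise for one captured response."""
    headers, findings = parse_headers(raw), []
    for name, accepts in REQUIRED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing {name}")
        elif len(values) > 1:
            # nginx add_header appends, so a backend that already sends the header yields copies
            findings.append(f"duplicate {name} ({len(values)} copies)")
        elif not accepts(values[0]):
            findings.append(f"weak {name}: {values[0]}")
    for cookie in headers.get("set-cookie", []):
        findings.extend(cookie_problems(cookie))
    return findings
```

Feed it the header block of a real response (for example the output of curl -sI against your own instance) to see which findings remain after a proxy change.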

Some things are missing, some are too much IMHO.

Could you share your scan results?

For comparison:
This is an NGINX proxy config in front of an Apache Nextcloud that gets no warnings in the scan or in the admin overview.

Thanks! I will take a look at your link tomorrow (late here).

Here is the outcome. It’s an A. Only those three are missing.

There was something very wrong.

Content-Security-Policy is dynamically added by NC itself; you should not tamper with it.
Did you check the AIO reverse proxy docs?

3 Likes

Good catch.

For some strange reason, my instance now also gets this __Host-Prefix error. I did not get that one in the past. Will try to figure it out.

It’s a regression from a change that was meant to optimise accessing status.php. IIRC it should be fixed in the next release. It only affects the test.

The __Host one, that is.

2 Likes

Oh, it seems not to be supported that way: all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub

It’s a new installation of AIO. So it might be better to have Nextcloud on bare metal. I have more running on that server behind nginx (port 80/443).

https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#nginx-proxy

Can someone explain the following a bit more?

Unfortunately, it is not possible to configure Nginx-proxy in a way that works because it completely relies on environmental variables of the docker containers itself. Providing these variables does not work as stated above.

If you really want to use AIO, we recommend you to switch to caddy. It is simply amazing!

Is Caddy able to use environment variables for docker? I have never used Caddy.

Edit:
Caddy as a docker container, but not on bare metal, right?

Hi, you are confusing things. In your case you need to use this section: all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub

1 Like

Hi!

Thanks for that!

Now everything is fine apart from __Host-Prefix.

The Host Prefix problem was a bug in 31.0.0 and will be fixed with 31.0.1.

1 Like