Security and setup warnings - impossible to solve everything

Hello,
I have been using NC12 for a week now and it is working like a charm, but I would like to have a proper install; that's why I am trying to find out how to remove the last warnings from my install. I am not able to remove the remaining ones:
The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.

No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.
The PHP Opcache is not properly configured. For better performance we recommend to use following settings in the php.ini:

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

I am running NC12 on Ubuntu 16 using nginx and MariaDB. I have followed many howtos to make sure I don't miss anything, but it seems that I am definitely missing something …

For the first one:
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

I don't understand why I have this error, as my nextcloud.conf file in /etc/nginx/site-enabled/nextcloud/conf should be correctly configured (including the X-Frame-Options). It is the following:

server {
    listen 80;
    server_name nextcloud.xx.top;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name nextcloud.xx.top;
    ssl_certificate /etc/letsencrypt/live/nextcloud.xx.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.xx.top/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000;preload" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
      allow all;
    }

    # set max upload size
    client_max_body_size 7512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000;preload" always;
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Can you tell me if my config file is good? I don't see anything wrong, but I am not an expert, as you can guess.

For the last issue (I will deal with the cache later; I want to correct the existing ones first):

The PHP Opcache is not properly configured. For better performance we recommend to use following settings in the php.ini:

I have applied the recommended settings in my php.ini file. Normally I am using PHP 7 (I also have PHP 5 on my system, I don't know why… I don't know how I can check which version is used, to make sure).
Here is the requested content, which should be fine:

root@nuci5:~#  /etc/php/7.0/cli/php.ini
[opcache]
; Determines if Zend OPCache is enabled
opcache.enable=1

; Determines if Zend OPCache is enabled for the CLI version of PHP
opcache.enable_cli=1

; The OPcache shared memory storage size.
opcache.memory_consumption=128

; The amount of memory for interned strings in Mbytes.
opcache.interned_strings_buffer=8

; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 100000 are allowed.
opcache.max_accelerated_files=10000

; The maximum percentage of "wasted" memory until a restart is scheduled.
;opcache.max_wasted_percentage=5

; When this directive is enabled, the OPcache appends the current working
; directory to the script key, thus eliminating possible collisions between
; files with the same name (basename). Disabling the directive improves
; performance, but may break existing applications.
;opcache.use_cwd=1

; When disabled, you must reset the OPcache manually or restart the
; webserver for changes to the filesystem to take effect.
;opcache.validate_timestamps=1

; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
opcache.revalidate_freq=1

; Enables or disables file search in include_path optimization
;opcache.revalidate_path=0

; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.
opcache.save_comments=1

Even after a reboot I am still having the warning on the admin page.
If you have a few minutes and some comments to help me, I'll appreciate it :slight_smile:

Thanks
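nginx inherits add_header from the server block only into a location that sets no add_header of its own (which is why the css/js location repeats them), and the Nextcloud setup check looks at the headers of a live response, so the quickest check is on what the server actually sends. The script below is added here and is not part of the original post: it compares a response captured with curl -sI against the add_header lines of the config above; the hostname in it is a placeholder and the sample responses are constructed.

```shell
# Added example, not from the thread: compare what a server really returns with
# the add_header lines of the nginx config above.
# Usage: curl -sI https://nextcloud.example.org/status.php | check_security_headers
# (the hostname is a placeholder for the poster's nextcloud.xx.top)

# Header name and value exactly as set with add_header in the config.
EXPECTED='X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
X-XSS-Protection 1; mode=block
X-Robots-Tag none
X-Download-Options noopen
X-Permitted-Cross-Domain-Policies none'

# Reads raw HTTP response headers on stdin, prints one line per expected header
# that is missing or carries another value, and returns 1 if any did.
check_security_headers() {
    # Strip CRs, lower-case the names, split each line on its first ": " only.
    got=$(tr -d '\r' | awk 'match($0, /^[^:]+: */) {
        print tolower(substr($0, 1, index($0, ":") - 1)) "\t" substr($0, RLENGTH + 1) }')
    bad=0
    while read -r name want; do
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        have=$(printf '%s\n' "$got" | awk -F'\t' -v n="$lname" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "$name: missing"; bad=1
        elif [ "$have" != "$want" ]; then
            echo "$name: got '$have', expected '$want'"; bad=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $bad
}

# Constructed sample responses (not captured from a real server).
sample_ok() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: SAMEORIGIN\r\n'
    printf 'X-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n'
    printf 'X-Robots-Tag: none\r\nX-Download-Options: noopen\r\n'
    printf 'X-Permitted-Cross-Domain-Policies: none\r\n\r\n'
}
# The same response from a server block that lacks the X-Frame-Options line.
sample_no_xfo() {
    sample_ok | grep -v '^X-Frame-Options'
}
```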

On the latter, applying to CLI won’t usually work. I believe creating a php info file in the root of your webserver will tell you what you’re needing to know about PHP.

Good idea, after some googling I can confirm that I am using PHP 7 as I expected.

Configuration File (php.ini) Path 	/etc/php/7.0/fpm
Loaded Configuration File 	/etc/php/7.0/fpm/php.ini
Scan this dir for additional .ini files 	/etc/php/7.0/fpm/conf.d 

So now I need to understand how to solve the opcache issue and my X-Frame-Options one.

EDIT: One thing, as mentioned in the howto that I have followed, I should modify /etc/php/cli/php.ini, and in the phpinfo I see that the loaded configuration file is /etc/php/7.0/fpm/php.ini. It could be an explanation, but I am not sure why I should modify this one and not the other one.

Add the opcache to the fpm ini file.

PHP runs in 2 ways: on the command line (CLI) and with your webserver (FPM).
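Since FPM and CLI load separate php.ini files (the phpinfo output above shows which one the webserver reads), the following check, added here and not part of the thread, parses a php.ini from stdin and reports which of the recommended opcache values are absent, commented out or different; the sample ini contents are constructed.

```shell
# Added example, not from the thread: check a php.ini against the opcache values
# Nextcloud recommends.  FPM and CLI load different files, so run it on both:
#   check_opcache_ini < /etc/php/7.0/fpm/php.ini   (and .../cli/php.ini)
RECOMMENDED='opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1'

# Reads a php.ini on stdin. ";"-commented lines do not count (the usual reason a
# key is "missing") and, as in PHP, the last assignment of a key wins.
# Prints one line per key that is absent or differs; returns 1 if any did.
check_opcache_ini() {
    ini=$(cat); bad=0
    while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$ini" | awk -F= -v k="$key" '
            /^[ \t]*;/ || NF < 2 { next }
            { gsub(/^[ \t]+|[ \t]+$/, "", $1); v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
            $1 == k { last = v }
            END { print last }')
        if [ -z "$have" ]; then
            echo "$key: missing (absent or commented out)"; bad=1
        elif [ "$have" != "$want" ]; then
            echo "$key: got '$have', expected '$want'"; bad=1
        fi
    done <<EOF
$RECOMMENDED
EOF
    return $bad
}

# Constructed samples: the CLI ini edited as in the post, and an untouched FPM
# ini where the same keys are still commented out and one value differs.
sample_cli_ini() {
    cat <<'EOF'
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1
EOF
}
sample_fpm_ini() {
    sample_cli_ini | sed -e 's/^opcache\./;&/' -e 's/^;opcache.memory_consumption=128/opcache.memory_consumption=64/'
}
```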

I got the same issue after upgrading from NC11 to NC12. I was able to take care of the opcache part by uncommenting the appropriate lines in the php.ini file. However, the X-Frame-Options error still exists. I'm using Ubuntu 16.04 with nginx as web server. The file in the sites-available folder has all the necessary configuration notes, similar to those shown by itsme2501. I did not have that error with NC11, therefore I believe the configuration is correct. I also added (just in case) the X-Frame-Options statement in the .htaccess file, even though nginx does not care about this file. The error message still persists. Any advice is appreciated.

@LukasReschke one for you possibly?

Hello,
After editing the php.ini in the fpm folder, the warning message for opcache disappeared, so that was the solution :slight_smile:
I still have to work on the X-Frame-Options, like nigerag, to remove the warning.