Security Settings - htaccess file

Nextcloud version : 15.0.7
Operating system and version : Ubuntu 18.04
Apache version :2.4.38
PHP version : 7.1.29

I have a problem with

The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

and

The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

as well as

  • Your web server is not properly set up to resolve “/.well-known/caldav”.

  • Your web server is not properly set up to resolve “/.well-known/carddav”.

In my Nextcloud directory (/var/www/nextcloud) I have my .htaccess looking like this:

    <IfModule mod_headers.c>
      <IfModule mod_setenvif.c>
        <IfModule mod_fcgid.c>
          SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
          RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
        </IfModule>
        <IfModule mod_proxy_fcgi.c>
          SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
        </IfModule>
      </IfModule>

      <IfModule mod_env.c>
        # Add security and privacy related headers
        Header set X-Content-Type-Options "nosniff"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Robots-Tag "none"
        Header set X-Download-Options "noopen"
        Header set X-Permitted-Cross-Domain-Policies "none"
        Header set Referrer-Policy "no-referrer"
        SetEnv modHeadersAvailable true
      </IfModule>

      # Add cache control for static resources
      <FilesMatch "\.(css|js|svg|gif)$">
        Header set Cache-Control "max-age=15778463"
      </FilesMatch>

      # Let browsers cache WOFF files for a week
      <FilesMatch "\.woff2?$">
        Header set Cache-Control "max-age=604800"
      </FilesMatch>
    </IfModule>
    <IfModule mod_php5.c>
      php_value upload_max_filesize 511M
      php_value post_max_size 511M
      php_value memory_limit 512M
      php_value mbstring.func_overload 0
      php_value always_populate_raw_post_data -1
      php_value default_charset 'UTF-8'
      php_value output_buffering 0
      <IfModule mod_env.c>
        SetEnv htaccessWorking true
      </IfModule>
    </IfModule>
    <IfModule mod_php7.c>
      php_value upload_max_filesize 511M
      php_value post_max_size 511M
      php_value memory_limit 512M
      php_value mbstring.func_overload 0
      php_value default_charset 'UTF-8'
      php_value output_buffering 0
      <IfModule mod_env.c>
        SetEnv htaccessWorking true
      </IfModule>
    </IfModule>
    <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{HTTP_USER_AGENT} DavClnt
      RewriteRule ^$ /remote.php/webdav/ [L,R=302]
      RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
      RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
      RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
      RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
      RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
      RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
      RewriteRule ^remote/(.*) remote.php [QSA,L]
      RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
      RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
      RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
    </IfModule>
    <IfModule mod_mime.c>
      AddType image/svg+xml svg svgz
      AddEncoding gzip svgz
    </IfModule>
    <IfModule mod_dir.c>
      DirectoryIndex index.php index.html
    </IfModule>
    AddDefaultCharset utf-8
    Options -Indexes
    <IfModule pagespeed_module>
      ModPagespeed Off
    </IfModule>

And in my apache2 settings I have it set to:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

Regardless of how I try to set these, I can't seem to control these issues.

Any help would be appreciated

Thanks

Hello,

The MIME type is managed directly by Apache2 via conf files OR via .htaccess.

Your apache2 settings look good so far, except maybe AllowOverride set to All; mine is set to None for security purposes.

Check your apache2 conf to be sure mod_headers.so is enabled!

In my case (Debian 10.0, PHP 7.3.5, MariaDB 10.1) I have the following settings (no large files, several conf/load and other vhost conf files):

Here is my walkthrough for my Nextcloud vhost

/etc/apache2/apache2.conf

# Global configuration

ServerName YOURSERVERNAMEHERE
# server-wide HTTP/2 (h2 over TLS, h2c in cleartext); could also be set per vhost.
# Only the last Protocols directive in a context takes effect, so list them together.
Protocols h2 h2c http/1.1
ServerTokens Prod
ServerSignature Off
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 800
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 20
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
# logging ip needed for fail2ban parsing
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf

# better security: access is enabled per vhost in the vhost files
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
#        Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
# EOF

Then

/etc/apache2/mods-enabled/headers.load
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

and in /etc/apache2/conf-available/security.conf
add the line:
Header set X-Content-Type-Options "nosniff"

NOW, the .htaccess of your site is maybe in charge!

So you need to manage it!

Here is mine.
Now, beware, as I use http2/brotli and other modules and stuff!
…/nextcloud/ and vi/vim/nano ./.htaccess

An Apache2 restart is needed after modifications.

    <IfModule mod_headers.c>
      <IfModule mod_setenvif.c>
        <IfModule mod_fcgid.c>
           SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
           RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
        </IfModule>
        <IfModule mod_proxy_fcgi.c>
           SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
        </IfModule>
      </IfModule>

      <IfModule mod_env.c>
        # Add security and privacy related headers related to nextcloud
        Header set X-Content-Type-Options "nosniff"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Robots-Tag "none"
        Header set X-Download-Options "noopen"
        Header set X-Permitted-Cross-Domain-Policies "none"
        Header set Referrer-Policy "no-referrer"
        SetEnv modHeadersAvailable true
      </IfModule>

      # Add cache control for static resources
      <FilesMatch "\.(css|js|svg|gif)$">
        Header set Cache-Control "max-age=15778463"
      </FilesMatch>

      # Let browsers cache WOFF files for a week
      <FilesMatch "\.woff2?$">
        Header set Cache-Control "max-age=604800"
      </FilesMatch>
    </IfModule>
    <IfModule mod_php7.c>
      php_value mbstring.func_overload 0
      php_value default_charset 'UTF-8'
      php_value output_buffering 0
      <IfModule mod_env.c>
        SetEnv htaccessWorking true
      </IfModule>
    </IfModule>
    # check needed for my sanity (january 2019)
    <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{HTTP_USER_AGENT}  DavClnt
      RewriteRule ^$         /remote.php/webdav/          [L,R=302]
      RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
      RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
      RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
      RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
      RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
      RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
      RewriteRule ^remote/(.*) remote.php [QSA,L]
      RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
      RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
      RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
    </IfModule>
    <IfModule mod_mime.c>
     # Brotli check needed
      AddType image/svg+xml svg svgz
      AddEncoding gzip svgz
    </IfModule>
    <IfModule mod_dir.c>
      DirectoryIndex index.php index.html
    </IfModule>
    AddDefaultCharset utf-8
    Options -Indexes
    <IfModule pagespeed_module>
      ModPagespeed Off
    </IfModule>
    #### vhost nextcloud ####
    # TBD needed
    ErrorDocument 403 //
    ErrorDocument 404 //
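Added example, not from either poster and not Nextcloud's own code: rather than guessing which file is in charge, check from the client side what the server actually sends for the two headers and for the /.well-known/caldav redirect. The script runs offline against constructed sample responses (not captured from a real server); given a base URL (https://cloud.example.com below is a placeholder) it queries the live instance with curl, and when run on the server itself it also asks apache2ctl whether headers_module is loaded. One caveat on the advice above: with AllowOverride None, Apache ignores .htaccess files completely, so everything in the Nextcloud .htaccess (the Header lines, the .well-known RewriteRules and the php_value limits) stops applying unless it is moved into the vhost's <Directory> block.

```sh
#!/bin/sh
# Added example for this thread (not from either poster or from Nextcloud):
# check what the web server really returns for the two header warnings and the
# /.well-known/caldav redirect. Runs offline against the constructed samples
# below; pass a base URL for a live check.
set -u

# Constructed sample responses (not captured from a real server).
SAMPLE_BAD_ROOT='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Robots-Tag: none
'
SAMPLE_GOOD_ROOT='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
'
SAMPLE_CALDAV='HTTP/1.1 301 Moved Permanently
Location: https://cloud.example.com/remote.php/dav/
'

# check_headers: raw response headers on stdin, one finding per line on stdout;
# exit status 0 only if both headers the Nextcloud scan asks for are present
# with the expected values (header names are case-insensitive, hence grep -i).
check_headers() {
    hdrs=$(tr -d '\r')
    rc=0
    if printf '%s\n' "$hdrs" | grep -Eiq '^x-content-type-options:[[:space:]]*nosniff[[:space:]]*$'; then
        echo "ok   X-Content-Type-Options: nosniff"
    else
        echo "FAIL X-Content-Type-Options missing or not 'nosniff'"; rc=1
    fi
    if printf '%s\n' "$hdrs" | grep -Eiq '^x-frame-options:[[:space:]]*sameorigin[[:space:]]*$'; then
        echo "ok   X-Frame-Options: SAMEORIGIN"
    else
        echo "FAIL X-Frame-Options missing or not 'SAMEORIGIN'"; rc=1
    fi
    return $rc
}

# check_wellknown: raw headers of the *first* response to GET /.well-known/caldav
# on stdin; passes only for a 301/302 whose Location ends in /remote.php/dav/,
# which is what the RewriteRule in the .htaccess above is meant to produce.
check_wellknown() {
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$resp" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in
        301|302) ;;
        *) echo "FAIL /.well-known/caldav answered '$status', expected a 301/302 redirect"; return 1 ;;
    esac
    case "$location" in
        */remote.php/dav/) echo "ok   /.well-known/caldav -> $location"; return 0 ;;
        *) echo "FAIL /.well-known/caldav redirects to '$location', expected .../remote.php/dav/"; return 1 ;;
    esac
}

# last_block: keep only the final header block of a curl -L dump (blank-line separated),
# i.e. the headers of the page that was finally served, not of the intermediate redirects.
last_block() { tr -d '\r' | awk 'BEGIN { RS="" } { b = $0 } END { print b }'; }

# run_live: query a real instance. Follows redirects for the page check (the front
# page usually 302s to the login page) but not for the .well-known check.
run_live() {
    base=${1%/}
    curl -sS -L -D - -o /dev/null "$base/" | last_block | check_headers
    curl -sS -D - -o /dev/null "$base/.well-known/caldav" | check_wellknown
    if command -v apache2ctl >/dev/null 2>&1; then
        # only meaningful on the web server itself: is mod_headers actually loaded?
        if apache2ctl -M 2>/dev/null | grep -q headers_module; then
            echo "ok   headers_module loaded"
        else
            echo "FAIL headers_module not loaded (a2enmod headers, then restart Apache)"
        fi
    fi
}

demo() {
    echo "--- constructed response without the headers (what the scan complains about):"
    printf '%s\n' "$SAMPLE_BAD_ROOT" | check_headers || true
    echo "--- constructed response with the headers:"
    printf '%s\n' "$SAMPLE_GOOD_ROOT" | check_headers
    echo "--- constructed redirect for /.well-known/caldav:"
    printf '%s\n' "$SAMPLE_CALDAV" | check_wellknown
}

case "${1:-}" in
    "") demo ;;
    *)  run_live "$1" ;;
esac
```

Run it without arguments for the offline demo, or with your instance's base URL for a live check; running it before and after each configuration change shows which of the three warnings that change actually fixed, independent of what the Nextcloud admin page caches.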

Hello and thanks for the reply

I modified my /etc/apache2/apache2.conf and switched the override to None. This didn't seem to change anything, except I now have a new error: The PHP memory limit is below the recommended value of 512MB.

I assume that the .htaccess file located in /var/www/nextcloud is now in control? I cross-checked that one with yours and it is basically the same. I have a .htaccess at /var/www/ and one at /var/www/nextcloud.

When I try to run the two commands:
/etc/apache2/mods-enabled/headers.load
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

I get permission denied running as my normal user or as root.

thanks

Hello,
maybe I was too fast …

/etc/apache2/mods-enabled/headers.load
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
ARE NOT COMMAND LINES!!!

/etc/apache2/mods-enabled/headers.load is the location (/etc/apache2/mods-enabled/) of the file called mod_headers.so

And then, you need to ADD the line:
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

Then, you need to restart your Apache server.

Depending on your PHP version and Linux version, you may need to modify your php.ini.

On my system, I have several PHP versions running, serving several vhosts:
5.6 / 7.0 / 7.1 / 7.2 / 7.3

As my vhost for Nextcloud depends on 7.3, I usually modify the following php.ini files:
…/php/7.3/apache2
…/php/7.3/cgi
…/php/7.3/cli
…/php/7.3/fpm

I usually create one solid config and copy it across the directories in a local.ini file.

Also, a server reboot may be needed!!!

OK, that makes more sense :)

I looked in that location and I already have that line in there. Any other ideas?

Thanks

OK, I will put this issue on the back burner and try to resolve that other one first, since that seems to be a security issue rather than a performance issue.