
nginx add header issue #11989

Closed
AIrSkycc opened this issue Oct 23, 2018 · 2 comments

Comments

@AIrSkycc

Steps to reproduce

  1. login to admin "settings" page
  2. open "overview" page
  3. 1

this is my NGINX Config:

```nginx
limit_conn_zone $server_name zone=appnode_sitemgr_site_conn_airsky.space:100k;
limit_req_zone $server_name zone=appnode_sitemgr_site_req_airsky.space:100k rate=10000r/m;

server {
listen 80;
listen 443 ssl http2;
server_name airsky.space;
ssl_certificate /data/GvwlwGXS/sites/airsky.space/ssl/site.crt;
ssl_certificate_key /data/GvwlwGXS/sites/airsky.space/ssl/site.key;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 5m;
keepalive_timeout 75s;
keepalive_requests 100;
access_log /data/GvwlwGXS/sites/airsky.space/log/nginx/access.log;
error_log /data/GvwlwGXS/sites/airsky.space/log/nginx/error.log;
root /data/GvwlwGXS/sites/airsky.space/www;

if ($scheme = http) {
    return  301 https://$host$request_uri;
}

gzip                       on;
gzip_comp_level            6;
gzip_min_length            1k;
gzip_types                 application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
brotli                     on;
brotli_comp_level          6;
brotli_min_length          1k;
brotli_types               application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
client_max_body_size       1024M;
limit_conn                 appnode_sitemgr_site_conn_airsky.space 1000;

add_header           X-Content-Type-Options nosniff;
add_header           X-XSS-Protection '1; mode=block';
add_header           X-Robots-Tag none;
add_header           X-Download-Options noopen;
add_header           X-Permitted-Cross-Domain-Policies none;
add_header           Referrer-Policy no-referrer;
add_header           Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
fastcgi_hide_header  X-Powered-By;
fastcgi_buffers      64 4K;

location / {
    index    index.html index.htm index.php;
    rewrite  ^ /index.php$request_uri;
}

location = /robots.txt {
    allow          all;
    log_not_found  off;
    access_log     off;
}

location = /.well-known/carddav {
    return  301 $scheme://$host/remote.php/dav;
}

location = /.well-known/caldav {
    return  301 $scheme://$host/remote.php/dav;
}

location ~ ^/.+\.php(/|$) {
    include                  conf.sitemgr.d/global/conf/fastcgi_params;
    fastcgi_index            index.php;
    fastcgi_param            SCRIPT_FILENAME /data/GvwlwGXS/sites/airsky.space/www$fastcgi_script_name;
    fastcgi_split_path_info  ^(.+\.php)(/.*)$;
    fastcgi_param            PATH_INFO $fastcgi_path_info;
    fastcgi_param            PATH_TRANSLATED $document_root$fastcgi_path_info;
    fastcgi_param            HOSTNAME $HOSTNAME;
    fastcgi_param            PATH /usr/local/bin:/usr/bin:/bin;
    fastcgi_param            TMP /tmp;
    fastcgi_param            TMPDIR /tmp;
    fastcgi_param            TEMP /tmp;
    fastcgi_read_timeout     300s;
    fastcgi_pass             unix:/data/GvwlwGXS/sites/airsky.space/php-pool/php-fpm.sock;
    limit_req                zone=appnode_sitemgr_site_req_airsky.space burst=1000 nodelay;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
    try_files  $uri/ =404;
    index      index.php;
}

location ~ \.(?:css|js|woff|svg|gif)$ {
    try_files   $uri /index.php$request_uri;
    add_header  Cache-Control 'public, max-age=15778463';
    add_header  X-Content-Type-Options nosniff;
    add_header  X-XSS-Protection '1; mode=block';
    add_header  X-Robots-Tag none;
    add_header  X-Download-Options noopen;
    add_header  X-Permitted-Cross-Domain-Policies none;
    add_header  Referrer-Policy no-referrer;
    access_log  off;
}

location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
    try_files   $uri /index.php$request_uri;
    access_log  off;
}

}
```

Expected behaviour

I have added add_header to the nginx configuration, but the detection is still not added.

Actual behaviour

Should check out my configured http header

Server configuration

Operating system: CentOS 7

Web server: NGINX 1.15.3

Database: MySQL 5.7.21

PHP version: 7.2.8

Nextcloud version: 14.0.3

Updated from an older Nextcloud/ownCloud or fresh install: Fresh Install

Where did you install Nextcloud from: The NextCloud Website

Signing status:

No errors have been found.

List of activated apps:

Accessibility Activity Auditing / Logging Collaborative tags Comments Deleted files Federation File sharing Files automated tagging First run wizard Gallery Log Reader Monitoring Nextcloud announcements Notifications Password policy PDF viewer Share by mail Support Text editor Theming Update notification Usage survey Versions Video player Default encryption module External storage support External user support LDAP user and group backend

Nextcloud configuration:

```php
'XXX',
'passwordsalt' => 'XXX',
'secret' => 'XXX',
'trusted_domains' => array ( 0 => 'XXX', ),
'datadirectory' => 'XXX',
'dbtype' => 'mysql',
'version' => '14.0.3.0',
'overwrite.cli.url' => 'XXX',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'XXX',
'dbpassword' => 'XXX',
'installed' => true,
'mail_smtpmode' => 'smtp',
'mail_smtphost' => 'in.mailjet.com',
'mail_smtpport' => '2525',
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpauth' => 1,
'mail_smtpname' => 'XXX',
'mail_smtppassword' => 'XXX',
'mail_domain' => 'XXX',
'mail_from_address' => 'system',
'filelocking.enabled' => true,
'memcache.local' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array( 'host' => 'localhost', 'port' => 6379, 'timeout' => 0.0, 'password' => 'XXX', ),
);
```

Are you using external storage, if yes which one: LOCAL

Are you using encryption: NO

Are you using an external user-backend, if yes which one: NO

Client configuration

Browser: Chrome 70.0.3538.67

Operating system: Windows 10 18262.1000

Logs

Web server error log

[error.log](https://github.com/nextcloud/server/files/2504908/error.log)

Nextcloud log (data/nextcloud.log)

[nextcloud.log](https://github.com/nextcloud/server/files/2504904/nextcloud.log)

Browser log

```
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.
core.js?v=6124ab1d-2:7 JQMIGRATE: Migrate is installed, version 1.4.0
DevTools failed to parse SourceMap: https://airsky.space/apps/updatenotification/js/updatenotification.js.map
DevTools failed to parse SourceMap: https://airsky.space/apps/notifications/js/notifications.js.map
```
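The browser log above shows the header folded into "1; mode=block, 1; mode=block", which happens when the same single-valued header is sent twice (once by the nginx add_header lines, once by Nextcloud itself). The following is an added example, not code from the issue or from Nextcloud, that parses a constructed raw response and flags repeated single-valued security headers and an X-XSS-Protection value that no longer parses; the header list, the accepted syntax and the sample response are my assumptions.

```python
import re
from collections import Counter

# Constructed sample (not from the issue): nginx add_header and Nextcloud's PHP both emit these headers.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
"""

# Single-valued headers: a client folds repeats into one comma-joined value,
# which is how "1; mode=block, 1; mode=block" in the browser log arises.
SINGLE_VALUE_HEADERS = {
    "x-xss-protection", "x-content-type-options", "x-robots-tag",
    "x-download-options", "x-permitted-cross-domain-policies",
    "referrer-policy", "strict-transport-security",
}
# Accepted X-XSS-Protection syntax: 0, 1, "1; mode=block", "1; report=<url>".
XSS_PROTECTION_RE = re.compile(r"^(0|1(;\s*(mode=block|report=\S+))?)$", re.I)

def parse_headers(raw):
    # (name, value) pairs in wire order, duplicates kept; status line skipped
    pairs = []
    for line in raw.splitlines()[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def folded_value(pairs, name):
    # Combine repeated headers the way a browser does: comma-joined
    return ", ".join(v for n, v in pairs if n == name)

def audit(raw):
    # Report duplicated single-valued headers and an unparsable X-XSS-Protection
    pairs = parse_headers(raw)
    counts = Counter(n for n, _ in pairs)
    findings = []
    for name in sorted(SINGLE_VALUE_HEADERS & set(counts)):
        if counts[name] > 1:
            findings.append(f"{name} sent {counts[name]}x; client sees "
                            f"'{folded_value(pairs, name)}'")
    xss = folded_value(pairs, "x-xss-protection")
    if xss and not XSS_PROTECTION_RE.match(xss):
        findings.append(f"x-xss-protection value '{xss}' is not valid syntax")
    return findings
```

A finding on a header is the cue to emit that header from one place only, either the web server or the application.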
@nextcloud-bot (Member)

GitMate.io thinks possibly related issues are #6673 (Issue because enforcing security header), #9316 (Add Support for Link headers), #2898 (Upgrade Issue), #3225 (Header layout issue on narrow screens), and #6035 (HSTS - nginx).

@MorrisJobke (Member)

As this seems to be a setup issue I would like to ask you to raise your question in the forums: https://help.nextcloud.com

If you wish support with setup issues from Nextcloud GmbH we offer this as part of the Nextcloud subscription. Learn more about this at https://nextcloud.com/enterprise/
