ONLYOFFICE / onlyoffice-nextcloud

The app which enables the users to edit office documents from Nextcloud using ONLYOFFICE Document Server, allows multiple users to collaborate in real time and to save back those changes to Nextcloud
GNU Affero General Public License v3.0

Content Security Policy frame-src forbids nextcloud to load onlyoffice #54

Closed gldhnchn closed 5 years ago

gldhnchn commented 5 years ago

Hi, I installed Onlyoffice with docker on my Ubuntu 18.10 server alongside my Nextcloud (15.0.0.10) installation. The installation of Onlyoffice and the Onlyoffice Nextcloud app worked well. I'm getting the welcome message at https://onlyoffice.mydomain.net.

When I'm trying to open a document with Onlyoffice in Nextcloud I'm getting this error message from the developer tools in Firefox (sorry for German):

Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf http://onlyoffice.mydomain.net/v5.2.6-3//web-apps/apps/documenteditor/main/index.html?_dc=5.2.6-3&lang=de&customer=ONLYOFFICE&frameEditorId=iframeEditor blockiert ("frame-src").

I'm running nginx as the web server.

nginx -v
nginx version: nginx/1.15.5 (Ubuntu)

I tried to put something like add_header Content-Security-Policy "frame-src 'self' https://onlyoffice.mydomain.net;"; somewhere, but I haven't got it to work yet. What can I do?

Edit: I started Onlyoffice with docker run --name=ONLYOFFICEDOCKER -i -t -d -p 8080:80 --restart=always -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql onlyoffice/documentserver

This is my gateway nginx config:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www;
    server_name nextcloud.mydomain.net onlyoffice.mydomain.net;

    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:82;
        proxy_redirect off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        # Enforce HTTPS. Redirect to the host the client asked for ($host);
        # $server_name is only the first name in the server_name list, so it
        # would send onlyoffice.* requests to nextcloud.*. A second return in
        # the same location is never reached, so only one is kept.
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /var/www;

    # Configure SSL
    # not used in newer versions of nginx? warning if on
    # ssl on;
    # Certificates used
    ssl_certificate /etc/letsencrypt/live/xxx/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx/privkey.pem;

    # Not using TLSv1 will break:
    #   Android <= 4.4.40
    #   IE <= 10
    #   IE mobile <=10
    # Removing TLSv1.1 breaks nothing else!
    # There are not many clients using TLSv1.3 so far, but this can be activated with nginx v1.13
    ssl_protocols TLSv1.2;

    # Using the recommended cipher suite from: https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Specifies a curve for ECDHE ciphers.
    # High security, but will not work with Chrome:
    #ssl_ecdh_curve secp521r1;  
    # Works with Windows (Mobile), but not with Android (DavDroid):
    #ssl_ecdh_curve secp384r1;
    # Works with Android (DavDroid):
    ssl_ecdh_curve prime256v1; 

    # Server should determine the ciphers, not the client
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/xxx/fullchain.pem;
    resolver 192.168.178.1;

    # SSL session handling
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Add headers to serve security related headers
    # HSTS (ngx_http_headers_module is required)
    # In order to be recognized by SSL test, there must be an index.html in the server's root
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Usually this should be "DENY", but when hosting sites using frames, it has to be "SAMEORIGIN"
    add_header Referrer-Policy "same-origin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    location ^~ / {
        client_max_body_size 10G;
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_max_temp_file_size 10240;
        proxy_set_header Host $host;
        proxy_redirect off;
        # Following 2 options are needed when using web sockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:81;
    }   
}

This is my nextcloud nginx config:

upstream php-handler {
    server unix:/run/php/php7.2-fpm.sock;
}

server {
    listen 127.0.0.1:81;
    server_name nextcloud.mydomain.net;
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    # add_header, not proxy_set_header: these are response headers for the
    # client. proxy_set_header only changes requests forwarded by proxy_pass,
    # and there is no proxy_pass in this server block, so it would do nothing.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        # add_header (not proxy_set_header): these are response headers and
        # the files are served locally, so proxy_set_header would be ignored
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above, because add_header in a
        # location replaces the headers inherited from the server block)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

My Onlyoffice nginx config:

server {
    listen localhost:81;
    # the directive below was missing its terminating semicolon
    server_name onlyoffice.mydomain.net;

    #
    # Configuration for OnlyOffice
    #
    location / {
        proxy_pass http://localhost:8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
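To see why Firefox blocks the http:// editor URL even though the host itself is in frame-src, here is an added Python example (not code from this issue or from the onlyoffice-nextcloud project) that applies the CSP source-expression matching rules for scheme, host and port to a constructed frame-src policy and iframe URL shaped like the ones in the report; CSP_HEADER, PAGE_URL and IFRAME_URL are constructed sample values.

```python
"""Check an iframe URL against a CSP frame-src directive (scheme/host/port rules; a host-source path is not modelled)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample values mirroring the thread: frame-src allows the https://
# Document Server the app was configured with, but the editor iframe is http://.
CSP_HEADER = "default-src 'self'; frame-src 'self' https://onlyoffice.mydomain.net"
PAGE_URL = "https://nextcloud.mydomain.net/apps/onlyoffice/123"
IFRAME_URL = ("http://onlyoffice.mydomain.net/v5.2.6-3//web-apps/apps/"
              "documenteditor/main/index.html?_dc=5.2.6-3&lang=de")

def parse_csp(header):
    """Return {directive: [source expressions]} from a CSP header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def origin(url):
    """(scheme, host, effective port) of a URL."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(source, url, page_url):
    """True if one host-source or 'self' permits loading url from page_url."""
    scheme, host, port = origin(url)
    if source == "'self'":
        return (scheme, host, port) == origin(page_url)
    s = urlsplit(source if "://" in source else "//" + source)
    # Scheme rule: an explicit scheme must match (http: may upgrade to https:,
    # never the reverse); a scheme-less source inherits the page's scheme.
    want = s.scheme or origin(page_url)[0]
    if scheme != want and not (want == "http" and scheme == "https"):
        return False
    if s.hostname.startswith("*."):
        host_ok = host is not None and host.endswith(s.hostname[1:])
    else:
        host_ok = host == s.hostname
    # Without an explicit port the URL must sit on the default port of its scheme.
    return host_ok and port == (s.port or DEFAULT_PORTS.get(scheme))

def frame_allowed(csp_header, url, page_url):
    """Apply frame-src, falling back to child-src and then default-src."""
    policy = parse_csp(csp_header)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return any(source_matches(s, url, page_url) for s in policy[directive])
    return True  # no applicable directive: the load is not restricted
```

Running frame_allowed on the http:// URL returns False and on the same URL with https:// returns True, which is exactly the difference between the blocked iframe and the fixed proxy setup.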

LinneyS commented 5 years ago

Are you setting an https address for ONLYOFFICE?

gldhnchn commented 5 years ago

In the settings of onlyoffice nextcloud app I put https://onlyoffice.mydomain.net at "service address for document server" (Entering http: there is not allowed by the app).

LinneyS commented 5 years ago

Very strange. Access is allowed at https://github.com/ONLYOFFICE/onlyoffice-nextcloud/blob/v2.1.2/controller/editorcontroller.php#L385. And your error message:

Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf http://

gldhnchn commented 5 years ago

I solved this. It was a similar issue to this one and I solved it with this. Here is my new onlyoffice nginx config:

map $http_host $this_host {
    "" $host;
    default $http_host;
}
map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}
map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}
map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

server {
    listen localhost:81;
    server_name onlyoffice.mydomain.com;
    server_tokens off;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
    }
}

lstellway commented 3 years ago

I was also able to solve this by forcing https:// on my CDN. Thanks for the help!