Closed nemchik closed 1 year ago
I still get the same warning as your "Before:" screenshot after this commit update. I end up having to enable add_header X-Frame-Options "SAMEORIGIN" always in swag-docker's ssl.conf file to get rid of the warning. Am I doing this right?
I still get the same warning as your "Before:" screenshot after this commit update. I end up having to enable add_header X-Frame-Options "SAMEORIGIN" always in swag-docker's ssl.conf file to get rid of the warning. Am I doing this right?
Yes, you need that as well. It's not universally required in every use case that swag could be used for, but it is ideal to use that setting with nextcloud.
I've also added add_header X-Frame-Options "SAMEORIGIN" always
in swag-docker's ssl.conf and disabled
#proxy_hide_header X-Frame-Options;
in nextcloud.subdomain.conf.
When enabled i get the warning In Nextcloud's admin overview.
On my end, "Before" and "After" are the opposite—I get the warning when proxy_hide_header X-Frame-Options;
is specified, otherwise I don't. My Nextcloud container's site-confs/default.conf
has (as per default)
add_header X-Frame-Options "SAMEORIGIN" always;
Is this not the expected behavior?
Ok, I did a little more testing, and here is what I have found.
We ship https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/1cf9b27a72ac8e0787b577e9bc88767723b8615d/root/defaults/nginx/ssl.conf.sample#L37 commented out, and if you leave it commented out then nextcloud works because it is handling that header. The issue arises when you want other things being proxied by swag to also have that header included, in which case you would uncomment that line, which causes nextcloud to NOT work correctly unless you add proxy_hide_header X-Frame-Options;
to the nextcloud proxy conf (as this PR does).
Documenting that in comments within the configs might be a bit confusing and verbose, so I'll have to think through it a bit, but for now the way to get it working would be to do one of the following:
add_header X-Frame-Options "SAMEORIGIN" always;
commented in ssl.conf
and remove proxy_hide_header X-Frame-Options;
from the nextcloud proxyadd_header X-Frame-Options "SAMEORIGIN" always;
in ssl.conf
and include proxy_hide_header X-Frame-Options;
in the nextcloud proxyOk, I did a little more testing, and here is what I have found.
We ship https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/1cf9b27a72ac8e0787b577e9bc88767723b8615d/root/defaults/nginx/ssl.conf.sample#L37 commented out, and if you leave it commented out then nextcloud works because it is handling that header. The issue arises when you want other things being proxied by swag to also have that header included, in which case you would uncomment that line, which causes nextcloud to NOT work correctly unless you add
proxy_hide_header X-Frame-Options;
to the nextcloud proxy conf (as this PR does).Documenting that in comments within the configs might be a bit confusing and verbose, so I'll have to think through it a bit, but for now the way to get it working would be to do one of the following:
* keep `add_header X-Frame-Options "SAMEORIGIN" always;` commented in `ssl.conf` and remove `proxy_hide_header X-Frame-Options;` from the nextcloud proxy * uncomment `add_header X-Frame-Options "SAMEORIGIN" always;` in `ssl.conf` and include `proxy_hide_header X-Frame-Options;` in the nextcloud proxy
Weird because it's working for me with:
uncommented add_header X-Frame-Options "SAMEORIGIN" always
in swag-docker's ssl.conf
and commented #proxy_hide_header X-Frame-Options;
in nextcloud.subdomain.conf
@nemchik thanks a lot for the very quick response! For now I will leave ssl.conf as per default (#add_header X-Frame-Options "SAMEORIGIN" always;
commented) and remove proxy_hide_header
from nextcloud.subdomain.conf.
Weird because it's working for me with: uncommented
add_header X-Frame-Options "SAMEORIGIN" always
in swag-docker's ssl.conf and commented#proxy_hide_header X-Frame-Options;
in nextcloud.subdomain.conf
@zedocrob that is actually not the case on my end. Perhaps it has to do with your Nextcloud image being too old and the site-confs/default.conf thereof not handling the header itself? The version of that file on my end is "Version 2022/08/20", which you should be able to obtain running this in your host (assuming you're using Docker and your Nextcloud container is named nextcloud
):
docker exec -it nextcloud sed -r '1!d;s/## (Version [0-9/]+).+/\1/' /config/nginx/site-confs/default.conf
I've used this guide to optimize Nextcloud
https://virtualize.link/nextcloud/
(now using :latest
instead of:php8
of course) i'm on latest version.
My ssl.conf is the latest:
https://privatebin.net/?2cc71d7dfd2e302a#8V8b5eJSjoHMj9bHBbZXdjkvK9URAzbtAW5Kto7YPDbV
default.conf is latest too:
https://privatebin.net/?cf7559a8dfd0f394#5vP3qmP6AK26FiUcPo1zC3RzcKsnqSFyMwJLvhh7GBkP
and nextcloud.subdomain.conf too Version 2022/10/28 with:
#proxy_hide_header X-Frame-Options;
proxy_max_temp_file_size 2048m;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
(i've added this one as recommended so maybe not necessary?)
And here's my stack in portainer:
https://privatebin.net/?d7ed5f5629ee6cae#9qh48v9FFGnP6to4GMGxmR2gHegTNqoKh8ZDciMNyZMG
Perhaps I wasn't too clear, but I was looking for site-confs/default.conf in the Nextcloud container, not in the SWAG container
I see! Sorry my mistake Ok i found it in /config/nginx/site-confs/default.conf https://privatebin.net/?8a973e7353f3ef55#Bbaa5ZPuBJ2wycrB4DVVRoGTS3kTSeRT4qvGFqj1WieP
It doesn't seem to be the latest, but I'm not sure if that's the reason for the behavior you're observing, perhaps you can try to pull the latest image and re-create the container?
in /defaults/nginx/site-confs/default.conf.sample
inside the container i have version 2022/08/20
https://privatebin.net/?b5be3f2f59904848#6PSAMZyaE6hkhSgd4PtmxiuwRbhj9av8HiFLBy3UC2hW
in /config/nginx/site-confs/default.conf
inside the container i have this:
https://privatebin.net/?8a973e7353f3ef55#Bbaa5ZPuBJ2wycrB4DVVRoGTS3kTSeRT4qvGFqj1WieP
default.conf.sample
and default.conf
looks different yes, is it normal?
nextcloud container version is : Linuxserver.io version:- 25.0.1-ls211 Build-date:- 2022-11-13T09:37:13-06:00 I use Diun to update all my containers everyday so should be the latest.
*.conf.sample
files are replaced by their latest versions upon update, but *.conf
files are not. If you did not modify default.conf
yourself, you can delete it and restart the container, and you'll get a fresh default.conf
which will be the same as default.conf.sample
. But again, I'm not sure this is the reason for the behavior you're observing.
Thanks, good to know.
i did remove default.conf, recreate the container and went with this error:
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /config/nginx/site-confs/default.conf:9
So i added to the new default.conf
:
servername ;
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
Also i changed:
client_max_body_size 512M;
to client_max_body_size 10G;
as my previous defaul.conf
So far so good i'm logged in without any error. Is there another .conf file i should renew other than default.conf in container maybe?
There are nginx.conf
and ssl.conf
, you can do the same with those if you haven't modified them
In Nextcloud's admin overview.
Before:
After: