linuxserver / reverse-proxy-confs

These confs are pulled into our SWAG image: https://github.com/linuxserver/docker-swag
GNU General Public License v3.0

[BUG] handling of nextcloud X-Frame-Options header outdated? #569

Closed. BlockListed closed this 1 year ago

BlockListed commented 1 year ago

Current Behavior

The default Nextcloud proxy configuration does not pass the Nextcloud security checker. In the current version of Nextcloud, contrary to PR #501, the proxy_hide_header X-Frame-Options directive causes the security checks to fail. If this is commented out the security check passes, since the current version of Nextcloud seems to send that header to SWAG already. This would remove the need to uncomment the add_header X-Frame-Options "SAMEORIGIN" always; directive in ssl.conf and provide a secure Nextcloud experience out of the box.

Expected Behavior

No response

Steps To Reproduce

  1. Setup the latest version of Nextcloud (26) (lscr.io/linuxserver/nextcloud)
  2. Setup the latest version of Swag (lscr.io/linuxserver/swag) with all default settings, except for enabling the nextcloud proxy conf
  3. Run the nextcloud security check /settings/admin/overview
  4. It will fail complaining about the X-Frame-Options header

nemchik commented 1 year ago

I've done lots of combinations testing the configs to figure out what makes the most sense.

Ref: https://github.com/linuxserver/reverse-proxy-confs/pull/501#issuecomment-1318806213

The issue here is:

If we leave out

# nextcloud.subdomain.conf.sample in swag
proxy_hide_header X-Frame-Options;

and comment out

# ssl.conf.sample in swag
#add_header X-Frame-Options "SAMEORIGIN" always;

the test will pass

If we uncomment

# ssl.conf.sample in swag
add_header X-Frame-Options "SAMEORIGIN" always;

the test will fail

So the reason to add

# nextcloud.subdomain.conf.sample in swag
proxy_hide_header X-Frame-Options;

is because there are valid reasons to include the X-Frame-Options header in swag so it can work on anything being served or proxied via swag, and without using the proxy_hide_header it causes nextcloud's check to fail.

It wouldn't hurt for us to include a comment in the nextcloud proxy instructing users to enable the header line in ssl.conf though.
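The four outcomes described in this thread (header passes through, header hidden, header added once, header added on top of the upstream copy) follow from two nginx facts: proxy_hide_header drops a named header from the upstream response before it reaches the client, and add_header appends nginx's own copy regardless of what upstream sent. The script below is an added example, not code from linuxserver or Nextcloud: it models those two directives over a constructed Nextcloud response, then applies the same comparison a browser-side check sees (XMLHttpRequest.getResponseHeader joins repeated headers with ", ", so two SAMEORIGIN headers read as "SAMEORIGIN, SAMEORIGIN"). The assumption that Nextcloud's check is a lowercased equality against "sameorigin" is marked in the code. The header dump parser also works on output saved from `curl -sI` against your own SWAG host, so you can confirm how many X-Frame-Options headers actually leave the proxy.

```python
"""Model of how SWAG's `proxy_hide_header X-Frame-Options;` and
`add_header X-Frame-Options "SAMEORIGIN" always;` combine with the header
Nextcloud itself emits.  Example code added to the thread, not part of
linuxserver/reverse-proxy-confs or Nextcloud.
"""
from typing import Dict, List, Optional, Tuple

HEADER = "x-frame-options"
Headers = List[Tuple[str, str]]

# Constructed upstream response: Nextcloud 26 sends X-Frame-Options itself.
NEXTCLOUD_UPSTREAM: Headers = [
    ("content-type", "text/html; charset=UTF-8"),
    ("x-frame-options", "SAMEORIGIN"),
]

# Constructed `curl -sI` dump showing what a client sees when add_header is
# enabled in ssl.conf but proxy_hide_header is missing from the nextcloud conf.
SAMPLE_CURL_DUMP = """HTTP/2 200
server: nginx
x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
content-type: text/html; charset=UTF-8

"""


def parse_headers(raw: str) -> Headers:
    """Parse a raw HTTP response head into (name, value) pairs, keeping duplicates."""
    pairs: Headers = []
    for line in raw.splitlines()[1:]:  # first line is the status line
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def xhr_header_value(pairs: Headers, name: str) -> Optional[str]:
    """XMLHttpRequest.getResponseHeader returns repeated headers joined by ', '."""
    values = [v for n, v in pairs if n == name.lower()]
    return ", ".join(values) if values else None


def nextcloud_xfo_check(pairs: Headers) -> bool:
    """Assumption: Nextcloud's admin overview compares the lowercased header
    value with the string 'sameorigin'; anything else (missing header, or
    'SAMEORIGIN, SAMEORIGIN' from a duplicate) is reported as a failure."""
    value = xhr_header_value(pairs, HEADER)
    return value is not None and value.lower() == "sameorigin"


def proxied_response(upstream: Headers, hide_header: bool, add_header: bool) -> Headers:
    """Model nginx: proxy_hide_header removes the upstream copy before the
    response is sent to the client; add_header appends nginx's own copy."""
    out = [(n, v) for n, v in upstream if not (hide_header and n == HEADER)]
    if add_header:
        out.append((HEADER, "SAMEORIGIN"))
    return out


def run_matrix() -> Dict[Tuple[bool, bool], bool]:
    """Result of the Nextcloud check for each (proxy_hide_header, add_header) combination."""
    results = {}
    for hide in (False, True):
        for add in (False, True):
            results[(hide, add)] = nextcloud_xfo_check(
                proxied_response(NEXTCLOUD_UPSTREAM, hide, add)
            )
    return results


def count_xfo_headers(raw: str) -> int:
    """Number of X-Frame-Options headers in a raw dump, e.g. from `curl -sI`."""
    return sum(1 for n, _ in parse_headers(raw) if n == HEADER)


if __name__ == "__main__":
    for (hide, add), ok in run_matrix().items():
        print(f"proxy_hide_header={hide!s:5} add_header={add!s:5} -> "
              f"{'pass' if ok else 'FAIL'}")
    print("X-Frame-Options headers in sample curl dump:", count_xfo_headers(SAMPLE_CURL_DUMP))
```

The matrix reproduces every claim in the thread: hide=False/add=False passes (Nextcloud's own header reaches the client), hide=True/add=False fails (the SWAG default BlockListed reports, where the only copy is stripped), hide=False/add=True fails (two copies), and hide=True/add=True passes (exactly one copy, from SWAG). That last row is the combination nemchik's comment argues for, which is why the nextcloud conf should point users at the ssl.conf line.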