Status: Closed (BlockListed closed this issue 1 year ago)
I've done lots of combinations testing the configs to figure out what makes the most sense.
Ref: https://github.com/linuxserver/reverse-proxy-confs/pull/501#issuecomment-1318806213
The issue here is:

If we leave out

```nginx
# nextcloud.subdomain.conf.sample in swag
proxy_hide_header X-Frame-Options;
```

and comment out

```nginx
# ssl.conf.sample in swag
#add_header X-Frame-Options "SAMEORIGIN" always;
```

If we uncomment

```nginx
# ssl.conf.sample in swag
add_header X-Frame-Options "SAMEORIGIN" always;
```
So the reason to add

```nginx
# nextcloud.subdomain.conf.sample in swag
proxy_hide_header X-Frame-Options;
```

is because there are valid reasons to include the X-Frame-Options header in swag so it can work on anything being served or proxied via swag, and without using the proxy_hide_header it causes nextcloud's check to fail.

It wouldn't hurt for us to include a comment in the nextcloud proxy instructing users to enable the header line in ssl.conf though.
### Is there an existing issue for this?
### Current Behavior

The default Nextcloud proxy configuration does not pass the Nextcloud security checker. In the current version of Nextcloud, contrary to PR #501, the `proxy_hide_header X-Frame-Options` directive causes the security checks to fail. If this is commented out, the security check passes, since the current version of Nextcloud seems to send that header to SWAG already. This would remove the need to uncomment the `add_header X-Frame-Options "SAMEORIGIN" always;` directive in `ssl.conf` and provide a secure Nextcloud experience out of the box.

### Expected Behavior
No response
### Steps To Reproduce

`/settings/admin/overview`
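The header interplay described in the maintainer's comment and in the issue body above, as an added example that is not part of this thread or of the SWAG project: a small Python model of how nginx's `proxy_hide_header` and `add_header` combine with the header Nextcloud itself sends, plus a check in the spirit of Nextcloud's admin-overview test (exactly one X-Frame-Options header with the value SAMEORIGIN). The upstream headers are constructed sample data, and the nginx and Nextcloud behaviour is a simplified assumption, not either project's code.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample of what the Nextcloud container itself answers with
# (current versions set their own X-Frame-Options header).
UPSTREAM_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
]

# The ssl.conf add_header line when uncommented (assumed: add_header appends, it does not replace).
SWAG_ADD: List[Header] = [("X-Frame-Options", "SAMEORIGIN")]


def proxy_response(upstream: List[Header], hide: List[str], add: List[Header]) -> List[Header]:
    """Simplified model of nginx: proxy_hide_header drops the named upstream headers,
    then add_header appends the proxy's own headers to whatever is left."""
    hidden = {name.lower() for name in hide}
    passed = [(n, v) for n, v in upstream if n.lower() not in hidden]
    return passed + list(add)


def header_as_seen_by_browser(headers: List[Header], name: str) -> Optional[str]:
    """Clients merge repeated headers into one comma-separated value
    (what XMLHttpRequest.getResponseHeader returns); None if the header is absent."""
    values = [v for n, v in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None


def x_frame_options_ok(headers: List[Header]) -> bool:
    """Nextcloud-style check: the merged X-Frame-Options value must be exactly SAMEORIGIN.
    A missing header and a duplicated one ('SAMEORIGIN, SAMEORIGIN') both fail."""
    seen = header_as_seen_by_browser(headers, "X-Frame-Options")
    return seen is not None and seen.strip().lower() == "sameorigin"


def scenario(hide_in_nextcloud_conf: bool, add_in_ssl_conf: bool) -> bool:
    """Evaluate one combination of the two SWAG config lines discussed in the thread."""
    hide = ["X-Frame-Options"] if hide_in_nextcloud_conf else []
    add = SWAG_ADD if add_in_ssl_conf else []
    return x_frame_options_ok(proxy_response(UPSTREAM_HEADERS, hide, add))


if __name__ == "__main__":
    for hide, add in [(True, True), (False, True), (False, False), (True, False)]:
        print(f"proxy_hide_header={hide!s:5} add_header={add!s:5} -> "
              f"{'pass' if scenario(hide, add) else 'FAIL'}")
```

The four combinations reproduce both reports in the thread: hide plus add passes, add without hide fails on the duplicated header, neither passes on Nextcloud's own header, and hide without add fails because no header is left.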