mescon / Muximux

A lightweight way to manage your HTPC
GNU General Public License v2.0

Black screen for Nextcloud, Airsonic due to X-Frame SAMEORIGIN #182

Closed solarchemist closed 6 years ago

solarchemist commented 6 years ago

I'm glad to have discovered Muximux, and my first impression is that Muximux will make introducing self-hosted webapps much easier to non-technical users.

My setup uses HTTPS for all services, including the Muximux page. Each service has its own sub-domain (all on the same domain, *.example.com) with each service sitting behind an Apache reverse proxy that also takes care of the SSL/TLS setup. So far, I've created links for Emby, Deluge, TinyTinyRSS, Wallabag, Calibre, and Ampache that all work without any issues in Muximux. Nice! As a sidenote: this confirms that the closed issue re SAMEORIGIN for Emby is resolved.

The problem is Nextcloud and Airsonic, that both display just a black screen, and for both of them the browser console log shows:

Refused to display <URL> in a frame because it set 'X-Frame-Options' to 'sameorigin'.

So I think we have pretty much nailed down the problem. But what's the solution? I'm afraid I only feel certain what I should not do, that is, hacking the Nextcloud config files or disabling HTTPS. Pointers in the right direction would be much appreciated.

mescon commented 6 years ago

Hey,

This is basically the same issue as this: https://github.com/mescon/Muximux/issues/58#issuecomment-195121950

In short: There's nothing Muximux can do to fix this.

However, if you are serving Nextcloud and Airsonic via nginx, you can strip these headers from the output. You request something from nginx, nginx asks Nextcloud which sets a header saying "don't embed me!" and some data. Nginx takes the data, ignores the "don't embed me!" header and serves it to your browser. If the browser doesn't get that header, it will embed the data just fine :) Look up some examples using the proxy_set_header directive in nginx, or the equivalent in Apache if that's what you're using.

Hope that helps you in the right direction.

EDIT: Also see this comment to help you on your way: https://github.com/mescon/Muximux/issues/58#issuecomment-303736774

solarchemist commented 6 years ago

You're right on the money. Thanks for the pointers! I'll just put up the work-around for Nextcloud that I ended up using, in case it helps someone else.

So it turns out the Nextcloud devs have chosen to hard-code X-Frame-Options SAMEORIGIN in PHP, rather than allowing the site admin to set this policy in Apache/Nginx vhost config. This Nextcloud server issue discusses pros and cons of this, and also identifies the PHP file in question.

So in my Nextcloud www-root, I opened that file (lib/private/legacy/response.php) and changed the line header('X-Frame-Options: SAMEORIGIN'); into header('X-Frame-Options: ALLOW-FROM https://muximux.example.com');. This specifically allows my Muximux domain to embed Nextcloud, while disallowing all other domains. As far as I can tell this setting is respected by all major browsers. And it works as expected so far :-)

Of course, this might have security implications, so please consider your options carefully before deciding to disable or relax the SAMEORIGIN policy. Also, the way this is handled means the setting might be overwritten on minor or major Nextcloud updates.
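An added example, not code from this thread, from Muximux or from Nextcloud: a small Python checker that applies the browser's framing rules to a response's headers and reports whether a page on one origin may embed a page on another. It covers the three situations discussed above (the default SAMEORIGIN that produces the black screen, the header stripped at the reverse proxy as mescon describes, and the ALLOW-FROM edit) and also CSP frame-ancestors, which is what current browsers honour: ALLOW-FROM was only ever implemented by Firefox (dropped in version 70) and legacy IE/Edge, and Chrome and Safari treat it as an invalid value and apply no restriction at all, so an allow-list set that way restricts nothing there and frame-ancestors is the portable way to allow exactly one embedding origin. The hostnames, URLs and header values are constructed for the example.

```python
"""Decide whether a browser would let page A embed page B in an <iframe>,
given B's response headers. Added example, not Muximux or Nextcloud code;
every hostname and header value below is constructed, not captured."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Normalise a URL to its scheme://host[:port] origin (lower-cased)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def xfo_allows(value: str, embedder: str, target: str):
    """X-Frame-Options: DENY / SAMEORIGIN / ALLOW-FROM <uri>.
    Returns True/False, or None for a value browsers ignore (they then embed freely)."""
    tokens = value.strip().split()
    if not tokens:
        return None
    directive = tokens[0].upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return embedder == target
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        # Obsolete: honoured by Firefox < 70 and legacy IE/Edge only.
        # Chrome and Safari treat it as invalid, i.e. as "no restriction".
        return origin_of(tokens[1]) == embedder
    return None


def _source_matches(src: str, embedder: str, target: str) -> bool:
    """Match one CSP source expression ('self', scheme:, host with optional *.)."""
    src = src.lower()
    if src == "'self'":
        return embedder == target
    e = urlsplit(embedder)
    if src.endswith(":") and "/" not in src:        # scheme-source, e.g. "https:"
        return e.scheme == src[:-1]
    scheme, _, rest = src.partition("://")          # host-source
    if not rest:
        scheme, rest = "", src
    host, _, port = rest.partition(":")
    if scheme and scheme != e.scheme:
        return False
    default_port = {"https": "443", "http": "80"}.get(e.scheme, "")
    if port and port != (str(e.port) if e.port else default_port):
        return False
    if host.startswith("*."):
        return (e.hostname or "").endswith(host[1:])   # "*.example.com" -> ".example.com"
    return e.hostname == host


def csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def embedding_allowed(headers: dict, embedder_url: str, target_url: str):
    """Browser precedence: a CSP frame-ancestors directive, when present, wins over
    X-Frame-Options; no header (or an invalid one) means the page embeds freely.
    Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder, target = origin_of(embedder_url), origin_of(target_url)
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = csp_frame_ancestors(csp)
        if sources is not None:
            if [s.lower() for s in sources] == ["'none'"]:
                return False, "CSP frame-ancestors 'none'"
            ok = any(_source_matches(s, embedder, target) for s in sources)
            return ok, f"CSP frame-ancestors {' '.join(sources)}"
    xfo = h.get("x-frame-options")
    if xfo is not None:
        verdict = xfo_allows(xfo, embedder, target)
        if verdict is not None:
            return verdict, f"X-Frame-Options: {xfo}"
        return True, f"X-Frame-Options ignored (invalid value {xfo!r})"
    return True, "no framing restriction sent"


# Constructed sample responses for the scenarios in the thread (hostnames are placeholders).
MUXIMUX = "https://muximux.example.com/"
NEXTCLOUD = "https://cloud.example.com/index.php/apps/files"
SAMPLES = {
    "nextcloud default": {"X-Frame-Options": "SAMEORIGIN"},
    "header stripped":   {},
    "allow-from patch":  {"X-Frame-Options": "ALLOW-FROM https://muximux.example.com"},
    "csp allow-list":    {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy": "frame-ancestors 'self' https://muximux.example.com"},
    "csp locked down":   {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}


def report(samples=SAMPLES, embedder=MUXIMUX, target=NEXTCLOUD):
    """Evaluate every sample response against the Muximux origin."""
    return {name: embedding_allowed(hdrs, embedder, target) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in report().items():
        print(f"{name:18} {'EMBEDS' if ok else 'BLOCKED':8} {why}")
```

Running the script prints one verdict per sample: the default SAMEORIGIN response is blocked, the stripped-header and ALLOW-FROM responses embed, and the CSP allow-list embeds even though SAMEORIGIN is still present, because frame-ancestors takes precedence. The same function can be pointed at headers captured from your own proxy (for instance with curl -I) to confirm a change took effect before reloading Muximux.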