Add hint about duplicated headers #674

43 changes: 32 additions & 11 deletions admin_manual/installation/nginx.rst
@@ -10,13 +10,12 @@ server. This page is community-maintained. (Thank you, contributors!)
**ssl_certificate_key** to suit your needs.
- Make sure your SSL certificates are readable by the server (see `nginx HTTP
SSL Module documentation <http://wiki.nginx.org/HttpSslModule>`_).
- ``add_header`` statements are only taken from the current level and are not
cascaded from or to a different level. All necessary ``add_header``
statements must be defined in each level needed. For better readability it
is possible to move *common* add header statements into a separate file
and include that file wherever necessary. However, each ``add_header``
statement must be written in a single line to prevent connection problems
with sync clients.
- The ``add_header`` directives are only inherited from the previous level if
there are no ``add_header`` directives defined on the current level. For
better readability it is possible to move *common* add header statements
into a separate file and include that file wherever necessary. However,
each ``add_header`` statement must be written in a single line to prevent
connection problems with sync clients.
- Be careful about line breaks if you copy the examples, as long lines may be
broken for page formatting.
- Some environments might need a ``cgi.fix_pathinfo`` set to ``1`` in their
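Review bot: the rewritten bullet now states the rule nginx actually applies to ``add_header`` (inherited from the enclosing level only when the current level defines none), which the old "not cascaded from or to a different level" wording got wrong; consider linking the nginx ``add_header`` documentation inline, as the SSL bullet above does for the SSL module, and say "enclosing level" rather than "previous level", since "previous" can be read as "earlier in the file". The carried-over sentence that each ``add_header`` must stay on one line to avoid connection problems with sync clients is the reason the HSTS example later in this patch is joined onto one line; saying so here would tie the two together for the reader.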
@@ -61,8 +60,7 @@ webroot of your nginx installation. In this example it is
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
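Review bot: joining the commented HSTS example onto a single line follows the single-line rule stated in the notes above, so a reader who uncomments it gets a directive that does not trip the sync-client problem the notes warn about. While touching this line, the semicolon inside the quoted value after ``preload`` could be dropped; browsers tolerate the empty trailing directive, but it is sent to every client as part of the header value. The ``preload`` warning that follows should stay exactly as it is.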
@@ -74,12 +72,17 @@ webroot of your nginx installation. In this example it is
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
fastcgi_hide_header X-Content-Type-Options;
fastcgi_hide_header X-XSS-Protection;
Member

We should not remove them by default, because then it could be that those are not set by the web server as well, causing a security problem.

fastcgi_hide_header X-Robots-Tag;
fastcgi_hide_header X-Download-Options;
fastcgi_hide_header X-Permitted-Cross-Domain-Policies;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

# Path to the root of your installation
root /var/www/nextcloud/;
root /var/www/nextcloud;

location = /robots.txt {
allow all;
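Review bot: the new ``fastcgi_hide_header`` lines remove the copies of these headers that PHP sets, so they are only safe while the ``add_header`` lines directly above them apply to the same response; under the inheritance rule this patch itself describes in the first hunk, a location that defines its own ``add_header`` loses the inherited ones, while the ``fastcgi_hide_header`` list is inherited independently, so such a response would carry neither copy. That is the gap the member comment above is pointing at. Suggest either leaving the hide lines out of the default example, as the comment asks, or adding a comment beside them stating that they must never be used without the matching ``add_header`` lines at the same level. Dropping the trailing slash from ``root /var/www/nextcloud`` is fine.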
@@ -219,12 +222,17 @@ your nginx installation.
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
fastcgi_hide_header X-Content-Type-Options;
fastcgi_hide_header X-XSS-Protection;
fastcgi_hide_header X-Robots-Tag;
fastcgi_hide_header X-Download-Options;
fastcgi_hide_header X-Permitted-Cross-Domain-Policies;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

# Path to the root of your installation
root /var/www/;
root /var/www;

location = /robots.txt {
allow all;
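Review bot: this hunk repeats the first example's edit for the ``root /var/www`` variant, so the same coupling between the ``fastcgi_hide_header`` lines and the ``add_header`` lines above them applies here; whatever is decided for the first block should be mirrored here so the two example configurations do not drift apart.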
@@ -363,3 +371,16 @@ block shown above not located **below** the:

block. Other custom configurations like caching JavaScript (.js)
or CSS (.css) files via gzip could also cause such issues.

Duplicated headers in response
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

NextCloud sets some security headers within PHP by default. If they are also
set by nginx this will cause duplicated headers and the NectCloud status
check may display some errors, that the headers are not configured as recommend.

To avoid duplicated headers in responses, use the ``fastcgi_hide_header`` option:

.. code-block:: nginx

fastcgi_hide_header X-XSS-Protection;
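Review bot: the new section's code block hides only ``X-XSS-Protection``, while both example configurations in this patch hide five headers (``X-Content-Type-Options``, ``X-XSS-Protection``, ``X-Robots-Tag``, ``X-Download-Options``, ``X-Permitted-Cross-Domain-Policies``); list the same set here or point the reader at the example, and say explicitly that ``fastcgi_hide_header`` only removes the copy PHP sends, so the corresponding ``add_header`` must be present at the same level or the header disappears from the response altogether. Wording: "NextCloud" and "NectCloud" should both read "Nextcloud", "as recommend" should read "as recommended", and the comma in "some errors, that the headers" should go.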
Member

I like this separate section, which we could maybe also link from the admin settings, so that admins directly know where it is coming from and how to fix it in their environment.