Description
Nextcloud community help+174d6e8e9980005bf8996a3042b011d5@nextcloud.com refers.
Steps to reproduce
- My case - Apache behind a nginx proxy server; others nginx with SSL
- Default setup
- Admin screen reports that various headers (e.g. X-XSS-Protection) are not set up, yet they are part of the default configuration: .htaccess sets them.
"The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting."
Expected behaviour
Admin panel does not complain of missing X-XSS-Protection and other headers
Actual behaviour
Headers received are:
```
x-content-type-options:nosniff
x-content-type-options:nosniff
x-download-options:noopen
x-download-options:noopen
x-frame-options:SAMEORIGIN
x-frame-options:Sameorigin
x-permitted-cross-domain-policies:none
x-permitted-cross-domain-policies:none
x-proxy-cache:MISS
x-robots-tag:none
x-robots-tag:none
x-xss-protection:1; mode=block
x-xss-protection:1; mode=block
```
Several are doubled because:
a) nginx converts the name to lower case;
b) Nextcloud tests the headers for the presence of an X-XSS-Protection header;
c) it does not find it (as the name has been case converted), so "belt and braces" processing adds another one;
d) nginx converts that to lower case as well.
Nextcloud code does a case-sensitive match for the header NAME, and then a case-insensitive match on the VALUE. Due to nginx converting the case, the header is not found. It is, of course, actually present.
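As an added example (not Nextcloud's own code), the check described above written two ways: with the case-sensitive name lookup the report describes, and with the name lower-cased before comparison, both run over the lower-cased headers received through nginx. The function names, the constructed sample and the rule that every duplicate must match are assumptions.

```php
<?php
// Security headers the admin-panel check expects (values from the warnings).
const EXPECTED_HEADERS = [
    'X-XSS-Protection'                  => '1; mode=block',
    'X-Content-Type-Options'            => 'nosniff',
    'X-Robots-Tag'                      => 'none',
    'X-Frame-Options'                   => 'SAMEORIGIN',
    'X-Download-Options'                => 'noopen',
    'X-Permitted-Cross-Domain-Policies' => 'none',
];
// Group raw "Name: value" lines into name => [values]. Names are lower-cased
// only when $normaliseNames is true (HTTP field names are case-insensitive).
function parseHeaders(array $lines, bool $normaliseNames): array
{
    $headers = [];
    foreach ($lines as $line) {
        list($name, $value) = array_map('trim', explode(':', $line, 2));
        $headers[$normaliseNames ? strtolower($name) : $name][] = $value;
    }
    return $headers;
}
// Expected headers that are absent or carry a wrong value. Values compare
// case-insensitively in both variants, as the report describes. Assumption:
// every occurrence of a duplicated header must match, so a conflicting
// duplicate is reported instead of silently passing.
function missingHeaders(array $lines, bool $normaliseNames): array
{
    $received = parseHeaders($lines, $normaliseNames);
    $missing  = [];
    foreach (EXPECTED_HEADERS as $name => $expected) {
        $values = $received[$normaliseNames ? strtolower($name) : $name] ?? [];
        $bad = array_filter($values, function ($v) use ($expected) {
            return strcasecmp($v, $expected) !== 0;
        });
        if ($values === [] || $bad !== []) {
            $missing[] = $name;
        }
    }
    return $missing;
}
// Constructed sample: the response as seen through the nginx proxy in the
// report (names lower-cased, most headers delivered twice).
$viaNginx = [
    'x-xss-protection: 1; mode=block', 'x-xss-protection: 1; mode=block',
    'x-content-type-options: nosniff', 'x-content-type-options: nosniff',
    'x-robots-tag: none', 'x-robots-tag: none', 'x-download-options: noopen',
    'x-frame-options: SAMEORIGIN', 'x-frame-options: Sameorigin',
    'x-permitted-cross-domain-policies: none', 'x-download-options: noopen',
];
printf("missing with case-sensitive names: %d, with lower-cased names: %d\n",
    count(missingHeaders($viaNginx, false)), count(missingHeaders($viaNginx, true)));
```

With the case-sensitive lookup all six headers are reported missing although every one is present; with lower-cased names none are, and the SAMEORIGIN/Sameorigin duplicate still passes because only the value comparison is case-insensitive.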
When I raised a support request with the ISP, they reviewed the headers coming from Apache.
They include:
```
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
```
Server configuration
Operating system:
Linux es22.siteground.eu 64-bit #3 SMP
Web server:
Apache (though this appears not to be relevant)
Database:
MySQL 5.6.28
PHP version:
7.0 (but happens with 5.6 as well)
Nextcloud version: (see Nextcloud admin page)
10.0 (stable)
Updated from an older Nextcloud/ownCloud or fresh install:
Fresh install
Where did you install Nextcloud from:
Nextcloud.com
Signing status:
Security & setup warnings
Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our documentation. (List of invalid files… / Rescan…)
The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.
No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.
Please double check the installation guides, and check for any errors or warnings in the log.
**List of activated apps:**
<details>
<summary>App list</summary>
Default set
</details>
The content of config/config.php:
```php
'ock5ny9oo6ps',
'passwordsalt' => '',
'secret' => '',
'trusted_domains' => array (
  0 => 'files.lionsheraldic78.org',
  1 => 'lionsheraldic78.org',
),
'datadirectory' => '/home/lionsher/lcyhowndata',
'overwrite.cli.url' => 'https://files.lionsheraldic78.org',
'overwriteprotocol' => 'https',
'dbtype' => 'mysql',
'version' => '9.1.0.16',
'dbname' => '',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => '',
'dbpassword' => '',
'logtimezone' => 'UTC',
'installed' => true,
'forcessl' => true,
'enable_certificate_management' => false,
'mail_domain' => 'lionsheraldic78.org',
'mail_smtpmode' => 'php',
'mail_from_address' => 'website',
'appcodechecker' => false,
'appstore.experimental.enabled' => true,
);
```
**Are you using external storage, if yes which one:** No
**Are you using encryption:** Only SSL
**Are you using an external user-backend, if yes which one:** No