Graeme:

Hi all you great peoples,

I have just installed my first turnkey "debian-12-turnkey-nextcloud_18.0-1_amd64.tar.gz" from the Proxmox turnkey templates and am having a few issues regarding 2 security risks.

  • The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS

The problem that I have noticed is that, following the Nextcloud docs, everything that they suggest to do is already done in the config.php etc.

Any help would be greatly appreciated.

Thanks in advance

Makaone

Jeremy Davis:

We do set the "Strict-Transport-Security" HTTP header (albeit to 63072000 secs). We also include config for the "X-Frame-Options" HTTP header in our default Apache security config, although it is disabled by default.

So I was going to suggest adjusting the Apache config, to enable "X-Frame-Options" (remove leading '#' from line 74 of /etc/apache2/conf-available/security.conf) and tighten "Strict-Transport-Security" (adjust line 98 of /etc/apache2/mods-available/ssl.conf).

Although, looking at our Nextcloud default Apache config, I realized that we ARE explicitly setting the HSTS header to 15552000 seconds!? So I'm not sure why that isn't working?

Further, after doing some quick research, I discovered that Nextcloud itself sets "X-Frame-Options" header to "SAMEORIGIN". They recommend that it is NOT set in the webserver config (see this comment from a NC dev).

I double checked the claim in their codebase and discovered that they actually set it (and other headers) twice! Once in their PHP code (see line 100 for "X-Frame-Options"), and another time in their htaccess file (an Apache config snippet - see line 27).

So I'm not at all sure what's going on. For starters, why do you think that they're not set? What tests and/or where are you seeing that reported? Perhaps that might assist me to understand what/where the actual issue might be, and I could do some testing on my end.

A couple of other thoughts/questions off the top of my head:

  • Are you using a reverse proxy? Perhaps that is stripping the headers?
  • Do you have a "proper" (CA signed) SSL/TLS certificate? I wouldn't expect that to affect the "X-Frame-Options" header, but it almost certainly will affect the HSTS config.

Regardless, even though it's unlikely to be any value to you, your post has prompted me to consider enabling "X-Frame-Options" by default. It'd also be good to include some other security related headers too, although probably disabled by default. So I've opened an issue relating to them.

Graeme:

Hi, 

Thanks for your quick reply.

  • Are you using a reverse proxy? Perhaps that is stripping the headers?

I am running Nextcloud with HAProxy on pfSense.

  • Do you have a "proper" (CA signed) SSL/TLS certificate?

Yes, I have a "proper" CA cert.

  • So I'm not at all sure what's going on. For starters, why you think that they're not set? What tests and/or where are you seeing that reported? Perhaps that might assist me to understand what/where the actual issue might be and I could do some testing on my end.

Security & setup warnings

It's important for the security and performance of your instance that everything is configured correctly. To help you with that we are doing some automatic checks. Please see the linked documentation for more information.

There are some warnings regarding your setup.

  • The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
  • You have not set or verified your email server configuration, yet. Please head over to the Basic settings in order to set them. Afterwards, use the "Send email" button below the form to verify your settings.
  • Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code ↗ of the region to your config file.

Please double check the installation guides ↗, and check for any errors or warnings in the log.

Check the security of your Nextcloud over our security scan ↗.


I hope this helps in some way.

Cheers

Makaone

Jeremy Davis:

TBH, I'm not at all familiar with HAProxy, so I can't really give any specific advice, but hopefully I can point you in the right direction.

My first guess is that HAProxy is stripping the Header/s or possibly overriding them.

Or perhaps it's just a false positive from Nextcloud because your server is behind HAProxy?

To diagnose where this is going wrong, check what headers your Nextcloud and HAProxy servers are sending.

Checking Nextcloud will require a direct connection (i.e. not via HAProxy), so will probably only be possible within your LAN.

Depending on how things work on your network, you may be able to route through HAProxy locally too, or perhaps you'll need to connect externally (i.e. over the internet - I often use my phone as a hotspot to do that).

You can see the headers in your web browser. I'm using Firefox, but google says that it should essentially be the same for other browsers too. So, open your web browser, then open "Web Developer tools". Select the "Network" tab and then load Nextcloud via direct link. In the network traffic results, find the request for the page and look for the headers button, then check for the relevant headers. Then rinse and repeat via HAProxy.

FWIW please see below for a screenshot of the dev tools console looking at this website's headers. I loaded the forums page, but I would expect it to be the same for any page. FWIW I can see that we're setting the x-content-type-options header twice - I should look into that!

Graeme:

Hi Jeremy,


Thank you for the information. I did what you said and it seemed to be loading in Chrome, so I then downloaded Firefox and it does not produce the errors regarding the headers... It must be a false positive within Chrome.

Jeremy Davis:

Thanks for posting back with your good news. It's still not ideal, but at least we know now.

Graeme:

Hi Jeremy,


Just a quick question. Can I update the TurnKey Nextcloud using the updater within Nextcloud, or do I need to wait until the TurnKey appliance is updated?

Hope that makes sense.

Makaone

Jeremy Davis:

You should be able to update via the Nextcloud updater. But if you hit any issues, please let me know. Probably better to start a new thread though.

Eventually, you'll need to migrate to a new server (or do a Debian "in place" upgrade) because Nextcloud will almost certainly need a newer version of PHP at some point.

It is possible to update PHP via a third party apt repo, but at that point it would probably be better to migrate your data to a new TurnKey version (assuming one is available then). Whilst the 3rd party is trustworthy (he's also a PHP maintainer for Debian and Ubuntu), it's still not ideal, as you will need to manually update to resolve security issues, which may leave security issues unpatched until you update (the Debian security updates are auto installed daily).

Regardless, it's worth keeping in mind that until Nextcloud (or a module/app) needs an update, there is no need to update PHP. Even if Nextcloud starts whinging that the version of PHP is EOL (end of life) and potentially a security risk, you can safely ignore those security concerns. That is because on TurnKey PHP comes from Debian. TurnKey v18.x is based on Debian 12/Bookworm and, regardless of whether PHP is supported by its upstream developers (i.e. PHP themselves) or not, PHP v8.2 in Debian will be supported with security updates until at least June 30th, 2028.

I hope that helps.
