From cc22ea5d0b9775817f406368c909a05d851ff397 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sat, 24 Jun 2023 20:35:40 -0500
Subject: [PATCH 1/2] Nextcloud header adjustments
Signed-off-by: Eric Nemchik
---
 nextcloud.subdomain.conf.sample | 9 +++++++--
 nextcloud.subfolder.conf.sample | 15 +++++++++++----
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/nextcloud.subdomain.conf.sample b/nextcloud.subdomain.conf.sample
index 3e03083..afb4a00 100644
--- a/nextcloud.subdomain.conf.sample
+++ b/nextcloud.subdomain.conf.sample
@@ -1,4 +1,4 @@
-## Version 2023/06/06
+## Version 2023/06/24
 # make sure that your nextcloud container is named nextcloud
 # make sure that your dns has a cname set for nextcloud
 # assuming this container is called "swag", edit your nextcloud container's config
@@ -32,8 +32,13 @@ server {
 set $upstream_proto https;
 proxy_pass $upstream_proto://$upstream_app:$upstream_port;
- # Uncomment X-Frame-Options directive in ssl.conf to pass security checks.
+ # Hide proxy response headers from Nextcloud that conflict with ssl.conf
+ proxy_hide_header Referrer-Policy;
+ proxy_hide_header X-Content-Type-Options;
 proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+
+ # Disable proxy buffering
 proxy_buffering off;
 }
 }
diff --git a/nextcloud.subfolder.conf.sample b/nextcloud.subfolder.conf.sample
index 44a672b..2ad882e 100644
--- a/nextcloud.subfolder.conf.sample
+++ b/nextcloud.subfolder.conf.sample
@@ -1,4 +1,4 @@
-## Version 2023/06/06
+## Version 2023/06/24
 # make sure that your nextcloud container is named nextcloud
 # make sure that nextcloud is set to work with the base url /nextcloud/
 # Assuming this container is called "swag", edit your nextcloud container's config
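Review bot: The four `proxy_hide_header` lines in the `server` hunk of nextcloud.subdomain.conf.sample (and the same four in the `location ^~ /nextcloud/` hunk of nextcloud.subfolder.conf.sample) strip Nextcloud's own `Referrer-Policy`, `X-Content-Type-Options`, `X-Frame-Options` and `X-XSS-Protection`, and nothing visible in this patch puts them back. ssl.conf is not part of the diff, and the comment re-added in patch 2/2 suggests its replacement headers are optional and commented out by default; if so, a user who copies the sample unchanged serves Nextcloud with no MIME-sniffing or framing protection at all. The comment should state that consequence rather than only the scan result, e.g. `# Required: uncomment the optional headers in SWAG's ssl.conf, otherwise these four headers are removed and not replaced`. Re-adding them with `add_header` inside these blocks is not a drop-in alternative, because a block that declares its own `add_header` no longer inherits the ones set at the outer level.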
@@ -34,10 +34,17 @@ location ^~ /nextcloud/ { proxy_pass $upstream_proto://$upstream_app:$upstream_port; rewrite /nextcloud(.*) $1 break; - # Uncomment X-Frame-Options directive in ssl.conf to pass security checks. - proxy_hide_header X-Frame-Options; - proxy_buffering off; + proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_ssl_session_reuse off; + + # Hide proxy response headers from Nextcloud that conflict with ssl.conf + proxy_hide_header Referrer-Policy; + proxy_hide_header X-Content-Type-Options; + proxy_hide_header X-Frame-Options; + proxy_hide_header X-XSS-Protection; + + # Disable proxy buffering + proxy_buffering off; } From f6d6c030801355b1a6264920cce0f6b733f303cc Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sat, 24 Jun 2023 20:43:42 -0500 Subject: [PATCH 2/2] Re-include comment about NC security scans Signed-off-by: Eric Nemchik --- nextcloud.subdomain.conf.sample | 1 + nextcloud.subfolder.conf.sample | 1 + 2 files changed, 2 insertions(+) diff --git a/nextcloud.subdomain.conf.sample b/nextcloud.subdomain.conf.sample index afb4a00..5fb72f8 100644 --- a/nextcloud.subdomain.conf.sample +++ b/nextcloud.subdomain.conf.sample @@ -33,6 +33,7 @@ server { proxy_pass $upstream_proto://$upstream_app:$upstream_port; # Hide proxy response headers from Nextcloud that conflict with ssl.conf + # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan proxy_hide_header Referrer-Policy; proxy_hide_header X-Content-Type-Options; proxy_hide_header X-Frame-Options; diff --git a/nextcloud.subfolder.conf.sample b/nextcloud.subfolder.conf.sample index 2ad882e..ca259da 100644 --- a/nextcloud.subfolder.conf.sample +++ b/nextcloud.subfolder.conf.sample 
@@ -40,6 +40,7 @@ location ^~ /nextcloud/ {
 proxy_ssl_session_reuse off;
 # Hide proxy response headers from Nextcloud that conflict with ssl.conf
+ # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
 proxy_hide_header Referrer-Policy;
 proxy_hide_header X-Content-Type-Options;
 proxy_hide_header X-Frame-Options;