Latest Nextcloud X-Frame-Options and Opcache warnings in admin panel

NethServer Version: 7.3.1611
Module: nethserver-nextcloud

After an update to the nextcloud version 12 module, a couple new errors show up in the nextcloud admin page.

The first is a warning that the X-Frame-Options is not set to “SAMEORIGIN” in the .htaccess file, yet if I check the file, I can see that the setting is correctly set. Both the admin panel and the scan tool at scan.nextcloud.com report this issue.

cat /usr/share/nextcloud/.htaccess

<IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
  </IfModule>

There are also the following opcache warnings. I tried to set them in /etc/php.ini, but they had no effect (possibly the wrong php file I need to edit?)

The PHP Opcache is not properly configured. For better performance we recommend to use following settings in the php.ini:
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Note that none of these issues were ever present in 11.0.0.3 or other nextcloud versions.

The mod_env module is loaded by default, I didn’t check why the config is not applied.
Could you please try to check if AllowOverride is enabled?

Try to edit this file /etc/opt/rh/rh-php56/php-fpm.d/www.conf but it’s common to all applications which use php5.6. I don’t know if these configurations are safe for every software.

The php-fpm is not using .htaccess but .user.ini file (correct me if I’m wrong).

@giacomo

I went ahead and checked for AllowOverride, and it is not listed in .htaccess.
I also tried to add the options for opcache into /etc/opt/rh/rh-php56/php-fpm.d/www.conf, but upon restarting using systemctl restart rh-php56-php-fpm, the service fails. Applying globally is not the correct solution anyways.

I also tried adding the options to .user.ini like @dnutan suggested, but nextcloud still says the options are not set correctly.

Scratch that, it’s not completely true. What Nextcloud manual says is:

Nextcloud comes with its own nextcloud/.htaccess file. Because php-fpm can’t read PHP settings in .htaccess these settings and permissions must be set in the nextcloud/.user.ini file.

Do you have an .htaccess.rpmnew in the nextcloud folder?
I had it and replaced the old version with the newer one: no more X-Frame-Options warning.

Checking the http headers before and after the change:

  • With the old file, which contains the X-Frame-Options directive, the response header option was being sent twice and the warning showed up.
  • With the new .htaccess file, only one X-Frame-Options is returned by the http response header, and no warning on Nextcloud’s admin page.

Maybe you are facing the same issue.


To enable opcache we need an additional package:

yum install rh-php56-php-opcache

opcache settings will be located at /etc/opt/rh/rh-php56/php.d/10-opcache.ini

It works either by editing that file with the recommended settings or, otherwise, adding the values to /etc/opt/rh/rh-php56/php-fpm.d/www.conf with the correct format:

php_value[opcache.enable_cli]=1
php_value[opcache.max_accelerated_files]=10000
php_value[opcache.save_comments]=1
php_value[opcache.revalidate_freq]=1

(recommended settings matching default values were omitted.)

After changing any of the files restart the php-fpm service for the changes to be applied:

systemctl restart rh-php56-php-fpm

It does not work on .htaccess or .user.ini as most of the recommended values are system settings (PHP_INI_SYSTEM).

Still don’t know the right way to make the settings available only to a specific virtualhost (eg. nextcloud). But a workaround could be to disable opcache by setting opcache.enable in the .htaccess file of any other virtualhost.
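A way to check what the two files named above add up to, as an added example that is not part of the original post: it merges a php.d ini file with the pool's `php_value[...]` overrides and lists every setting from Nextcloud's warning that is still unset or different. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the files only; it does not
# query the running php-fpm. Values are compared as literal strings.

# Recommended values quoted from the Nextcloud admin warning in this thread.
RECOMMENDED="opcache.enable=1 opcache.enable_cli=1 opcache.interned_strings_buffer=8 opcache.max_accelerated_files=10000 opcache.memory_consumption=128 opcache.save_comments=1 opcache.revalidate_freq=1"

# opcache_gaps INI_FILE POOL_CONF
# Prints "key want=<recommended> got=<value|unset>" for each setting that differs.
opcache_gaps() {
    awk -v rec="$RECOMMENDED" '
        BEGIN {
            n = split(rec, items, " ")
            for (i = 1; i <= n; i++) {
                split(items[i], kv, "="); want[kv[1]] = kv[2]; order[i] = kv[1]
            }
        }
        /^[ \t]*[;#]/ { next }    # commented-out settings do not count
        {
            line = $0
            sub(/^[ \t]*php_(admin_)?(value|flag)\[/, "", line)  # pool syntax
            sub(/\][ \t]*=/, "=", line)
            eq = index(line, "=")
            if (eq == 0) next     # section headers such as [www]
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key in want) got[key] = val   # the pool file is read last and wins
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in got)) printf "%s want=%s got=unset\n", k, want[k]
                else if (got[k] != want[k]) printf "%s want=%s got=%s\n", k, want[k], got[k]
            }
        }' "$1" "$2"
}

# Constructed sample files for an offline run (not the real packaged contents).
write_samples() {
    printf '%s\n' 'zend_extension=opcache.so' 'opcache.enable=1' \
        'opcache.memory_consumption=128' 'opcache.interned_strings_buffer=8' \
        'opcache.max_accelerated_files=4000' ';opcache.save_comments=1' > "$1/10-opcache.ini"
    printf '%s\n' '[www]' 'php_value[opcache.enable_cli]=1' \
        'php_value[opcache.max_accelerated_files]=10000' \
        'php_value[opcache.save_comments]=1' \
        'php_value[opcache.revalidate_freq]=1' > "$1/www.conf"
}
```

On the server, the two arguments would be /etc/opt/rh/rh-php56/php.d/10-opcache.ini and /etc/opt/rh/rh-php56/php-fpm.d/www.conf; empty output means every recommended value is present in the files.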

I did not have that file in my nextcloud folder.

Following your instructions to install rh-php56-php-opcache and editing the necessary options in the 10-opcache.ini file however worked for the opcache settings.

Strangely enough, after a full server reboot, the origins error has disappeared. Not sure why, because I have restarted httpd several times from command and still had that error.
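The before/after header comparison described earlier in the thread can be repeated after any change or reboot. The following is an added example, not part of the original posts: it counts how often each security header from the quoted .htaccess block appears in a response and shows the comma-joined value a client ends up with when a header is sent twice. The function names and the sample response are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads raw response headers
# (the output of `curl -sI URL`) on stdin.

# Header names taken from the .htaccess excerpt quoted in the thread.
SEC_HEADERS="x-content-type-options x-xss-protection x-robots-tag x-frame-options x-download-options x-permitted-cross-domain-policies"

# Print "name<TAB>count<TAB>value" for each header in SEC_HEADERS.
# A header sent more than once is folded into one comma-joined value.
header_report() {
    tr -d '\r' | awk -v list="$SEC_HEADERS" '
        BEGIN { n = split(list, names, " ") }
        /^[A-Za-z0-9-]+:/ {
            colon = index($0, ":")
            name = tolower(substr($0, 1, colon - 1))
            val = substr($0, colon + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (count[name]++) folded[name] = folded[name] ", " val
            else folded[name] = val
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s\t%d\t%s\n", names[i], count[names[i]], folded[names[i]]
        }'
}

# Names of the headers that were sent more than once, or not at all.
duplicated_headers() { header_report | awk -F '\t' '$2 > 1 { print $1 }'; }
missing_headers()    { header_report | awk -F '\t' '$2 == 0 { print $1 }'; }

# Constructed sample of the "before" state: X-Frame-Options arrives twice.
sample_before() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'X-Content-Type-Options: nosniff' \
        'X-XSS-Protection: 1; mode=block' 'X-Robots-Tag: none' \
        'X-Frame-Options: SAMEORIGIN' 'X-Frame-Options: SAMEORIGIN' \
        'X-Download-Options: noopen' 'X-Permitted-Cross-Domain-Policies: none'
}
```

Against a live server, pipe the output of `curl -sI` for the Nextcloud URL into `header_report`; a count of 2 for x-frame-options is the duplicated state the thread describes.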

For the first problem of the .htaccess file I’ve proposed a solution with 2 PRs:

  1. https://github.com/nextcloud/server-packages/pull/16
  2. https://github.com/NethServer/nethserver-nextcloud/pull/24

Nextcloud does a code integrity check. The update of the package does not overwrite .htaccess but creates a .htaccess.rpmnew, so nextcloud notices that the code is different from the original and shows the security warning message.

PR has been merged and here is the testing package.
Is there anyone who has the problem and can test it?
@Christopher_Suttles do you still have the problem?

I haven’t had the issue for some months after doing a clean install of NethServer 7.4, but I think it still remains for those doing upgrades from Nextcloud 11 > 12.

Exactly: clean installation of the latest nc release does not have the problem.