Latest Nextcloud X-Frame-Options and Opcache warnings in admin panel

nextcloud
v7

(Christopher Suttles) #1

NethServer Version: 7.3.1611
Module: nethserver-nextcloud

After an update to the nextcloud version 12 module, a couple new errors show up in the nextcloud admin page.

The first is a warning that the X-Frame-Options is not set to “SAMEORIGIN” in the .htaccess file, yet if I check the file, I can see that the setting is correctly set. Both the admin panel and the scan tool at scan.nextcloud.com report this issue.

cat /usr/share/nextcloud/.htaccess

<IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
</IfModule>

There are also the following opcache warnings. I tried to set them in /etc/php.ini, but they had no effect (possibly the wrong php file I need to edit?)

The PHP Opcache is not properly configured. For better performance we recommend to use following settings in the php.ini:
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Note that none of these issues were ever present in 11.0.0.3 or other nextcloud versions.


(Giacomo Sanchietti) #2

The mod_env module is loaded by default, I didn’t check why the config is not applied.
Could you please try to check if AllowOverride is enabled?

Try to edit this file /etc/opt/rh/rh-php56/php-fpm.d/www.conf but it’s common to all applications which use php5.6. I don’t know if these configurations are safe for every software.


(Marc) #3

The php-fpm is not using .htaccess but .user.ini file (correct me if I’m wrong).


(Christopher Suttles) #4

@giacomo

I went ahead and checked for AllowOverride, and it is not listed in .htaccess.
I also tried to add the options for opcache into /etc/opt/rh/rh-php56/php-fpm.d/www.conf, but upon restarting using systemctl restart rh-php56-php-fpm, the service fails. Applying globally is not the correct solution anyways.

I also tried adding the options to .user.ini like @dnutan suggested, but nextcloud still says the options are not set correctly.


(Marc) #5

Scratch that, it’s not completely true. What the Nextcloud manual says is:

Nextcloud comes with its own nextcloud/.htaccess file. Because php-fpm can’t read PHP settings in .htaccess these settings and permissions must be set in the nextcloud/.user.ini file.


(Marc) #6

Do you have an .htaccess.rpmnew in the nextcloud folder?
I had it and replaced the old version with the newer one: no more X-Frame-Options warning.

Checking the http headers before and after the change:

  • With the old file, which contains the X-Frame-Options directive, the response header option was being sent twice and the warning showed up.
  • With the new .htaccess file, only one X-Frame-Options is returned by the http response header, and no warning on Nextcloud’s admin page.

Maybe you are facing the same issue.


To enable opcache we need an additional package:

yum install rh-php56-php-opcache

opcache settings will be located at /etc/opt/rh/rh-php56/php.d/10-opcache.ini

It works either by editing that file with the recommended settings or, otherwise, adding the values to /etc/opt/rh/rh-php56/php-fpm.d/www.conf with the correct format:

php_value[opcache.enable_cli]=1
php_value[opcache.max_accelerated_files]=10000
php_value[opcache.save_comments]=1
php_value[opcache.revalidate_freq]=1

(recommended settings matching default values were omitted.)

After changing any of the files restart the php-fpm service for the changes to be applied:

systemctl restart rh-php56-php-fpm

It does not work on .htaccess or .user.ini as most of the recommended values are system settings (PHP_INI_SYSTEM).

Still don’t know the right way to make the settings available only to a specific virtualhost (eg. nextcloud). But a workaround could be to disable opcache by setting opcache.enable in the .htaccess file of any other virtualhost.
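
A way to check a php.ini fragment or a php-fpm pool file against the values from the admin warning in post #1, added here as an example and not taken from any post in this thread. It accepts both the `key=value` form and the `php_value[key]=value` form shown above; the two sample inputs are constructed, and values are compared literally.

```shell
#!/usr/bin/env bash
# Added example: compare opcache settings on stdin with the values quoted
# in the Nextcloud admin warning (post #1).
RECOMMENDED="opcache.enable=1 opcache.enable_cli=1 opcache.interned_strings_buffer=8 opcache.max_accelerated_files=10000 opcache.memory_consumption=128 opcache.save_comments=1 opcache.revalidate_freq=1"

check_opcache() {
    # Prints "MISMATCH key=got (want X)" or "UNSET key (...)" per finding.
    awk -v rec="$RECOMMENDED" '
        BEGIN {
            n = split(rec, pairs, " ")
            for (k = 1; k <= n; k++) { split(pairs[k], kv, "="); keys[k] = kv[1]; want[kv[1]] = kv[2] }
        }
        /^[ \t]*[;#]/ { next }                      # whole-line comments
        {
            line = $0
            sub(/;.*$/, "", line)                   # trailing ini comment
            gsub(/[ \t\r]/, "", line)
            sub(/^php_(admin_)?value\[/, "", line)  # pool syntax: php_value[key]=v
            sub(/\]=/, "=", line)
            i = index(line, "=")
            if (i < 2) next
            key = substr(line, 1, i - 1)
            if (key in want) got[key] = substr(line, i + 1)
        }
        END {
            for (k = 1; k <= n; k++) {
                key = keys[k]
                if (!(key in got)) {
                    printf "UNSET %s (PHP default applies, want %s)\n", key, want[key]
                } else if (got[key] != want[key]) {
                    printf "MISMATCH %s=%s (want %s)\n", key, got[key], want[key]
                }
            }
        }'
}

# Constructed ini excerpt with two values that differ from the recommendation.
sample_ini() {
    printf '%s\n' '; constructed 10-opcache.ini excerpt' 'zend_extension=opcache.so' \
        'opcache.enable=1' 'opcache.enable_cli = 0' 'opcache.interned_strings_buffer=8' \
        'opcache.max_accelerated_files=4000' 'opcache.memory_consumption=128' \
        'opcache.save_comments=1' 'opcache.revalidate_freq=1 ; seconds'
}
# The four pool-file lines from the post above; the rest rely on defaults.
sample_pool() {
    printf '%s\n' 'php_value[opcache.enable_cli]=1' 'php_value[opcache.max_accelerated_files]=10000' \
        'php_value[opcache.save_comments]=1' 'php_value[opcache.revalidate_freq]=1'
}

sample_ini | check_opcache
```

On a real system the input would be the file named above, for example `check_opcache < /etc/opt/rh/rh-php56/php.d/10-opcache.ini`.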


(Christopher Suttles) #7

I did not have that file in my nextcloud folder.

Following your instructions to install rh-php56-php-opcache and editing the necessary options in the 10-opcache.ini file however worked for the opcache settings.

Strangely enough, after a full server reboot, the origins error has disappeared. Not sure why, because I have restarted httpd several times from command and still had that error.
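
To see what the server actually sends rather than what .htaccess says, the response headers can be audited for the duplicate described in post #6. This is an added example, not code from any post in the thread; the header names come from the .htaccess in post #1, the two sample responses are constructed, and the hostname in the comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: audit raw response headers read from stdin, e.g.
#   curl -sI https://cloud.example.org/ | audit_headers   (placeholder host)

# Header names set by the .htaccess shown in post #1.
SEC_HEADERS="x-content-type-options x-xss-protection x-robots-tag x-frame-options x-download-options x-permitted-cross-domain-policies"

audit_headers() {
    # Prints "DUPLICATE <name> x<count>" or "MISSING <name>" per finding.
    # Returns 0 when every header is present exactly once, 1 otherwise.
    awk -v want="$SEC_HEADERS" '
        BEGIN { n = split(want, names, " ") }
        {
            i = index($0, ":")
            if (i < 2) next                       # status line or blank line
            count[tolower(substr($0, 1, i - 1))]++  # header names are case-insensitive
        }
        END {
            bad = 0
            for (k = 1; k <= n; k++) {
                h = names[k]
                if (count[h] > 1)      { printf "DUPLICATE %s x%d\n", h, count[h]; bad = 1 }
                else if (count[h] < 1) { printf "MISSING %s\n", h; bad = 1 }
            }
            exit bad
        }'
}

# Constructed response: X-Frame-Options arrives twice, as in post #6.
sample_duplicated() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'X-Frame-Options: SAMEORIGIN' \
        'X-Content-Type-Options: nosniff' 'X-XSS-Protection: 1; mode=block' \
        'X-Robots-Tag: none' 'X-Frame-Options: SAMEORIGIN' \
        'X-Download-Options: noopen' 'X-Permitted-Cross-Domain-Policies: none' ''
}
# Constructed response: each header exactly once.
sample_clean() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'X-Content-Type-Options: nosniff' \
        'X-XSS-Protection: 1; mode=block' 'X-Robots-Tag: none' \
        'x-frame-options: SAMEORIGIN' 'X-Download-Options: noopen' \
        'X-Permitted-Cross-Domain-Policies: none' ''
}

sample_duplicated | audit_headers || echo "findings listed above"
```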


(Alessandro Polidori) #8

For the first problem of .htaccess file I’ve proposed a solution with 2 PRs:

  1. https://github.com/nextcloud/server-packages/pull/16
  2. https://github.com/NethServer/nethserver-nextcloud/pull/24

Nextcloud does a code integrity check. The update of the package does not overwrite .htaccess but creates a .htaccess.rpmnew, so nextcloud notices that the code is different from the original and shows the security warning message.


(Alessandro Polidori) #9

PR has been merged and here is the testing package.
Is there anyone who has the problem and can test it?
@Christopher_Suttles do you still have the problem?


(Christopher Suttles) #10

I haven’t had the issue for some months after doing a clean install of Nethserver 7.4, but I think it still remains for those doing upgrades from Nextcloud 11 > 12.


(Alessandro Polidori) #11

Exactly: clean installation of the latest nc release does not have the problem.