After an update to the nextcloud version 12 module, a couple new errors show up in the nextcloud admin page.
The first is a warning that the X-Frame-Options is not set to “SAMEORIGIN” in the .htaccess file, yet if I check the file, I can see that the setting is correctly set. Both the admin panel and the scan tool at scan.nextcloud.com report this issue.
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
SetEnv modHeadersAvailable true
There are also the following opcache warnings. I tried to set them in /etc/php.ini, but they had no effect (possibly the wrong php file I need to edit?)
The PHP Opcache is not properly configured. For better performance we recommend to use following settings in the php.ini:
Note that none of these issues were ever present in 18.104.22.168 or other nextcloud versions.
I went ahead and checked for AllowOverride, and it is not listed in .htaccess.
I also tried to add the options for opcache into /etc/opt/rh/rh-php56/php-fpm.d/www.conf, but upon restarting using systemctl restart rh-php56-php-fpm, the service fails. Applying globally is not the correct solution anyways.
I also tried adding the options to .user.ini like @dnutan suggested, but nextcloud still says the options are not set correctly.
(recommended settings matching default values were omitted.)
After changing any of the files restart the php-fpm service for the changes to be applied:
systemctl restart rh-php56-php-fpm
It does not work on .htaccess or .user.ini as most of the recommended values are system settings (PHP_INI_SYSTEM).
Still don’t know the right way to make the settings available only to a specific virtualhost (e.g. nextcloud). But a workaround could be to disable opcache by setting opcache.enable in the .htaccess file of any other virtualhost.
Nextcloud does a code integrity check. The update of the package does not overwrite .htaccess but creates a .htaccess.rpmnew, so nextcloud notices that the code is different from the original and shows the security warning message.
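The last reply traces the warning to a modified .htaccess sitting next to an unmerged .htaccess.rpmnew. As an added example (not part of the thread, and not NethServer or Nextcloud code), the shell function below lists every .rpmnew file under a directory given by the caller and reports whether the live file differs from the packaged copy; the function name and the status words are made up for this illustration.

```shell
#!/bin/sh
# Added example: find pending *.rpmnew files and compare each with the live
# file it was meant to replace. The directory to scan is passed as an
# argument; no install path is assumed.

# Prints one line per .rpmnew file found, as "<STATUS> <live-file>":
#   DIFFERS  live file and packaged copy have different content
#   SAME     content is identical, the .rpmnew copy is redundant
#   MISSING  there is no live file next to the .rpmnew copy
rpmnew_status() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    find "$root" -type f -name '*.rpmnew' | sort | while IFS= read -r new; do
        live=${new%.rpmnew}          # strip the suffix to get the live file
        if [ ! -f "$live" ]; then
            echo "MISSING $live"
        elif cmp -s "$live" "$new"; then
            echo "SAME $live"
        else
            echo "DIFFERS $live"
        fi
    done
}

# Run directly as: sh rpmnew_status.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    rpmnew_status "$1"
fi
```

For each file reported as DIFFERS, `diff -u file file.rpmnew` shows what the package update wanted to change, so the two versions can be merged by hand.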