ONLYOFFICE / docker-onlyoffice-owncloud

add_header conflicts with owncloud

AndreyPnm opened this issue · comments

Hello. There is an nginx.conf file where multiple add_header options are set in the server block. So these settings apply to both location /, which is intended to proxy to the owncloud service, and location ~* ^/ds-vpath/ for the onlyoffice server.
With this configuration of owncloud, under General "Security & setup warnings" a warning appears saying that with these headers there is a "potential security or privacy risk". (Screenshot attached)
Maybe the add_header settings should be moved inside location ~* ^/ds-vpath/?

Like this

        location ~* ^/ds-vpath/ {
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            
            rewrite /ds-vpath/(.*) /$1 break;
            proxy_pass http://onlyoffice-document-server;
            proxy_redirect off;

            client_max_body_size 100m;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
            proxy_set_header X-Forwarded-Proto $the_scheme;
        }

Owncloud version is 10.12.1.3
Onlyoffice version is current latest

Screenshot 2023-05-19 at 00 49 57
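
The following is an added example, not part of the original issue or the ONLYOFFICE repository: a small Python check that models nginx's documented add_header inheritance rule (a level inherits the enclosing level's add_header directives only when it declares none of its own) and reports which headers each location would emit before and after the move proposed above. Both configs are constructed, the ownCloud upstream name is a placeholder, and only two of the five headers are used to keep it short.

```python
import re

# Constructed configs modelled on the issue; the ownCloud upstream is a placeholder.
BEFORE = '''
server {
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    location / { proxy_pass http://owncloud-placeholder; }
    location ~* ^/ds-vpath/ { proxy_pass http://onlyoffice-document-server; }
}
'''
AFTER = '''
server {
    location / { proxy_pass http://owncloud-placeholder; }
    location ~* ^/ds-vpath/ {
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        proxy_pass http://onlyoffice-document-server;
    }
}
'''

# Quoted strings are single tokens, so the ';' in "1; mode=block" ends nothing.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def effective_add_headers(conf):
    """Return {location label: header names nginx adds to its responses}."""
    stack = [("main", [])]   # (block label, add_header names declared there)
    pending, words = [], []
    for tok in TOKEN.findall(conf):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == ";" and len(words) >= 3 and words[0] == "add_header":
            stack[-1][1].append(words[1])
        elif tok == "{":
            stack.append((" ".join(words), []))
        elif tok == "}":
            label, own = stack.pop()
            if label.startswith("location"):
                # Keep references to the ancestor lists; they may still grow.
                pending.append((label, own, [h for _, h in reversed(stack)]))
        words = []
    # Inherit from the nearest enclosing level only when this level has none.
    return {label: own or next((h for h in outer if h), [])
            for label, own, outer in pending}

if __name__ == "__main__":
    print({n: effective_add_headers(c) for n, c in (("before", BEFORE), ("after", AFTER))})
```

The same rule cuts the other way: adding any single add_header inside a location silently drops every header declared at server level for that location, so the full set has to be repeated there.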