Fix security header setting in .htaccess by adding 'onsuccess unset' #19002
Conversation
@zertrin f7e14c9 to 0cb622b
The goal in the previous change was to make manipulations harder. I think this is okay for production.
There is no comparable option in nginx.
Where/How would you like to change them?
It just checks a 2xx response from PHP.
@J0WI Some admins might want to frame pages from their instance on remote sites e.g. or similar. Of course edge cases as well. Okay I thought the admin panel checks headers via regular request to CLI URL, hence check headers finally sent from webserver.
The .htaccess doesn't depend on PHP. I don't see what is the argument here.
The Nextcloud admin might not have control on the HTTP server settings (managed by another sysadmin with root access to the server). It is not so uncommon to set security headers in a global config file which applies to all VHosts. (http server hardening config) In any case, if a server admin already has set security headers, there is no point in Nextcloud duplicating them in the response. So
Ah sorry, I just re-read the apache documentation.
I see the difference. Without
I have updated the PR accordingly 😉
Do we require compatibility with Apache 2.2?
For information, according to https://httpd.apache.org/ Apache 2.2 is EOL since 2 years.
Ah actually that on shared hostings admins have no control of server-wide headers actually IS an argument to allow overriding them (e.g. if set weaker) with .htaccess, I didn't think about this. Headers on the same table (always and non-always) override each other and are not set doubled. Doubled headers are AFAIK only present if the same header is once set without "always" and once with "always" on Apache, which then leads to a warning in admin panel and headers shown twice on e.g. curl -D responses. About Apache 2.2, currently the .htaccess files that prevent access to config and data dir contain 2.2-specific parts.
Well then if you really want nextcloud to have the last word about the headers, you need to do:
for each header, both in the If that's what Nextcloud prefers, then the server admin will not be able to override the value anymore. We have to choose one way or another anyway: either we only set things if not already set XOR we override everything always. I can update the PR accordingly if that's what's wanted by nextcloud core devs. (PS: this two-table shenanigan is really confusing if one doesn't read the apache doc in detail...)
@zertrin And yes, the Apache two-table solution for headers is not only confusing but simply ugly. It does not make any sense to allow sending the same header from two different tables. This raises effort and even creates an impossibility: How can you assure that a specific header is sent exactly once, while preserving the existing one from any table. I assume that
The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts.

Using "always set" in the .htaccess of Nextcloud leads to the situation where the headers might be set twice (once in the default 'onsuccess' table and once in the 'always' table)! Which leads to warnings in the admin area.

Adding "onsuccess unset" solves the problem, and forces the header in the 'onsuccess' table to be unset, and the header in the 'always' table to be set.

NOTE: with this change, Nextcloud overrides whatever the system administrator might have already set

See github issues nextcloud#16893 nextcloud#16476 nextcloud#16938 nextcloud#18017 and discussion in PR nextcloud#19002

Signed-off-by: zertrin <zertrin@gmail.com>
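The two-table behaviour the commit message describes, as an added illustration rather than the PR's own diff. It assumes a server-wide hardening config already sets X-Content-Type-Options and X-Frame-Options (these two headers are illustrative choices, not a list taken from the PR), and only one of the two .htaccess variants would exist in a real deployment.

```apache
# Assumed server-wide hardening (e.g. httpd.conf), set by the sysadmin.
# A plain "Header set" writes to the default 'onsuccess' table, which is
# only applied to 2xx responses.
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"

# --- .htaccess BEFORE the fix (the situation the PR addresses) ---
# "always" is needed so the header survives mod_rewrite and non-2xx
# responses, but the same header now exists in both tables and is
# emitted twice on successful responses. The admin panel flags this
# and `curl -D` shows the header twice.
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

# --- .htaccess AFTER the fix (the PR's "onsuccess unset" pattern) ---
# First remove any copy from the 'onsuccess' table, then set the
# 'always' copy, so each header is sent exactly once on every kind of
# response. Caveat from the commit message: this overrides whatever
# value the server admin had configured for these headers.
<IfModule mod_headers.c>
  Header onsuccess unset X-Content-Type-Options
  Header always set X-Content-Type-Options "nosniff"
  Header onsuccess unset X-Frame-Options
  Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
```

After reloading Apache, a `curl -sD - -o /dev/null` against the instance should list each of these headers once on both a 2xx page and a 404.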
9167f02 to 17e6485
Sorry for the delay. I have updated the PR title, description and patch according to the latest discussion. Please review!
It looks like too much/overhead, but AFAIK the only way to guarantee that all wanted headers are set exactly once on every kind of response.
How to get this moving further? (get tags and a milestone maybe?)
@zertrin Generally the changes do what we want or need to prevent doubled headers. However since Another wish might be to reduce the amount of additional lines, e.g. strip the empty lines and reduce the comment to a bare minimum, e.g.:
When someone takes care of request performance on Apache, then it would be better anyway to disable
Ah sorry forgot about the DCO. I took the opportunity to squash and rebase on top of current master. EDIT: and also included your suggestion about reducing the size of the comment
reasonable 👍
Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22
I've been wondering, would this kind of fix be considered for a stable backport? And if yes, what is the proper way to propose and do this?
/backport to stable18
backport to stable18 in #20647
This is inspired by Nextcloud’s approach.† We want to prevent duplicate headers because Apache HTTP Server basically keeps two independent tables with headers: onsuccess and always. We have to use “always” for HSTS and no-sniff headers because without it, mod_rewrite ignores the header. But there is a possibility that something else sets the same header in “onsuccess” table. We do not have to care about other headers because we do not use “always” table for them. Firstly, it’s probably OK to set them only for successful requests. Secondly, “always” table is also used to override headers set by scripts which we do not have which is why we are not using it. † nextcloud/server#19002