Trouble with security config using LetsEncrypt


#1


Background
I am running a Docker image for LetsEncrypt, a MySQL Docker container, and ownCloud on an Ubuntu 16.10 VM. The local OC works as expected at http://localhost/owncloud, as well as externally via https://domain.net/owncloud. The issue is that I am getting the following security errors:

The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

I have added the following lines in various places:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;

Including the server and location blocks:

location /owncloud {
    #rewrite /owncloud/(.*) /$1 break;
    #rewrite ^/owncloud$ /owncloud/ permanent;
    proxy_pass http://10.0.0.54:80;
    #proxy_redirect / /owncloud/;
    proxy_set_header Host $host;
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    location /owncloud/owncloud {
        return 301 https://domain.net/owncloud;
    }  # assumed end of the nested location (this closing brace was absent from the post)

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
}

Steps to reproduce
1. Log in and go to the admin page

Expected behaviour
I would like the security warnings to be addressed.

Actual behaviour
In the admin page I am getting the four security header warnings quoted under Background above.

Server configuration
Operating system: Ubuntu
Web server: Apache locally running HTTP, and externally facing LetsEncrypt/Nginx
Database: MySQL
PHP version: whatever is bundled with OC 9.1.x
ownCloud version (see ownCloud admin page): current 9.1.x

Thanks for any help you can offer!


#2

Most likely your webserver and ownCloud are both sending the headers. If the headers are sent twice, this message will pop up.

Make sure that you're using the following in your nginx config:

fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice

-> https://doc.owncloud.org/server/latest/admin_manual/installation/nginx_examples.html
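As an added illustration of the mechanism this reply describes (example code written for this page, not ownCloud's or nginx's own), the following Python script parses constructed raw HTTP responses and reproduces the admin-page check: one response in which both nginx's add_header and ownCloud's own PHP emit the headers, one in which only a single source does, and one with missing or wrong values. Joining duplicate header fields with ", " is what XMLHttpRequest.getResponseHeader() does, so a header that is correct twice still compares unequal to the expected value; the exact, case-sensitive comparison and the sample responses are assumptions.

```python
"""Reproduce the ownCloud security-header check against raw HTTP responses.

Added example for this thread, not ownCloud's code. The admin page reads each
header via XMLHttpRequest and compares it with an expected value; duplicate
fields are exposed joined with ", ", which is why headers sent by both the
webserver and ownCloud trigger the warning.
"""
from typing import Dict, List, Optional

# Expected values exactly as the ownCloud 9.1 admin warnings quote them.
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "none",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: nginx add_header AND ownCloud's PHP both emit the headers,
# which is what a reverse-proxy setup without modHeadersAvailable produces.
RESPONSE_DUPLICATED = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: only one source emits the headers.
RESPONSE_OK = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: proxy strips some headers and rewrites another.
RESPONSE_BROKEN = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw header block into lower-cased name -> list of values, keeping order and duplicates."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray non-header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def get_response_header(headers: Dict[str, List[str]], name: str) -> Optional[str]:
    """Mimic XMLHttpRequest.getResponseHeader(): duplicate fields are joined with ', '."""
    values = headers.get(name.lower())
    return ", ".join(values) if values else None


def owncloud_warnings(raw: str) -> List[str]:
    """Return the warning lines the admin page would show for this response (exact comparison assumed)."""
    headers = parse_headers(raw)
    return [
        f'The "{name}" HTTP header is not configured to equal to "{expected}".'
        for name, expected in EXPECTED_HEADERS.items()
        if get_response_header(headers, name) != expected
    ]


def diagnose(raw: str) -> Dict[str, str]:
    """Classify each expected header as 'ok', 'missing', 'duplicate' or 'wrong'.

    'duplicate' is the case from this thread: every copy is right, but the
    joined value seen by the browser is not, so the check still fails.
    """
    headers = parse_headers(raw)
    result: Dict[str, str] = {}
    for name, expected in EXPECTED_HEADERS.items():
        values = headers.get(name.lower(), [])
        if not values:
            result[name] = "missing"
        elif len(values) > 1:
            result[name] = "duplicate"
        elif values[0] != expected:
            result[name] = "wrong"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for label, raw in (("duplicated", RESPONSE_DUPLICATED), ("ok", RESPONSE_OK), ("broken", RESPONSE_BROKEN)):
        print(label, diagnose(raw))
        for warning in owncloud_warnings(raw):
            print("  ", warning)
```

Running it shows that the "duplicated" response produces the same four warnings quoted in the question even though every individual header value is correct, which is the situation the fastcgi_param modHeadersAvailable line (or, more generally, sending the headers from exactly one place) resolves.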


#3

Thank you. That helped me make some progress until I found that the fastcgi libraries are not included in my Docker image for LetsEncrypt. I will look at some other options, like installing it on my Ubuntu VM. I appreciate the help!