    Solved Site embedding (X-Frame-Options) partially broken since Cloudron 4.1.3

    Category: Roundcube
    Tags: nginx nextcloud roundcube
    • subven
      subven last edited by girish

      Since 4.1.3 I have a hard time embedding sites to Nextcloud when using the "External Sites" plugin.

      My domain is domain.com and the embedded site is sub.domain.com. For example it's working for Rocket.Chat but fails for Roundcube or Etherpad.

      # Chromium 74
      Refused to display 'sub.domain.com' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
      
      # Firefox 67
      Load denied by X-Frame-Options: sub.domain.com does not permit cross-origin framing.
      

      curl -v domain.com says < x-frame-options: SAMEORIGIN but I can't find this entry in any of the nginx config files. Does it come from PHP directly?

      I tried to set proxy_hide_header X-Frame-Options; without success. Then I went full crazy mode and added add_header Content-Security-Policy 'frame-src https://sub.domain.com'; but it gets overwritten by the X-Frame-Options 😞

      Nextcloud 16 Documentation --> Linking external sites

      • girish
        girish Staff @subven last edited by

        @subven said in Site embedding (X-Frame-Options) partially broken since Cloudron 4.1.3:

        curl -v domain.com says < x-frame-options: SAMEORIGIN but I can't find this entry in any of the nginx config files. Does it come from PHP directly?

        Indeed, this is the mystery. The Cloudron nginx config does not set these variables anymore (since they are obsolete), i.e. we removed this in Cloudron 4.1.3. I am pretty sure it doesn't come from the app either. This can only mean that maybe the nginx on Cloudron is not "reloaded" with the latest configuration. Can you try systemctl reload nginx or systemctl restart nginx on Cloudron? Does curl then respond without the X-Frame-Options?

        • girish
          girish Staff last edited by

          FWIW, you can also restart nginx from System -> Services.

          • subven
            subven @girish last edited by subven

            @girish the nginx configuration is fine and I have reloaded it correctly each time. I guess it's the app, maybe the apache2 inside the container. I'll dig a little deeper.

            Is someone able to reproduce my problem?

            Edit: It's not the apache2.

            root@9cff92f2-cf59-4a7e-9455-5261ee1fe533:/etc/apache2/conf-enabled# cat security.conf | grep sameorigin
            #Header set X-Frame-Options: "sameorigin"
            

            OK I figured it out. It's the Roundcube app itself and it's a little bit sketchy. I'll do some research and update this post.
            Because I initially wrote that it's happening for roundcube AND etherpad... the mistake was on my side. I embedded etherpad from another domain, which clearly could not work in this case. So it was just roundcube from the beginning.

            So the (temporary) fix for me is to add proxy_hide_header X-Frame-Options; to the roundcube app nginx config.

            root@v22019044939886250:/etc/nginx/applications# cat 211a9c92-26e4-456a-a28e-e6c550bf611b.conf | grep proxy
                proxy_hide_header X-XSS-Protection;
                proxy_hide_header X-Download-Options;
                proxy_hide_header X-Content-Type-Options;
                proxy_hide_header X-Permitted-Cross-Domain-Policies;
                proxy_hide_header Referrer-Policy;
                proxy_http_version 1.1;
                proxy_intercept_errors on;
                proxy_read_timeout       3500;
                proxy_connect_timeout    3250;
                proxy_set_header   Host               $host;
                proxy_set_header   X-Forwarded-For    $remote_addr;
                proxy_set_header   X-Forwarded-Host   $host;
                proxy_set_header   X-Forwarded-Port   $server_port;
                proxy_set_header   X-Forwarded-Proto  https;
                proxy_set_header   X-Forwarded-Ssl    on;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_hide_header X-Frame-Options;
                # only serve up the status page if we get proxy gateway errors
                    # increase the proxy buffer sizes to not run into buffer issues (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers)
                    proxy_buffer_size       128k;
                    proxy_buffers           4 256k;
                    proxy_busy_buffers_size 256k;
                    proxy_max_temp_file_size 0;
                    proxy_pass http://127.0.0.1:46363;
            
            • girish
              girish Staff last edited by

              @subven For roundcube, you can set $config['x_frame_options'] = false; as per https://github.com/roundcube/roundcubemail/blob/f6807bcc4c60def86e82a6c36914f0d55af04a33/config/defaults.inc.php#L509

              For cloudron, you can set it in /app/data/customconfig.php
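As an added illustration (not code from the thread, Cloudron or Roundcube), the following Python model reproduces the browser rule behind the "Refused to display" errors in the first post and shows what each fix discussed here changes. The hosts domain.com and sub.domain.com are the thread's own placeholders; the header sets are constructed, and the `frame-ancestors` variant is an assumed alternative (for example sent via nginx `add_header` on the Roundcube vhost) that the thread does not mention.

```python
"""Model of a browser's framing decision: may https://sub.domain.com be shown
inside a frame on https://domain.com, given the headers the framed site sends?

Rules implemented (simplified from what browsers do for RFC 7034
X-Frame-Options and the CSP frame-ancestors directive):
  - a CSP frame-ancestors directive, when present, decides and X-Frame-Options
    is ignored;
  - otherwise X-Frame-Options DENY blocks, SAMEORIGIN requires an identical
    origin (scheme, host, port), so a sub-domain counts as cross-origin;
  - with neither header, any site may frame the page.
A frame-src directive in the framed site's response plays no role: it limits
what that page may embed, not who may embed it.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = {"https": 443, "http": 80}

# Constructed example hosts (the thread's placeholders).
EMBEDDER = "https://domain.com"       # Nextcloud with the External Sites plugin
EMBEDDED = "https://sub.domain.com"   # Roundcube


def origin_of(url):
    """Return (scheme, host, port) for an origin comparison."""
    p = urlsplit(url)
    return (p.scheme, p.hostname.lower(), p.port or DEFAULT_PORT[p.scheme])


def _csp_source_matches(source, embedder):
    """Match one frame-ancestors source expression against the embedder origin."""
    scheme, host, port = origin_of(embedder)
    if source.endswith(":"):                      # scheme-only source, e.g. "https:"
        return scheme == source[:-1]
    # A host-only source is compared using the embedder's scheme (simplification).
    src = urlsplit(source if "://" in source else f"{scheme}://{source}")
    if src.scheme != scheme:
        return False
    src_host = src.hostname.lower()
    if src_host.startswith("*."):                 # wildcard matches sub-domains only
        if not host.endswith(src_host[1:]):
            return False
    elif src_host != host:
        return False
    return (src.port or DEFAULT_PORT[src.scheme]) == port


def framing_allowed(embedded, embedder, headers):
    """Return (allowed, reason) for framing `embedded` from `embedder`."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    for directive in hdrs.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources or sources == ["none"]:
                return False, "frame-ancestors 'none'"
            for s in sources:
                if s == "self":
                    if origin_of(embedded) == origin_of(embedder):
                        return True, "frame-ancestors 'self'"
                elif _csp_source_matches(s, embedder):
                    return True, f"frame-ancestors {s}"
            return False, "embedder not listed in frame-ancestors"
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        if origin_of(embedded) == origin_of(embedder):
            return True, "X-Frame-Options: SAMEORIGIN, same origin"
        return False, "X-Frame-Options: SAMEORIGIN, cross-origin embedder"
    return True, "no framing restriction sent"


# Constructed header sets mirroring the thread's situations plus one alternative.
SCENARIOS = {
    "roundcube default":        {"X-Frame-Options": "SAMEORIGIN"},
    "frame-src on framed site": {"X-Frame-Options": "SAMEORIGIN",
                                 "Content-Security-Policy": "frame-src https://sub.domain.com"},
    "x_frame_options = false":  {},
    "frame-ancestors allow-list": {"Content-Security-Policy":
                                   "frame-ancestors 'self' https://domain.com"},
}


def evaluate(embedder=EMBEDDER):
    """Framing decision for every scenario from the given embedder origin."""
    return {name: framing_allowed(EMBEDDED, embedder, h) for name, h in SCENARIOS.items()}


if __name__ == "__main__":
    for who in (EMBEDDER, "https://other.example"):
        print(f"embedder {who}:")
        for name, (ok, why) in evaluate(who).items():
            print(f"  {name:28s} {'allowed' if ok else 'blocked':8s} ({why})")
```

Running it shows why the curl output and the browser errors agree: SAMEORIGIN compares whole origins, so domain.com and sub.domain.com are cross-origin. It also shows the trade-off of the fix above: with `x_frame_options = false` (or `proxy_hide_header X-Frame-Options;` alone) no header is sent at all, so any origin, not only Nextcloud, may frame the webmail, whereas a `frame-ancestors` list naming only the Nextcloud origin allows the embed while keeping clickjacking protection for everyone else.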

              • subven
                subven last edited by

                Changed 🙂 As it is the default configuration for Roundcube, it is working as intended and we could leave it like this? I don't think it's a rare use case but maybe it could be added to the documentation (which I always found very helpful).
