MIR/nextcloud
0
0
Fork 0
forked from coop-cloud/nextcloud
Code Pull Requests Activity

add headers to embed nextcloud in frame on external site (#28)

Browse Source 
This introduces new env variables to configure nextloud to be embedded via
iframe on an external site.
Setting X_FRAME_OPTIONS_ENABLED=1 will configure nginx and nextcloud to
set X-Frame-Options and CSP headers to allow the domain configured in
X_FRAME_OPTIONS_ALLOW_FROM.

I created a PR because I'm not sure if this is helpful for other people or just a custom hack that bloats the recipe :D

Co-authored-by: Philipp Rothmann <philipprothmann@posteo.de>
Reviewed-on: coop-cloud/nextcloud#28
This commit is contained in:
yksflip
2022-09-02 14:32:04 +00:00
parent daa57eece9
commit 16ad6c22ea
5 changed files with 36 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.env.sample
View File

@ -16,3 +16,6 @@ SECRET_DB_PASSWORD_VERSION=v1
SECRET_ADMIN_PASSWORD_VERSION=v1
EXTRA_VOLUME=/dev/null:/tmp/.dummy
# X_FRAME_OPTIONS_ENABLED=1
# X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org

3
abra.sh
View File

@ -1,6 +1,7 @@
export FPM_TUNE_VERSION=v4
export NGINX_CONF_VERSION=v2
export NGINX_CONF_VERSION=v3
export MY_CNF_VERSION=v4
export ENTRYPOINT_VERSION=v1
NC_APP_DIR="app:/var/www/html"

14
compose.yml
View File

@ -6,6 +6,8 @@ services:
- source: nginx_conf
target: /etc/nginx/nginx.conf
environment:
- X_FRAME_OPTIONS_ALLOW_FROM
- X_FRAME_OPTIONS_ENABLED
- DOMAIN
- STACK_NAME
volumes:
@ -39,10 +41,16 @@ services:
configs:
- source: fpm_tune
target: /usr/local/etc/php-fpm.d/fpm-tune.conf
- source: entrypoint
target: /custom-entrypoint.sh
mode: 555
entrypoint: /custom-entrypoint.sh
secrets:
- db_password
- admin_password
environment:
- X_FRAME_OPTIONS_ALLOW_FROM
- X_FRAME_OPTIONS_ENABLED
- DOMAIN
- STACK_NAME
- NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
@ -73,7 +81,6 @@ services:
- "backupbot.backup=true"
- "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
cron:
image: nextcloud:24.0.3-fpm
volumes:
@ -111,6 +118,7 @@ volumes:
nextconfig:
redis:
configs:
nginx_conf:
name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION}
@ -119,6 +127,10 @@ configs:
fpm_tune:
name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION}
file: fpm-tune.ini
entrypoint:
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang
networks:
proxy:

9
entrypoint.sh.tmpl Normal file
View File

@ -0,0 +1,9 @@
#!/bin/bash
{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php
fi
{{ end }}
/entrypoint.sh php-fpm

10
nginx.conf.tmpl
View File

@ -41,6 +41,7 @@ http {
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
@ -61,11 +62,18 @@ http {
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
add_header X-Frame-Options "{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}" always;
add_header Content-Security-Policy "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}";
{{ else }}
add_header X-Frame-Options "SAMEORIGIN" always;
{{ end }}
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;