From bfc9d46d0644d45fbe8daf447c4b8e2fc09699fc Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 1 May 2023 22:09:02 +0200
Subject: [PATCH] install_nextcloud.sh: fix error in vhost configuration for collabora online service. Adjust vhost configiuration for nextclod service (secure http header).
---
 install_nextcloud.sh | 233 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 206 insertions(+), 27 deletions(-)
diff --git a/install_nextcloud.sh b/install_nextcloud.sh
index 762500b..79c1f21 100755
--- a/install_nextcloud.sh
+++ b/install_nextcloud.sh
@@ -1851,7 +1851,7 @@ EOF
 ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
 # Main websocket
- ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/$1/ws nocanon
+ ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/\$1/ws nocanon
 # Admin Console websocket
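Review bot: Escaping `$1` stops the shell from substituting the script's first positional parameter into the vhost file, but the same hazard applies to every other `$` in this block that is meant for Apache rather than the shell, and the rest of the heredoc (the `EOF` in the hunk header suggests one) lies outside the hunk. Unless the block deliberately interpolates shell variables, quoting the delimiter (`<<'EOF'` instead of `<<EOF`) disables expansion for the whole block and removes the need to remember a backslash on each such line. If expansion is needed elsewhere in the block, a comment on the changed line such as `# \$1 is Apache's regex backreference; keep it escaped so the shell leaves it alone` would keep the next editor from undoing the fix.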
@@ -4611,6 +4611,211 @@ if $apache2_installed ; then
 Options FollowSymLinks MultiViews
+ # - X-Frame-Options
+ # -
+ # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
+ # -
+ # - X-Frame-Options tells the browser whether you want to
+ # - allow your site to be framed or not. By preventing a
+ # - browser from framing your site you can defend against
+ # - attacks like clickjacking
+ # -
+ # - The X-Frame-Options header (RFC), or XFO header, protects your visitors
+ # - against clickjacking attacks. An attacker can load up an iframe on their
+ # - site and set your site as the source, it's quite easy:
+ # -
+ # -
+ # -
+ # - Using some crafty CSS they can hide your site in the background and create some
+ # - genuine looking overlays. When your visitors click on what they think is a harmless
+ # - link, they're actually clicking on links on your website in the background. That
+ # - might not seem so bad until we realise that the browser will execute those requests
+ # - in the context of the user, which could include them being logged in and authenticated
+ # - to your site!
+ # -
+ # - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front :
+ # - of you':
+ # -
+ # - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
+ # -
+ # - Valid values:
+ # -
+ # - DENY meaning your site can't be framed
+ # -
+ # - SAMEORIGIN which allows you to frame your own site
+ # -
+ # - ALLOW-FROM https://example.com/ which lets you specify
+ # - sites that are permitted to frame your own site.
+ # -
+ # - Note:
+ # - For Apache 2.2 use
+ # - Header always set X-Frame-Options "SAMEORIGIN"
+ # -
+ Header always append X-Frame-Options "SAMEORIGIN"
+ # - X-Xss-Protection
+ # -
+ # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
+ # -
+ # - X-XSS-Protection sets the configuration for the cross-site
+ # - scripting filters built into most browsers. 
The best
+ # - configuration is "X-XSS-Protection: 1; mode=block".
+ # -
+ # - This header is used to configure the built in reflective XSS protection found
+ # - in Internet Explorer, Chrome and Safari (Webkit).
+ # -
+ # - Valid settings for the header are:
+ # -
+ # - 0 which disables the protection,
+ # -
+ # - 1 which enables the protection
+ # -
+ # - 1; mode=block which tells the browser to block the response
+ # - if it detects an attack rather than sanitising
+ # - the script.
+ # -
+ Header always set X-Xss-Protection "1; mode=block"
+
+ # - X-Content-Type-Options
+ # -
+ # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
+ # -
+ # - X-Content-Type-Options stops a browser from trying to MIME-sniff
+ # - the content type and forces it to stick with the declared
+ # - content-type.
+ # -
+ # - Nice and easy to configure, this header only has one valid value, nosniff.
+ # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
+ # - the content-type of a response away from the one being declared by the server.
+ # - It reduces exposure to drive-by downloads and the risks of user uploaded content
+ # - that, with clever naming, could be treated as a different content-type, like
+ # - an executable.
+ # -
+ # - The only valid value for this header is
+ # -
+ # - "X-Content-Type-Options: nosniff".
+ # -
+ Header always set X-Content-Type-Options "nosniff"
+
+ # - Referrer-Policy
+ # -
+ # - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+ # - https://www.w3.org/TR/referrer-policy/
+ # -
+ # - Referrer Policy is a new header that allows a site to control how
+ # - much information the browser includes with navigations away from
+ # - a document and should be set by all sites.
+ # -
+ # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
+ # - field that identifies the address of the webpage (i.e. 
the URI or IRI) that
+ # - linked to the resource being requested. By checking the referrer, the new
+ # - webpage can see where the request originated.
+ # -
+ # - For a complete list and explanation of values, see urls above
+ # -
+ # - Example: "no-referrer-when-downgrade"
+ # - The browser will not send the referrer header when navigating
+ # - from HTTPS to HTTP, but will always send the full URL in the
+ # - referrer header when navigating from HTTP to any origin. It
+ # - doesn't matter whether the source and destination are the same
+ # - site or not, only the scheme.
+ # -
+ Header always set Referrer-Policy "no-referrer"
+
+ # - Permissions-Policy
+ # -
+ # - see also:
+ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
+ # -
+ # - Browser bieten einige Features und APIs, auf die wir Entwickler zugreifen können.
+ # - Das beinhaltet etwa Kamera und Mikrofon des Endgeräts. Mit einer Permissions Policy
+ # - können wir diese Funktionen für unsere Seite aktivieren, deaktivieren oder auf eine
+ # - Quelle begrenzen. Wenn ihr ein Feature abschaltet, können auch keine Dritten darauf
+ # - zugreifen, etwa per eingebettetem