install_nextcloud.sh: fix error in vhost configuration for collabora online service. Adjust vhost configuration for nextcloud service (secure http headers).

Christoph 2023-05-01 22:09:02 +02:00
parent 25073c8c82
commit bfc9d46d06


@ -1851,7 +1851,7 @@ EOF
ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
# Main websocket # Main websocket
ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/$1/ws nocanon ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/\$1/ws nocanon
# Admin Console websocket # Admin Console websocket
@ -4611,6 +4611,211 @@ if $apache2_installed ; then
Options FollowSymLinks MultiViews Options FollowSymLinks MultiViews
</Directory> </Directory>
# - X-Frame-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# -
# - X-Frame-Options tells the browser whether you want to
# - allow your site to be framed or not. By preventing a
# - browser from framing your site you can defend against
# - attacks like clickjacking
# -
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# -
# - <iframe src="https://scotthelme.co.uk"></iframe>
# -
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - to your site!
# -
# - Troy Hunt has a great blog on 'Clickjack attack the hidden threat right in front :
# - of you':
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values:
# -
# - DENY meaning your site can't be framed
# -
# - SAMEORIGIN which allows you to frame your own site
# -
# - ALLOW-FROM https://example.com/ which lets you specify
# - sites that are permitted to frame your own site.
# -
# - Note:
# - For Apache 2.2 use
# - Header always set X-Frame-Options "SAMEORIGIN"
# -
Header always append X-Frame-Options "SAMEORIGIN"
# - X-Xss-Protection
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
# -
# - X-XSS-Protection sets the configuration for the cross-site
# - scripting filters built into most browsers. The best
# - configuration is "X-XSS-Protection: 1; mode=block".
# -
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit).
# -
# - Valid settings for the header are:
# -
# - 0 which disables the protection,
# -
# - 1 which enables the protection
# -
# - 1; mode=block which tells the browser to block the response
# - if it detects an attack rather than sanitising
# - the script.
# -
Header always set X-Xss-Protection "1; mode=block"
# - X-Content-Type-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
# -
# - X-Content-Type-Options stops a browser from trying to MIME-sniff
# - the content type and forces it to stick with the declared
# - content-type.
# -
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - the content-type of a response away from the one being declared by the server.
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - an executable.
# -
# - The only valid value for this header is
# -
# - "X-Content-Type-Options: nosniff".
# -
Header always set X-Content-Type-Options "nosniff"
# - Referrer-Policy
# -
# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# - https://www.w3.org/TR/referrer-policy/
# -
# - Referrer Policy is a new header that allows a site to control how
# - much information the browser includes with navigations away from
# - a document and should be set by all sites.
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
# - For a complete list and explanation of values, see urls above
# -
# - Example: "no-referrer-when-downgrade"
# - The browser will not send the referrer header when navigating
# - from HTTPS to HTTP, but will always send the full URL in the
# - referrer header when navigating from HTTP to any origin. It
# - doesn't matter whether the source and destination are the same
# - site or not, only the scheme.
# -
Header always set Referrer-Policy "no-referrer"
# - Permissions-Policy
# -
# - see also:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
# -
# - Browser bieten einige Features und APIs, auf die wir Entwickler zugreifen können.
# - Das beinhaltet etwa Kamera und Mikrofon des Endgeräts. Mit einer Permissions Policy
# - können wir diese Funktionen für unsere Seite aktivieren, deaktivieren oder auf eine
# - Quelle begrenzen. Wenn ihr ein Feature abschaltet, können auch keine Dritten darauf
# - zugreifen, etwa per eingebettetem <iframe>. Ihr könnt jedes Feature über eine eigene
# - Direktive individuell einrichten.
# -
# - This specification defines a mechanism that allows developers to selectively enable
# - and disable use of various browser features and APIs.
# -
#Header always set Permissions-Policy: "usb=()"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
# - Feature-Policy
# -
# - Feature-Policy is an HTTP header that can allow website owners to toggle on or off certain
# - of those web browser features and API.
# -
# - The Feature-Policy standard & header is being renamed to Permissions-Policy.
# -
Header always set Feature-Policy "microphone 'none'; camera 'none'; geolocation 'none'"
# - Set-Cookie
# -
# - The Set-Cookie HTTP response header is used to send a cookie from the server to the
# - user agent, so that the user agent can send it back to the server later. To send
# - multiple cookies, multiple Set-Cookie headers should be sent in the same response.
# -
# - You can mitigate most of the common Cross Site Scripting attack using HttpOnly
# - and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible
# - to steal or manipulate web application session and cookies and its dangerous.
# -
# - Header always edit Set-Cookie (.*) "\$1;HttpOnly;Secure"
# -
# -
# - best possible cookie:
# - Header set Set-Cookie: "__Host-sess=a92fe1; path=/; Secure; HttpOnly; SameSite=Strict"
#
Header set Set-Cookie: "sess=joh3Ao4e; path=/; HttpOnly; Secure"
# - X-Permitted-Cross-Domain-Policies
# -
# - Der HTTP-Header X-Permitted-Cross-Domain-Policies schützt vor unerwünschten Einbetten
# - der eigenen Webseiteninhalte in PDF-Dokumente und Adobe-Flash-Anwendungen auf anderen
# - Webseiten.
# -
# - Der einfachste Anwendungsfall verbietet jegliches Einbetten außerhalb der eigenen Webseite:
# -
# - X-Permitted-Cross-Domain-Policies: none
# -
Header always set X-Permitted-Cross-Domain-Policies "none"
# - X-Download-Options
# -
# - The X-Download-Options HTTP header has only one option: X-Download-Options: noopen.
# -
# - This is for Internet Explorer from version 8 on to instruct the browser not to open
# - a download directly in the browser but instead to provide only the <20>Save<76> option.
# - The user has to first save it and then open it in an application
# -
Header always set X-Download-Options "noopen"
# - X-Robots-Tag
# -
# - X-Robots-Tag ist eine Art HTTP-Header, mit dem Webmaster steuern können, wie ihre Seiten
# - indiziert und von Suchmaschinen bereitgestellt werden. Dies kann nützlich sein, um
# - bestimmte Seiten aus den Suchergebnissen auszuschließen oder um anzugeben, dass eine
# - Seite auf eine bestimmte Weise indiziert werden soll.
# -
# - Der X-Robots-Tag-HTTP-Header kann verwendet werden, um eine Reihe verschiedener
# - Anweisungen anzugeben, darunter:
# -
# - noindex: Diese Direktive weist Suchmaschinen an, die Seite nicht zu indizieren.
# -
# - nofollow: Diese Direktive weist Suchmaschinen an, den Links auf der Seite nicht zu
# - folgen.
# -
# - none: Diese Anweisung ist eine Kombination aus noindex und nofollow und weist
# - Suchmaschinen an, die Seite nicht zu indizieren oder den Links auf der Seite
# - zu folgen.
# -
# - nosnippet: Diese Direktive weist Suchmaschinen an, kein Snippet oder keine
# - Beschreibung für die Seite in den Suchergebnissen anzuzeigen.
# -
# - noarchive: Diese Direktive weist Suchmaschinen an, keine zwischengespeicherte Kopie
# - der Seite zu speichern.
# -
Header always set X-Robots-Tag "noindex, noarchive, nosnippet, nofollow"
# - HTTP Strict Transport Security (HSTS) # - HTTP Strict Transport Security (HSTS)
# - # -
# - HSTS tells a browser that the website should only be accessed through # - HSTS tells a browser that the website should only be accessed through
@ -4619,34 +4824,8 @@ if $apache2_installed ; then
# - # -
# - Remember this settings for 1/2 year # - Remember this settings for 1/2 year
# - # -
#Header add Strict-Transport-Security "max-age=15768000"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# - Referrer-Policy
# -
# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# - https://www.w3.org/TR/referrer-policy/
# -
# - Referrer Policy is a new header that allows a site to control how
# - much information the browser includes with navigations away from
# - a document and should be set by all sites.
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
# - For a complete list and explanation of values, see urls above
# -
# - Example: "no-referrer-when-downgrade"
# - The browser will not send the referrer header when navigating
# - from HTTPS to HTTP, but will always send the full URL in the
# - referrer header when navigating from HTTP to any origin. It
# - doesn't matter whether the source and destination are the same
# - site or not, only the scheme.
# -
Header always set Referrer-Policy "strict-origin-when-cross-origin"
SSLEngine on SSLEngine on
SSLCertificateFile /var/lib/dehydrated/certs/${WEBSITE}/fullchain.pem SSLCertificateFile /var/lib/dehydrated/certs/${WEBSITE}/fullchain.pem
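Review bot: The new `Header set Set-Cookie: "sess=joh3Ao4e; path=/; HttpOnly; Secure"` line in the second hunk sends one fixed, hard-coded cookie value to every client on every response, and because `Header set` replaces any existing Set-Cookie header it can overwrite the session cookies the Nextcloud application sets itself. A constant value is not a session identifier and adds no protection, while clobbering the application's cookies is likely to break logins. If the intent is to force the HttpOnly and Secure flags onto application cookies, the commented-out form two lines above is the right tool, `Header always edit Set-Cookie ^(.*)$ "\$1; HttpOnly; Secure"`, keeping the `\$1` escape exactly as the first hunk does for the ProxyPassMatch back-reference, since this text is emitted from a shell heredoc; otherwise drop the line and leave cookie flags to Nextcloud. Similarly, `Header always append X-Frame-Options "SAMEORIGIN"` will produce a doubled value (`SAMEORIGIN, SAMEORIGIN`) if the application already emits that header, so `set` is the safer verb there. The enclosing vhost heredoc begins and ends outside the visible hunks.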