
Nginx security setting issue with " view details" of plugins

Open alexlii1971 opened this issue 6 years ago • 5 comments

Hello @VirtuBox

I got an issue as below:

On the subsite, when I click "view details" for an installed plugin, it just shows: "myrootdomain.com refused to connect". Please check the screenshot: http://prntscr.com/m89wo1

That means I cannot view details of plugins on a subsite.

But I am sure my account is a super administrator with the capability of network plugin management, as the screenshot shows: http://prntscr.com/m89vh5

Here is the setting in nginx.conf:

    ##Common headers for security
    more_set_headers "X-Frame-Options : SAMEORIGIN";
    more_set_headers "X-Xss-Protection : 1; mode=block";
    more_set_headers "X-Content-Type-Options : nosniff";
    more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";

I tried commenting out both `more_set_headers "X-Frame-Options : SAMEORIGIN";` and `more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";`, but the issue is still there.

I read an article at https://enable-cors.org/server_nginx.html

but it seems quite different. What should I do to enable "view details" on the subsite, please?

Thanks so much.

alexlii1971, Aug 23 '19 06:08

Hello, it's the header X-Frame-Options that is the issue. Have you reloaded Nginx after commenting out the header?

VirtuBox, Aug 23 '19 11:08

Hello @VirtuBox ,

Yes, I cleaned all caches and restarted nginx with:

    root@101:~# ee clean --all
    root@101:~# service nginx restart

    root@101:~# sudo grep -R SAMEORIGIN /etc/nginx/

There is only one setting of SAMEORIGIN, in nginx.conf.

In this situation, I found there are actually two issues:

1. Sometimes it shows "view details", but sometimes it shows "Visit plugin site".
2. The issue still shows the header X-Frame-Options / SAMEORIGIN.

So, is there any other place related to the X-Frame-Options setting, please?

alexlii1971, Aug 23 '19 15:08

No, there is no other configuration containing this directive. Try replacing it with X-Frame-Options: ALLOWALL.

VirtuBox, Aug 24 '19 06:08

Hi @VirtuBox ,

Yes, it now shows the interface with the plugin description content, but there is a security hint:

http://prntscr.com/ox3twh

Any suggestion for this situation, please?

alexlii1971, Aug 24 '19 23:08

Hello @alexlii1971,

I have no idea why insecure requests are performed by this plugin. You will probably get more information by contacting the developer of this plugin, because it doesn't seem to be related to Nginx security headers.

VirtuBox, Aug 25 '19 20:08
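Relaxing the header to ALLOWALL (a value browsers do not recognise) removes the clickjacking protection entirely; a narrower fix for a multisite whose subsites live on subdomains is to keep X-Frame-Options and add a Content-Security-Policy frame-ancestors directive listing those origins, which browsers then apply instead of X-Frame-Options. The Python helper below is an added example, not code from this thread or from the ubuntu-nginx-web-server project; given a framed response's headers, it reports whether a parent origin would be allowed to embed it, following that precedence rule. The myrootdomain.com hostnames in the usage note are constructed.

```python
from urllib.parse import urlsplit

def origin(url):
    """Reduce a URL to the browser's origin tuple: (scheme, host, port)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), p.hostname.lower(), port)

def _source_matches(source, parent):
    """Match one CSP host-source (e.g. https://*.example.com) against a parent
    origin; explicit ports in the source expression are ignored for brevity."""
    scheme, host, _port = parent
    if "://" in source:
        s_scheme, s_host = source.split("://", 1)
        if s_scheme.lower() != scheme:
            return False
    else:
        s_host = source
    s_host = s_host.lower().split(":")[0].rstrip("/")
    if s_host.startswith("*."):
        return host.endswith(s_host[1:])
    return host == s_host

def frame_allowed(framed_url, parent_url, headers):
    """True if a page at parent_url may embed framed_url, judging only by the
    framed response's headers: CSP frame-ancestors wins when present (browsers
    then ignore X-Frame-Options); otherwise DENY / SAMEORIGIN apply and any
    other value, including the non-standard ALLOWALL, imposes no restriction."""
    # Names are stripped so "X-Frame-Options " (trailing space) still matches.
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    framed, parent = origin(framed_url), origin(parent_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            for src in parts[1:]:
                if src.lower() == "'none'":
                    return False
                if src.lower() == "'self'":
                    if parent == framed:
                        return True
                elif _source_matches(src, parent):
                    return True
            return False
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == framed
    return True
```

With the SAMEORIGIN header from the thread, `frame_allowed("https://myrootdomain.com/wp-admin/plugin-install.php", "https://sub.myrootdomain.com/wp-admin/", {"X-Frame-Options": "SAMEORIGIN"})` returns False, which is the "refused to connect" symptom; adding `Content-Security-Policy: frame-ancestors 'self' https://*.myrootdomain.com` to the same headers makes it return True while a parent on an unrelated origin still gets False.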