core icon indicating copy to clipboard operation
core copied to clipboard
verified publisher icon owncloud

Feature Request: Support for reverse-proxy-only SSL deployments in header validation checks

Open GuyOxford-com opened this issue 1 month ago • 0 comments

Problem

ownCloud currently performs internal HTTP(S) requests to validate security headers (e.g., X-Frame-Options, X-Content-Type-Options). In reverse-proxy-only SSL setups — where HTTPS is terminated at the proxy and the backend serves plain HTTP — these internal checks fail, even when headers are correctly injected and externally visible.

Expected Behavior

ownCloud should support deployments where:

  • SSL is terminated at a reverse proxy
  • The backend (e.g., Apache) serves HTTP only
  • All required headers are injected at the proxy or backend
  • External clients and curl confirm header presence

Actual Behavior

ownCloud reports missing headers in the admin UI, despite:

  • Headers being present on /status.php and /index.php
  • Verified via curl and browser
  • overwrite.cli.url, overwritehost, and overwriteprotocol set
  • trusted_proxies and forwarded_for_headers configured

Suggested Solution

  • Allow disabling internal header validation via config.php
  • Or, allow specifying a custom internal endpoint for header checks
  • Or, detect and trust headers from overwriteprotocol and trusted_proxies context

Environment

  • ownCloud version: 10.15.3.0
  • Reverse proxy: CloudPanel-managed Nginx
  • Backend: Apache (HTTP only)
  • OS: Ubuntu 22.04

GuyOxford-com avatar Nov 14 '25 15:11 GuyOxford-com