Modify x-frame-options in apache2 - iframe

I want to use an iframe in my localhost web server (wamp).
This iframe loads a form from a remote web server.
I have access to the remote web server, it uses apache2 (https://help.ubuntu.com/lts/serverguide/httpd.html), and I modify its security.conf file and I load the module 'headers'.
I modify security.conf by this line (the ip is the ip of my local computer):
Header append X-Frame-Options "ALLOW-FROM http://localhost, http://172.18.48.120, 172.18.48.120"
But when I test the changes, it always says the same:
Refused to display 'http://externalURL.net/form.php' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Any idea? Where's the problem?

Just for completeness:
Here are the lines to add to your apache2/conf-available/security.conf file to make your iframed content available in browsers supporting either or both X-Frame-Options and Content-Security-Policy header options (as stated on this survey site)
Header set X-Frame-Options: "ALLOW-FROM https://www.example.com"
Header set Content-Security-Policy: "frame-ancestors https://www.example.com"
Make sure that the headers module is enabled:
a2enmod headers
Restart Apache:
service apache2 restart
That's it!

Finally I solved it, the solution is:
Load module headers in apache2.
Modify file security.conf, you have to append this line:
Header set X-Frame-Options 'ALLOW-FROM http://externalURL.net'
(it's a valid option if you use a local web server, e.g. wamp:
Header set X-Frame-Options 'ALLOW-FROM http://localhost')
Reload service apache2.
If you want to test it, don't use Google Chrome; it ignores the X-Frame-Options directive and always shows the same message:
Refused to display 'http://externalURL.net/form.php' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
It's OK with Firefox.
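
Added example (not part of either answer above, and not Apache or browser code): a small Python linter for the framing headers a server sends, covering the mistakes that come up in this thread: a comma-joined X-Frame-Options value, a misspelled directive, and ALLOW-FROM sent without a Content-Security-Policy frame-ancestors fallback. The finding names and the sample header lists are constructed for illustration.

```python
# Added example: lints the framing headers of one response. Finding names are made up here.
XFO_DIRECTIVES = {"DENY", "SAMEORIGIN", "ALLOW-FROM"}  # the three values in RFC 7034


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of a CSP value, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def lint_framing(headers):
    """headers: (name, value) pairs as sent. Returns a sorted list of findings."""
    findings, xfo_values, sources = set(), [], None
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # A comma-joined value (what `Header append` builds) is several values.
            xfo_values += [v.strip() for v in value.split(",") if v.strip()]
        elif name.lower() == "content-security-policy" and sources is None:
            sources = frame_ancestors(value)
    if len(xfo_values) > 1:
        findings.add("xfo-multiple-values")
    for value in xfo_values:
        tokens = value.split()
        directive = tokens[0].upper()
        if directive not in XFO_DIRECTIVES:
            findings.add("xfo-unknown-directive")
        elif directive == "ALLOW-FROM":
            if len(tokens) != 2:
                findings.add("xfo-allow-from-needs-one-origin")
            if sources is None:
                # A browser that ignores ALLOW-FROM has no other rule to go on.
                findings.add("allow-from-without-frame-ancestors")
    if not xfo_values and sources is None:
        findings.add("no-framing-policy")
    return sorted(findings)


# Constructed sample responses, modelled on the header lines quoted on this page.
QUESTION = [("X-Frame-Options",
             "ALLOW-FROM http://localhost, http://172.18.48.120, 172.18.48.120")]
MISSPELLED = [("X-Frame-Options", "ALLOW_FROM https://www.example.com")]
BOTH = [("X-Frame-Options", "ALLOW-FROM https://www.example.com"),
        ("Content-Security-Policy", "frame-ancestors https://www.example.com")]

if __name__ == "__main__":
    for label, sample in (("question", QUESTION), ("misspelled", MISSPELLED), ("both", BOTH)):
        print(label, lint_framing(sample))
```

To lint a live server, feed it the header pairs from any HTTP client's response object instead of the constructed lists.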

Related

How to rewrite URL in NGINX with location parameter?

I have an application (Openproject) on a web server.
It is reachable under http://10.0.0.1:8000/
Between my users and the web server is an Nginx, on which I need to publish it under a specific URL: https://ngrp.com/openproject
So I made the following changes in my Nginx configuration (in this Nginx instance multiple websites are published with the "location" settings):
location /openproject/ {
    proxy_pass http://10.0.0.1:8000/;
    include /etc/nginx/conf.d/proxy.conf;
}
But when I open the page through the reverse proxy, the web browser displays only a white page.
In the web browser debugger I see that some paths are wrong, so the browser couldn't load them. Example:
https://ngrp.com/assets/frontend/styles.c3a5e7705d6c5db9cfc1.css
(/openproject/ is missing in the URL)
Correct would be:
https://ngrp.com/openproject/assets/frontend/styles.c3a5e7705d6c5db9cfc1.css
So can somebody please tell me which configuration is needed so I can use Openproject under the URL https://ngrp.com/openproject/ successfully?
Thank you very much.

When you proxy_pass, you proxy the entire HTTP request, meaning that you are actually requesting GET /openproject on http://10.0.0.1:8000/ rather than just GET /.
You can add this line before the proxy_pass to fix this and remove the /openproject prefix:
rewrite /openproject/(.*) /$1 break;
This changes the requested URL from /openproject/... to /...

How to add HTTP header in uwsgi logs

I have nginx as a proxy and uWSGI as the app server, and I want to add any HTTP headers to the uwsgi logs. I can add some var.VAR_NAME to logs.
According to the docs (http://uwsgi-docs.readthedocs.io/en/latest/LogFormat.html):
%(var.XXX) -> the content of request variable XXX (like var.PATH_INFO, available from 1.9.21)
But this worked only for uwsgi_param from nginx, not for proxy_set_header or something like this.

I found the answer in the uwsgi GitHub issues - https://github.com/unbit/uwsgi/issues/1407#issuecomment-326605267 and updated the docs (http://uwsgi-docs.readthedocs.io/en/latest/LogFormat.html):
%(var.XXX) -> the content of request variable XXX (like var.PATH_INFO or var.HTTP_X_MY_HEADER for headers from request, available from 1.9.21)

Apache set Access-Control-Allow-Origin from http to https

I have a basic Bitnami WordPress installation. I followed their guide and set up HTTPS and automatic HTTP to HTTPS redirection.
However, when I tried to load external scripts I got the following error:
Failed to load https://external-script.com/: The 'Access-Control-Allow-Origin'
header has a value 'http://my-site.io' that is not equal to the supplied origin.
Origin 'https://my-site.io' is therefore not allowed access.
Which file should I edit and what should I add?
Thanks

Bitnami Engineer here.
You need to enable CORS in WordPress. To achieve that, you will need to set this line in the installdir/apps/wordpress/conf/httpd-app.conf file:
...
<Directory /opt/bitnami/apps/wordpress/htdocs/>
...
Header set Access-Control-Allow-Origin "*"
...
</Directory>
After that, you will need to restart the Apache server to load this configuration.
installdir/ctlscript.sh restart apache
You will also find different ways to enable CORS by following our documentation guide.
Regards,
Jota

Varnish + Nginx proxy configuration on plesk

I followed the official tutorial for the Varnish via Docker configuration on Plesk. https://www.plesk.com/blog/product-t...cker-container
I have a VPS Ubuntu with Plesk and many domains.
I followed all steps:
I created a domain test.monserveur.com
I use the Docker image million12/varnish
In the Docker container settings, the mapping redirects port 80 to 32780
In Plesk, in the hosting parameters, the options “SSL/TLS support” and “Permanent SEO-safe 301 redirect from HTTP to HTTPS” are deactivated
I also deactivated the security mod for this domain
In the proxy rules of the Docker container (/etc/varnish/default.vcl), I put test.monserveur.com for the .host and 7080 for the .port
In the function sub vcl_deliver, I put:
if (obj.hits > 0) {
    set resp.http.X-Cache = "HIT";
} else {
    set resp.http.X-Cache = "MISS";
}
I still get a 503 page with a MISS in the header for the page on test.monserveur.com
I can't understand where the problem is. I tried to put the server IP in the .host, and also a link to another domain of the server. I think it's a problem with a setting, but I don't know where.
Thanks in advance

A 503 error response from Varnish means that your Docker container is not configured properly. You should check whether the container and Varnish within the container are running properly. Additionally, the configuration file must have valid syntax, and the correct port and IP address of the server have to be set in the configuration file.
Without knowing what you've entered, I cannot give you better advice! If you follow the tutorial completely, it will work. I've created over 10 working instances while I wrote the text!
PS: Please use the official Plesk forum with more information (also add your configuration file) if you still cannot solve your problem - https://talk.plesk.com/
Have success!

How can I remove Nginx from the HTTP response header?

I want to remove Nginx from the HTTP response header. I can hide my Nginx version, but I want to hide Nginx too.
Thanks

Use the ngx_headers_more module - see http://wiki.nginx.org/NginxHttpHeadersMoreModule.
It allows you to configure any arbitrary headers you'd like - both request and response headers. Once you've installed it (and thus recompiled your version of Nginx), use the following configuration:
more_set_headers 'Server: my-server';
Alternatively, if you don't want a Server header at all, then clear it using:
more_clear_headers 'Server';
