How to set up correctly x-frame-options in nginx?

Discussion in 'Server Operation' started by Hanz1711, Jun 4, 2021.

  1. Hanz1711

    Hanz1711 New Member

    Hi,

    I found out that on my NGINX server, Facebook reports that I have set x-frame-options to Deny. I modified the nginx configuration according to the instructions, but to no avail.

    Can I ask for advice on how to set this up correctly?
    Thanks,
    Jan

    Nginx conf
    Code:
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;
    
    events {
        worker_connections 768;
        # multi_accept on;
    }
    
    http {
    client_max_body_size 20M;
    map $remote_addr $ip_anonym1 {
    default 0.0.0;
    "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
    "~(?P<ip>[^:]+:[^:]+):" $ip;
    }
    
    map $remote_addr $ip_anonym2 {
    default .0;
    "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
    "~(?P<ip>[^:]+:[^:]+):" ::;
    }
    
    map $ip_anonym1$ip_anonym2 $ip_anonymized {
    default 0.0.0.0;
    "~(?P<ip>.*)" $ip;
    }
    
    log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent"';
    
    
        ##
        # Basic Settings
        ##
    
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
    
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
    
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
    
        ##
        # SSL Settings
        ##
    
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
    
        ##
        # Logging Settings
        ##
    
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
    
        ##
        # Gzip Settings
        ##
    
        gzip on;
    
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    
        ##
        # Virtual Host Configs
        ##
    
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
        add_header X-Frame-Options "sameorigin" always;
    }
    
    
    #mail {
    #    # See sample authentication script at:
    #    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
    #
    #    # auth_http localhost/auth.php;
    #    # pop3_capabilities "TOP" "USER";
    #    # imap_capabilities "IMAP4rev1" "UIDPLUS";
    #
    #    server {
    #        listen     localhost:110;
    #        protocol   pop3;
    #        proxy      on;
    #    }
    #
    #    server {
    #        listen     localhost:143;
    #        protocol   imap;
    #        proxy      on;
    #    }
    #}
    
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think that seems correct.

    Mine is something like this:
    Code:
            ##
            # Basic Settings
            ##
    
            sendfile on;
            tcp_nopush on;
            tcp_nodelay on;
            keepalive_timeout 65;
            types_hash_max_size 2048;
            server_tokens off;
    
            # server_names_hash_bucket_size 64;
            # server_name_in_redirect off;
    
            include /etc/nginx/mime.types;
            default_type application/octet-stream;
    
            ##
            # SSL Settings
            ##
    
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_prefer_server_ciphers on;
            ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384';
            ssl_dhparam /etc/ssl/private/dhparam4096.pem;
            ssl_buffer_size 4k;
    
            # SSL session cache
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 10m;
            ssl_session_tickets on;
    
            # OCSP Stapling ---
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
            resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=300s;
            resolver_timeout 10s;
    
            ##
            # Header
            ##
    
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options DENY;
            add_header X-XSS-Protection "1; mode=block";
    
            ##
            # Logging Settings
            ##
    
            access_log /var/log/nginx/access.log;
            error_log /var/log/nginx/error.log;
    
            ##
            # Gzip Settings
            ##
    
            gzip on;
            gzip_vary on;
            gzip_proxied any;
            gzip_comp_level 6;
            gzip_buffers 16 8k;
            gzip_http_version 1.1;
            gzip_types application/json application/javascript application/x-javascript application/x-font-ttf
                    application/xml application/xml+rss application/atom+xml application/vnd.ms-fontobject
                    text/javascript text/x-javascript text/xml text/plain text/css font/opentype image/svg+xml image/x-icon;
            gzip_min_length 0;
            gzip_static on;
            gzip_disable "msie6";
            gunzip on;
    
            ##
            # Virtual Host Configs
            ##
    
            include /etc/nginx/sites-enabled/*;
            # include /etc/nginx/conf.d/*.conf;
            # include /etc/letsencrypt/options-ssl-nginx.conf;
    
     
  3. Hanz1711

    Hanz1711 New Member

    I'm getting this error

    Code:
    The loading of “https://www.facebook.com/v10.0/plugins/comments.php?app_id=xxxx&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fx%2Fconnect%2Fxd_arbiter%2F%3Fversion%3D46%23cb%3Df7cc68a6c2afaa%26domain%3Dwww.trendista.cz%26origin%3Dhttps%253A%252F%252Fwww.trendista.cz%252Ff126abe2e8e82ea%26relation%3Dparent.parent&container_width=970&height=100&href=https%3A%2F%2Fwww.trendista.cz%2F%3Fpost_type%3Dpost%26p%3D49720&locale=cs_CZ&numposts=10&order_by=time&sdk=joey&version=v10.0&width=” in a frame is denied by “X-Frame-Options“ directive set to “DENY“.

    Do you need any settings for each site separately? Isn't it possible that this is a bug on Facebook?
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That's not bugs from facebook but your nginx conf as you added "add_header X-Frame-Options DENY" that works exactly as you configured.
     
  5. Hanz1711

    Hanz1711 New Member

    But I don't have it in nginx.conf
    add_header X-Frame-Options DENY
    but
    add_header X-Frame-Options "sameorigin" always;
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    It either in your nginx.conf which work for all websites under your server or in the website individual vhost. Since you claimed it is not in the former, it could be in the latter.
     
  7. Hanz1711

    Hanz1711 New Member

    I found that the settings in nginx.conf apply to all internal queries:
    upload_2021-6-7_10-48-27.png

    but does not apply to Facebook calls.
    upload_2021-6-7_10-50-23.png

    There is no x-frame-options setting in the vhost setting. How should I set it up, please? Should I send the current settings here?
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I could have read it wrongly. It could have been set in the remote website server you are trying to put in your server website iframe. In that case, there is nothing you can do.
     
  9. Hanz1711

    Hanz1711 New Member

  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That shows Facebook set x-frame-options: deny, not your server.
     

Share This Page