Nginx security setting issue with " view details" of plugins #37

Open
alexlii1971 opened this issue Aug 23, 2019 · 5 comments

Comments

@alexlii1971

Hello @VirtuBox

I got an issue as below:

On a subsite, when I click "view details" of installed plugins, it just shows: "myrootdomain.com refused to connect". Please check the screenshot: http://prntscr.com/m89wo1

That means I cannot view details of plugins on a subsite.

But I am sure my account is a super administrator with the capability of network plugin management, as in the screenshot: http://prntscr.com/m89vh5

Here is the setting in nginx.conf:

    ##Common headers for security
    more_set_headers "X-Frame-Options : SAMEORIGIN";
    more_set_headers "X-Xss-Protection : 1; mode=block";
    more_set_headers "X-Content-Type-Options : nosniff";
    more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
    

I tried to comment out both `more_set_headers "X-Frame-Options : SAMEORIGIN";` and `more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";`, but the issue is still there.

I read an article at https://enable-cors.org/server_nginx.html, but it seems quite different. What should I do to enable "view details" on a subsite, please?

Thanks so much.

@VirtuBox
Owner

Hello, it's the header X-Frame-Options that is the issue. Have you reloaded Nginx after commenting out the header?

@alexlii1971
Author

Hello @VirtuBox ,

Yes, I cleaned all caches and restarted nginx by:

root@101:~# ee clean --all
root@101:~# service nginx restart

root@101:~# sudo grep -R SAMEORIGIN /etc/nginx/

There is only one setting of SAMEORIGIN, in nginx.conf.

In this situation, I found there are actually two issues:

1. Sometimes it shows "View details", but sometimes it shows "Visit plugin site".
2. The issue still shows the header X-Frame-Options / SAMEORIGIN.

So, is there any other place related to the X-Frame-Options setting, please?

@VirtuBox
Owner

No, there is no other configuration containing this directive. Try to replace it with X-Frame-Options: ALLOWALL
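
The behaviour behind this thread is a plain origin comparison: `SAMEORIGIN` compares scheme, host and port, so a page on `sub.myrootdomain.com` is not the same origin as `myrootdomain.com` and the browser refuses to render the frame. `ALLOWALL` is not a value defined for X-Frame-Options; browsers ignore an unrecognised token, which is why it "works", but it also lets any third-party site frame the admin screen (clickjacking exposure). The following is an added illustration, not code from this project or thread: it models how a browser evaluates X-Frame-Options and the CSP `frame-ancestors` directive for a framed response, and runs three constructed header sets against the issue's scenario. The URLs are constructed (`myrootdomain.com` is the placeholder used in the issue), and the `frame-ancestors` policy is an assumed alternative that scopes framing to the network's own hosts instead of opening it to everyone; it would be set with the same `more_set_headers` directive as the existing headers.

```python
"""Model browser framing decisions from X-Frame-Options / CSP frame-ancestors.

Added illustration for this issue thread; not code from the project.
All URLs and header sets below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL; this is what SAMEORIGIN compares."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, p.hostname.lower(), p.port or DEFAULT_PORTS[scheme])


def xfo_allows(value, parent, frame):
    """X-Frame-Options: browsers recognise only DENY and SAMEORIGIN.
    Any other token (ALLOWALL included) is undefined, so the header is
    ignored and framing is permitted from anywhere."""
    token = value.strip().upper()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        # Full origin comparison: sub.example.com is NOT the same origin as example.com
        return parent == frame
    return True


def _host_matches(pattern, host):
    """CSP host matching: '*.example.com' matches subdomains but not example.com itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def frame_ancestors_allows(source_list, parent, frame):
    """Evaluate a CSP frame-ancestors source list (subset: 'none', 'self', *, scheme:, host-source)."""
    for src in source_list.split():
        s = src.lower()
        if s == "'none'":
            return False
        if s == "'self'":
            if parent == frame:
                return True
            continue
        if s == "*":
            return True
        if s.endswith(":") and "//" not in s:            # scheme-source, e.g. https:
            if parent[0] == s[:-1]:
                return True
            continue
        scheme, hostport = s.split("://", 1) if "://" in s else (None, s)
        host, _, port = hostport.partition(":")
        if scheme and scheme != parent[0]:
            continue
        if not _host_matches(host, parent[1]):
            continue
        want_port = DEFAULT_PORTS[parent[0]] if port == "" else port
        if want_port == "*" or int(want_port) == parent[2]:
            return True
    return False


def framing_allowed(headers, parent_url, frame_url):
    """True if a page at parent_url may embed frame_url, judged from frame_url's response headers.
    When CSP carries frame-ancestors, browsers use it and ignore X-Frame-Options."""
    parent, frame = origin(parent_url), origin(frame_url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    for directive in hdrs.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return frame_ancestors_allows(value, parent, frame)
    if "x-frame-options" in hdrs:
        return xfo_allows(hdrs["x-frame-options"], parent, frame)
    return True                                           # no framing policy at all


# Constructed scenario modelled on the issue: a subsite's admin page framing the
# network root's plugin-information screen ("view details").
SUBSITE_PAGE = "https://sub.myrootdomain.com/wp-admin/plugins.php"
PLUGIN_INFO = "https://myrootdomain.com/wp-admin/plugin-install.php?tab=plugin-information"
THIRD_PARTY = "https://third-party.example/"

POLICIES = {
    # the header as set in the thread's nginx.conf
    "SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
    # the workaround suggested in the thread: undefined token, so browsers ignore the header
    "ALLOWALL": {"X-Frame-Options": "ALLOWALL"},
    # assumed alternative (not from the thread): allow only the network's own hosts, e.g.
    #   more_set_headers "Content-Security-Policy: frame-ancestors 'self' https://*.myrootdomain.com";
    "frame-ancestors": {"Content-Security-Policy": "frame-ancestors 'self' https://*.myrootdomain.com"},
}


def report():
    """Per policy: (subsite may frame plugin info?, unrelated third-party site may frame it?)"""
    return {name: (framing_allowed(h, SUBSITE_PAGE, PLUGIN_INFO),
                   framing_allowed(h, THIRD_PARTY, PLUGIN_INFO))
            for name, h in POLICIES.items()}


if __name__ == "__main__":
    for name, (subsite, third) in report().items():
        print(f"{name:16} subsite: {'allowed' if subsite else 'blocked':7}  "
              f"third-party: {'allowed' if third else 'blocked'}")
```

Running it prints that `SAMEORIGIN` blocks both the subsite and a third party (the "refused to connect" in the screenshot), `ALLOWALL` allows both, and the `frame-ancestors` policy allows the subsite while still blocking third parties. Note the wildcard subtlety: `https://*.myrootdomain.com` on its own does not match the bare `myrootdomain.com`, which is why `'self'` is kept in the list.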

@alexlii1971
Author

Hi @VirtuBox ,

Yes, it shows the plugin description interface, but there is a security hint:

http://prntscr.com/ox3twh

Any suggestion on this situation, please?

@VirtuBox
Owner

Hello @alexlii1971,

I have no idea why there are insecure requests performed by this plugin.
You will probably get more information by contacting the developer of this plugin, because it doesn't seem to be related to Nginx security headers.
