Question Where is the place to specify X-Content-Type-Options for Plesk?

[Zoo3]

I'm looking for a place to set the following items.

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;​

I'm using Nextcloud with nginx. It seems that these items are duplicated set in Nextcloud. When I set that item, Nextcloud warns me. If I don't set that, I will pass the examination of Nextcloud.
I can't find those items by looking in /etc/nginx/nginx.conf or /var/www/vhosts/system/MY-DOMAINs/nginx.conf - vhost_nginx.cof - last_nginx.conf.

Although I didn't wrote it by myself, if I examine it using the web browser development tool, those items are set up. That is, they are set somewhere. Is there a setting method unique to Plesk?

 

[UFHH01]

Hi Zoo3,

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

pls. see some previous suggestions and examples at: => #2

 

[Zoo3]

Hi Zoo3,
pls. see some previous suggestions and examples at: => #2

Thank you for reply.
In the "/etc/nginx/conf.d/ssl.conf" introduced in #2 there is an instruction of the first plesk command.
However, items starting with X were not described in ssl.conf.

 

[UFHH01]

Hi Zoo3,

if you desire to search for existing definitions at configuration files, I always suggest to use a "find" command, as for example:

find /etc/nginx -type f -name "*.conf" -exec grep --color -Hni "add_header" {} \;
find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "Header " {} \;

find /var/www/vhosts/system/*/conf -type f -name "*.conf" -exec grep --color -Hni "add_header" {} \;
find /var/www/vhosts/system/*/conf -type f -name "*.conf" -exec grep --color -Hni "Header " {} \;

find /usr/local/psa/admin/conf/templates -type f -name "*.php" -exec grep --color -Hni "add_header" {} \;
find /usr/local/psa/admin/conf/templates -type f -name "*.php" -exec grep --color -Hni "Header " {} \;

 

[Zoo3]

Hi Zoo3,

if you desire to search for existing definitions at configuration files, I always suggest to use a "find" command, as for example:

find /etc/nginx -type f -name "*.conf" -exec grep --color -Hni "add_header" {} \;
find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "Header " {} \;

find /var/www/vhosts/system/*/conf -type f -name "*.conf" -exec grep --color -Hni "add_header" {} \;
find /var/www/vhosts/system/*/conf -type f -name "*.conf" -exec grep --color -Hni "Header " {} \;

find /usr/local/psa/admin/conf/templates -type f -name "*.php" -exec grep --color -Hni "add_header" {} \;
find /usr/local/psa/admin/conf/templates -type f -name "*.php" -exec grep --color -Hni "Header " {} \;

After all it seems that there are only things entered in the nginx additional directive.
Next I commented out all the items extracted with that find command. Even so, all items starting with X are recognized. Where are they set up?

 

[UFHH01]

Hi Zoo3,

I already gave you all relevant paths with my above suggestions, according to Plesk configuration files. Pls. be aware, that you shouldn't consider to edit/modify DEFAULT templates ( *.php ) from Plesk at "/usr/local/psa/admin/conf/templates/default"

 

[Zoo3]

I didn't explicitly specify them(X headers), I found them defined.
Does Plesk have a setting method unique to Plesk?

 

[mr-wolf]

I didn't explicitly specify them(X headers), I found them defined.
Does Plesk have a setting method unique to Plesk?

With "nginx -T | less" you can search for "X-" and find out where certain directives are configured.

You can place site's directives in the section "Apache and Nginx settings".
I have no idea if you want to set directives for 1 site or for all.

I prefer to have a central place to place directives server-wide. To achieve this I wrote a cronjob script that will place a vhost_nginx.conf in /var/www/vhosts/system/*/conf/ in each directory where there is none.

This file will only contain an include of /var/www/vhosts/system/conf/vhost_nginx.conf
In that file I will put my server-wide settings.

Each domain will get a vhost_nginx.conf after the subscription is created.
It will have this content:
cat /var/www/vhosts/system/client.com/conf/vhost_nginx.conf

include /var/www/vhosts/system/conf/vhost_nginx.conf;

You can still add custom commands using the Plesk interface or even remove the "include entry".


If you only need to do this for 1 or 2 sites, I would just enter them in "Apache & nginx Settings"



cat /var/www/vhosts/system/conf/vhost_nginx.conf

add_header Referrer-Policy strict-origin-when-cross-origin;

add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

The script is comprehensive because it does a lot of checks and has the ability to revert its actions.
Because it runs each hour in the background this is necessary.
I would only use this scipt if you are a hosting provider that adds and removes clients on a regular basis.
If you don't I would just run it on the command-line or use the "Apache & nginx Settings".

In practice it will only execute on newly created subscriptions as they start without any vhost_nginx.conf file.
The "plesk repair web ${DOMAIN}" it executes has therefore no ill-effect on the other sites,

ln -s /usr/local/sbin/vhost_nginx /etc/cron.hourly/
cat /usr/local/sbin/vhost_nginx

#!/bin/bash

INCLUDE=/var/www/vhosts/system/conf/vhost_nginx.conf
HEADLESS=
tty >/dev/null || HEADLESS=true

THISSCRIPT="`readlink -f $0`"
SCRIPTNAME=${THISSCRIPT##*/}
[ -z "${SCRIPTNAME}" ] && SCRIPTNAME=${0##*/}

LOG=/var/log/${SCRIPTNAME}.log
PLESKBIN=/usr/local/psa/bin/domain

if [ ! -f ${INCLUDE} ] ; then
  echo "There is no file ${INCLUDE}" >&2
  exit 1
fi

if ! nginx -t 2>/dev/null ; then
  echo "The Nginx configuration is not valid, abort" >&2
  exit 1
fi

TMPDIR=`mktemp -t -d ${0//*\/}.XXXXXXXXXX`

CREATED=
TMPLOG=${TMPDIR}/log

echo "`date`  **** Found new domain(s) to add a new vhost_nginx.conf" >${TMPLOG}
find /var/www/vhosts/system/ -mindepth 2 -maxdepth 2 -type d -name conf >${TMPDIR}/confs
while read CONF ; do
  NGINXCONF=${CONF}/vhost_nginx.conf

  if [ ! -e ${NGINXCONF} ] ; then
    CREATED=true
    DOMAIN="`echo ${CONF} | sed 's/.*system\///g;s/\/.*//g'`"    # extract DOMAIN out of folder name

    echo "Create ${NGINXCONF}" | tee -a ${TMPLOG}

    # create a vhost_nginx.conf in the conf of the domain system space
    echo "#######################################################################"  >${NGINXCONF}
    echo "# server-wide directives are included from the file ${INCLUDE}"          >>${NGINXCONF}
    echo "# This file is maintained by your provider and can NOT be edited by you" >>${NGINXCONF}
    echo "# You can of course edit the content here upon your liking"              >>${NGINXCONF}
    echo "#######################################################################" >>${NGINXCONF}
    echo "# Upon creation of the domain this file (${INCLUDE}) contained:"  >>${NGINXCONF}
    echo "# "                         >>${NGINXCONF}
    sed 's/.*/#   &/g' ${INCLUDE}     >>${NGINXCONF}
    echo -e "\ninclude ${INCLUDE};\n" >>${NGINXCONF}

    # Modify permissions of this new file
    chmod 600 ${NGINXCONF}
    chown root:nginx ${NGINXCONF}
    # Although the file is created it is not added in the nginx config, I will use "plesk repair" for this
    plesk repair web ${DOMAIN} -y -v

    if ! nginx -t 2>/dev/null ; then  # check if the nginx config is still valid
      echo "Somehow the Nginx config became invalid after adding this include to ${INCLUDE}" | tee -a ${TMPLOG} >&2
      echo "I will remove the file I just created (${NGINXCONF})" | tee -a ${TMPLOG} >&2
      rm ${NGINXCONF}                   # remove the vhost_nginx.conf of this domain
      plesk repair web ${DOMAIN} -y -v  # let plesk repair fix this (tested this)

      if ! nginx -t 2>/dev/null ; then  # check the nginx config AGAIN to make sure it got fixed
        nginx -t 2>&1 | tee -a ${TMPLOG} >&2
        echo "plesk repair did not fix this" | tee -a ${TMPLOG} >&2
        echo "We now have an invalid nginx config, I will abort the script" | tee -a ${TMPLOG} >&2
        break
      fi
    fi

  fi
done<${TMPDIR}/confs

echo "`date`  **** Finished adding vhost_nginx.conf" >>${TMPLOG}
[ ${CREATED} ] && cat ${TMPLOG} >>${LOG}

rm -r ${TMPDIR}

 

[Zoo3]

I checked with that command(nginx -t | less), but nginx.conf and every vhost_nginx.conf didn't describe X headers.
Excuse me, Is the attached part of your post (upload_2017_10-23_9-49-22.png) an important image? I can't see it.

I see your post comprehensively. Basically, the X header of the problem is automatically defined by the server as an initial value, even if I don't intentionally describe it. Is this my recognition correct?

 

[mr-wolf]

I checked with that command(nginx -t | less), but nginx.conf and every vhost_nginx.conf didn't describe X headers.
Excuse me, Is the attached part of your post (upload_2017_10-23_9-49-22.png) an important image? I can't see it.

I see your post comprehensively. Basically, the X header of the problem is automatically defined by the server as an initial value, even if I don't intentionally describe it. Is this my recognition correct?

No, I don't think so.
If it's not in the Nginx configuration (nginx -T gives all) it's not there.
You did use a capital T?

Nginx is not the only one that can add headers. Apache can do this too.
The headers can be defined in your website.

 

[OverWolf]

I have a similar problem that I have comment in this thread : -->
It seems that I can "only" put X-directive in the single domain because if I put them in ssl.conf they aren't active

 

[Zoo3]

No, I don't think so.
If it's not in the Nginx configuration (nginx -T gives all) it's not there.
You did use a capital T?

Nginx is not the only one that can add headers. Apache can do this too.
The headers can be defined in your website.

I surely ran nginx -T | less.

I can't use Apache.
I saw httpd.conf, but there was no description in the X header, too.

For example, I will not extract even if I search by the following command.
find / -type f -name "*.conf" -exec grep --color -Hni "nosniff" {} \;

I didn't change when I restarted the server.
I have HTTP/2 enabled with Plesk command. Does Plesk have a specification that forces the X header to be enable in that case? This is the only special operation I did.

 

[mr-wolf]

I have a similar problem that I have comment in this thread : -->
It seems that I can "only" put X-directive in the single domain because if I put them in ssl.conf they aren't active

It is not a similar problem.
He's seeing directives he claims that are nowhere defined.
You are having the opposite. You're defining a directive and it isn't applied.

The script I wrote enables you to configure X-directives serverwide.
Because of the include directive they will in fact be activated within the specific site.

 

[mr-wolf]

I have HTTP/2 enabled with Plesk command. Does Plesk have a specification that forces the X header to be enable in that case? This is the only special operation I did.

You didn't react on my suggestion that the site itself is introducing these headers.
Have you searched your site or just moved it to another folder replacing it with a simple single index.php ?

 

[Zoo3]

Sorry, maybe the purpose was a bit different.

What I want to know is "Why is the X header defined?"
Roughly speaking, I don't want to define X headers on the site I manage. But I don't want intentional invalid declaration. I'm pursuing this cause. Because I needed to specify them when I started using this server.

Excuse me, http/2 seems to be irrelevant. I disabled it, but it didn't change.

 

[mr-wolf]

@Zoo3

Sorry, maybe the purpose was a bit different.
What I want to know is "Why is the X header defined?"

Well.... The question should be "Why is the X header defined on your system?"
I (we) don't have these headers defined.

Which makes me think... "Is the X-header defined at all?" How are you testing this?
How do you make sure it is NOT the site that is adding these headers?

Nginx "says" it's not adding these headers...
It must be the site then....

What are you using? I think it's Plesk 17.5.3
Is Plesk installed by you or did you rent a server with Plesk pre-installed?
Are you testing your site and seeing those headers?
Have you configured a new empty site and is that showing these same headers?

 

[Zoo3]

I'm using Plesk 17.0.17. *I can/will not update to 17.5.3.
I can see that those headers are defined in Firefox and Vivaldi development tools.
It is strange. I have not defined them, but they are defined in some way.

Have you configured a new empty site and is that showing these same headers?

I can't a new domain, so I made a site in the subdomain. The initial screen of Plesk displayed at this time. Basically it seems that X headers are not defined. It seems that it is requesting web fonts, but as much as that part of the X header is defined. I put HTML files and PHP files there and accessed it. Then the X header is not defined. (Tried SSL/non-SSL)

In other words, are X headers defined by specific Plesk site settings?
Or is it possible to define an X header by a file such as php or html?

I changed some of the settings of this new subdomain in Plesk, but X header was never defined. In other words, is not it Plesk's problem?
I have been able to isolate the problem a little.

 

[UFHH01]

Hi Zoo3,

In other words, is not it Plesk's problem?

Answering to your previous investigations: No.

If a "find" - search for

For example, I will not extract even if I search by the following command.
find / -type f -name "*.conf" -exec grep --color -Hni "nosniff" {} \;

didn't result in any result, pls. consider the fact, that your content might define settings. Pls. adjust your search for *.php/*.html - files and just search at your depending domain - root: => /var/www/vhosts/YOUR-DOMAIN.COM/

Pls. note as well, that it is pretty useless to search with "/", as configuration files for apache and nginx are not located at "/etc/postfix" for example. Pls. see again: => #4 , where I already defined ALL webserver - related paths ( If you are on a RHEL/CentOS - based system, the "/etc/apache2" - path is certainly "/etc/httpd" ).

 

[mr-wolf]

Or is it possible to define an X header by a file such as php or html?
.

That's what I have been telling you all this time.....
You never reacted on any of the statements I made in this respect.
Read better next time!!!

...and read again now to see how many times I pointed you that way.