On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez wrote: Hi there,
> One of them is a NextCloud + WOPI based LibreOffice Online Solution, as such > it needs to access resources in WOPI server subdomain. What I need is my > nginx to allow X-Frame-Options for WOPI server subdomain. It sounds like you want a request from the client, to have a specific header with a specific value in the response when being proxy_pass'ed through nginx. Can you show one request that you make, and the response that you get, and the response that you want to get instead? Possibly the browser "developer tools" console can show the network requests and responses; I suspect that you only care about the http response headers, not the response body. > My /etc/nginx/snippets/ssl-params.conf have the X-Frame-Options set to > SAMEORIGIN. > > I've tried adding following line to NC conf file with no luck: > > proxy_hide_header X-Frame-Options > > Also tried adding this line, with no luck either > > add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";; What does "no luck" mean, here? I suspect it is "the browser did not end up doing what I want"; but from an nginx perspective it would be easier if you could say "I want *this* response but I get *that* response". (What the browser does with the response is less interesting, from this viewpoint.) When it comes to nginx directives, adding things in one part of the config can "hide" or "override" things written elsewhere, for one request. "proxy_hide_header" means "if the proxy_pass response includes this header, do not send it to the client". "add_header" means "for certain response codes, send this header name/value in the response". However... https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options suggests that "ALLOW-FROM" is in the set "Don't use it". You can have DENY or SAMEORIGIN, or you can use Content-Security-Policy instead. Whether your browser would do anything with an X-Frame-Options header, is entirely up to your browser. (If it would not do anything, then spending time configuring your nginx to send the header will not benefit the browser.) If you can show a complete-minimal config that shows the problem that you see, it may become clearer what changes are needed on the nginx side. Cheers, f -- Francis Daly fran...@daoine.org _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
