MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Technical Helps => Topic started by: lenawaii on 2016-08-22, 12:07:10

Title: X-Frame-Options Kloxo MR 7
Post by: lenawaii on 2016-08-22, 12:07:10

Hi Mustapha,

I'm discovering Kloxo MR 7 and I have several questions, can you please inform me:

1/ Where to set/unset X-Frame-Options? I would like to allow iframes for a domain.

2/ What is the difference between PHP Used and PHP Branch in Configure for pserver-localhost?

3/ Is it possible to set a PHP version only for a client or is it apparently set for all clients?

4/ Which lxcenter conf is used by kloxo MR 7?
- /etc/httpd/conf.d/~lxcenter.conf ?
- /opt/configs/apache/conf.d/~lxcenter.conf ?

5/ It's impossible to modify hostmaster email in DNS templates > mytemplate.dnst > General Settings > Hostmaster Email. There is a bug to fix, I guess.

Thanks for your help.

Title: Re: X-Frame-Options Kloxo MR 7
Post by: MRatWork on 2016-08-22, 12:51:30

• For security reasons (check via https://securityheaders.io/). every domains will be set 'x-frame-options: SAMEORIGIN' (that mean only possible iframe from the same address).
  
  But, you can modified certain domains for this purpose. Copy /opt/configs/apache/conf/domains/yourdomain.com to /opt/configs/apache/conf/customs/yourdomain.com. Modified yourdomain.com in customs dir where change:
  

Code: [Select]

Include /opt/configs/apache/conf/globals/header_base.confto:

Code: [Select]

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1;mode=block"
#Header always set X-Frame-Options "SAMEORIGIN"
Header always set Access-Control-Allow-Origin "*"
#Header always set Content-Security-Policy: script-src "self"
Header always set X-Supported-By "Kloxo-MR 7.0"

## MR -- ref: https://www.howtoforge.com/tutorial/httpoxy-protect-your-server/
RequestHeader unset Proxy early
</IfModule>

• Php branch is standard php where install with 'yum install'. Multiple php are php where install with 'special' install (only KLoxo-MR implementing this trick). And 'php used' is select 'default' php for all domains where you can choose 'php branch' or one of 'multiple php'
• All phps (branch and multiple php) will be show for all clients
• Kloxo (also Kloxo-MR) using /etc/httpd/conf.d/~lxcenter.conf where /opt/configs/apache/conf.d/~lxcenter.conf is 'default' ~lxcenter.conf. Set 'apache optimize' in 'webserver configure' will be change /opt/configs/apache/conf.d/~lxcenter.conf content based on /opt/configs/apache/tpl/~lxcenter.conf.tpl
• Yes

Title: Re: X-Frame-Options Kloxo MR 7
Post by: lenawaii on 2016-08-22, 13:26:00

thanks for all :-)

Title: Re: X-Frame-Options Kloxo MR 7
Post by: lenawaii on 2016-08-22, 13:51:41

If you uncomment:
Header always set Content-Security-Policy: script-src "self"
apache doesn't work anymore do you know how to fix this ?

thanks

Title: Re: X-Frame-Options Kloxo MR 7
Post by: MRatWork on 2016-08-22, 14:02:18

Need 'sh /script/fixweb; sh /script/restart-web' after this step.

Title: Re: X-Frame-Options Kloxo MR 7
Post by: lenawaii on 2016-08-26, 02:15:54

Hi,

ISSUE 1: Even after "sh /script/fixweb; sh /script/restart-web" I still can't uncomment:
#Header always set Content-Security-Policy: script-src "self"

Here is the error:
Stopping httpd:                                            [FAILED]
Starting httpd: Syntax error on line 6 of /opt/configs/apache/conf/globals/header_base.conf:
error: envclause should be in the form env=envar
                                                           [FAILED]

ISSUE 2: I have Qmail issue since last yum update. There is a problem when I test the mail server on mxtoolsbox. SMTP banner doesn't match Reverse DNS. PTR Record is ok and server mail name is ok :

[root@server3 ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail3.mydomain.eu - Welcome to Qmail ESMTP
ehlo localhost
250-mail3.mydomain.eu - Welcome to Qmail
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN


HERE IS MXTOOLSBOX result:

smtp:51.25x.xx.xxx   Monitor This    smtp 
Timeout waiting for response after 15 seconds. : Completed Connect

Test   Result   
   SMTP Banner Check   Reverse DNS does not match SMTP Banner    More Info
   SMTP TLS   Warning - Does not support TLS.    More Info
   SMTP Transaction Time   15.423 seconds - Not good! on Transaction Time    More Info
   SMTP Reverse DNS Mismatch   OK - 51.25x.xx.xxx resolves to mail3.mydomain.eu   
   SMTP Valid Hostname   OK - Reverse DNS is a valid Hostname   
   SMTP Connection Time   0 seconds - Good on Connection time   
   SMTP Open Relay   OK - Not an open relay.

Thanks for your help :-)

Title: Re: X-Frame-Options Kloxo MR 7
Post by: MRatWork on 2016-08-26, 03:15:57

Inform here 'cat  /opt/configs/apache/conf/globals/header_base.conf'. Something wrong with the content.

Doesn't care about 'SMTP Banner Check   Reverse DNS does not match SMTP Banner', but better make 'My Name (Domain Name)' in 'mail server settings' as the same as rdns

Title: Re: X-Frame-Options Kloxo MR 7
Post by: lenawaii on 2016-09-06, 23:06:42

thanks I found the solution, it was a syntax issue, here is what you need to write to make it work proprely:

Header always set Content-Security-Policy "script-src=self"

Another requirement from me, how to hide Server Signature, I modified /opt/configs/apache/etc/conf/httpd.conf with:

ServerSignature Off
ServerTokens Prod

and Apache restart but I didn't work, any idea?

Title: Re: X-Frame-Options Kloxo MR 7
Post by: lenawaii on 2016-09-07, 15:59:38

is /opt/configs/apache/etc/conf/httpd.conf used for Apache ?

I had this:
ServerSignature Off
ServerTokens Prod

But I still see Apache/2.2.31 (CentOS), any idea? Thanks for all your help :-)

Title: Re: X-Frame-Options Kloxo MR 7
Post by: MRatWork on 2016-09-07, 16:16:18

To hidden this header info is useless.

Title: Re: X-Frame-Options Kloxo MR 7
Post by: lenawaii on 2016-09-07, 17:33:52

For security reasons, it is better to hide server information, don't you agree with this?

For anyone interested, I finally found the solution in Kloxo MR, we need to add:
ServerSignature Off
ServerTokens Prod
in /etc/httpd/conf/httpd.conf
and then restart apache

Thanks :-)

For your information: I don't know why but in your forum website, I often have an Internal Error 500 when I tried to access your site (I use Google Chrome), I need to refresh several times to load a page.

Title: Re: X-Frame-Options Kloxo MR 7
Post by: MRatWork on 2016-09-07, 17:49:23

1. For this forum, remove browser cache and history
2. Hacker clever enough to try to attach to target without identify web server type and version. So, hidden server information (name and version) is useless.

Title: Re: X-Frame-Options Kloxo MR 7
Post by: lenawaii on 2016-09-16, 11:43:00

Hi Mustapha,

There were some changes in apache conf since your last update, header_base.conf is not used anymore. Before, I could modify X-Frame-Options for all domains.

Now even I modify /opt/configs/apache/conf/domains/mydomain.com.conf in <IfModule mod_headers.c> part or use a custom config in /opt/configs/apache/conf/customs/mydomain.com.conf, no change in the headers.

1/ So now how to modify X-Frame-Options? It is important to be able to use iframes in the websites.

2/ For my own config, please, where is the template of /etc/httpd/conf/httpd.conf file?

Thanks for helping

Title: Re: X-Frame-Options Kloxo MR 7
Post by: MRatWork on 2016-09-16, 12:00:58

Make sure using last update and after cleanup go to 'web features' and then remove 'X-Frame-Options' line in 'general header'.

Title: Re: X-Frame-Options Kloxo MR 7
Post by: lenawaii on 2016-09-16, 14:40:53

Well thanks, I see this new web features, It works great :-)