
Author Topic: X-Frame-Options Kloxo MR 7  (Read 7337 times)


Offline lenawaii
X-Frame-Options Kloxo MR 7
« on: 2016-08-22, 12:07:10 »
Hi Mustapha,

I'm discovering Kloxo MR 7 and I have several questions, can you please inform me:

1/ Where to set/unset X-Frame-Options? I would like to allow iframes for a domain.

2/ What is the difference between PHP Used and PHP Branch in Configure for pserver-localhost?

3/ Is it possible to set a PHP version only for a client or is it apparently set for all clients?

4/ Which lxcenter conf is used by kloxo MR 7?
- /etc/httpd/conf.d/~lxcenter.conf ?
- /opt/configs/apache/conf.d/~lxcenter.conf ?

5/ It's impossible to modify hostmaster email in DNS templates > mytemplate.dnst > General Settings > Hostmaster Email. There is a bug to fix, I guess.

Thanks for your help.

Offline MRatWork
Re: X-Frame-Options Kloxo MR 7
« Reply #1 on: 2016-08-22, 12:51:30 »
  • For security reasons (check via https://securityheaders.io/), every domain will be set to 'x-frame-options: SAMEORIGIN' (that means iframes are only possible from the same address).

    But you can modify certain domains for this purpose. Copy /opt/configs/apache/conf/domains/yourdomain.com to /opt/configs/apache/conf/customs/yourdomain.com. Modify yourdomain.com in the customs dir, changing:
Include /opt/configs/apache/conf/globals/header_base.conf

to:

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1;mode=block"
#Header always set X-Frame-Options "SAMEORIGIN"
Header always set Access-Control-Allow-Origin "*"
#Header always set Content-Security-Policy: script-src "self"
Header always set X-Supported-By "Kloxo-MR 7.0"

## MR -- ref: https://www.howtoforge.com/tutorial/httpoxy-protect-your-server/
RequestHeader unset Proxy early
</IfModule>
  • PHP branch is the standard PHP installed with 'yum install'. Multiple PHP are PHPs installed with a 'special' install (only Kloxo-MR implements this trick). And 'PHP used' selects the 'default' PHP for all domains, where you can choose 'PHP branch' or one of the 'multiple PHP'.
  • All PHPs (branch and multiple PHP) will be shown to all clients.
  • Kloxo (also Kloxo-MR) uses /etc/httpd/conf.d/~lxcenter.conf, where /opt/configs/apache/conf.d/~lxcenter.conf is the 'default' ~lxcenter.conf. Setting 'apache optimize' in 'webserver configure' will change the /opt/configs/apache/conf.d/~lxcenter.conf content based on /opt/configs/apache/tpl/~lxcenter.conf.tpl
  • Yes
« Last Edit: 2016-08-22, 12:56:45 by MRatWork »
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline lenawaii
Re: X-Frame-Options Kloxo MR 7
« Reply #2 on: 2016-08-22, 13:26:00 »
thanks for all :-)

Offline lenawaii
Re: X-Frame-Options Kloxo MR 7
« Reply #3 on: 2016-08-22, 13:51:41 »
If you uncomment:
Header always set Content-Security-Policy: script-src "self"
Apache doesn't work anymore. Do you know how to fix this?

thanks

Offline MRatWork
Re: X-Frame-Options Kloxo MR 7
« Reply #4 on: 2016-08-22, 14:02:18 »
Need 'sh /script/fixweb; sh /script/restart-web' after this step.

Offline lenawaii
Re: X-Frame-Options Kloxo MR 7
« Reply #5 on: 2016-08-26, 02:15:54 »
Hi,

ISSUE 1: Even after "sh /script/fixweb; sh /script/restart-web" I still can't uncomment:
#Header always set Content-Security-Policy: script-src "self"

Here is the error:
Stopping httpd:                                            [FAILED]
Starting httpd: Syntax error on line 6 of /opt/configs/apache/conf/globals/header_base.conf:
error: envclause should be in the form env=envar
                                                           [FAILED]

ISSUE 2: I have a Qmail issue since the last yum update. There is a problem when I test the mail server on MxToolbox: the SMTP banner doesn't match reverse DNS. The PTR record is OK and the server mail name is OK:

[root@server3 ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail3.mydomain.eu - Welcome to Qmail ESMTP
ehlo localhost
250-mail3.mydomain.eu - Welcome to Qmail
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN


Here is the MxToolbox result:

smtp: 51.25x.xx.xxx
Timeout waiting for response after 15 seconds. : Completed Connect

Test                        Result
SMTP Banner Check           Reverse DNS does not match SMTP Banner
SMTP TLS                    Warning - Does not support TLS.
SMTP Transaction Time       15.423 seconds - Not good! on Transaction Time
SMTP Reverse DNS Mismatch   OK - 51.25x.xx.xxx resolves to mail3.mydomain.eu
SMTP Valid Hostname         OK - Reverse DNS is a valid Hostname
SMTP Connection Time        0 seconds - Good on Connection time
SMTP Open Relay             OK - Not an open relay.

Thanks for your help :-)

Offline MRatWork
Re: X-Frame-Options Kloxo MR 7
« Reply #6 on: 2016-08-26, 03:15:57 »
Post here the output of 'cat /opt/configs/apache/conf/globals/header_base.conf'. Something is wrong with the content.

Don't care about 'SMTP Banner Check: Reverse DNS does not match SMTP Banner', but it is better to make 'My Name (Domain Name)' in 'mail server settings' the same as the rDNS.

Offline lenawaii
Re: X-Frame-Options Kloxo MR 7
« Reply #7 on: 2016-09-06, 23:06:42 »
Thanks, I found the solution. It was a syntax issue; here is what you need to write to make it work properly:

Header always set Content-Security-Policy "script-src=self"

Another requirement from me: how to hide the Server Signature? I modified /opt/configs/apache/etc/conf/httpd.conf with:

ServerSignature Off
ServerTokens Prod

and restarted Apache, but it didn't work. Any idea?
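The two Content-Security-Policy lines in this thread fail in different ways: with a colon glued to the header name, Apache reads "self" as a fourth argument (the env clause, hence the "envclause should be in the form env=envar" error quoted above), while "script-src=self" lets httpd start but is a single token that no browser recognises as a script-src directive, so it enforces nothing; the standard form is "script-src 'self'". The following check is an added example, not code from the thread or from Kloxo-MR; it approximates Apache's argument splitting with shlex, and the directive list is a constructed subset.

```python
import shlex

# CSP directive names a browser recognises (a constructed subset, enough for this check).
KNOWN_CSP_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src",
                        "connect-src", "font-src", "frame-ancestors", "object-src"}


def parse_header_set(line):
    """Split 'Header [always] set NAME VALUE [clause]' the way Apache splits
    arguments (shlex approximates ap_getword_conf's quoting); return
    {"name", "value"} or raise ValueError with mod_headers' own message."""
    args = shlex.split(line)
    if len(args) < 2 or args[0].lower() != "header":
        raise ValueError("not a Header directive")
    args = args[1:]
    if args[0].lower() in ("always", "onsuccess"):
        args = args[1:]
    if len(args) < 3 or args[0].lower() != "set":
        raise ValueError("Header set needs a header name and a value")
    # Anything after VALUE may only be 'early', 'env=...' or 'expr=...'. A colon
    # glued to NAME shifts every token one slot right, so "self" lands here.
    if len(args) > 3:
        clause = args[3].lower()
        if clause != "early" and not clause.startswith(("env=", "expr=")):
            raise ValueError("envclause should be in the form env=envar")
    return {"name": args[1], "value": args[2]}


def csp_directives(value):
    """Map each CSP directive name to its source list. 'script-src=self' is one
    token with no space, so it becomes an unknown directive a browser ignores."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_csp_line(line):
    """'syntax-error' (httpd refuses to start), 'not-csp', 'ineffective'
    (accepted by Apache but no directive a browser honours) or 'ok'."""
    try:
        hdr = parse_header_set(line)
    except ValueError:
        return "syntax-error"
    if hdr["name"].lower() != "content-security-policy":
        return "not-csp"
    if not any(d in KNOWN_CSP_DIRECTIVES for d in csp_directives(hdr["value"])):
        return "ineffective"
    return "ok"
```

Run check_csp_line over each Header line of a custom config before calling the restart scripts; a line that comes back "ineffective" is the one that passes the syntax check but leaves the policy empty.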

Offline lenawaii
Re: X-Frame-Options Kloxo MR 7
« Reply #8 on: 2016-09-07, 15:59:38 »
Is /opt/configs/apache/etc/conf/httpd.conf used for Apache?

I had this:
ServerSignature Off
ServerTokens Prod

But I still see Apache/2.2.31 (CentOS), any idea? Thanks for all your help :-)

Offline MRatWork
Re: X-Frame-Options Kloxo MR 7
« Reply #9 on: 2016-09-07, 16:16:18 »
Hiding this header info is useless.

Offline lenawaii
Re: X-Frame-Options Kloxo MR 7
« Reply #10 on: 2016-09-07, 17:33:52 »
For security reasons, it is better to hide server information, don't you agree with this?

For anyone interested, I finally found the solution in Kloxo MR, we need to add:
ServerSignature Off
ServerTokens Prod
in /etc/httpd/conf/httpd.conf
and then restart apache

Thanks :-)

For your information: I don't know why, but on your forum website I often get an Internal Error 500 when I try to access your site (I use Google Chrome); I need to refresh several times to load a page.

Offline MRatWork
Re: X-Frame-Options Kloxo MR 7
« Reply #11 on: 2016-09-07, 17:49:23 »
1. For this forum, remove browser cache and history.
2. Hackers are clever enough to attack a target without identifying the web server type and version. So hiding server information (name and version) is useless.

Offline lenawaii
Re: X-Frame-Options Kloxo MR 7
« Reply #12 on: 2016-09-16, 11:43:00 »
Hi Mustapha,

There were some changes in the Apache conf since your last update; header_base.conf is not used anymore. Before, I could modify X-Frame-Options for all domains.

Now even if I modify /opt/configs/apache/conf/domains/mydomain.com.conf in the <IfModule mod_headers.c> part or use a custom config in /opt/configs/apache/conf/customs/mydomain.com.conf, there is no change in the headers.

1/ So now how to modify X-Frame-Options? It is important to be able to use iframes in the websites.

2/ For my own config, please, where is the template of the /etc/httpd/conf/httpd.conf file?

Thanks for helping


Offline MRatWork
Re: X-Frame-Options Kloxo MR 7
« Reply #13 on: 2016-09-16, 12:00:58 »
Make sure you are using the last update, and after cleanup go to 'web features' and then remove the 'X-Frame-Options' line in 'general header'.

Offline lenawaii
Re: X-Frame-Options Kloxo MR 7
« Reply #14 on: 2016-09-16, 14:40:53 »
Well, thanks, I see this new web features. It works great :-)
