Category Archives: Linux

Nextcloud: The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN” (even if it is)

An interesting anecdote from my work with Nextcloud. In the admin backend, Nextcloud offers a “Security and configuration check” that lists tips and recommendations for your Nextcloud server instance.

After completing all tasks listed, one persisted:

The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN”. This is a potential security or privacy risk, and we recommend changing this setting.

Nextcloud Admin Backend -> Overview

As this is an easy thing to check, I opened the developer console of my browser and looked at whether the header was set. It was. Weird? At that point I was fairly certain that something in the detection of that header was wrong, but I could not pin it down immediately.

After researching online and fiddling with this for at least an hour, likely more, I decided to use the scan.nextcloud.com security scanner to see whether the warning was shown there as well. Now the fun part: the scanner showed the warning too, but with cached data from last year. After re-scanning and getting an A+ from the scanner, the warning also disappeared from the Nextcloud backend.

Likely the Nextcloud backend check relies on the same dataset that scan.nextcloud.com uses, so by re-running the security check manually on scan.nextcloud.com, the warning disappeared. There is no need to fiddle with any web-server configs, since all newer Nextcloud versions set the X-Frame-Options header correctly by themselves.

How I run small websites in Docker-containers separated from each other on a small VPS

Since I rarely give insights into how websites such as this one are run, I decided it would be a good time to share one very simple and efficient approach to hosting several small websites, separated from each other, on a cheap VPS.

When I say websites, I mean WordPress instances. WordPress has a few basic requirements:

  • the PHP scripting language
  • a MySQL database
  • the possibility to use sendmail or similar software to send mail

To achieve these basic requirements, I employ:

  • one docker-compose stack bundling the MySQL database as well as the phpMyAdmin web interface
  • multiple docker-compose stacks, each bundling PHP-FPM, nginx and exim4 acting as a mail relay
  • one nginx instance on the VPS (not containerised as of now) that does the SSL offloading and acts as a reverse proxy in front of the different docker-compose stacks for WordPress

The setup is:

  • simple
  • easy to handle (upgrades, PHP-version switching etc.)
  • efficient (especially towards RAM usage)
  • easily migratable to a different machine

Continue reading How I run small websites in Docker-containers separated from each other on a small VPS

Sync time on Linux via GSM

The RaspberryPi and many similar single-board computers do not have an RTC (“Real Time Clock”) and therefore cannot keep their time setting across reboots without internet connectivity. For this reason most RaspberryPi Linux distributions use NTP to sync the time right after boot. If you cannot use an internet connection, and therefore cannot use NTP, but have a GSM modem or phone and a valid SIM card at hand, this guide may suit your needs.

Continue reading Sync time on Linux via GSM

Securing the RabbitMQ Management Console with SSL before version 3.7.10

This article was previously posted on gettingcirrius.com, a blog of Richard Clayton, who released it under the Creative Commons Attribution 3.0 Unported licence (CC BY 3.0). His old blog recently went offline, therefore I am reposting this useful how-to on setting up SSL for the RabbitMQ management console.

This is an article in the RabbitMQ Configuration and Management Series. For more articles like this, please visit the series’ index.

Continue reading Securing the RabbitMQ Management Console with SSL before version 3.7.10

Change Plesk spam-settings in bulk

Since Plesk by default uses the static userdb driver of Dovecot, it may seem difficult to iterate over all mailboxes on the server, for example in order to change the spam settings of all mailboxes on the system at once while keeping the “individual settings per mailbox” functionality enabled.

The following one-liner may be helpful in such a case:

while read -r domain; do while read -r user; do plesk bin spamassassin --update "$user@$domain" -status true -personal-conf true -action move -hits 6; done < <(ls -1 "/var/qmail/mailnames/$domain"); done < <(ls -1 /var/qmail/mailnames/)

In this case the domains and mailboxes are located in /var/qmail due to a previous upgrade from qmail to Dovecot. If the directory differs on your system, make sure to change it in the one-liner, too.