Mattermost X-Frame-Options and Content-Security-Policy for apache



  • Because it took me some time, this is my apache2 proxy vhost configuration for the Mattermost iframe inside Kopano.
    Relates to this article: https://documentation.kopano.io/kopano_mattermost_manual/first_steps.html#configuration-for-kopano-webapp-deskapp

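    # # #
    # Kopano Mattermost
    # frame-ancestors is the directive current browsers enforce for framing.
    Header set Content-Security-Policy "frame-ancestors 'self' https://your.kopano.webapp.host.local"
    # ALLOW-FROM takes a bare URI (no quotes); it is obsolete and ignored by current browsers.
    Header set X-Frame-Options "ALLOW-FROM https://your.kopano.webapp.host.local"
    # # #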
    

  • Kopano

    Hi @_r9,

    Can you explain the functional difference from the setting in the linked manual?



  • @fbartels The only difference is that this is for the apache2 server instead of nginx. I changed the hostname inside the configuration from my first post to prevent further misconceptions.

    To explain my configuration: I’m testing the Kopano-Docker installation at the moment. I also use the kweb server, which already operates as a proxy. My problem is that I use an apache2 proxy in front of this server. Besides the proxy server configuration, I had to add the following configuration inside my apache2 vhost configuration. But I’m still testing this configuration.

    RewriteEngine On
    RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteRule .* wss://$MATTERMOSTSERVER:$MATTERMOSTPORT%{REQUEST_URI} [P,QSA,L]
    
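    # # #
    # Kopano Mattermost
    # frame-ancestors is the directive current browsers enforce for framing.
    Header set Content-Security-Policy "frame-ancestors 'self' https://your.kopano.webapp.host.local"
    # ALLOW-FROM takes a bare URI (no quotes); it is obsolete and ignored by current browsers.
    Header set X-Frame-Options "ALLOW-FROM https://your.kopano.webapp.host.local"
    # # #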
    
    

  • Kopano

    @_r9 said in Mattermost X-Frame-Options and Content-Security-Policy for apache:

    Header append Content-Security-Policy "frame-ancestors 'self' https://your.kopano.webapp.host.local"
    Header unset Content-Security-Policy

    Why do you first append something to a header and then remove that header completely in the next line? Makes no sense to me, and this setup cannot be recommended since security-relevant headers are removed.

    Kweb might eventually get a setting to enhance the default CSP header values.



  • Hey @longsleep thanks for your response and help.

    1. I added this because without it I’m always getting the following error message inside my browser:
    Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.

    2. I googled about the configuration inside the linked article:
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;


    There are several articles like this one https://zinoui.com/blog/remove-http-response-headers which explains that proxy_hide_header for nginx is the same as header unset for apache2.

    As explained in my 2nd post this server configuration is for an apache2 proxy that sits in front of the Kweb server. The mattermost server is available through a specific port and host.



  • @longsleep But you were right about this. When I remove the Header append configuration I’m having the same results. I thought about it that this makes no sense. Sorry for the wrong lead.




  • @longsleep Okay, it looks like I found the right configuration. I changed my first and second post. Looks like the browser caches made me crazy about this xD


  • Kopano

    @_r9 thanks for sharing. The documentation I was referring to was the included Apache vhost in our Mattermost packages, but since you’re running in Docker you are probably not using these.

    These already had something quite similar to your code, except it used a header edit. But on the other hand, since we both consulted the same apache documentation, it also had the same unset.
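
Added example (not part of the thread, and not Kopano or Mattermost code): a simplified Python model of how a current browser treats the headers discussed above, covering `Header set`, a value merged on with `Header append`, `ALLOW-FROM` on its own, and both headers unset. It checks a single parent origin with exact-match sources only; the `CHAT` and `OTHER` origins are constructed for the example.

```python
# Added example: simplified model of a current browser's framing decision.
# Origins are placeholders; CHAT and OTHER are constructed for this example.
WEBAPP = "https://your.kopano.webapp.host.local"
CHAT = "https://mattermost.example.local"
OTHER = "https://unrelated.example"

def parse_policies(headers):
    """Return one {directive: [sources]} dict per CSP policy."""
    policies = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):  # 'Header append' merges values with a comma
            directives = {}
            for part in policy.split(";"):
                tokens = part.lower().split()
                if tokens:
                    directives.setdefault(tokens[0], tokens[1:])
            if directives:
                policies.append(directives)
    return policies

def source_allows(sources, parent, self_origin):
    """Exact-origin matching only; 'none' or an empty list matches nothing."""
    return any(s == "*" or (s == "'self'" and parent == self_origin)
               or s.rstrip("/") == parent for s in sources)

def may_frame(headers, parent, self_origin):
    """Return (allowed, reason) for `parent` embedding a page from `self_origin`."""
    lists = [p["frame-ancestors"] for p in parse_policies(headers)
             if "frame-ancestors" in p]
    if lists:  # every policy must allow the parent; X-Frame-Options is ignored
        ok = all(source_allows(s, parent, self_origin) for s in lists)
        return ok, "frame-ancestors decides, X-Frame-Options ignored"
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        return True, "no framing restriction sent"
    if xfo[0] == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo[0] == "SAMEORIGIN":
        return parent == self_origin, "X-Frame-Options: SAMEORIGIN"
    return True, "obsolete ALLOW-FROM (or unknown value) ignored"

SET_BY_PROXY = [("Content-Security-Policy", f"frame-ancestors 'self' {WEBAPP}"),
                ("X-Frame-Options", f"ALLOW-FROM {WEBAPP}")]
APPENDED = [("Content-Security-Policy",
             f"frame-ancestors 'self', frame-ancestors 'self' {WEBAPP}")]
XFO_ONLY = [("X-Frame-Options", f"ALLOW-FROM {WEBAPP}")]
UNSET = []  # both headers stripped at the proxy
```

`APPENDED` models a backend that already sends `frame-ancestors 'self'`: the merged value is two policies, both enforced, so the webapp host stays blocked. `XFO_ONLY` and `UNSET` both leave the page frameable from any origin.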

