Howto add special headers such as the X-Frame-Options header?

**bglaessn** · Oct 19th 2017

Hi,

is it possible to configure special/extended headers, f.e. X-Frame-options, content security policies, etc in i-mscp ?

Regards
Bjoern

**f4Nm1Z9k2P** · Oct 21st 2017

This should probably be done and is possible at the PHP script level.

**Nuxwin** · Oct 21st 2017

See also: https://github.com/i-MSCP/imsc…ache2_security_headers.pl

Warning, the listener operate globally (for all sites...). You should improve it a bit if you want make the security headers apply only for specific sites.

**bglaessn** · Jan 9th 2018

Hi,

For my i-mscp 1.3.6 I have done the follwing:

Downloaded the listener-version 1.3.x from GitHub (https://github.com/i-MSCP/imsc…ache2_security_headers.pl) and placed the file to /etc/imscp/listeners.d/40_apache2_security_headers.pl

After this, I triggered the installer with "perl imscp-autoinstall -d" and choosed "automatic".
The installer runs fine and completed successfully.

But https://securityheaders.io still reports, that no security headers are active.

Restart of apache and php-5fpm didn´t solve the problem.

TeX

# apache2ctl -M
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authn_socache_module (shared)
authz_core_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgid_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
headers_module (shared) <---- active
mime_module (shared)
mpm_worker_module (shared)
negotiation_module (shared)
fastcgi_module (shared)
proxy_module (shared)
proxy_http_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
suexec_module (shared)

Display More

**bglaessn** · Jan 9th 2018

Update:

Have tried listener versions 1.4, 1.5 also... Nothing changed.
Listener version 1.6 give the following error while starting the installer:

Shell-Script

[FATAL] iMSCP::EventManager::_init: "getBlocByRef" is not exported by the iMSCP::TemplateParser module
"replaceBlocByRef" is not exported by the iMSCP::TemplateParser module
Can't continue after import errors at /etc/imscp/listeners.d/40_apache2_security_headers.pl line 30.
BEGIN failed--compilation aborted at /etc/imscp/listeners.d/40_apache2_security_headers.pl line 30, <$fh> line 370.
Compilation failed in require at /root/Downloads/imscp-1.3.16/engine/PerlLib/iMSCP/EventManager.pm line 174, <$fh> line 370.

**bglaessn** · Jan 9th 2018

Update:

I have added some lines to the 40_apache2_security_headers.pl

Perl

...package Listener::Apache2::Security::Headers;use iMSCP::EventManager;use iMSCP::TemplateParser;use strict;use warnings;my $filename = '/tmp/listener.txt';open(my $fh, '>', $filename) or die "Could not open file '$filename' $!";print $fh "Listener started.\n";close $fh;iMSCP::EventManager->getInstance()->register( 'beforeHttpdBuildConf',...

and restarted the installer.

After this

Shell-Script

# cat /tmp/listener.txt
Listener started.

So I guess, that everything is fine with the installation itself.

**bglaessn** · Jan 9th 2018

Is this correct ?

HTML

# grep "X-Content-Type" /etc/* -R/etc/apache2/conf-enabled/security.conf:#Header set X-Content-Type-Options: "nosniff"/etc/apache2/conf-available/security.conf:#Header set X-Content-Type-Options: "nosniff"/etc/imscp/listeners.d/40_apache2_security_headers.pl: Header always set X-Content-Type-Options "nosniff"

HTML

/var/www/imscp# grep "X-Content-Type" . -R
./gui/public/tools/pma/file_echo.php: header('X-Content-Type-Options: nosniff');
./gui/public/tools/pma/file_echo.php: header('X-Content-Type-Options: nosniff');
./gui/public/tools/pma/libraries/core.lib.php: header('X-Content-Type-Options: nosniff');
./gui/public/tools/pma/libraries/Header.php: 'X-Content-Type-Options: nosniff'

Display More

**Nuxwin** · Jan 9th 2018

Quote from bglaessn

Listener version 1.6 give the following error while starting the installer:

[FATAL] iMSCP::EventManager::_init: "getBlocByRef" is not exported by the iMSCP::TemplateParser module
"replaceBlocByRef" is not exported by the iMSCP::TemplateParser module
Can't continue after import errors at /etc/imscp/listeners.d/40_apache2_security_headers.pl line 30.
BEGIN failed--compilation aborted at /etc/imscp/listeners.d/40_apache2_security_headers.pl line 30, <$fh> line 370.
Compilation failed in require at /root/Downloads/imscp-1.3.16/engine/PerlLib/iMSCP/EventManager.pm line 174, <$fh> line 370.

Display More

You shoud avoid to make use of listeners from an i-MSCP serie other than the Serie that you use. If you use the 1.3.x Serie, you must use the listeners from the contrib directory of your i-MSCP version (archive), or those from the 1.3.x branch on github.

**bglaessn** · Jan 9th 2018

Hi Laurent,

as you can see, I have tried the 1.3.x version already and got stucked in issues.

"Downloaded the listener-version 1.3.x from GitHub..."

Because of the problems mentioned above, I tried the other versions also...

Howto add special headers such as the X-Frame-Options header?

Share

Daily visitors