From d58f3dc2c3c4fb63f1a8688d56b5fa03333393ba Mon Sep 17 00:00:00 2001 From: J0WI Date: Fri, 9 Feb 2018 03:05:17 +0100 Subject: [PATCH 1/2] Add hint about duplicated headers See issue described in https://github.com/nextcloud/server/issues/8207 --- admin_manual/installation/nginx.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/admin_manual/installation/nginx.rst b/admin_manual/installation/nginx.rst index a24a31bf38d..3448379145e 100644 --- a/admin_manual/installation/nginx.rst +++ b/admin_manual/installation/nginx.rst @@ -363,3 +363,16 @@ block shown above not located **below** the: block. Other custom configurations like caching JavaScript (.js) or CSS (.css) files via gzip could also cause such issues. + +Duplicated headers in response +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +NextCloud sets some security headers within PHP by default. If they are also +set by nginx this will cause duplicated headers and the NectCloud status +check may display some errors, that the headers are not configured as recommend. + +To avoid duplicated headers in responses, use the ``fastcgi_hide_header`` option: + +.. code-block:: nginx + + fastcgi_hide_header X-XSS-Protection; From 7b17bc96babbbd1e35a47e4a01ed5b3bfc1d2777 Mon Sep 17 00:00:00 2001 From: J0WI Date: Sat, 10 Feb 2018 15:30:41 +0100 Subject: [PATCH 2/2] Add fastcgi_hide_header to examples --- admin_manual/installation/nginx.rst | 30 ++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/admin_manual/installation/nginx.rst b/admin_manual/installation/nginx.rst index 3448379145e..2fc0eacdbf1 100644 --- a/admin_manual/installation/nginx.rst +++ b/admin_manual/installation/nginx.rst 
@@ -10,13 +10,12 @@ server. This page is community-maintained. (Thank you, contributors!) **ssl_certificate_key** to suit your needs. - Make sure your SSL certificates are readable by the server (see `nginx HTTP SSL Module documentation `_). -- ``add_header`` statements are only taken from the current level and are not - cascaded from or to a different level. All necessary ``add_header`` - statements must be defined in each level needed. For better readability it - is possible to move *common* add header statements into a separate file - and include that file wherever necessary. However, each ``add_header`` - statement must be written in a single line to prevent connection problems - with sync clients. +- The ``add_header`` directives are only inherited from the previous level if + there are no ``add_header`` directives defined on the current level. For + better readability it is possible to move *common* add header statements + into a separate file and include that file wherever necessary. However, + each ``add_header`` statement must be written in a single line to prevent + connection problems with sync clients. - Be careful about line breaks if you copy the examples, as long lines may be broken for page formatting. - Some environments might need a ``cgi.fix_pathinfo`` set to ``1`` in their @@ -61,8 +60,7 @@ webroot of your nginx installation. In this example it is # Add headers to serve security related headers # Before enabling Strict-Transport-Security headers please read into this # topic first. - # add_header Strict-Transport-Security "max-age=15768000; - # includeSubDomains; preload;"; + # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; # # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option 
@@ -74,12 +72,17 @@ webroot of your nginx installation. In this example it is add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; + fastcgi_hide_header X-Content-Type-Options; + fastcgi_hide_header X-XSS-Protection; + fastcgi_hide_header X-Robots-Tag; + fastcgi_hide_header X-Download-Options; + fastcgi_hide_header X-Permitted-Cross-Domain-Policies; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; # Path to the root of your installation - root /var/www/nextcloud/; + root /var/www/nextcloud; location = /robots.txt { allow all; @@ -219,12 +222,17 @@ your nginx installation. add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; + fastcgi_hide_header X-Content-Type-Options; + fastcgi_hide_header X-XSS-Protection; + fastcgi_hide_header X-Robots-Tag; + fastcgi_hide_header X-Download-Options; + fastcgi_hide_header X-Permitted-Cross-Domain-Policies; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; # Path to the root of your installation - root /var/www/; + root /var/www; location = /robots.txt { allow all;
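Review bot: In the first patch's hunk at nginx.rst @@ -363,3 +363,16 (the new "Duplicated headers in response" section), the text should warn that once a header is hidden with ``fastcgi_hide_header`` the nginx ``add_header`` becomes the only source of that header, and, given the rule stated earlier on the same page (``add_header`` is not inherited into a level that defines its own ``add_header`` directives), a location block with its own ``add_header`` would then send no such header at all; one sentence next to the example would stop readers from silently losing X-XSS-Protection and the others. Two spelling fixes in the same hunk: "NectCloud" should be "Nextcloud" and "configured as recommend" should be "configured as recommended". The example also shows only ``fastcgi_hide_header X-XSS-Protection;`` while the prose speaks of "some security headers"; listing the full set that Nextcloud sets in PHP would make the hint actionable.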
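Review bot: In the hunk at @@ -10,13 +10,12 the reworded inheritance bullet is correct for ``add_header``, but now that the examples in the same file depend on ``fastcgi_hide_header`` placed beside the ``add_header`` lines, the bullet should also say whether ``fastcgi_hide_header`` follows the same per-level rule; a reader who puts an ``add_header`` into a nested location cannot tell from this text whether the server-level ``fastcgi_hide_header`` still strips the PHP-provided header there, which is exactly the case where a header can go missing. Either state the rule for both directives or point to the nginx documentation for ``fastcgi_hide_header`` next to the ``add_header`` reference.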
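Review bot: In the hunk at @@ -61,8 +60,7 joining the commented-out Strict-Transport-Security ``add_header`` onto one line is a good fix on its own (the page's own bullet says each ``add_header`` must be a single line, and a copied two-line version would break sync clients as soon as it is uncommented), but it is unrelated to adding ``fastcgi_hide_header`` and is not mentioned in the commit message "Add fastcgi_hide_header to examples"; either mention it there or move it to its own commit so the history stays searchable.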
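Review bot: In the hunk at @@ -74,12 +72,17 the five new ``fastcgi_hide_header`` lines carry no comment, while the adjacent ``fastcgi_hide_header X-Powered-By;`` is explained ("Remove X-Powered-By, which is an information leak"); add a one-line comment such as ``# Hide headers that Nextcloud already sets in PHP so they are not sent twice`` so the next editor does not read them as extra hardening and drop the matching ``add_header`` lines. The hidden list must stay in lockstep with the ``add_header`` list directly above it: a header that is hidden but not added disappears from responses, and one that is added but not hidden is duplicated again. Separately, ``root /var/www/nextcloud/;`` to ``root /var/www/nextcloud;`` is a cosmetic change unrelated to this commit's subject.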
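Review bot: In the hunk at @@ -219,12 +222,17 this is the second verbatim copy of the same five-line block (plus a second unrelated ``root /var/www/;`` to ``root /var/www;`` edit); the page already recommends moving common header statements into a separate file and including it where needed, and applying that advice to the ``fastcgi_hide_header`` lines as well would keep the two configuration examples from drifting apart. Also, after this commit both examples hide five headers while the "Duplicated headers in response" section added in the first patch still shows only ``fastcgi_hide_header X-XSS-Protection;``; the prose example should list the same set as the configurations.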