Problem
ownCloud currently performs internal HTTP(S) requests to validate security headers (e.g., X-Frame-Options, X-Content-Type-Options). In reverse-proxy-only SSL setups — where HTTPS is terminated at the proxy and the backend serves plain HTTP — these internal checks fail, even when headers are correctly injected and externally visible.
Expected Behavior
ownCloud should support deployments where:
- SSL is terminated at a reverse proxy
- The backend (e.g., Apache) serves HTTP only
- All required headers are injected at the proxy or backend
- External clients and curl confirm header presence
Actual Behavior
ownCloud reports missing headers in the admin UI, despite:
- Headers being present on
/status.php and /index.php
- Verified via curl and browser
overwrite.cli.url, overwritehost, and overwriteprotocol settrusted_proxies and forwarded_for_headers configured
Suggested Solution
- Allow disabling internal header validation via config.php
- Or, allow specifying a custom internal endpoint for header checks
- Or, detect and trust headers from
overwriteprotocol and trusted_proxies context
Environment
- ownCloud version: 10.15.3.0
- Reverse proxy: CloudPanel-managed Nginx
- Backend: Apache (HTTP only)
- OS: Ubuntu 22.04
Problem
ownCloud currently performs internal HTTP(S) requests to validate security headers (e.g., X-Frame-Options, X-Content-Type-Options). In reverse-proxy-only SSL setups — where HTTPS is terminated at the proxy and the backend serves plain HTTP — these internal checks fail, even when headers are correctly injected and externally visible.
Expected Behavior
ownCloud should support deployments where:
Actual Behavior
ownCloud reports missing headers in the admin UI, despite:
/status.phpand/index.phpoverwrite.cli.url,overwritehost, andoverwriteprotocolsettrusted_proxiesandforwarded_for_headersconfiguredSuggested Solution
overwriteprotocolandtrusted_proxiescontextEnvironment