Hi, I found out that on my NGINX server, Facebook reports that I have set x-frame-options to Deny. I modified the nginx configuration according to the instructions, but to no avail. Can I ask for advice on how to set this up correctly? Thanks, Jan

Nginx conf
Code:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    client_max_body_size 20M;

    map $remote_addr $ip_anonym1 {
        default 0.0.0;
        "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
        "~(?P<ip>[^:]+:[^:]+):" $ip;
    }
    map $remote_addr $ip_anonym2 {
        default .0;
        "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
        "~(?P<ip>[^:]+:[^:]+):" ::;
    }
    map $ip_anonym1$ip_anonym2 $ip_anonymized {
        default 0.0.0.0;
        "~(?P<ip>.*)" $ip;
    }
    log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent"';

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    add_header X-Frame-Options "sameorigin" always;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
#
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}
I think that seems correct. Mine is something like this:
Code:
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384';
ssl_dhparam /etc/ssl/private/dhparam4096.pem;
ssl_buffer_size 4k;

# SSL session cache
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets on;

# OCSP Stapling ---
ssl_stapling on;
ssl_stapling_verify on;
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 10s;

##
# Header
##
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";

##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types application/json application/javascript application/x-javascript application/x-font-ttf application/xml application/xml+rss application/atom+xml application/vnd.ms-fontobject text/javascript text/x-javascript text/xml text/plain text/css font/opentype image/svg+xml image/x-icon;
gzip_min_length 0;
gzip_static on;
gzip_disable "msie6";
gunzip on;

##
# Virtual Host Configs
##
include /etc/nginx/sites-enabled/*;
# include /etc/nginx/conf.d/*.conf;
# include /etc/letsencrypt/options-ssl-nginx.conf;
I'm getting this error
Code:
The loading of "https://www.facebook.com/v10.0/plugins/comments.php?app_id=xxxx&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fx%2Fconnect%2Fxd_arbiter%2F%3Fversion%3D46%23cb%3Df7cc68a6c2afaa%26domain%3Dwww.trendista.cz%26origin%3Dhttps%253A%252F%252Fwww.trendista.cz%252Ff126abe2e8e82ea%26relation%3Dparent.parent&container_width=970&height=100&href=https%3A%2F%2Fwww.trendista.cz%2F%3Fpost_type%3Dpost%26p%3D49720&locale=cs_CZ&numposts=10&order_by=time&sdk=joey&version=v10.0&width=" in a frame is denied by "X-Frame-Options" directive set to "DENY".

Do I need any settings for each site separately? Isn't it possible that this is a bug on Facebook?
That's not a bug from Facebook but your nginx conf: you added "add_header X-Frame-Options DENY", and it works exactly as you configured it.
But I don't have add_header X-Frame-Options DENY in nginx.conf; I have add_header X-Frame-Options "sameorigin" always;
It is either in your nginx.conf, which works for all websites under your server, or in the website's individual vhost. Since you claimed it is not in the former, it could be in the latter.
I found that the settings in nginx.conf apply to all internal queries but do not apply to Facebook calls. There is no x-frame-options setting in the vhost setting. How should I set it up, please? Should I send the current settings here?
I could have read it wrongly. It could have been set in the remote website server you are trying to put in your server website iframe. In that case, there is nothing you can do.
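Added example (not from the thread or its participants): a small Python check that decides whether a browser would allow a frame, using only the response headers of the framed document (X-Frame-Options, and CSP frame-ancestors, which takes precedence). The headers and URLs are constructed to mirror the thread; frame-ancestors sources are matched only as exact origins, 'self', 'none' or '*'.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL: the unit X-Frame-Options compares."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def framing_allowed(framed_headers: dict, framed_url: str, top_url: str) -> tuple:
    """Return (allowed, reason) for framing framed_url inside the page top_url.

    framed_headers are the response headers of the *framed* document. The
    embedding page's own headers (the nginx.conf in the thread) play no part
    in the browser's decision. Simplified: frame-ancestors sources are matched
    only as exact origins, 'self', 'none' or '*' (no scheme-only or wildcard hosts).
    """
    headers = {k.lower(): v for k, v in framed_headers.items()}
    top, framed = origin_of(top_url), origin_of(framed_url)

    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            ok = "*" in sources or top in sources or ("'self'" in sources and top == framed)
            return ok, f"CSP frame-ancestors {' '.join(sources) or '(empty = none)'}"

    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY on the framed response"
    if xfo == "SAMEORIGIN":
        same = top == framed
        return same, "X-Frame-Options: SAMEORIGIN; top-level origin " + ("matches" if same else "differs")
    return True, "no framing restriction on the framed response"


# Constructed sample modelled on the thread: the framed Facebook plugin answers with DENY,
# so the embedding site's own X-Frame-Options setting cannot change the outcome.
FB_PLUGIN_URL = "https://www.facebook.com/v10.0/plugins/comments.php"
FB_PLUGIN_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
SITE_URL = "https://www.trendista.cz/"

if __name__ == "__main__":
    print(framing_allowed(FB_PLUGIN_HEADERS, FB_PLUGIN_URL, SITE_URL))
```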
This looks like a Facebook bug https://developers.facebook.com/support/bugs/854001531875629/?join_id=f3265be5480336