mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1008 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
28317 Commits
412 Branches
Tree: a95d4c2b22
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a95d4c2b22'
${ noResults }
nextcloud/core/js/setupchecks.js

setupchecks.js 8.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228 
  1. /*

  2.  * Copyright (c) 2014

  3.  *

  4.  * This file is licensed under the Affero General Public License version 3

  5.  * or later.

  6.  *

  7.  * See the COPYING-README file.

  8.  *

  9.  */

  10. 

  11. (function() {

  12. 	OC.SetupChecks = {

  13. 

  14. 		/* Message types */

  15. 		MESSAGE_TYPE_INFO:0,

  16. 		MESSAGE_TYPE_WARNING:1,

  17. 		MESSAGE_TYPE_ERROR:2,

  18. 

  19. 		/**

  20. 		 * Check whether the WebDAV connection works.

  21. 		 *

  22. 		 * @return $.Deferred object resolved with an array of error messages

  23. 		 */

  24. 		checkWebDAV: function() {

  25. 			var deferred = $.Deferred();

  26. 			var afterCall = function(xhr) {

  27. 				var messages = [];

  28. 				if (xhr.status !== 207 && xhr.status !== 401) {

  29. 					messages.push({

  30. 						msg: t('core', 'Your web server is not yet set up properly to allow file synchronization because the WebDAV interface seems to be broken.'),

  31. 						type: OC.SetupChecks.MESSAGE_TYPE_ERROR

  32. 					});

  33. 				}

  34. 				deferred.resolve(messages);

  35. 			};

  36. 

  37. 			$.ajax({

  38. 				type: 'PROPFIND',

  39. 				url: OC.linkToRemoteBase('webdav'),

  40. 				data: '<?xml version="1.0"?>' +

  41. 						'<d:propfind xmlns:d="DAV:">' +

  42. 						'<d:prop><d:resourcetype/></d:prop>' +

  43. 						'</d:propfind>',

  44. 				complete: afterCall

  45. 			});

  46. 			return deferred.promise();

  47. 		},

  48. 

  49. 		/**

  50. 		 * Runs setup checks on the server side

  51. 		 *

  52. 		 * @return $.Deferred object resolved with an array of error messages

  53. 		 */

  54. 		checkSetup: function() {

  55. 			var deferred = $.Deferred();

  56. 			var afterCall = function(data, statusText, xhr) {

  57. 				var messages = [];

  58. 				if (xhr.status === 200 && data) {

  59. 					if (!data.serverHasInternetConnection) {

  60. 						messages.push({

  61. 							msg: t('core', 'This server has no working Internet connection. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. We suggest to enable Internet connection for this server if you want to have all features.'),

  62. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING

  63. 						});

  64. 					}

  65. 					if(!data.dataDirectoryProtected) {

  66. 						messages.push({

  67. 							msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'),

  68. 							type: OC.SetupChecks.MESSAGE_TYPE_ERROR

  69. 						});

  70. 					}

  71. 					if(!data.isMemcacheConfigured) {

  72. 						messages.push({

  73. 							msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.memcacheDocs}),

  74. 							type: OC.SetupChecks.MESSAGE_TYPE_INFO

  75. 						});

  76. 					}

  77. 					if(!data.isUrandomAvailable) {

  78. 						messages.push({

  79. 							msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.securityDocs}),

  80. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING

  81. 						});

  82. 					}

  83. 					if(data.isUsedTlsLibOutdated) {

  84. 						messages.push({

  85. 							msg: data.isUsedTlsLibOutdated,

  86. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING

  87. 						});

  88. 					}

  89. 					if(data.phpSupported && data.phpSupported.eol) {

  90. 						messages.push({

  91. 							msg: t('core', 'Your PHP version ({version}) is no longer <a href="{phpLink}">supported by PHP</a>. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by PHP.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}),

  92. 							type: OC.SetupChecks.MESSAGE_TYPE_INFO

  93. 						});

  94. 					}

  95. 					if(!data.forwardedForHeadersWorking) {

  96. 						messages.push({

  97. 							msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing ownCloud from a trusted proxy. If you are not accessing ownCloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to ownCloud. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.reverseProxyDocs}),

  98. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING

  99. 						});

  100. 					}

  101. 					if(!data.isCorrectMemcachedPHPModuleInstalled) {

  102. 						messages.push({

  103. 							msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the <a href="{wikiLink}">memcached wiki about both modules</a>.', {wikiLink: 'https://code.google.com/p/memcached/wiki/PHPClientComparison'}),

  104. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING

  105. 						});

  106. 					}

  107. 				} else {

  108. 					messages.push({

  109. 						msg: t('core', 'Error occurred while checking server setup'),

  110. 						type: OC.SetupChecks.MESSAGE_TYPE_ERROR

  111. 					});

  112. 				}

  113. 				deferred.resolve(messages);

  114. 			};

  115. 

  116. 			$.ajax({

  117. 				type: 'GET',

  118. 				url: OC.generateUrl('settings/ajax/checksetup')

  119. 			}).then(afterCall, afterCall);

  120. 			return deferred.promise();

  121. 		},

  122. 

  123. 		/**

  124. 		 * Runs generic checks on the server side, the difference to dedicated

  125. 		 * methods is that we use the same XHR object for all checks to save

  126. 		 * requests.

  127. 		 *

  128. 		 * @return $.Deferred object resolved with an array of error messages

  129. 		 */

  130. 		checkGeneric: function() {

  131. 			var self = this;

  132. 			var deferred = $.Deferred();

  133. 			var afterCall = function(data, statusText, xhr) {

  134. 				var messages = [];

  135. 				messages = messages.concat(self._checkSecurityHeaders(xhr));

  136. 				messages = messages.concat(self._checkSSL(xhr));

  137. 				deferred.resolve(messages);

  138. 			};

  139. 

  140. 			$.ajax({

  141. 				type: 'GET',

  142. 				url: OC.generateUrl('heartbeat')

  143. 			}).then(afterCall, afterCall);

  144. 

  145. 			return deferred.promise();

  146. 		},

  147. 

  148. 		/**

  149. 		 * Runs check for some generic security headers on the server side

  150. 		 *

  151. 		 * @param {Object} xhr

  152. 		 * @return {Array} Array with error messages

  153. 		 */

  154. 		_checkSecurityHeaders: function(xhr) {

  155. 			var messages = [];

  156. 

  157. 			if (xhr.status === 200) {

  158. 				var securityHeaders = {

  159. 					'X-XSS-Protection': '1; mode=block',

  160. 					'X-Content-Type-Options': 'nosniff',

  161. 					'X-Robots-Tag': 'none',

  162. 					'X-Frame-Options': 'SAMEORIGIN'

  163. 				};

  164. 

  165. 				for (var header in securityHeaders) {

  166. 					if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {

  167. 						messages.push({

  168. 							msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}),

  169. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING

  170. 						});

  171. 					}

  172. 				}

  173. 			} else {

  174. 				messages.push({

  175. 					msg: t('core', 'Error occurred while checking server setup'),

  176. 					type: OC.SetupChecks.MESSAGE_TYPE_ERROR

  177. 				});

  178. 			}

  179. 

  180. 			return messages;

  181. 		},

  182. 

  183. 		/**

  184. 		 * Runs check for some SSL configuration issues on the server side

  185. 		 *

  186. 		 * @param {Object} xhr

  187. 		 * @return {Array} Array with error messages

  188. 		 */

  189. 		_checkSSL: function(xhr) {

  190. 			var messages = [];

  191. 

  192. 			if (xhr.status === 200) {

  193. 				if(OC.getProtocol() === 'https') {

  194. 					// Extract the value of 'Strict-Transport-Security'

  195. 					var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');

  196. 					if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {

  197. 						var firstComma = transportSecurityValidity.indexOf(";");

  198. 						if(firstComma !== -1) {

  199. 							transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);

  200. 						} else {

  201. 							transportSecurityValidity = transportSecurityValidity.substring(8);

  202. 						}

  203. 					}

  204. 

  205. 					var minimumSeconds = 15768000;

  206. 					if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {

  207. 						messages.push({

  208. 							msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}">security tips</a>.', {'seconds': minimumSeconds, docUrl: '#admin-tips'}),

  209. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING

  210. 						});

  211. 					}

  212. 				} else {

  213. 					messages.push({

  214. 						msg: t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.', {docUrl: '#admin-tips'}),

  215. 						type: OC.SetupChecks.MESSAGE_TYPE_WARNING

  216. 					});

  217. 				}

  218. 			} else {

  219. 				messages.push({

  220. 					msg: t('core', 'Error occurred while checking server setup'),

  221. 					type: OC.SetupChecks.MESSAGE_TYPE_ERROR

  222. 				});

  223. 			}

  224. 

  225. 			return messages;

  226. 		}

  227. 	};

  228. })();