Allow outdated nextcloud access only for htaccess authenticated

Nextcloud version: 25.0.13
Operating system and version: Debian 11
Apache: 2.4.56-1~deb11u2
PHP: 7.4

Hi all,

I have the problem that I use an out-of-support version of Nextcloud on Debian 11. Debian has only PHP 7.4 and I can’t update to a newer version of Nextcloud. For the next three months I have no time to update to Debian 12, and therefore I want to secure Nextcloud for a few months.

I thought about using htaccess in front of the nextcloud link but simple authentication does not work.

This is my new apache2 config

Alias /nextcloud "/var/www/html/nextcloud/"

<Directory /var/www/html/nextcloud/>
  AuthType Basic
  AuthName "Restricted Access"
  AuthUserFile /etc/apache2/.htpasswd
  Require valid-user

  AllowOverride All
  Options FollowSymLinks MultiViews

  <IfModule mod_dav.c>
    Dav off
  </IfModule>
</Directory>

The password authentication with htaccess works, but then I got the Nextcloud landing page with a simple “Error” string.

The following config works but is without authentication.

Alias /nextcloud "/var/www/html/nextcloud/"

<Directory /var/www/html/nextcloud/>
  Satisfy Any  
  Require all granted
  AllowOverride All
  Options FollowSymLinks MultiViews

  <IfModule mod_dav.c>
    Dav off
  </IfModule>
</Directory>

Is there a way to make this work or is there a better way to secure an outdated version of nextcloud?

hi @HansG welcome to the forum :handshake:

yes - upgrade to supported version :wink:

There are some options, especially a reverse proxy, which can be used to add another security layer. SSO could be another option. Both options are pretty complex, so I don’t think you can add one of them faster than a Nextcloud upgrade (I don’t use a native install, but from discussions regarding php74 I’m under the impression it is not hard to install php8 on Debian 11).

Hopefully this helps: HowTo: Upgrade to Nextcloud 26 on Debian Bullseye

Maybe the simplest option would be to block external access and use a VPN - I started with a Docker WireGuard container in minutes and now it’s integrated into the Fritzbox. If you block external access, beware of Let’s Encrypt certificates, if any - access from the internet is required to refresh the cert!
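The VPN-only approach from the reply above, sketched as Apache 2.4 configuration (an added example, not posted by anyone in the thread). It assumes the VPN clients reach Apache from the subnet 10.8.0.0/24 without NAT and that certificates are renewed with HTTP-01 validation from the webroot /var/www/letsencrypt; both values are constructed placeholders.

```apache
# Added example, not from the thread. Placeholders to adjust:
#   10.8.0.0/24           assumed VPN client subnet (e.g. WireGuard)
#   /var/www/letsencrypt  assumed webroot used by the ACME client

Alias /nextcloud "/var/www/html/nextcloud/"

<Directory /var/www/html/nextcloud/>
  # Authorization by source address instead of a second password prompt:
  # only requests arriving from the VPN subnet are served, everything
  # else gets 403 before Nextcloud's PHP code is ever reached.
  Require ip 10.8.0.0/24

  AllowOverride All
  Options FollowSymLinks MultiViews

  <IfModule mod_dav.c>
    Dav off
  </IfModule>
</Directory>

# Keep the HTTP-01 challenge path reachable from the internet so that
# certificate renewal keeps working while Nextcloud itself is closed off.
Alias /.well-known/acme-challenge/ "/var/www/letsencrypt/.well-known/acme-challenge/"

<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
  Require all granted
  AllowOverride None
  Options None
</Directory>
```

Because no second HTTP authentication layer is added, desktop, mobile and WebDAV clients connected through the VPN keep using their normal Nextcloud credentials.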

Thank you. And thank you for trying to help :slight_smile:

I will, but I am searching for a quick fix since I have no time in the next three months and I thought that htaccess is one.

I have a test environment that I set up with Ansible. I tried php8 on Debian 11 but you quickly land in a PHP hell. I also run other things like Roundcube that I get from the distribution and that need php7.4. I stopped trying to get it running after a few hours.

The right path would be changing my Ansible scripts to Debian 12, getting a new server on Hetzner, testing the migration, migrating, and switching the DNS to the new server. But the server is not only Nextcloud, and most server switches I did in the past needed 100+ hours in preparation and testing that I don’t have at the moment. Maybe I will test upgrading my Debian 11 to Debian 12, but then I lose my Ansible scripts as a point of truth.

This would be a solution for myself, but I run Nextcloud for 100 users. I could get them to use an htpasswd password before the Nextcloud login page, but clearly not more than this.

I feel your pain. But in the end there is no mercy - both PHP and Nextcloud communicate their EOL dates clearly and it’s no surprise Nextcloud 25 ended support now and PHP 7.4 has been out of support for a year… Supporting a bigger system requires an admin to take care of such important dates and plan upgrades ahead of time.

You are in a very bad situation, but I don’t think you can bypass it somehow. You point out the problem yourself - the system you run is too complicated and suffers from complexity. My recommendation would be to start separating things using some kind of virtualization ASAP. Once you cut the system into smaller parts, it gives you a chance to move faster and upgrade single applications as soon as it’s needed, rather than once you get 100+ hours available and every single application has adapted to some level of prerequisites (which may never happen).

My personal favorite is Docker, but you can use virtual machines or snap as well. In my docker-compose setup it takes around 30 minutes to perform a Nextcloud update including basic tests - for two installations, test and production - I think it’s manageable and affordable to do this 1-2 times a year for major updates… Minor updates I don’t even really test - just upgrade, log in once and go further.

Sounds like a good plan. If you can afford it, set up a new server in parallel and move/upgrade the applications one by one. If I were in your position I would focus on the upgrade rather than trying to ride a dead horse further.

The plan is not doable because of my time constraints. Is there no way to configure htaccess to be in front of Nextcloud?

I have no idea about htaccess… but definitely many, maybe all, reverse proxies, e.g. Traefik or nginx, have integrated basic auth support and you can put this in front of the system. I would expect such double auth will break everything besides the web client - desktop client, mobile client, WebDAV…