Apache2 default page instead of NC HTTPS

Nextcloud version (eg, 12.0.2): 16.0.5
Operating system and version (eg, Ubuntu 17.04): Ubuntu 18.04.3
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.41
PHP version (eg, 7.1): 7.3

The issue you are facing:
I'm running a Nextcloud behind a reverse proxy on ports 880 and 10240. Access via http works just fine for both localhost and DDNS. But when I'm trying to access the site via https I'm getting to the apache2 default site. Any ideas why this happens?

Is this the first time you’ve seen this error? (Y/N): Y

The output of your config.php file in /path/to/nextcloud :

<?php
$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' =>
  array (
    0 => 'domain.com',
    1 => 'IP',
  ),
  'datadirectory' => '/home/rock64/nextcloud_data',
  'dbtype' => 'mysql',
  'version' => '16.0.5.1',
  'overwrite.cli.url' => 'https://domain.com',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '',
  'dbpassword' => '',
  'installed' => true,
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',   // documented as a boolean; the string 'true' only works because it is truthy
  'htaccess.RewriteBase' => '/',
  'overwriteprotocol' => 'https',    // NOTE: this key appears again below; in a PHP array literal the later value wins
  'integrity.check.disabled' => false,
  'knowledgebaseenabled' => false,
  'logfile' => '/var/nc_data/nextcloud.log',
  'loglevel' => 2,
  'logtimezone' => 'Europe/Berlin',
  'log_rotate_size' => 104857600,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'overwriteprotocol' => 'http',     // duplicate key: this 'http' is the value Nextcloud actually sees
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'updater.secret' => '',
  'theme' => '',
);

You need two virtual hosts in apache: one for port 80, one for port 443. If you want strict https, you redirect 80 to 443. Did you do this?

I've edited 000-default.conf as follows:
<VirtualHost *:880>

    ServerName domain.com

    ServerAdmin admin@domain.com
    DocumentRoot /var/www/html/nextcloud
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} = domain.com
    # unconditional http->https redirect: every request this vhost receives over
    # plain http (including requests forwarded by the proxy) gets it
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    # Redirect needs an absolute URL (with scheme) as its target
    #Redirect 301 /.well-known/carddav turtlenextcloud.ddnsfree.com/nextcloud/remote.php/dav
    #Redirect 301 /.well-known/caldav turtlenextcloud.ddnsfree.com/nextcloud/remote.php/dav

# closing tag for the vhost above
</VirtualHost>

That looks like a VHost for nextcloud, if you want to access it via http port 880. Following your scheme, you need to set up another for https port 8443. Mind you these are not standard ports.

My default SSL conf goes like this:

    <VirtualHost *:10240>

            SSLEngine on
            SSLOptions +StrictRequire
            LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
            LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
            ServerAdmin admin@domain.com
            DocumentRoot /var/www/html/nextcloud
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
            ServerName domain.com

etc.

So does this mean I have to set up another vhost for port 10240? The reverse proxy conf on the other machine (same SSL certificates there too) is a separate vhost for ports 880 and 10240 like this:

<VirtualHost *:80>

  ProxyPreserveHost On
  ProxyPass / http://IP:880/
  ProxyPassReverse / http://IP:880/
  ServerName mydomain.com

</VirtualHost>

Or do I have to write this in the vhost for port 80 which is already existing?

So this seems to be the SSL Virtual Host. Why are you using such strange port numbers?

The VHost for port 10240 does not have any keys in it.

Each VHost declaration must end with </VirtualHost>.

Are the VHosts enabled? There should be symlinks in /etc/apache2/sites-enabled pointing to the actual files in /etc/apache2/sites-available.

What is the output of
sudo apache2ctl -S
?

<IfModule mod_ssl.c>

    <VirtualHost *:10240>

            SSLEngine on
            SSLOptions +StrictRequire
            LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
            LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
            ServerAdmin admin@domain.com
            DocumentRoot /var/www/html/nextcloud
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
            ServerName domain.com
            SSLCertificateFile /etc/apache2/ssl/domain.cer
            SSLCACertificateFile /etc/apache2/ssl/ca.cer
            SSLCertificateKeyFile /etc/apache2/ssl/domain.key
    <Directory /var/www/html/nextcloud/>

            Options +FollowSymlinks
            AllowOverride All

            <IfModule mod_dav.c>
                    Dav off
            </IfModule>

            SetEnv HOME /var/www/html/nextcloud
            SetEnv HTTP_HOME /var/www/html/nextcloud

    </Directory>

    <IfModule mod_headers.c>

            # "preload" only means something with includeSubDomains and a max-age of
            # at least one year (31536000); 15768000 is about six months
            Header always set Strict-Transport-Security "max-age=15768000; preload"
            Header set Referrer-Policy "strict-origin-when-cross-origin"
            Header set X-Content-Type-Options "nosniff"
            #Header always set X-Frame-Options "SAMEORIGIN"

    </IfModule>

    </VirtualHost>

    SSLProtocol -all +TLSv1.3 +TLSv1.2
    # The "TLS-..." entries and the "...-SHA512" entries are not OpenSSL cipher names and
    # are silently ignored; only ECDHE-RSA-AES256-GCM-SHA384 and DHE-RSA-AES256-GCM-SHA384
    # remain for TLS 1.2. TLS 1.3 suites are configured separately on Apache >= 2.4.36:
    #   SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
    SSLCipherSuite TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    SSLOpenSSLConfCmd Curves X448:secp521r1:secp384r1:prime256v1
    SSLOpenSSLConfCmd ECDHParameters secp384r1
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

# closing tag for the <IfModule mod_ssl.c> opened at the top
</IfModule>

This is my complete SSL conf behind the proxy.
apache2ctl -S yields

VirtualHost configuration:
*:10240               domain.com (/etc/apache2/sites-enabled/001-nextcloud-le-ssl.conf:3)
*:880                  domain.com (/etc/apache2/sites-enabled/001-nextcloud.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

The proxy vhosts on the other machine are the following:

<VirtualHost *:80>

  ProxyPreserveHost On
  ProxyPass / http://IP:880/
  ProxyPassReverse / http://IP:880/
  ServerName mydomain.com


</VirtualHost>

SSL:

<VirtualHost *:443>

  ProxyPreserveHost On
  ProxyPass / http://IP:10240/
  ProxyPassReverse / http://IP:10240/
  ServerName mydomain.com

  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/mydomain.cer
  SSLCACertificateFile /etc/apache2/ssl/ca.cer
  SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key



</VirtualHost>

Should not the ProxyPass and ProxyPassReverse refer to

https://IP:10240/

To rule out problems with the proxy, can you access the server directly in the local network like

https://IP:10240
from a browser?

Ah yes, this I'll have to set right.

Edited that. Now I'm getting
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at [no address given] to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.
Apache/2.4.25 (Raspbian) Server at domain.com Port 443

error.log says:

[ssl:error] [pid 7364] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=domain.com / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 0471C17D5D026EC107B190F4387A4E693$

[Sun Nov 03 14:33:21.083870 2019] [ssl:error] [pid 7364] AH02604: Unable to configure certificate domain.com:443:0 for stapling

[Sun Nov 03 14:33:21.120744 2019] [ssl:error] [pid 7367] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=domain.com / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 0471C17D5D026EC107B190F4387A4E693$

So there is something wrong with the certificate. Maybe you check this in a Let’s Encrypt support forum.

Now, having edited the reverse proxy SSL conf, I'm getting the Firefox error

Error: Redirection error

The website accessed redirects the request in such a way that it can never be terminated.

This problem can sometimes occur when cookies are disabled or rejected.

The certificate error seems to be an OCSP stapling issue in general with self-signed certificates.

If I have to use the reverse proxy, wouldn't it make sense to run the SSL stuff at the proxy server and tunnel from there via http?
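The redirect loop reported above, and the spoofing risk that comes with terminating TLS at the proxy, as an added Python model (not code from this thread, from Nextcloud or from Apache): the hosts, addresses and the three scenarios are constructed, and the order in which Nextcloud picks its protocol (overwriteprotocol, then X-Forwarded-Proto from a trusted proxy, then whether the inner hop itself was TLS) is an assumption about its behaviour, not its code.

```python
"""Model of scheme resolution behind a TLS-terminating reverse proxy.

Added example. It models, with constructed hosts and addresses:
  * a proxy whose :80 vhost redirects to https and whose :443 vhost forwards
    to the backend over plain http (ProxyPass / http://backend:880/);
  * a backend Apache vhost that may carry a certbot-style
    'RewriteRule ^ https://...' in its http vhost;
  * Nextcloud's protocol choice, assumed to be: overwriteprotocol if set, else
    X-Forwarded-Proto but only from a trusted proxy, else the inner hop's scheme.
"""
from dataclasses import dataclass, field

PROXY_IP = "192.0.2.10"      # constructed: address of the reverse proxy
CLIENT_IP = "198.51.100.7"   # constructed: address of an internet client


@dataclass
class Request:
    scheme: str                        # scheme of the hop that reached this server
    host: str
    path: str
    remote_addr: str                   # immediate peer (the proxy, for the backend)
    headers: dict = field(default_factory=dict)


@dataclass
class Backend:
    """Apache http vhost plus Nextcloud config.php on the backend host."""
    trusted_proxies: list
    overwriteprotocol: str = ""        # "" means unset
    https_rewrite: bool = False        # RewriteRule to https in the *http* vhost

    def nextcloud_scheme(self, req: Request) -> str:
        if self.overwriteprotocol:
            return self.overwriteprotocol
        xfp = req.headers.get("X-Forwarded-Proto")
        # Honour the header only from trusted_proxies: anyone who can reach
        # port 880 directly could otherwise claim to be on https.
        if xfp and req.remote_addr in self.trusted_proxies:
            return xfp
        return "https" if req.scheme == "https" else "http"

    def handle(self, req: Request):
        # mod_rewrite runs first and only knows that *this* hop was plain http;
        # it cannot see which scheme the client used towards the proxy.
        if self.https_rewrite and req.scheme == "http":
            return 301, f"https://{req.host}{req.path}"
        return 200, f"{self.nextcloud_scheme(req)}://{req.host}{req.path}"


@dataclass
class Proxy:
    backend: Backend
    backend_scheme: str = "http"       # scheme of the ProxyPass target

    def handle(self, req: Request):
        if req.scheme == "http":       # the one place an http->https redirect belongs
            return 301, f"https://{req.host}{req.path}"
        forwarded = Request(self.backend_scheme, req.host, req.path, PROXY_IP,
                            {"X-Forwarded-Proto": req.scheme,
                             "X-Forwarded-For": req.remote_addr})
        return self.backend.handle(forwarded)


def follow(proxy: Proxy, url: str, max_hops: int = 5):
    """Behave like a browser: follow redirects, report 'loop' if they never end."""
    hops = []
    for _ in range(max_hops):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        status, location = proxy.handle(Request(scheme, host, "/" + path, CLIENT_IP))
        hops.append((status, location))
        if status != 301:
            return hops, "ok"
        if location == url:            # sent back to the page we just asked for
            return hops, "loop"
        url = location
    return hops, "loop"


def broken_setup():
    """Backend forces https itself: the proxy's plain-http hop triggers it forever."""
    backend = Backend(trusted_proxies=[PROXY_IP], https_rewrite=True)
    return follow(Proxy(backend), "https://nc.example.org/login")


def fixed_setup():
    """TLS ends at the proxy; the backend trusts the proxy and overwrites the protocol."""
    backend = Backend(trusted_proxies=[PROXY_IP], overwriteprotocol="https")
    return follow(Proxy(backend), "http://nc.example.org/login")


def spoofed_header():
    """A client talking to port 880 directly cannot upgrade itself to https."""
    backend = Backend(trusted_proxies=[PROXY_IP])
    direct = Request("http", "nc.example.org", "/", CLIENT_IP,
                     {"X-Forwarded-Proto": "https"})
    return backend.nextcloud_scheme(direct)


if __name__ == "__main__":
    print("broken:", broken_setup())
    print("fixed: ", fixed_setup())
    print("spoof: ", spoofed_header())
```

Run it directly to print the three outcomes. `spoofed_header()` is the reason `trusted_proxies` exists: without that check, anyone able to reach port 880 could send `X-Forwarded-Proto: https` and have the application build https links and treat the session as secure.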

It's really bad practice to use the webroot directory to deploy Nextcloud.
Use /var/www/nextcloud or /opt/nextcloud instead, and an Apache virtual host to manage it.

BR

Yes, this is fine. Just make sure that your ProxyPass directives are consistent with however you decide to do it.

That last Firefox error you posted sounds like a faulty redirect rule, but I didn’t see that in the vhosts above.
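The layout the reply above approves, written out as an added example rather than the thread's own files: TLS ends at the proxy, the inner hop is plain http, and the backend learns the real scheme from `X-Forwarded-Proto` plus Nextcloud's `trusted_proxies`. Hostnames (`nc.example.org`), addresses (192.0.2.10 for the proxy, 192.0.2.20 for the backend), file paths and certificate file names are placeholders.

```apache
# ===== proxy host: /etc/apache2/sites-available/nextcloud-proxy.conf =====
# Needs: a2enmod ssl proxy proxy_http headers
# Stapling cache is server-wide, so it sits outside any <VirtualHost>.
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ocsp(128000)

<VirtualHost *:80>
    ServerName nc.example.org
    # The only http->https redirect in the whole setup lives here, where TLS ends.
    Redirect permanent / https://nc.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName nc.example.org
    SSLEngine on
    # Leaf *and* intermediate in SSLCertificateFile: mod_ssl needs the issuer to
    # build the OCSP request, which is what AH02217 "can't retrieve issuer
    # certificate" complains about. Alternatively keep the leaf alone here and
    # point SSLCertificateChainFile at the intermediate.
    SSLCertificateFile    /etc/apache2/ssl/nc.example.org.fullchain.pem
    SSLCertificateKeyFile /etc/apache2/ssl/nc.example.org.key
    SSLUseStapling on

    ProxyPreserveHost On
    # mod_proxy adds X-Forwarded-For/Host/Server on its own; X-Forwarded-Proto
    # it does not, and the backend needs it to know the client really is on https.
    RequestHeader set X-Forwarded-Proto "https"
    # Plain http on the inner hop: the backend's own TLS vhost is not used at all,
    # and ProxyPass/ProxyPassReverse stay consistent with each other.
    ProxyPass        / http://192.0.2.20:880/
    ProxyPassReverse / http://192.0.2.20:880/
</VirtualHost>

# ===== backend host: /etc/apache2/sites-available/nextcloud.conf =====
# Needs: a2enmod rewrite; "Listen 880" in ports.conf
<VirtualHost *:880>
    ServerName nc.example.org
    DocumentRoot /var/www/nextcloud
    # No RewriteRule to https here: this vhost only ever sees plain http from
    # the proxy, so such a rule would bounce every request back to the proxy.
    <Directory /var/www/nextcloud/>
        # Only the proxy may reach the application on this port; evaluated
        # against the TCP peer address, so it is not affected by any header.
        Require ip 192.0.2.10
        Options +FollowSymlinks
        AllowOverride All
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>
</VirtualHost>

# ===== backend host: config.php additions (PHP, shown here as comments) =====
# Nextcloud takes the client address for its own logging and brute-force
# protection from X-Forwarded-For, but only when the peer is in trusted_proxies.
#   'trusted_domains'   => ['nc.example.org'],
#   'trusted_proxies'   => ['192.0.2.10'],
#   'overwriteprotocol' => 'https',   // exactly once: a later duplicate key wins in PHP
#   'overwrite.cli.url' => 'https://nc.example.org',
```

Check both hosts with `sudo apache2ctl -t` and `sudo apache2ctl -S`, as suggested earlier in the thread. From outside, `openssl s_client -connect nc.example.org:443 -status` shows whether a stapled OCSP response comes back once the intermediate is in the chain file.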

Something about the redirects didn't work; I'm now accessing it on localhost via VPN. Thanks