Detailed Instructions for Hardening and Security

Hey!

I’m looking for detailed instructions on HOW to do this:

https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html#use-https-label

Much of the documentation for NC assumes you’re already a Linux guru and just says “do this, LOL” but doesn’t tell you HOW to do it.

Do you guys have links that cover the details of getting https working?

I’m running an Ubuntu server at home with NC installed via Snap.

I don’t think that’s really a fair assessment.

HTTPS is hardly Linux-specific. What step did you have a question about?

When I go to the passwords app I get this:
http://localhost/index.php/apps/passwords/?https=false

This application requires HTTPS in order to work safely.

You can try to reload this page with HTTPS.

  1. This is NOT a bug. Visit our forum if you need help.
  2. Review the HTTPS report below to debug the issue.
  3. Read this documentation to configure your server to use HTTPS.
  4. Read this documentation if you are using any kind of proxy.
  5. Go to Let’s Encrypt to get a free HTTPS certificate if you need one.

When I follow the link I get this:

When using Apache this can be achieved by a setting such as the following in the Apache VirtualHosts configuration:
<VirtualHost *:80>
   ServerName cloud.nextcloud.com
   Redirect permanent / https://cloud.nextcloud.com/
</VirtualHost>

I’m using a server in my house. So should I be using “cloud.nextcloud.com”? Does this apply to my situation? If so, how do I do this? It just says “set it” but not how to set it… Where is this configuration file? Is it in the root folder I can’t open?

Okay, so a few points here:

  • No, you should not use cloud.nextcloud.com. Substitute your own FQDN.
  • This is specifically referencing Apache which is not Nextcloud. In other words, whatever web server you are using to run NC (be it Apache or Nginx or whatever else) needs to be properly configured.
  • The example you posted is one method of redirecting HTTP to HTTPS, but you need to have HTTPS set up before doing this. Redirecting to something that doesn’t exist will literally get you nowhere.

So let’s back up a little. The first thing you need to do is get HTTPS set up in the first place. So:

  1. Do you already have a valid FQDN for your server with a DNS A or CNAME record set up?
  2. Do you have port 80 and 443 forwarded to the server?
  3. Choose a method for resolving that name on your LAN (split horizon DNS, hosts file, hairpin routing, etc.)
  4. Set up Let’s Encrypt for your HTTPS certificate
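The four steps listed above can be checked automatically; this is an added example, not part of the original thread or of Nextcloud's own tooling. It goes slightly beyond the list by also checking the HTTP-to-HTTPS redirect discussed earlier in the thread. The name `cloud.example.org`, the function names and the `--outside` flag are assumptions; `--outside` is for runs from a connection outside the home network, where DNS has to return a public address.

```python
import contextlib, http.client, ipaddress, socket, ssl, sys
from urllib.parse import urlsplit

# Ranges reachable only inside a LAN or on the host itself.
LAN_ONLY = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def findings(fqdn, addrs, open_ports, cert_ok, status, location, outside):
    """Turn observations into a list of problems; empty means every step holds."""
    problems = []
    if not addrs:
        problems.append("dns: no address for " + fqdn)
    elif outside and any(ipaddress.ip_address(a) in n for a in addrs for n in LAN_ONLY):
        problems.append("dns: public record points at a LAN-only address")
    problems += ["port %d: not reachable" % p for p in (80, 443) if p not in open_ports]
    if 443 in open_ports and not cert_ok:
        problems.append("tls: certificate not trusted or not valid for " + fqdn)
    if 80 in open_ports:
        target = urlsplit(location)
        if status not in (301, 308):
            problems.append("redirect: port 80 answered %s, not a permanent redirect" % status)
        elif target.scheme != "https" or target.hostname != fqdn.lower():
            problems.append("redirect: Location %r does not point at https://%s/" % (location, fqdn))
    return problems

def probe(fqdn, timeout=3.0):
    """Collect the observations over the network from wherever this runs."""
    try:
        addrs = sorted({i[4][0].split("%")[0] for i in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        addrs = []
    open_ports, cert_ok, status, location = set(), False, None, ""
    for port in (80, 443):
        with contextlib.suppress(OSError), socket.create_connection((fqdn, port), timeout) as sock:
            open_ports.add(port)
            if port == 443:  # the default context verifies the chain and the hostname
                ssl.create_default_context().wrap_socket(sock, server_hostname=fqdn).close()
                cert_ok = True
    if 80 in open_ports:
        conn = http.client.HTTPConnection(fqdn, 80, timeout=timeout)
        with contextlib.suppress(OSError, http.client.HTTPException):
            conn.request("GET", "/")
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location") or ""
        conn.close()
    return addrs, open_ports, cert_ok, status, location

if __name__ == "__main__" and len(sys.argv) > 1:
    print("\n".join(findings(sys.argv[1], *probe(sys.argv[1]), outside="--outside" in sys.argv)) or "ready")
```

Before HTTPS is set up, the `tls:` and `redirect:` lines are expected; they show what is still left to do.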

maybe here?

hmmm. well then we have to look here:

and i guess it’s a combination:

maybe you have to place the certs before. maybe snap can create self-signed certs for you. i don’t have any snap installation around. try the --help option.

i assumed you don’t want to access your nextcloud from the internet. that would be a different story.


The snap package has a script for setting up Let’s Encrypt once the other stuff is in place. It works differently than NC on other platforms.


Thanks folks. I’ll start on those when the kids are in bed.
Yay, quarantine.

I want this server to be visible outside my home eventually.