.htaccess and virtualhost problems

Hello,

I’m having issues applying certain configurations in Nextcloud.

The following directives are in my .htaccess file:

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header set Referrer-Policy "no-referrer"

# Block configuration files
RewriteRule ^(\.|package\.json|package-lock\.json|composer\.lock|Gruntfile\.js|Vagrantfile|Gemfile|Rakefile|.*rc)$ - [R=404,L]

# Block documentation directory
RewriteRule ^core/doc/admin(/.*)?$ - [R=404,L]

I’ve tried moving these rules into the VirtualHost configuration instead of .htaccess. However:

  1. Strict-Transport-Security header works when I use curl, but I still get a warning in the “overview” section of Nextcloud
  2. The file and directory blocking does not work at all unless they are in .htaccess.

Unfortunately, I’m on a shared hosting server, so many of the solutions I’ve found aren’t applicable to my situation.

I really want to avoid relying on .htaccess as I have read that there is no built-in option to prevent it from being overwritten during updates.

– operating system:

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

– Apache version

Server version: Apache/2.4.62 (Debian)
Server built:   2024-07-22T12:30:55

Thanks in advance!

> Strict-Transport-Security header works when I use curl, but I still get a warning in the “overview” section of Nextcloud

Are you running curl from the Nextcloud Server command-line or from your workstation? The tests run from the server, so try from there if you are not already.

Also, the tests run against the overwrite.cli.url (and trusted_domains, if necessary) so make sure that is the correct URL in your config.

> The file and directory blocking does not work at all unless they are in .htaccess.

A RewriteRule in Apache is handled a bit differently depending on the context. See the Apache docs on the topic here and here for example. It’s also possible to turn on additional logging to troubleshoot mod_rewrite matters.

Note you may not need to use mod_rewrite at all for simple blocking scenarios:
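
The context difference mentioned in the reply above, as an added example that is not part of the original thread: in VirtualHost (server) context a RewriteRule pattern is matched against the full URL-path, including its leading slash, while in .htaccess the directory prefix is stripped first, so the patterns from the question need a leading `/` when moved. `cloud.example.com` and `/var/www/nextcloud` are placeholder values, and the `RedirectMatch` line is one mod_alias way to block a path without mod_rewrite.

```apache
# Added example, not configuration from the thread.
# Assumptions: ServerName and DocumentRoot are placeholders; mod_headers,
# mod_rewrite and mod_alias are enabled; the existing TLS directives
# (SSLEngine, certificate paths) stay as they are and are omitted here.
<VirtualHost *:443>
    ServerName cloud.example.com
    DocumentRoot /var/www/nextcloud

    # Response headers from the question, unchanged: mod_headers behaves the
    # same in server context as in .htaccess.
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    Header set Referrer-Policy "no-referrer"

    # Server context: the pattern sees "/package.json", not "package.json".
    # The .htaccess form "^(\.|package\.json|...)$" can never match here,
    # which is why the rule appears to do nothing after being moved.
    RewriteEngine On
    RewriteRule ^/(\.|package\.json|package-lock\.json|composer\.lock|Gruntfile\.js|Vagrantfile|Gemfile|Rakefile|.*rc)$ - [R=404,L]

    # Documentation directory, blocked without mod_rewrite. RedirectMatch
    # always matches the full URL-path, and a non-3xx status takes no target.
    RedirectMatch 404 ^/core/doc/admin(/.*)?$
</VirtualHost>
```

After a reload, `curl -I` against a blocked path such as `/package.json` or `/core/doc/admin/` should return 404; run `apachectl configtest` first to catch syntax errors.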