Hello,
Before this I was using Nextcloud without any error when entering my IP address in the browser. Today, I saw there's a part in the Nextcloud 13 administration manual that enables SSL for Nextcloud. After adding the SSL commands and adding Satisfy Any to the directory section (vim /etc/apache2/sites-available/nextcloud.conf), I cannot open my Nextcloud; instead the browser goes to the Apache2 Ubuntu default page. I also put https:// before the IP address and also tried https://myipaddress/nextcloud but got a message unable to connect/URL not found. Does anyone know what the problem is?
Before this, I followed the tutorial on how to install Nextcloud from this website: https://www.linuxhelp.com/how-to-install-nextcloud-in-ubuntu/
Did you redirect 80 to 443 in your Apache conf? This is the most common error:
(wiki copy) When using SSL, you will frequently have at least two virtual hosts: one on port 80 to serve ordinary requests, and one on port 443 to serve SSL. If you wish to redirect users from the non-secure site to the SSL site, you can use an ordinary Redirect directive inside the non-secure VirtualHost:
https://wiki.apache.org/httpd/RedirectSSL
So, I need to change my apache configuration below:
root@linuxhelp:/var/www/html# vim /etc/apache2/sites-available/nextcloud.conf
Entry:
Alias /nextcloud "/var/www/html/nextcloud/"
<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
AllowOverride All
Dav off
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
</Directory>
to a new Apache configuration that specifies virtual hosts 80 and 443, like the RedirectSSL link you shared with me?
The best thing to do is to use the Apache2 rewrite module.
To check your list of installed modules, check /etc/apache2/mods-available/
(or do apt-cache search libapache2)
access_compat.load authn_core.load authz_host.load cache_socache.load dbd.load fcgid.conf info.conf macro.load negotiation.conf proxy_fcgi.load proxy_wstunnel.load session_dbd.load ssl.load
actions.conf authn_dbd.load authz_owner.load cern_meta.load deflate.conf fcgid.load info.load mime.conf negotiation.load proxy_fdpass.load ratelimit.load session.load status.conf
actions.load authn_dbm.load authz_user.load cgid.conf deflate.load file_cache.load lbmethod_bybusyness.load mime.load perl.load proxy_ftp.conf reflector.load setenvif.conf status.load
alias.conf authn_file.load autoindex.conf cgid.load dialup.load filter.load lbmethod_byrequests.load mime_magic.conf php7.0.conf proxy_ftp.load remoteip.load setenvif.load substitute.load
alias.load authn_socache.load autoindex.load cgi.load dir.conf headers.load lbmethod_bytraffic.load mime_magic.load php7.0.load proxy_hcheck.load reqtimeout.conf slotmem_plain.load suexec.load
allowmethods.load authnz_fcgi.load brotli.conf charset_lite.load dir.load heartbeat.load lbmethod_heartbeat.load mpm_event.conf proxy_ajp.load proxy_html.conf reqtimeout.load slotmem_shm.load unique_id.load
asis.load authnz_ldap.load brotli.load data.load dump_io.load heartmonitor.load ldap.conf mpm_event.load proxy_balancer.conf proxy_html.load request.load socache_dbm.load userdir.conf
auth_basic.load authz_core.load buffer.load dav_fs.conf echo.load http2.load ldap.load mpm_prefork.conf proxy_balancer.load proxy_http2.load rewrite.load socache_memcache.load userdir.load
auth_digest.load authz_dbd.load cache_disk.conf dav_fs.load env.load ident.load log_debug.load mpm_prefork.load proxy.conf proxy_http.load sed.load socache_shmcb.load usertrack.load
auth_form.load authz_dbm.load cache_disk.load dav.load expires.load imagemap.load log_forensic.load mpm_worker.conf proxy_connect.load proxy.load session_cookie.load speling.load vhost_alias.load
authn_anon.load authz_groupfile.load cache.load dav_lock.load ext_filter.load include.load lua.load mpm_worker.load proxy_express.load proxy_scgi.load session_crypto.load ssl.conf xml2enc.load
To check the active modules, go to /etc/apache2/mods-enabled, then run ls -la:
rewrite.load -> ../mods-available/rewrite.load
If rewrite.load is present in /etc/apache2/mods-available/ but not present in /etc/apache2/mods-enabled, then do:
a2enmod rewrite
systemctl restart apache2
IF rewrite.load is present then you need to modify your /etc/apache2/sites-enabled/000-default.conf
to match something like:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
# your doc root location
DocumentRoot /var/www/html
# this enables the HTTP/2 protocol if Apache >= 2.4
Protocols h2 http/1.1
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# start of permanent redirection using the Apache rewrite mod
RewriteEngine on
RewriteCond %{SERVER_NAME} =YOURSERVERNAMEHERE
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
# end of rewrite rules
</VirtualHost>
That's it, all your HTTP access will be rewritten as HTTPS.
After that, you need to have an SSL conf like this one:
/etc/apache2/sites-enabled/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
Protocols h2 http/1.1
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/REDACTED/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/REDACTED/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName YOURSERVERNAME
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
# TLS compression is kept off: enabling it exposes sessions to the CRIME attack
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
These configuration files are made for a Debian/Ubuntu server with Apache2 >= 2.4
- SSL certs by Let's Encrypt
- more secure SSL settings
- HTTP2 enabled
- HSTS enabled
- cert stapling enabled
- strong modern cipher suite
And of course a good /etc/apache2/apache2.conf:
# Global configuration
ServerName YOURSERVERNAMEHERE
# server wide global conf for HTTP2 over http/https could be set also in vhost
Protocols h2c http/1.1
Protocols h2 http/1.1
ServerTokens Prod
ServerSignature Off
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 800
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 20
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
# logging ip needed for fail2ban parsing
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
# better security enable in vhost files
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
# Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
# EOF
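
Added example, not part of the thread: a shell check for the TLS hardening items the last reply lists (protocol exclusions, TLS compression, OCSP stapling, HSTS), run against two constructed config files. The function names `directive_value` and `audit_tls_conf`, the file names and both sample configs are assumptions made for this example; only the directive names come from the configuration above.

```shell
#!/bin/sh
# Added example: function names and both sample configs are constructed.

# Print the (lower-cased) arguments of the last active occurrence of a directive.
directive_value() {   # usage: directive_value FILE NAME
    awk -v name="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        tolower($1) == tolower(name) { $1 = ""; sub(/^ +/, ""); val = tolower($0) }
        END { print val }' "$1"
}

# Print one "FINDING:" line per weak or missing setting; nothing if clean.
audit_tls_conf() {    # usage: audit_tls_conf FILE
    [ "$(directive_value "$1" SSLCompression)" != "on" ] ||
        echo "FINDING: SSLCompression on (TLS compression, CRIME)"
    [ "$(directive_value "$1" SSLUseStapling)" = "on" ] ||
        echo "FINDING: OCSP stapling not enabled"
    grep -Eiq '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' "$1" ||
        echo "FINDING: no HSTS header"
    proto=$(directive_value "$1" SSLProtocol)
    for old in -sslv3 -tlsv1 -tlsv1.1; do
        case " $proto " in
            " -all "*|*" $old "*) ;;   # allowlist form, or protocol excluded
            *) echo "FINDING: SSLProtocol does not exclude ${old#-}" ;;
        esac
    done
    return 0
}

# Constructed sample configs: a weak one and the corrected one.
DEMO_DIR=$(mktemp -d); WEAK=$DEMO_DIR/weak.conf; FIXED=$DEMO_DIR/fixed.conf
cat > "$WEAK" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
SSLCompression on
SSLUseStapling on
EOF
cat > "$FIXED" <<'EOF'
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLCompression on
SSLCompression off
SSLUseStapling on
EOF
echo "weak.conf:";  audit_tls_conf "$WEAK"
echo "fixed.conf:"; audit_tls_conf "$FIXED"
```

Run `apache2ctl configtest` before restarting Apache; this script only reads the text of one file and does not follow Include lines.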