Hi, I have installed Nextcloud on a Raspberry Pi running Raspbian Stretch Lite. It is installed under the /var/www/html/nextcloud directory.
In sites-available/000-default-le-ssl.conf, I changed DocumentRoot to:
DocumentRoot /var/www/html/nextcloud
After this, the site works correctly, but I ran a scan using Nmap and it exposed a few files, most being JS & CSS files.
- https://redacted/core/vendor/core.js?v=6e38f86c-7. The contents of this JS file were exposed.
- https://REDACTED/core/vendor/select2/select2.css?v=6e38f86c-7. The contents of this CSS file were also exposed.
Hence, I added a redirect using:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/$
RewriteRule (.*) /nextcloud/ [R=301]
The site is working fine now too.
I wanted to understand the security implications of this given the internet exposure of the site.
- Is it secure to change the DocumentRoot to Nextcloud's installation folder (which worked perfectly) but exposed the files I mentioned above?
- Is it secure to rewrite (add a redirect) to Nextcloud as done above?
The above-mentioned code is working for me. The only difference is that, instead of https://subdomain.domain.com showing Nextcloud, https://subdomain.domain.com/nextcloud shows the Nextcloud login page.
Are there any security implications?