Redirecting All Unencrypted Traffic

Redirecting All Unencrypted Traffic to HTTPS:

I am trying to keep people from establishing an unencrypted connection to NC.
This is for my home server. I use Linux Mint 18.2, Apache2, MariaDB and Nextcloud 12.0.2.

I have tried adding the following to /etc/apache2/nextcloud.conf:

<VirtualHost *:80>
   ServerName 192.168.1.45/nextcloud/
   Redirect permanent / https://192.168.1.45/nextcloud/
</VirtualHost>

and did systemctl restart apache2,

Based on https://docs.nextcloud.com/server/12/admin_manual/configuration_server/harden_server.html

Which states:

Redirect all unencrypted traffic to HTTPS

To redirect all HTTP traffic to HTTPS administrators are encouraged to issue a permanent redirect using the 301 status code. When using Apache this can be achieved by a setting such as the following in the Apache VirtualHosts configuration:

<VirtualHost *:80>
   ServerName cloud.nextcloud.com
   Redirect permanent / https://cloud.nextcloud.com/
</VirtualHost>

But that doesn’t do the trick. Any help much appreciated.

FWIW I also read this thread Nextcloud not being forced to https connection and I am guessing that I am putting the recommended code into the wrong file, but I don’t know which file to put this stuff into. Thanks.

Have you tried:

<VirtualHost *:80>
   Redirect permanent / https://192.168.1.45/
</VirtualHost>

or

<VirtualHost *:80>
   Redirect permanent /nextcloud https://192.168.1.45/nextcloud
</VirtualHost>

Apache has some directories from which it automatically loads configurations, and some where it doesn’t and where the files in there are just stored, waiting to be enabled. To illustrate this, take a look at the directory structure beneath /etc/apache2/

  • conf-available
  • conf-enabled
  • sites-available
  • sites-enabled
  • (also mods-available and mods-enabled, but these aren’t relevant in this context)

The *-enabled directories only contain links to the actual files which are stored in *-available. You’ve probably seen commands like sudo a2ensite xxx and sudo a2enconf xxx before; these commands are just a convenient way of making a link from a file in the *-available to *-enabled. Then, upon reloading / restarting apache2, it loads configuration from these enabled files.

The conf-available directory is where you’d want to store some specific configuration for your server, like how much information the server should display about itself, should you request an invalid URL. The sites-available directory is where you’d store your personal sites like the one you’re trying to add. The files there typically contain one <VirtualHost ...> ... </VirtualHost> element each, where you declare configuration about your site; they may, however, also contain more virtual hosts.

To emphasize, configuring your server with sites and other configurations can essentially be done in a single file, but the layout / directory structure employed by apache2 makes it modular and thus easier to maintain and control.

Now on to your problem, which I will address by showing my setup (not actual names used). I have the redirect site placed in a file of its own called http-redirect.conf in sites-available, containing a minor variant of the 4 liner redirect example you posted (HTTP port 80). Then I have another site in a file called my-site.conf where I have the virtual host declaring the nextcloud configuration on the HTTPS port <VirtualHost *:443> ...</VirtualHost>. Both files have been enabled by sudo a2ensite http-redirect and sudo a2ensite my-site followed by a restart / reload of apache2.

From your example, I can spot some oddities. For example the ServerName directive; it should be the domain name where your nextcloud instance can be found - like cloud.example.com. Apache uses these ServerName directives internally to match incoming requests to the correct sites (you could have a site from where nextcloud could be served, described in its own file - cloud.example.com - and a site where a static web page could be served, likewise described in its own file - with a ServerName of www.example.com. Upon receiving a request, Apache maps the requested URL to the correct site based on the ServerName).

Keep in mind your SSL certificate should also reflect this domain name you choose. In your example, you have chosen an IP address for a domain name. I think it can work, but I would probably recommend you find a proper domain name, as IPs can change, but domain names are static and may point to any IP address you like.

Sorry for the long post, dunno if I explained a bit too much :slight_smile:

Tacruc and Worric:

Thanks for the help. Based on the combined information I thought I would step through different configurations to see which one worked and try to understand this a bit better.

The first thing I did was guess that Servername equated to [IP of Machine] or [Domain Name of Machine], not the Nextcloud service on that machine. So all I did was change:

ServerName 192.168.1.45/nextcloud/

to

ServerName 192.168.1.45

And this solved it for me. Albeit it’s not ideal to use the IP.

The thing I don’t understand and that still confuses me is the Servername example of cloud.nextcloud.com which I think of as a subdomain but when I had Yahoo web services a long time ago, I would just designate i.e. the domain and folder mycloud.com/help to be help.mycloud.com. So I was just hoping that cloud.nextcloud.com somehow would be magically linked to nextcloud.com/nextcloud which now that I think about it is a terrible assumption. No one would want all their subfolders to be subdomains for Pete’s sake.

Anyway, chewing on that made me think that a subfolder is not going to be a server. If a subdomain can act as a separate server that’s going to have to all be setup. So the next step in my process was to just say to myself, I wonder if the host IP can be the Servername for Nextcloud and that seems to be right on the vanilla install I have at the moment.

I guess the only reason I am explaining the stumbling blocks here is to keep the conversation going and to see if there is maybe a way to make it a bit easier from the documentation to guide someone like me to put the code in the right file and correctly identify one’s servername.

No, but your post is helping me understand this better and led to my dealing with the Servername issue first.

Actually I am really glad you gave all the detail that you did. It’s really helping me now and I’ll be referring back to it when I run into trouble. The Apache2 Enablesite/Conf made a ton of sense and helps a lot. Some of it I don’t understand right now, in particular:

I don’t understand virtual host to begin with. I am guessing it’s a way for Apache to run different websites off the same machine? And if you are running different websites from the same machine you very well may want Apache to act differently depending on the needs of the website? With that stab in the dark it seems you have set up the same website twice, once for encrypted connections and once for unencrypted connections? If that’s right well maybe I am starting to catch a clue. :smiley:

I’m glad you got it working. There are quite a few things to get one’s head around in order to understand fully the consequences of one choice of configuration as opposed to another. Regarding virtual hosts, however:

… you are right on the money :slight_smile:
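
A small check for the mistake this thread turned on, as an added example that is not part of the original posts or of Nextcloud's or Apache's tooling: it parses `<VirtualHost>` blocks and flags a port-80 vhost whose ServerName is not a bare host name or which lacks a permanent `Redirect` to an `https://` URL. The function names `parse_vhosts` and `check_http_redirect` are hypothetical, and only the `Redirect` directive is recognised (not mod_rewrite rules, and not whether the file has been enabled with a2ensite).

```python
import re
# One <VirtualHost addr:port> ... </VirtualHost> block.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Host name or IPv4 address only (IPv6 literals are not handled here).
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

def parse_vhosts(conf_text):
    """Return [(address, [(directive, args), ...]), ...] for each vhost block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf_text):
        directives = []
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, *args = line.split()
                directives.append((name.lower(), args))
        vhosts.append((addr.strip(), directives))
    return vhosts

def check_http_redirect(conf_text):
    """List problems in port-80 vhosts that should redirect to HTTPS."""
    findings = []
    for addr, directives in parse_vhosts(conf_text):
        if not addr.endswith(":80"):
            continue
        for name, args in directives:
            if name != "servername" or not args:
                continue
            # ServerName syntax is [scheme://]host[:port]; a URL path is not allowed.
            host = re.sub(r":\d+$", "", args[0].split("://", 1)[-1])
            if not HOST_RE.match(host):
                findings.append(f"{addr}: ServerName '{args[0]}' is not a bare host name")
        to_https = [a for n, a in directives
                    if n == "redirect" and a and a[-1].lower().startswith("https://")]
        if not to_https:
            findings.append(f"{addr}: no Redirect to an https:// URL")
        elif not any(a[0].lower() in ("permanent", "301") for a in to_https):
            findings.append(f"{addr}: redirect to HTTPS is not permanent (301)")
    return findings

# ORIGINAL is the block from the first post; FIXED applies the ServerName change reported later.
ORIGINAL = """<VirtualHost *:80>
   ServerName 192.168.1.45/nextcloud/
   Redirect permanent / https://192.168.1.45/nextcloud/
</VirtualHost>"""
FIXED = ORIGINAL.replace("ServerName 192.168.1.45/nextcloud/", "ServerName 192.168.1.45")

for label, conf in (("original", ORIGINAL), ("fixed", FIXED)):
    print(label, check_http_redirect(conf) or "OK")
```

A clean result here says only that the file is written as intended; requesting the `http://` URL and confirming a 301 response with an `https://` Location header is still the real test.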