Nextcloud version: 18.0.0
Operating system and version: Debian 10
Apache version: 2.4.38
PHP version: 7.3
I’ve set up Nextcloud and used certbot (A+ grade from scan.nextcloud); to do so I had to use a DNS provider.
Ideally I would like that someone who knows my public IP (and doesn’t know my DNS) would not be able to acknowledge I’m hosting a web server of any kind, but I think that’s not possible.
So I edited /etc/apache2/sites-available/nextcloud.conf and nextcloud-le-ssl.conf and added (both for *:80 and *:443)
ServerName X.X.X.X #public ip
In this way, if they try to reach me through my public IP, they get an error page instead of reaching the Nextcloud “untrusted domain” page, but if someone tries to reach httpS://my_public_ip/ they can see the certificate for that page is not valid because it is associated with my DNS name, and they can acknowledge it.
What would be the best thing (security wise) to do if someone tries to reach my nextcloud server through my public IP? Should I leave the “untrusted domain” nextcloud page?
I agree that this is security by obscurity, but I did the same and I like the effect: I don’t return much information to the attackers who run scans over all IP addresses.
So before, I forwarded all requests to the correct domain, so that my users always landed on the login page even if they mistyped the host or simply forgot to enter the difficult-to-remember word “cloud” in front of the domain.
What that did, however: every PHP attack which is regularly sent to all IP addresses was handled by my PHP interpreter. If there is a security bug in php-fpm it could be used by simply sending the http requests to my IP.
Now I return status 404 if requests don’t go directly to my correct FQDN. This status is returned before the SSL connection is established and the request is not put through to the php interpreter.
Just to be 100% safe the SSL cert is not provided to an attacker, I assigned a self-signed SSL cert to my “default server” returning 404.
Thing is, I use nginx and cannot provide a configuration example for apache.
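The reply above describes the setup for nginx; the following is an added example (not from any poster in this thread) of the same idea for Apache 2.4 on Debian, which is what the original question uses. It assumes the real site is served under a hostname written here as cloud.example.com, that the catch-all vhost file is named so it sorts first in sites-enabled (Debian’s 000- prefix), and that a self-signed certificate is generated at the paths shown; all of those names and paths are placeholders.

```apache
# /etc/apache2/sites-available/000-default.conf  (added example, assumed path)
#
# Catch-all vhost: handles every request whose Host / SNI name is not one of
# the real sites. Because it is the first vhost loaded for *:80 and *:443,
# Apache uses it as the default for unknown names and for clients that send
# no SNI at all (e.g. someone typing https://X.X.X.X/ into a browser or a
# mass scanner). Nothing here touches PHP or the Nextcloud document root.
#
# One-time self-signed certificate for this vhost (assumed paths, run as root):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
#     -subj '/CN=localhost' \
#     -keyout /etc/ssl/private/catchall.key -out /etc/ssl/certs/catchall.crt
# The real Let's Encrypt certificate is never presented on the catch-all,
# so the IP-based request does not reveal the DNS name in the certificate.

<VirtualHost *:80>
    ServerName catchall.invalid          # any name that never matches a real request
    # Status-only Redirect: no target URL, just answer 404 for every path.
    Redirect 404 /
    ErrorLog ${APACHE_LOG_DIR}/catchall_error.log
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/catchall.crt
    SSLCertificateKeyFile /etc/ssl/private/catchall.key
    Redirect 404 /
    ErrorLog ${APACHE_LOG_DIR}/catchall_error.log
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>

# The real sites keep their FQDN as ServerName (not the public IP), so only
# requests that carry that hostname reach Nextcloud and PHP:
#
#   /etc/apache2/sites-available/nextcloud.conf
#     <VirtualHost *:80>
#         ServerName cloud.example.com
#         Redirect permanent / https://cloud.example.com/
#     </VirtualHost>
#
#   /etc/apache2/sites-available/nextcloud-le-ssl.conf
#     <VirtualHost *:443>
#         ServerName cloud.example.com
#         ... existing certbot-managed SSL and DocumentRoot settings ...
#     </VirtualHost>
#
# Optional: keep the Server header minimal so the 404 page leaks as little as
# possible (Debian ships this setting in conf-enabled/security.conf):
#   ServerTokens Prod
#
# Apply and verify:
#   a2ensite 000-default && apachectl configtest && systemctl reload apache2
#   curl -k -I https://X.X.X.X/          -> HTTP/1.1 404, self-signed cert
#   curl -I https://cloud.example.com/   -> normal Nextcloud response
```

What this does and does not hide: a request to the bare IP now gets a plain 404 from a vhost that has no PHP handler and a throwaway certificate, so neither the “untrusted domain” page nor the real certificate is returned. It does not hide that ports 80 and 443 are open and answered by Apache; that much is visible to any port scan, so the gain is limiting what a scanner can learn, not making the server invisible.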
Thanks for the replies but I didn’t quite get the response. I’m not really an expert, but not a full noob either. I managed to get that A+ rating from scan.nextcloud. It probably doesn’t mean much to guys like you, but it’s already something for me.
ATM that’s what happens if I input the following in a browser:
Thanks for the contribution, but that’s exactly what I don’t want to do! In that way I would be able to log in by inserting my public IP. I want the opposite: that if someone enters my IP in their browser they don’t get any info about the fact I’m hosting a Nextcloud server. One must know my domain to get to the Nextcloud login. In other words, I want attackers who somehow know my public IP to acknowledge the least amount of information possible!