Restrict direct IP address?

Nextcloud version: 18.0.0
Operating system and version: Debian 10
Apache version: 2.4.38
PHP version: 7.3

I’ve setup Nextcloud and used certbot (A+ grade from scan.nextcloud), to do so I had to use a DNS provider.

Ideally I would like that someone who knows my public IP (and doesn’t know my DNS) would not be able to acknowledge I’m hosting a web server of any kind, but I think that’s not possible.
So I edited /etc/apache2/sites-available/nextcloud.conf and nextcloud-le-ssl.conf and added (both for *:80 and *:443)

<VirtualHost *:80>

        ServerName X.X.X.X #public ip

        Redirect gone

</VirtualHost>

In this way, if they try to reach me through my public IP, they get an error page instead of reaching the nextcloud “untrusted domain” page, but if someone tries to reach httpS://my_public_ip/ they can see the certificate for that page is not valid because it is associated to my DNS name and they can acknowledge it.

What would be the best thing (security wise) to do if someone tries to reach my nextcloud server through my public IP? Should I leave the “untrusted domain” nextcloud page?

With letsencrypt, you can’t get certificates on IP addresses. And even if, since you connect through that IP, the certificate then must contain your domain and the IP. So it’s in the certificate.

Without SSL, it would be possible. But still, it is very much security by obscurity. It’s a bit like a sign “dangerous dog” in front of your house.

I agree that this is security by obscurity, but I did the same :smiley: And I like the effect, that I don’t return much information to the attackers who run scans over all IP addresses.
So before I forwarded all requests to the correct domain, so that my users always land on the login page even if the mistyped the host or simply forgot to enter the difficult to remember word “cloud” in front of the domain.
What that did, however: every PHP attack which is regularly sent to all IP addresses was handled by my PHP interpreter. If there is a security bug in php-fpm it could be used by simply sending the http requests to my IP.

Now I return status 404 if requests don’t go directly to my correct FQDN. This status is returned before the SSL connection is established and the request is not put through to the php interpreter.
Just to be 100% safe the SSL cert is not provided to an attacker, I assigned a self-signed SSL cert to my “default server” returning 404.

Thing is, I use nginx and cannot provide a configuration example for apache.

Thanks for the replies but I didn’t quite get the response. I’m not really an expert, but not a full noob either. I managed to get that A+ rating from scan.nextcloud. It probably doesn’t mean much to guys like you, but it’s already something for me.

ATM that’s what happens if I input the following in a browser:

http://my.domain --> https://my.domain --> login
https://my.domain --> same as above
http://my.IP --> untrusted domain
https://my.IP --> untrusted domain and invalid certificate --> check the certificate and I can see my domain --> login page

Is this how it’s supposed to be by default?

I would like to return 404 to people that enter my IP in their browsers, without letting them know my domain or that I’m hosting nextcloud…

So, looking at what you have written:

Just to be 100% safe the SSL cert is not provided to an attacker, I assigned a self-signed SSL cert to my “default server” returning 404.

I should self-sign certs to my public IP ServerName and somehow return 404 to those “looking for” my public IP?

noob question: have you entered my.IP as a trusted domain to your config.php?

Thanks for the contribution, but that’s exactly what I don’t want to do! In that way I would be able to login from inserting my public IP. I want the opposite, that if someone enters my ip in their browsers they don’t get any info about the fact I’m hosting a nextcloud server. One must know my domain to get to nextcloud login. In other words I want attackers who somehow know my public IP to acknowledge the least amount of information possible!

ok i got that

completely wrong by reading through it.

that should be the way doing it. i am not sure on how to implement that on apache. but if @Schmu would be nice he might add his nginx setup and maybe you could learn from it?

or maybe it was the right time and place for you to switch over to nginx, though? :wink:

1 Like

I managed to SelfSign certificates for MY.IP so it’s not possible to acknowledge my domain by examining the certs on https://MY.IP.
I edited /etc/apache2/sites-available/nextcloud.conf

<VirtualHost *:80>
	
	ServerName MY.DOMAIN

	ServerAdmin MAIL
	DocumentRoot /var/www/nextcloud

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =MY.DOMAIN
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
	
</VirtualHost>

<VirtualHost *:80>
	ServerName MY.IP
	
	RewriteEngine On
	RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

and nextcloud-le-ssl.conf

<IfModule mod_ssl.c>

<VirtualHost *:443>
	ServerName MY.IP

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile   /etc/ssl/private/apache-selfsigned.key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"

 # Returns forbidden
<Directory /var/www/html/>
					Require ip  MY.IP     
				</Directory>
</VirtualHost>


<VirtualHost *:443>
	
	ServerName MY.DOMAIN
	
	ServerAdmin MAIL
	DocumentRoot /var/www/nextcloud
	
	<Directory /var/www/nextcloud/>
		 AllowOverride All
	</Directory>

	<IfModule mod_headers.c>
		 Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
	</IfModule>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined


SSLCertificateFile /etc/letsencrypt/live/my.domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>


So this is the least amount of info I managed to provide to someone trying to reach my ip address. Do you have any suggestions on how to improve these measures?