Restrict direct IP address?

Nextcloud version: 18.0.0
Operating system and version: Debian 10
Apache version: 2.4.38
PHP version: 7.3

I’ve set up Nextcloud and used certbot (A+ grade from scan.nextcloud); to do so I had to use a DNS provider.

Ideally I would like that someone who knows my public IP (and doesn’t know my DNS) would not be able to acknowledge I’m hosting a web server of any kind, but I think that’s not possible.
So I edited /etc/apache2/sites-available/nextcloud.conf and nextcloud-le-ssl.conf and added (both for *:80 and *:443):

<VirtualHost *:80>
        # X.X.X.X = public IP (Apache does not accept a comment after a directive on the same line)
        ServerName X.X.X.X
        # Redirect needs the URL-path argument; "/" matches every request
        Redirect gone /
</VirtualHost>

In this way, if they try to reach me through my public IP, they get an error page instead of reaching the Nextcloud “untrusted domain” page, but if someone tries to reach httpS://my_public_ip/ they can see the certificate for that page is not valid because it is associated with my DNS name, and they can acknowledge it.

What would be the best thing (security wise) to do if someone tries to reach my nextcloud server through my public IP? Should I leave the “untrusted domain” nextcloud page?

With letsencrypt, you can’t get certificates on IP addresses. And even if, since you connect through that IP, the certificate then must contain your domain and the IP. So it’s in the certificate.

Without SSL, it would be possible. But still, it is very much security by obscurity. It’s a bit like a sign “dangerous dog” in front of your house.

I agree that this is security by obscurity, but I did the same :smiley: And I like the effect, that I don’t return much information to the attackers who run scans over all IP addresses.
So before, I forwarded all requests to the correct domain, so that my users always land on the login page even if they mistyped the host or simply forgot to enter the difficult-to-remember word “cloud” in front of the domain.
What that did, however: every PHP attack which is regularly sent to all IP addresses was handled by my PHP interpreter. If there is a security bug in php-fpm it could be used by simply sending the http requests to my IP.

Now I return status 404 if requests don’t go directly to my correct FQDN. This status is returned before the SSL connection is established and the request is not put through to the php interpreter.
Just to be 100% safe the SSL cert is not provided to an attacker, I assigned a self-signed SSL cert to my “default server” returning 404.

Thing is, I use nginx and cannot provide a configuration example for apache.

Thanks for the replies but I didn’t quite get the response. I’m not really an expert, but not a full noob either. I managed to get that A+ rating from scan.nextcloud. It probably doesn’t mean much to guys like you, but it’s already something for me.

ATM that’s what happens if I input the following in a browser:

http://my.domain → login
https://my.domain → same as above
http://my.IP → untrusted domain
https://my.IP → untrusted domain and invalid certificate → check the certificate and I can see my domain → login page

Is this how it’s supposed to be by default?

I would like to return 404 to people that enter my IP in their browsers, without letting them know my domain or that I’m hosting nextcloud…

So, looking at what you have written:

Just to be 100% safe the SSL cert is not provided to an attacker, I assigned a self-signed SSL cert to my “default server” returning 404.

I should self-sign certs to my public IP ServerName and somehow return 404 to those “looking for” my public IP?

noob question: have you entered my.IP as a trusted domain to your config.php?

Thanks for the contribution, but that’s exactly what I don’t want to do! In that way I would be able to log in by entering my public IP. I want the opposite: that if someone enters my IP in their browser they don’t get any info about the fact I’m hosting a Nextcloud server. One must know my domain to get to the Nextcloud login. In other words, I want attackers who somehow know my public IP to acknowledge the least amount of information possible!

ok i got that completely wrong by reading through it.

that should be the way of doing it. i am not sure on how to implement that on apache. but if @Schmu would be nice he might add his nginx setup and maybe you could learn from it?

or maybe it was the right time and place for you to switch over to nginx, though? :wink:


I managed to self-sign certificates for MY.IP, so it’s not possible to acknowledge my domain by examining the certs on https://MY.IP.
I edited /etc/apache2/sites-available/nextcloud.conf

<VirtualHost *:80>
	
	ServerName MY.DOMAIN

	ServerAdmin MAIL
	DocumentRoot /var/www/nextcloud

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =MY.DOMAIN
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
	
</VirtualHost>

<VirtualHost *:80>
	ServerName MY.IP
	
	RewriteEngine On
	RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

and nextcloud-le-ssl.conf

<IfModule mod_ssl.c>

<VirtualHost *:443>
    ServerName MY.IP

    # Without a DocumentRoot this vhost would inherit the server default and
    # the <Directory /var/www/html/> rule below would never apply.
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile   /etc/ssl/private/apache-selfsigned.key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"

    # Returns forbidden: only the server's own IP may read the document root
    <Directory /var/www/html/>
        Require ip MY.IP
    </Directory>
</VirtualHost>


<VirtualHost *:443>

    ServerName MY.DOMAIN

    ServerAdmin MAIL
    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud/>
        AllowOverride All
    </Directory>

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/my.domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>


So this is the least amount of info I managed to provide to someone trying to reach my ip address. Do you have any suggestions on how to improve these measures?
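As an added example (not posted by anyone in this thread), here is the "default server answers 404 with a self-signed certificate" setup that Schmu describes for nginx, written for Apache 2.4, and folded together with the vhost layout in the previous post. It relies on one Apache rule: for a given listener, the first VirtualHost loaded is the default, and it is chosen whenever no ServerName matches the Host header or the TLS client sends no SNI (browsers and scanners never send a literal IP as SNI). The file name 000-catchall.conf, the placeholder ServerName catchall.invalid, MY.DOMAIN/MY.IP and the certificate paths are assumptions carried over from the thread. Unlike nginx, Apache still completes the TLS handshake (presenting the self-signed certificate) before it answers 404 at the HTTP layer; nothing reaches PHP for those requests.

```apache
# /etc/apache2/sites-available/000-catchall.conf  (assumed file name; it must
# sort BEFORE the Nextcloud vhost files so that it becomes the default vhost)

# Hide version/OS in the Server header and on generated error pages.
# On Debian these two directives normally live in conf-enabled/security.conf.
ServerTokens Prod
ServerSignature Off

# Default vhost for plain HTTP: any Host header that is not MY.DOMAIN
# (the bare IP included) ends here and gets a 404 for every path.
<VirtualHost *:80>
    ServerName catchall.invalid
    # mod_alias: "/" is a prefix match, so this covers every request URI
    Redirect 404 /
    ErrorLog ${APACHE_LOG_DIR}/catchall-error.log
    CustomLog ${APACHE_LOG_DIR}/catchall-access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
# Default vhost for HTTPS: connections without SNI (https://MY.IP/) land here
# and are shown a self-signed certificate that names no real domain, e.g.
#   openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=localhost" \
#     -keyout /etc/ssl/private/apache-selfsigned.key \
#     -out /etc/ssl/certs/apache-selfsigned.crt
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    # No HSTS here: browsers ignore it on a connection with certificate errors.
    Redirect 404 /
    ErrorLog ${APACHE_LOG_DIR}/catchall-error.log
    CustomLog ${APACHE_LOG_DIR}/catchall-access.log combined
</VirtualHost>
</IfModule>

# /etc/apache2/sites-available/nextcloud.conf  (the real site; only MY.DOMAIN
# reaches Nextcloud and the Let's Encrypt certificate)
<VirtualHost *:80>
    ServerName MY.DOMAIN
    Redirect permanent / https://MY.DOMAIN/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName MY.DOMAIN
    ServerAdmin MAIL
    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud/>
        AllowOverride All
    </Directory>

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/my.domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>
```

After `a2ensite 000-catchall`, `apachectl configtest` and a reload, compare what an outsider sees with `curl -kI https://MY.IP/` (expect a 404 and no mention of the domain) against `curl -I https://MY.DOMAIN/`; `openssl s_client -connect MY.IP:443 </dev/null 2>/dev/null | openssl x509 -noout -subject` prints the certificate served without SNI, which should be the self-signed one. The catch-all also covers the forgotten-"cloud" case Schmu mentions: those users now get a 404 instead of the login page, so a ServerAlias for such names belongs on the real vhost if you want to keep that convenience.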