Security: "__Host-Prefix", how to fix?

I want to fix this and get A+ on security scan.
NC version 13.0.2

3 Likes

Right, so which file exactly do I need to edit inside /etc/apache2?
Is it /etc/apache2/sites-enabled/nextcloud.conf?

That totally depends on your system/installation, which I don’t know anything about, except the fact that it’s NC 13.0.2 :wink:

So, if nextcloud.conf is the only file in that directory, then it is definitely this file where you need to apply the changes :wink:

/etc/apache2/sites-enabled/
├── 000-default.conf -> …/sites-available/000-default.conf
└── nextcloud.conf -> …/sites-available/nextcloud.conf

Debian Stretch
PHP 7.0.27
SQLite 3.16.2
Apache 2.4.25
NC dir /var/www/html/nextcloud

None of my files have an alias configured inside to comment out. Any other tips?

You should have a config file

/etc/apache2/sites-available/nextcloud.conf

that is the actual config file. The files in sites-enabled are symbolic links to that directory. Check that this is the case.

To start over, what is your exact problem? What does the security scan tell?

The security scan shows everything OK except the Host-Prefix issue, which is still pending to be fixed; after fixing this I would get an A+ in the scan, that’s all.

https://help.nextcloud.com/t/security—host-prefix-cookie-setting/9740

1 Like

Content of /etc/apache2/sites-available/nextcloud.conf file:

<IfModule mod_ssl.c>
   <VirtualHost _default_:443>

     ServerAdmin <hidden-for-security-purposes>
     ServerName <hidden-for-security-purposes>
     DocumentRoot /var/www/html

     <Directory /var/www/html/>
       Options +FollowSymlinks
       AllowOverride All

      <IfModule mod_dav.c>
        Dav off
      </IfModule>

       SetEnv HOME /var/www/html
       SetEnv HTTP_HOME /var/www/html
     </Directory>

And is your nextcloud installation directly inside

or is it a subfolder like /var/www/html/nextcloud? I have my nextcloud installed in /var/www/nextcloud, and DocumentRoot and Directory point to that directory.
Does your URL look like cloud.domain.com or like domain.com/cloud?

@eehmke

/var/www/html/nextcloud

Is there a way to move the data to root without doing a fresh install?
Maybe I’ll leave it as it is, since it’s not a big security issue, I think. Also I like my current server address (i.e. domain.com/nextcloud).

Sure you can move the directory to /var/www/nextcloud. No need to reinstall. And you may like your address, but a subdomain like nextcloud.domain.com is preferred by the security checker. That may be the reason not to get A+. And the setup of a subdomain in your /etc/apache2/sites-available is easy too. BTW, https is also preferred.
https://docs.nextcloud.com/server/11/admin_manual/configuration_server/harden_server.html

I made these changes but still get score A on the security scan. Anyway, I will leave it as it is (in the default dir /var/www/html/nextcloud).

Jep no worries about this. _host prefix is just not possible when having Nextcloud in a sub directory. About preferred or not, there were quite some discussions about this (just search for A+, scan.nextcloud.com etc) and some claim that using a sub directory is actually more secure.

1 Like

Hello all,

I have NextCloud on /var/www/nextcloud
And I access it via data.example.net/index.php so no subfolder

When trying to get A+ on my NextCloud instance, I was left with just this issue and no way to deal with it. Seeing no solution that worked for me in any help threads I decided to move on, clearing the Security tips in the NextCloud Admin panel.

After setting my Referrer Policy to:
Header always set Referrer-Policy "no-referrer"
and running the scan again, I got the A+ rating and the __Host-Prefix issue was cleared.

Hope this helps any of you still having issues with it

2 Likes

Unfortunately that didn’t work for me (NC 14, php7.0).
It would be very helpful if NC docs could highlight the importance of certain steps in the install. While the docs say on an Apache install it is safe to put NC at the web root — the docs don’t say that the security check will be downgraded if you don’t. It is a real bore to go through the install only to basically rework steps if you want those last bits of security.

It is exactly the same with the hardening advice to take the data directory out of root. The install is done. That is really frustrating. Particularly for users running a command line / Linux install. Surely it wouldn’t be hard to include an explanation in the docs here about setting up storage correctly (i.e., out of root).

I don’t want to seem too harsh – I really appreciate the NC product – but really wish that the documentation could be sharpened up.

1 Like

Thanks! This is almost what I was looking for to resolve the __Host-Prefix complaint in the security scanner. The solution for me was as described in that article, adding Header set Referrer-Policy "no-referrer-when-downgrade" to the Apache config file for the Nextcloud virtualhost.

My Nextcloud install has always been as described here,
but was failing the __Host-Prefix check. I don’t understand why - looking at the cookies in the Firefox console, with or without the above change, I’m sent cookies with __Host-nc_sameSiteCookielax and __Host-nc_sameSiteCookiestrict with domain set to mycloud.example.com and path set to /. Also with that change, now I am sending two sets of Referrer-Policy headers in the same request, first no-referrer then no-referrer-when-downgrade (and just no-referrer without the line in the config file).

Wish I understood why this worked and what’s actually changing!

1 Like

I only just noticed that making this change also causes a warning to appear under “Security & setup warnings”, saying

The “Referrer-Policy” HTTP header is not set to “no-referrer”, “no-referrer-when-downgrade”, “strict-origin”, “strict-origin-when-cross-origin” or “same-origin”. This can leak referer information.

Maybe it’s combining the two “Referrer-Policy” replies into an array and thus the value does not equal one of those. On my setup, I have now reverted the changes in the previous post.

Adding the following to my Apache virtual host file fixed this for me:
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"

You can find more info on setting secure cookies here:


Also, if you are changing header settings in your apache virtual host file you need to match the syntax used in the nextcloud .htaccess file to prevent duplicate header settings. For instance, if you wanted to set Header set Referrer-Policy "no-referrer" globally in apache you would need to change that to Header always set Referrer-Policy "no-referrer" because the always set condition is now used in the Nextcloud /var/www/nextcloud/.htaccess file.
You can check your current headers here: https://securityheaders.com/
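
Added example (not part of any post in this thread, and not the Nextcloud scanner's own logic): a small offline checker for the two things discussed above, whether a Set-Cookie header satisfies the browser rules for the __Host- prefix (Secure, no Domain attribute, Path=/) and whether a response carries duplicate Referrer-Policy headers. The sample response, the nc_session cookie and all values in it are constructed; the allowed Referrer-Policy values are the ones listed in the setup warning quoted earlier.

```python
# Added example: audits constructed response headers; not Nextcloud's scanner logic.
ALLOWED_REFERRER = {  # values listed in the Nextcloud setup warning quoted in the thread
    "no-referrer", "no-referrer-when-downgrade", "strict-origin",
    "strict-origin-when-cross-origin", "same-origin",
}

def parse_headers(raw):
    """Return (lowercased-name, value) pairs, keeping duplicate headers."""
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_host_prefix(set_cookie):
    """Check one Set-Cookie value against the __Host- prefix rules."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    checks = [
        (not name.startswith("__Host-"), "name lacks __Host- prefix"),
        ("secure" not in attrs, "missing Secure"),
        ("domain" in attrs, "Domain attribute present"),
        (attrs.get("path") != "/", "Path is not /"),  # fails for sub-directory installs
    ]
    return name, [msg for failed, msg in checks if failed]

def audit(raw):
    """Return ({cookie name: problems}, [Referrer-Policy findings])."""
    headers = parse_headers(raw)
    cookies = dict(check_host_prefix(v) for n, v in headers if n == "set-cookie")
    policies = [v for n, v in headers if n == "referrer-policy"]
    findings = []
    if len(policies) > 1:
        findings.append("duplicate Referrer-Policy: " + ", ".join(policies))
    findings += [f"unexpected Referrer-Policy: {p}" for p in policies
                 if p not in ALLOWED_REFERRER]
    return cookies, findings

# Constructed sample response (cookie names and values are made up for illustration).
SAMPLE = """
Set-Cookie: __Host-nc_sameSiteCookielax=true; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: nc_session=abc123; Path=/nextcloud; Secure; HttpOnly
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To run it against a real server, save the response headers (for example from the browser's network panel) into a string and pass it to audit().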