Security: "__Host-Prefix", how to fix?

#1

I want to fix this and get A+ on security scan.
NC version 13.0.2

#2
#3

Right, so what file do I need to edit exactly inside /etc/apache2?
Is it /etc/apache2/sites-enabled/nextcloud.conf?

#4

That totally depends on your system/installation, and I don’t know anything about it, except the fact that it’s NC 13.0.2 :wink:

So, if nextcloud.conf is the only file in that directory, then it is definitely this file where you need to apply the changes :wink:

#5

/etc/apache2/sites-enabled/
├── 000-default.conf -> …/sites-available/000-default.conf
└── nextcloud.conf -> …/sites-available/nextcloud.conf

Debian Stretch
PHP 7.0.27
SQLite 3.16.2
Apache 2.4.25
NC dir /var/www/html/nextcloud

Security: __Host-Prefix cookie setting? & HTTP headers
#6

None of my files have an alias configured inside to comment out. Any other tips?

#7

You should have a config file

/etc/apache2/sites-available/nextcloud.conf

that is the actual config file. The files in sites-enabled are symbolic links to that directory. Check that this is the case.

To start over, what is your exact problem? What does the security scan tell?

#8

The security scan shows everything OK except the Host-Prefix issue, which is still pending to be fixed; after fixing this I would get an A+ in the scan, that’s all.

#9

https://help.nextcloud.com/t/security—host-prefix-cookie-setting/9740

#10

Content of /etc/apache2/sites-available/nextcloud.conf file:

<IfModule mod_ssl.c>
   <VirtualHost _default_:443>

     ServerAdmin <hidden-for-security-purposes>
     ServerName <hidden-for-security-purposes>
     DocumentRoot /var/www/html

     <Directory /var/www/html/>
       Options +FollowSymlinks
       AllowOverride All

       <IfModule mod_dav.c>
         Dav off
       </IfModule>

       SetEnv HOME /var/www/html
       SetEnv HTTP_HOME /var/www/html
     </Directory>
   </VirtualHost>
</IfModule>
#11

And is your nextcloud installation directly inside

or is it a subfolder like /var/www/html/nextcloud? I have my nextcloud installed in /var/www/nextcloud, and DocumentRoot and Directory point to that directory.
Does your URL look like cloud.domain.com or like domain.com/cloud?

#12

@eehmke

/var/www/html/nextcloud

Is there a way to move the data to the root without doing a fresh install?
Maybe I’ll leave it as it is, since it’s not a big security issue, I think. Also, I like my current server address (i.e. domain.com/nextcloud).

#13

Sure you can move the directory to /var/www/nextcloud. No need to reinstall. And you may like your address, but a subdomain like nextcloud.domain.com is preferred by the security checker. That may be the reason not to get A+. And the setup of a subdomain in your /etc/apache2/sites-available is easy too. BTW, https is also preferred.
https://docs.nextcloud.com/server/11/admin_manual/configuration_server/harden_server.html

#15

I made these changes but still get a score of A on the security scan. Anyway, I will leave it as it is (in the default dir /var/www/html/nextcloud).

#16

Yep, no worries about this. The __Host prefix is just not possible when having Nextcloud in a subdirectory. About preferred or not, there were quite some discussions about this (just search for A+, scan.nextcloud.com etc.) and some claim that using a subdirectory is actually more secure.

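Why the subdirectory install cannot pass this check, as an added example (not code from this thread or from Nextcloud): a small Python checker for the __Host- cookie-prefix rules (Secure attribute, set over HTTPS, no Domain attribute, Path exactly "/"), run over constructed Set-Cookie headers for a web-root install, a /nextcloud subdirectory install, and a plain-HTTP install. The cookie name and values are constructed for the example.

```python
# Added example: validate the __Host- cookie prefix rules against
# constructed Set-Cookie headers. Not Nextcloud's own code.

def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie header value into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def host_prefix_violations(header: str, over_https: bool = True) -> list:
    """Return why a __Host- cookie would be rejected (empty list means valid).

    Rules (RFC 6265bis): the cookie must carry the Secure attribute, be set
    over a secure connection, have no Domain attribute, and have Path=/.
    """
    name, _, attrs = parse_set_cookie(header)
    if not name.startswith("__Host-"):
        return ["name does not start with __Host-"]
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure attribute")
    if not over_https:
        problems.append("not set over HTTPS")
    if "domain" in attrs:
        problems.append("Domain attribute must be absent")
    if attrs.get("path") != "/":
        problems.append("Path must be exactly '/', got %r" % attrs.get("path"))
    return problems


# Constructed headers: a web-root install scopes its session cookie to "/",
# a /nextcloud subdirectory install scopes it to "/nextcloud", and a
# plain-HTTP install cannot mark the cookie Secure at all.
ROOT_COOKIE = "__Host-nc_session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
SUBDIR_COOKIE = "__Host-nc_session_id=abc123; Path=/nextcloud; Secure; HttpOnly; SameSite=Lax"
PLAIN_HTTP_COOKIE = "__Host-nc_session_id=abc123; Path=/; HttpOnly"


if __name__ == "__main__":
    for label, hdr, https in (("web root", ROOT_COOKIE, True),
                              ("subdirectory", SUBDIR_COOKIE, True),
                              ("plain http", PLAIN_HTTP_COOKIE, False)):
        problems = host_prefix_violations(hdr, https)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Only the web-root cookie comes back with no violations; the subdirectory one fails on Path alone, which is the one thing no Apache header can fix.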
#17

Hello all,

I have NextCloud on /var/www/nextcloud
And I access it via data.example.net/index.php so no subfolder

When trying to get A+ on my NextCloud instance, I was left with just this issue and no way to deal with it. Seeing no solution that worked for me in any help threads I decided to move on, clearing the Security tips in the NextCloud Admin panel.

After setting my Referrer Policy to:
Header always set Referrer-Policy "no-referrer"
and running the scan again, I got the A+ rating and the __Host-Prefix issue was cleared.

Hope this helps any of you still having issues with it.

#18

Unfortunately that didn’t work for me (NC 14, php7.0).
It would be very helpful if NC docs could highlight the importance of certain steps in the install. While the docs say on an Apache install it is safe to put NC at the web root — the docs don’t say that the security check will be downgraded if you don’t. It is a real bore to go through the install only to basically rework steps if you want those last bits of security.

It is exactly the same with the hardening advice to take the data directory out of root. The install is done. That is really frustrating. Particularly for users running a command line / Linux install. Surely it wouldn’t be hard to include an explanation in the docs here about setting up storage correctly (i.e., out of root).

I don’t want to seem too harsh – I really appreciate the NC product – but I really wish that the documentation could be sharpened up.

#19

Thanks for the guidance.
