Security: "__Host-Prefix", how to fix?

Dear Steve,
I am running NextCloud 20.0.1 on Ubuntu 20.04.1 with Apache 2.4.41 and php 7.4. I am trying to fix the __Host-Prefix issue. I am running Nextcloud in /var/www/nextcloud from a domain which is solely used for nextcloud.

I am trying to figure out what you mean by “my Apache virtual host file” in your message above. If I look at Geekflare’s site it seems to be httpd.conf. Trying to find this file, it also seems it could possibly be named /etc/apache2/apache2.conf, as that file is on my system.

As you understand I am not very good at this. Is it possible to give some more info how to implement your suggestion? Thanks a lot! Cees.

Hi Cees,
The /etc/apache2/apache2.conf file you mention is the main apache config file. You probably don’t want to mess with that.
References to an httpd.conf file or /etc/httpd/conf.d/ directory are going to be for Red Hat and similar installations.
In Apache on Ubuntu you will usually find your virtual host files in /etc/apache2/sites-available.
These are the config files for your virtual hosts. When you enable them with the command:

   sudo a2ensite name_of_site.conf
   sudo systemctl restart apache2

You will see an alias created in /etc/apache2/sites-enabled for each site that was enabled.
There can be multiple files that are enabled that will affect your site. I think Ubuntu has a 000-default.conf and a default-ssl.conf that are both enabled and used by a default install of Nextcloud.
The virtual host blocks will look like this:

<VirtualHost *:80>
    # host configuration options are set in here somewhere.
</VirtualHost>

In my case I set the following security header outside of the virtual host block so that it affects all my hosts but you could put it inside as well:

# Implement cookie HTTP header flag with HTTPOnly & Secure to protect a website from XSS attacks
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"

<VirtualHost *:80>
    # host configuration options are set in here somewhere.
</VirtualHost>

Your host files might look different depending on how you have set up Apache. But you would probably want to set that in the 000-default.conf or if you created the file /etc/apache2/sites-available/nextcloud.conf I would set it there. Either way you should check the sites-enabled directory to see what you actually have enabled.

You should have a look at the documentation for apache on nextcloud. Understanding apache configuration is a big topic and is probably going to take some time to get comfortable with:

Another good resource is the Mozilla SSL configuration generator. It will give you an idea of what your virtual host file might look like:


Thanks for your explanation.

I put this line in my /etc/apache2/sites-available/nextcloud-le-ssl.conf between and <VirtualHost *:443>.

From my Windows machine I did not notice any change. The “__Host-Prefix” did not get fixed.

Later on I noticed that when I uploaded files from my Android tablet it would not work. After removing the lines again from the nextcloud-le-ssl.conf file I got messages that there were duplicate files, which I solved later.

I must have understood you incorrectly. Later I noticed you have this in a file for port 80, whereas I used it in a configuration file for port 443. Also it was not for the Host_prefix issue but for XSS attacks. Sorry I misunderstood you here.

You got me reading the documentation for Nextcloud, however. That's what I am going to do much more!

What helped me is commenting out the ServerPath /nextcloud line in the Apache config file.

1 Like
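
An added example, not part of the thread and not Nextcloud or Apache code: a small checker for the browser rules on `__Host-` cookies (name prefix, Secure, Path=/, no Domain), run against the blanket `Header edit Set-Cookie` rewrite quoted earlier in the thread. The cookie names and values are constructed samples; it shows that the rewrite only appends attributes, so it can neither add the prefix nor change the Path.

```python
import re

# Constructed sample Set-Cookie values (not captured from a real server).
SUBDIR_COOKIE = "sid=abc; Path=/nextcloud; HttpOnly; Secure; SameSite=Lax"
ROOT_COOKIE = "__Host-sid=abc; Path=/; HttpOnly; Secure; SameSite=Lax"


def apply_header_edit(value):
    """Mimic: Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure;SameSite=Strict", value, count=1)


def parse_set_cookie(value):
    """Return (cookie_name, [(attribute_name_lowercased, attribute_value), ...])."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = []
    for part in rest:
        if part.strip():
            key, _, val = part.strip().partition("=")
            attrs.append((key.strip().lower(), val.strip()))
    return name, attrs


def host_prefix_problems(value):
    """List the reasons this cookie does not qualify as a __Host- cookie."""
    name, attrs = parse_set_cookie(value)
    last = dict(attrs)  # for repeated attributes keep the last occurrence
    problems = []
    if not name.startswith("__Host-"):
        problems.append("name lacks __Host- prefix")
    if "secure" not in last:
        problems.append("missing Secure")
    if last.get("path") != "/":
        problems.append("Path is not /")
    if "domain" in last:
        problems.append("Domain attribute present")
    return problems


def duplicated_attributes(value):
    """Attributes that appear more than once after a blanket rewrite."""
    names = [key for key, _ in parse_set_cookie(value)[1]]
    return sorted({key for key in names if names.count(key) > 1})


if __name__ == "__main__":
    for label, cookie in (("subdir", SUBDIR_COOKIE), ("root", ROOT_COOKIE)):
        edited = apply_header_edit(cookie)
        print(label, host_prefix_problems(edited), duplicated_attributes(edited))
```

To check a live site, paste the Set-Cookie values shown in the browser's developer tools into `host_prefix_problems`.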