Security: "__Host-Prefix", how to fix?

Dear Steve,
I am running NextCloud 20.0.1 on Ubuntu 20.04.1 with Apache 2.4.41 and php 7.4. I am trying to fix the __Host-Prefix issue. I am running Nextcloud in /var/www/nextcloud from a domain https://www.mydomain.nl which is solely used for nextcloud.

I am trying to figure out what you mean by “my Apache virtual host file” in your message above. If I look at Geekflare’s site it seems to be httpd.conf. Trying to find this file, it also seems it could possibly be named /etc/apache2/apache2.conf, as that file is on my system.

As you understand I am not very good at this. Is it possible to give some more info how to implement your suggestion? Thanks a lot! Cees.

Hi Cees,
The /etc/apache2/apache2.conf file you mention is the main apache config file. You probably don’t want to mess with that.
References to an httpd.conf file or /etc/httpd/conf.d/ directory are going to be for Red Hat and similar installations.
In Apache on Ubuntu you will usually find your virtual host files in /etc/apache2/sites-available
These are the config files for your virtual hosts. When you enable them with the command

   sudo a2ensite name_of_site.conf
   sudo systemctl restart apache2

You will see an alias created in /etc/apache2/sites-enabled for each site that was enabled.
There can be multiple files that are enabled that will affect your site. I think Ubuntu has a 000-default.conf and a default-ssl.conf that are both enabled and used by a default install of Nextcloud.
The virtual host blocks will look like this:

   <VirtualHost *:80>
      # host configuration options are set in here somewhere.
   </VirtualHost>

In my case I set the following security header outside of the virtual host block so that it affects all my hosts but you could put it inside as well:

   # Implement cookie HTTP header flag with HTTPOnly & Secure to protect a website from XSS attacks
   Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"

   <VirtualHost *:80>
      # host configuration options are set in here somewhere.
   </VirtualHost>

Your host files might look different depending on how you have set up Apache. But you would probably want to set that in the 000-default.conf or if you created the file /etc/apache2/sites-available/nextcloud.conf I would set it there. Either way you should check the sites-enabled directory to see what you actually have enabled.

You should have a look at the documentation for apache on nextcloud. Understanding apache configuration is a big topic and is probably going to take some time to get comfortable with:

Another good resource is the Mozilla SSL configuration generator. It will give you an idea of what your virtual host file might look like:


Thanks for your explanation.

I put this line in my /etc/apache2/sites-available/nextcloud-le-ssl.conf between and <VirtualHost *:443>.

From my Windows machine I did not notice any change. The “__Host-Prefix” did not get fixed.

Later on I noticed that when I uploaded files from my Android tablet it would not work. After removing the lines again from the nextcloud-le-ssl.conf file I got messages that there were duplicate files, which I solved later.

I must have understood you incorrectly. Later I noticed you have this in a file for port 80 where I used it in a configuration file for port 443. Also it was not for the Host_prefix issue but for XSS attacks. Sorry I misunderstood you here.

You got me reading the documentation for Nextcloud however. That's what I am going to do much more!

What helped me is commenting out the ServerPath /nextcloud line in the Apache config file.

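Added example (not part of the thread and not Nextcloud's own code): a Python check of the rules browsers apply to cookies whose name starts with `__Host-` (Secure set, no Domain attribute, Path=/), run against constructed Set-Cookie values. It also mirrors the `Header edit` directive quoted above to show that appending flags changes a cookie's attributes but neither its name nor its Path. The cookie name `sid`, its value and the domain `example.test` are made up.

```python
import re

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def prefix_problems(header):
    """List the reasons a browser would reject this cookie because of its name prefix."""
    name, attrs = parse_set_cookie(header)
    problems = []
    if name.startswith(("__Host-", "__Secure-")) and "secure" not in attrs:
        problems.append("missing Secure")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute present")
        if attrs.get("path") != "/":
            problems.append("Path is not /")
    return problems

def apache_header_edit(header):
    # Mirrors the directive from the thread:
    #   Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure;SameSite=Strict", header, count=1)

# Constructed sample headers; the cookie name "sid" and its value are made up.
SAMPLES = [
    "__Host-sid=abc; Path=/; Secure; HttpOnly",
    "__Host-sid=abc; Path=/nextcloud; Secure",
    "__Host-sid=abc; Path=/; Domain=example.test",
    "sid=abc; Path=/nextcloud",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        edited = apache_header_edit(raw)
        name, _ = parse_set_cookie(edited)
        print(f"{edited}\n  name={name!r} prefix problems={prefix_problems(edited) or 'none'}")
```

To see the real headers your own server sends, `curl -sI https://www.mydomain.nl/ | grep -i set-cookie` prints them for comparison.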