Security & setup warnings on OpenSUSE


Hi all, please help me with the error message attached.
I realized that ‘Your web server is not properly set up to resolve “/.well-known/********”’ is a common issue when configuring Nextcloud for the first time, and there are many solutions for different Linux distributions.
However, my Nextcloud is installed on OpenSUSE 15.3 and I haven’t found a solution.
According to the official documentation:
If your Nextcloud instance is installed in a subfolder called nextcloud and you’re running Apache create or edit the .htaccess file within the document root of your Web server and add the following lines:

RewriteEngine on
RewriteRule ^\.well-known/carddav /nextcloud/remote.php/dav [R=301,L]
RewriteRule ^\.well-known/caldav /nextcloud/remote.php/dav [R=301,L]

I created a .htaccess file in /srv/www/htdocs

RewriteEngine on
RewriteRule ^\.well-known/carddav https://192.168.1.*/nextcloud/remote.php/dav [R=301,L]
RewriteRule ^\.well-known/caldav https://192.168.1.*/nextcloud/remote.php/dav [R=301,L]

And it doesn’t work.

Someone advised creating an Apache configuration file at /etc/apache2/sites-available/nextcloud.conf. But there is no sites-available subfolder on an OpenSUSE system.
Instead I created a nextcloud.conf in /etc/apache2/conf.d

Alias /nextcloud "/srv/www/htdocs/nextcloud/"

<Directory /srv/www/htdocs/nextcloud/>
  Options +FollowSymlinks
  AllowOverride All

  <IfModule mod_dav.c>
    Dav off
  </IfModule>

  SetEnv HOME /srv/www/htdocs/nextcloud
  SetEnv HTTP_HOME /srv/www/htdocs/nextcloud
</Directory>

It also requires enabling the newly created site:

a2ensite nextcloud.conf

But the ‘a2ensite’ command is not available in OpenSUSE, so it still doesn’t work.

Any advice for an OpenSUSE environment running Nextcloud?
I’m looking forward to your reply.

Hi @yluo0

I would not recommend doing it that way. Create a VirtualHost instead and point the DocumentRoot to the actual folder of your Nextcloud installation like this…


<VirtualHost *:80>
  DocumentRoot /var/www/htdocs/nextcloud/
  ServerName  your.server.com

  <Directory /var/www/htdocs/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>

  </Directory>
</VirtualHost>

According to the openSUSE documentation it’s in /etc/apache2/vhosts.d/. The a2ensite command seems not to be necessary on openSUSE. I guess every config file in the vhost.d folder is active automatically, after you restart the apache2 service…

https://doc.opensuse.org/documentation/leap/reference/html/book-reference/cha-apache2.html#sec-apache2-configuration

I hope this helps you at least a little, unfortunately I have no experience with openSUSE myself. As far as I know, you can also do all the configuration via YAST (GUI configuration tool). Maybe it is easier to manage with that…?

Hi,

Are you running any other sites on your server, or nextcloud exclusively?
If you are running NC exclusively, you can set the config directly in httpd.conf

This is a common problem with Apache and not with your specific configuration. The default .htaccess files will work fine.

https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#apache-web-server-configuration

Confirm if your Apache configuration is correct, and let us know?
-G

Thanks for the help @bb77,
according to the instructions in “Configuring Apache with SSL”,

My virtualhost.conf file is created in /etc/apache2/vhosts.d folder.

SSL Virtual Host Context

<VirtualHost *:443>

    #  General setup for the virtual host
    DocumentRoot "/srv/www/htdocs"
    ServerName 192.168.17.252:443
    ServerAdmin ericjingluo@qq.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   OCSP Stapling:
    #   Enable/Disable OCSP for this virtual host.
    SSLUseStapling  on

    #   You can use per vhost certificates if SNI is supported.
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    #SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt

    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog /var/log/apache2/ssl_request_log   ssl_combined

    <IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>

</VirtualHost>

The issue still persists.

Perhaps you can add something to your apache2-configurations.

<IfModule mod_headers.c>
 Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; strict-origin; preload"
 Redirect 301 /.well-known/carddav /nextcloud/remote.php/dav
 Redirect 301 /.well-known/caldav /nextcloud/remote.php/dav
 Redirect 301 /.well-known/webfinger /nextcloud/index.php/.well-known/webfinger
 Redirect 301 /.well-known/nodeinfo /nextcloud/index.php/.well-known/nodeinfo
</IfModule>

Sorry, German: docs

Hi @gibikha ,
Thank you for your advice.

Nextcloud is the only Web service running in the system.
According to the instructions from Nextcloud:

To use the virtual host installation, put the following in your nextcloud.conf replacing ServerName, as well as the DocumentRoot and Directory filepaths with values appropriate for your system:
/etc/apache2/sites-available/nextcloud.conf for Debian, Ubuntu, and their derivatives.
/etc/httpd/conf.d/nextcloud.conf for Fedora, CentOS, RHEL, and similar systems.
OpenSUSE has a different file structure, so I created a nextcloud.conf in /etc/apache2.

<VirtualHost *:80>
  DocumentRoot /srv/www/htdocs/
  ServerName 192.168.1.252:443

  <Directory /srv/www/htdocs/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
</VirtualHost>

I also created .htaccess file within the document root (/srv/www/htdocs) of the Web server and added the following lines:

RewriteEngine on
RewriteRule ^\.well-known/carddav https://192.168.1.252/nextcloud/remote.php/dav [R=301,L]
RewriteRule ^\.well-known/caldav https://192.168.1.252/nextcloud/remote.php/dav [R=301,L]

The issue still persists.

Hi,

To make sure your configuration is working, try setting the options directly in httpd.conf - your VirtualHost might not be set up properly, but since you’re hosting NextCloud exclusively, a VirtualHost isn’t required.

DocumentRoot "/srv/www/htdocs/"
<Directory /srv/www/htdocs/>
  Require all granted
  AllowOverride All
  Options FollowSymLinks MultiViews

  <IfModule mod_dav.c>
    Dav off
  </IfModule>
</Directory>

Let me know if it works after setting it directly in httpd.conf
-G

Hi @gibikha,

I edited the /etc/apache2/httpd.conf file with the following lines, and the original lines are commented out.

# forbid access to the entire filesystem by default
#<Directory />
#    Options None
#    AllowOverride None
#    <IfModule !mod_access_compat.c>
#        Require all denied
#    </IfModule>
#    <IfModule mod_access_compat.c>
#        Order deny,allow
#        Deny from all
#    </IfModule>
#</Directory>

DocumentRoot "/srv/www/htdocs/"
<Directory /srv/www/htdocs/>
  Require all granted
  AllowOverride All
  Options FollowSymLinks MultiViews

  <IfModule mod_dav.c>
    Dav off
  </IfModule>
</Directory>

It didn’t resolve the issue.
Running systemctl status httpd shows the error message below:
AH00558: httpd-prefork: Could not reliably determine the server’s fully qualified domain name, using ::1. Set the ‘ServerName’ directive globally to suppress this message

Hi,

I’m sorry, but I think this is getting beyond my abilities here.
Did you install manually or using the built in package on openSuSE?

Maybe you need to go through the setup instructions for opensuse and the nextcloud documentation and see if there is anything you missed. It is probably just a small detail.

https://en.opensuse.org/SDB:Nextcloud
https://docs.nextcloud.com/server/22/admin_manual/installation/source_installation.html

Hi @gibikha @bb77 @devnull
According to the instruction below:
‘For the first case the .htaccess file shipped with Nextcloud should do this work for you when you’re running Apache. You need to make sure that your Web server is using this file.’

So I tested the .htaccess file in /srv/www/htdocs, and it turns out that this .htaccess is not working at all.
The default .htaccess in /srv/www/htdocs/nextcloud is the one taking effect.

The root of the problem is the virtual host file and the .htaccess file.
I added the following configuration to the virtual host file.

<Directory /srv/www/htdocs/>
  Options Indexes FollowSymLinks
  AllowOverride All
  Require all granted
</Directory>

After that, the .htaccess file in /srv/www/htdocs finally works. Below is the link that helped me troubleshoot the .htaccess issue.
https://docs.boltcms.io/4.0/howto/making-sure-htaccess-works

Thanks all.
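
Why the .htaccess in /srv/www/htdocs was ignored until the document root got its own Directory block, as an added example (not code from the thread, Nextcloud or Apache): a small checker that works out which AllowOverride value applies to a directory. The two config strings are constructed samples modelled on the posts above, and the model assumes plain `<Directory>` paths only.

```python
import re

# Constructed sample modelled on the thread: overrides are denied globally
# and the vhost only opens up the nextcloud subfolder.
BEFORE = """
<Directory />
    Options None
    AllowOverride None
</Directory>
<VirtualHost *:443>
    DocumentRoot "/srv/www/htdocs"
    <Directory /srv/www/htdocs/nextcloud/>
        AllowOverride All
    </Directory>
</VirtualHost>
"""

# The fix from the last post: a block for the document root itself.
AFTER = BEFORE.replace("</VirtualHost>", """\
    <Directory /srv/www/htdocs/>
        AllowOverride All
    </Directory>
</VirtualHost>""")

BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
SETTING = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def effective_allow_override(conf, path):
    """AllowOverride value applied to `path` (simplified model: plain
    <Directory> paths only, no wildcards, regexes or <DirectoryMatch>).
    Apache merges sections shortest path first, so the longest matching
    prefix that sets AllowOverride wins."""
    path = path.rstrip("/") + "/"
    best, value = -1, "None"          # Apache 2.4 default is None
    for prefix, body in BLOCK.findall(conf):
        prefix = prefix.rstrip("/") + "/"
        setting = SETTING.search(body)
        if setting and path.startswith(prefix) and len(prefix) > best:
            best, value = len(prefix), setting.group(1)
    return value

def htaccess_rewrites_honoured(conf, directory):
    """RewriteRule in .htaccess needs AllowOverride All or FileInfo."""
    allowed = effective_allow_override(conf, directory).lower().split()
    return "all" in allowed or "fileinfo" in allowed

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, htaccess_rewrites_honoured(conf, "/srv/www/htdocs"))
```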


You are right, my virtualHost setting is not correct.
