What is the target NC12 configuration for strict https only?

Hi,

I am trying to set up the correct Apache2 config for strict https access only and strict http transport security only as recommended here:
https://docs.nextcloud.com/server/12/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security

Where I am stuck is:

  • Which of the files 000-default.conf, default-ssl.conf and nextcloud.conf do I need to keep enabled?
  • What should be their content?

The server is up and running in my home network and I made it temporarily
accessible from outside for the certificate creation.
But before having the server permanently online accessible from outside,
I would like to make it robust.

There are fragments of configs on the pages I reference in this post, but I do not know where to put them,
nor how the relevant files should look in the end to be complete.

000-default.conf is unchanged from Kubuntu 16.04 fresh install, see below.
default-ssl.conf is unchanged from Kubuntu 16.04 fresh install, see below.
nextcloud.conf is from
https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html#apache-web-server-configuration

  • How do I make the certificates known to Apache2?
    Letsencrypt certificates are available in /etc/letsencrypt/live/“cloud.nextcloud.com”/live/

Any hints are very welcome! I’m a total newbie in database/server/html.

Here is what the files currently look like (without comment lines):

cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

cat /etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>

</IfModule>

cat /etc/apache2/sites-enabled/nextcloud.conf

Alias /nextcloud "/var/www/nextcloud/"

<Directory /var/www/nextcloud/>
  Options +FollowSymlinks
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /var/www/nextcloud
 SetEnv HTTP_HOME /var/www/nextcloud

 Satisfy Any

</Directory>

I would keep the http-vhost and redirect everything to https:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        # Redirect takes a URL-path first and then the target URL;
        # "/" sends every request on port 80 to the https site
        Redirect permanent / https://example.com/
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

For https, you have quite a few settings; ssllabs.com helps you choose secure ciphers. You can follow any guide for ubuntu+ssl+apache+letsencrypt, it's not specific to Nextcloud.
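The question asks which of the three site files to keep and what a finished, https-only configuration looks like, and the reply above gives only the port-80 redirect. The following is an added example that is not part of the original thread or of the Nextcloud documentation: one Apache 2.4 site file that replaces 000-default.conf and default-ssl.conf, combining the redirecting port-80 vhost, a port-443 vhost pointed at the Let's Encrypt certificate, the HSTS header from the hardening guide, and the Nextcloud alias from the question. The hostname cloud.example.com, the certbot directory /etc/letsencrypt/live/cloud.example.com/, the DocumentRoot /var/www/html used for certbot's webroot plugin, and the cipher list are assumptions; substitute your own.

```apache
# Added example, not from the original post or the Nextcloud docs.
# Assumed: hostname cloud.example.com, Nextcloud at /var/www/nextcloud served
# under /nextcloud, certificate from certbot in /etc/letsencrypt/live/cloud.example.com/.
#
# Enable and check:
#   sudo a2enmod ssl headers
#   sudo a2dissite 000-default default-ssl   # this file replaces both
#   sudo a2ensite nextcloud                   # assuming it is saved as sites-available/nextcloud.conf
#   sudo apache2ctl configtest && sudo systemctl reload apache2
#   curl -sI http://cloud.example.com/            | grep -i '^location'
#   curl -sI https://cloud.example.com/nextcloud/ | grep -i 'strict-transport'

# Plain-HTTP vhost: answers only to redirect. No content, no HSTS header here
# (browsers ignore Strict-Transport-Security on non-TLS responses anyway).
<VirtualHost *:80>
    ServerName cloud.example.com
    ServerAdmin webmaster@localhost
    # Redirect takes a URL-path then a URL; "/" covers every request.
    Redirect permanent / https://cloud.example.com/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName cloud.example.com
    ServerAdmin webmaster@localhost
    # Kept so "certbot --webroot -w /var/www/html" can still place
    # /.well-known/acme-challenge/ files for renewal (assumed renewal method).
    DocumentRoot /var/www/html

    SSLEngine on
    # fullchain.pem carries the leaf plus the intermediate; privkey.pem is the key.
    SSLCertificateFile    /etc/letsencrypt/live/cloud.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.com/privkey.pem

    # TLS 1.2 only, server-chosen ECDHE/AES-GCM suites. Assumed list; regenerate
    # it with the Mozilla SSL Configuration Generator and re-check on ssllabs.com.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

    # HSTS as recommended by the Nextcloud hardening guide (180 days).
    # "always" makes Apache add it on error responses too.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    # Nextcloud block, unchanged from the installation guide.
    Alias /nextcloud "/var/www/nextcloud/"
    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
        Satisfy Any
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>
```

Two caveats worth knowing before exposing this. The port-80 redirect does not break certificate renewal: Let's Encrypt's HTTP-01 validation follows the 301 to https, so the challenge file only has to be reachable under the same DocumentRoot on the TLS vhost, which this file provides. And HSTS is sticky: once a browser has seen the header it refuses plain-http access to the host for max-age, so confirm the https site works (including the /nextcloud path and any subdomains, because of includeSubDomains) before raising the age or adding preload.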