Hi,
I am trying to set up the correct Apache2 config for strict https access only and strict http transport security only as recommended here:
https://docs.nextcloud.com/server/12/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security
Where I am stuck is:
- Which of the files 000-default.conf, default-ssl.conf and nextcloud.conf do I need to keep enabled?
- What should be their content?
The server is up and running in my home network and I made it temporarily accessible from outside for the certificate creation.
But before having the server permanently online accessible from outside, I would like to make it robust.
There are fragments of configs on the pages I reference in this post, but I do not know where to put them, or what the relevant files should look like in the end to be complete.
000-default.conf is unchanged from Kubuntu 16.04 fresh install, see below.
default-ssl.conf is unchanged from Kubuntu 16.04 fresh install, see below.
nextcloud.conf is from
https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html#apache-web-server-configuration
- How do I make the certificates known to Apache2?
Letsencrypt certificates are available in /etc/letsencrypt/live/“cloud.nextcloud.com”/live/
Any hints are very welcome! I’m a total newbie in database/server/html.
Here is what the files currently look like (without comment lines):

cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

cat /etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>

cat /etc/apache2/sites-enabled/nextcloud.conf

Alias /nextcloud "/var/www/nextcloud/"
<Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
        Dav off
    </IfModule>
    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
    Satisfy Any
</Directory>
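
One way the three files asked about above can fit together, as an added example that is not part of the original post and not taken from the poster's server: a single site file that would replace 000-default.conf and default-ssl.conf, while nextcloud.conf stays enabled as posted. The hostname cloud.example.com, the file name nextcloud-https.conf, the certbot file names fullchain.pem and privkey.pem, and the six-month max-age value are assumptions.

```apache
# /etc/apache2/sites-available/nextcloud-https.conf  (hypothetical file name)
# Assumes Apache 2.4 with mod_ssl and mod_headers enabled: a2enmod ssl headers
# cloud.example.com is a placeholder; substitute the name the certificate was issued for.

# Port 80 serves no content. Every request is answered with a 301 to HTTPS,
# so nothing is delivered over cleartext HTTP.
<VirtualHost *:80>
    ServerName cloud.example.com
    Redirect permanent / https://cloud.example.com/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName cloud.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    SSLEngine on
    # These two directives are how Apache learns about the certificate.
    # Assumed certbot layout: live/<certificate name>/{fullchain,privkey}.pem
    # They replace the self-signed "snakeoil" pair from default-ssl.conf.
    SSLCertificateFile    /etc/letsencrypt/live/cloud.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.com/privkey.pem

    # HSTS is sent only from the HTTPS vhost; browsers ignore it over plain HTTP.
    # "always" attaches the header to error responses as well.
    # includeSubDomains binds every subdomain to HTTPS for max-age seconds,
    # so drop it if any subdomain still has to be reachable over HTTP.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>

# nextcloud.conf (Alias /nextcloud plus its <Directory> block) remains enabled
# unchanged: it sits at server scope, so the :443 vhost inherits it, and on
# port 80 the Redirect is processed before any Alias.
```

After `a2dissite 000-default default-ssl` and `a2ensite nextcloud-https`, `apachectl configtest` checks the syntax before reloading, and `curl -sI https://cloud.example.com/nextcloud/` should then show the Strict-Transport-Security header.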