Server Setup 11: Config Improvements

If this is your first time looking at a post from this series, have a look at this summary: Server Setup 0: Contents

Before enabling public access to Nextcloud, let's take a moment to improve things a little.

Apache Config

First up, let’s force the use of HTTPS and make sure we haven’t left any security holes by stripping back the HTTP config file to its bare bones.

sudoedit /etc/apache2/sites-available/nextcloud.conf
<VirtualHost *:80>
	ServerName nextcloud.example.org
	Redirect permanent / https://nextcloud.example.org/
</VirtualHost>

The default Apache configuration gives access to a little too much – we can lock that down, and just open up the bits we want later with the site-specific configuration files.

sudoedit /etc/apache2/apache2.conf

Look for this section and put a # at the beginning of every line so they’re ignored.

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

Now we have to give access back just where we want it:

sudoedit /etc/apache2/sites-available/nextcloud-le-ssl.conf

Before the ErrorLog line, add this:

<Directory /var/www/nextcloud>
    Require all granted
</Directory>

Then do the same for the WordPress config:

sudoedit /etc/apache2/sites-available/wordpress-le-ssl.conf

Before the ErrorLog line, add this:

<Directory /var/www/wordpress>
    Require all granted
</Directory>

Restart Apache (you should know how to do that by now – look back through the previous posts until you find it.)

Nextcloud Administration Warnings

Log into your Nextcloud administrator account, click on the circle with your initial in the top right corner, and choose Settings. On the page that pops up, pick Overview from the menu on the right.

The system will think for a moment, then show a list of warnings:

If your list is the same as mine, I’ll show you how to fix the first 2, but you can work through the others on your own if you like.

PHP Memory Limit

“The PHP memory limit is below the recommended value of 512MB.”

It isn’t essential to fix this, and if you’re running Nextcloud on an old, lower-powered machine I wouldn’t recommend it, because that’s the limit per script, and a script fires up every time someone accesses your site, so with a few users doing heavy things, you’ll have a problem.

If you do want to do it, edit the PHP configuration file:

sudoedit /etc/php/7.3/apache2/php.ini

Find this line and change the number to what you want:

memory_limit = 512M

Then restart Apache

Enable HSTS

“The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.”

You can follow that link in the tip to find out the details of how we fix this, but these are the steps:

Enable the Apache headers module:

sudo a2enmod headers

Modify the Nextcloud apache configuration:

sudoedit /etc/apache2/sites-available/nextcloud-le-ssl.conf

Add this after the ServerName line:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

And reload Apache
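
To confirm the header really is being sent after the reload, the check below parses response headers and compares max-age with the 15552000 seconds from the warning. It is an added example, not part of the original post; the function names and the sample headers are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check response headers for HSTS.
MIN_AGE=15552000   # minimum from the Nextcloud warning quoted above

# Print the max-age of the first Strict-Transport-Security header on stdin.
# Prints nothing when the header or its max-age directive is missing.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security[ \t]*:/ {
            sub(/^[^:]*:/, "")                  # drop the header name
            n = split($0, parts, ";")
            for (i = 1; i <= n; i++) {
                d = tolower(parts[i])
                gsub(/[ \t"]/, "", d)            # strip spaces and quotes
                if (d ~ /^max-age=[0-9]+$/) {
                    sub(/^max-age=/, "", d)
                    print d
                    break
                }
            }
            exit                                 # only the first header counts
        }'
}

# Succeed only when max-age is present and at least MIN_AGE seconds.
hsts_ok() {
    age=$(hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$MIN_AGE" ]
}

# Constructed sample headers, so the check can be tried offline.
SAMPLE_GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains'
SAMPLE_SHORT='HTTP/1.1 200 OK
strict-transport-security: max-age="3600"'
SAMPLE_NONE='HTTP/1.1 200 OK
Server: Apache'

for name in GOOD SHORT NONE; do
    eval "hdrs=\$SAMPLE_$name"
    if printf '%s\n' "$hdrs" | hsts_ok; then echo "$name: pass"; else echo "$name: FAIL"; fi
done

# Against the live site (hostname from this post):
#   curl -sI https://nextcloud.example.org/ | hsts_ok && echo "HSTS ok"
```

Browsers ignore HSTS on plain HTTP responses, so run the live check against the https:// address, not the port 80 redirect.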

Re-enable public access

Now we’ve dealt with a few potential security issues, you can enable access to Nextcloud from outside your network.

sudoedit /etc/apache2/sites-available/nextcloud-le-ssl.conf

Either delete, or comment out these 3 lines. You can make a line into a comment by putting a # at the beginning of the line. That means it will be ignored.

<Location />
    Require ip xxx.xxx.xxx.0/24
</Location>

Reload Apache and you’re done!
