I have managed to install owncloud 9.1.0 on an old laptop that is running Ubuntu server 14.04 LTS. Installed from PPA. As a database I am using MySQL and as server I am using Apache. Owncloud is up and running. I followed the Owncloud 9 Administrator Manual to configure Apache and set up MySQL as well as the owncloud install. I have also set up a free account with "no-ip.com" and forwarded port 80 on my router to my server's static IP port 80. I can access owncloud fine from within my network and also over http from outside my network, using either "http://mystaticIP/owncloud" from within the network or "http://mydomain(from no-ip)/owncloud" from outside my network. I followed the hardening and security tips. I have iptables running as a firewall (all necessary ports are configured correctly: 80, 443) and within my network https works with a self-signed certificate that I have created in Ubuntu as well as with the Ubuntu default self-signed certificate. Outside of my network https is not working even if I forward port 443. I think it has to do with the self-signed certificate. I also have fail2ban up and running, configured for Owncloud 9 according to the guide here in the forum.
I have a couple of questions due to being relatively new to Owncloud and Apache.
Is this correct:
In the virtual host configuration files I have entered: VirtualHost my server's static IP:80 and VirtualHost my server's static IP:443.
ServerName my domain (from no-ip). Do I need a ServerAlias? DocumentRoot /var/www/ (should it be /var/www/owncloud for owncloud-only use?)
How do I get https to run from outside of my network?
How do I redirect all traffic to https? Right now I have a redirect that is uncommented due to SSL not working from outside my network that looks like this in the VirtualHost file for port 80:
"#redirect all unencrypted traffic to https" "#Redirect permanent / https://mydomain(from no-ip)/"
Is this correct or should I use the server's static IP here?
If I enter "http://mydomain(from no-ip)" I am directed to a blank index file that is located under /var/www/. Can I somehow redirect that to also directly go to "http://mydomain(from no-ip)/owncloud" (sub directory)?
I also have a parked domain with a domain registrar that is only used for email hosting at this point. Maybe it could be used as well?!
What other things do I need to do to secure my server? Anything Apache related in fail2ban? Any .htaccess file changes, or better in the Apache config files? Block certain IPs?
I would very much appreciate any help possible. I know this is a lot of different questions. Let me know if you need additional information.
I get what you are saying, I guess what I am trying to say is: I will go and take my Apache topics somewhere else, and believe I have looked in regards to SSL, I just can't figure out what I would need in order to get it to work. I am 99% sure that my configuration of VirtualHost:443 is correct but that my problem is the self-signed certificate. Is there a way around it? It is not like I haven't researched before, I just am not entirely sure how I get an SSL certificate that works or how to make the self-signed one work outside my network and how to redirect all the traffic to HTTPS and to subdomain mydomain/owncloud even if someone only types in mydomain without the /owncloud. For that matter I was asking about the redirect, or I could achieve this by changing the DocumentRoot in the virtual host config to /var/www/owncloud from currently /var/www, but I am not sure if this has any other downsides in regards to owncloud. (Which was another one of my questions.) So this was really more of an owncloud related question than an Apache related one. I know this would work, already tried it, but I read in the old forum that this may be a problem in regards to owncloud updates. Maybe there is someone here that has experience with that as well.
I think I can check the rest of the config by researching but I would really appreciate help with the SSL certificate and redirect to subdomain, or if changing the DocumentRoot is a problem and will affect owncloud in any way negatively.
Very good idea, because with your own domain, you can easily use a public SSL certificate for free: letsencrypt.org or startssl.com. The easiest would be to set a CNAME entry for your domain which points to your no-ip-domain. Hopefully you can manually add DNS entries.
A good default configuration of your services and a minimal usage of them (only install services that you really need) are a good start. If you only allow connections via a VPN, then you add another layer of security but it makes the use more difficult. Most security measures are more or less controversial; IP blocks seem to be a good idea but don't prevent serious attackers and might have downsides for legitimate users (proxy servers, carrier-grade NAT, ...).
First of all I wanted to say, I get what you are saying now: you would think questions only related to e.g. the owncloud config.php etc. would be more for this forum. I also wanted to say I really didn't want to come across the wrong way and am greatly appreciating your answers. You did help me with this because I changed the web route accordingly. Now my Owncloud is accessible without typing the "/owncloud".
Thank you, I have created a CNAME record at my parked domain and pointed it to my no-ip (free domain). Now my owncloud is accessible by "http://cloud.mydomain.com". All port 80. I have also obtained a free SSL certificate from Startssl for cloud.mydomain.com and changed my virtual host file for port 443 to use the Startssl certificate and keyfile. I forwarded port 443 on my router to my server's static IP. What else would I have to do, because it is still not accepting the HTTPS connection? Do I need to upgrade my no-ip account? Doesn't look like the free account can be used with external SSL certificates. What was the DNS name server part about? I have my domain at GoDaddy and it is parked. GoDaddy does let you change nameservers. I still need it to work with my current MX records though because it is the domain I use for my main email. I would also consider transferring my domain to no-ip if that would make it any easier.
If you get access via http, your DNS settings are correct. It's more likely an issue with your router's settings or a firewall. A certificate problem would be shown after you were able to connect to your server. Once you got a connection, you can check your certificate and your SSL settings with an online check on ssllabs.com.
Internally port 443 and HTTPS are working; that tells me it is not a firewall issue at the server, right? I also forwarded port 443 from the router to the server's static IP internal port 443, that should be correct as well. If I read this correctly I would have to upgrade my no-ip account to plusdns, right?
Sorry for going a little bit outside of the owncloud topic.
No, because you use cloud.mydomain.com for your SSL certificate. But independent from your SSL certificate, you should be able to access your server via SSL (is also possible for self-signed certs). I suppose it is your router. Perhaps they reserved port 443 for their web interface? Or your provider doesn't allow traffic on it? Can you do a portscan from outside your home on your public IP?
I have scanned my public ip, my no-ip domain and cloud.mydomain.com for open ports using mobile internet and a portscan app on my phone. All had the same result, port 80 for http and port 443 for HTTPS are open.
Still can't access "https://cloud.mydomain.com"; the error I get on Safari is "secure connection could not be established".
Ssllabs however says unable to connect to the server.
I am soooooo sorry that I didn't think of this before..... never mind, it is working now. I was wrong saying this:
Because, security cautious as I am, I have restricted access via Linux firewall to internal subnet; that is why internally it was working. Why it didn't behave the same for port 80 I really don't know. However, after flushing all firewall rules and allowing all traffic it is working now. So I guess I just have to set up my firewall correctly again and that is it.
Thank you so much for your help. Should have listened more closely before, I guess.
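The cause found at the end of this thread (HTTPS works on the LAN but not from outside because the host firewall only accepts port 443 from the internal subnet) can be checked against a saved ruleset. This is an added example, not part of the original posts: the ruleset and the subnet 192.168.1.0/24 are constructed, and the helper `verdict_for_port` is hypothetical and models only simple `-s`, `-i`, `-p`, `--dport` and state matches in the INPUT chain.

```shell
#!/bin/sh
# verdict_for_port PORT < ruleset
# Prints the verdict (ACCEPT/DROP/REJECT) that a NEW TCP connection from an
# outside address to PORT would get from the INPUT chain, first match wins.
verdict_for_port() {
    awk -v port="$1" '
        BEGIN { policy = "ACCEPT" }                # kernel default policy
        $1 == ":INPUT" { policy = $2; next }       # chain policy line
        $1 != "-A" || $2 != "INPUT" { next }       # only INPUT rules
        {
            src = dport = proto = iface = state = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                else if ($i == "-i") iface = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "--ctstate" || $i == "--state") state = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (src != "" && src != "0.0.0.0/0") next   # source-restricted rule
            if (iface == "lo") next                     # loopback only
            if (proto != "" && proto != "tcp") next
            if (dport != "" && dport != port) next
            if (state != "" && state !~ /NEW/) next     # e.g. ESTABLISHED only
            if (target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; found = 1; exit }
        }
        END { if (!found) print policy }
    '
}

# Constructed iptables-save style ruleset; $1 is an optional source match
# placed on the port 443 rule (empty means "from anywhere").
sample_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT $1 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

echo "443 limited to LAN: $(sample_rules '-s 192.168.1.0/24' | verdict_for_port 443)"
echo "443 from anywhere:  $(sample_rules '' | verdict_for_port 443)"
```

On a live server the same function can read the active rules with `iptables-save | verdict_for_port 443`, run as root.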