Initial Owncloud 9 Apache Setup and HTTPS - help needed

webserver_issue

#1

Hello,

I have managed to install owncloud 9.1.0 on an old laptop that is running Ubuntu server 14.04 LTS. Installed from PPA. As a database I am using MySQL and as server I am using Apache.
Owncloud is up and running. I followed the Owncloud 9 Administrator Manual to configure Apache and set up MySQL as well as the owncloud install.
I have also set up a free account with "no-ip.com" and forwarded port 80 on my router to my server's static IP Port 80.
I can access owncloud fine from within my network and also over http from outside my network, using either "http://mystaticIP/owncloud" from within the network or "http://mydomain(from no-ip)/owncloud" from outside my network. I followed the hardening and security tips. I have iptables running as a firewall (all necessary ports are configured correctly: 80, 443) and within my network https works with a self-signed certificate that I have created in Ubuntu as well as with the Ubuntu default self-signed certificate. Outside of my network https is not working even if I forward port 443. I think it has to do with the self-signed certificate.
I also have fail2ban up and running configured for Owncloud 9 according to the guide here in the forum.

I have a couple of questions due to being relatively new to Owncloud and Apache.

  1. Is this correct:

In the virtual host configuration files I have entered
Virtualhost my server's static ip :80
Virtualhost my server's static ip :443

ServerName my domain(from no-ip)
Do I need a server Alias?
DocumentRoot /var/www/
(should it be /var/www/owncloud for owncloud only use?)

  2. How do I get https to run from outside of my network?

How do I redirect all traffic to https?
Right now I have a redirect that is uncommented due to ssl not working from outside my network that looks like this in Virtualhost file for port 80:

#redirect all unencrypted traffic to https
#Redirect permanent / https://mydomain(from no-ip)/

Is this correct or should I use their server's static IP here?

  3. If I enter "http://mydomain(from no-ip)" I am directed to a blank index file that is located under /var/www/. Can I somehow redirect that to also directly go to "http://mydomain(from no-ip)/owncloud" (sub directory)?

  4. I also have a parked domain with a domain registrar that is only used for email hosting at this point. Maybe it could be used as well?!

  5. What other things do I need to do to secure my server?
    Anything Apache related in fail2ban? Any .htaccess file changes, or better in the Apache config files? Block certain IPs?

I would very much appreciate any help possible. I know this is a lot of different questions. Let me know if you need additional information.

Thank you!

Regards

OCnoob


#2

From what I can see most questions are related to Apache itself which are often better asked at a community like:

http://www.apachelounge.com/


#3

Thank you, I can see that that makes sense.

I just thought that this would be topics that other first time installers might have as well, or is Apache as a server uncommon for owncloud? Quite honestly the Apache part was more intense for me.

I would appreciate the https or SSL certificate topic to be addressed here though. I think I can manage the redirect things if necessary myself.

Regards

OCnoob


#4

The problem is that each of those topics (especially SSL and certificates) is specific to ownCloud and you will find tons of tutorials and howtos on those topics on the net.

Especially Apache on e.g. Debian has completely different configs and setup needs than on CentOS for example.

You will definitely find better support on these topics on a community dedicated to those.


#5

I get what you are saying. I guess what I am trying to say is: I will go and take my Apache topics somewhere else, and believe me, I have looked in regards to SSL; I just can't figure out what I would need in order to get it to work. I am 99% sure that my configuration of Virtualhost:443 is correct but that my problem is the self-signed certificate. Is there a way around it?
It is not like I haven't researched before, I just am not entirely sure how I get an SSL certificate that works or how to make the self-signed one work outside my network and how to redirect all the traffic to HTTPS and to subdomain mydomain/owncloud even if someone only types in mydomain without the /owncloud. For that matter I was asking about the redirect, or I could achieve this by changing the DocumentRoot in the virtual host config to /var/www/owncloud from currently /var/www, but I am not sure if this has any other downsides in regards to owncloud. (Which was another one of my questions.) So this was really more of an owncloud related question than an Apache related one. I know this would work, already tried it, but I read in the old forum that this may be a problem in regards to owncloud updates. Maybe there is someone here that has experience with that as well.

I think I can check the rest of the config by researching but I would really appreciate help with the SSL certificate and redirect to subdomain or if changing the Documentroot is a problem and will affect owncloud in any way negatively.

Thanks again for your answer.


#6

SSL is also a topic completely unrelated to ownCloud itself. SSL happens at your webserver and doesn't affect the functionality of oC in any way (if SSL is setup correctly).

The document root topic you're referring to also can't cause any issue with SSL. However you should note:

Do not move the folders provided by these packages after the installation, as this will break updates.
from: https://doc.owncloud.org/server/9.1/admin_manual/installation/linux_installation.html

If you want to fiddle around with the stuff like accessing via example.com/owncloud vs example.com only see:

https://doc.owncloud.org/server/9.1/admin_manual/installation/changing_the_web_route.html

However note that all this stuff is again webserver specific stuff mostly unrelated to oC


#7

You can either configure apache in such a way that your owncloud is available without the subdirectory (e.g. use /var/www/owncloud as DocumentRoot), or you redirect e.g. by a /var/www/index.php:

<?PHP
header("Location: https://example.com/owncloud");
exit();
?>

Very good idea, because with your own domain, you can easily use a public SSL certificate for free: letsencrypt.org or startssl.com. The easiest would be to set a CNAME entry for your domain which points to your no-ip-domain. Hopefully you can manually add DNS entries.

A good default configuration of your services and a minimal usage of them (only install services that you really need) are a good start. If you only allow connections via a VPN, then you add another layer of security but it makes the use more difficult. Most security measures are more or less controversial; IP blocks seem to be a good idea but don't prevent serious attackers and might have downsides for legitimate users (proxy servers, carrier grade NAT, ...).


#8

First of all I wanted to say, I get what you are saying now: you would think questions only related to e.g. the owncloud config.php etc. would be more for this forum. I also wanted to say I really didn't want to come across the wrong way and am greatly appreciating your answers. You did help me with this because I changed the web route accordingly. Now my Owncloud is accessible without typing the "/owncloud".

Thank you, I have created a CNAME record at my parked domain and pointed it to my no-ip (free domain). Now my owncloud is accessible by "http://cloud.mydomain.com". All port 80.
I have also obtained a free SSL certificate from Startssl for cloud.mydomain.com and changed my virtualhostfile for port 443 to use the Startssl certificate and keyfile.
I forwarded port 443 on my router to my server's static ip.
What else would I have to do, because it is still not accepting the HTTPS connection? Do I need to upgrade my no-ip account? Doesn't look like the free account can be used with external SSL certificates. What was the DNS name server part about? I have my domain at GoDaddy and it is parked. GoDaddy does let you change nameservers. I still need it to work with my current MX records though because it is the domain I use for my main email. I would also consider transferring my domain to no-ip if that would make it any easier.

Thanks for your comment. Was very useful!

Regards

OCnoob


#9

If you get access via http, your DNS settings are correct. It's more likely an issue with your router's settings or a firewall. A certificate problem would be shown after you were able to connect to your server. Once you got a connection, you can check your certificate and your ssl settings with an online check on ssllabs.com


#10

Do you think this could be the problem:
http://www.noip.com/support/knowledgebase/can-you-add-an-ssl-to-a-hostname-attached-to-no-ips-domain/

Internally port 443 and HTTPS are working; that tells me it is not a firewall issue at the server, right? I also forwarded port 443 from the router to the server's static ip internal port 443, that should be correct as well.
If I read this correctly I would have to upgrade my no-ip account to plusdns, right?

Sorry for going a little bit outside of the owncloud topic.


#11

No, because you use cloud.mydomain.com for your ssl certificate. But independent from your ssl certificate, you should be able to access your server via ssl (is also possible for self-signed certs). I suppose it is your router. Perhaps they reserved port 443 for their web-interface? Or your provider doesn't allow traffic on it? Can you do a portscan from outside your home on your public ip?
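Added example, not part of the thread: posts #9 and #11 separate "cannot connect at all" from "connected, but the certificate is not trusted". The Python sketch below checks those stages in order; `diagnose_https` and its stage names are hypothetical.

```python
import socket
import ssl
import sys

def diagnose_https(host, port=443, timeout=5.0):
    """Return (stage, detail), where stage is 'tcp', 'tls', 'cert' or 'ok'."""
    # Stage 1: plain TCP. A failure here points at a firewall, the router's
    # port forwarding or the ISP; no certificate has been exchanged yet.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", f"cannot connect: {exc}")

    # Stage 2: TLS handshake with verification disabled, so a self-signed
    # or mismatched certificate cannot be the reason for a failure.
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return ("tls", f"TCP works, handshake failed: {exc}")

    # Stage 3: fresh connection with normal verification against the system
    # trust store; only now can the certificate itself be the problem.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        return ("cert", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls", str(exc))
    return ("ok", version)

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 thisfile.py cloud.mydomain.com
    print(diagnose_https(sys.argv[1]))
```

Run it from a connection outside the home network; a `tcp` result means the certificate has not been looked at yet.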


#12

I have scanned my public ip, my no-ip domain and cloud.mydomain.com for open ports using mobile internet and a portscan app on my phone. All had the same result, port 80 for http and port 443 for HTTPS are open.

Still can't connect to "https://cloud.mydomain.com"; the error I get on Safari is "secure connection could not be established".

Ssllabs however says unable to connect to the server.


#13

Do you see anything in your webserver logfiles when you try to connect via SSL? Inside your virtualhost-config, did you set cloud.mydomain.com as ServerName or ServerAlias?


#14

I did set it as ServerName. I did set the no-ip domain as ServerAlias. Both without http or https in front. I also added both to trusted domains in owncloud config.php.

Lol...haven't found my log file directory yet...


#15

Or your VirtualHost is not matching (e.g. <VirtualHost local_ip:443> instead of <VirtualHost *:443>)


#16

I have the local ip exactly where you pointed it out in the virtual host file. I found my logs and I found one thing:

[ssl:warn] [pid 5051] AH01909: RSA certificate configured for cloud.mydomain.com:443 does NOT include an ID which matches the server name

What else are you looking for?

I also set the ServerName globally to cloud.mydomain.com in the apache2.conf


#17

Can you then try this:

<VirtualHost *:443>
ServerName cloud.mydomain.com
...

#18

Same result as with the local ip. And yes I did restart the server :wink:

Btw the SSL error in the error log was probably old because it was from this morning. Didn't show up in this restart.


#19

I am soooooo sorry, that I didn't think of this before.....nevermind it is working now. I was wrong saying this:

Because, security cautious as I am, I have restricted access via Linux firewall to internal subnet; that is why internally it was working. Why it didn't behave the same for port 80 I really don't know. However, after flushing all firewall rules and allowing all traffic it is working now. So I guess I just have to set up my firewall correctly again and that is it.

Thank you so much for your help. Should have listened more closely before, I guess.

I learned a lot along the way!!!

Regards

OCnoob
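
Added example, not part of the thread: the cause found in #19 (a host firewall rule that limits access to the internal subnet) can be spotted by reading the saved ruleset instead of flushing it. The rules below are constructed for illustration, and `port_exposure` is a hypothetical helper that reads IPv4 `iptables-save` output only.

```python
import ipaddress
import shlex
# Constructed iptables-save sample (not the poster's real rules):
# HTTP is open to everyone, HTTPS only to the internal subnet.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _opt(tok, *names):
    """Value that follows the first of `names` found in the rule, else None."""
    for name in names:
        if name in tok[:-1]:
            return tok[tok.index(name) + 1]
    return None

def _covers(spec, port):
    """True if a --dport/--dports value (80 | 80,443 | 8000:8100) includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo or 0)
        if low <= port <= (int(hi or 65535) if sep else low):
            return True
    return False

def port_exposure(rules_text, ports=(80, 443)):
    """Classify each port as 'open', 'lan-only' or 'closed'. Simplified: reads only
    `-A INPUT ... -j ACCEPT` rules with a port; ignores order, negation and -i."""
    sources = {p: [] for p in ports}
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        spec = _opt(tok, "--dport", "--dports")
        if tok[:2] != ["-A", "INPUT"] or _opt(tok, "-j") != "ACCEPT" or not spec:
            continue
        net = ipaddress.ip_network(_opt(tok, "-s", "--source") or "0.0.0.0/0", strict=False)
        for p in (p for p in ports if _covers(spec, p)):
            sources[p].append(net)
    def lan(n):  # source range lies entirely inside private/loopback space
        return any(n.subnet_of(priv) for priv in PRIVATE)
    return {p: "closed" if not nets else "lan-only" if all(map(lan, nets)) else "open"
            for p, nets in sources.items()}
```

On the sample, port 80 is reported as `open` and port 443 as `lan-only`, which matches the symptom in the thread: HTTP reachable from outside, HTTPS only from inside the network.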