Allow Directory in local network and only virtual host in .htaccess

Time:10-15

I have installed a nextcloud on my raspberrypi. I want to use it in my local network for file transfer and everywhere for contacts and the calendar.

My nextcloud is located at /var/www/html/nextcloud. I also created a file /etc/apache2/sites-available/nextcloud.conf to enable the virtual host. Basically:

<VirtualHost *:80>
  DocumentRoot /var/www/html/nextcloud/
  ServerName  nextcloud.example.com

  <Directory /var/www/html/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>

  SetEnv HOME /var/www/html/nextcloud
  SetEnv HTTP_HOME /var/www/html/nextcloud
</VirtualHost>

The nextcloud is reachable via the following links:

  • 192.168.2.100/nextcloud
  • nextcloud.example.com
  • example.com/nextcloud

My question: Is there a way to forbid the access via example.com/nextcloud?

I tried to add deny, allow entries into /var/www/html/nextcloud/.htaccess. But either I block too much, or it does not work. Help is appreciated.

CodePudding user response:

The fact that example.com/nextcloud is accessible at all is because you're pointing the subdomain at a subdirectory off the main domain's document root (as defined in the main domain's VirtualHost). If the subdomain is an entirely separate entity then it would be preferable that it points to an area outside of the main domain's document root.

I tried to add deny, allow entries into /var/www/html/nextcloud/.htaccess

If you want to block this in .htaccess (as opposed to the main domain's vHost config) then you need to check the requested Host header. And in doing this I would have thought it would be preferable to block anything other than the canonical hostname, i.e. anything other than nextcloud.example.com (so it also blocks requests via the IP address), rather than checking for the hostnames you want to block. You can do this using mod_rewrite, for example:

# /var/www/html/nextcloud/.htaccess

RewriteEngine On

RewriteCond %{HTTP_HOST} !^nextcloud\.example\.com$
RewriteRule ^ - [F]

The above responds with a "403 Forbidden" for any request where the requested Host header is not (as denoted by the ! prefix) nextcloud.example.com.

You could also block this subdirectory in the main domain's vHost container (not the subdomain). So it only applies to requests to example.com. For example:

<Directory /var/www/html/nextcloud>
    Require all denied
</Directory>

Note that Order, Allow and Deny are Apache 2.2 directives and formally deprecated on Apache 2.4. You should be using Require (mod_authz_core) on Apache 2.4.
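
The vHost-level block from the answer, laid out next to the subdomain's vHost and extended with a LAN exception to match the question's goal (an added example, not part of the original answer). The main vHost's ServerName and DocumentRoot, its role as the default vHost, and the 192.168.2.0/24 range are assumptions inferred from the question.

```apache
# Added example. Assumptions: the main domain's vHost is the default vHost for
# *:80 (so requests by IP address are handled by it), its DocumentRoot is
# /var/www/html, and the local network is 192.168.2.0/24.

# Main domain: example.com/nextcloud and 192.168.2.100/nextcloud end up here.
<VirtualHost *:80>
  ServerName   example.com
  DocumentRoot /var/www/html

  # Access control for the nextcloud subdirectory applies only inside this
  # vHost. Clients outside the LAN get 403; swap in "Require all denied"
  # to refuse the path for everyone, as in the answer.
  <Directory /var/www/html/nextcloud>
    Require ip 192.168.2.0/24
  </Directory>
</VirtualHost>

# Subdomain: same access rules as in the question, reachable from anywhere.
<VirtualHost *:80>
  ServerName   nextcloud.example.com
  DocumentRoot /var/www/html/nextcloud/

  <Directory /var/www/html/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
  </Directory>
</VirtualHost>
```

Because each Directory block sits inside its own VirtualHost, the restriction on the main domain does not affect requests for nextcloud.example.com. Run `apachectl configtest` before reloading Apache.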
