SOLVED HTTPS redirect in Owncloud jail

Status
Not open for further replies.

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
I have an owncloud jail set up, the current 9.1.2 version. I have SSL set up correctly, so if I go to https://mysite.com or https://www.mysite.com I get the login page for the server.

I have a problem in that sometimes, if I do not use the secure link, it does not load the login page. I believe I have not completed the setup to the level the jail is expecting, as evidenced by the error at the top of the admin page in the web UI:

Code:
The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. 
For enhanced security we recommend enabling HSTS as described in our security tips.

Their security tips page describes what to add to force a redirect to the secure site, but I am unsure how to add what the site is suggesting. I found a virtualhosts file under the directory "/usr/pbi/owncloud-amd64/etc/apache24/extra/httpd-vhosts.conf" but it only had two generic examples of "<VirtualHost *:80>" blocks, so it doesn't look (to me) like that's the actual file apache uses for virtual hosts.

I don't want to edit any files that could mess up the web UI if I mess it up, so I'd like to make sure: Is this the correct file to edit for HTTPS redirects? If so, should I be adding anything besides what is shown on the owncloud guide page? I would like to add the "HSTS" line and the HTTPS force redirect.
 
Joined
Jan 7, 2015
Messages
1,155
This is my actual owncloud httpd-vhosts.conf owncloud section that absolutely works. You can replace domain with your actual domain and if you have it right, it will work to send owncloud.yourdomain.com to https://owncloud.yourdomain.com. Your mileage may vary, but this should help you.

Code:
<VirtualHost owncloud.domain.org:80>
	ServerAdmin admin@domain.org
	DocumentRoot "/usr/local/www/owncloud"
	ServerName owncloud.domain.org
	# Keep the trailing slash on the target: mod_alias appends the rest of the
	# requested path to it, so without the slash /index.php would be sent to
	# https://owncloud.domain.orgindex.php
	Redirect / https://owncloud.domain.org/
	CustomLog /mnt/owncloud/data/owncloud.log combined
	ErrorLog /mnt/owncloud/data/owncloud.log
	<Directory "/usr/local/www/owncloud">
		Options All
		AllowOverride All
		Require all granted
	</Directory>
</VirtualHost>

<VirtualHost owncloud.domain.org:443>
	ServerAdmin admin@domain.org
	DocumentRoot "/usr/local/www/owncloud"
	ServerName owncloud.domain.org
	SSLEngine on
	SSLCertificateFile /usr/local/etc/letsencrypt/live/owncloud.domain.org/cert.pem
	SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/owncloud.domain.org/privkey.pem
	SSLCertificateChainFile /usr/local/etc/letsencrypt/live/owncloud.domain.org/chain.pem
	CustomLog /mnt/owncloud/data/owncloud.log combined
	ErrorLog /mnt/owncloud/data/owncloud.log
	# HSTS is only emitted when mod_headers is loaded; the IfModule guard means a
	# missing module fails silently, which is exactly what ownCloud's warning reports
	<IfModule mod_headers.c>
	  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
	</IfModule>
</VirtualHost>
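A quick way to confirm what the server actually sends, as an added example that is not from this thread or from ownCloud: it parses raw HTTP responses and checks that port 80 redirects to https:// on the same host (with the path kept intact) and that the HTTPS response carries an HSTS header meeting the 15552000-second threshold ownCloud's admin page warns about. The sample responses are constructed; in practice feed it the output of `curl -sI http://host/index.php` and `curl -sI https://host/`.

```python
import re

# ownCloud's admin page wants max-age of at least this many seconds (the warning quoted above).
MIN_HSTS_MAX_AGE = 15552000


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {header-name-lowercase: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(head[0].split()[1]), headers


def check_redirect(http_response, host):
    """Port-80 answer must redirect to https://<host>/ ... A 'Redirect / https://host'
    with no trailing slash glues the path onto the hostname, which this rejects."""
    status, headers = parse_response(http_response)
    target = re.match(r"https://%s(/|$)" % re.escape(host), headers.get("location", ""))
    return status in (301, 302, 307, 308) and target is not None


def check_hsts(https_response):
    """Return (ok, reason): header present, numeric max-age, and at least the threshold."""
    _, headers = parse_response(https_response)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return False, "no Strict-Transport-Security header (mod_headers loaded? vhost matched?)"
    directives = {}
    for part in hsts.split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.lower()] = value.strip()
    if not directives.get("max-age", "").isdigit():
        return False, "max-age missing or not numeric"
    max_age = int(directives["max-age"])
    if max_age < MIN_HSTS_MAX_AGE:
        return False, "max-age %d is below %d" % (max_age, MIN_HSTS_MAX_AGE)
    return True, "ok, includeSubDomains=%s" % ("includesubdomains" in directives)


# Constructed sample responses modelled on the vhost config above (not real captures).
HTTP_GOOD = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://owncloud.domain.org/index.php\r\n\r\n"
HTTP_BAD = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://owncloud.domain.orgindex.php\r\n\r\n"
HTTPS_GOOD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n"
HTTPS_WEAK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=3600\r\n\r\n"
```

If the HTTPS response passes here but ownCloud still warns, the request that reached ownCloud was served by a different vhost (or through a proxy) than the one carrying the Header line.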
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
Thank you, so I can just replace the example domain with mine?

One thing: I already have my SSL certificates moved to the apache directory, and they are defined elsewhere as "server.crt" and "server.key". Do I still have to define them using the "SSLCertificate" lines?

Also, seeing where you put the log files made me realize that I am also using the default data directory to store my user files, rather than putting them outside the jail in my network share. Would it be relatively easy to move my data directory to jail attached storage like it appears you did?

Thank you again.
 
Joined
Jan 7, 2015
Messages
1,155
Yes, you can for the most part replace the example domain with yours. You want the certs and logs outside of any www directory. I can't imagine it being smart to store them in an apache data directory.

I have my certs in the default certbot directory.

If you look around this forum there are several threads detailing everything we are talking about. Moving your owncloud storage to a mount point and such.
 
Joined
Jan 7, 2015
Messages
1,155
It should be noted that I did not use the PBI plugin. I did all this by hand. Some things may be different, but for the most part it should be similar. You can add the virtualhost blocks directly to your main apache config; alternatively, you will have to tell the apache config you want to use the vhost file. It's in the config toward the bottom. I have all of mine in a vhosts file because I have lots of stuff going on in my apache server. But if all you are doing is using apache for owncloud, it would be perfectly fine to put these blocks directly inside the httpd.conf file, all the way at the end. Apache is good about complaining when something isn't right too; it's not going to let you mess anything up too badly or it won't start. With that said, it might be a good idea to back up this file before you start jacking with it.
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
Thank you for the clarification. I should have specified that I was using the Owncloud plugin, as I don't think I could have set this up myself.

My certs are currently saved in "/usr/pbi/owncloud-amd64/etc/apache24" under the names I listed above. I don't remember where I found the instructions, but there is no setup beyond copying those files to that folder and restarting apache, so I think it is some kind of default apache setup. Am I able to convert the .cert and .key files I have into the .pem files that you use? I used the Freenas web UI and some copy-paste wizardry with my domain provider (Namecheap) to generate those files.
 
Joined
Jan 7, 2015
Messages
1,155
Those files, in that location, will work. You will want to specify the location in the virtualhost tags as /etc/apache24/server.crt as the PBI path is from within the freenas SSH session. Apache in an owncloud jail will probably not know how to find this directory.
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
I put the two virtualhost blocks at the end of my httpd.conf file, replacing the server admin, domain name, and log paths with my own values.

Directing the SSL lines to /etc/apache24/server.crt and server.key did not work; I got a "file not found" error when I tried to restart apache. I copied the files to /usr/local, and directed the config there, so the lines are:
Code:
	SSLCertificateFile /usr/local/server.crt
	SSLCertificateKeyFile /usr/local/server.key
I still cannot access the HTTP site, but at this point I realize that I am probably not redirecting port 80 properly in my router (page times out), I will have to double-check that.

I successfully restarted apache, and also restarted the jail entirely, but I still have the "HSTS" error at the top of my OC admin page. This is what I have [anonymized] at the bottom of the httpd.conf:
Code:
<VirtualHost [site.com]:80>
	ServerAdmin [name]@gmail.com
	DocumentRoot "/usr/local/www/owncloud"
	ServerName [site.com]
	# trailing slash keeps the requested path after the hostname
	Redirect / https://[site.com]/
	CustomLog /logs/owncloud.log combined
	ErrorLog /logs/owncloud.log
	<Directory "/usr/local/www/owncloud">
		Options All
		AllowOverride All
		Require all granted
	</Directory>
</VirtualHost>

<VirtualHost [site.com]:443>
	ServerAdmin [name]@gmail.com
	DocumentRoot "/usr/local/www/owncloud"
	ServerName [site.com]
	SSLEngine on
	SSLCertificateFile /usr/local/server.crt
	SSLCertificateKeyFile /usr/local/server.key
	CustomLog /logs/owncloud.log combined
	ErrorLog /logs/owncloud.log
	<IfModule mod_headers.c>
	  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
	</IfModule>
</VirtualHost>
 
Joined
Jan 7, 2015
Messages
1,155
In the Apache config is the mod_headers module loaded?
Code:
LoadModule headers_module libexec/apache24/mod_headers.so

If this line is commented (#) out, uncomment it.

This module is needed for strict transport.
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
It is already uncommented, so the module is loaded.
 
Joined
Jan 7, 2015
Messages
1,155
I'm not sure where the plugin puts things exactly, but my files are all in /usr/local/etc or some variation of that and not /etc. This may be where the PBI puts things; I can't really help there.
 
Joined
Jan 7, 2015
Messages
1,155
It is already uncommented, so the module is loaded.
I'm not really sure what to tell you to do now. This is how mine is set, and it works with no warnings. I can tell you that not having HSTS isn't a deal breaker. If you are showing a green lock in the address bar, you are secured with SSL. I'm sure you have gone over the OC help pages with regards to HSTS?

One other thing: have you cleared caches and such in your browser? Maybe it's a remnant?
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
I used Microsoft Edge to log in (which I never use), and I saw the same symptoms: can't connect via normal http, and the HSTS error on the top of the admin page.

I checked my port forwarding rules, and they are OK, pointing both 80 and 443 to my OC jail's IP. I get the feeling that neither of the virtualhost settings have stuck.

I guess I have some amount of security in that the HTTP version is entirely inaccessible, so all a MITM attack would get from that is a timeout error. I could try redirecting inbound port 80 to port 443 on my router, and see if that helps.
 
Joined
Jan 7, 2015
Messages
1,155
No, I wouldn't go that route just yet. Tell me, what are the contents of /usr/local/www? Just tell me if there is an owncloud directory in there. What are the contents of /usr/local/www/apache24/data? You can paste whatever ll returns.
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
There is only the 'owncloud' directory in /usr/local/www.
 
Joined
Jan 7, 2015
Messages
1,155
Do you have this block in your apache config?? Probably at the bottom?
Code:
Alias /owncloud "/usr/local/www/owncloud"
<Directory "/usr/local/www/owncloud">
Options None
AllowOverride None
Require all granted
</Directory>
 
Joined
Jan 7, 2015
Messages
1,155
Lastly, what is your apache document root? It's a line in the config that looks like this..
Code:
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
Except for the first line, "Alias /owncloud "/usr/local/www/owncloud"" (which isn't anywhere in the config), that particular directory block is only in the first virtualhost block, as given in your example.

Document root is as follows:
Code:
DocumentRoot "/usr/pbi/owncloud-amd64/www/apache24/data"
<Directory "/usr/pbi/owncloud-amd64/www/apache24/data">
 
Joined
Jan 7, 2015
Messages
1,155
Except for the first line, "Alias /owncloud "/usr/local/www/owncloud"" (which isn't anywhere in the config), that particular directory block is only in the first virtualhost block, as given in your example.

Document root is as follows:
Code:
DocumentRoot "/usr/pbi/owncloud-amd64/www/apache24/data"
<Directory "/usr/pbi/owncloud-amd64/www/apache24/data">


Okay then here is what I propose.. If owncloud is the only website you want to run on this webserver.. Change the document root to (httpd.conf)

Code:
DocumentRoot "/usr/local/www/owncloud"
<Directory "/usr/local/www/owncloud">

Then, just to be sure, chown www:www /usr/local/www/owncloud

Then service apache24 restart

Now you should have owncloud at www.domain.com, and the redirect might actually grab it and send you to https://www.domain.com

On port 80 it is looking for owncloud in
Code:
<Directory "/usr/pbi/owncloud-amd64/www/apache24/data">
and without the alias block it does not know where to look...

Edit: I guess the virtualhost block would take care of that though.. Hmm.. Either way this is good.. It *should* work.
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
Owncloud is the only site running in this jail. I changed the document root, and gave ownership to 'www' for the owncloud directory like you showed, but it is still not working on port 80 after restarting apache.
 