Apache2 SSL A+ (Nextcloud)


Below are my Apache2 configuration files (vhosts) that earn an A+ rating from ssllabs.com. First create the Nextcloud vhost that redirects plain http (:80) to https (:443):

sudo -s
vi /etc/apache2/sites-available/nextcloud.conf

Add all of the following lines and adjust the host-specific values (shown in red on the original page) to your own setup:

<VirtualHost *:80>
    ServerName your.dedyn.io
    ServerAdmin nextcloud@dedyn.io
    DocumentRoot /var/www/nextcloud
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # Send every plain-http request to the https vhost with a permanent (301) redirect
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =your.dedyn.io
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

To enable the Diffie-Hellman (DHE) key exchange, generate the dhparam.pem file:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Create the second Nextcloud vhost, which listens on port 443 (TLS):

vi /etc/apache2/sites-available/nextcloudssl.conf

Add all of the following lines and adjust the host-specific values (shown in red on the original page) to your own setup:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        SSLEngine on
        # Deny plain-text access to this vhost if TLS is not in use
        SSLOptions +StrictRequire
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
        LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
        ServerAdmin nextcloud@your.dedyn.io
        DocumentRoot /var/www/nextcloud
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ServerName your.dedyn.io
        # Let's Encrypt certificate chain and private key
        SSLCertificateFile /etc/letsencrypt/live/your.dedyn.io/fullchain.pem
        SSLCACertificateFile /etc/letsencrypt/live/your.dedyn.io/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/your.dedyn.io/privkey.pem
        <Directory /var/www/nextcloud/>
            Options +FollowSymlinks
            AllowOverride All
            # Nextcloud ships its own WebDAV implementation; Apache's mod_dav must stay off
            <IfModule mod_dav.c>
                Dav off
            </IfModule>
            SetEnv HOME /var/www/nextcloud
            SetEnv HTTP_HOME /var/www/nextcloud
        </Directory>
        <IfModule mod_headers.c>
            # HSTS: browsers refuse plain http for this host for max-age seconds.
            # Note: the browser preload list itself requires max-age of at least
            # 31536000 and the includeSubDomains token before a submission is accepted.
            Header always set Strict-Transport-Security "max-age=15768000; preload"
        </IfModule>
    </VirtualHost>

    # Server-wide TLS settings; they apply to every SSL vhost
    SSLProtocol TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128
    # Server picks the cipher, not the client
    SSLHonorCipherOrder on
    # TLS compression is exploitable (CRIME); keep it off
    SSLCompression off
    # Session tickets would let a long-lived ticket key undermine forward secrecy
    SSLSessionTickets off
    # OCSP stapling: serve the revocation status with the handshake
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    # ECDHE curve and the DH parameters generated above
    SSLOpenSSLConfCmd Curves secp384r1
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
</IfModule>

Create the symlinks so that both vhosts are enabled from the next Apache2 start:

ln -s /etc/apache2/sites-available/nextcloud.conf /etc/apache2/sites-enabled/nextcloud.conf
ln -s /etc/apache2/sites-available/nextcloudssl.conf /etc/apache2/sites-enabled/nextcloudssl.conf

Remove any other files or links from /etc/apache2/sites-enabled that aren't needed, then restart Apache2:

service apache2 restart

From now on you should receive an A+ rating:

https://www.ssllabs.com/ssltest/analyze.html?d=your.dedyn.io
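As an added, offline check that is not part of the original post, the following Python script audits the TLS-relevant directives of a vhost file the way the SSL Labs test would judge them (protocol versions, cipher ordering, compression, HSTS), so a mistake is caught before the public scan. It uses only a constructed sample of the directives above; note that it also flags the HSTS line above, because the preload list requires a larger max-age and includeSubDomains.

```python
import re

# Constructed sample (not from the page): the vhost's TLS directives, with SSLProtocol deliberately weakened.
SAMPLE_CONF = """SSLEngine on
Header always set Strict-Transport-Security "max-age=15768000; preload"
SSLProtocol all -SSLv3
SSLHonorCipherOrder on
SSLCompression off"""
ALL_PROTOS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(text):
    """Yield (name, argument) per directive line; comments and <tags> are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, arg = line.partition(" ")
            yield name.lower(), arg.strip()

def enabled_protocols(arg):
    """Apply SSLProtocol's grammar: 'all', '+name', '-name' and bare names."""
    on = set()
    for tok in arg.split():
        if tok.lower() == "all":
            on |= ALL_PROTOS
        elif tok.startswith("-"):
            on.discard(tok[1:])
        else:
            on.add(tok.lstrip("+"))
    return on

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = dict(directives(text))  # last occurrence wins, like server-level directives
    findings = []
    weak = enabled_protocols(conf.get("sslprotocol", "all -SSLv3")) & WEAK_PROTOS
    if weak:
        findings.append("SSLProtocol enables " + ", ".join(sorted(weak)))
    if conf.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    if conf.get("sslcompression", "off").lower() != "off":  # TLS compression (CRIME)
        findings.append("SSLCompression is not off")
    hsts = re.search(r'Strict-Transport-Security\s+"([^"]*)"', text)
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts.group(1))
        age = int(m.group(1)) if m else 0
        if "preload" in hsts.group(1) and (age < 31536000 or "includeSubDomains" not in hsts.group(1)):
            findings.append("HSTS preload needs max-age>=31536000 and includeSubDomains")
    return findings
```

Run `audit(open("/etc/apache2/sites-available/nextcloudssl.conf").read())` on the real file; an empty list means the four checks pass.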

Enjoy your secure Nextcloud!


Carsten Rieger