Marcel Waldvogel edited this page Feb 23, 2018 · 18 revisions

Setting up Apache with a Let's Encrypt certificate

Run this on the Nextcloud host, if you have two separate servers.

Create the following files

/etc/apache/sites-available/example-org.conf

<VirtualHost *:80>
    ServerName example.org
    ServerAdmin [email protected]

    DocumentRoot /var/www/nextcloud
    ErrorLog ${APACHE_LOG_DIR}/nc_error.log
    CustomLog ${APACHE_LOG_DIR}/nc_access.log combined

    ProxyPass /http-bind/ https://xmpp.example.org:5281/http-bind/
    ProxyPassReverse /http-bind/ https://xmpp.example.org:5281/http-bind/
    ProxyPreserveHost On
    SSLProxyEngine On
</VirtualHost>

(Based on the JSXC documentation.)

If Nextcloud and Prosody run on the same host, you can replace the proxy URLs with http://localhost:5280/http-bind/ and remove SSLProxyEngine On. This avoids a second TLS handshake between Apache and Prosody on every BOSH request and can improve performance.

/etc/apache/sites-available/www-example-org.conf

<VirtualHost *:80>
   ServerName www.example.org
   ServerAdmin [email protected]

   DocumentRoot /var/www/nextcloud
   ErrorLog ${APACHE_LOG_DIR}/nc_error.log
   CustomLog ${APACHE_LOG_DIR}/nc_access.log combined

   Redirect permanent / https://example.org
</VirtualHost>

Activate the sites and modules

a2enmod proxy proxy_http
a2ensite www-example-org example-org

Obtain the certificate and make HTTPS default

…and fix the strange permissions letsencrypt creates.

letsencrypt -d example.org -d www.example.org -d userdata.example.org -d conference.example.org -d pubsub.example.org -m [email protected] --redirect --hsts --uir --staple-ocsp
chgrp -R ssl-cert /etc/letsencrypt/{archive,live}
chmod -R g+rX /etc/letsencrypt/{archive,live}

Make sure your certificate is renewed in time

Make the command executable and run it at a random time every night between 00:00 and 05:59 (to be easy on the Let's Encrypt servers).

echo $(($RANDOM % 60)) $((RANDOM % 6)) "* * * root letsencrypt renew" > /etc/cron.d/auto-renew-letsencrypt

⚠️ The command above assumes it is run from bash, because $RANDOM is a bash feature (bash is the default shell, so you only have to care if you changed your default shell).
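As an added example (not from the original wiki page), the same cron entry can be generated without bash's $RANDOM, so it also works when the command is pasted into dash or another POSIX /bin/sh. It draws both numbers from a single awk run (awk's srand() seeds from the clock, so two separate runs in the same second would return correlated values) and validates the line before it is installed; the file path /etc/cron.d/auto-renew-letsencrypt and the "letsencrypt renew" command are the ones from the page.

```shell
#!/bin/sh
# Added example, not part of the original page: portable replacement for the
# bash-only "echo $(($RANDOM % 60)) ..." cron line.

# Emit one /etc/cron.d line: minute hour day-of-month month day-of-week user command.
# Minute is in 0..59 and hour in 0..5, i.e. some time between 00:00 and 05:59,
# which spreads renewal load across clients as the page asks for.
renew_cron_line() {
    awk 'BEGIN {
        srand()
        printf "%d %d * * * root letsencrypt renew\n", int(rand() * 60), int(rand() * 6)
    }'
}

# Sanity-check a cron.d line before writing it: at least seven fields,
# minute 0-59, hour 0-5, the three remaining time fields "*", and the
# user field (which /etc/cron.d entries need and crontab entries do not)
# set to root. Returns 0 when the line is well-formed, 1 otherwise.
check_cron_line() {
    printf '%s\n' "$1" | awk '{
        if (NF < 7) exit 1
        if ($1 !~ /^[0-9]+$/ || $1 > 59) exit 1
        if ($2 !~ /^[0-9]+$/ || $2 > 5) exit 1
        if ($3 != "*" || $4 != "*" || $5 != "*") exit 1
        if ($6 != "root") exit 1
        exit 0
    }'
}

# Install the entry (run as root). Writes the file only if the line validates,
# so a broken line never ends up in /etc/cron.d where cron would ignore it
# silently and renewal would stop happening.
install_renew_cron() {
    line=$(renew_cron_line)
    check_cron_line "$line" || return 1
    printf '%s\n' "$line" > /etc/cron.d/auto-renew-letsencrypt
}
```

Run install_renew_cron as root on the Nextcloud host; the generated line is printed to the file in exactly the form the page's echo command produces.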

Activate changes and certificate for Apache

…after giving Apache permission to read the private key associated with the certificate.

adduser www-data ssl-cert
service apache2 restart
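The following checks, added here and not part of the original page, verify the outcome of the chgrp/chmod fix-up and the adduser step above: every entry under the letsencrypt tree belongs to the group and is group-readable, no private key is readable by everyone, and the web server user is in the group. Directory, group and user are parameters (the real values are /etc/letsencrypt, ssl-cert and www-data) so the same functions can be run against a scratch copy of the tree.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: post-fix-up permission
# checks for the Let's Encrypt tree.

# check_cert_tree DIR GROUP
# Succeeds when every entry below DIR belongs to GROUP, every file is
# group-readable and every directory is group-searchable, i.e. the effect of
# "chgrp -R GROUP" plus "chmod -R g+rX". Offending paths go to stderr.
check_cert_tree() {
    dir=$1; group=$2
    offenders=$(
        find "$dir" ! -group "$group" | sed 's/^/wrong group: /'
        find "$dir" -type f ! -perm -g+r | sed 's/^/not group-readable: /'
        find "$dir" -type d ! -perm -g+rx | sed 's/^/not group-searchable: /'
    )
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" >&2
    return 1
}

# check_private_keys DIR
# Succeeds when no private key below DIR is readable by "other". The group
# grant is meant for the web server only; "chmod -R g+rX" does not touch the
# world bits, so this catches keys that were world-readable to begin with.
check_private_keys() {
    leaked=$(find "$1" -type f -name 'privkey*.pem' -perm -o+r)
    [ -z "$leaked" ] && return 0
    printf '%s\n' "$leaked" | sed 's/^/world-readable private key: /' >&2
    return 1
}

# user_in_group USER GROUP
# Succeeds when USER is a member of GROUP (what "adduser www-data ssl-cert"
# arranges). Group membership is picked up when a process starts, which is
# why the page restarts Apache afterwards.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Usage on the real host (as root):
#   check_cert_tree /etc/letsencrypt ssl-cert \
#       && check_private_keys /etc/letsencrypt \
#       && user_in_group www-data ssl-cert && echo "certificate tree OK"
```

If check_cert_tree reports offenders after a renewal, the cron job only ran "letsencrypt renew" and the new archive files were created with the original permissions; rerun the chgrp/chmod pair from the section above.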

Separate Nextcloud and XMPP hosts

If you have two hosts, then at this point you need to rsync (or similar) /etc/letsencrypt to the XMPP server. Also replace the service prosody reload line in the cron job above with a command that syncs the certificates to the XMPP server and reloads them there.

Next: Configuring either Prosody or ejabberd (without authentication)