How to deny access to /univention portal from internet


#1

Hello, I'm new to Nextcloud and I've set up my first server using the VMware ESX image version 13.0.4-0 from here

Everything is set up fine and I was wondering whether it is possible to deny access to

https://server.mydomain.qc.ca/univention/

I would prefer that this site not be accessible from the internet, so that users cannot try to access it, since it's connected with my Active Directory.

I've configured the setting “apache2/startsite” to start Nextcloud by default, but I can't find a way to deny access to the /univention portal.

Also, is it possible to remove the “How to login” on the UCS login screen? It tells you what my domain admin account is when you hover your mouse over it.


Thanks for your help!


#2

Hey,

that’s just basic Apache access control: allow access from your local network’s IP addresses, deny access from everywhere else. Try putting something like this in e.g. /etc/apache2/conf-available/umc-access.conf, then run a2enconf umc-access and reload Apache:

<Location /univention/>
  # Put your local network address range here (Apache does not allow a
  # comment on the same line as a directive).
  Require ip 192.168.0.0/24
  Require all denied
</Location>

Untested.

Kind regards,
mosu


#3

Wow, thanks a lot! It's working perfectly.

When there are updates, will I lose these settings?

Also, I had another question. I've activated this

ucr set apache2/force_https=yes

and this

vi /etc/apache2/sites-enabled/default-ssl.conf

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

reboot

When I enter the address for the first time on a new PC like this

server.mydomain.qc.ca

it doesn't redirect to https.

Once I've gone to https://server.mydomain.qc.ca/

after that it's working.

Is there a way to make it work the first time?

Thanks!


#4

Hey,

If you create a new file in /etc/apache2/conf-available, you won’t lose that in an update.

However:

You will lose any change made to a file that starts with a header such as this one:

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:

Such files are created from template files. You can read more about how template files work in this blog post.

No. It generally just works if you set the variable you already mentioned and restart Apache (which you did via rebooting). For me it just works; I don’t know why it wouldn’t for you.

Kind regards,
mosu


#5

I think this could be an interesting feature.
Can this be pushed to a UCR variable for easy configuration?
For instance, a variable that, if set, will hold the networks that are allowed access:

univention-portal/access = 192.168.0.0;10.10.10.0

That said, I think a notice should be given: if the users intend to have SSO with third parties (Office 365), this cannot be set, if I'm not wrong.
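
An added example, not part of the thread and not UCS code: a Python sketch of how the allow-list value proposed in post #5 could be validated and rendered into the `<Location /univention/>` block from post #2. The value format with explicit prefix lengths and all function names are assumptions; `univention-portal/access` is only the variable name suggested above, not an existing UCR variable.

```python
import ipaddress

# Constructed sample value: the networks from post #5 with prefix lengths added.
SAMPLE = "192.168.0.0/24;10.10.10.0/24"

def parse_networks(value):
    """Parse a ';'-separated list of CIDR ranges and reject ambiguous entries."""
    nets = []
    for item in filter(None, (part.strip() for part in value.split(";"))):
        if "/" not in item:
            # A complete address without a prefix matches one host in
            # "Require ip", not the whole subnet.
            raise ValueError(f"{item}: prefix length required, e.g. {item}/24")
        net = ipaddress.ip_network(item, strict=True)  # host bits must be zero
        if net.prefixlen == 0:
            raise ValueError(f"{item}: would match every client")
        nets.append(net)
    if not nets:
        raise ValueError("no networks given")
    return nets

def render_location(value, path="/univention/"):
    """Render the Apache 2.4 block; comments stay on their own lines."""
    lines = [f"<Location {path}>", "  # Allowed source networks"]
    lines += [f"  Require ip {net}" for net in parse_networks(value)]
    lines += ["  Require all denied", "</Location>"]
    return "\n".join(lines) + "\n"

def is_allowed(value, client_ip):
    """Model the block's outcome: several Require lines in one section act
    as RequireAny, so a client passes if any listed network contains it."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net
               for net in parse_networks(value))

if __name__ == "__main__":
    print(render_location(SAMPLE), end="")
    # 203.0.113.7 is a documentation address standing in for an internet client.
    for ip in ("192.168.0.17", "10.10.10.200", "203.0.113.7"):
        print(ip, "allowed" if is_allowed(SAMPLE, ip) else "denied")
```

The rendered text can be placed in a file under /etc/apache2/conf-available and enabled with a2enconf as described in post #2.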


#6

Is there a guide on how to import a certificate from GoDaddy into the server?


#7

I found it :slight_smile:


#8

Hello Moritz,

I want to use this, but when I search for the umc-access file I don't have it, only ucs.config?

Gr Dave


#9

Hi Dave,

This file is not there; you have to create it yourself.

rg
Christian