How to deny access to /univention portal from internet

support_ti · July 19, 2018, 7:10am

Hello im new to nextcloud and ive setup my first server using the VMWARE ESX Image version 13.0.4-0 from here

Everything is setup fine and i was wondering is it possible to deny access to

https://server.mydomain.qc.ca/univention/

I would prefer that this site is not accessible from the internet to not allow user to try to access it since it’s connect with my Active Directory

Ive configure the settings “apache2/startsite” to start nextcloud by defaut but can’t find a way to deny access to /univention portal

Also is it possible to remove the “How to login” on the ucs login screen because it’s telling what is my domain admin account when you pass your mouse over it

2018-07-18%2015_12_08-Window

Thanks for your help !

Moritz_Bunkus · July 18, 2018, 7:15pm

Hey,

that’s just basic Apache access control: allow access from your local network’s IP addresses, deny access from everywhere else. Try putting something like this in e.g. /etc/apache2/conf-available/umc-access.conf, then run a2enconf umc-access and reload Apache:

<Location /univention/>
  Require ip 192.168.0.0/24 # put your local network address range here
  Require all denied
</Location>

Untested.

Kind regards,
mosu

support_ti · July 18, 2018, 8:33pm

wow thanks alot ! it’s working perfectly

when there will be updates will i loose these settings ?

Also i had another question ive activated this

ucr set apache2/force_https=yes

and this

vi /etc/apache2/sites-enabled/default-ssl.conf

Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

reboot

When i enter the address for the first time on a new pc like this

server.mydomain.qc.ca

it don’t make the redirection to https

Once ive gone to https://server.mydomain.qc.ca/

after that it’s working

Is there a way to make it work the first time

Thanks !

Moritz_Bunkus · July 23, 2018, 6:22pm

Hey,

If you create a new file in /etc/apache2/conf-available, you won’t lose that in an update.

However:

You will lose any change made to a file that starts with a header such as this one:

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:

Such files are created from template files. You can read more about how template files work in this blog post.

No. It generally just works if you set the variable you already mentioned and restart Apache (which you did via rebooting). For me it just works; I don’t know why it wouldn’t for you.

Kind regards,
mosu

codedmind · July 19, 2018, 9:27am

I think this could be an interest feature.
Can this be pushed to a ucr variable for easy configuration.
For instance a variable that if is set will have networks that will allow access,

univention-portal/access = 192.168.0.0;10.10.10.0

That said, i think a notice should be done, if the users pretend have sso with 3rd parts (office365) that cannot be set if i’m not wrong

support_ti · July 23, 2018, 2:56pm

Is there a guide how to import a certificate from godaddy into the server ?

support_ti · July 23, 2018, 3:11pm

I found it

shadow1232 · July 31, 2018, 1:17pm

Hello Moritz,

I want to use this but when i search for the umc-access file i dont have it only ucs.config?

Gr Dave

externa1 · August 1, 2018, 6:57am

Hi Dave,

this file is not there - it has to be created by yourself

rg
Christian

abhinavjain · January 8, 2021, 9:00pm

Just noticed… In the 4.4.4 version, they have added an option (via registry) to hide this message “How to login” by changing the entry to false.

https://docs.software-univention.de/release-notes-4.4-4-en.html