How to deny access to /univention portal from internet

Hello, I'm new to Nextcloud and I've set up my first server using the VMware ESX image version 13.0.4-0 from here

Everything is set up fine and I was wondering whether it is possible to deny access to

https://server.mydomain.qc.ca/univention/

I would prefer that this site is not accessible from the internet, so that users cannot try to access it, since it's connected to my Active Directory.

I've configured the setting “apache2/startsite” to start Nextcloud by default but can't find a way to deny access to the /univention portal.

Also, is it possible to remove the “How to login” on the UCS login screen? It tells you what my domain admin account is when you hover your mouse over it.

Thanks for your help!

Hey,

that’s just basic Apache access control: allow access from your local network’s IP addresses, deny access from everywhere else. Try putting something like this in e.g. /etc/apache2/conf-available/umc-access.conf, then run a2enconf umc-access and reload Apache:

<Location /univention/>
  # put your local network address range here
  Require ip 192.168.0.0/24
  Require all denied
</Location>

Untested.

Kind regards,
mosu
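
The steps from the reply above as one script, as an added example that is not part of the original post: it renders the rule, enables it, reloads Apache only if the syntax check passes, and offers a check to run from an outside host. The function names, the `CONF` variable and the networks in the usage lines are assumptions for illustration; only IPv4 ranges are handled.

```shell
#!/bin/sh
# Added example, not from the thread. IPv4 ranges only; the networks in the
# usage lines at the bottom are placeholders for your own LAN ranges.
CONF=/etc/apache2/conf-available/umc-access.conf

# Print the access rule for the given networks (one CIDR per argument).
render_umc_access() {
    [ "$#" -gt 0 ] || { echo "usage: render_umc_access CIDR..." >&2; return 2; }
    # Accept only digits, dots and a slash. Apache does not allow a comment
    # on the same line as a directive, so stray text must not reach Require.
    for net in "$@"; do
        case "$net" in
            ''|*[!0-9./]*) echo "invalid network: $net" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '# Clients outside the listed ranges receive 403 Forbidden.'
    printf '%s\n' '<Location /univention/>'
    printf '  Require ip %s\n' "$*"
    printf '%s\n' '</Location>'
}

# Write the file, enable it, and reload only if the syntax check passes.
install_umc_access() {
    render_umc_access "$@" > "$CONF.new" || { rm -f "$CONF.new"; return 1; }
    mv "$CONF.new" "$CONF"
    a2enconf -q umc-access
    if ! apache2ctl configtest; then
        a2disconf -q umc-access   # a broken file must not stay enabled
        return 1
    fi
    systemctl reload apache2
}

# Run from a host OUTSIDE the allowed ranges: succeeds only on HTTP 403.
check_blocked() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/univention/")
    [ "$code" = 403 ]
}

# Usage: sh umc-access.sh render  192.168.0.0/24   (print only)
#        sh umc-access.sh install 192.168.0.0/24   (as root on the UCS host)
case "${1:-}" in
    render)  shift; render_umc_access "$@" ;;
    install) shift; install_umc_access "$@" ;;
    check)   shift; check_blocked "$@" ;;
esac
```
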

Wow, thanks a lot! It's working perfectly.

When there are updates, will I lose these settings?

Also, I had another question. I've activated this

ucr set apache2/force_https=yes

and this

vi /etc/apache2/sites-enabled/default-ssl.conf

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

reboot

When I enter the address for the first time on a new PC like this

server.mydomain.qc.ca

it doesn't redirect to HTTPS.

Once I've gone to https://server.mydomain.qc.ca/

after that it's working.

Is there a way to make it work the first time?

Thanks!

Hey,

If you create a new file in /etc/apache2/conf-available, you won’t lose that in an update.

However:

You will lose any change made to a file that starts with a header such as this one:

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:

Such files are created from template files. You can read more about how template files work in this blog post.

No. It generally just works if you set the variable you already mentioned and restart Apache (which you did via rebooting). For me it just works; I don’t know why it wouldn’t for you.

Kind regards,
mosu

I think this could be an interesting feature.
Can this be pushed to a UCR variable for easy configuration?
For instance, a variable that, if set, holds the networks that are allowed access:

univention-portal/access = 192.168.0.0;10.10.10.0

That said, I think a notice should be given: if the users pretend to have SSO with 3rd parties (Office365), that cannot be set, if I'm not wrong.

Is there a guide on how to import a certificate from GoDaddy into the server?

I found it :)

Hello Moritz,

I want to use this, but when I search for the umc-access file I don't have it, only ucs.config?

Gr Dave

Hi Dave,

This file is not there. It has to be created by yourself.

rg
Christian

Just noticed… In the 4.4.4 version, they have added an option (via registry) to hide this message “How to login” by changing the entry to false.

https://docs.software-univention.de/release-notes-4.4-4-en.html

And how can we secure the UCS5 Portal now? I disabled the service:

systemctl disable univention-portal-server.service
systemctl stop univention-portal-server.service

But after some time, or after an update, my changes will be undone. I therefore assume that this service must also be deactivated via a UCR variable. I found this as an example:

ucr set postgres11/autostart='yes'

But I can’t find anything there for the portal service.

Here now the howto for UCS5: https://deepdoc.at/dokuwiki/doku.php?id=prebuilt_systems:ucs:umc_und_portal_vor_externen_zugriff_schuetzen
