Univention 4.2 and owncloud 10 - changing base URL

#1

Hello all,

We installed Univention 4.2 and the Owncloud 10 App from the appstore. For security reasons, we want to change the default URL /owncloud to /veryowncloud.

Changed:

ucs/web/overview/entries/service/owncloud/link to /veryowncloud

Then we have modified the

./var/lib/univention-appcenter/apps/owncloud/conf/config.php

overwrite.cli.url
and
htaccess.RewriteBase

Also, we have modified the ProxyPass and ProxyPassReverse in the Apache2 configs to the new URL.

But now when we access our own URL, it will still redirect to /owncloud and then give a 404 not found.

How do we properly change the base URL of the owncloud installation?

Thanks,

Andreas


#2

Hi

I think that is because of the Apache rewrite rule in the owncloud container (RewriteRule ^(.*)$ /owncloud$1 [R=301,L]).

And there are several other configs/settings in the container with hard-coded references to /owncloud (/etc/apache2/sites-enabled/000-default.conf, var/www/owncloud/.htaccess). Maybe it is possible to change all this, but keep in mind that those settings (in the container) are all lost after the next owncloud image update.

Therefore I would strongly recommend not to change the owncloud URI.

best regards.
Felix


#3

Hi,

I agree with @botner that it’s probably very inconvenient and complicated to change this on UCS itself. It most probably will also break on upgrades.
To achieve your goal I would consider a reverse proxy. Something like:

https://www.your-external-url.com/veryowncloud

-> the reverse proxy then maps this to the internal UCS system, e.g.

https://ucs.intranet.example.org/owncloud

while all your clients always connect to the external address.

I recommend this blog post about reverse proxies:

Using Squid as described in the article is just one possibility. Nginx also does a good job, and some firewalls/NAT devices can do this, too.

Best regards,
Michael


#4

Hello Felix, Michael,

First let me address again why I want to do this (change the default URI):

A few years back when owncloud was initially released, I had a look at the source code. At that time the software was as close to a PHP mess as it gets, buggy to no end. While I think it has come a long way since then, I am still wary to expose it on a public facing server.

In my experience, almost all security breaches nowadays happen with automated systems that scan for software on default locations and identify versions that are vulnerable, and then proceed with an exploit. Even the western security agencies did that to stock up on relay boxes for their activities.

Therefore, the single most important measure to secure a public-facing system is to minimize attack vectors in the first place, i.e. relocate all services to custom locations where possible and only accept connections on TLS-secured ports where possible, so as not to expose the location to third parties.

In the case of owncloud as stated earlier, I would see this as a necessity. I will not deploy owncloud public facing on the default location when I am responsible for the security of the system.

Before owncloud was dockerized, it was relatively simple to change the URI. In my brief flirt with Docker, I quickly decided that the benefits of docker were outweighed by the introduced additional complexity and therefore to me, it only makes sense in massive deployments.

Like in this case. I hope you will consider my points and repair the App package so that the URI can be modified again via UCR as in previous versions.

Regarding the reverse proxy solution, I tried it this morning with Apache (Rewrite Rules and mod_proxy), and it is not possible because owncloud uses absolute URIs in the HTML and Javascript. So one would have to rewrite the content to make it work, not really a good solution.

Now I have found and changed all the locations to make it work:

On the Univention system itself, the default-ssl.conf and UCR:

# ucr search --all veryowncloud | grep  "^ucs"
ucs/web/overview/entries/admin/owncloud-admindoc/icon: /veryowncloud/core/img/favicon.png
ucs/web/overview/entries/admin/owncloud-userdoc/icon: /veryowncloud/core/img/favicon.png
ucs/web/overview/entries/service/owncloud/link: /veryowncloud

In the Docker container:

  • the Apache configuration Rewrite Rule changed to
 RewriteCond %{REQUEST_URI} !^/veryowncloud
 RewriteRule ^(.*)$ /veryowncloud$1 [R=301,L]
  • in the /var/www/owncloud/.htaccess
ErrorDocument 403 /veryowncloud/core/templates/403.php
ErrorDocument 404 /veryowncloud/core/templates/404.php
[...]
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /veryowncloud
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
[...]

And finally the /var/www/owncloud/config/config.php as stated in my initial post.

Please fix the owncloud package in the next version so that the URI is controllable via UCR. We use and pay for Univention because it reduces complexity and provides stability over updates.

regards,

Andreas
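
As an added example (not part of the original posts and not Univention or ownCloud code): the edits listed above are spread over several files, so a small audit can report where the default path is still in use or where a redirect target does not match the new one. The file contents are constructed samples, and `stale_refs`, `bad_redirects` and `make_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example; the sample file contents are constructed.

# stale_refs OLD FILE...: lines still using OLD as a URI prefix (after
# whitespace, a quote, ^ or a URL host). Filesystem paths such as
# /var/www/owncloud are not reported.
stale_refs() {
  old=$1; shift
  grep -HnE "(^|[[:space:]'\"^]|://[^/[:space:]'\"]+)${old}([/'\"[:space:]$]|$)" "$@"
}

# bad_redirects NEW FILE...: RewriteRule lines with an R flag whose
# absolute target does not start with NEW (for example a mistyped path).
bad_redirects() {
  new=$1; shift
  awk -v new="$new" '
    $1 == "RewriteRule" && $3 ~ /^\// && $NF ~ /(\[|,)R(=|,|\])/ {
      rest = substr($3, length(new) + 1, 1)
      if (index($3, new) != 1 || rest ~ /[A-Za-z0-9_-]/)
        print FILENAME ":" FNR ": " $0
    }' "$@"
}

# make_sample DIR: constructed copies of the three files, with some
# entries still on the default path and one mistyped redirect target.
make_sample() {
  cat > "$1/000-default.conf" <<'EOF'
DocumentRoot /var/www/owncloud
RewriteCond %{REQUEST_URI} !^/veryowncloud
RewriteRule ^(.*)$ /verowncloud$1 [R=301,L]
EOF
  cat > "$1/.htaccess" <<'EOF'
ErrorDocument 403 /owncloud/core/templates/403.php
ErrorDocument 404 /veryowncloud/core/templates/404.php
RewriteRule . index.php [PT,E=PATH_INFO:$1]
RewriteBase /veryowncloud
EOF
  cat > "$1/config.php" <<'EOF'
  'overwrite.cli.url' => 'https://ucs.intranet.example.org/owncloud',
  'htaccess.RewriteBase' => '/veryowncloud',
EOF
}

d=$(mktemp -d) && make_sample "$d"
stale_refs /owncloud "$d/000-default.conf" "$d/.htaccess" "$d/config.php"
bad_redirects /veryowncloud "$d/000-default.conf" "$d/.htaccess"
rm -rf "$d"
```

Run against the real files after each app or image update, both functions printing nothing means the custom path is still applied consistently.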


#5

Hello Andreas,

thank you for your detailed feedback and the suggestion. This is very helpful for us to improve our products.

I spoke about this thread with a colleague of our UCS App Center team. We will have a further look at your suggestion to check whether we can implement an easy way to alter the URL of installed apps in the UCS App Center, or at least define and document a standard-compliant way to do this.

Please understand that this is not supported at the moment and I can’t promise if and when this will be implemented in the product. But with this feature request the first step is done.

Regards,
Ben


#6

Hello,

I created Bug 45725. As stated above, there are two parts involved in the URI: the App Center itself, which is responsible for the app setup, and the app.

Best regards.