Hardening and Security Guidance¶
ownCloud aims to ship with secure defaults that do not need to get modified by administrators. However, in some cases some additional security hardening can only be applied in scenarios were the administrator have complete control over the ownCloud instance.
This document lists some security hardenings which require manual interaction by administrators. The whole document content is based on the assumption that you run ownCloud Server on Apache2 on a Linux environment.
Note
ownCloud will warn you in the administration interface if some critical security relevant options are missing, however in some cases that are considered second level as defense administrators are encouraged to check these hardenings manually.
Deployment¶
Move data directory outside of the web root¶
It is highly recommended to move the data directory (where ownCloud stores its data) outside of the web root (i.e. outside of /var/www), this can be done by modifying the datadirectory switch in the configuration file. It is possible to do this also after an instance has been installed by moving the folder manually.
Use HTTPS¶
Using ownCloud without using an encrypted HTTPS connection might allow attackers in a man-in-the-middle (MITM) situation to intercept your users data and passwords. Thus ownCloud always recommends to setup ownCloud behind HTTPS.
How to setup HTTPS on your web server depends on your setup, we recommend to check your distributions vendor information on how to configure and setup HTTPS.
Redirect all unencrypted traffic to HTTPS¶
To redirect all HTTP traffic to HTTPS administrators are encouraged to issue a permanent redirect using the 301 statuscode, when using Apache this can be achieved by a setting such as the following in the Apache VirtualHosts config:
<VirtualHost *:80>
ServerName cloud.owncloud.com
Redirect permanent / https://cloud.owncloud.com/
</VirtualHost>
Enable HTTP Strict Transport Security¶
While redirecting all traffic to HTTPS is already a good start it will often not completely prevent man-in-the-middle attacks for a regular user. Thus administrators are encouraged to set the HTTP Strict Transport Security header which will instruct browsers to not allow any connection to the ownCloud instance anymore using HTTPS and a invalid certificate warning will often not be able to get bypassed.
This can be achieved by setting the following settings within the Apache VirtualHost file:
<VirtualHost *:443>
ServerName cloud.owncloud.com
Header always add Strict-Transport-Security "max-age=15768000"
</VirtualHost>
It shall be noted that this requires that the mod_headers extension to be installed.
Proper SSL configuration¶
Default SSL configurations by web servers are often not state of the art and require fine-tuning for an optimal performance and security experience. The available SSL ciphers and options depends completely on your environment and thus giving a generic recommendation is not really possible.
We recommend to use the Mozilla SSL Configuration Generator to generate a suitable configuration suited for your environment, furthermore the free Qualys SSL Labs Tests give a good guidance whether the SSL server was correctly configured.
Use a dedicated domain for ownCloud¶
Administrators are encouraged to install ownCloud on a dedicated domain such as cloud.domain.tld instead of domain.tld to gain all the benefits offered by the Same-Origin-Policy.