Status of the SSL certificate renewal service
First, check the status of the nextcloud.renew-certs service, which handles SSL certificate renewal within the Nextcloud package.
    $ sudo systemctl status snap.nextcloud.renew-certs.service
    ● snap.nextcloud.renew-certs.service - Service for snap application nextcloud.renew-certs
         Loaded: loaded (/etc/systemd/system/snap.nextcloud.renew-certs.service; enabled; vendor preset: enabled)
         Active: active (running) since Tue 2021-08-24 14:39:06 HKT; 54min ago
       Main PID: 785 (renew-certs)
          Tasks: 2 (limit: 6885)
         Memory: 22.3M
         CGroup: /system.slice/snap.nextcloud.renew-certs.service
                 ├─ 785 /bin/sh /snap/nextcloud/28426/bin/renew-certs
                 └─4363 sleep 1d

    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: Detail: Fetching
    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: http://nxc.servercan.net/.well-known/acme-challenge/7-y.....
    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: Timeout during connect (likely firewall problem)
    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: To fix these errors, please make sure that your domain name was
    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: entered correctly and the DNS A/AAAA record(s) for that domain
    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: contain(s) the right IP address. Additionally, please check that
    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: your computer has a publicly routable IP address and that no
    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: firewalls are preventing the server from communicating with the
    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: client. If you're using the webroot plugin, you should also verify
    Aug 24 14:45:22 ubnxc nextcloud.renew-certs[1239]: that you are serving files from the webroot path you provided.
The service appears to be running normally, but the most recent log lines look ominous, so let's print the logs for this service.
    $ sudo journalctl -u snap.nextcloud.renew-certs.service -n 100
    -- Logs begin at Thu 2021-03-18 05:36:08 HKT, end at Wed 2021-09-01 11:37:02 HKT. --
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: Restarting apache... done
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: 1 renew failure(s), 0 parse failure(s)
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: IMPORTANT NOTES:
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: - The following errors were reported by the server:
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: Domain: #####.######.###
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: Type: connection
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: Detail: Fetching
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: http://nxc.servercan.net/.well-known/acme-challenge/FuaJ......
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: Timeout during connect (likely firewall problem)
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: To fix these errors, please make sure that your domain name was
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: entered correctly and the DNS A/AAAA record(s) for that domain
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: contain(s) the right IP address. Additionally, please check that
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: your computer has a publicly routable IP address and that no
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: firewalls are preventing the server from communicating with the
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: client. If you're using the webroot plugin, you should also verify
    Aug 30 15:12:00 ubnxc nextcloud.renew-certs[747195]: that you are serving files from the webroot path you provided.
    Aug 31 15:12:01 ubnxc nextcloud.renew-certs[869783]: Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
    Aug 31 15:12:01 ubnxc nextcloud.renew-certs[869783]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Aug 31 15:12:01 ubnxc nextcloud.renew-certs[869783]: Processing
    Aug 31 15:12:01 ubnxc nextcloud.renew-certs[869783]: /var/snap/nextcloud/current/certs/certbot/config/renewal/#####.######.###.conf
    Aug 31 15:12:01 ubnxc nextcloud.renew-certs[869783]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Aug 31 15:12:01 ubnxc nextcloud.renew-certs[869783]: Cert is due for renewal, auto-renewing...
    Aug 31 15:12:01 ubnxc nextcloud.renew-certs[869783]: Non-interactive renewal: random delay of 372 seconds
    Aug 31 15:18:14 ubnxc nextcloud.renew-certs[869783]: Plugins selected: Authenticator webroot, Installer None
    Aug 31 15:18:14 ubnxc nextcloud.renew-certs[869783]: Renewing an existing certificate
    Aug 31 15:18:18 ubnxc nextcloud.renew-certs[869783]: Performing the following challenges:
    Aug 31 15:18:18 ubnxc nextcloud.renew-certs[869783]: http-01 challenge for #####.######.###
    Aug 31 15:18:18 ubnxc nextcloud.renew-certs[869783]: Waiting for verification...
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: Challenge failed for domain #####.######.###
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: http-01 challenge for #####.######.###
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: Cleaning up challenges
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: Attempting to renew cert (nxc.servercan.net) from /var/snap/nextcloud/current/cer>
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: All renewal attempts failed. The following certs could not be renewed:
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: /var/snap/nextcloud/current/certs/certbot/config/live/#####.######.###/fullcha>
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: All renewal attempts failed. The following certs could not be renewed:
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: /var/snap/nextcloud/current/certs/certbot/config/live/#####.######.###/fullcha>
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: Running post-hook command: restart-apache
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: Output from post-hook command restart-apache:
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: Restarting apache... done
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: 1 renew failure(s), 0 parse failure(s)
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: IMPORTANT NOTES:
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: - The following errors were reported by the server:
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: Domain: #####.######.###
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: Type: connection
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: Detail: Fetching
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: http://#####.######.###/.well-known/acme-challenge/AND......
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: Timeout during connect (likely firewall problem)
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: To fix these errors, please make sure that your domain name was
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: entered correctly and the DNS A/AAAA record(s) for that domain
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: contain(s) the right IP address. Additionally, please check that
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: your computer has a publicly routable IP address and that no
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: firewalls are preventing the server from communicating with the
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: client. If you're using the webroot plugin, you should also verify
    Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: that you are serving files from the webroot path you provided.
    Aug 31 21:50:39 ubnxc systemd[1]: Stopping Service for snap application nextcloud.renew-certs...
    Aug 31 21:50:40 ubnxc systemd[1]: snap.nextcloud.renew-certs.service: Succeeded.
    Aug 31 21:50:40 ubnxc systemd[1]: Stopped Service for snap application nextcloud.renew-certs.
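
The unit stays active (running) while every renewal attempt fails, so the unit state alone is not a usable health signal. As an added example (not part of the original post), the shell functions below summarize renewal outcomes from journal text, using only certbot messages that appear in this post's logs; the function names, the sample lines and the host name cloud.example.com are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Summarize certbot renewal outcomes from journal text read on stdin.
# Assumed usage on the host:
#   sudo journalctl -u snap.nextcloud.renew-certs.service | renewal_summary

renewal_summary() {
  awk '
    /Challenge failed for domain/ { challenge_failed++ }
    /Timeout during connect/      { timeouts++ }
    /renew failure/ {
      # Line shape: "... N renew failure(s), M parse failure(s)"
      n = 0
      for (i = 2; i <= NF; i++)
        if ($i == "renew") { n = $(i - 1) + 0; break }
      if (n > 0) { failed_runs++; state = "failed" }
    }
    /no renewal failures/ { ok_runs++; state = "ok" }
    END {
      # state reflects the most recent outcome line seen in the input
      if (state == "") state = "unknown"
      printf "state=%s failed_runs=%d ok_runs=%d challenge_failed=%d timeouts=%d\n",
             state, failed_runs, ok_runs, challenge_failed, timeouts
    }'
}

# Exit status 0 when the most recent outcome in the log is a failure,
# so it can drive a cron job or a monitoring check.
last_renewal_failed() {
  renewal_summary | grep -q '^state=failed'
}

# Constructed sample, abridged from the log format shown in this post.
sample_journal() {
  cat <<'EOF'
Aug 31 15:12:01 ubnxc nextcloud.renew-certs[869783]: Cert is due for renewal, auto-renewing...
Aug 31 15:18:18 ubnxc nextcloud.renew-certs[869783]: http-01 challenge for cloud.example.com
Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: Challenge failed for domain cloud.example.com
Aug 31 15:18:29 ubnxc nextcloud.renew-certs[869783]: All renewal attempts failed. The following certs could not be renewed:
Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: 1 renew failure(s), 0 parse failure(s)
Aug 31 15:18:30 ubnxc nextcloud.renew-certs[869783]: Timeout during connect (likely firewall problem)
EOF
}

sample_journal | renewal_summary
```

A non-zero timeouts count alongside state=failed points at the network path for port 80 rather than at certbot itself.
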
During renewal, Let's Encrypt tries to access the following URI, but the attempt times out with an error.
    http://####.######.###/.well-known/acme-challenge/........
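This is the point in the HTTP-01 challenge, the procedure the nextcloud.renew-certs service uses to renew the Let's Encrypt SSL certificate, where the validation token file is fetched over plain http.
An alias for this path can be seen in httpd.conf, which has become part of the Nextcloud package.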
    # Serve ACME authentication data (Let's Encrypt).
    Alias "/.well-known/acme-challenge" "${SNAP_DATA}/certs/certbot/.well-known/acme-challenge"
    <Directory "${SNAP_DATA}/certs/certbot/.well-known/acme-challenge">
        AllowOverride None
        Require all granted
    </Directory>
Since ${SNAP_DATA} is /var/snap/nextcloud/current/, the alias actually points to the following path.
    /var/snap/nextcloud/current/certs/certbot/.well-known/acme-challenge
The SSL certificate files and the renewal logs are also located nearby, in the following tree.
    /var/snap/nextcloud/current/certs/certbot
    ├── config
    │   ├── accounts
    │   │   └── acme-v02.api.letsencrypt.org
    │   │       └── directory
    │   │           └── #################################
    │   │               ├── meta.json
    │   │               ├── private_key.json
    │   │               └── regr.json
    │   ├── archive
    │   │   └── #####.#####.###
    │   │       ├── cert1.pem
    │   │       ├── chain1.pem
    │   │       ├── fullchain1.pem
    │   │       └── privkey1.pem
    │   ├── csr
    │   ├── keys
    │   ├── live
    │   ├── renewal
    │   │   └── #####.#####.###.conf
    │   └── renewal-hooks
    ├── logs
    └── work
The certificate files still carry the dates from when the instance was first built.
    # ls -la /var/snap/nextcloud/current/certs/certbot/config/archive/#####./#####..###
    -rw-r--r-- 1 root root 2195 Jun 22 15:15 cert1.pem
    -rw-r--r-- 1 root root 3750 Jun 22 15:15 chain1.pem
    -rw-r--r-- 1 root root 5945 Jun 22 15:15 fullchain1.pem
    -rw------- 1 root root 3272 Jun 22 15:15 privkey1.pem
I checked the current SSL certificate remotely, and it was still valid.
    $ openssl s_client -connect #####.#####.###:443 | openssl x509 -noout -enddate
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = #####.#####.###
    verify return:1
    notAfter=Sep 20 06:15:38 2021 GMT

    $ nmap --script ssl-enum-ciphers -p 443 #####.#####.###

    Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-24 21:12 HKT
    Nmap scan report for #####.#####.### (###.###.###.###)
    Host is up (0.052s latency).

    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
    |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 4096) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |_  least strength: A

    Nmap done: 1 IP address (1 host up) scanned in 22.22 seconds
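That said, the expiry date is near, so prompt action is needed. There are other renewal methods, but given that this is the Snap package version, which does not offer much flexibility, and for the sake of general applicability, I chose to keep the HTTP-01 challenge and open the http port.
Procedure for opening the http port
To let http/80tcp, which the Let's Encrypt HTTP-01 challenge requires, reach the virtual instance, open it in the two places shown in the diagram below: the ingress rules and iptables.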
              [INET]
                ||
                ||
                ||
                ||
    ========= O C I =========
    | Ingress Rule
    |   # TCP22/SSH
    |   # TCP80/HTTP  <--[Add.1]
    |   # TCP443/HTTPS
    |
    ------ iptables ------
    |   # TCP22/SSH
    |   # TCP80/HTTP  <--[Add.2]
    |   # TCP443/HTTPS
    |
    ((nextcloud))
        # LISTEN http : 80
        # LISTEN https:443
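1. Add an ingress rule
In the Oracle Cloud web console, open the hamburger menu at the top left and go to "Networking" → "Virtual Cloud Networks". Open the VCN in the list, then go to "Security Lists" in the Resources menu on its left. Open the list created last time, press the "Add Ingress Rules" button, and add a rule as follows.
The ingress rules now include http/80tcp.
2. Add a rule to iptables
Next, open the port in iptables, the firewall on the virtual machine running Nextcloud, as well. Open /etc/iptables/rules.v4 with administrator privileges and insert an allow entry for 80tcp near the 443tcp entry added last time.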
    # CLOUD_IMG: This file was created/modified by the Cloud Image build process
    # iptables configuration for Oracle Cloud Infrastructure
    # See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
    # documentation for security impact of modifying or removing these rule
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [463:49013]
    :InstanceServices - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p udp --sport 123 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -d 169.254.0.0/16 -j InstanceServices
Use the following commands to add the rule and apply it to iptables.
    $ sudo nano /etc/iptables/rules.v4
    $ sudo iptables-restore < /etc/iptables/rules.v4
This completes the port opening. From a remote host, use nmap to confirm that the ports are open as intended.
    $ nmap -Pn -p T:22,80,443 #####.##########.###

    Starting Nmap 7.60 ( https://nmap.org )
    Nmap scan report for #####.##########.### (###.###.###.###)
    Host is up (0.095s latency).

    PORT    STATE SERVICE
    22/tcp  open  ssh
    80/tcp  open  http
    443/tcp open  https

    Nmap done: 1 IP address (1 host up) scanned in 7.45 seconds
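
iptables evaluates the INPUT chain from top to bottom, which is why the 80tcp entry belongs next to the 443tcp entry, ahead of the final REJECT line, and not at the end of the file. The following added example (not from the original post) checks that ordering in an iptables-save style file before it is loaded; the function names and the abridged sample rules are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Simplified model of an iptables-save file: only "-A INPUT" lines, exact
# --dport matches and the first unconditional REJECT/DROP are considered.

# port_state FILE PORT  ->  prints open | shadowed | closed
port_state() {
  awk -v port="$2" '
    $1 == ":INPUT" { policy = $2 }
    $1 == "-A" && $2 == "INPUT" {
      rule++
      if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) {
        if (!reject) reject = rule    # nothing after this line is reached
        next
      }
      tcp = 0; dport = ""; accept = 0
      for (i = 3; i < NF; i++) {
        if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
      }
      if (tcp && accept && dport == port && !hit) hit = rule
    }
    END {
      if (hit && (!reject || hit < reject)) print "open"
      else if (hit) print "shadowed"  # ACCEPT exists but sits after the REJECT
      else if (!reject && policy == "ACCEPT") print "open"
      else print "closed"
    }' "$1"
}

# Constructed sample: INPUT rules abridged from the rules.v4 listing.
# write_rules FILE [misordered]
write_rules() {
  {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
      '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
      '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
    [ "$2" = misordered ] || printf '%s\n' \
      '-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT'
    printf '%s\n' \
      '-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT' \
      '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    [ "$2" != misordered ] || printf '%s\n' \
      '-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT'
  } > "$1"
}

rules=$(mktemp)
write_rules "$rules"
echo "80/tcp inserted before REJECT: $(port_state "$rules" 80)"
write_rules "$rules" misordered
echo "80/tcp appended after REJECT:  $(port_state "$rules" 80)"
rm -f "$rules"
```

A result of "shadowed" corresponds to the case where the rule is present in the file yet a remote scan still shows the port as filtered.
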
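Renewing the SSL certificate
For the renewal, I took the quick route and simply restarted the nextcloud.renew-certs service. After the restart and a random delay, the SSL certificate renewal ran to completion.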
    $ sudo systemctl restart snap.nextcloud.renew-certs.service
    $ sudo systemctl status snap.nextcloud.renew-certs.service
    ● snap.nextcloud.renew-certs.service - Service for snap application nextcloud.renew-certs
         Loaded: loaded (/etc/systemd/system/snap.nextcloud.renew-certs.service; enabled; vendor preset: enabled)
         Active: active (running) since Thu 2021-09-02 14:33:35 HKT; 2s ago
       Main PID: 221085 (renew-certs)
          Tasks: 2 (limit: 6861)
         Memory: 30.7M
         CGroup: /system.slice/snap.nextcloud.renew-certs.service
                 ├─221085 /bin/sh /snap/nextcloud/28426/bin/renew-certs
                 └─221109 python2 /snap/nextcloud/28426/bin/certbot --text --config-dir /var/snap/nextcloud/current/ce>

    Sep 02 14:33:35 ubnxc systemd[1]: Started Service for snap application nextcloud.renew-certs.
    Sep 02 14:33:36 ubnxc nextcloud.renew-certs[221109]: Saving debug log to /var/snap/nextcloud/current/certs/certbot>
    Sep 02 14:33:36 ubnxc nextcloud.renew-certs[221109]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
    Sep 02 14:33:36 ubnxc nextcloud.renew-certs[221109]: Processing
    Sep 02 14:33:36 ubnxc nextcloud.renew-certs[221109]: /var/snap/nextcloud/current/certs/certbot/config/renewal/nxc.>
    Sep 02 14:33:36 ubnxc nextcloud.renew-certs[221109]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
    Sep 02 14:33:36 ubnxc nextcloud.renew-certs[221109]: Cert is due for renewal, auto-renewing...
    Sep 02 14:33:36 ubnxc nextcloud.renew-certs[221109]: Non-interactive renewal: random delay of 377 seconds
    Sep 02 14:39:53,221:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    Sep 02 14:39:53,225:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    .
    .
    -omitted-
    .
    .
    Sep 02 14:40:02,292:DEBUG:certbot.renewal:no renewal failures
    Sep 02 14:40:02,292:INFO:certbot.hooks:Running post-hook command: restart-apache
    Sep 02 14:40:03,372:INFO:certbot.hooks:Output from post-hook command restart-apache:
    Restarting apache... done
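Looking at the folder where the certificate files are stored, old and new certificates were both present, perhaps because the current certificate still had days left before its expiry date.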
    # ls -la /var/snap/nextcloud/current/certs/certbot/config/archive/#####.#####.###/
    -rw-r--r-- 1 root root 2195 Jun 22 15:15 cert1.pem
    -rw-r--r-- 1 root root 2195 Sep 2 14:40 cert2.pem
    -rw-r--r-- 1 root root 3750 Jun 22 15:15 chain1.pem
    -rw-r--r-- 1 root root 3750 Sep 2 14:40 chain2.pem
    -rw-r--r-- 1 root root 5945 Jun 22 15:15 fullchain1.pem
    -rw-r--r-- 1 root root 5945 Sep 2 14:40 fullchain2.pem
    -rw------- 1 root root 3272 Jun 22 15:15 privkey1.pem
    -rw------- 1 root root 3272 Sep 2 14:40 privkey2.pem
Checking the SSL certificate remotely showed that its expiry date had been extended.
    $ openssl s_client -connect #####.#####.###:443 | openssl x509 -noout -enddate
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = #####.#####.###
    verify return:1
    notAfter=Dec 1 05:39:58 2021 GMT
http to https redirection
In this state, accessing Nextcloud over http from a browser redirects to https. Checking this from the command line with wget shows that the server returns 301 Moved Permanently and leads the client to https.
    $ wget http://#####.#####.###/
    --2021-09-02 15:03:44-- http://#####.#####.###/
    #####.#####.### をDNSに問いあわせています... ###.###.###.###
    #####.#####.###|###.###.###.###|:80 に接続しています... 接続しました。
    HTTP による接続要求を送信しました、応答を待っています... 301 Moved Permanently
    場所: https://#####.#####.###:443/ [続く]
    --2021-09-02 15:03:44-- https://#####.#####.###/
    #####.#####.###|###.###.###.###|:443 に接続しています... 接続しました。
    HTTP による接続要求を送信しました、応答を待っています... 302 Found
    場所: https://#####.#####.###/index.php/login [続く]
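According to the official Nextcloud documentation, this appears to be due to the Enforce HTTPS setting configured in Nginx. There, /.well-known/acme-challenge, which the Let's Encrypt validation run earlier relies on, can be seen to be excluded.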
    server {
        listen 80;
        listen [::]:80;
        server_name cloud.example.com;

        # Enforce HTTPS
        return 301 https://$server_name$request_uri;
    }

    -omitted-

        # Make a regex exception for `/.well-known` so that clients can still
        # access it despite the existence of the regex rule
        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
        # for `/.well-known`.
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in `.htaccess` that concern `/.well-known`.

            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav { return 301 /remote.php/dav/; }

            location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation { try_files $uri $uri/ =404; }

            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /index.php$request_uri;
        }
I was relieved to find that Nginx enforces https, so there had been no need to close http/80tcp when finishing the Nextcloud build last time in the first place.