Score:0

Apache2 VHost for subdomain

br flag

I configured my nextcloud several months ago on my Ubuntu 20.04.3 LTS VM running on my FreeNAS, following their tutorial, so bear with me, I'm by no means a trained apache2 guru ;-)

My current VHost config for my nextcloud is as follows:

<VirtualHost *:80>
     ServerAdmin [email protected]
     DocumentRoot /var/www/nextcloud/
     ServerName cloud.domain.net
     ServerAlias www.cloud.domain.net

     Alias /nextcloud "/var/www/nextcloud/"

     <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
          <IfModule mod_dav.c>
            Dav off
          </IfModule>
        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     RewriteEngine on
     RewriteCond %{SERVER_NAME} =cloud.domain.net [OR]
     RewriteCond %{SERVER_NAME} =www.cloud.domain.net
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

I recently set up my Home Assistant and wanted to grant remote access via the HASS App. I wanted to redirect traffic coming in via

https://homeassistant.domain.net

My approach for the homeassistant.conf was:

<VirtualHost *>
    ServerName homeassistant.domain.net

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / http://192.168.0.9:8123/
    ProxyPassReverse / http://192.168.0.9:8123/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

Unfortunately this doesn't work....

Can anyone point me to the right config so my Home Assistant traffic is also SSL encrypted?

Score:0
pk flag

You need to ensure that your VirtualHost statements are exactly the same. Currently, one of them says VirtualHost *, and the other says VirtualHost *:80. This is wrong. Since it's generally a better idea to have the port number, you should add the :80 bit to the other VirtualHost line. This should make it work without encryption.

In order to add HTTPS, you have more things to do. The instructions below explain what to do for your homeassistant.domain.net domain, but you'll have to repeat the instructions for your nextcloud domain, if you want to encrypt traffic there too.

First, you'll need a certificate. Since you're saying you want to "grant remote access", I'm assuming your server is available from the public Internet; that means you can use letsencrypt:

  1. Install certbot, letsencrypt's application to create and install certificates.

  2. Modify your VirtualHost stanza so it doesn't proxy the "/.well-known" directory, and give it a DocumentRoot, by adding the following lines

     DocumentRoot /var/www/homeassistant
     ProxyPass /.well-known !
    
  3. Create the /var/www/homeassistant directory, if it doesn't exist yet.

  4. Run certbot to create your certificates:

     certbot register
     certbot certonly --webroot -w /var/www/homeassistant -d homeassistant.domain.net
    

    The first of these commands will register you with letsencrypt; the second will request a certificate that it will install into /etc/letsencrypt.

    Note: certbot also has a mode to automagically enable SSL and install the certificates for you, but I have never used it and so don't know what exactly it does. You might want to play with it. In order to do so, use --apache rather than --webroot, and read the certbot --help output. The rest of this post assumes you didn't do that, and instead used the --webroot mode.

  5. Ensure certbot renew is run periodically, so that your certificates are automatically renewed before they expire (e.g., by using cron).

You now have certificates under /etc/letsencrypt. In order to enable SSL and use them, you need to take the following steps:

  1. Ensure that mod_ssl is loaded; if you use Debian (or one of its derivatives, like Ubuntu) this can be done by way of a2enmod ssl; other systems usually have an optional configuration file or some such that you'll need to include.

  2. Change every VirtualHost statement so it says VirtualHost *:443, for the HTTPS port.

  3. Add the required options for SSL to your VirtualHost stanzas:

     SSLEngine on
     SSLCertificateFile /etc/letsencrypt/live/homeassistant.domain.net/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/homeassistant.domain.net/privkey.pem
    
  4. (optionally) add a redirecting stanza so that plain HTTP requests on port 80 get redirected to HTTPS:

     <VirtualHost *:80>
         ServerName homeassistant.domain.net
         DocumentRoot /var/www/homeassistant
         <Directory /var/www/homeassistant>
             Require all granted
             Redirect permanent / https://homeassistant.domain.net/
         </Directory>
     </VirtualHost>
    

    This requires mod_alias, which is usually enabled (but you may have to enable it if not; on Debian and derivatives, you'd use a2enmod alias).

  5. (optionally) harden your SSL configuration by using Strict-Transport-Security, and a few other options:

     Header set Strict-Transport-Security max-age=15768000
     Header set X-Frame-Options SAMEORIGIN
     Header set X-Content-Type-Options nosniff
    

    This requires mod_headers (a2enmod headers).
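
The steps above combined into one site file, as an added example that is not part of the original answer. It reuses the hostname, paths and backend address from this page and assumes Apache 2.4 with mod_proxy, mod_proxy_http, mod_ssl, mod_alias and mod_headers enabled; the file name is an assumption, and the port-80 block uses RedirectMatch instead of the answer's plain Redirect so that challenge files are served without depending on the HTTPS vhost.

```apache
# /etc/apache2/sites-available/homeassistant.conf  (file name is an assumption)

# Port 80: answer the ACME challenge from disk, send everything else to HTTPS.
<VirtualHost *:80>
    ServerName homeassistant.domain.net
    DocumentRoot /var/www/homeassistant

    <Directory /var/www/homeassistant>
        Require all granted
    </Directory>

    # Variation on the answer's "Redirect permanent /": paths under
    # /.well-known/ are not redirected, so certbot --webroot validation
    # works even before the :443 block below exists.
    RedirectMatch permanent "^/(?!\.well-known/)(.*)$" "https://homeassistant.domain.net/$1"
</VirtualHost>

# Port 443: add this block only after certbot has written the files under
# /etc/letsencrypt/live/; Apache refuses to start if they are missing.
<VirtualHost *:443>
    ServerName homeassistant.domain.net
    DocumentRoot /var/www/homeassistant

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/homeassistant.domain.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/homeassistant.domain.net/privkey.pem

    # Reverse proxy only; never act as a forward (open) proxy.
    ProxyRequests Off

    # ProxyPass rules are checked in configuration order and the first match
    # wins, so the exclusion has to come before the catch-all "/".
    ProxyPass        /.well-known !
    ProxyPass        / http://192.168.0.9:8123/
    ProxyPassReverse / http://192.168.0.9:8123/

    # No <Proxy *> or <Location /> blocks with Order/Allow: that is 2.2
    # access syntax, and 2.4 uses Require (as in the :80 block above).

    # "always" also applies the headers to error responses.
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
</VirtualHost>
```

Run apache2ctl configtest before reloading Apache, since a syntax error in this file would also stop the Nextcloud vhost from coming back up.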

br flag
Hey Wouter, thanks for the answer - the hint with the port number was great. I searched further and noticed I had to add some configuration to my Home Assistant (see this: https://community.home-assistant.io/t/home-assistant-400-bad-request-docker-proxy-solution/322163). I got HTTP access working now, but with the SSL certificate I got some problem to solve. I get an invalid response from certbot... `Domain: homeassistant.domain.net` `Type: unauthorized` `Detail: Invalid response from` `http://homeassistant.domain.net/.well-known/acme-challenge` `[XXX.XXX.XXX.XXX]: 404`
pk flag
Did you restart Apache after changing the configuration file? That's necessary; Apache won't automatically reread the configuration file. If you did, please see if you find something interesting in your error logs...