uberspace.de has a wildcard certificate for *.servername.uberspace.de. So if you want to use it, your ownCloud-installation must go in a subdirectory like so:

https://accountname.servername.uberspace.de/owncloud

…because you have no certificate for https://owncloud.accountname.servername.uberspace.de (unless you buy one)

Sadly the server hardening information for HTTPS apply only if you installed ownCloud in a subdomain.

There used to be a config option for ownCloud telling it to secure everything using PHP code, but it’s gone now, so we have to use the “.htaccess” file for hardening and we do it like this:

Redirect to HTTPS

After the line “RewriteEngine On” add these lines:

RewriteBase /
RewriteCond %{HTTPS} !=on
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This redirects every access to HTTPS. But there is one problem: If a user enters the HTTP address of the ownCloud instance, the session cookie might leak over HTTP before the redirect to HTTPS happens.

Harden the cookies

After the line “<IfModule mod_env.c>” add this line:

Header always edit Set-Cookie (.*) "$1; Secure"

This tells the browser to never transmit the ownCloud cookies over an insecure channel.