Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

htaccess warning while files non accessible from internet #6281

Closed
biva opened this issue Aug 28, 2017 · 4 comments
Closed

htaccess warning while files non accessible from internet #6281

biva opened this issue Aug 28, 2017 · 4 comments

Comments

@biva
Copy link

biva commented Aug 28, 2017

Steps to reproduce

  1. Install Nextcloud on fresh Debian Stretch
  2. Configure as indicated in documentation (including AllowOverride All in /etc/apache2/apache2.conf)

Expected behaviour

Warning disappears

Actual behaviour

Warning still present: "Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root."

  • .htaccess in nextcloud and nextcloud/data are owned by www-data:www-data (tried with root:www-data, same issue)
  • I think I cannot access my files from the internet. I tried to enter this in Firefox : https://nextcloud.website.com/remote.php/webdav/test.txt and I receive an "Unauthorized" answer if I don't enter my credentials
  • I also tried sudo -u www-data php occ maintenance:update:htaccess
  • Should I set config 'htaccess.RewriteBase' => '/', ??
  • I also checked but there's no "htaccess.txt" file anywhere
  • By the way, I used to follow these instructions to set Strong Directory Permissions : https://docs.nextcloud.com/server/9/admin_manual/installation/installation_wizard.html#strong-perms-label I don't see this in the documentation for NC12: I don't need to do that anymore to change .htaccess permissions? For the moment, all my nextcloud folder is owned by www-data:www-data

Server configuration

  • Debian GNU/Linux 9.1 (stretch)
  • Server version: Apache/2.4.25 (Debian) - Server built: 2017-07-18T18:37:33
  • PHP 7.0.19-1 (cli) (built: May 11 2017 14:04:47) ( NTS )
  • mariadb Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
  • Nextcloud version 12.0.2 - installed: true - version: 12.0.2.0 - versionstring: 12.0.2

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: Nextcloud website (zip)

Signing status:

Signing status No errors have been found.

List of activated apps:
Fresh install

Nextcloud configuration:

Config report

{
"system": {
"instanceid": "xxxx",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"192.168.0.40",
"nextcloud.website.com"
],
"datadirectory": "/var/www/html/nextcloud/data",
"overwrite.cli.url": "https://nextcloud.website.com",
"dbtype": "mysql",
"version": "12.0.2.0",
"dbname": "nextcloud",
"dbhost": "localhost",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true
}
}

data/.htaccess content # Generated by Nextcloud on 2017-08-25 23:18:20 # line below if for Apache 2.4 Require all denied

line below if for Apache 2.2

<ifModule !mod_authz_core.c>
deny from all
Satisfy All

section for Apache 2.2 and 2.4

IndexIgnore *

Are you using external storage, if yes which one: no

Are you using encryption: no
@biva
Copy link
Author

biva commented Aug 28, 2017
edited
Loading

For info : my nextcloud.conf


DocumentRoot /var/www/html/nextcloud
ServerName nextcloud.website.com

<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
#Options MultiViews FollowSymlinks
AllowOverride All

<IfModule mod_dav.c>
Dav off
</IfModule>

#Order allow,deny
#Allow from all

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud

Satisfy Any

</Directory>

TransferLog /var/log/apache2/nextcloud_access.log
ErrorLog /var/log/apache2/nextcloud_error.log

RewriteEngine on
RewriteCond %{SERVER_NAME} =nextcloud.website.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>```

@biva
Copy link
Author

biva commented Aug 28, 2017
edited
Loading

And my nextcloud-le-ssl.conf

<VirtualHost *:443>

DocumentRoot /var/www/html/nextcloud
ServerName nextcloud.website.com

<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
#Options MultiViews FollowSymlinks
AllowOverride All

<IfModule mod_dav.c>
Dav off
</IfModule>

#Order allow,deny
#Allow from all

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud

Satisfy Any

</Directory>

TransferLog /var/log/apache2/nextcloud_access.log
ErrorLog /var/log/apache2/nextcloud_error.log

SSLCertificateFile /etc/letsencrypt/live/nextcloud.website.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.website.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

</VirtualHost>

</IfModule>```

@MorrisJobke
Copy link
Member

This seems to be a setup question. I would ask you to open this in the forums and ask for help there: https://help.nextcloud.com

Thanks

@biva biva mentioned this issue Sep 11, 2017
Closed
@biva
Copy link
Author

biva commented Sep 11, 2017

@MorrisJobke : this has been followed in the forum, and appears to be a security issue: #6449

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MorrisJobke @biva