"access forbidden by rule" for files named ".ht*"

Nextcloud version 17.0.3:
Operating system and version: Ubuntu 16.04:
Apache or nginx version: nginx
(adminstrated with PLESK)
PHP version 7.1.33:

Hello. I hope somebody can lead me into the right direction :slight_smile:

I created my Nextcloud server a while ago and was able to change it so that I would be able to upload .htaccess-files (as far as I remember by just removing it from “blacklisted_files” in config/config.php).
The other day I noticed that this doesnt work. After further investigation I found that all files that start with “.ht” lead to an empty error response from the server (either by client or over the browser).

I found the following error in my server-logs, which seems to be the culprit:

2020/03/05 14:09:04 [error] 14728#0: *1155942 access forbidden by rule, client: XXX, server: XXX, request: "PUT /nextcloud/remote.php/webdav/Projekte/.ht HTTP/2.0", host: "XXX"

So I guess the problem lies in a .htaccess-file of my server or my nginx-configuration. But I cant find anything that could be responsible for that error.
Am I blind?
Are their other locations I should check?
What else can cause this error? :confused:

My main .htaccess-file:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Download-Options "noopen"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set X-Robots-Tag "none"
    Header always set X-XSS-Protection "1; mode=block"
    SetEnv modHeadersAvailable true

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off

ErrorDocument 403 /
ErrorDocument 404 /

My nginx-configuration from plesk:

rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;
rewrite ^/.well-known/webfinger /nextcloud/public.php?service=webfinger last;

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

location = /.well-known/carddav {
	return 301 $scheme://$host/nextcloud/remote.php/dav;

location = /.well-known/caldav {
	return 301 $scheme://$host/nextcloud/remote.php/dav;

location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;

# Enable gzip but do not remove ETag headers

gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
	deny all;

location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
	deny all;

location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
	try_files $uri/ =404;
	index index.php;

# Adding the cache control header for js and css files

location ~ ^\/.+[^\/]\.(?:css|js|woff2?|svg|gif)$ {
	try_files $uri /nextcloud/index.php$request_uri;
	add_header Cache-Control "public, max-age=15778463";
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	add_header X-Download-Options noopen;
	add_header X-Permitted-Cross-Domain-Policies none;
	add_header Referrer-Policy no-referrer;

location ~ ^\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg)$ {
	try_files $uri /nextcloud/index.php$request_uri;
	# Optional: Don't log access to other assets
	access_log off;

I hope that is all information you guys need.
Thanks in advance for any help! :slight_smile: