After upgrade from 28 to 29 I have "Data directory and your files are probably accessible from the Internet"

I also have this issue, after running NC for the last couple of years. What file should we check and/or change?

Check in config.php File in Nextcloud/config Folder:

  1. Trusted Domains

for example:

‘trusted_domains’ =>
array (
0 => ‘’

  1. Trusted Proxies

for example:

‘trusted_proxies’ =>
array (
0 => ‘’

  1. overwrite.cli.url

for example:

‘overwrite.cli.url’ => ‘’,

  1. overwriteprotocol

for example:

‘overwriteprotocol’ => ‘https’,

Here is a Link for Explanation config.php:
Configuration Parameters — Nextcloud latest Administration Manual latest documentation


I have 2 NC instances with the same problem.
One is situated in a private cloud provider with a dedicated DNS and the second at home with dyndns DNS.
I don"t see bad things with trusted_domains and overwrite.cli.url. :thinking:

I precise i’m using a docker container from [] and I also update image for both instances in the same time, I check on that part if there is a problem…

Niiiiiiiice ! It’s work for me ! It was a problem of trusted_domains…
And one less problem!

1 Like

Got the same error after upgrading to Hub29. I am using nextcloud docker with an nginx as reverse proxy (which is on a different host). I don’t have the trusted_proxy config setting at all. My config.php is set as follows:

  'trusted_domains' => 
  array (
    0 => ',

  'overwrite.cli.url' => '',
  'overwriteprotocol' => 'https',

If I remove trusted_domain, nextcloud doesn’t work. If I remove overwrite.cli.url and overwriteprotocol nextcloud still works but shows a lot of other errors. Really struggling how to fix this while also being worried that data is exposed.

Found this Frequent Nextcloud 29 (Hub 8) update issues - but it doesn’t really help.

There are some Website Security Scanners Out there. Checking your Website for vulnerabilit.
Google for Website SSL Check and Look out for some serious scanner

Same issue here. I’m using the recommended swag nginx config instructions:

## Version 2024/04/25
# make sure that your nextcloud container is named nextcloud
# make sure that your dns has a cname set for nextcloud
# assuming this container is called "swag", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => [gethostbyname('swag')],
#  'overwrite.cli.url' => '',
#  'overwritehost' => '',
#  'overwriteprotocol' => 'https',
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '', # This line may look different on your setup, don't modify it.
#    1 => '',
#  ),```
1 Like

The solution for me was to remove the entry 'localhost' from 'trusted_domains' in config.php.


Not solving my issue on my part!
Thanks anyway :slightly_smiling_face:

Guys, my solution.
Configure properly your reverse proxy settings in config.php
for example, I am using Cloudflare as a main reverse proxy
thus I have to describe all possible IP addresses that can send the request to my Nextloud server.
‘trusted_proxies’ => [‘’, ‘’, ‘’, …]

When ‘trusted_proxies’ are presented must include also in the config.php the parameter ‘forwarded_for_headers’ => [‘HTTP_X_FORWARDED’, ‘HTTP_FORWARDED_FOR’],
Therefore all the above will not only fix the error but also protect your Nextcloud from various attacks.

Good luck all of you :wink:


Don’t remove it. You should have at least one entry in there: the domain you use to access Nextcloud.

Since you’re using Docker, please go into the container and determine whether resolves to the same IP address as it does from outside of your container.

I can’t remove ‘trusted_domain’ anyway, because otherwise nextcloud won’t work at all. However, whatever IP I put in ‘trusted_proxies’ I still get the error.

Thank you!
I solved it too by leaving the domain address in trusted_domains but removing the local IP.
But now how do I connect to nextcloud with my local IP? lol


same for me, just removed local ip from trusted. use him from domain name

In my case, it was a typo in overwrite.cli.url.
I had mistakenly put the host name of the NAS that the docker image is running on.
Changing it to be the same as the one listed in trusted_domains as resolved the issue for me.

1 Like

This help me resolve this problem.
Only thing to chcange was to add port in trusted domains
1 => ‘’,

Nextcloud version (eg, 29.0.5): 29.0.1
Operating system and version (eg, Ubuntu 29.04): Rocky Linux 9.4
Apache or nginx version (eg, Apache 2.4.25): 2.4.57
PHP version (eg, 8.3): 8.3.7

The issue you are facing:
I’m getting a warning message within my settings:

  • Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

So I tried to find some solutions but nothing from what I found solved the issue.

I even moved out my data folder now from the public_html folder, so it’s not even visible from the net anymore, but still seeing that error.

Also trusted domains and overwrite cli are correct in my eyes
‘trusted_domains’ =>
array (
0 => ‘my.domain’,

‘overwrite.cli.url’ => ‘https://my.domain’,

Someone wrote to use *.my.domain under trusted domains and here I than just get an error that I’m accessing from an untrusted domain

In my http config I checked also the overwrite:
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted

Is this the first time you’ve seen this error? (Y/N): Y

The output of your Nextcloud log in Admin > Logging:


The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '/QokUhQNO',
  'secret' => '',
  'trusted_domains' => 
  array (
    0 => 'my.domain',
  'datadirectory' => '/my_data_folder',
  'dbtype' => 'mysql',
  'version' => '',
  'dbname' => '',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'overwrite.cli.url' => 'https://my.domain',
  'mysql.utf8mb4' => true,
  'dbuser' => '',
  'dbpassword' => '',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 1234,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  '' => 'stable',
  'app_install_overwrite' => 
  array (
    0 => 'unsplash',
    1 => 'occweb',
    2 => 'apporder',
    3 => 'files_readmemd',
  'default_phone_region' => 'LU',
  'default_locale' => 'de_DE',
  'remember_login_cookie_lifetime' => 172800,
  'session_lifetime' => 86400,
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'service',
  'mail_domain' => '',
  'defaultapp' => 'apporder',
  'simpleSignUpLink.shown' => false,
  'twofactor_enforced' => 
  array (
    'false' => '',
  'maintenance_window_start' => 1,

I’m now a bit lost as I don’t know what to do as next test - As I wrote even when moving out my data folder I’m still getting this message

The data folder has 770 as chmod and it is owned by the domain owner
The folders for the different users are drwxr-xr-x

Thanks for any idea and help

Hi @ISeeTWizard

You should have used the search function of the forum.

Read this please, maybe it explains your issue:

Much and good luck,

1 Like

like mentioned I searched for it and I found several entries and tried all of them

[root@web ~]# httpd -M
Loaded Modules:
env_module (shared)

So I also checked that this module is loaded, which it is as you see on the return I got

1 Like