Client denied by server configuration: .ocdata

Whenever I access the admin page I get the following error in the httpd error log.
[Sun May 28 12:10:37.917440 2017] [authz_core:error] [pid 11662] [client 192.168.10.162:39942] AH01630: client denied by server configuration: /var/www/x.y.z/html/data/.ocdata
This only happens on the Admin page, no other page access generates this error.

And Nextcloud seems to be working. I can access everything fine, and the sync client works.

Nextcloud version: 12.0.0
Operating system and version: CentOS 7
Apache or nginx version: Apache 2.4.6
PHP version: 5.6
Is this the first time you’ve seen this error?: yes
Can you reliably replicate it? (If so, please outline steps): Yes, just start the server

1 Like

Hi all, I have the same problem.
I think the problem is the .htaccess in /nextcloud/data

root@sysstem:/var/www/nextcloud/data# cat .htaccess 
# Generated by Nextcloud on 2017-05-27 08:38:51
# line below if for Apache 2.4
<ifModule !mod_authz_core.c>
Require all denied
#deny from all  <<< same error with require all or deny from all
</ifModule>

# line below if for Apache 2.2
<ifModule mod_authz_core.c>
deny from all
#Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

Apache Log Message:
client denied by server configuration: /var/www/html/nextcloud/data/.ocdata

System:
Linux 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 16.04.2 LTS
PHP: PHP Version 7.0.18-0ubuntu0.16.04.1
Apache: Apache/2.4.18 (Ubuntu)

Regards Lars

How did you solve that? I have the same problem here, even if I turn off htaccess.

This message shouldn’t worry you. It’s supposed to work like that:

A client (web browser) must not be able to directly access the data/ folder. The admin page has a check for this: it tries to access https://example.org/data/.ocdata. If the test succeeded, your data/ folder would be accessible from a web browser and everybody could access sensitive user data without authentication, e.g. via https://example.org/data/username/files/my_secret.txt

So if it must be impossible to access it directly, how does Nextcloud access the file? Apache itself blocks access, but the PHP process can access the files in the data folder and provides them via WebDAV after proper authentication.

4 Likes

Yes, but I still can’t change the background in Theming. And this is the error I get.
So I’m worried 😛

That’s a different topic, please open a new discussion for that. This “error” is just a coincidence.

Hello,
Today I upgraded my Nextcloud from 11.0.3 to 12.0.2 and have the same warning messages regarding “client denied”.
The problem itself isn’t so big, but fail2ban bans me after hitting that point several times!

So it is not harmless at all. After 5 tries, I get a ban. After 5 bans, I am out for a week.

Thanks for an answer
Peter

2 Likes

This has bitten me too … and d*mn did it take long before I found out what caused those connection dropouts (since all other web apps are locked out as well by fail2ban).

My solution is to include a custom configuration file in fail2ban’s config directory, e.g., /etc/fail2ban/filter.d/apache-auth.local:

[apache-auth]

# ignore intentional auth failures from nextcloud admin page
ignoreregex = nextcloud/data/.ocdata

You might need to adapt the above regex if your nextcloud installation directory is not called nextcloud, or you might give a more specific path if needed.

Hope this helps someone, have fun.

3 Likes

[EDIT]
Ok, I get it. You need to mimic the .conf file, so apache-auth.local should contain:

[Definition]

# ignore intentional auth failures from nextcloud admin page
ignoreregex = nextcloud/data/.ocdata

Now, everything works as expected.
[/EDIT]
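To see what the ignoreregex above changes, here is an added example (not part of any post in this thread) that replays the failregex/ignoreregex decision over constructed log lines in the AH01630 format quoted earlier. `FAIL_RE` is a simplified stand-in, not fail2ban's shipped apache-auth filter, and `STRICT_IGNORE` is an assumed tightening of the posted pattern.

```python
import re
from collections import Counter

# Assumption: simplified stand-in for a failregex, not the shipped apache-auth filter.
FAIL_RE = re.compile(
    r"\[client (?P<host>\S+?):\d+\] AH01630: "
    r"client denied by server configuration: (?P<path>\S+)"
)

NO_IGNORE = re.compile(r"(?!)")  # never matches: behaviour without any ignoreregex
# ignoreregex as posted in the thread: unescaped dot, not anchored.
LOOSE_IGNORE = re.compile(r"nextcloud/data/.ocdata")
# Tightened variant (assumption): literal dot, must be the last thing on the line.
STRICT_IGNORE = re.compile(r"/nextcloud/data/\.ocdata$")

MAXRETRY = 5  # the thread reports a ban after 5 hits


def count_failures(lines, ignore_re):
    """Count denied requests per client, skipping lines the ignore pattern matches."""
    counts = Counter()
    for line in lines:
        line = line.rstrip()
        m = FAIL_RE.search(line)
        if m and not ignore_re.search(line):
            counts[m.group("host")] += 1
    return counts


def banned_hosts(lines, ignore_re, maxretry=MAXRETRY):
    """Return the set of clients that reach maxretry counted failures."""
    return {h for h, n in count_failures(lines, ignore_re).items() if n >= maxretry}


# Constructed sample log lines (addresses and paths are made up for this example).
PREFIX = "[Sun May 28 12:10:37.917440 2017] [authz_core:error] [pid 11662] "
DENIED = "AH01630: client denied by server configuration: /var/www/nextcloud/data/"
SAMPLE = (
    # admin opening the settings page five times: the intentional .ocdata check
    [f"{PREFIX}[client 192.168.10.162:39942] {DENIED}.ocdata"] * 5
    # another client denied five times on other paths under data/
    + [f"{PREFIX}[client 203.0.113.7:51000] {DENIED}.ocdata-old/file{i}" for i in range(3)]
    + [f"{PREFIX}[client 203.0.113.7:51000] {DENIED}alice/files/notes{i}.txt" for i in range(2)]
)

if __name__ == "__main__":
    for name, pat in [("none", NO_IGNORE), ("loose", LOOSE_IGNORE), ("strict", STRICT_IGNORE)]:
        print(f"{name:6} ignoreregex ->", sorted(banned_hosts(SAMPLE, pat)))
```

With the anchored pattern only the admin-page check is skipped, while other denied requests under data/ still count toward a ban. A candidate pattern can be checked against a real log with fail2ban-regex before the jail is reloaded.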

Hi there,

Your filter is working for me in /etc/fail2ban/filter.d/apache-auth.conf but not in /etc/fail2ban/filter.d/apache-auth.local. Did you do anything to load this local file? I’m on Ubuntu.

Have a nice day.

Here’s another solution.
Edit /www/nextcloud/data/.htaccess like below:

<ifModule mod_authz_core.c>
Require all denied
</ifModule>

<FilesMatch ".ocdata">
       <IfModule mod_authz_core.c>
          Require all granted
       </IfModule>
</FilesMatch>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

With this change, you will trigger the warning that the .htaccess file is ineffective. So I’d say this is not the best way to solve the “issue”.
Basically it is by design to NOT have access to nextcloud/data/.ocdata. So the errors in the logs are just fine.

1 Like