Data directory always outside web root?

I just installed nextcloud and because of

You should locate your Nextcloud data directory outside of your Web root if you are using an HTTP server other than Apache, or you may wish to store your Nextcloud data in a different location for other reasons (e.g. on a storage server).

what I found in the administration manual on the page of the Installation wizard, I didn’t change data directory because I’m using Apache.

Now I wanted to fix some security issues and I found in the “Hardening and Security Guidance” this

Place data directory outside of the web root

It is highly recommended to place your data directory outside of the Web root (i.e. outside of /var/www). It is easiest to do this on a new installation.

My question is:
Is it always better to place the data directory outside web root?
If not:
Why is it save with apache but not save with the other web server?

Best regards

1 Like

Stumbled over exactly the same thing :slight_smile:.

I’m a little bit confused, because I thought this would be an easy one in this forum.
I already asked in the IRC-Channel, but also with no answer.
Is there another place where I can ask this question?

Best regards

I just asked again on IRC-Channel and got a satisfying answer from User Kelsar.

Does anybody know why it is save with apache to place data directory within the web root but not with any other web server?
because nextcloud comes with .htaccess files, but other webservers can be as save
And apache can have .htaccess disabled, then it is not save anymore

I’m not sure why Apache vs Nginx or others would make a difference (I don’t think it does), but I like keeping data outside of the web root because it makes upgrades, backups, and restores easier when necessary.

Depending on how far you are into Nextcloud as far as having shared links, etc. you may not want to attempt this, and they technically don’t support changing the location after installation. However, it does seem to be possible if you’re willing to make manual changes to the config file and database (there are some relative paths, but there are some full paths as well which would need to be updated by hand or with update queries).

I did this a while ago but unfortunately I don’t have a step by step guide for it.

There’s a safe way to do it after installation. It’s technically still somewhat exposing the data dir though I suppose.


that is very intressting question.
I have a private nextcloud and at the moment the data directory is outside of the web root.
I’m using a webhosting service and i have a lot of problems. The problem is that the data directory is outside the web root.
I would like to reinstall nextcloud and put the data directory into the nextcloud installation path.

I’m not sure if this is a big security hole. The webhosting service uses apache as http server.

What is the problem if the data directory is in the web root (nextcloud folder)? Are my files are insecure or can be access by anyone?

It would be great if someone can explain this behavior.
Thank you!


I’m running nextcloud data on our SLES distro outside the default /srv/www/htdocs/ dir.
Just because it is recommend in the docs.
Inside config.php you can set the path, or use symlinks… Whatever you like.
Don’t forget to set the proper rights and disable other/world access to this nextcloud data dir.
You can also put the whole nextcloud web dir outside your default webroot, like the nextcloud data dir.
I would recommend to use something like /srv/nextcloud and /srv/nextcloud-data or something like that.
I wouldn’t put the data dir. inside the nexcloud web dir. Just configure the apache config properly to serve your nextcloud dir, even if it’s outside your default webroot.

Have fun…

I throw in my 5 cents…

if the server is hacked, it doesn’t matter anything where the data can finally be found. Better save your energy and try to accomplish an A+ rank in Nextcloud, Mozilla Observatory and SSLLab Security Scanners…