The installation documents provide an example Apache configuration for the directory /var/www/nextcloud/. They also briefly recommend placing the data directory outside of the web root.
Nextcloud appears to rely on .htaccess rules for security, with a second .htaccess file created inside your data directory.
Does that .htaccess file, which is now outside of web root and not referenced by the AllowOverride All directive for /var/www/nextcloud have any effect?
Is there a more complete example that can be added to the documentation, such as:
<Directory /var/www/nextcloud/>
Require all granted
Options FollowSymlinks MultiViews
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
</Directory>
<Directory /var/www/nextcloud-data/>
#####################################
# Maybe something needs to go here? #
#####################################
</Directory>
The .htaccess file has to be in /var/www/nextcloud, inside the web root. As the data directory has to be outside the web root, the directory entry in your file makes no sense. My data is in /var/lib/nextcloud/<cloudname>/
One of them is. Nextcloud uses multiple .htaccess files, another of which is placed at the root of your data directory. Without an AllowOverride All at or above each directory where they exist, my understanding is that they are ineffective.
The directory entry I provided was just an example, you can adapt it to match your specific deployment. For example, this would match yours:
<Directory /var/lib/nextcloud/<cloudname>/>
#####################################
# Maybe something needs to go here? #
#####################################
</Directory>
My understanding is that the reason for moving the data folder is so that there is no direct URL to your files because they aren’t under a folder served by Apache, rather than relying on a security mechanism to deny access which could potentially have a bug or exploit and fail.
Why would Apache need a list of user permissions for a folder that isn’t part of any of its sites? Just to be clear, your data folder should not appear anywhere in your Apache config.
Does moving the Nextcloud data directory outside of the Apache document root make the security rules in the data directory’s .htaccess file unnecessary?
Apache is serving those files, wherever they may be, and unless a directive enabling .htaccess is applied to a parent directory the security mitigations contained in that .htaccess file (not the main one, the one in /data) have no effect.
For the avoidance of doubt, my user data directory’s .htaccess file contains the following:
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>
# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>
Apache isn’t going to apply those rules now, because the data directory is outside its document root. Is that a problem or is it safe to ignore those rules?
Apache is not serving the data directory with any of its sites which, to my understanding, makes any .htaccess in the folder just an unused file.
The Apache user has access to the files, and they are accessed by PHP, but not by Apache’s site config, meaning there is no URL that could access one of the data files directly. Isn’t that where access rules would come into play?