Forbidden paths vs allowed paths

Hi,

I found a lot of example caddy configurations forbidding specific paths like

@forbidden {
    path /.htaccess
    ...
}
respond @forbidden 404

But I wonder what happens if Nextcloud, the distribution or even the user introduces new paths which should also be forbidden. Nobody would remember to update the forbidden paths.

So I want to specify which paths are allowed, all others forbidden.

My current definition: see below. It is not complete because I do not want to exhibit how I protect my cloud. My list might exhibit more than it should.

What I would like to know: Is there any place where Nextcloud defines what is needed? Including apps? Or do I just have to allow more paths when something does not work without?

@forbidden {
    not {
        path /.well-known/*
        path /remote.php/*
        path /dist/*
        ...
    }
}
respond @forbidden "Du kommst hier nicht rein" 404
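The maintenance gap the post describes can be made concrete by evaluating both policy styles against the same sample requests. The following is an added example, not code from the post or from Nextcloud or Caddy: it approximates Caddy's `path` matcher (a trailing `*` is treated as a prefix match, everything else as an exact match, which is an assumption) and uses constructed deny- and allow-lists plus constructed request paths, not Nextcloud's real list of required paths.

```python
"""Deny-list vs allow-list path policies over sample requests (added example).

Matching semantics are a simplified approximation of Caddy's `path` matcher
(assumption: trailing '*' = prefix match, otherwise exact match).  The pattern
lists and request paths below are constructed sample data.
"""


def path_matches(pattern: str, path: str) -> bool:
    """Approximate Caddy `path` matcher for one pattern (assumption, see above)."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def matches_any(patterns, path: str) -> bool:
    return any(path_matches(p, path) for p in patterns)


# Deny-list style:  @forbidden { path ... }   -> respond 404
DENY_PATTERNS = ["/.htaccess", "/config/*", "/data/*"]          # constructed

# Allow-list style: @forbidden { not { path ... } } -> respond 404
ALLOW_PATTERNS = ["/.well-known/*", "/remote.php/*", "/dist/*", "/index.php*"]  # constructed


def denylist_decision(path: str) -> str:
    """Deny only what is explicitly listed; everything else is served."""
    return "404" if matches_any(DENY_PATTERNS, path) else "allow"


def allowlist_decision(path: str) -> str:
    """Serve only what is explicitly listed; everything else gets 404."""
    return "allow" if matches_any(ALLOW_PATTERNS, path) else "404"


SAMPLE_REQUESTS = [                      # constructed request paths
    "/.htaccess",
    "/config/config.php",
    "/remote.php/dav/files/alice",
    "/dist/core-main.js",
    "/newapp/secrets.json",              # a path nobody added to either list
    "/.user.ini",                        # a dotfile that appeared after the lists were written
]


def compare(paths=SAMPLE_REQUESTS) -> dict:
    """Map each request path to (deny-list result, allow-list result)."""
    return {p: (denylist_decision(p), allowlist_decision(p)) for p in paths}


def leaks_through_denylist(paths=SAMPLE_REQUESTS) -> list:
    """Paths the deny-list would serve but the allow-list blocks.

    This is exactly the set that grows silently whenever a new file or
    directory appears and nobody updates the forbidden list.
    """
    return [p for p, (deny, allow) in compare(paths).items()
            if deny == "allow" and allow == "404"]


if __name__ == "__main__":
    for path, (deny, allow) in compare().items():
        print(f"{path:32} deny-list: {deny:6} allow-list: {allow}")
    print("served by deny-list only:", leaks_through_denylist())
```

The trade-off the allow-list buys is visible in the same table: nothing unknown is ever served, but a legitimate path that is missing from the list (for example a path a newly installed app needs) will also answer 404 until it is added, so the allow-list has to be maintained against what the application actually exposes rather than against what is known to be sensitive.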

If you are not using Apache, this is a known problem in the world of PHP applications. Apache is one of the only known and widely used web servers that allows configuration by the application itself. Nextcloud provides a .htaccess file for this purpose.

If you are not using Apache, I would check the NGINX configuration documentation for each major update (even if you are not using NGINX). The NGINX configuration often gives an indication of which directories/files should not be publicly accessible.
