Hardening of Nextcloud

Hi guys,

I’m following https://docs.nextcloud.com/server/20/admin_manual/installation/harden_server.html to harden my Nextcloud instance.
Following https://docs.nextcloud.com/server/20/admin_manual/installation/harden_server.html#place-data-directory-outside-of-the-web-root I should move my data folder outside /var/www/html. I’d like to do this, but it surely needs additional apache2 config.
Has anyone followed this recommendation and can explain to me what to do?
Furthermore, I’d like to use AppArmor in conjunction with Nextcloud.
Has anyone done that already and can give me some advice?

Thanks a lot.

Bernd

Hi,

You don’t need any apache2 config to move the files. As far as I’m aware, the point is to get them away from anywhere that the webserver knows about.

I followed the instructions, and it just works, although I moved the data files from the start - they now live in /var/local/nextcloud. The files in there are owned by www-data on my Debian VM, though, as that is the user that the backend will be running as.

Not sure about AppArmor. It runs on my VM, but I’ve not modified the existing config. What are you planning on doing with it?

Alan

Hi Alan,
thanks for your quick answer. “I followed the instructions…”. Which instructions?
I can’t imagine that it’s enough to just move the folder to somewhere else. NC or Apache needs to know where they are.
I’m thinking about AppArmor to have a kind of jail for NC.

Bernd

ay, I don’t believe apache2 config is needed.

In your ‘config.php’, look for the ‘datadirectory=’ line; that’s the root of your NC root.

Make sure “www-data:www-data” owns everything in the folder.

Hi Bernd,

I followed the hardening instructions that you linked to, as I was doing a new installation. I created a directory (/var/local/nextcloud) and changed the owner to www-data. I then gave this path to the installation wizard (I think in an “advanced” section).

I have previously moved the data folder after installation (serves me right for not reading all of the instructions). I can’t remember the steps for it, but I think I googled it. Certainly, doing it from the start is easier.

Alan
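
A check for the two points raised in this thread (data directory outside the web root, everything in it owned by the web-server user), added here as an example and not written by any of the posters. It assumes config.php uses Nextcloud's usual `'datadirectory' => '...'` array form; the function names and the demo tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit where Nextcloud keeps its data.

# Print the 'datadirectory' value from a Nextcloud config.php.
nc_datadir() {
    sed -n "s/^[[:space:]]*'datadirectory'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Physical path of a directory, so symlinks and ".." cannot defeat the prefix test.
resolve_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# check_datadir CONFIG WEBROOT OWNER
# Returns 0 = ok, 1 = data inside web root, 2 = wrong owner, 3 = cannot check.
check_datadir() {
    data=$(nc_datadir "$1")
    [ -n "$data" ] || { echo "no datadirectory entry in $1"; return 3; }
    real_data=$(resolve_dir "$data") || { echo "not a directory: $data"; return 3; }
    real_web=$(resolve_dir "$2") || { echo "not a directory: $2"; return 3; }
    case "$real_data/" in
        "$real_web"/*) echo "FAIL: $real_data is inside web root $real_web"; return 1 ;;
    esac
    # First entry not owned by OWNER; a find error (unknown user) also lands here.
    stray=$(find "$real_data" ! -user "$3" 2>&1 | head -n 1)
    [ -z "$stray" ] || { echo "FAIL: not owned by $3: $stray"; return 2; }
    echo "OK: $real_data is outside $real_web and owned by $3"
}

# Constructed demo tree: one config pointing inside the web root, one outside.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/html/data" "$t/local/nextcloud"
    printf "<?php\n\$CONFIG = array (\n  'datadirectory' => '%s',\n);\n" "$t/html/data" > "$t/bad.php"
    printf "<?php\n\$CONFIG = array (\n  'datadirectory' => '%s',\n);\n" "$t/local/nextcloud" > "$t/good.php"
    check_datadir "$t/bad.php" "$t/html" "$(id -u)"
    check_datadir "$t/good.php" "$t/html" "$(id -u)"
    rm -rf "$t"
}

# Real use (config path assumed: config/config.php under the /var/www/html install):
#   check_datadir /var/www/html/config/config.php /var/www/html www-data
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument `demo` to see both outcomes on the constructed tree; a data directory that is a symlink pointing back into the web root is reported as inside it.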