How can I handle htaccess Security Warning?

Hi,

after updating to NC 10, I get the following security warning in Admin Settings:

Your data directory and your files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible from the internet, or that you move it out of the web server's document root.

(EN: htaccess is probably not working, your files might be accessible from the internet)

  1. How can I verify, if this is true?
  2. How can I fix this? (I don’t want to move my files, if possible)

Thanks! :slight_smile:

You can try to access the data-directory:
https://yourserver/nextcloud/data/

Normally it should give you an error. Not sure if and why the .htaccess is failing, if you use nginx as webserver you might want to disallow access to the data/-directory in the nginx configuration.
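An added example to make the check above reproducible (this is not code from the thread or from Nextcloud): it requests the data directory without following redirects and classifies the HTTP status it gets back. A 403 or 404 means the web server is blocking the directory, a 200 means the data directory is exposed, and a 3xx redirect (what several posters in this thread see) is inconclusive, because the response comes from the redirect target rather than from the data directory itself. The `/nextcloud` base URL and the extra file names probed are assumptions; `.ocdata` is the marker file Nextcloud keeps in its data directory, and `htaccesstest.txt` is assumed here to be the file the setup check writes for its own test.

```shell
#!/bin/sh
# Added example, not from the thread or from Nextcloud: probe the data
# directory and say whether the web server blocks it.
#
# Assumptions: the data directory is served at <base>/data/; a blocked
# request answers 403/404, an exposed one 200. A redirect is inconclusive
# because the redirect target, not the data directory, produces the reply.

# classify_status CODE -> prints blocked | exposed | inconclusive | error
classify_status() {
  case "$1" in
    403|404)      echo blocked ;;
    200)          echo exposed ;;
    3[0-9][0-9])  echo inconclusive ;;
    *)            echo error ;;        # 000 = no connection, 5xx etc.
  esac
}

# probe BASE_URL PATH -> prints the HTTP status code only.
# -s: quiet, -o /dev/null: discard body, no -L so redirects are NOT followed.
probe() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1$2"
}

# check_data_dir BASE_URL: probe the directory itself plus two files that
# should exist inside a live data directory (file names are assumptions).
check_data_dir() {
  base="${1%/}"
  for path in /data/ /data/.ocdata /data/htaccesstest.txt; do
    code=$(probe "$base" "$path")
    printf '%-28s %s %s\n' "$path" "$code" "$(classify_status "$code")"
  done
}

# Usage: sh check_data_dir.sh https://yourserver/nextcloud
if [ -n "${1:-}" ]; then
  check_data_dir "$1"
fi
```

Run it against your own instance's base URL; if any line reports `exposed`, the warning is correct regardless of what the browser shows you when you are logged in, and if every line reports `inconclusive` the redirect is hiding the answer and you should test the same URLs from a session with no Nextcloud cookie.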

I am running into the same issue. When I try to access https://server_name/nextcloud/data, it just redirects me to the files app. Does this mean that it's working properly and there's just something wrong with the warning?

You should get access to the files this way: https://yourserver/data/$username/files/path/to/file

Redirection prevents you but I think per default it should show you a page with access denied.

Yes, that's what I am using. It seems to just redirect back to the files app. Anything else I can try? Would really love to get rid of this warning.

What kind of setup are you using? Which webserver, do you have root access?

Fedora 24 with Apache. Yes I have root access

Did you put this into your apache configuration? It enables the use of .htaccess (AllowOverride All):
https://docs.nextcloud.com/server/9/admin_manual/installation/source_installation.html#apache-configuration-label

Yes I did. I am also pretty sure .htaccess worked just fine before the upgrade to NC 10

Same issue here after manual upgrade to NC 10.

“AllowOverride All” is already set in apache2.conf

Was okay before the upgrade.

Any ideas?

Thanks a lot!

Can you try and add this to your config:

<Directory /var/www/nextcloud/data>
  Deny from all
</Directory>
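An added variant of the snippet above (not from the thread): `Deny from all` is Apache 2.2 access-control syntax, and on Apache 2.4 (which Fedora 24 and Debian Jessie ship) it only works when mod_access_compat is loaded. The form below is accepted by both versions because each branch is guarded by the module that provides it; the `/var/www/nextcloud/data` path is the one assumed in the post above and must match `datadirectory` in config.php.

```apache
# Added example, not from the thread. Block direct web access to the
# Nextcloud data directory on Apache 2.2 and 2.4.
# Path is an assumption: use the 'datadirectory' value from config.php.
<Directory /var/www/nextcloud/data>
  # Apache 2.4: mod_authz_core syntax
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 (or 2.4 with mod_access_compat): legacy syntax
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Directory>
```

Put this in the server or virtual-host configuration rather than in a .htaccess file, so it holds even when `AllowOverride` is not honoured, then reload Apache and repeat the request to the data directory.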

I’m on hosted webspace, Apache

If I enter https://myurl/data/ or https://myurl/data/$username/testfile.txt I get redirected to login (if not logged in) or to file-app (if logged in). So it doesn’t seem to be a security risk to me.

I didn't do any modifications to the apache config, but I could. Will try tflidd's approach later this day…

@tflidd: I added the command to the apache config, but I get the same error message. Nothing changed.

I’ve the same problem after update to NC 10. Debian Jessie and Apache.

@tflidd, I tried adding the new config snippet into my apache conf, but it didn’t do anything either. This was of course after restarting apache and rerunning the Nextcloud cron script.

Can you provide all your config-files somewhere. Looks like things are not at the right place.

My config.php:

<?php
$CONFIG = array (
  'instanceid' => 'strangenumber',
  'passwordsalt' => 'pepper',
  'secret' => 'nothingtoseehere',
  'trusted_domains' => 
  array (
    0 => 'sub.domain.de',
  ),
  'datadirectory' => '/home/www/owncloud/data',
  'overwrite.cli.url' => 'https://sub.domain.de',
  'dbtype' => 'mysql',
  'version' => '9.1.0.16',
  'dbname' => 'web_db',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'web',
  'dbpassword' => 'secret',
  'logtimezone' => 'UTC',
  'installed' => true,
  'appstore.experimental.enabled' => true,
  'theme' => '',
  'loglevel' => 0,
  'maintenance' => false,
  'htaccess.RewriteBase' => '/',
);

Which other files do you think of?

No, I meant your apache-stuff.

I’m on a shared hosting service. The admin conf (which I can’t change) is:

LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\" %V" common
ServerTokens ProductOnly
ServerSignature Off
TraceEnable off
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain text/html text/xml
    AddOutputFilterByType DEFLATE text/css text/javascript
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</IfModule>
<IfModule mod_ssl.c>
SSLHonorCipherOrder On
SSLProtocol +ALL -SSLv2 -SSLv3
SSLCipherSuite 256-SHA-KEY
SSLInsecureRenegotiation Off
</IfModule>
LoadModule geoip_module /usr/lib/apache2/modules/mod_geoip.so
<IfModule mod_geoip.c>
  GeoIPEnable On
  GeoIPDBFile /usr/share/GeoIP/GeoLiteCity.dat
  GeoIPDBFile /usr/share/GeoIP/GeoLiteCity.dat MemoryCache
  GeoIPDBFile /usr/share/GeoIP/GeoLiteCity.dat CheckCache
  GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
  GeoIPDBFile /usr/share/GeoIP/GeoIP.dat MemoryCache
  GeoIPDBFile /usr/share/GeoIP/GeoIP.dat CheckCache
  GeoIPScanProxyHeaders On
</Ifmodule>
ServerTokens Prod
AddType audio/ogg .oga
AddType video/ogg .ogv
AddType video/mp4 .mp4
AddType video/x-m4v .m4v
AddType application/ogg .ogg
AddType application/x-httpd-php .html
AddType video/quicktime .mov

DirectoryIndex index.html index.htm index.php

Alias /autodiscover/autodiscover.xml /usr/share/autodiscoveroutlook/autodiscover.php
Alias /.well-known/autoconfig/mail/config-v1.1.xml /usr/share/autodiscover/autodiscover.php

But I can add some custom code. This is my custom code for the whole domain:

<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

Hard to say, there is nothing about ownCloud. I think it was recommended to turn gzip compression off for Nextcloud (it did cause some problems), but it's not related to the actual problem. Can you add this to your configuration:
https://docs.nextcloud.com/server/9/admin_manual/installation/source_installation.html#apache-web-server-configuration