Hi,
after updating to NC 10, I get the following security warning in Admin Settings:
Your data directory and your files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible from the internet, or that you move it out of the web server's document root.
(EN: htaccess is probably not working, your files might be accessible from the internet)
How can I verify, if this is true?
How can I fix this? (I don’t want to move my files, if possible)
Thanks!
tflidd (August 26, 2016, 6:13am) #2
You can try to access the data-directory:
https://yourserver/nextcloud/data/
Normally it should give you an error. Not sure if and why the .htaccess is failing, if you use nginx as webserver you might want to disallow access to the data/-directory in the nginx configuration.
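A redirect on the directory URL does not by itself show whether a file inside data/ is handed out, so the following added script (not from the thread) probes a specific file over HTTP with curl and classifies the response. It assumes a base URL of https://sub.domain.de/nextcloud (placeholder) and that you first create a marker file with known, non-empty content in the data directory, for example data/probe-marker.txt containing `nextcloud-data-probe`; both names are assumptions. Only a 200 whose body contains the marker proves the warning right; a redirect, 401, 403 or 404 means the web server did not serve the file.

```shell
#!/bin/sh
# Added example (not from the thread): test whether files inside the Nextcloud
# data directory are served over HTTP. BASE_URL, the marker path and the marker
# content are assumptions; create the marker file yourself before running.
set -u

BASE_URL=${BASE_URL:-https://sub.domain.de/nextcloud}   # placeholder instance
MARKER_PATH=${MARKER_PATH:-data/probe-marker.txt}       # file you created
MARKER=${MARKER:-nextcloud-data-probe}                  # its (non-empty) content

# Map an HTTP status and whether the body contained the marker to a verdict.
# Only a 200 that really returns the marker proves exposure; redirects (what
# several posters observe) and 401/403/404 mean the file was not handed out.
verdict() {
    status=$1 ; body_match=$2
    case "$status" in
        200) if [ "$body_match" = yes ]; then echo exposed; else echo served-without-marker; fi ;;
        301|302|303|307|308) echo protected-by-redirect ;;
        401|403|404) echo protected ;;
        000) echo unreachable ;;
        *) echo "unknown-$status" ;;
    esac
}

# Fetch one URL without following redirects (curl's default) and print
# "<status> <yes|no>", the second field saying whether the marker was in the body.
probe() {
    url=$1 ; expected=$2
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$url") || status=000
    if grep -qF -- "$expected" "$tmp"; then match=yes; else match=no; fi
    rm -f "$tmp"
    echo "$status $match"
}

# Probe the marker file and print a one-line result.
check_data_dir() {
    url="$BASE_URL/$MARKER_PATH"
    set -- $(probe "$url" "$MARKER")
    echo "$url -> HTTP $1, marker in body: $2, verdict: $(verdict "$1" "$2")"
}

# Usage: BASE_URL=https://yourserver/nextcloud sh probe.sh run
if [ "${1:-}" = run ]; then check_data_dir; fi
```

Run it once while logged out and once with a session cookie if you want to mirror what the posters saw; the verdict is the same either way, because the only outcome that matters is a 200 carrying the marker content.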
I am running into the same issue. When I try to access https://server_name/nextcloud/data, it just redirects me to the files app. Does this mean that it's working properly and there's just something wrong with the warning?
tflidd (August 26, 2016, 8:05am) #4
You should get access to the files this way: https://yourserver/data/$username/files/path/to/file
Redirection prevents you but I think per default it should show you a page with access denied.
Yes, that's what I am using. It seems to just redirect back to the files app. Anything else I can try? Would really love to get rid of this warning.
tflidd (August 26, 2016, 8:26am) #6
What kind of setup are you using? Which webserver, do you have root access?
Fedora 24 with Apache. Yes I have root access
tflidd (August 26, 2016, 9:01am) #8
Yes I did. I am also pretty sure .htaccess worked just fine before the upgrade to NC 10
p5ych0 (August 26, 2016, 9:31am) #10
Same issue here after manual upgrade to NC 10.
“AllowOverride All” is already set in apache2.conf
Was okay before the upgrade.
Any ideas?
Thanks a lot!
tflidd (August 26, 2016, 11:13am) #11
Can you try and add this to your config:
```apache
<Directory /var/www/nextcloud/data>
Deny from all
</Directory>
```
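Two things decide whether a block like the one above does anything: the `<Directory>` path must be the filesystem path in `datadirectory` from config.php (the path /var/www/nextcloud/data is tflidd's guess; the config.php posted later in this thread uses /home/www/owncloud/data, so the snippet as written would match nothing there), and the deny syntax must fit the Apache version (`Deny from all` is 2.2 syntax and on 2.4 only works when mod_access_compat is loaded; 2.4 uses `Require all denied`). The following added script (not from the thread) reads `datadirectory` from a config.php and emits the matching block for the detected Apache version. The sample config.php inside `demo` is constructed, and the version detection via `apache2ctl`/`apachectl`/`httpd -v` is best effort.

```shell
#!/bin/sh
# Added example (not from the thread): derive the Apache <Directory> deny block
# for the data directory actually configured in config.php. Paths, the Apache
# version string and the sample config below are assumptions/constructed.
set -u

# Extract 'datadirectory' from a Nextcloud config.php; prints nothing if absent.
datadir_from_config() {
    sed -n "s/^[[:space:]]*'datadirectory'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Best-effort Apache version (e.g. 2.4.18); empty if no Apache binary is found.
apache_version() {
    for bin in apache2ctl apachectl httpd; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" -v 2>/dev/null | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p'
            return 0
        fi
    done
    echo ""
}

# Emit a <Directory> block denying all access to $1 using the syntax for the
# Apache version $2 (2.2 needs Order/Deny, 2.4 needs Require; "Deny from all"
# on 2.4 only works when mod_access_compat is loaded).
deny_block() {
    dir=$1 ; ver=$2
    printf '<Directory "%s">\n' "$dir"
    case "$ver" in
        2.2*) printf '    Order deny,allow\n    Deny from all\n' ;;
        *)    printf '    Require all denied\n' ;;
    esac
    printf '</Directory>\n'
}

# Demo on a constructed config.php (not a real instance); $1 overrides the
# Apache version so the output can be checked without Apache installed.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
<?php
$CONFIG = array (
  'datadirectory' => '/home/www/owncloud/data',
  'dbtype' => 'mysql',
);
EOF
    dir=$(datadir_from_config "$cfg")
    rm -f "$cfg"
    deny_block "$dir" "${1:-$(apache_version)}"
}

# Usage against a real instance (paths are placeholders):
#   deny_block "$(datadir_from_config /var/www/nextcloud/config/config.php)" "$(apache_version)"
# Put the output in the vhost (or a conf.d file), then run apachectl configtest and reload.
```

On shared hosting where only .htaccess can be edited (Jacky_B's situation later in the thread), the same directives belong in data/.htaccess instead, and they only take effect if the vhost allows overrides for that path.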
Jacky_B (August 26, 2016, 11:30am) #12
I’m on hosted webspace, Apache
If I enter https://myurl/data/ or https://myurl/data/$username/testfile.txt I get redirected to login (if not logged in) or to file-app (if logged in). So it doesn’t seem to be a security risk to me.
I didn't do any modifications to the apache config, but I could. Will try tflidd's approach later this day…
@tflidd : I added the command to the apache config, but I get the same error message. Nothing changed.
I’ve the same problem after update to NC 10. Debian Jessie and Apache.
@tflidd , I tried adding the new config snippet into my apache conf, but it didn’t do anything either. This was of course after restarting apache and rerunning the Nextcloud cron script.
tflidd (August 26, 2016, 8:08pm) #16
Can you provide all your config files somewhere? Looks like things are not in the right place.
My config.php:
```php
<?php
$CONFIG = array (
  'instanceid' => 'strangenumber',
  'passwordsalt' => 'pepper',
  'secret' => 'nothingtoseehere',
  'trusted_domains' =>
  array (
    0 => 'sub.domain.de',
  ),
  'datadirectory' => '/home/www/owncloud/data',
  'overwrite.cli.url' => 'https://sub.domain.de',
  'dbtype' => 'mysql',
  'version' => '9.1.0.16',
  'dbname' => 'web_db',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'web',
  'dbpassword' => 'secret',
  'logtimezone' => 'UTC',
  'installed' => true,
  'appstore.experimental.enabled' => true,
  'theme' => '',
  'loglevel' => 0,
  'maintenance' => false,
  'htaccess.RewriteBase' => '/',
);
```
Which other files do you think of?
tflidd (August 26, 2016, 8:20pm) #18
No, I meant your apache-stuff.
I’m on a shared hosting service. The admin conf (which I can’t change) is:
```apache
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\" %V" common
ServerTokens ProductOnly
ServerSignature Off
TraceEnable off
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain text/html text/xml
AddOutputFilterByType DEFLATE text/css text/javascript
AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</IfModule>
<IfModule mod_ssl.c>
SSLHonorCipherOrder On
SSLProtocol +ALL -SSLv2 -SSLv3
SSLCipherSuite 256-SHA-KEY
SSLInsecureRenegotiation Off
</IfModule>
LoadModule geoip_module /usr/lib/apache2/modules/mod_geoip.so
<IfModule mod_geoip.c>
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoLiteCity.dat
GeoIPDBFile /usr/share/GeoIP/GeoLiteCity.dat MemoryCache
GeoIPDBFile /usr/share/GeoIP/GeoLiteCity.dat CheckCache
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat MemoryCache
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat CheckCache
GeoIPScanProxyHeaders On
</Ifmodule>
ServerTokens Prod
AddType audio/ogg .oga
AddType video/ogg .ogv
AddType video/mp4 .mp4
AddType video/x-m4v .m4v
AddType application/ogg .ogg
AddType application/x-httpd-php .html
AddType video/quicktime .mov
DirectoryIndex index.html index.htm index.php
Alias /autodiscover/autodiscover.xml /usr/share/autodiscoveroutlook/autodiscover.php
Alias /.well-known/autoconfig/mail/config-v1.1.xml /usr/share/autodiscover/autodiscover.php
```
But I can add some custom code. This is my custom code for the whole domain:
```apache
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
```
tflidd (August 26, 2016, 11:19pm) #20
Hard to say, there is nothing about ownCloud. I think it was recommended to turn gzip compression off for Nextcloud (it did cause some problems), but it's not related to the actual problem. Can you add this to your configuration:
https://docs.nextcloud.com/server/9/admin_manual/installation/source_installation.html#apache-web-server-configuration