How secure is config.php file from prying eyes?

Just a question, not an issue.

I just moved my data directory out of web root as was recommended to improve security. However, config.php is still in web root and there is information in that file that I would be concerned about if it were accessed.

How secure is that file? If it is simply permission management, what are the right permissions for that file for proper NC operation but to prevent unauthorized access? Or am I just paranoid?

This depends on how secure your hosting setup is. As a general rule, PHP files should never be downloadable from the web. For Nextcloud, the entire config/ folder should be protected from direct access.

I’d say that is a common PHP issue: you can just drop a file into a folder. This makes it super easy for beginners but very hard to harden correctly for advanced use cases. I’d probably think about the scenario where your config.php leaks in plain text.

What can you do to prevent damage? For instance, don’t make your webserver accessible to the internet but run it on localhost only or on a system which is only connected to your webserver.

@BernhardPosselt, I need to have my server accessible to the internet. My setup is an Ubuntu 16.04 server with Virtualbox running 3 Ubuntu 16.04 virtual servers. One is a mail server, one is serving web pages, and the third hosts Nextcloud. All are configured to require https.

So based on your comment, in which cases might config.php leak in plain text? And I am a beginner and while I absolutely wouldn’t say “super easy”, there is enough support via the web that I feel confident in what I’ve put together. I just can’t be overconfident with security as individuals will be trusting me with their personal information, with Nextcloud as the platform to exchange that information. If I enable server side encryption, does that add an additional layer of security, or does it not affect config.php?

@grouchysysadmin, how could I protect my config folder from direct access?

Sorry if these are basic or stupid questions, as I said, I am a beginner who has learned just enough to be dangerous. I’m pretty comfortable with the email server and web server, but when it comes to putting someone’s social security number into Nextcloud, I need more eyes than just my own.

You need more than that. The storage of PII, like social security numbers, requires specific qualifications to avoid legal and ethical issues. My strong advice is to not do that until you have provable experience in building and maintaining secure infrastructure.

To answer your questions directly,

Server side encryption does nothing to protect your locally stored data. The encryption keys are also stored server side, thus negating any kind of security.

Blocking access to specific folders can be handled at the web server level. Here is an Nginx example:

    # Deny access to the following folders
    location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

It’s just an example. A production configuration has a lot more. The documentation at https://docs.nextcloud.com/server/10/admin_manual/installation/source_installation.html is helpful.
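A self-audit built around the Nginx rule in the reply above, added here as an example and not part of the original thread or of Nextcloud's own tooling. The function names, the install path and the host name in the usage comment are hypothetical, and treating any permission bit for "other" on config.php as a finding is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): checks an admin can run on their own server.

# Same pattern as the Nginx location rule quoted in the thread.
DENY_RE='^/(build|tests|config|lib|3rdparty|templates|data)/'

# 0 if the rule would match this request path, 1 if not.
# The pattern is anchored at the web root, so an install under a
# sub-path such as /nextcloud/ is NOT covered by the rule as written.
path_denied() {
    printf '%s\n' "$1" | grep -Eq "$DENY_RE"
}

# 0 if "other" has no permission bits on the file, 1 if it does, 2 on error.
# Uses GNU stat, as shipped with Ubuntu.
config_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    other=${mode#"${mode%?}"}        # last octal digit of the mode
    [ "$other" = 0 ]
}

# 0 if the HTTP status shows the server refused to serve the path.
status_is_blocked() {
    case "$1" in
        403|404) return 0 ;;
        *)       return 1 ;;
    esac
}

# Request every location the rule should cover and print one line per path.
# Returns 1 if anything was answered with a status other than 403/404.
# A 200 on a .php path may be executed PHP rather than leaked source,
# but it still means the deny rule is not being applied.
probe_protected_paths() {
    base=${1%/}; rc=0
    for p in build/ tests/ config/ config/config.php lib/ 3rdparty/ templates/ data/; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$p")
        if status_is_blocked "$code"; then
            echo "ok      $code /$p"
        else
            echo "REVIEW  $code /$p"; rc=1
        fi
    done
    return $rc
}

# Usage (hypothetical path and host):
#   config_mode_ok /var/www/nextcloud/config/config.php || echo "config.php has bits set for other"
#   probe_protected_paths https://cloud.example.com
```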

Cases where your config.php can be leaked mostly boil down to server misconfiguration, remote code execution and file inclusion (e.g. through XXE).

The latter two are often lesser-known security vulnerabilities, which is why I would be cautious when installing apps.

PS: just recently the demo insurance source was readable in plain text because of a DDoS attack. Don’t ask me how that worked, I don’t know it myself.

In terms of server configuration, you should run your database with a socket connection so that you can’t access your database via network connections. So even with a MySQL password, the attacker would need to execute code as the webserver user (put an additional password on phpMyAdmin and other tools).

One important thing with security vulnerabilities is also to keep your system and Nextcloud up to date (you don’t need the newest branch of Nextcloud but always the latest release, e.g. it is fine to run OC 9.0.54).