.htaccess is exposed to the internet?

Hello :),
Nextcloud version : nextcloud-11.0.2
Operating system and version (eg, Ubuntu 16.04): Mint 18.1 64 bits
Apache or nginx version (eg, Apache 2.4.25): apache 2.4.18-2ubuntu3.1
PHP version (eg, 5.6): libapache2-mod-php7.0 / 7.0.15-0ubuntu0.16.04.4

Is this the first time you’ve seen this error and can you replicate it?: yes

The issue you are facing: When creating a fresh install, the .htaccess is exposed to the internet (according to owncloud install wizard)? But it is not? Bogus notice?

This is how far i have come. There is no indication that the file is exposed to the internet.

This script is used to get the right permissions and the files are copy and pasted so no changes in between. Wizard is not run yet.


printf "Creating possible missing Directories\n"
mkdir -p $ocpath/data
mkdir -p $ocpath/updater

printf "chmod Files and Directories\n"
find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750

printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ocpath}/
chown -R ${htuser}:${htgroup} ${ocpath}/apps/
chown -R ${htuser}:${htgroup} ${ocpath}/config/
chown -R ${htuser}:${htgroup} ${ocpath}/data/
chown -R ${htuser}:${htgroup} ${ocpath}/themes/
chown -R ${htuser}:${htgroup} ${ocpath}/updater/

chmod +x ${ocpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ocpath}/.htaccess ]
  chmod 0644 ${ocpath}/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/.htaccess
if [ -f ${ocpath}/data/.htaccess ]
  chmod 0644 ${ocpath}/data/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/data/.htaccess

Thanks for the help in advance :slight_smile:

You can try on your browser or via curl/wget to download .htaccess yourself. Most webserver setups have a default rule that deny access to such files (/etc/apache2/apache.conf):

<FilesMatch "^\.ht">
        Require all denied

This is strange because this was never an issue. In the past I forgot to copy/paste the file but now everything I try is a negative result.

When I push forward on it then I complete the wizard and the notification is gone. No security warning what so ever. Maybe a bug in the new version for new/fresh installs?

Can you manually try in your browser if you can access the .htaccess file (https://youserver.com/nextcloud/.htaccess)? Or with wget or curl?


Sorry for the late answer but I did try localhost which give me a 403 error.

Using my external IP I got nothing. It tries to reach the page but it can’t.

It would lead to a time-out and a message stating that it has a problem.