Htaccess warning while configuration should be OK

Hello,

I’m having an issue with my .htaccess: I can’t get rid of the warning in the admin page, and my files are accessible from the Internet. Here are the steps to reproduce:

  • Install Nextcloud on fresh Debian Stretch
  • Configure as indicated in documentation (including AllowOverride All in /etc/apache2/apache2.conf)

Expected behaviour:

  • Warning disappears

Actual behaviour:

  • My files are accessible from the internet
  • Warning still present: “Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.”
  • .htaccess in nextcloud and nextcloud/data are owned by www-data:www-data (tried with root:www-data, same issue)
  • I also tried sudo -u www-data php occ maintenance:update:htaccess
  • Should I set config ‘htaccess.RewriteBase’ => ‘/’?
  • I also checked but there’s no “htaccess.txt” file anywhere
  • By the way, I used to follow these instructions to set Strong Directory Permissions: https://docs.nextcloud.com/server/9/admin_manual/installation/installation_wizard.html#strong-perms-label I don’t see this in the documentation for NC12: do I no longer need to do that to change .htaccess permissions? For the moment, my whole nextcloud folder is owned by www-data:www-data

My server configuration:

    Debian GNU/Linux 9.1 (stretch)
    Server version: Apache/2.4.25 (Debian) - Server built: 2017-07-18T18:37:33
    PHP 7.0.19-1 (cli) (built: May 11 2017 14:04:47) ( NTS )
    mariadb Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
    Nextcloud version 12.0.2 - installed: true - version: 12.0.2.0 - versionstring: 12.0.2
  • Updated from an older Nextcloud/ownCloud or fresh install: fresh install
  • Where did you install Nextcloud from: Nextcloud website (zip)
  • Signing status: No errors have been found.
  • List of activated apps: Fresh install
  • Nextcloud configuration:
    Config report
{
"system": {
"instanceid": "xxxx",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"192.168.0.40",
"nextcloud.website.com"
],
"datadirectory": "/var/www/html/nextcloud/data",
"overwrite.cli.url": "https://nextcloud.website.com",
"dbtype": "mysql",
"version": "12.0.2.0",
"dbname": "nextcloud",
"dbhost": "localhost",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true
}
}

data/.htaccess content

# Generated by Nextcloud on 2017-08-25 23:18:20
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

Are you using external storage, if yes which one: no
Are you using encryption: no

For info, my nextcloud.conf:

# opening tag was missing from the post; *:80 assumed, since this vhost only redirects to https
<VirtualHost *:80>
DocumentRoot /var/www/html/nextcloud
ServerName nextcloud.website.com

<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
#Options MultiViews FollowSymlinks
AllowOverride All

<IfModule mod_dav.c>
Dav off
</IfModule>

#Order allow,deny
#Allow from all

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud

Satisfy Any

</Directory>

TransferLog /var/log/apache2/nextcloud_access.log
ErrorLog /var/log/apache2/nextcloud_error.log

RewriteEngine on
RewriteCond %{SERVER_NAME} =nextcloud.website.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

And my nextcloud-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

DocumentRoot /var/www/html/nextcloud
ServerName nextcloud.website.com

<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
#Options MultiViews FollowSymlinks
AllowOverride All

<IfModule mod_dav.c>
Dav off
</IfModule>

#Order allow,deny
#Allow from all

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud

Satisfy Any

</Directory>

TransferLog /var/log/apache2/nextcloud_access.log
ErrorLog /var/log/apache2/nextcloud_error.log

SSLCertificateFile /etc/letsencrypt/live/nextcloud.website.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.website.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

</VirtualHost>

</IfModule>

And my apache2.conf file:

DefaultRuntimeDir ${APACHE_RUN_DIR}

PidFile ${APACHE_PID_FILE}

Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf

You see the warning for the data folder; did you check yourself whether you can access files?

https://nextcloud.website.com/data/myuser/files/… (this is the root folder of myuser, just try a file you know exists in his folder).

If you don’t want to continue debugging this .htaccess stuff for the data folder, you could just deny access via the apache configuration instead of .htaccess:

<Directory /var/www/nextcloud/data>
        AllowOverride None
        Require all denied
</Directory>

You can still use them; however, they are not compatible with the updater, which was the reason it was removed. During the update, you need to make all files readable/writable for the web user so that old files can be removed and replaced by the new code.

2 Likes

Thank you very much for your quick reply @tflidd

Yes, these files are accessible (I edited my message above to make this clear)

I tried this: I added your block into my /etc/apache2/apache2.conf and then ran sudo service apache2 reload, but my files are still accessible :frowning:

Would you have other ideas? Is it possible that it’s related to Debian stretch? Thank you again for your support.

In order to complete my configuration, here are my apache modules installed (result of sudo apache2ctl -M)

 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

And the php modules installed (result of php -m):

apc apcu bz2 calendar Core ctype curl date dom exif fileinfo filter ftp gd gettext hash iconv imagick intl json libxml mbstring mcrypt mysqli mysqlnd openssl pcntl pcre PDO pdo_mysql Phar posix readline Reflection Reflection session session shmop shmop SimpleXML SimpleXML sockets sockets SPL SPL standard standard sysvmsg sysvmsg sysvsem sysvsem sysvshm sysvshm tokenizer tokenizer wddx wddx xml xmlreader xmlwriter xsl Zend OPcache zip zlib

Are you sure you are editing the correct files and that you don’t have another config file that overrides the one you are editing (you can put errors into your config on purpose to find out if you are editing the correct file)? Or did you install nginx and apache, and nginx is running on the default ports?

Thank you @tflidd

I did not install nginx.

And the files I’m editing are

/etc/apache2/apache2.conf
/etc/apache2/sites-available/nextcloud-le-ssl.conf
/etc/apache2/sites-available/nextcloud.conf

There are 2 other files in /etc/apache2/sites-available/:

000-default.conf 
default-ssl.conf

But they are not in /etc/apache2/sites-enabled

What kind of error could I put in my config (in which file?) and how should I find out if it has an impact?

This is also configuring an SSL VHost, therefore nextcloud-le-ssl.conf is probably ignored.
You can disable it:
a2dissite default-ssl
and restart apache. In case something goes wrong, you can enable it again:
a2ensite default-ssl

I get this answer:
Site default-ssl already disabled

@tflidd: for information, I have a certificate from let’s encrypt, and my Firefox accepts the certificate. Does it mean that my nextcloud-le-ssl.conf is taken into account?

I also tried to delete default-ssl.conf and 000-default.conf. No improvement :frowning:

What kind of error could I put in my config (in which file?) and how should I find out if it has an impact?

I found a solution, but I don’t understand why it was so important: I commented out the line Satisfy Any and reloaded Apache, and the access to my files from the internet was gone.

But why was it wrong? It is advised here: https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html

Should I maintain it? Is it the sign of another issue?

Thank you again for your help

Only if you use authentication on a parent folder. And it is not part of the default configuration.

But it should also not break apache access permissions, should it?

I can’t tell you straight away. Satisfy with any allows you to either grant access through authentication or host name.
https://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html#satisfy

Now, it could be that if you haven’t specified any host from which you allow access, it is everybody by default and you completely bypass authentication.

Hmm, I will play around a bit later. If that is true, this directive is, for me, dangerous in the admin manual the way it is there. It sounds more like it would bypass (additional) webserver folder authentication and, if that is not the case, would just do nothing.

I agree with @MichaIng: I’m really not a pro at server admin (Nextcloud is for home use in my case). So I don’t understand all the consequences precisely. And this option Satisfy Any is very dangerous for me :frowning:

Thank you @tflidd. For information, I don’t use authentication on a parent folder.

Hello @MichaIng, were you able to play around with this issue? Thank you

Yeah, just tested the following with Satisfy Any inside the nextcloud apache config:

  • Actually my data directory is outside of the nextcloud folder on an external drive, so in my case there is no security issue with this.
  • But some script created an (unused) data directory in my nextcloud folder, and a recent occ maintenance:update:htaccess created the /nextcloud/data/.htaccess file, which is/should be perfectly in use, since AllowOverride All is in place and redirection to pretty URLs + file upload size work perfectly well via /nextcloud/.htaccess.
  • I created a test file /nextcloud/data/<user>/test besides the already existing /nextcloud/data/index.html.
  • Actually pretty URLs redirect all access attempts to the test file to the nextcloud base URL (but /data/index.html IS indeed accessible!), so I disabled pretty URLs inside /nextcloud/.htaccess, which by the way cannot influence access rights to /nextcloud/data/ with its own .htaccess file.
  • Afterwards I WAS able to access and read the test file inside the browser!! Crazy shit!
  • Next I removed Satisfy Any from the nextcloud apache config, and access attempts to the test file as well as index.html got answered with “Access forbidden” as they should be.

Just to answer every doubt, /data/.htaccess looks like this:

# Generated by Nextcloud on 2017-06-02 11:21:34
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

“Require all denied” seems to be without effect if “Satisfy Any” is set. I use apache 2.4.25 btw.

From my point of view this is a huge security issue, as the admin manual more or less recommends this setting if you don’t know about parent folder authentication that might be there. The hint should be completely removed from the admin manual. Even a big red warning about this, if the data directory is inside nextcloud (which is the default), is not enough from my point of view. If one really uses parent directory authentication, one would know it, has to move nextcloud to a different location or whatever, but “Satisfy Any” really breaks every permissions attempt by Nextcloud’s .htaccess. Even though the admin manual gives a warning about accessible data, if users don’t find the reason and instead find .htaccess working perfectly fine, they could ignore it. Also the warning does not clearly say that files ARE accessible, just that they MIGHT BE, which is also no good solution in my opinion.

I will directly open a github issue about this! Crazy that nobody found it so far, as it is so easily reproducible :angry:.

2 Likes

It should be more precise in the documentation. Did you test how it works if you use a different authentication for the parent folder? Even if that works, it’s probably not the main use case, and someone just applying all these rules can make his setup vulnerable.

If you want, you can directly prepare a fix for the documentation and create a pull request in https://github.com/nextcloud/documentation

This should indeed be tested. I will try to test this. Have to find out first how to actually set apache folder authentication :slight_smile:.
Let’s see how the guys on github deal with this in between. If things are clear enough I will create the doc pull request.

@sisim @tflidd as it can be found also on the github issue:

For me it worked as a solution (if you really need Satisfy Any for the mentioned use case) to add Satisfy All also to the Apache 2.4 part of nextcloud/data/.htaccess so that it looks like this:

# Generated by Nextcloud on 2017-06-02 11:21:34
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
Satisfy All
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

That way, for the data subdirectory, Satisfy Any will be overwritten also in the case of Apache 2.4 (I conclude this should be tested by test module appearance?) and thus direct access will be blocked… at least for me this worked :laughing:. Further knowledge and/or testing are of course welcome. Also I don’t know if Satisfy Any also has some vulnerability for the nextcloud folder itself? But there anyway everything is/should be accessible, right?
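A small POSIX shell audit for the pitfall worked out above, added here as an example and not taken from the thread or from Nextcloud: it scans an Apache config tree for an active Satisfy Any and checks that data/.htaccess carries both Require all denied and Satisfy All on the path Apache 2.4 actually evaluates (the 2.2-only <IfModule !mod_authz_core.c> block is skipped). The sample config tree is constructed inline from the thread’s own snippets; the function names, paths and file names are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the thread): find an active "Satisfy Any" in the
# Apache config and verify that data/.htaccess still denies access on Apache 2.4.

# Print the directives of $1 that Apache 2.4 evaluates, i.e. drop the
# <IfModule !mod_authz_core.c> block, which only Apache 2.2 honours.
active_24() {
    awk 'tolower($0) ~ /^[ \t]*<ifmodule[ \t]+!mod_authz_core\.c>/ { skip = 1; next }
         skip && tolower($0) ~ /^[ \t]*<\/ifmodule>/ { skip = 0; next }
         !skip { print }' "$1"
}

# $1 = Apache config dir, $2 = Nextcloud data dir. Prints one WARN line per
# finding and returns the number of findings (0 means the checks passed).
audit_satisfy_any() {
    problems=0
    for f in $(find "$1" -type f -name '*.conf'); do
        # Anchored at line start, so "#Satisfy Any" comments do not match.
        if grep -Eiq '^[[:space:]]*Satisfy[[:space:]]+Any' "$f"; then
            echo "WARN: $f sets 'Satisfy Any' (the thread shows it defeating 'Require all denied' in data/.htaccess)"
            problems=$((problems + 1))
        fi
    done
    ht="$2/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "WARN: $ht is missing"; problems=$((problems + 1))
    else
        active_24 "$ht" | grep -Eiq '^[[:space:]]*Require[[:space:]]+all[[:space:]]+denied' \
            || { echo "WARN: $ht lacks 'Require all denied' for Apache 2.4"; problems=$((problems + 1)); }
        active_24 "$ht" | grep -Eiq '^[[:space:]]*Satisfy[[:space:]]+All' \
            || { echo "WARN: $ht lacks 'Satisfy All' in its Apache 2.4 block"; problems=$((problems + 1)); }
    fi
    return "$problems"
}

# Constructed sample tree mirroring the thread: a vhost with "Satisfy Any" and the
# stock data/.htaccess, whose "Satisfy All" sits only in the Apache 2.2 block.
make_sample() {
    mkdir -p "$1/conf" "$1/data"
    printf '<Directory /var/www/html/nextcloud/>\nAllowOverride All\nSatisfy Any\n</Directory>\n' \
        > "$1/conf/nextcloud.conf"
    printf '<ifModule mod_authz_core.c>\nRequire all denied\n</ifModule>\n<ifModule !mod_authz_core.c>\ndeny from all\nSatisfy All\n</ifModule>\n' \
        > "$1/data/.htaccess"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_satisfy_any "$sample/conf" "$sample/data" || echo "$? problem(s) found"   # 2 with the stock files
```

Note that the Directory block suggested earlier in the thread names /var/www/nextcloud/data, while the reporter’s data directory is /var/www/html/nextcloud/data; a Directory path that does not match the real one has no effect, which may be why adding it changed nothing.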