Hello,
I’m having an issue with my .htaccess, I can’t get rid of the warning in the admin page, and my files are accessible from the Internet. Here are the steps to reproduce
- Install Nextcloud on fresh Debian Stretch
- Configure as indicated in documentation (including AllowOverride All in /etc/apache2/apache2.conf)
Expected behaviour:
- Warning disappears
Actual behaviour:
- My files are accessible from the internet
- Warning still present: “Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.”
- .htaccess in nextcloud and nextcloud/data are owned by www-data:www-data (tried with root:www-data, same issue)
- I also tried sudo -u www-data php occ maintenance:update:htaccess
- Should I set config ‘htaccess.RewriteBase’ => ‘/’, ??
- I also checked but there’s no “htaccess.txt” file anywhere
- By the way, I used to follow these instructions to set Strong Directory Permissions : https://docs.nextcloud.com/server/9/admin_manual/installation/installation_wizard.html#strong-perms-label I don’t see this in the documentation for NC12: I don’t need to do that anymore to change .htaccess permissions? For the moment, all my nextcloud folder is owned by www-data:www-data
My server configuration:
Debian GNU/Linux 9.1 (stretch)
Server version: Apache/2.4.25 (Debian) - Server built: 2017-07-18T18:37:33
PHP 7.0.19-1 (cli) (built: May 11 2017 14:04:47) ( NTS )
mariadb Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
Nextcloud version 12.0.2 - installed: true - version: 12.0.2.0 - versionstring: 12.0.2
- Updated from an older Nextcloud/ownCloud or fresh install: fresh install
- Where did you install Nextcloud from: Nextcloud website (zip)
- Signing status: No errors have been found.
- List of activated apps: Fresh install
- Nextcloud configuration:
Config report
{
"system": {
"instanceid": "xxxx",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"192.168.0.40",
"nextcloud.website.com"
],
"datadirectory": "/var/www/html/nextcloud/data",
"overwrite.cli.url": "https://nextcloud.website.com",
"dbtype": "mysql",
"version": "12.0.2.0",
"dbname": "nextcloud",
"dbhost": "localhost",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true
}
}
data/.htaccess content
# Generated by Nextcloud on 2017-08-25 23:18:20
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>
# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>
Are you using external storage, if yes which one: no
Are you using encryption: no
For info : my nextcloud.conf
DocumentRoot /var/www/html/nextcloud
ServerName nextcloud.website.com
<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
#Options MultiViews FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
#Order allow,deny
#Allow from all
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
Satisfy Any
</Directory>
TransferLog /var/log/apache2/nextcloud_access.log
ErrorLog /var/log/apache2/nextcloud_error.log
RewriteEngine on
RewriteCond %{SERVER_NAME} =nextcloud.website.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
And my nextcloud-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html/nextcloud
ServerName nextcloud.website.com
<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
#Options MultiViews FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
#Order allow,deny
#Allow from all
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
Satisfy Any
</Directory>
TransferLog /var/log/apache2/nextcloud_access.log
ErrorLog /var/log/apache2/nextcloud_error.log
SSLCertificateFile /etc/letsencrypt/live/nextcloud.website.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.website.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>
</IfModule>
And my apache2.conf file:
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf