Is it safe to use /var/www/html/data as data directory?

This is a general question regarding the official docker image.

I set up a Nextcloud instance using the official image and docker-compose. Everything works fine and I’m very thankful for this easy method of setting up Nextcloud!

I read the page entitled "Hardening and security guidance" in the docs and it says:

It is highly recommended to place your data directory outside of the Web root (i.e. outside of /var/www).

Interestingly, the official docker image does it like that by default. My question now is: Is this even secure or do I have to change it or something (which is not so easy due to the directory permissions within the container)? Keep in mind that I’m talking about the location within the container (which is exposed to the public (in my case) using a traefik reverse-proxy).

Hi Fabian!

I can’t talk on behalf of the decision to include the data directory in the official docker image, but on a general basis I would assume that any misconfiguration on a webserver (apache/nginx/++) may be more likely to expose the data folder, compared to if it is not located in the webroot.

Docker is often more controlled and more strict when it comes to config, and perhaps it is properly configured and tested - meaning it doesn’t pose a huge risk doing that there.

That is just what I would assume based on my knowledge, but please take it with a grain of salt in case I am wrong 🙂