Is removing localhost from trusted domains a real solution for false ".htaccess file is not working" error message?

Nextcloud version: 29.0.1.1

The issue you are facing:
Since the upgrade to version 29, I was getting this error message in “Security & setup warnings”:

There are some errors regarding your setup.

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

So I made sure that my files are not actually accessible from the internet and my webhoster confirmed that mod_env is loaded in apache2, so the issue had to be somewhere else. This post proposed to remove localhost from trusted domains in /config/config.php and it works, the error message is gone!

BUT: is this just preventing the test from working properly or is it a true fix?
I have no idea what localhost does, but it is still part of the Default config.php Examples of the latest documentation, so I suppose it is actually meant to be there?

config.php file prior to the change:

<?php
$CONFIG = array (
  'passwordsalt' => 'xxxx',
  'secret' => 'xxxx',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'nextcloud.domain.com',
  ),
  'datadirectory' => '/foo/bar/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '29.0.1.1',
  'overwrite.cli.url' => 'http://nextcloud.domain.com',
  'dbname' => 'xxxx',
  'dbhost' => '127.0.0.1:xxxx',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxxx',
  'dbpassword' => 'xxxx',
  'installed' => true,
  'instanceid' => 'xxxx',
  'htaccess.RewriteBase' => '/',
  'appstoreenabled' => true,
  'logtimezone' => 'xxxx',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'updatechecker' => false,
  'updater.release.channel' => 'stable',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'mail_domain' => 'domain.com',
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'xxxx',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'xxxx',
  'mail_smtppassword' => 'xxxx',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpport' => '465',
);

Anybody knows the answer?

Well, is your data folder accessible from the internet?

If not, you’re fine, and you probably were fine before.

I’m not sure why it’s there, but I’ve been running Nextcloud without it for years and never had a problem because it wasn’t there. So I’d say you’ll be fine without it.


No, that was the first test of course, but I don’t know what I don’t know - perhaps there are other ways to access the files that nextcloud recognized or it has a bug handling the localhost url (sounds like it here, referring to 29.0.2 with some indication that it might be fixed in a newer version, but maybe I am misunderstanding something).
At least in 29.0.3 the “Your data directory and files are probably accessible from the internet. The .htaccess file is not working...” error is still only displayed if localhost is in the list of trusted domains. Also changing the order of trusted domains did not prevent the error.

If I remove localhost now without knowing what it does, I might run into problems in the future. But you may be right, localhost also was in the documentation of much older versions, so it doesn’t seem to be something that is specifically required for new features and may not be all that important for typical use.

Still, it seems to be a workaround at best, not a solution.

To be honest, I can’t explain how this check works. All I know is that the check has changed since NC29, but also that I never got this error message and never had localhost in my config.php.

I’ve also never seen a tutorial that includes localhost, and I don’t know why you would include it in the first place. Maybe it was or will be added if you install Nextcloud without explicitly specifying a trusted domain, or if you run the initial setup via the web installer and add localhost as a URL there. Or certain appliances or installation scripts like NextcloudPi or the official VM include it because, I don’t know, people might install a desktop environment on their “servers” or install Nextcloud on their desktop PCs and then want to access it from the same machine they installed Nextcloud on via http://localhost…?

Either way, I’m pretty sure you don’t need localhost in your config.php if you use an FQDN like cloud.domain.tld and DNS is configured properly so that the FQDN can be resolved correctly from everywhere, which probably should include adding the FQDN to the /etc/hosts file on the Nextcloud server itself.

So I’d say that if anything can be called a “workaround” in this context, it would be the addition of localhost to the config.php, not its removal :wink:


Thanks bb77!
Using the webinstaller instead of the old one-click-installer of my webhoster, localhost is not included in the list of trusted domains in my new config.php

It seems that removing localhost from the trusted domains in config.php would only be an issue if one wants to access the server locally, and even then, according to Installation wizard — Nextcloud latest Administration Manual latest documentation: "The loopback address, 127.0.0.1, is automatically whitelisted, so as long as you have access to the physical server you can always log in".

So to sum it up (based on my limited understanding):
localhost in the list of trusted domains in config.php:

  • should not cause issues, but in nextcloud 29, it does
  • causes nextcloud to falsely claim that “the .htaccess file is not working”
  • can be removed from the list without causing issues for most use cases
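
The question raised earlier in the thread, whether the data folder is actually reachable from the internet, can be answered independently of the setup warning. The following is an added example, not code from the thread or from Nextcloud: it requests marker files over HTTP and reports any that the web server hands out. The `/data/` URL path, the probe file names and the helper names `audit`, `classify` and `http_status` are assumptions to adjust to your own install.

```python
import sys
import urllib.error
import urllib.request

# Assumed defaults: data directory served under /data/ and these files inside it.
PROBE_PATHS = ["data/.ocdata", "data/nextcloud.log"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as-is so a redirect to the login page is not read as 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=10):
    """GET url and return its status code, or None if the host is unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx answers land here
        return err.code
    except OSError:  # DNS failure, refused connection, timeout
        return None


def classify(status):
    """Only a 2xx answer means the web server handed out the file."""
    if status is None:
        return "unreachable"
    if 200 <= status < 300:
        return "EXPOSED"
    return "redirected" if 300 <= status < 400 else "blocked"


def audit(base_url, paths=PROBE_PATHS, fetch=http_status):
    """Map each probe path to its classification for one instance."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(fetch(base + path)) for path in paths}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_datadir.py https://your.nextcloud.fqdn")
    report = audit(sys.argv[1])
    for path, verdict in report.items():
        print(f"{verdict:12} {path}")
    sys.exit(1 if "EXPOSED" in report.values() else 0)
```

Run it from a machine outside your own network against the public FQDN of your instance; a non-zero exit status means at least one probe file was served.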