Is the default configuration of Nextcloud secure enough?

Hello Nextcloud developers and users,

By default* Nextcloud uses the directory /var/www/html/data for storing the data and the file /var/www/html/config/config.php for storing the Nextcloud configuration (including important passwords!). Both locations are part of the DocumentRoot of Apache and therefore public.

* By default I mean on Red Hat Enterprise Linux (RHEL).

My question
Is this default configuration secure enough?

Shouldn’t the data directory and the configuration file be placed outside of the DocumentRoot?
Or maybe even better: everything except a PHP index file?

Regards.

Hi @Scott-Trakker

First of all I am not a security expert and other users may be able to give you more detailed information… But I can say at least the following…

If you have configured Apache according to the official documentation, and therefore the rewrite module is active (a2enmod rewrite) and the Require all granted and AllowOverride All directives are set, your data and config folders should not be publicly accessible. If this for some reason is the case, check your Apache configuration and the .htaccess file in your Nextcloud folder.

As for the database password in the config.php: You can further minimize the risk by making the database only accessible to localhost. That’s the default setting if you have set up MariaDB with the mysql_secure_installation script.

For additional security you can of course take further measures. Placing the data folder outside the webroot is one of the common ones, and as far as I know even recommended by Nextcloud. See also…

https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html

Hope that helps

1 Like
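
A static check of the conditions listed in the answer above, as an added example that is not part of the original posts or of Nextcloud: it reads 'datadirectory' from config.php, tests whether that path lies under the DocumentRoot, and confirms that the .htaccess files exist and that AllowOverride All applies to the folder. The function names, the single Apache config file and the sample tree are assumptions constructed for illustration; paths are taken as absolute and already normalised.

```bash
#!/usr/bin/env bash
# Added example (not Nextcloud code): static check of the points in the answer above.
# Assumes a stock install where config/.htaccess and data/.htaccess protect the folders.

datadir_from_config() {   # $1 = config.php; prints the 'datadirectory' value
    sed -n "s/^[[:space:]]*'datadirectory'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

under_docroot() {         # $1 = absolute path, $2 = DocumentRoot; prints inside|outside
    case "${1%/}/" in "${2%/}"/*) echo inside ;; *) echo outside ;; esac
}

allowoverride_for() {     # $1 = httpd config file, $2 = directory; prints AllowOverride value
    awk -v dir="${2%/}" '
        tolower($1) == "<directory"   { p = $2; gsub(/[">]/, "", p); sub(/\/$/, "", p); hit = (p == dir) }
        tolower($1) == "</directory>" { hit = 0 }
        hit && tolower($1) == "allowoverride" { print $2 }' "$1"
}

audit_nextcloud() {       # $1 = DocumentRoot holding Nextcloud, $2 = httpd config; returns #findings
    local nc="${1%/}" conf="$2" datadir n=0
    datadir=$(datadir_from_config "$nc/config/config.php")
    if [ "$(under_docroot "$datadir" "$nc")" = inside ]; then
        echo "INFO data directory is inside the DocumentRoot and depends on .htaccess"
        [ -f "$datadir/.htaccess" ] || { echo "FAIL $datadir/.htaccess is missing"; n=$((n+1)); }
    fi
    [ -f "$nc/config/.htaccess" ] || { echo "FAIL $nc/config/.htaccess is missing"; n=$((n+1)); }
    [ "$(allowoverride_for "$conf" "$nc")" = All ] ||
        { echo "FAIL AllowOverride is not All for $nc, so .htaccess files are ignored"; n=$((n+1)); }
    return "$n"
}

make_sample() {           # $1 = AllowOverride value; builds a CONSTRUCTED tree, prints its path
    local t; t=$(mktemp -d); mkdir -p "$t/html/config" "$t/html/data"
    touch "$t/html/config/.htaccess" "$t/html/data/.htaccess"
    printf "<?php\n\$CONFIG = array (\n  'datadirectory' => '%s/html/data',\n);\n" "$t" > "$t/html/config/config.php"
    printf '<Directory "%s/html/">\n  Require all granted\n  AllowOverride %s\n</Directory>\n' "$t" "$1" > "$t/nextcloud.conf"
    echo "$t"
}

s=$(make_sample None)     # weak variant: .htaccess protection is switched off
audit_nextcloud "$s/html" "$s/nextcloud.conf" || echo "findings: $?"
rm -rf "$s"
```

On a real server, pass audit_nextcloud the Nextcloud directory and the Apache configuration file that contains its Directory block. The check does not follow Include directives or merge several blocks, so a clean result still needs confirming with a request to the data folder from another machine.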

That is not an easy question to answer.
Nextcloud is an application. The code is as safe as you can reasonably expect and not much is different between the community version and the enterprise version. In fact they are the same.

However, a working Nextcloud instance is more than what is provided by Nextcloud. It is dependent on middleware components, the network layer and the operating system. Each of these needs to be configured and optimised for security to stay reasonably safe.

In regards to config and PHP files, any PHP file except the OCC is meant to be reachable. However, some can only be read/executed if you are authenticated and others only if you are a specific user. The config file is placed under a subfolder, which cannot be browsed from a browser if you have followed the recommended setup of your webserver. Using PHP-FPM can add a little bit of extra security to your setup, as then it is not the webserver or any webserver module which reads or executes the backend files, but instead the PHP-FPM daemon.
Truth be told, no matter where in your server's filesystem you place a file, if it is needed by the backend application, it is reachable by the webserver or PHP-FPM engine.

Follow best practices and almost any popular installation and configuration guides, and you are reasonably secured. There are some guides that go to the extreme for security as well.


@bb77: thank you for your elaborate answer!

The directives Require all granted and AllowOverride All are set, but I’m not sure if mod_rewrite is enabled so that’s something I will have to check!

I secured the database with mysql_secure_installation so I guess that’s fine too.
I’m running Red Hat Enterprise Linux so SELinux is turned on by default.

I’m not a security specialist so I guess I just have to trust the rest of the default settings of Nextcloud. Moving the files to a directory outside the DocumentRoot is recommended but not really necessary?

I followed all the steps as described on the page Example installation on CentOS 8.


Update

Command
httpd -M | grep rewrite

Result
rewrite_module (shared)

Yes, it gets loaded!

@Kerasit: thank you for your elaborate and clear answer!

I followed the steps as described on the page Example installation on CentOS 8 so I guess it’s safe enough by default.

If keeping all the Nextcloud files in the DocumentRoot is safe enough, I will keep them there.
But if that’s not the case I think they should change the documentation. Moving the files after the installation is not supported as I read here somewhere on the website.

Good. 🙂

Yes you can manually move files, but it is not an easy task. But it is possible.
The more services you have to smooth and enhance Nextcloud (Files Antivirus, Redis, etc.), the more cumbersome and huge the task will become.
