Is there a safe and reliable way to move data directory out of web root?

dahumph,

Without the database edit the new disk is not being used.

Redo rsync, edit db, rename original data folder to be sure - you can delete it later.

Maybe we can move this to howto, as still questions about that appear. Or ah, I will collect all information here and write some howto the next hour. About symlink, which seems to be an easy alternative solution: How to enable symlink support for webservers or be sure that they’re supported?
€: Okay for apache it’s simply:

    <Directory />
            ...
            Options +FollowSymlinks
            ...
    </Directory>

as given in the recommended nextcloud.conf.

Is there something that needs to be done for nginx?

€: Howto done: HowTo: Change / Move data directory after installation
Input/Fixes welcome, and I will add the steps for mysql later and perhaps steps for nginx and other databases.

2 Likes

But be aware, symlinks are handled like they are in your webroot.
There is no difference between:

  1. /var/www/nextcloud/data/yourSecretFile
  2. /var/www/nextcloud/[symlink to /your/new/nextcloud/datadirectory]/yourSecretFile

There is no need to move your /data directory out of your webroot, if you symlink it.

Though that doesn’t matter if your move is based on storage requirements rather than security.
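The point made above, that a symlinked data directory is still served through the web root, can be checked on a host. This is an added example, not part of any post in the thread or of Nextcloud itself; the function name `data_exposure` is hypothetical and it assumes GNU `readlink -f` and `find`.

```bash
# Added example: classify how a data directory relates to the web root.
# Usage: data_exposure WEBROOT DATADIR
# Prints "inside", "symlinked:<link>" or "outside"; returns 2 on bad input.
data_exposure() {
    webroot=$(readlink -f -- "$1") && [ -d "$webroot" ] || return 2
    datadir=$(readlink -f -- "$2") && [ -d "$datadir" ] || return 2

    # Case 1: the resolved data directory is the web root or lies below it.
    case "$datadir/" in
        "$webroot"/*) echo "inside"; return 0 ;;
    esac

    # Case 2: a symlink below the web root resolves to the data directory or to
    # one of its parents, so a URL path through the link reaches the same files.
    hit=$(find "$webroot" -type l | while IFS= read -r link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || continue
        [ "$target" = / ] && target=""
        case "$datadir/" in
            "$target"/*) printf '%s\n' "$link"; break ;;
        esac
    done)

    if [ -n "$hit" ]; then echo "symlinked:$hit"; else echo "outside"; fi
}
```

Only the result `outside` means the move took the data out of the web server's document tree; for the other two results the deny rules for the data path are what keep the files from being served.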

You’re right, for storage problems it is the best and easiest solution.
I had not considered that. :slight_smile:

But important to mention in the howto! Thanks for the hint, I just thought about the storage reason.

Read somewhere that especially with apache the location of data folder inside web root is no real security vulnerability anymore, but yeah it is still “highly” recommended by admin manual: https://docs.nextcloud.com/server/14/admin_manual/configuration_server/harden_server.html#place-data-directory-outside-of-the-web-root

I guess if data is exposed by a poorly configured installation then so is config.php. I’m not sure which I’m more concerned about - data or passwords and internal configuration - being open to the net. Wordpress and others have the same issue with exposing configs, too. :frowning:

Ah, it’s the .htaccess inside data directory that should prevent access:

    # line below if for Apache 2.4
    <ifModule mod_authz_core.c>
    Require all denied
    </ifModule>

    # line below if for Apache 2.2
    <ifModule !mod_authz_core.c>
    deny from all
    Satisfy All
    </ifModule>

Is there something similar for php_fpm or nginx, as they cannot handle .htaccess?

1 Like

No, just set your symlink. Nginx is following it by default.

1 Like

    location /data {
        deny all;
        return 403;
    }

should make it
edit: edits

Ah okay, this is also covered by the example configuration in admin manual:

    location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

But yeah, for every security step, there is a way to get around it. From my point of view, there is not enough you can do to protect your data :slight_smile:.
Same for strong nextcloud password + internal brute force prevention + fail2ban as second brute force detection (okay I do not use that anymore actually :wink: )

I am not skilled at linux or apache, etc. I just got NC 12.0.0 up and running following the manual install instructions and the default installation path when first starting nextcloud 192.168.1.xxx/nextcloud put the data in the webpath apparently.

I’d like to uninstall everything and start over.

I am guessing that I need to:

    apt-get purge nextcloud
    apt-get purge mysql-server

as to the non-web-root directory I was thinking of creating /home/share as the /home mount point has 3TB available and should do okay for my family sharing files

I don’t know what my chown command should look like?

And also is /home/share where both the nextcloud database and user created documents will be kept?

Thanks in advance, and any help much appreciated.

Thanks for support!
I have moved data directory to /opt/data and I can see data in the NextCloud App.
BUT I can’t upload any files, error is “Forbidden”.
In the Admin/Basic Settings I see error: Error occurred while checking server setup
In the Admin panel Logs never show up. I see file under /…/data directory file permissions are: -rw-r-----. 1 httpd httpd
Same as they were in the old location, where it worked fine…

When I upload files manually to home directory and run: sudo -u httpd php /var/www/nextcloud/occ files:scan --all
Files appear in my file list in web and application.
File permissions are the same as they were in original /…/data/ folder.

Strange thing. When I open new incognito window and try to open my nextcloud web page, I get page with error (Old session works):
“Your data directory is not writable
Permissions can usually be fixed by giving the webserver write access to the root directory.”

But in the console I can move files around with httpd user with no problem. For example:
sudo -u httpd cp /var/www/nextcloud/console.php /opt/data/

Where might I be forgetting to change something?
Thank You!

Just to move your data you don’t need to reinstall. But how did you install it? Via apt-get or with the zip?

Don’t purge mySQL or Apache, there’s no need. You can instead make a new database as part of the reinstall.

Don’t put your data in /home/ as there can be issues with ownership, rather use /opt/ or /media/ or /var/ or some other area.

1 Like

I have tried to:
sudo chmod -R 777 /opt
all /opt is owned by httpd:httpd still no success…

Log says:

Aug 15 16:34:05 nextcloud httpd[3000]: [:error] [pid 3000] [client 192.168.20.125:42994] {"reqId":"WZL4TXCfAMRB0DF7mRLwegAAAAM","level":3,"time":"2017-08-15T13:34:05+00:00","remoteAddr":"192.168.20.125","user":"--","app":"PHP","method":"GET","url":"\\/index.php\\/js\\/core\\/merged-template-prepend.js?v=df00724434e5f06d1daca52134e36ea3-2","message":"Invalid argument supplied for foreach() at \\/var\\/www\\/html\\/nextcloud\\/lib\\/private\\/Template\\/JSCombiner.php#107","userAgent":"Mozilla\\/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko\\/20100101 Firefox\\/54.0","version":"12.0.0.29"}
Aug 15 16:34:05 nextcloud httpd[3000]: [:error] [pid 3000] [client 192.168.20.125:42994] PHP Warning:  fileperms(): stat failed for /opt/data/nextcloud.log in /var/www/html/nextcloud/lib/private/Log/File.php on line 122
Aug 15 16:34:05 nextcloud httpd[3000]: [:error] [pid 3000] [client 192.168.20.125:42994] {"reqId":"WZL4TXCfAMRB0DF7mRLwegAAAAM","level":3,"time":"2017-08-15T13:34:05+00:00","remoteAddr":"192.168.20.125","user":"--","app":"PHP","method":"GET","url":"\\/index.php\\/js\\/core\\/merged-template-prepend.js?v=df00724434e5f06d1daca52134e36ea3-2","message":"Invalid argument supplied for foreach() at \\/var\\/www\\/html\\/nextcloud\\/lib\\/private\\/Template\\/SCSSCacher.php#145","userAgent":"Mozilla\\/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko\\/20100101 Firefox\\/54.0","version":"12.0.0.29"}

Or with previously logged user - reinis:

Aug 15 16:36:50 nextcloud httpd[3031]: [:error] [pid 3031] [client 192.168.20.125:43117] PHP Warning:  fileperms(): stat failed for /opt/data/nextcloud.log in /var/www/html/nextcloud/lib/private/Log/File.php on line 122
Aug 15 16:36:50 nextcloud httpd[3031]: [:error] [pid 3031] [client 192.168.20.125:43117] {"reqId":"WZL48jmwqeJEN51EO-50fAAAAAo","level":3,"time":"2017-08-15T13:36:50+00:00","remoteAddr":"192.168.20.125","user":"reinis","app":"PHP","method":"GET","url":"\\/index.php\\/apps\\/theming\\/img\\/core\\/filetypes\\/application.svg?v=2","message":"fileperms(): stat failed for \\/opt\\/data\\/nextcloud.log at \\/var\\/www\\/html\\/nextcloud\\/lib\\/private\\/Log\\/File.php#122","userAgent":"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/60.0.3112.90 Safari\\/537.36","version":"12.0.0.29"}
Aug 15 16:36:50 nextcloud httpd[3031]: [:error] [pid 3031] [client 192.168.20.125:43117] {"reqId":"WZL48jmwqeJEN51EO-50fAAAAAo","level":3,"time":"2017-08-15T13:36:50+00:00","remoteAddr":"192.168.20.125","user":"reinis","app":"PHP","method":"GET","url":"\\/index.php\\/apps\\/theming\\/img\\/core\\/filetypes\\/application.svg?v=2","message":"chmod(): Permission denied at \\/var\\/www\\/html\\/nextcloud\\/lib\\/private\\/Log\\/File.php#123","userAgent":"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/60.0.3112.90 Safari\\/537.36","version":"12.0.0.29"}

Any ideas?

Can you also please create an issue on GitHub: github.com/nextcloud/server/issues

Created issue: Github #6145

Created simple PHP file in
/var/www/nextcloud/pi.php
Containing:
require('/opt/data/test.php');

It also doesn’t work

require(/opt/data/pi.php): failed to open stream: Permission denied in /var/www/html/nextcloud/pi.php

So problem is not in the NextCloud itself, but in my config somewhere somehow…
Keep on digging :slight_smile:

Thnx community for support :+1:

Problem was in SELinux…

1 Like
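The post above names SELinux as the cause without details; the symptoms earlier in the thread (correct ownership, `chmod 777` not helping, `sudo -u httpd cp` working while the web server gets "Permission denied") fit a labelling problem. As an added example, not from the thread or the Nextcloud project, this filters audit-log denials for the web server domain and prints relabel commands; the audit lines are constructed, and the `httpd_sys_rw_content_t` type and the function names are assumptions for a typical Apache setup with `/opt/data` as in the thread.

```bash
# Constructed sample of AVC records as they appear in /var/log/audit/audit.log;
# the target type default_t is made up for illustration.
SAMPLE_AVC='type=AVC msg=audit(1502804045.101:412): avc:  denied  { getattr } for  pid=3000 comm="httpd" path="/opt/data/nextcloud.log" dev="dm-0" ino=5243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1502804045.300:413): avc:  denied  { write } for  pid=3000 comm="httpd" name="data" dev="dm-0" ino=5200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1502804046.000:414): avc:  denied  { read } for  pid=912 comm="sshd" name="x" dev="dm-0" ino=7 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# httpd_denials: read audit lines on stdin and print "perm(s) target_type class"
# for every denial whose source domain is httpd_t, de-duplicated.
httpd_denials() {
    grep 'avc: *denied' | grep 'scontext=[^ ]*:httpd_t:' |
    sed -n 's/.*{ \([^}]*\) }.*tcontext=[^: ]*:[^: ]*:\([^: ]*\):.*tclass=\([a-z_]*\).*/\1 \2 \3/p' |
    sort -u
}

# relabel_commands DATADIR: print (not run) the commands that give DATADIR a
# persistent web-writable label; they have to be run as root.
relabel_commands() {
    printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?'\n" "${1%/}"
    printf 'restorecon -Rv %s\n' "${1%/}"
}

# diagnose DATADIR: audit lines on stdin. If httpd was denied on an object that
# does not carry the web-writable type, report it, print the fix and return 1.
diagnose() {
    denials=$(httpd_denials | awk '$(NF-1) != "httpd_sys_rw_content_t"')
    [ -z "$denials" ] && return 0
    printf 'httpd denied by SELinux:\n%s\n' "$denials"
    relabel_commands "$1"
    return 1
}
```

On a real host the input would come from something like `ausearch -m avc -c httpd` or the audit log itself, for example `diagnose /opt/data < /var/log/audit/audit.log`.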

Thank you for your response:

Actually I have no data to move as I have not done anything with Nextcloud itself other than install it. I have not placed any files anywhere other than the install files. I installed with apt-get per Installation on Linux — Nextcloud 12 Server Administration Manual 12 documentation since I use Linux Mint.

How about /nextcloud/data off the root then? And why would /home/share cause problems?

I’m really confused and didn’t find/understand the help on what is going on in Linux by referencing the admin manual. I am guessing that MySQL is going to put the database for Nextcloud where I designate the datapath during the initial setup of Nextcloud. But I am not sure about that. Also, I do not understand what happens if say I load a file into Nextcloud to share as far as the Linux file system goes. Does Nextcloud copy the file and share the copy? If so, where does it copy the file to – the Nextcloud datapath? Thanks.

As it happens I haven’t tried the apt install method but I think @jospoortvliet knows who maintains it and can answer those specific questions around how it installs and to where - much like Windows I guess the dev can decide if everything is in Program Files or %AppData%, etc.

So all the web interface is in practice for file management (and I’m simplifying this horribly, no lynching please) is a front-end to the hidden data folder on the linux system. Therefore when you upload a file you’re uploading it directly to the folder on linux. Nextcloud also registers the file in the database and can associate shares and other bits and pieces to it that way.

The database normally will be set up in mysql which in itself has a directory (/var/lib/mysql/… in ubuntu), but you don’t normally need to mess with directories for the database, instead something like phpmysql will offer a graphical interface for database management if you wish to install it.

1 Like