I have an Ubuntu 18.04 server with Nextcloud installed in an Apache2 (Apache/2.4.29 (Ubuntu)) virtual host. I am using PHP 7.3. In an attempt to harden the server, I installed libapache2-mod-security2. This immediately locked out access to Nextcloud with an error 403. I clearly did not understand modsecurity well enough.
I decided to uninstall it with sudo apt purge libapache2-mod-security2. I moved the /etc/modsecurity to my home directory. Still, I get the error 403.
Googling I found that if you put an .htaccess file in the root of the virtual host with the following it should turn off modsecurity for that host.
<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>
I put this in
but I had no success.
I also checked the ufw firewall which had the following status:
Status: active To Action From -- ------ ---- 22/tcp LIMIT Anywhere 5432 ALLOW 192.168.0.0/24 Apache Full ALLOW Anywhere 8069 ALLOW Anywhere 3000 ALLOW Anywhere 22/tcp (v6) LIMIT Anywhere (v6) Apache Full (v6) ALLOW Anywhere (v6) 8069 (v6) ALLOW Anywhere (v6) 3000 (v6) ALLOW Anywhere (v6)
the directory up to /var/www/mydomain.com/html is owned by root and the subdirectories underneath that are owned by www-data.
There are only a handful of users on Nextcloud but they like it very much and I am loath to reinstall everything again.