Moving application source outside of public html directory

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 33.0.2
  • Operating system and version (e.g., Ubuntu 24.04):
    • replace me
  • Web server and version (e.g., Apache 2.4.25):
    • Apache 2.4.58
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • replace me
  • PHP version (e.g., 8.3):
    • 8.3.6
  • Is this the first time you’ve seen this error? (Yes / No):
    • n/a
  • When did this problem seem to first start?
    • n/a
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • n/a

Summary of the issue you are facing:

I would like to have the Nextcloud source code in another directory than the files that need to be public, like index.php and css/js. I know there is documentation about moving the data directory outside the public directory; this is not about that. Mainly from a security point of view, I don’t like the config.php, but also other application files, to be in a public directory.

Is this possible, and if so how can this be done?

Steps to replicate it (hint: details matter!):

  1. Create an account at Hetzner

  2. Create a server, instead of choosing an image, choose an app; Nextcloud

  3. SSH into the server, cd /var/www/html, ls -la

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

n/a

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

n/a

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

n/a

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***",
            "nextcloud-test.mydomainname.tld"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "33.0.2.2",
        "overwrite.cli.url": "https:\/\/nextcloud-test.mydomainname.tld\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "htaccess.RewriteBase": "\/",
        "maintenance": false,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "loglevel": 2,
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "allowed_admin_ranges": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "maintenance_window_start": 1,
        "memories.exiftool": "\/var\/www\/html\/apps\/memories\/bin-ext\/exiftool-amd64-glibc",
        "memories.vod.path": "\/var\/www\/html\/apps\/memories\/bin-ext\/go-vod-amd64",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": true,
        "mail_smtpport": "587",
        "mail_sendmailmode": "smtp",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": false,
                "verify_peer": true,
                "verify_peer_name": true
            }
        },
        "config_preset": 2
    }
}

Apps

The output of occ app:list (if possible).

n/a

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be run through analyzers / formatters by those trying to help you.

If you have well-founded security concerns (not just a gut feeling) and can substantiate them, please report them as described in the Security Policy and please do not discuss them here.

Thank you


ernolf