Nextcloud directory accessible through IP-address/other domains on the same host

Nextcloud version (eg, 20.0.5): 27.1.3
Operating system and version (eg, Ubuntu 20.04): Fedora Server 39
Apache or nginx version (eg, Apache 2.4.25): 2.4.58
PHP version (eg, 7.4): 8.2.12

Hi, I just updated to the latest Nextcloud version without any issue. I have been running Nextcloud on this machine for about 1 1/2 years. After updating to the latest version of Nextcloud I fiddled around with URLs a little to see if anything was off. I was very dismayed when I found out that I could access the complete Nextcloud directory, including the data directory (inside the Nextcloud root), just by entering the IP address or another domain pointing to it and the corresponding path.

Now at this point I had no idea why this is even possible as the .htaccess files should block any access to these directories as far as I understood it.

I took my server offline as everything is (or worse, was) accessible from the internet without authentication.

Looking into the httpd.conf I found the AllowOverride directive for /var/www and /var/www/html set to none. I don’t remember changing the directives on installation and the default settings in the Apache config files are not mentioned in the installation documentation of Nextcloud. However, shouldn’t the AllowOverride directive set for the virtual host still allow the .htaccess files to function?

Setting AllowOverride to All in the httpd.conf for /var/www and /var/www/html does indeed fix the issue. Can someone explain to me how the settings in the httpd.conf are not overridden by the virtual host configurations?

What are the permissions and owners of your NC directory?

Here’s a quick link for setting the correct permissions, at least for your data directory. Setting the permissions for your NC directory works likewise.

Sorry for taking ages to respond to this but I had no time to look into this and just cut internet access to the instance in the meantime.

The nextcloud directory as well as most of the directories have 755 permissions. The data directory itself has 770 but the user directories as well as the files directories have 755 again. The owner is apache on all files and folders.

Is this wrong?

Yes, but only for that VirtualHost. For any other VirtualHosts - or access via IPs you haven’t associated with VirtualHosts - the parent config would be inherited.

Oh well, that explains it then. Yikes. I really wonder if “AllowOverride” is set to “None” in the Apache default config (because I think it’s pretty easy to make this mistake when having multiple domain names pointing to the same machine) or if I somehow changed it.

Typically default Apache installations these days are pretty locked down, but that doesn’t mean it doesn’t matter where you place things you add.

In Debian, for example, /var/www/html has a default site (VirtualHost) pointed at it.[1] And it’ll inherit the global config for AllowOverride.[2]

Locally added sites could be placed into dedicated folders under /var/www (though they can go elsewhere too). These would be isolated from the default VirtualHost.

Alternatively, you could deploy in place of the default site. In that case you’d use /var/www/html and also adjust the default VirtualHost configuration as deemed appropriate for the web app you’re deploying.

If you install Nextcloud - in a standard Debian environment - into /var/www/nextcloud and add a Nextcloud VirtualHost via the example nextcloud.conf[3] pointed there you would not have a Nextcloud VirtualHost that overlaps with the default VirtualHost (and not have the situation it sounds like you encountered).

But if you put things into /var/www/**html**/nextcloud instead then you’re placing it under the default site (plus whatever VirtualHost you add for Nextcloud that you point at that folder). This may not be what you want…

You could also disable the default VirtualHost.

The example in the Nextcloud Admin Manual deploys into /var/www/nextcloud if using a VirtualHost deployment.

Fedora is relatively similar, IIRC.

[1] File: 000-default.conf | Debian Sources
[2] File: apache2.conf.in | Debian Sources
[3] Installation on Linux — Nextcloud latest Administration Manual latest documentation
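
The inheritance discussed in this thread, as an added example (not code from the thread, from Apache or from Nextcloud): a small Python audit that reports the effective AllowOverride for a directory in every config scope whose DocumentRoot can serve it. The sample config and the hostname cloud.example.com are constructed; the parser only understands plain `<Directory>` sections and assumes the main server sets DocumentRoot.

```python
import re
from pathlib import PurePosixPath

# Constructed config modelled on the thread; cloud.example.com is hypothetical.
SAMPLE_CONF = """
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
</Directory>
<VirtualHost *:80>
    ServerName cloud.example.com
    DocumentRoot /var/www/html/nextcloud
    <Directory /var/www/html/nextcloud/>
        AllowOverride All
    </Directory>
</VirtualHost>
"""
VHOST = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTORY = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def directive(name, text):
    m = re.search(rf'^\s*{name}\s+"?([^"\n]+?)"?\s*$', text, re.M | re.I)
    return m.group(1) if m else None

def scope(text, fallback_name):
    """One config scope: its name, DocumentRoot and AllowOverride sections."""
    dirs = [(PurePosixPath(p), directive("AllowOverride", body))
            for p, body in DIRECTORY.findall(text)]
    return {"name": directive("ServerName", text) or fallback_name,
            "root": directive("DocumentRoot", text), "dirs": [d for d in dirs if d[1]]}

def audit(conf, target):
    """Effective AllowOverride for `target` in each scope that can serve it.
    Simplified merge: main-server sections plus the vhost's own, shortest
    path first; the last section covering `target` wins."""
    target = PurePosixPath(target)
    main = scope(VHOST.sub("", conf), "main server")
    result = {}
    for s in [main] + [scope(b, "unnamed vhost") for b in VHOST.findall(conf)]:
        root = PurePosixPath(s["root"] or main["root"])  # vhost inherits main root
        if root != target and root not in target.parents:
            continue  # this scope's DocumentRoot does not contain the target
        dirs = main["dirs"] + (s["dirs"] if s is not main else [])
        value = "None"  # httpd 2.4 default when no section sets AllowOverride
        for path, setting in sorted(dirs, key=lambda d: len(d[0].parts)):
            if path == target or path in target.parents:
                value = setting
        result[s["name"]] = value
    return result
```

Any scope reported as `None` for the data directory ignores the `.htaccess` files there; which scope answers a given request still depends on Apache's own VirtualHost matching.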