Nextcloud webroot and data directory - best practices on Ubuntu 18.04 LTS

The admin manual isn't quite clear about this so I have a couple of questions:
Admin manual says: "On other HTTP servers it is recommended to install Nextcloud outside of the document root."

Assumptions:
Ubuntu 18.04 LTS
webroot: /var/www/html/
Nextcloud standard webroot: /var/www/html/nextcloud/
Nextcloud standard data directory: /var/www/html/nextcloud/data/

  1. If I use Apache2, is this OK?
  2. What are the things I should be extra careful with if I do this (i.e. don't change .htaccess etc.)?
  3. What is the best location for the nextcloud data directory?
  4. Is this any more secure:
    webroot: /var/www/html/
    Nextcloud webroot: /var/www/nextcloud/
    Nextcloud data directory: /var/www/nextcloud-data/

Thanks for your help!

-Ryan

1 Like

Your webroot is /var/www/, and you'll want to change the location of your data folder. Using the same setup, I put Nextcloud in /var/www/nextcloud/, and my Data folder in /opt/nextcloud/data. You want it outside of /var/www/.

Assuming all of the above, also make sure www-data (your web user) owns everything recursively in /var/www/nextcloud/ and /opt/nextcloud/ when you've finished setting things up (before launching the install wizard).

edit: Here's a site config file for Apache that works with the above setup and has strong SSL settings.

https://pastebin.com/cyZXDMCV

1 Like

Thanks for your input!

I'm about to do a fresh re-install, and I'll use your suggested configuration.

Thanks,

-Ryan

You can simply stop the server, move the data directory, change the path in the config and start the server again.

But in the case of /var/www/nextcloud/, it is not possible to get A+ on scan.nextcloud.com because of a "__Host-Prefix" security hardening issue. If I am not right, please explain how to fix this when Nextcloud is installed in this directory. I have only an A security check result.

1 Like

Thank you for the question, I just got an A+ after reconfiguring my server :slight_smile:


Based on this forum thread, you have to comment out the Alias and configure DocumentRoot only: Security Scan: __Host-Prefix
If you have a config for the nextcloud directory only, you have to disable it and configure Nextcloud as a virtual host. E.g.:

# cat /etc/apache2/sites-enabled/nextcloud.conf
Alias /nextcloud /var/www/nextcloud/
Alias /javascript /usr/share/javascript/

<Directory /var/www/nextcloud/>
  Options +FollowSymlinks
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>
 
 SetEnv HOME /var/www/nextcloud
 SetEnv HTTP_HOME /var/www/nextcloud

</Directory>

Run a2dissite nextcloud.conf to disable this particular config; then reloading apache2 should be enough to pick up the new config: service apache2 reload

I tried to comment out the Alias and add the DocumentRoot in my /etc/apache2/conf-available/nextcloud.conf

DocumentRoot "/var/www/nextcloud"
 
#Alias /nextcloud "/var/www/nextcloud/" 

<Directory "/var/www/nextcloud">
    Options +FollowSymLinks
    AllowOverride All
    SSLRenegBufferSize  10486000

    <IfModule mod_dav.c>
      Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud   # env names are case-sensitive; Nextcloud reads HTTP_HOME

</Directory>

<Directory "/var/www/nextcloud/data/">
  # just in case if .htaccess gets disabled
  Require all denied
</Directory>

## Please enable this manually, if needed. See also
## https://docs.nextcloud.com/server/11/admin_manual/issues/general_troubleshooting.html#troubleshooting-contacts-calendar
Redirect 301 /.well-known/carddav /nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav  /nextcloud/remote.php/dav
Redirect 301 /ocm-provider/ /nextcloud/ocm-provider/
Redirect 301 /ocs-provider/ /nextcloud/ocs-provider/

But after this I got Not Found when trying to open my Nextcloud in a browser.
Also, running:

a2dissite nextcloud.conf

my result is:

ERROR: Site nextcloud does not exist!

Something is wrong… :roll_eyes:

Because you edited a config and tried to disable a "site". My NC config was in sites-enabled and yours is in conf-available.

→ Everything under *-available is something that you could use, but it is not in use.
→ Everything under *-enabled is something you are using now.

Check your folder /etc/apache2/sites-enabled/; there should be something like 000-default.conf, this is your site configuration. It could be that nextcloud.conf is also there, then run a2disconf nextcloud.conf. My site config example was listed here:

The only difference is that you have to comment out the following to get A+:

Alias /javascript /usr/share/javascript/
Alias /nextcloud /var/www/nextcloud/

I have only the following files in there:
$ ls /etc/apache2/sites-enabled
000-default.conf 000-default-le-ssl.conf

My nextcloud.conf is here:
/etc/apache2/conf-available/nextcloud.conf

000-default.conf - by default serves your HTTP requests with document root /var/www/html.
000-default-le-ssl.conf - by default serves your HTTPS requests with document root /var/www/html.

I would go to the folder /etc/apache2/sites-available, create there a file e.g. 100-nextcloud.conf and put your old config into it by:

cd /etc/apache2/sites-available/
sudo cp 000-default.conf 100-nextcloud.conf
sudo cat 000-default-le-ssl.conf >> 100-nextcloud.conf

Now you can play with 100-nextcloud.conf only. Try to enable it and disable old config:

sudo a2ensite 100-nextcloud.conf 
sudo a2dissite 000-default.conf
sudo a2dissite 000-default-le-ssl.conf
apachectl configtest ###not sure if it should be run under sudo or not. Should be no errors shown
sudo service apache2 reload

Check if it works as before. Now you have a restore point: you can play only with 100-nextcloud.conf and if something goes really wrong, disable it and enable your 000* defaults.

Now you can edit your 100-nextcloud.conf and bring it to something like this (mine, with letsencrypt and Nextcloud under /var/www/nextcloud; I also copied your nextcloud.conf here). Check what is already there, especially regarding IPs and SSL configuration:

<VirtualHost 192.168.0.100:80>

ServerName HOST
ServerAdmin webmaster@HOST

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#Use HTTPS only, all http requests will be redirected
Redirect permanent / https://HOST/

</VirtualHost>

<VirtualHost 192.168.0.100:443>

ServerName HOST
ServerAdmin webmaster@HOST

DocumentRoot /var/www/nextcloud

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/HOST/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/HOST/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/HOST/chain.pem
	
<FilesMatch "\.(cgi|shtml|phtml|php)$">
	SSLOptions +StdEnvVars
</FilesMatch>

<Directory /usr/lib/cgi-bin>
	SSLOptions +StdEnvVars
</Directory>
    
<Directory "/var/www/nextcloud">
	Options +FollowSymLinks
	AllowOverride All
	SSLRenegBufferSize  10486000

<IfModule mod_dav.c>
	Dav off
</IfModule>

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud   # env names are case-sensitive; Nextcloud reads HTTP_HOME

</Directory>

<Directory "/var/www/nextcloud/data/">
	# just in case if .htaccess gets disabled
	Require all denied
</Directory>

## Please enable this manually, if needed. See also
## https://docs.nextcloud.com/server/11/admin_manual/issues/general_troubleshooting.html#troubleshooting-contacts-calendar
## With Nextcloud as the DocumentRoot the targets live at "/", not under "/nextcloud/";
## the ocm-provider/ocs-provider redirects are only needed for a sub-directory install.
Redirect 301 /.well-known/carddav /remote.php/dav
Redirect 301 /.well-known/caldav  /remote.php/dav

## If you want enable http2.0 --> https://gist.github.com/GAS85/990b46a3a9c2a16c0ece4e48ebce7300
#Protocols h2 h2c http/1.1
#H2Push on
#H2PushPriority * after
#H2PushPriority text/css before
#H2PushPriority image/jpg after 32
#H2PushPriority image/jpeg after 32
#H2PushPriority image/png after 32
#H2PushPriority application/javascript interleaved

#SSLUseStapling on
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
Header always set Referrer-Policy no-referrer
ErrorDocument 403 "Hmmmm... Looks it is not here:)"

</VirtualHost>
1 Like
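The advice in the posts above comes down to a few checkable properties of the Apache site file: Nextcloud is the DocumentRoot rather than an "Alias /nextcloud" sub-path (the __Host- cookie prefix requires Path=/, which only works when the app is served at "/"), the data directory is denied even if .htaccess is ignored, the environment variable is spelled HTTP_HOME, and Referrer-Policy is set. The following is an added example, not code from the thread or from Nextcloud: a small POSIX shell audit that greps a site file for those properties, run here against two constructed sample configs mirroring the thread's Alias-style and vhost-style layouts (the paths and the sample files are assumptions for a self-contained run).

```bash
#!/bin/sh
# Added example, not code from the thread: a small audit of an Apache site
# config for the pitfalls discussed above. Paths are the thread's
# (/var/www/nextcloud); the two sample configs are constructed here.

# Drop "#..." comments so a commented-out Alias no longer counts as active.
# (Naive: a "#" inside a quoted directive value is also dropped.)
active_lines() { sed -e 's/#.*$//' "$1"; }

# Nextcloud has to be the DocumentRoot, not an "Alias /nextcloud" sub-path:
# __Host- prefixed cookies require Path=/, which only works when served at "/".
check_served_at_root() {   # usage: check_served_at_root CONF NCDIR
    active_lines "$1" | grep -Eq "^[[:space:]]*DocumentRoot[[:space:]]+\"?$2/?\"?[[:space:]]*$" || return 1
    if active_lines "$1" | grep -Eq "^[[:space:]]*Alias[[:space:]]+/nextcloud[[:space:]]"; then return 1; fi
    return 0
}

# The data directory must stay unreachable even if .htaccess is ignored.
check_data_denied() {      # usage: check_data_denied CONF NCDIR
    active_lines "$1" | tr '\n' ' ' |
        grep -Eq "<Directory[[:space:]]+\"?$2/data/?\"?>[^<]*Require[[:space:]]+all[[:space:]]+denied"
}

# Environment variable names are case-sensitive: Nextcloud reads HTTP_HOME.
check_http_home() {        # usage: check_http_home CONF
    if active_lines "$1" | grep -q 'SetEnv HTTP_Home'; then return 1; fi
    active_lines "$1" | grep -q 'SetEnv HTTP_HOME'
}

# The header the Nextcloud admin overview checks for.
check_referrer_policy() {  # usage: check_referrer_policy CONF
    active_lines "$1" |
        grep -Eq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Referrer-Policy[[:space:]]+"?no-referrer"?'
}

# Run all checks; prints one line per check, returns the number of failures.
audit_site() {             # usage: audit_site CONF NCDIR
    fails=0
    for c in "check_served_at_root $1 $2" "check_data_denied $1 $2" \
             "check_http_home $1" "check_referrer_policy $1"; do
        if $c; then echo "ok   ${c%% *}"; else echo "FAIL ${c%% *}"; fails=$((fails + 1)); fi
    done
    return $fails
}

# --- constructed sample configs (mirroring the thread's two layouts) ---
TMP=$(mktemp -d)
GOOD_CONF="$TMP/100-nextcloud.conf"   # vhost with Nextcloud as DocumentRoot
BAD_CONF="$TMP/nextcloud-alias.conf"  # the old Alias-style conf
cat > "$GOOD_CONF" <<'EOF'
<VirtualHost *:443>
    DocumentRoot /var/www/nextcloud
    #Alias /nextcloud /var/www/nextcloud/
    <Directory "/var/www/nextcloud">
        AllowOverride All
        SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>
    <Directory "/var/www/nextcloud/data/">
        Require all denied
    </Directory>
    Header always set Referrer-Policy no-referrer
</VirtualHost>
EOF
cat > "$BAD_CONF" <<'EOF'
Alias /nextcloud /var/www/nextcloud/
<Directory /var/www/nextcloud/>
    AllowOverride All
    SetEnv HTTP_Home /var/www/nextcloud
</Directory>
EOF
echo "== $GOOD_CONF"; audit_site "$GOOD_CONF" /var/www/nextcloud || true
echo "== $BAD_CONF";  audit_site "$BAD_CONF"  /var/www/nextcloud || true
```

To audit a real file, call audit_site /etc/apache2/sites-enabled/100-nextcloud.conf /var/www/nextcloud; the checks are deliberately simple pattern matches on one file and do not follow Include lines, so run them on the file that actually carries the vhost.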

Hello. Thank you very much for your explanation. Have I understood correctly: after creating this config, the old one, which is /etc/apache2/conf-available/nextcloud.conf ?

Could you please check my current config?

100-nextcloud.conf
<VirtualHost 10.17.16.9:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName bla.bla.com.ua

	ServerAdmin webmaster@localhost
	
	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	#Use HTTPS only, all http requests will be redirected
	Redirect permanent / https://bla.bla.com.ua/

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	<IfModule http2_module>
	  ProtocolsHonorOrder On
	  Protocols h2 h2c http/1.1
	</IfModule>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =bla.bla.com.ua
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule mod_ssl.c>
<VirtualHost 10.17.16.9:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName bla.bla.com.ua

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/nextcloud

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	
		
	<FilesMatch "\.(cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	</FilesMatch>
	
	<Directory /usr/lib/cgi-bin>
		SSLOptions +StdEnvVars
	</Directory>
	
	<Directory "/var/www/nextcloud">
	    Options +FollowSymLinks
	    AllowOverride All
	    SSLRenegBufferSize  10486000

	    <IfModule mod_dav.c>
	      Dav off
	    </IfModule>

	    SetEnv HOME /var/www/nextcloud
	    SetEnv HTTP_HOME /var/www/nextcloud   # env names are case-sensitive; Nextcloud reads HTTP_HOME

</Directory>

<Directory "/var/www/nextcloud/data/">
  # just in case if .htaccess gets disabled
  Require all denied
</Directory>
	
	## Please enable this manually, if needed. See also
	## https://docs.nextcloud.com/server/11/admin_manual/issues/general_troubleshooting.html#troubleshooting-contacts-calendar
	#Redirect 301 /.well-known/carddav /remote.php/dav
	#Redirect 301 /.well-known/caldav  /remote.php/dav
	#Redirect 301 /ocm-provider /ocm-provider/
	#Redirect 301 /ocs-provider /ocs-provider/
	
	<IfModule http2_module>
	  ProtocolsHonorOrder On
	  Protocols h2 h2c http/1.1
	</IfModule>


SSLCertificateFile /etc/letsencrypt/live/bla.bla.com.ua/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bla.bla.com.ua/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
<IfModule mod_headers.c>
	Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
	Header always set Referrer-Policy no-referrer
</IfModule>
</VirtualHost>
</IfModule>

After creating and enabling it I checked and got A+ at last.

But the one thing: now I have the one security warning in Administration - Overview:

The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the W3C

As you can see in my 100-nextcloud.conf, it has line:

Header always set Referrer-Policy no-referrer

But the warning still exists anyway.
Also, in my .htaccess file there is the following section:

<IfModule mod_env.c>
        # Add security and privacy related headers
        Header set X-Content-Type-Options "nosniff"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Robots-Tag "none"
        Header set X-Download-Options "noopen"
        Header set X-Permitted-Cross-Domain-Policies "none"
        Header set Referrer-Policy "no-referrer"
        SetEnv modHeadersAvailable true
      </IfModule>

But for some reason the warning message is present. Any ideas?

Thank you very much again.

I have had exactly the same problem since updating to NC 15.x; I just ignore it, because the settings were good and I did not find a way to solve it.
There are also a few topics about it, but they did not help me.

As I understand it, if using Apache, putting Nextcloud in the web root folder is fine. However, you will want to relocate your data folder completely outside the web folder. I think the idea here is that in case of a web server malfunction or breach it could theoretically straight up serve your files on the web page. You might consider /srv/nextcloud/data.

You can move the folder and edit the config. After doing so you can use occ to scan the new location and update the database accordingly as needed.
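The procedure described in this thread (stop the server, move the data directory out of the web root, change the path in config.php, fix ownership, then let occ rescan) as an added example, not code from the thread or from Nextcloud. It is a POSIX shell function that refuses a target inside the web root, moves the tree, and rewrites the 'datadirectory' entry; the temp-directory layout, the sample file and the config.php it operates on are constructed here so the script runs self-contained. Run the real thing with Apache stopped and as root so the chown succeeds.

```bash
#!/bin/sh
# Added example, not code from the thread: relocate the Nextcloud data
# directory out of the web root and point config.php at it, as advised above.
# Do this with Apache stopped. The paths and config.php below are constructed
# for a self-contained run inside a temp directory.

# A data directory under the web root can be served by the web server; refuse it.
is_outside_webroot() {     # usage: is_outside_webroot NEWDIR WEBROOT
    w=${2%/}
    case "$1/" in "$w"/*) return 1 ;; esac
    return 0
}

# Rewrite 'datadirectory' in config.php (keeps a .bak copy).
set_datadirectory() {      # usage: set_datadirectory CONFIG_PHP NEWDIR
    sed -i.bak "s#'datadirectory' => '[^']*'#'datadirectory' => '$2'#" "$1"
}

# Read back the current value, for verification.
get_datadirectory() {      # usage: get_datadirectory CONFIG_PHP
    sed -n "s/.*'datadirectory' => '\([^']*\)'.*/\1/p" "$1"
}

# Move the tree, fix ownership/permissions, update the config.
nc_move_datadir() {        # usage: nc_move_datadir OLDDIR NEWDIR CONFIG_PHP WEBROOT
    old=$1; new=$2; cfg=$3; web=$4
    [ -d "$old" ] || { echo "no such data directory: $old" >&2; return 1; }
    [ ! -e "$new" ] || { echo "target already exists: $new" >&2; return 1; }
    is_outside_webroot "$new" "$web" || { echo "refusing: $new is inside $web" >&2; return 1; }
    mkdir -p "$(dirname "$new")" && mv "$old" "$new" || return 1
    # The web user must own the tree (chown needs root; just report otherwise).
    chown -R www-data:www-data "$new" 2>/dev/null ||
        echo "note: run 'chown -R www-data:www-data $new' as root" >&2
    chmod 0770 "$new"      # not world-readable
    set_datadirectory "$cfg" "$new"
}

# --- constructed demo inside a temp directory ---
TMP=$(mktemp -d)
WEBROOT="$TMP/var/www"
OLD="$WEBROOT/nextcloud/data"
NEW="$TMP/opt/nextcloud/data"
CFG="$WEBROOT/nextcloud/config/config.php"
mkdir -p "$OLD" "$(dirname "$CFG")"
echo "sample" > "$OLD/sample.txt"        # stands in for user files
cat > "$CFG" <<EOF
<?php
\$CONFIG = array (
  'datadirectory' => '$OLD',
  'overwrite.cli.url' => 'https://HOST',
);
EOF
nc_move_datadir "$OLD" "$NEW" "$CFG" "$WEBROOT" &&
    echo "datadirectory is now: $(get_datadirectory "$CFG")"
echo "then, as the web user: sudo -u www-data php occ files:scan --all"
```

On a real host the call is nc_move_datadir /var/www/nextcloud/data /opt/nextcloud/data /var/www/nextcloud/config/config.php /var/www, followed by the occ scan from the Nextcloud directory and a restart of Apache.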

I did not have this warning message until I moved to a virtual host from my old config. So, possibly it is somehow related to it. Maybe a bug (?) BTW, I'm using Nextcloud 16.0.3. So, if it is a bug, it is still not fixed in the latest version.

Hi Rotational, does it mention separating Data in the instructions? I trust you're right, however I'm not sure where it mentions it and therefore not sure where this data folder is that I need to separate.