Problem: .htaccess neglected, files unprotected

Hi Nextcloud community!

I am stuck with a problem concerning the .htaccess warning ("Your data directory and your files are probably accessible from the Internet…"). I checked if this is the case and indeed: it is possible to simply download the files from my cloud:

wget https://cloud.myurl.com/data/jakob/files/someFolder/someFile.pdf
works and downloads the file without complaining. This would be a disaster if my files were not encrypted.

In other threads here, here and here I read about the necessary apache configurations, like setting the AllowOverride All option and activating the apache rewrite module.

My apache does seem to recognize that there is a .htaccess file: When I add nonsense lines to it and restart apache, it complains.

From this post I understand that there is the possibility of simply moving the data directory somewhere else, out of reach of the apache webserver. Nevertheless, there must be something missing in my setup to make the .htaccess file work as it is supposed to.

I am running a Ubuntu 16.04 system with Nextcloud 16.04 on apache 2.4.18; I pretty much followed the instructions described in the installation manual.

My apache config:

<VirtualHost *:80>
DocumentRoot "/var/www/nextcloud"
ServerName cloud.myurl.com

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All
Order allow,deny
allow from all

<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
Satisfy Any

</Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.myurl.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

The config.php

<?php
$CONFIG = array (
'instanceid' => 'someid',
'passwordsalt' => 'someSalt',
'secret' => 'someSecret',
'trusted_domains' => 
array (
  0 => 'bla.url.com',
  1 => 'cloud.myurl.com',
),
'datadirectory' => '/var/www/nextcloud/data',
'overwrite.cli.url' => 'https://cloud.myurl.com',
'dbtype' => 'mysql',
'version' => '9.1.0.16',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextclouduser',
'dbpassword' => 'somePwd',
'logtimezone' => 'UTC',
'installed' => true,
'mail_from_address' => 'noreply',
'mail_smtpmode' => 'php',
'mail_domain' => 'myaddress.com',
'maintenance' => false,
'appstore.experimental.enabled' => false,
'htaccess.RewriteBase' => '/',
);

and the .htaccess file

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>
  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for CSS and JS files
  <FilesMatch "\.(css|js)$">
    Header set Cache-Control "max-age=7200, public"
  </FilesMatch>
</IfModule>
<IfModule mod_php5.c>
  php_value upload_max_filesize 513M
  php_value post_max_size 513M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value always_populate_raw_post_data -1
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_php7.c>
  php_value upload_max_filesize 513M
  php_value post_max_size 513M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /core/templates/403.php
ErrorDocument 404 /core/templates/404.php

Is there anything obvious?

Thanks, Jakob

Remove that in your apache config and it should work. I had that today too.

Perfect, that solves it!

Thanks a lot :smiley::+1:

Oh, after updating my nextcloud instance to 10.0.2 the problem came back again and my files are exposed :confused:
The fix of @dev0 is still implemented and in addition I unsuccessfully tried this approach to fix it:

The apache virtual host config did not change in the update. My nextcloud config gained some lines:

  'remember_login_cookie_lifetime' => 1296000,
  'session_lifetime' => '86400',
  'session_keepalive' => true,
  'updater.secret' => 'someSecret',
  'theme' => '',
  'loglevel' => 2,
  'updater.release.channel' => 'stable',
  #'updater.server.url' => 'https://updates.nextcloud.com/updater_server/',

Also, the .htaccess gained lines:

....
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //core/templates/403.php
ErrorDocument 404 //core/templates/404.php
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

I am surprised that this problem is so resistant. What can I do to narrow down the source of the problem?

I just tested this on my install and it did download a file ‘someFile.pdf’, however when I examined the file downloaded it was actually the index.html login page. Visiting the URL with a browser results in the same redirect to the login page.

Can you try less /PATH/TO/someFile.pdf and confirm whether it is the actual file (encrypted or not) or is it an HTML document?
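The check suggested above (is the downloaded "someFile.pdf" the real document, or the HTML login page that the redirect lands on?), together with a look at the data directory's own .htaccess that the earlier posts rely on, as an added shell example. This is not code from the thread or from Nextcloud; it assumes curl, dd, tr and grep are available, and the URL and directory it is pointed at are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Nextcloud: two checks for the
# "is my data directory reachable from the web?" question.
#
# 1. classify_download FILE
#    Decides whether a file fetched from https://host/data/... is the real
#    payload or the HTML login page that Nextcloud redirects to. wget follows
#    redirects by default, so it happily saves that login page under the
#    requested name, which is what made the thread's test look like a leak.
# 2. data_dir_htaccess_ok DIR
#    Confirms that DIR (the datadirectory) carries an .htaccess that denies
#    all web access, in either the Apache 2.4 or the Apache 2.2 spelling.
#
# Only the first 16 bytes of a download are inspected, so large files are fine.

classify_download() {
  file="$1"
  [ -r "$file" ] || { echo "unreadable"; return 2; }
  # Strip NUL bytes (binary files) before handing the prefix to the shell,
  # then lowercase so "<!DOCTYPE html>" and "<!doctype html>" compare equal.
  prefix=$(dd if="$file" bs=16 count=1 2>/dev/null | tr -d '\000' | tr '[:upper:]' '[:lower:]')
  case "$prefix" in
    '%pdf-'*)                      echo "real-file" ;;   # a genuine PDF was served
    *'<!doctype html'*|*'<html'*)  echo "html-page" ;;   # the login page, not the file
    *)                             echo "unknown" ;;     # some other content
  esac
}

data_dir_htaccess_ok() {
  dir="$1"
  [ -f "$dir/.htaccess" ] || return 1
  # "Require all denied" is the Apache 2.4 form, "Deny from all" the 2.2 form.
  grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' "$dir/.htaccess"
}

# check_exposure URL: fetch the way the thread's wget did (following redirects)
# and report "real-file" (exposed), "html-page" (redirected to login) or
# "unknown". The exit status is non-zero when the real file came back.
check_exposure() {
  url="$1"
  tmp=$(mktemp) || return 2
  if ! curl -sS -L -o "$tmp" "$url"; then
    rm -f "$tmp"; echo "fetch-failed"; return 2
  fi
  verdict=$(classify_download "$tmp")
  rm -f "$tmp"
  echo "$verdict"
  [ "$verdict" != "real-file" ]
}

# Stand-alone use (placeholder URL), e.g.:
#   NC_CHECK_URL=https://cloud.myurl.com/data/jakob/files/someFolder/someFile.pdf sh check.sh
# Nothing runs when the variable is unset, so the functions can also be sourced.
if [ -n "${NC_CHECK_URL:-}" ]; then
  check_exposure "$NC_CHECK_URL"
fi
```

Run the check once before and once after changing the vhost: "html-page" means the request never reached the file on disk, "real-file" means the data directory really is served and the Apache configuration, not the Nextcloud warning, is what needs fixing. The .htaccess test is only meaningful when the vhost sets AllowOverride All for that tree, as the thread's configuration does.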

You are right, it actually is an HTML file. When I copy the PDF file link into my browser, it brings me to my login page as well.
Does that mean that my data is secure, regardless of Nextcloud's warning?

Today I updated to Nextcloud 11, and now it does not give the warning any longer. So I guess things are fine now :smiley:
Thanks for your help!