[RESOLVED] Nextcloud on Debian Jessie - Access forbidden

#1

Following the documentation I installed Nextcloud 10.0.1 on a Debian Jessie 64-bit system.

The option AllowOverride All is set.
File owner is www-data.

I get the error

Nextcloud
    Access forbidden
Nextcloud – a safe home for all your data

This is my virtual host configuration:

<VirtualHost *:80>
ServerName cloud.example.com
ServerAdmin admin@example.com
DocumentRoot /mnt/dati/cloud

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory /mnt/dati/cloud>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /mnt/dati/cloud
SetEnv HTTP_HOME /mnt/dati/cloud
</Directory>

</VirtualHost>

If I add the option Satisfy Any I can access owncloud but my files are exposed:

Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.

Note: during installation I used the option Satisfy Any but now I can't keep it.

This is the .htaccess.
The only changes are about the upload size.

<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
</IfModule>

<IfModule mod_env.c>
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
SetEnv modHeadersAvailable true
</IfModule>

# Add cache control for CSS and JS files
<FilesMatch "\.(css|js)$">
Header set Cache-Control "max-age=7200, public"
</FilesMatch>
</IfModule>
<IfModule mod_php5.c>
php_value upload_max_filesize 10G
php_value post_max_size 10G
php_value memory_limit 512M
php_value mbstring.func_overload 0
php_value always_populate_raw_post_data -1
php_value default_charset 'UTF-8'
php_value output_buffering 0
<IfModule mod_env.c>
SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_php7.c>
php_value upload_max_filesize 10G
php_value post_max_size 10G
php_value memory_limit 512M
php_value mbstring.func_overload 0
php_value default_charset 'UTF-8'
php_value output_buffering 0
<IfModule mod_env.c>
SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //core/templates/403.php
ErrorDocument 404 //core/templates/404.php

#2

Some more info

tail -f /var/log/apache2/error.log
[Wed Oct 12 12:55:31.977146 2016] [authz_core:error] [pid 413] [client xxx.xxx.xxx.xxx:36160] AH01630: client denied by server configuration: /mnt/dati/cloud/index.php
[Wed Oct 12 12:55:32.278273 2016] [authz_core:error] [pid 413] [client xxx.xxx.xxx.xxx:36160] AH01630: client denied by server configuration: /mnt/dati/cloud/core/css/styles.css
[Wed Oct 12 12:55:32.278419 2016] [authz_core:error] [pid 413] [client xxx.xxx.xxx.xxx:36160] AH01630: client denied by server configuration: /mnt/dati/cloud/core/templates/403.php
[Wed Oct 12 12:55:32.294672 2016] [authz_core:error] [pid 992] [client xxx.xxx.xxx.xxx:36161] AH01630: client denied by server configuration: /mnt/dati/cloud/core/css/inputs.css
[Wed Oct 12 12:55:32.294834 2016] [authz_core:error] [pid 992] [client xxx.xxx.xxx.xxx:36161] AH01630: client denied by server configuration: /mnt/dati/cloud/core/templates/403.php
[Wed Oct 12 12:55:32.306149 2016] [authz_core:error] [pid 414] [client xxx.xxx.xxx.xxx:36162] AH01630: client denied by server configuration: /mnt/dati/cloud/core/css/header.css
[Wed Oct 12 12:55:32.306282 2016] [authz_core:error] [pid 414] [client xxx.xxx.xxx.xxx:36162] AH01630: client denied by server configuration: /mnt/dati/cloud/core/templates/403.php
[Wed Oct 12 12:55:32.319238 2016] [authz_core:error] [pid 411] [client xxx.xxx.xxx.xxx:36163] AH01630: client denied by server configuration: /mnt/dati/cloud/core/css/icons.css
[Wed Oct 12 12:55:32.319370 2016] [authz_core:error] [pid 411] [client xxx.xxx.xxx.xxx:36163] AH01630: client denied by server configuration: /mnt/dati/cloud/core/templates/403.php

#3

I found what was wrong in my configuration.
The Apache configuration in Debian Jessie restricts file system access to only 2 directories (/usr/share and /var/www).

# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>

<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

So I had to add

<Directory /mnt/dati>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

and the virtual host started working fine without Satisfy Any.

PS: the page with the error was

Forbidden
You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

accessing the base URL instead of URL/index.php/settings/admin
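The merge rule behind the fix in #3, as an added example that is not part of this thread: a small Python model of how Apache 2.4 applies matching <Directory> sections broadest path first, run against a constructed copy of Debian's default deny on "/", the vhost block for /mnt/dati/cloud and the /mnt/dati block added as the fix. It shows why the root `Require all denied` produced AH01630, and why the vhost's more specific `AllowOverride All` still takes precedence over the `AllowOverride None` in the new block, so Nextcloud's .htaccess is honoured. The model is a simplification (no regex sections, <Location> or <Files>).

```python
"""Simplified model of Apache 2.4 <Directory> merging (added example, not from
the thread): matching sections apply shortest path first, so the most specific
directory wins. Regex sections, <Location> and <Files> are not modelled."""
import re
from pathlib import PurePosixPath

# Constructed config mirroring the thread: Debian's default deny on "/",
# the vhost's block for the Nextcloud root, and the block #3 adds as the fix.
DEBIAN_DEFAULT = """<Directory />
AllowOverride None
Require all denied
</Directory>
<Directory /var/www/>
AllowOverride None
Require all granted
</Directory>"""
VHOST = """<Directory /mnt/dati/cloud>
AllowOverride All
</Directory>"""
FIX = """<Directory /mnt/dati>
AllowOverride None
Require all granted
</Directory>"""
SECTION = re.compile(r"<Directory\s+(\S+)>(.*?)</Directory>", re.S | re.I)

def parse_sections(config):
    """Return [(directory, {directive: value})] for each <Directory> block."""
    sections = []
    for path, body in SECTION.findall(config):
        directives = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            if key and not key.startswith("#"):
                directives[key.lower()] = value.strip()
        sections.append((PurePosixPath(path), directives))
    return sections

def effective(config, filename):
    """Merge every section containing `filename`, broadest first, and return
    the resulting directives (e.g. 'require' -> 'all denied' is AH01630)."""
    target = PurePosixPath(filename)
    merged = {}
    for path, directives in sorted(parse_sections(config), key=lambda s: len(s[0].parts)):
        if path == target or path in target.parents:
            merged.update(directives)
    return merged
```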