[Solved] Hardening/Security: <myDomain>/nextcloud/config/ listing files in browser

Hello folks,

I have just made a fresh install of Nextcloud (v.11.0.3.2 on Debian 8) according to the manual.
So far everything seems working, redirect to always use SSL (selfsigned cert) is working too, and everything looks fine. Almost.

I used the setting-strong-directory-permissions script to make sure permissions are right. Though the instructions refer to version 9, I assume this is also applicable for the current version 11.

However, I noticed now that most subfolders are publicly accessible and its contents can be seen in the browser (even without having logged in to NC).

To be more specific, I mean folders like:
< myDomain >/nextcloud/apps/
< myDomain >/nextcloud/apps/files/
< myDomain >/nextcloud/apps/dav/
< myDomain >/nextcloud/apps/calendar/
< myDomain >/nextcloud/apps/gallery/
< myDomain >/nextcloud/apps/gallery/config/
< myDomain >/nextcloud/core/
All those urls can be entered in the browser and it will happily list its contents to the public.
The permission to those folder are set to (for example):
drwxr-x--- 45 www-data www-data 4096 May 6 02:18 apps
drwxr-x--- 7 www-data www-data 4096 May 6 02:18 dav
drwxr-x--- 16 root www-data 4096 May 6 02:18 core
…

But even worse, also:
< myDomain >/nextcloud/config/
can be reached, listing its contents in the browser showing the config.php file!
That cannot be good, right?
Permissions are:
drwxr-x--- 2 www-data www-data 4096 May 9 04:01 config

However, interestingly I noticed on the other hand, that the folder
< myDomain >/nextcloud/apps/external/
just returns a blank page. (which is good I think)
Its permissions are:
drwxr-x--- 10 www-data www-data 4096 May 6 02:18 external

It’s been a while since my last install (was an OC 5 or 6) and I think I used to harden the cloud with some .htaccess files, but I noticed there are some already existing and I don’t want to mess up my fresh install.
So, to make it short: What am I missing? Or am I just paranoid and that is supposed to be like that?

Thus, if anyone can give me some advice or point me to the right spot with instructions I would greatly appreciate that.

Thanks in advance.
Regards, Santigua

If someone can read the Nextcloud code this is not so critical because the code is already public. However, the config file must not be readable this is a real security issue.
Do you use the apache webserver? Normally the .htaccess files limit the access, in nginx you perhaps need to add something to prevent direct access. But I think the default configs from the documentation should already considering this.

Thanks for the reply. Yes, I am running NC with Apache 2.4.

However, as mentioned above also the config directory is listed in the browser showing config.php and config.sample.php. This was what started the initial concern.

And then I also read somewhere (I dont find it anymore), that < mydomain >/nextcloud/apps/files shoudl give an Error 403, which is also not the case. Also in /nextcloud/apps/files the contents are happily listed.

And last but not least, I had a quick look at the demo you can try on https://nextcloud.com/ and also there it seems that entering those url directly in the browser gives just a blank page, or a redirect to the login page.

So, this all together I do not really feel secure. Thus any advice, instructions or link would be highly appreciated. Thanks in advance.

So, just in case others see the same problem:

It seems I made a fundamental mistake in my Apache config which I just post here to give the hint also to others in case they see something similar.

On my Debian the apache configuration in /etc/apache2/sites-enabled/default-ssl.conf needed some adjustments.
(If you run apache for some reason without SSL, then you might want to change the file /etc/apache2/sites-enabled/000-default.conf )

The change is simple, but effective: Just below the line DocumentRoot /var/www/html I added the following section:

<Directory /var/www/html>
     Options -Indexes
</Directory>

Don’t forget to restart apache to activate the new config using:
apache2ctl restart

Then you should get an “access denied” when you try to list the contents of any subfolder without an index.html or index.php file.

The line Options -Indexes can also be used in a .htaccess file, but it makes more sense to directly make this here, and not on a “per folder basis”. This line then disables indexing of the folders in the webpath. So, thats exactly what I wanted.

Tomorrow I will do a thorough test of all functionality to make sure it does not interfer with any other intended function. But so far it looks good. I hope that’s it then.

Comments or further suggestions are of course very welcome.

Nextcloud already comes with .htaccess-files for the root folder, the config/ and the data/-folder. You can also place the data folder outside the webserver’s documentRoot.
If you have access to the server configuration, you can also deny direct access to the data and config folder.

you probably have to check for the correct options in apache.conf, like:
(find better examples in doc and the forum)

<Directory /var/www/nc/> Redirect 301 /.well-known/carddav /remote.php/carddav Redirect 301 /.well-known/caldav /remote.php/caldav Options Indexes FollowSymLinks MultiViews AllowOverride All Require all granted <IfModule mod_php7.c> php_value upload_max_filesize 512M php_value post_max_size 512M SSLRenegBufferSize 10486000 </IfModule> </Directory>