In my apache2.conf there is the line DocumentRoot "/foo/bar"
and a VirtualHost entry with /foo/bar/nextcloud
Perhaps I am misunderstanding this, but this seems to say that both directories are webroot and therefore, nextcloud data should be in neither.
According to my webhoster, I can’t remove DocumentRoot "/foo/bar" from apache2.conf but it would be safe to move the data directory to /foo/bar/data since no domain points there.
So does the Nextcloud documentation actually mean to place the data directory somewhere where domains don’t point to, or does it really mean not anywhere inside of any of the document root entries of the apache2.conf?
Since I can’t move Nextcloud data outside of /foo/bar/ without changing my hosting package and tremendous effort: does moving Nextcloud data from /foo/bar/nextcloud/data to /foo/bar/data provide a meaningful security benefit or is it pointless?
Any request that doesn’t match an existing <VirtualHost> is handled by the global server configuration, regardless of the hostname or ServerName.
To ensure that the default document root /foo/bar/ is never used (even accidentally), you should also set some kind of default virtual host to handle random requests that do not meet the Nextcloud virtual host conditions.
If you manage to redirect all external requests to the Nextcloud virtual host and the default virtual host, then you can safely move your /Data directory to /foo/bar/ and resolve the Nextcloud warning.
So the DocumentRoot "/foo/bar" entry at the beginning of the apache2.conf is the default document root and is only used if there are no virtual hosts?
And something like a catchall virtualhost put before all other virtualhosts in the apache2.conf would block access to that default document root? Something like this?
<VirtualHost _default_:*>
    <Location />
        Deny from all
        Options None
        ErrorDocument 403 Forbidden.
    </Location>
</VirtualHost>
A “request that doesn’t match an existing virtualhost” - assuming that there is a virtualhost for every sub/domain, this would happen if somebody used the server IP directly, is that about right?
How would I test if it works:
htaccess off, enter server IP/new path to data/file in the browser and see if it is displayed?
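
As an added illustration that is not part of any post in this thread and not taken from the Nextcloud documentation: the catch-all idea discussed above, written in Apache 2.4 syntax, together with a server-wide deny on the relocated data directory. It assumes Apache 2.4 and plain HTTP on port 80; cloud.example.com, catchall.invalid and /var/www/empty are placeholder names.

```apache
# Global default from the thread; stays in place as the hoster requires.
DocumentRoot "/foo/bar"

# Defence in depth: whichever virtual host (or the global server) ends up
# handling a request, Apache refuses to serve anything below the data
# directory. <Directory> matches on the filesystem path, not on the URL.
<Directory "/foo/bar/data">
    Require all denied
    AllowOverride None
</Directory>

# Catch-all virtual host. It must be the FIRST <VirtualHost> loaded for
# this address:port: Apache hands every request whose Host header matches
# no ServerName/ServerAlias (for example a request to the bare server IP)
# to the first virtual host defined for that address:port.
<VirtualHost *:80>
    # Placeholder name, only there so the vhost has an explicit ServerName.
    ServerName catchall.invalid
    # Placeholder: an empty directory, so this vhost never maps to /foo/bar.
    DocumentRoot "/var/www/empty"
    <Location "/">
        # Apache 2.4 form of the 2.2-style "Deny from all".
        Require all denied
    </Location>
</VirtualHost>

# Nextcloud virtual host (hostname is a placeholder).
<VirtualHost *:80>
    ServerName cloud.example.com
    DocumentRoot "/foo/bar/nextcloud"
</VirtualHost>

# An HTTPS listener needs its own catch-all <VirtualHost *:443> with
# SSLEngine on and a certificate; otherwise unmatched HTTPS requests fall
# through to whichever *:443 virtual host is defined first.
```

With this in place, a request for a known file under the data directory, sent both to the bare server IP and to the Nextcloud hostname, should return 403 in both cases.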