True meaning of "Placing the data directory outside of the Web root"

Nextcloud version: 29.0.1.1
Using a webhoster (not a root server or anything fancy).

According to the Hardening and security guidance in the Nextcloud Administration Manual, the Nextcloud data directory should be placed outside of the web root.

Currently my data is in
/foo/bar/nextcloud/data

In my apache2.conf there is the line
DocumentRoot "/foo/bar"
and a VirtualHost entry with /foo/bar/nextcloud.
Perhaps I am misunderstanding this, but this seems to say that both directories are web roots and therefore Nextcloud data should be in neither.

According to my webhoster, I can’t remove DocumentRoot "/foo/bar" from apache2.conf but it would be safe to move the data directory to /foo/bar/data since no domain points there.

So does the Nextcloud documentation actually mean placing the data directory somewhere no domain points to, or does it really mean not anywhere inside any of the DocumentRoot entries in apache2.conf?

Since I can’t move nextcloud data outside of /foo/bar/ without changing my hosting package and tremendous effort: does moving nextcloud data from /foo/bar/nextcloud/data to /foo/bar/data provide a meaningful security benefit or is it pointless?

Virtual hosting allows you to dynamically change the document root (see Apache - Using Name-based Virtual Hosts).

Any request that doesn’t match an existing <VirtualHost> is handled by the global server configuration, regardless of the hostname or ServerName.

To ensure that the default document root /foo/bar/ is never used (even accidentally), you should also set up some kind of default virtual host to handle random requests that do not meet the Nextcloud virtual host conditions.

If you manage to direct all external requests to either the Nextcloud virtual host or the default virtual host, then you can safely move your data directory to /foo/bar/ and resolve the Nextcloud warning.


So the DocumentRoot "/foo/bar" entry at the beginning of the apache2.conf is the default document root and is only used if there are no virtual hosts?

And something like a catch-all VirtualHost put before all other VirtualHosts in apache2.conf would block access to that default document root? Something like this?

<VirtualHost _default_:*>
    <Location />
        Deny from all
        Options None
        ErrorDocument 403 Forbidden.
    </Location>
</VirtualHost>

(source: apache 2.2 - How to disable default VirtualHost in apache2? - Server Fault)

A “request that doesn’t match an existing virtualhost” - assuming that there is a virtualhost for every sub/domain, this would happen if somebody used the server IP directly, is that about right?

How would I test if it works:
.htaccess off, enter server-IP/new-path-to-data/file in the browser and see if it is displayed?
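To make the reply's advice and the catch-all question above concrete, here is an added configuration example; it is not from the thread, from the Server Fault answer, or from Nextcloud's own documentation. It assumes Apache 2.4 syntax (`Require all denied` rather than the 2.2-era `Deny from all`), reuses the /foo/bar paths from the question, and uses `cloud.example.com` and `/var/www/empty` as placeholders. In Apache 2.4 `_default_` is simply an alias for `*`, so what makes the first block the catch-all is that it is listed first for that address:port.

```apache
# Added example, not from the thread. Assumes Apache 2.4; paths /foo/bar and
# /foo/bar/nextcloud come from the question, cloud.example.com and
# /var/www/empty are placeholders. Apache does not allow comments on the
# same line as a directive, so every comment sits on its own line.

# 1. Catch-all. Being the first <VirtualHost> on port 80, it serves every
#    request whose Host header matches no other ServerName/ServerAlias
#    (raw IP address, stray domains, Host-less HTTP/1.0 requests).
#    Its document root is an empty, fully denied directory, so the global
#    DocumentRoot "/foo/bar" is never served by accident.
<VirtualHost _default_:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
    ErrorDocument 403 "Forbidden"
</VirtualHost>

# 2. The Nextcloud vhost. Only requests for this hostname reach the
#    Nextcloud tree; AllowOverride All lets Nextcloud's shipped .htaccess
#    rules (including the one it writes into the data directory) apply.
<VirtualHost *:80>
    ServerName cloud.example.com
    DocumentRoot /foo/bar/nextcloud
    <Directory /foo/bar/nextcloud>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# 3. Server-level deny for the moved data directory. Nextcloud's PHP reads
#    these files from disk, never over HTTP, so blocking them here costs
#    nothing and keeps them unreachable even if a future vhost or the
#    global DocumentRoot exposes /foo/bar, and regardless of whether
#    .htaccess processing is enabled.
<Directory /foo/bar/data>
    Require all denied
</Directory>
```

Checking it matches the test the poster describes: `apache2ctl -S` (or `apachectl -S`) lists the parsed virtual hosts and which one is the default for each port. From outside, `curl -sI http://SERVER_IP/data/` (no matching Host, lands in the catch-all) and `curl -sI -H 'Host: cloud.example.com' http://SERVER_IP/data/` (matches the Nextcloud vhost, hits the Directory deny) should both return `403`, while `curl -sI http://cloud.example.com/status.php` should return `200`. Because the deny in block 3 lives in the server configuration, it holds even with .htaccess switched off, which is the case the poster wanted to verify.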