Why Nginx instead of Apache?

How is this avoided with AllowOverride = all then? It seems like apache checks those files often and if someone had access to the webroot and edited the .htaccess it would be loaded into apache with the next request, no?

Files starting with a dot (.) are hidden files in Linux by convention, thus files starting with a dot are invisible to the non-privileged user and therefore cannot be edited through the web interface. To edit those files you need access to the CLI. The directive AllowOverride = all doesn’t change this behaviour.

If you are still worried that someone might view/access/edit .htaccess, you can add the following to your Apache conf inside the virtual host container of your NC instance. Please note that the entry below is probably already set by default within the httpd.conf which comes with Apache:

<Files ".ht*">
    Require all denied
</Files>

If you want to deny access to all files starting with a dot:

# <Files> only matches wildcard strings; FilesMatch takes a regular expression
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

You have to restart Apache to make the changes take effect.

(The above is valid for Apache >= 2.4)


Yes, but why should anybody be able to write to your webroot in the first place? With web applications like Nextcloud, you shouldn’t be fiddling around with the webroot anyway. There is no need to grant write access to the webroot for anybody except for server admins. Server admins, however, normally administer the server via SSH and usually have root/sudo privileges anyway. Normal users should only use the Nextcloud webUI or the WebDAV interface and not directly upload any files to the webroot. Nextcloud is not a “normal” web site, where you upload page updates directly to the webroot of the server. And even with “normal” web sites you most likely use a CMS nowadays and only server admins have direct access to the filesystem of the server.

Conclusion: For inexperienced admins it is better to use Apache in combination with .htaccess and the configuration from the Nextcloud docs. If you disable .htaccess, or use nginx, you should know what you are doing. And of course you should not give remote write access to any folders on the server to anybody. There is no need for that with an application like Nextcloud.

There is a difference between the whole Apache configuration and a limited per-folder .htaccess. The .htaccess way, I can only change the configuration of the folder the file is in; I can’t change the general configuration of Apache. If I include the file in the Apache config, someone with access to the webfolder can change the whole Apache config (like adding virtual hosts, changing the root directory to some other folder the Apache user can read, etc.).

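A check for the concern raised in the posts above (who can change `.htaccess` in the webroot), as an added example that is not part of the thread: it lists directories and `.htaccess` files that someone other than a trusted owner can modify. The function name, the `trusted_uids` parameter and its root-only default are assumptions of this example.

```python
import os
import stat
import sys

# Per-directory override file Apache re-reads when AllowOverride permits it.
OVERRIDE_FILES = {".htaccess"}


def audit_webroot(root, trusted_uids=(0,)):
    """Return sorted (relative_path, reason) findings.

    Checks every directory and every override file under root. A writable
    directory matters as much as a writable .htaccess: whoever can write the
    directory can delete the file and create a new one in its place.
    trusted_uids is an assumption of this example (default: root only).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        paths = [dirpath] + [
            os.path.join(dirpath, name) for name in filenames if name in OVERRIDE_FILES
        ]
        for path in paths:
            st = os.lstat(path)  # lstat: report a symlink, do not follow it
            rel = os.path.relpath(path, root)
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink"))
                continue
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "group/other writable"))
            if st.st_uid not in trusted_uids:
                findings.append((rel, "untrusted owner"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_webroot.py <webroot>   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in audit_webroot(target):
        print(f"{reason}: {rel}")
```

An empty result means only the trusted owners can change the per-directory configuration under that path.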

I can share my personal experience as a supplement for above answers.
I’m running a Nextcloud for personal use on a very tiny box from DO, with 1 v-core and 1G memory. At the beginning, I used Apache with libphp and it ran well. When I changed it to nginx with phpfpm, out-of-memory errors occurred many times, causing file upload failures, until I upgraded to a 2 v-cores and 2G memory box. Then I switched back to Apache.
I guess the reason could be that libphp runs within the Apache process and nginx + phpfpm requires 2 processes, which requires more memory than the former.
I didn’t run a benchmark for them so I wouldn’t suggest Apache is better than nginx for Nextcloud. However, if your server is a very limited one like mine, Apache might be a better option.

From what I can gather, Nginx is much faster than Apache on static content. In other words, if you serve lots of files then this is the server for you. However, when it comes to dynamic content, Apache is just as fast.

If you run a Nextcloud just for yourself or for your small agency / business, choose the webserver you are most familiar with and whose configuration files are easiest for you to work with.

The differences show up after 10.000’s of requests, not in such a small scale. You will not notice any difference at all.

As you ask this question in this forum, I assume you are not administrating a Nextcloud for a university or similar - hence, just go with what you like best. Personally, for me it's nginx, but apache2’s config files are ok to read as well.

It's a religion thing at this scale - vim vs emacs :wink:
