Thoughts of a nerd

Nextcloud: Data directory accessible from the internet

If you’ve recently upgraded to NC 29 then you may be seeing the following warning in your Administration overview: 

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

It took me quite a bit of head-scratching and searching to web to figure out what’s going on as my “data” directory was indeed outside of the webroot for NC.

It turns out that when NC checks to see if it has direct access to the data directory it curls itself via HTTP (Not HTTPS). Usually this wouldn’t be a problem, but if your web server is configured to redirect all HTTP traffic to HTTPS like mine was, then you’ll see something like this in the logs:

{your servers ip here} - - [05/Jun/2024:09:57:00 +0100] "HEAD //DATA/.ocdata HTTP/1.1" 302 214 "-" "Nextcloud Server Crawler"

The important part of that console output is the HTTP status code “302” it means that NC is being redirected from HTTP > HTTPS. The problem with this is that NC is expecting a 404 status code to be returned in order for it to pass the test, when it sees a 302 it considers “data” to be publicly accessible and reports a failure.

To resolve this you need to make an exception in your RewriteRule so that when NC curls itself no redirect takes place. For example:

RewriteEngine On
RewriteCond %{HTTPS} =off
# Exclude requests from localhost
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
# Exclude requests from public IP address
RewriteCond %{REMOTE_ADDR} !^00\.000\.000\.000$
RewriteRule ^ https://nc.xxen.co.uk [L,NC]

Note: You’ll need to substitute “^00\.000\.000\.000$” with your servers public IP address.

Now reload your Apache configuration and run the test again. This time you should see the expected 404:

{your servers ip here} - - [05/Jun/2024:09:57:00 +0100] "HEAD //DATA/.ocdata HTTP/1.1" 404 214 "-" "Nextcloud Server Crawler"

And that’s it. The issue should be solved.

For more info on Apaches Rewrite module you can check out their docs HERE

Posted

in

by

Steveoo

Tags:

,

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.