Nextcloud: Data directory accessible from the internet

If you’ve recently upgraded to NC 29 then you may be seeing the following warning in your Administration overview:

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

It took me quite a bit of head-scratching and searching to web to figure out what’s going on as my “data” directory was indeed outside of the webroot for NC.

It turns out that when NC checks to see if it has direct access to the data directory it curls itself via HTTP (Not HTTPS). Usually this wouldn’t be a problem, but if your web server is configured to redirect all HTTP traffic to HTTPS like mine was, then you’ll see something like this in the logs:

The important part of that console output is the HTTP status code “302” it means that NC is being redirected from HTTP > HTTPS. The problem with this is that NC is expecting a 404 status code to be returned in order for it to pass the test, when it sees a 302 it considers “data” to be publicly accessible and reports a failure.

To resolve this you need to make an exception in your RewriteRule so that when NC curls itself no redirect takes place. For example:

Now reload your Apache configuration and run the test again. This time you should see the expected 404:

And that’s it. The issue should be solved.

For more info on Apaches Rewrite module you can check out their docs HERE


Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.