Description
Steps To Reproduce
Hello guys :)
Thank you for the awesome VM.
After upgrading from Nextcloud 28.0.6 to 29.0.1 I see the following security warning in the admin web interface:
Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.
Expected Result
No security warning because I didn't change anything manually and the warning was not there in 28.0.6.
If you need any more information, I'll provide it. Thank you in advance :)
Actual Result
I get a security warning. I checked some other threads about this error, but I think my configs are fine:
/var/www/nextcloud/config/config.php
<?php
$CONFIG = array (
  'passwordsalt' => 'removed',
  'secret' => 'removed',
  'trusted_domains' =>
  array (
    0 => '192.168.178.12',
    1 => 'mydomain.com',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '29.0.1.1',
  'overwrite.cli.url' => 'https://mydomain.com',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud_db_user',
  'dbpassword' => 'removed',
  'installed' => true,
  'instanceid' => 'ocfj09ydf7l8',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => '0',
    'dbindex' => '0',
    'timeout' => '0.5',
    'password' => 'removed',
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'upgrade.disable-web' => true,
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'mail_smtpmode' => 'smtp',
  'remember_login_cookie_lifetime' => '2520168',
  'auto_logout' => false,
  'log_rotate_size' => '0',
  'trashbin_retention_obligation' => 'auto, 60',
  'versions_retention_obligation' => 'auto, 180',
  'activity_expire_days' => '120',
  'simpleSignUpLink.shown' => false,
  'default_phone_region' => 'de',
  'logtimezone' => 'Etc/UTC',
  'htaccess.RewriteBase' => '/',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_from_address' => 'mail',
  'mail_domain' => 'removed',
  'mail_smtphost' => 'removed',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'removed',
  'mail_smtppassword' => 'removed',
  'preview_concurrency_new' => '6',
  'preview_concurrency_all' => '12',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\Imaginary',
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\MarkDown',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\TXT',
    5 => 'OC\\Preview\\OpenDocument',
    6 => 'OC\\Preview\\Movie',
    7 => 'OC\\Preview\\Krita',
  ),
  'preview_imaginary_url' => 'http://127.0.0.1:9000',
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'preview_max_memory' => '256',
  'maintenance' => false,
);
/etc/apache2/sites-available/mydomain.com.conf
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ### YOUR SERVER ADDRESS ###
    ServerAdmin [email protected]
    ServerName mydomain.com

    ### SETTINGS ###
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php8.1-fpm.nextcloud.sock|fcgi://localhost"
    </FilesMatch>

    # Intermediate configuration
    Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"
    SSLEngine on
    SSLCompression off
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off
    ServerSignature off

    # Logs
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Document root folder
    DocumentRoot /var/www/nextcloud

    # The Nextcloud folder
    <Directory /var/www/nextcloud>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
        Satisfy Any
        # This is to include all the Nextcloud rules due to that we use PHP-FPM and .htaccess aren't read
        Include /var/www/nextcloud/.htaccess
    </Directory>

    # Deny access to your data directory
    <Directory /mnt/ncdata>
        Require all denied
    </Directory>

    # Deny access to the Nextcloud config folder
    <Directory /var/www/nextcloud/config/>
        Require all denied
    </Directory>

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    # The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients.
    <Files ".ht*">
        Require all denied
    </Files>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

    # Disable HTTP TRACE method.
    TraceEnable off
    # Disable HTTP TRACK method.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [R=405,L]

    # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
    <IfModule mod_reqtimeout.c>
        RequestReadTimeout body=0
    </IfModule>

    ### LOCATION OF CERT FILES ###
    # SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/mydomain.com/dhparam.pem
</VirtualHost>

### EXTRAS ###
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SetEnv proxy-sendcl 1
Build Version
29.0.1
Environment
By using the scripts
Environment Details
Ubuntu 22.04.4 with ZFS on Proxmox.
php -v
PHP 8.1.2-1ubuntu2.17 (cli) (built: May 1 2024 10:10:07) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
with Zend OPcache v8.1.2-1ubuntu2.17, Copyright (c), by Zend Technologies
apache -v
Server version: Apache/2.4.52 (Ubuntu)
Server built: 2024-04-10T17:45:18
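
The warning names two remedies: deny web access to the data directory, or keep it outside the document root. As an added example (not part of the original report, and not code from Nextcloud or the VM scripts), this static check tests both conditions against a vhost; the function names and result keys are hypothetical, and the sample reproduces only the access-control lines of the configuration posted above.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the access-control lines of the vhost posted above.
SAMPLE_VHOST = """\
DocumentRoot /var/www/nextcloud
<Directory /var/www/nextcloud>
    AllowOverride None
    Require all granted
    Include /var/www/nextcloud/.htaccess
</Directory>
<Directory /mnt/ncdata>
    Require all denied
</Directory>
"""

def directory_blocks(conf):
    """Map each <Directory PATH> to its directive lines (comments dropped)."""
    blocks = {}
    pattern = r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>'
    for m in re.finditer(pattern, conf, re.S | re.I):
        path = str(PurePosixPath(m.group(1).strip()))  # normalises trailing "/"
        lines = [ln.strip() for ln in m.group(2).splitlines()]
        blocks[path] = [ln for ln in lines if ln and not ln.startswith("#")]
    return blocks

def audit(datadir, conf):
    """Static check only: Alias directives and other config files are ignored."""
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', conf, re.M | re.I)
    if not m:
        raise ValueError("no DocumentRoot in the supplied configuration")
    docroot, data = PurePosixPath(m.group(1)), PurePosixPath(datadir)
    blocks = directory_blocks(conf)
    root = blocks.get(str(docroot), [])
    # Absent AllowOverride is treated as None (the Apache 2.4 default).
    override = next((ln.split(None, 1)[1] for ln in root
                     if re.match(r"AllowOverride\s", ln, re.I)), "None")
    included = any(re.fullmatch(r"Include(Optional)?\s+\S*\.htaccess", ln, re.I)
                   for ln in root)
    inside = data == docroot or docroot in data.parents
    # Only a block for the exact data path counts as an explicit deny.
    denied = any(re.fullmatch(r"Require\s+all\s+denied", ln, re.I)
                 for ln in blocks.get(str(data), []))
    return {
        "datadir_inside_docroot": inside,
        "datadir_explicitly_denied": denied,
        "root_htaccess_in_effect": included or override.lower() != "none",
        "served_by_path_mapping": inside and not denied,
    }

if __name__ == "__main__":
    print(audit("/mnt/ncdata", SAMPLE_VHOST))
```

The result describes only what the supplied text says; it does not show what the running server returns for a request.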