After upgrade to Nextcloud 29.0.2 «data directory and files are probably accessible from the internet »

[ndx1905-github]

Describe the bug

after upgrading to Nextcloud 29.0.2 I get this message

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

Context

• Hardware: VPS bought online /
• YunoHost version: 11.2.15 stable
• I have access to my server: Through SSH | through the webadmin
• Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no

Steps to reproduce

Upgrade yunohost Nextcloud app from 28.x to 29.0.2 Upgrade works but when you click in Nextcloud in the admin settings you have a security warning

[TiberiusRegenschein]

I can confirm the behavior. I am not sure if #674 is related. When looking into the Nextcloud documentation it might be

[tuxmouraille]

Hello,

I have the same warning message.

[milouse]

Documented here upstream https://help.nextcloud.com/t/frequent-nextcloud-29-hub-8-update-issues/189897#htaccess-issue-2

Looking at those threads, I found a working solution by removing 'localhost' from the 'trusted_domains' in nextcloud config.

i.e. edit /var/www/nextcloud/config/config.php and change

$CONFIG = array(
  …
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'YOUR_ACTUAL_NEXTCLOUD_DOMAIN',
  ),
  …
);

to

$CONFIG = array(
  …
  'trusted_domains' => 
  array (
    0 => 'YOUR_ACTUAL_NEXTCLOUD_DOMAIN',
  ),
  …
);

Then restart fpm: sudo systemctl restart php8.2-fpm

That said, I’m not really sure of the implication of removing localhost from the trusted domain list :/

And finally upstream issue is https://github.com/nextcloud/server/issues/45087 and from my understanding the issue comes from the fact the nextcloud internal test succeed because of the http -> https redirection when trying the 'localhost' domain. Not sure how to deal with that :/

[rodinux]

~Hello... I am not sure is really the solution. I have got the same issue and first edit also this parameter, but I have got problems with caldav and cardard apps... I found the solution was to edit the nginx.conf with~

location ^~ /.well-known {
  # The following 6 rules are borrowed from `.htaccess`

  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
  #rewrite ^/\.well-known/host-meta\.json  /public.php?service=host-meta-json  last;
  #rewrite ^/\.well-known/host-meta        /public.php?service=host-meta       last;

#  location = /.well-known/carddav     { return 301 /remote.php/dav/; }
#  location = /.well-known/caldav      { return 301 /remote.php/dav/; }

  location = /.well-known/webfinger     { return 301 /index.php$request_uri; }
  location = /.well-known/nodeinfo      { return 301 /index.php$request_uri; }

  # Let Nextcloud's API for `/.well-known` URIs handle all other
  # requests by passing them to the front-end controller.
  return 301 /index.php$request_uri;
}

location /.well-known/carddav {
    return 301 https://nextcloud.domaine.tld/remote.php/dav/;
}

location /.well-known/caldav {
    return 301 https://nextcloud.domaine.tld/remote.php/dav/;
}

https://github.com/nextcloud/server/issues/45033#issuecomment-2136532798

Then I put back the localhost and the warning did not come back...

I can try with another server if I am right, I tell you after testing.

This issue is not related, but another one explain here: #701

[rodinux]

Well, in another server I have a bug with the .well-known, and specially the /.well-known/caldav, after reading doc, It not clear, it seems for nginx the good configuration is

 location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in the Nextcloud `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /nextcloud/remote.php/dav/; }

seems something strange with the api nextcloud and the calendar

[rodinux]

well I have got the same error after a while, and the workaround was to delete localhost, but I couldn't resolve the .well-know issue.

Ok, this issue is not related, but explain here with a solution: #701

[stepcellwolf]

Is there a plan of a new release?

[Luncheon3462]

I have Same error. I don’t understand cause or what to do. Is my data safe or at risk. Should I disconnect from internet until there is a fix

[rodinux]

@Luncheon3462 if you edit the file /var/www/config/config.php as said before the error will be resolved

removing 0 => 'localhost', and keep the line

 'trusted_domains' => 
  array (
    0 => 'YOUR_ACTUAL_NEXTCLOUD_DOMAIN',
  ),

For my errors with .well-know it is not related, but another issue

[rodinux]

Also this works on my side

  'trusted_domains' => 
  array (
    0 => 'YOUR_ACTUAL_NEXTCLOUD_DOMAIN',
    1 => 'localhost',
  ),