nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Apache log reports AH01630: client denied by server configuration: `./data/.ocdata` #46515

Closed nagmat84 closed 2 months ago

nagmat84 commented 4 months ago


Bug description

After upgrading to NC 29, my Apache log is flooded with

[authz_core:error] cloud.my-domain.tld: AH01630: client denied by server configuration: /var/www/my-domain.tld/nextcloud/data/.ocdata

The error did not exist on NC 28. I noticed that the data directory contains a .htaccess file now which hasn't been there before (it seems to be new since NC 29). The file .ocdata exists, has proper ownership and size zero. However, from looking at the new .htaccess file it is obvious that access is denied to everything inside the data directory.

What is the purpose of the file .ocdata? What client tries to access that file and why? Is this a bug in the new .htaccess file because rights are set too restrictively and should be relaxed for .ocdata, or is this a client bug which tries to access a file it shouldn't anymore?

I am using the Web UI, the Windows NC client, the Android client and the Linux NC client 3.13.0 to access my NC account.

Steps to reproduce

  1. Install and/or upgrade to NC 29
  2. Use the Web UI, Windows Client, Android Client or Linux Client 3.13.0 to access the NC account (note: I haven't yet figured out for sure which client causes the error, but I suspect the Linux client)
  3. Get error message in Apache log

Expected behavior

No error in Apache log.

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Other

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 28 to 29)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

Configuration report

{
    "system": {
        "dbtype": "pgsql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "default_language": "de",
        "default_locale": "de_DE",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "sendmail",
        "overwrite.cli.url": "https:\/\/cloud.mhnnet.de",
        "htaccess.RewriteBase": "\/",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.mhnnet.de",
            "cloud.famna.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "version": "29.0.3.4",
        "dbtableprefix": "oc_",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "default_phone_region": "DE",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "skeletondirectory": "",
        "templatedirectory": "",
        "default_timezone": "Europe\/Berlin",
        "enabledPreviewProviders": [
            "OC\\Preview\\BMP",
            "OC\\Preview\\GIF",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\Krita",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\MSOffice2003",
            "OC\\Preview\\MSOffice2007",
            "OC\\Preview\\MSOfficeDoc",
            "OC\\Preview\\Movie",
            "OC\\Preview\\MP3",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\PDF",
            "OC\\Preview\\PNG",
            "OC\\Preview\\SVG",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\TXT",
            "OC\\Preview\\WebP",
            "OC\\Preview\\XBitmap"
        ],
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "allow_user_to_change_display_name": false,
        "defaultapp": "",
        "maintenance_window_start": 1
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.11
  - cloud_federation_api: 1.12.0
  - contacts: 6.0.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_accesscontrol: 1.19.1
  - files_downloadlimit: 2.0.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - groupfolders: 17.0.1
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - mail: 3.7.2
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - password_policy: 1.19.0
  - previewgenerator: 5.5.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - support: 1.12.0
  - tasks: 0.16.0
  - text: 3.10.1
  - theming: 2.4.0
  - theming_customcss: 1.16.0
  - twofactor_backupcodes: 1.18.0
  - updatenotification: 1.19.1
  - user_ldap: 1.20.0
  - user_status: 1.9.0
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - circles: 29.0.0-dev (installed 26.0.0)
  - comments: 1.19.0 (installed 1.10.0)
  - contactsinteraction: 1.10.0 (installed 1.7.0)
  - encryption: 2.17.0
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0 (installed 2.0.1)
  - files_reminders: 1.2.0 (installed 1.0.0)
  - firstrunwizard: 2.18.0 (installed 2.15.0)
  - photos: 2.5.0 (installed 1.2.1)
  - privacy: 1.13.0 (installed 1.11.0)
  - survey_client: 1.17.0 (installed 1.15.0)
  - suspicious_login: 7.0.0
  - systemtags: 1.19.0 (installed 1.10.0)
  - twofactor_totp: 11.0.0-dev
  - weather_status: 1.9.0 (installed 1.0.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

joshtrichards commented 4 months ago

> I noticed that the data directory contains a .htaccess file now which hasn't been there before (it seems to be new since NC 29). The file .ocdata exists, has proper ownership and size zero. However, from looking at the new .htaccess file it is obvious that access is denied to everything inside the data directory.

That .htaccess file is not new.

> (note: I haven't yet figured out for sure which client causes the error, but I suspect the Linux client)

Your web server access log will have the attempts in it with the IP address as well as the user agent info so you can confirm where it's coming from. If you can't find that, please use the help forum: https://help.nextcloud.com

NC29:

test-nc29-app-1  | [Sun Jul 14 14:19:29.077206 2024] [access_compat:error] [pid 85] [client 192.168.128.1:53632] AH01797: client denied by server configuration: /var/www/html/data/.ocdata
test-nc29-app-1  | 192.168.128.1 - - [14/Jul/2024:14:19:29 +0000] "HEAD /data/.ocdata HTTP/1.1" 404 2174 "-" "Nextcloud Server Crawler"

NC28:

test-nc28-app-1  | [Sun Jul 14 14:19:10.610063 2024] [access_compat:error] [pid 195] [client 192.168.XX.YY:49392] AH01797: client denied by server configuration: /var/www/html/data/.ocdata
test-nc28-app-1  | 192.168.XX.YY - - [14/Jul/2024:14:19:10 +0000] "GET /data/.ocdata?t=1720966750544 HTTP/1.1" 404 15650 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

> After upgrading to NC 29, my Apache log is flooded [...] The error did not exist on NC 28.

It's likely being generated by the data directory security setup check (well, or bots).

Each access of the setup checks (e.g. Administration settings->Overview or accessing the checks via occ) will trigger it. In v28 the same thing happened. The only difference was the query came from the browser instead of from the server itself (i.e. the checks are server-side now).

Are you perhaps triggering setup checks automatically?
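
Added example, not part of the original thread and not Nextcloud code: one way to carry out the access-log check suggested above, grouping requests for `/data/.ocdata` by client IP and user agent. The names `ocdata_sources`, `classify` and `SERVER_IPS` are hypothetical, and treating 192.168.128.1 as the server's own address is an assumption made for the sample.

```python
import re
from collections import Counter

# Apache "combined" access-log line; search() tolerates a "container  | " prefix.
ACCESS = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# User agent of the server-side request in the NC29 log quoted in the thread.
SETUP_CHECK_UA = "Nextcloud Server Crawler"

def classify(ip, ua, server_ips):
    """A user agent is client-supplied, so it only counts with a known server IP."""
    if ua != SETUP_CHECK_UA:
        return "other client"
    return "setup check" if ip in server_ips else "crawler UA, unexpected IP"

def ocdata_sources(lines, server_ips, target="/data/.ocdata"):
    """Count requests for `target` per (client IP, method, user agent, origin)."""
    counts = Counter()
    for line in lines:
        m = ACCESS.search(line)
        if not m or m["path"].split("?", 1)[0] != target:
            continue  # error-log lines and requests for other URLs are skipped
        origin = classify(m["ip"], m["ua"], server_ips)
        counts[(m["ip"], m["method"], m["ua"], origin)] += 1
    return counts

# Lines 1-3 are copied from the thread; lines 4-6 are constructed for this example.
SAMPLE = [
    'test-nc29-app-1  | [Sun Jul 14 14:19:29.077206 2024] [access_compat:error] [pid 85] [client 192.168.128.1:53632] AH01797: client denied by server configuration: /var/www/html/data/.ocdata',
    'test-nc29-app-1  | 192.168.128.1 - - [14/Jul/2024:14:19:29 +0000] "HEAD /data/.ocdata HTTP/1.1" 404 2174 "-" "Nextcloud Server Crawler"',
    'test-nc28-app-1  | 192.168.XX.YY - - [14/Jul/2024:14:19:10 +0000] "GET /data/.ocdata?t=1720966750544 HTTP/1.1" 404 15650 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '192.168.128.1 - - [14/Jul/2024:14:24:29 +0000] "HEAD /data/.ocdata HTTP/1.1" 404 2174 "-" "Nextcloud Server Crawler"',
    '203.0.113.7 - - [14/Jul/2024:14:30:02 +0000] "HEAD /data/.ocdata HTTP/1.1" 404 2174 "-" "Nextcloud Server Crawler"',
    '192.168.128.1 - - [14/Jul/2024:14:31:00 +0000] "GET /status.php HTTP/1.1" 200 150 "-" "curl/8.5.0"',
]
# Assumption: 192.168.128.1 is the address the server's own requests arrive from.
SERVER_IPS = {"192.168.128.1"}

if __name__ == "__main__":
    for (ip, method, ua, origin), n in ocdata_sources(SAMPLE, SERVER_IPS).most_common():
        print(f"{n:3d}  {origin:26s} {ip:15s} {method:4s} {ua}")
```

A steady count under "setup check" that lines up with a cron or monitoring interval points to automated setup checks; entries in the other two groups are the ones worth tracing by IP.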

nextcloud-command commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.