nextcloud / vm

💻☁📦 The Nextcloud VM (virtual machine appliance), Home/SME Server and scripts for RPi (4-5). Community developed and maintained.
https://download.nextcloudvm.com
GNU General Public License v3.0

Upgrade from Nextcloud 28.0.6 to 29.0.1 results in security warning #2640

Closed JSchimmelpfennig closed 6 months ago

JSchimmelpfennig commented 6 months ago

Steps To Reproduce

Hello guys :) thank you for the awesome VM. After upgrading from Nextcloud 28.0.6 to 29.0.1 I see the following security warning in the admin web interface:

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

Expected Result

No security warning because I didn't change anything manually and the warning was not there in 28.0.6.

If you need any more information, I'll provide it. Thank you in advance :)

Actual Result

I get a security warning. I checked some other threads about this error, but I think my configs are fine:

/var/www/nextcloud/config/config.php

```
'removed',
  'secret' => 'removed',
  'trusted_domains' =>
  array (
    0 => '192.168.178.12',
    1 => 'mydomain.com',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '29.0.1.1',
  'overwrite.cli.url' => 'https://mydomain.com',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud_db_user',
  'dbpassword' => 'removed',
  'installed' => true,
  'instanceid' => 'ocfj09ydf7l8',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => '0',
    'dbindex' => '0',
    'timeout' => '0.5',
    'password' => 'removed',
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'upgrade.disable-web' => true,
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'mail_smtpmode' => 'smtp',
  'remember_login_cookie_lifetime' => '2520168',
  'auto_logout' => false,
  'log_rotate_size' => '0',
  'trashbin_retention_obligation' => 'auto, 60',
  'versions_retention_obligation' => 'auto, 180',
  'activity_expire_days' => '120',
  'simpleSignUpLink.shown' => false,
  'default_phone_region' => 'de',
  'logtimezone' => 'Etc/UTC',
  'htaccess.RewriteBase' => '/',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_from_address' => 'mail',
  'mail_domain' => 'removed',
  'mail_smtphost' => 'removed',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'removed',
  'mail_smtppassword' => 'removed',
  'preview_concurrency_new' => '6',
  'preview_concurrency_all' => '12',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\Imaginary',
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\MarkDown',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\TXT',
    5 => 'OC\\Preview\\OpenDocument',
    6 => 'OC\\Preview\\Movie',
    7 => 'OC\\Preview\\Krita',
  ),
  'preview_imaginary_url' => 'http://127.0.0.1:9000',
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'preview_max_memory' => '256',
  'maintenance' => false,
);
```
/etc/apache2/sites-available/mydomain.com.conf

```
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]

### YOUR SERVER ADDRESS ###
ServerAdmin admin@mydomain.com
ServerName mydomain.com

### SETTINGS ###
SetHandler "proxy:unix:/run/php/php8.1-fpm.nextcloud.sock|fcgi://localhost"

# Intermediate configuration
Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"
SSLEngine on
SSLCompression off
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
ServerSignature off

# Logs
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ErrorLog ${APACHE_LOG_DIR}/error.log

# Document root folder
DocumentRoot /var/www/nextcloud

# The Nextcloud folder
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
Satisfy Any

# This is to include all the Nextcloud rules due to that we use PHP-FPM and .htaccess aren't read
Include /var/www/nextcloud/.htaccess

# Deny access to your data directory
Require all denied

# Deny access to the Nextcloud config folder
Require all denied

Dav off

# The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients.
Require all denied

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud

# Disable HTTP TRACE method.
TraceEnable off
# Disable HTTP TRACK method.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [R=405,L]

# Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
RequestReadTimeout body=0

### LOCATION OF CERT FILES ###
# SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/mydomain.com/dhparam.pem

### EXTRAS ###
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SetEnv proxy-sendcl 1
```

Build Version

29.0.1

Environment

By using the scripts

Environment Details

Ubuntu 22.04.4 with ZFS on Proxmox.

php -v

```
PHP 8.1.2-1ubuntu2.17 (cli) (built: May  1 2024 10:10:07) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2-1ubuntu2.17, Copyright (c), by Zend Technologies
```

apache -v

```
Server version: Apache/2.4.52 (Ubuntu)
Server built:   2024-04-10T17:45:18
```

enoch85 commented 6 months ago

Hi, there have been some issues in NC 29 regarding www-data permissions and that the data folder location isn't recognized. Check here for example.

We didn't change anything, so this is basically a Nextcloud Server bug - at least I think so based on the issue above.

@szaimen Any input here maybe?

JSchimmelpfennig commented 6 months ago

Thanks for the quick answer. My data directory seems to have the correct permissions. Also, I can run occ commands by using sudo -u www-data php /var/www/nextcloud/occ.

```
root@nc:/mnt# ls -liha
total 25K
524289 drwxr-xr-x  5 root     root     4.0K May 24 20:16 .
     2 drwxr-xr-x 20 root     root     4.0K Jan  3 12:58 ..
524291 drwxr-xr-x  4 root     root     4.0K May 24 20:16 NCBACKUP
524293 drwxr-xr-x  8 root     root     4.0K May 24 20:16 NCBACKUP-OLD
    34 drwxrwx---  8 www-data www-data   11 Jan  6 10:40 ncdata
```

The thing is: everything works fine. I'm just concerned about the security warning. Nextcloud Scan (from https://scan.nextcloud.com/) says everything is fine.

What do you think?

enoch85 commented 6 months ago

Yeah and what about ls -la /mnt/ncdata?

JSchimmelpfennig commented 6 months ago

```
root@nc:/mnt/ncdata# ls -la /mnt/ncdata
total 37
drwxrwx---  8 www-data www-data   11 Jan  6 10:40 .
drwxr-xr-x  5 root     root     4096 May 24 20:16 ..
drwxr-xr-x 14 www-data www-data   14 Apr 30 19:35 appdata_ocfj09ydf7l8
drwxr-xr-x  2 www-data www-data    3 May 24 20:14 files_external
-rw-r--r--  1 www-data www-data  542 May 24 20:17 .htaccess
-rw-rw-r--  1 www-data www-data    0 May 24 20:17 index.html
drwxr-xr-x  7 www-data www-data    7 Jan  3 20:08 renamedforprivacy
drwxr-xr-x  5 www-data www-data    5 Jan  7 09:41 renamedforprivacy
drwxr-xr-x  5 www-data www-data    5 Jan  3 13:29 renamedforprivacy
-rw-rw-r--  1 www-data www-data    0 May 24 20:17 .ocdata
drwxr-xr-x  5 www-data www-data    5 Jan  6 10:57 renamedforprivacy
```

szaimen commented 6 months ago

Can you post a screenshot of what you see in the admin overview?

JSchimmelpfennig commented 6 months ago

image

enoch85 commented 6 months ago

The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

Let's break this down...

The .htaccess file is not working.

Can you post a cat /mnt/ncdata/.htaccess?

It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

It's already outside of document root (/var/www).

So I'd say a bug in Nextcloud, and a false positive.

JSchimmelpfennig commented 6 months ago

```
root@nc:/mnt/ncdata# cat /mnt/ncdata/.htaccess
# Generated by Nextcloud on 2024-05-24 20:17:04
# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>
```

enoch85 commented 6 months ago

LGTM. :)

szaimen commented 6 months ago

This is what the check does: https://github.com/nextcloud/server/blob/ae4a6e8d4454b7896d0e40f367096a26d999dbf0/apps/settings/lib/SetupChecks/DataDirectoryProtected.php#L68

enoch85 commented 6 months ago

@JSchimmelpfennig Can you test: curl -fL https://your.example.com/mnt/ncdata/.ocdata?

enoch85 commented 6 months ago

That translates to this:

https://github.com/nextcloud/server/blob/ae4a6e8d4454b7896d0e40f367096a26d999dbf0/apps/settings/lib/SetupChecks/DataDirectoryProtected.php#L60

JSchimmelpfennig commented 6 months ago

```
curl -fL https://mydomain.com/mnt/ncdata/.ocdata
curl: (22) The requested URL returned error: 404
```

JSchimmelpfennig commented 6 months ago

Guys I have to say I'm amazed by the quality and speed in your responses 🥳

enoch85 commented 6 months ago

curl: (22) The requested URL returned error: 404

Yeah, so the NC check is wrong! I don't know how to debug this further, no PHP expert sorry. :/

Off-topic rant; same as with this, the check still says it's needed even though it's replaced with Imaginary for generation, and that was 6 years ago.... Just saying :)

enoch85 commented 6 months ago

JFTR, did the same check myself on a VM installed with the latest scripts like 1 week ago (just to confirm main is working):

```
daniel@xps9310:~$ curl -I https://my.next.cloud/mnt/ncdata/.ocdata
HTTP/2 404 
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-request-id: nCpB6sIuq3udotpHTKjZ
```

enoch85 commented 6 months ago

Well, here's the real issue I think: https://github.com/nextcloud/server/issues/45087

Let's continue there.

enoch85 commented 6 months ago

@JSchimmelpfennig If you change your rewrite command for port 80 to this instead, does it work?

RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [END,NE,R=permanent]

Or actually, just rerun the whole Let's Encrypt script for your already existing domain.

JSchimmelpfennig commented 4 months ago

Hi, sorry I must have overread the notification for your answer.

So I changed /etc/apache2/sites-available/mydomain.com.conf as follows:

/etc/apache2/sites-available/mydomain.com.conf

```
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [END,NE,R=permanent]
# RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
```

and the warning went away :-)

Current machine version:

```
Nextcloud Hub 8 (29.0.4)
Server version: Apache/2.4.52 (Ubuntu)
Server built:   2024-07-17T18:57:26
Linux mydomain.conf 5.15.0-116-generic #126-Ubuntu SMP Mon Jul 1 10:14:24 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
```

enoch85 commented 4 months ago

Sorry for the late answer, yes that's what we do in main: https://github.com/nextcloud/vm/blob/99ab136370f505f746cfc71575f9ff3025a555d4/lets-encrypt/activate-tls.sh#L140
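The thread ends with a working fix but never spells out why the old `RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]` could trip a data-directory check while a direct `curl` against HTTPS returned 404. The example below is added here and is not code from the Nextcloud server or from the nextcloud/vm project. It models a probe of the kind the DataDirectoryProtected setup check performs and feeds it through the two port-80 rewrite rules quoted in the thread. Everything about the check's internals is an assumption, labelled as such in the code: that the probe requests `<datadir>/.ocdata` below the instance's URL, follows redirects, and treats only a final HTTP 200 as "exposed". The HTTPS vhost is modelled on what this page shows (200 for `/`, 404 for `/mnt/ncdata/.ocdata`), and `mydomain.example` is a constructed host name. The `live_fetch` function is the same probe written against `urllib` so an administrator can run the check against their own instance and see the redirect chain rather than only the final status.

```python
"""
Added example (not Nextcloud server or nextcloud/vm code): model of a
data-directory exposure probe plus a simulation of the two Apache port-80
RewriteRules from the thread.  ASSUMPTIONS: the probe GETs <datadir>/.ocdata
under the instance URL, follows redirects, and treats only a final 200 as
"data directory exposed".  Host names and vhost behaviour are constructed.
"""
import re
from urllib.parse import urlsplit, urljoin

DATADIR = "/mnt/ncdata"   # outside DocumentRoot /var/www/nextcloud, as in the thread


def apache_http_redirect(rewrite_rule: str, url: str) -> str:
    """Model of the port-80 vhost: apply one 'RewriteRule ^(.*)$ <target> [flags]'
    to an http:// request URL.  The two targets from the thread differ only in
    whether $1 (the requested path) is carried over to the https:// location."""
    m = re.match(r"RewriteRule\s+\^\(\.\*\)\$\s+(\S+)\s+\[", rewrite_rule)
    if not m:
        raise ValueError("unsupported rule: " + rewrite_rule)
    parts = urlsplit(url)
    return m.group(1).replace("%{HTTP_HOST}", parts.netloc).replace("$1", parts.path)


def apache_https_vhost(url: str) -> int:
    """Constructed model of the port-443 vhost from the thread: '/' serves the
    Nextcloud front page (200); an absolute filesystem path such as
    /mnt/ncdata/... maps to nothing under DocumentRoot (404)."""
    path = urlsplit(url).path or "/"
    return 200 if path == "/" else 404


def simulated_fetch(rewrite_rule: str):
    """Build a fetch(url) that walks redirects through the modelled http->https
    vhost pair and returns (final_status, redirect_chain)."""
    def fetch(url: str, max_redirects: int = 5):
        chain = [url]
        for _ in range(max_redirects):
            if url.startswith("http://"):
                url = apache_http_redirect(rewrite_rule, url)
                chain.append(url)
                continue
            return apache_https_vhost(url), chain
        raise RuntimeError("too many redirects: " + " -> ".join(chain))
    return fetch


def live_fetch(url: str, max_redirects: int = 5):
    """Real probe for your own instance (not exercised offline): follows
    redirects by hand so the full chain can be inspected."""
    import urllib.request
    import urllib.error

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None   # surface 3xx as HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    chain = [url]
    for _ in range(max_redirects):
        try:
            with opener.open(url, timeout=10) as resp:
                return resp.status, chain
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)
                chain.append(url)
                continue
            return err.code, chain
    raise RuntimeError("too many redirects: " + " -> ".join(chain))


def data_directory_protected(fetch, base_url: str, datadir: str = DATADIR) -> dict:
    """Probe <base_url>/<datadir>/.ocdata.  403/404 means the web server does
    not serve the data directory; a 200 reached via a redirect to '/' is the
    false positive discussed in the thread, not a real exposure."""
    probe = base_url.rstrip("/") + "/" + datadir.strip("/") + "/.ocdata"
    status, chain = fetch(probe)
    return {"probe": probe, "final_status": status, "chain": chain,
            "exposed": status == 200}


if __name__ == "__main__":
    base = "http://mydomain.example"   # constructed; the thread's host is redacted
    rules = [
        ("original", "RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]"),
        ("suggested", "RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [END,NE,R=permanent]"),
    ]
    for label, rule in rules:
        r = data_directory_protected(simulated_fetch(rule), base)
        verdict = "flagged as exposed" if r["exposed"] else "protected"
        print(f"{label}: {' -> '.join(r['chain'])} => {r['final_status']} ({verdict})")
```

Under the original rule the redirect target is `https://host` with the path dropped, so a probe that starts over plain HTTP lands on the front page and gets a 200; with `$1` appended the path survives the redirect and the probe ends at the 404 the thread's `curl` showed. To run the real check, call `data_directory_protected(live_fetch, "http://your.example.com")` and read the chain: the final status should be 403 or 404 and the redirect target should still contain `/mnt/ncdata/.ocdata`.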