Upgrade from Nextcloud 28.0.6 to 29.0.1 results in security warning

[JSchimmelpfennig]

Steps To Reproduce

Hello guys :)
thank you for the awesome VM.
After upgrading from Nextcloud 28.0.6 to 29.0.1 I see the following security warning in the admin web interface:

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

Expected Result

No security warning because I didn't change anything manually and the warning was not there in 28.0.6.

If you need any more information, I'll provide it. Thank you in advance :)

Actual Result

I get a security warning. I checked some other threads about this error, but I think my configs are fine:

/var/www/nextcloud/config/config.php

<?php
$CONFIG = array (
  'passwordsalt' => 'removed',
  'secret' => 'removed',
  'trusted_domains' =>
  array (
    0 => '192.168.178.12',
    1 => 'mydomain.com',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '29.0.1.1',
  'overwrite.cli.url' => 'https://mydomain.com',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud_db_user',
  'dbpassword' => 'removed',
  'installed' => true,
  'instanceid' => 'ocfj09ydf7l8',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => '0',
    'dbindex' => '0',
    'timeout' => '0.5',
    'password' => 'removed',
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'upgrade.disable-web' => true,
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'mail_smtpmode' => 'smtp',
  'remember_login_cookie_lifetime' => '2520168',
  'auto_logout' => false,
  'log_rotate_size' => '0',
  'trashbin_retention_obligation' => 'auto, 60',
  'versions_retention_obligation' => 'auto, 180',
  'activity_expire_days' => '120',
  'simpleSignUpLink.shown' => false,
  'default_phone_region' => 'de',
  'logtimezone' => 'Etc/UTC',
  'htaccess.RewriteBase' => '/',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_from_address' => 'mail',
  'mail_domain' => 'removed',
  'mail_smtphost' => 'removed',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'removed',
  'mail_smtppassword' => 'removed',
  'preview_concurrency_new' => '6',
  'preview_concurrency_all' => '12',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\Imaginary',
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\MarkDown',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\TXT',
    5 => 'OC\\Preview\\OpenDocument',
    6 => 'OC\\Preview\\Movie',
    7 => 'OC\\Preview\\Krita',
  ),
  'preview_imaginary_url' => 'http://127.0.0.1:9000',
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'preview_max_memory' => '256',
  'maintenance' => false,
);

/etc/apache2/sites-available/mydomain.com.conf

<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
### YOUR SERVER ADDRESS ###

    ServerAdmin [email protected]
    ServerName mydomain.com

### SETTINGS ###
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php8.1-fpm.nextcloud.sock|fcgi://localhost"
    </FilesMatch>

    # Intermediate configuration
    Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"
    SSLEngine               on
    SSLCompression          off
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    ServerSignature         off

    # Logs
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Document root folder
    DocumentRoot /var/www/nextcloud

    # The Nextcloud folder
    <Directory /var/www/nextcloud>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    Satisfy Any
    # This is to include all the Nextcloud rules due to that we use PHP-FPM and .htaccess aren't read
    Include /var/www/nextcloud/.htaccess
    </Directory>

    # Deny access to your data directory
    <Directory /mnt/ncdata>
    Require all denied
    </Directory>

    # Deny access to the Nextcloud config folder
    <Directory /var/www/nextcloud/config/>
    Require all denied
    </Directory>

    <IfModule mod_dav.c>
    Dav off
    </IfModule>

    # The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients.
    <Files ".ht*">
    Require all denied
    </Files>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

    # Disable HTTP TRACE method.
    TraceEnable off
    # Disable HTTP TRACK method.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [R=405,L]

    # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
    <IfModule mod_reqtimeout.c>
    RequestReadTimeout body=0
    </IfModule>

### LOCATION OF CERT FILES ###

    # SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/mydomain.com/dhparam.pem
</VirtualHost>

### EXTRAS ###
    SSLUseStapling On
    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
    SetEnv proxy-sendcl 1

Build Version

29.0.1

Environment

By using the scripts

Environment Details

Ubuntu 22.04.4 with ZFS on Proxmox.
php -v

PHP 8.1.2-1ubuntu2.17 (cli) (built: May  1 2024 10:10:07) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2-1ubuntu2.17, Copyright (c), by Zend Technologies

apache -v

Server version: Apache/2.4.52 (Ubuntu)
Server built:   2024-04-10T17:45:18

[enoch85]

Hi, there have been some issues in NC 29 regarding www-data permissions and that the data folder location isn't recognized. Check here for example.

We didn't change anything, so this is basically a Nextcloud Server bug - at least I think so based on the issue above.

@szaimen Any input here maybe?

[JSchimmelpfennig]

Thanks for the quick answer.
My data directory seems to have to correct permissions. Also, I can run occ commands by using sudo -u www-data php /var/www/nextcloud/occ.

root@nc:/mnt# ls -liha
total 25K
524289 drwxr-xr-x  5 root     root     4.0K May 24 20:16 .
     2 drwxr-xr-x 20 root     root     4.0K Jan  3 12:58 ..
524291 drwxr-xr-x  4 root     root     4.0K May 24 20:16 NCBACKUP
524293 drwxr-xr-x  8 root     root     4.0K May 24 20:16 NCBACKUP-OLD
    34 drwxrwx---  8 www-data www-data   11 Jan  6 10:40 ncdata

The thing is: everything works fine. I'm just concerned about the security warning. Nextcloud Scan (from https://scan.nextcloud.com/) says everything is fine.

What do you think?

[enoch85]

Yeah and what about ls -la /mnt/ncdata?

[JSchimmelpfennig]

root@nc:/mnt/ncdata# ls -la /mnt/ncdata
total 37
drwxrwx---  8 www-data www-data   11 Jan  6 10:40 .
drwxr-xr-x  5 root     root     4096 May 24 20:16 ..
drwxr-xr-x 14 www-data www-data   14 Apr 30 19:35 appdata_ocfj09ydf7l8
drwxr-xr-x  2 www-data www-data    3 May 24 20:14 files_external
-rw-r--r--  1 www-data www-data  542 May 24 20:17 .htaccess
-rw-rw-r--  1 www-data www-data    0 May 24 20:17 index.html
drwxr-xr-x  7 www-data www-data    7 Jan  3 20:08 renamedforprivacy
drwxr-xr-x  5 www-data www-data    5 Jan  7 09:41 renamedforprivacy
drwxr-xr-x  5 www-data www-data    5 Jan  3 13:29 renamedforprivacy
-rw-rw-r--  1 www-data www-data    0 May 24 20:17 .ocdata
drwxr-xr-x  5 www-data www-data    5 Jan  6 10:57 renamedforprivacy

[szaimen]

Can you post a screenshot of what you see in the admin overview?

[JSchimmelpfennig]

[enoch85]

The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

Let's break this down...

The .htaccess file is not working.

Can you post a cat /mnt/ncdata/.htaccess?

It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

It's already outside of document root (/var/www).

So I'd say a bug in Nextcloud, and a false positive.

[JSchimmelpfennig]

root@nc:/mnt/ncdata# cat /mnt/ncdata/.htaccess
# Generated by Nextcloud on 2024-05-24 20:17:04
# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

[enoch85]

LGTM. :)

[szaimen]

This is what the check does: https://github.com/nextcloud/server/blob/ae4a6e8d4454b7896d0e40f367096a26d999dbf0/apps/settings/lib/SetupChecks/DataDirectoryProtected.php#L68

[enoch85]

@JSchimmelpfennig Can you test: curl -fL https://your.example.com/mnt/ncdata/.ocdata?

[enoch85]

That translates to this:

https://github.com/nextcloud/server/blob/ae4a6e8d4454b7896d0e40f367096a26d999dbf0/apps/settings/lib/SetupChecks/DataDirectoryProtected.php#L60

[JSchimmelpfennig]

curl -fL https://mydomain.com/mnt/ncdata/.ocdata
curl: (22) The requested URL returned error: 404

[JSchimmelpfennig]

Guys I have to say I'm amazed by the quality and speed in your responses 🥳

[enoch85]

curl: (22) The requested URL returned error: 404

Yeah, so the NC check is wrong! I don't know how to debug this furher, no PHP expert sorry. :/

Off-topic rant; same as with this, the check still says it's needed even though it's replaced with Imaginary for generation, and that was 6 years ago.... Just saying :)

[enoch85]

JFTR, did the same check myself on a VM installed with the latest scripts like 1 week ago (just to confirm main is working):

daniel@xps9310:~$ curl -I https://my.next.cloud/mnt/ncdata/.ocdata
HTTP/2 404 
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-request-id: nCpB6sIuq3udotpHTKjZ

[enoch85]

Well, here's the real issue I think: nextcloud/server#45087

Let's continue there.

[enoch85]

@JSchimmelpfennig If you change your rewrite command for port 80 to this instead, does it work?

RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [END,NE,R=permanent]

Or actually, just rerun the whole Let's Encrypt script for your already existing domain.

[JSchimmelpfennig]

Hi, sorry I must have overread the notification for your answer.

So I changed /etc/apache2/sites-available/mydomain.com.conf as follows:

/etc/apache2/sites-available/mydomain.com.conf

<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [END,NE,R=permanent]
  # RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
</VirtualHost>

and the warning went away :-)

Current machine version:

Nextcloud Hub 8 (29.0.4)
Server version: Apache/2.4.52 (Ubuntu)
Server built: 2024-07-17T18:57:26
Linux mydomain.conf 5.15.0-116-generic #126-Ubuntu SMP Mon Jul 1 10:14:24 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

[enoch85]

Sorry for the late answer, yes that's what we do in main:

vm/lets-encrypt/activate-tls.sh

Line 140 in 99ab136

RewriteRule ^(.*)$ https://%{HTTP_HOST}\$1 [END,NE,R=permanent]