nginx and owncloud, .htaccess security warning

Solution 1

My fellow Greek guy:

The problem seems to be that the directory where the data UPLOADED to Owncloud (the data you want accessible like a "cloud") is stored is a subdirectory of the document root of your server, where ONLY directories and files for the functionality of Owncloud ITSELF should be. This is the /var/www directory that you mention. User data has no place inside /var/www, otherwise it is accessible from the Internet with a simple "list" of the served files.

Normally, during the initial setup wizard, run from the browser, you have the option to set the path to the data directory. Even if you miss it, you can always change it afterwards, by setting the "datadirectory" directive in the config.php file of the Owncloud installation. Like this:

<?php
$CONFIG = array (
  'datadirectory' => '/media/usbdisk/ocdata/',
  'dbtype' => ...

You can find more on the topic inside this forum post.

As a note of caution, it is always important to have the LEAST possible amount of data available through the wire. You can look here for some very good points about document root permissions.
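The check this answer is really asking for, as an added example (not ownCloud's or nginx's own code): read the "datadirectory" setting out of config.php and decide whether it resolves to somewhere under the web server's document root. The config.php text is constructed for the demonstration; the install directory and document root passed in are assumptions. realpath() is used so that ".." components and symlinks pointing back into the document root are caught too, and a missing "datadirectory" is treated the way ownCloud treats it, as <installation>/data.

```python
"""Check whether an ownCloud 'datadirectory' lies inside the web server's
document root.  Added example, not ownCloud's or nginx's own code; the
config.php text below is constructed for the demonstration."""
import os
import re

# Constructed sample config.php, in the form shown in the answer above.
SAMPLE_CONFIG_PHP = """<?php
$CONFIG = array (
  'datadirectory' => '/media/usbdisk/ocdata/',
  'dbtype' => 'mysql',
);
"""


def read_datadirectory(config_php_text):
    """Extract the 'datadirectory' value from config.php text.

    Returns None when the directive is absent; ownCloud then defaults to
    <installation>/data, which is inside the web root.
    """
    m = re.search(r"'datadirectory'\s*=>\s*'([^']*)'", config_php_text)
    return m.group(1) if m else None


def is_inside(path, root):
    """True if `path` resolves to `root` or to a descendant of it.

    realpath() collapses '..' and follows symlinks, so a data directory that
    is merely a symlink into the document root is still detected.  The
    commonpath() comparison also keeps /var/wwwdata from counting as being
    under /var/www.
    """
    p = os.path.realpath(path)
    r = os.path.realpath(root)
    return os.path.commonpath([p, r]) == r


def data_dir_exposed(config_php_text, install_dir, document_root):
    """Return (exposed, effective_data_dir) for the given configuration."""
    data_dir = read_datadirectory(config_php_text)
    if data_dir is None:
        data_dir = os.path.join(install_dir, "data")  # ownCloud's default
    return is_inside(data_dir, document_root), data_dir


if __name__ == "__main__":
    # Assumed layout from the question: install in /var/www/owncloud,
    # document root /var/www.
    exposed, where = data_dir_exposed(SAMPLE_CONFIG_PHP, "/var/www/owncloud", "/var/www")
    print("data directory:", where, "- inside document root:", exposed)
```

Run it against the real config.php by reading the file into data_dir_exposed(); an "exposed" result means the nginx deny rules are the only thing standing between the Internet and the uploaded files.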

Solution 2

I figured it out. I had made a mistake in the vhost file. I had set the

root /var/www/;

and then I had written this:

location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
    deny all;
}

instead of this:

location ~ ^/owncloud/(data|config|\.ht|db_structure\.xml|README) {
    deny all;
}

Here is my final catch-all vhost file after the correction above and some cleanup.

server {

    listen 80;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }


    location /phpmyadmin {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    location /owncloud {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /cloud {
        # /cloud is the short alias for the ownCloud install, so it goes to
        # /owncloud (which then redirects to https like the others above)
        rewrite ^/* /owncloud last;
    }

    location /roundcube {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }

}



server {

    listen 443 ssl;
    ssl_certificate      /etc/ssl/localcerts/certificate.crt;
    ssl_certificate_key  /etc/ssl/localcerts/privateKey.key;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ /\.ht {
      deny  all;
    }



    ######  phpMyAdmin  ############################################################
    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    ######  RoundCube   ############################################################
    location /roundcube {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/roundcube/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }

        location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    ######  SquirrelMail    ############################################################
    location /squirrelmail {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/squirrelmail/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }
        location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }

    ######  ownCloud    ############################################################
    # Webfinger and DAV discovery URIs live at the server root (/.well-known/...),
    # so they have to be handled here, outside "location /owncloud": a rewrite
    # placed inside that location only ever sees URIs that already start with
    # /owncloud/.  The targets point into /owncloud/, where the application lives.
    rewrite ^/\.well-known/host-meta\.json$ /owncloud/public.php?service=host-meta-json last;
    rewrite ^/\.well-known/host-meta$ /owncloud/public.php?service=host-meta last;
    rewrite ^/\.well-known/carddav /owncloud/remote.php/carddav/ redirect;
    rewrite ^/\.well-known/caldav /owncloud/remote.php/caldav/ redirect;

    location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;

        # error_page URIs must start with "/" (nginx otherwise treats the value
        # as an external redirect target) and must carry the /owncloud prefix.
        error_page 403 = /owncloud/core/templates/403.php;
        error_page 404 = /owncloud/core/templates/404.php;

        # remote.php sits under /owncloud/, not at the server root.
        rewrite ^/owncloud/caldav(.*)$ /owncloud/remote.php/caldav$1 redirect;
        rewrite ^/owncloud/carddav(.*)$ /owncloud/remote.php/carddav$1 redirect;
        rewrite ^/owncloud/webdav(.*)$ /owncloud/remote.php/webdav$1 redirect;

        location = /owncloud/robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location /owncloud/ {
            # Bundled documentation index; $1 already ends in "/".
            rewrite ^(/owncloud/core/doc/[^\/]+/)$ $1index.html;

            # The fallback must be an absolute URI, and the front controller
            # lives under /owncloud/.
            try_files $uri $uri/ /owncloud/index.php;
        }

        # Keep this BEFORE the *.php and static-file regex locations below:
        # nginx uses the first regex location that matches, in configuration
        # order, so this is what keeps data/, config/, .htaccess and the
        # other internal files unreachable from the web.
        location ~ ^/owncloud/(data|config|\.ht|db_structure\.xml|README) {
            deny all;
        }

        location ~ ^/owncloud/(.+\.php)$ {
            root /var/www/;
            include fastcgi-gen.conf;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }

}

and this is fastcgi-gen.conf:

try_files $uri =404;    # hand only scripts that exist on disk to PHP-FPM

fastcgi_pass  unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
# Set explicitly: not every distribution's fastcgi_params defines SCRIPT_FILENAME.
fastcgi_param SCRIPT_FILENAME $request_filename;
# $https is "on" in the ssl server block, so ownCloud generates https:// links.
fastcgi_param HTTPS $https;
fastcgi_param PATH_INFO         $fastcgi_script_name;
include fastcgi_params;
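Why the first "deny all" in this answer did nothing, as an added example that is not code from the answer or from nginx: a small model of how nginx chooses among regex locations, run over the two versions of the deny rule. The URIs are constructed. Only the part of nginx's algorithm that matters here is modelled (it is an assumption that nothing else in the vhost interferes): after the longest matching prefix location is chosen, the regex locations nested in it are tried in configuration order, then those of the enclosing server block, and the first one whose regex matches wins; if none matches, the prefix location's try_files serves the file.

```python
"""Model of nginx regex-location selection for the ownCloud block above.
Added example, not code from the answer or from nginx; URIs are constructed."""
import re

# Server-level regex location from the vhost ("location ~ /\.ht"), consulted
# after the regex locations nested in "location /owncloud".
SERVER_LEVEL = [(re.compile(r"/\.ht"), "deny")]

# The two regex locations that follow the deny rule inside the ownCloud block.
COMMON = [
    (re.compile(r"^/owncloud/(.+\.php)$"), "php"),
    # "location ~*" is case-insensitive, hence re.I.
    (re.compile(r"^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$", re.I), "static"),
]

# The only difference between the two variants is the deny pattern.
WRONG = [(re.compile(r"^/(data|config|\.ht|db_structure\.xml|README)"), "deny")] + COMMON + SERVER_LEVEL
FIXED = [(re.compile(r"^/owncloud/(data|config|\.ht|db_structure\.xml|README)"), "deny")] + COMMON + SERVER_LEVEL


def handler_for(locations, uri):
    """Handler of the first regex location matching `uri`, or "prefix" when
    none matches (nginx then falls back to "location /owncloud/", whose
    try_files serves the file straight from disk)."""
    for regex, handler in locations:
        if regex.search(uri):
            return handler
    return "prefix"


# Paths under the install directory that must never be reachable from the
# web (constructed), plus one legitimate request that must keep working.
SENSITIVE = [
    "/owncloud/data/.htaccess",
    "/owncloud/data/admin/files/secret.txt",
    "/owncloud/config/config.php",
    "/owncloud/.htaccess",
    "/owncloud/db_structure.xml",
    "/owncloud/README",
]
LEGITIMATE = "/owncloud/index.php"


def exposed_uris(locations, uris=SENSITIVE):
    """Sensitive URIs that the given location order would NOT deny."""
    return [u for u in uris if handler_for(locations, u) != "deny"]


if __name__ == "__main__":
    for name, locs in (("wrong", WRONG), ("fixed", FIXED)):
        print(f"{name}: exposes {exposed_uris(locs)}; "
              f"{LEGITIMATE} -> {handler_for(locs, LEGITIMATE)}")
```

With the wrong pattern the "/.ht" server-level rule still catches the .htaccess files, which is why the installation looked half-protected, but uploaded files, config.php (handed to PHP rather than denied) and db_structure.xml (served as a static file) are reachable; with the corrected pattern every sensitive URI is denied while index.php still reaches PHP.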
Author: Christos Baziotis

Updated on September 18, 2022

Comments

  • Christos Baziotis
    Christos Baziotis over 1 year

    I have a problem with nginx and owncloud. When I access the owncloud login page I get this error:

    Your data directory and your files are probably accessible from the internet. The .htaccess file that ownCloud provides is not working. We strongly suggest that you configure your webserver in a way that the data directory is no longer accessible or you move the data directory outside the webserver document root.

    Here is my vhost file:

    server {
    
        listen 80;
    
        server_name default_server;
    
        root /usr/share/nginx/www;
        index index.html index.htm;
    
        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ /index.html;
            # Uncomment to enable naxsi on this location
            # include /etc/nginx/naxsi.rules
        }
    
    
        location /phpmyadmin {
            rewrite     ^   https://$http_host$request_uri? permanent;
        }
        location /phpMyAdmin {
            rewrite ^/* /phpmyadmin last;
        }
    
        location /owncloud {
            rewrite     ^   https://$http_host$request_uri? permanent;
        }
        location /cloud {
            rewrite ^/* /phpmyadmin last;
        }
    
        location /roundcube {
            rewrite     ^   https://$http_host$request_uri? permanent;
        }
        location /RoundCube {
            rewrite ^/* /roundcube last;
        }
    
        location /squirrelmail {
            rewrite     ^   https://$http_host$request_uri? permanent;
        }
        location /SquirrelMail {
            rewrite ^/* /squirrelmail last;
        }
    
    
        error_page 404 /404.html;
    
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/www;
        }
    
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
    
    }
    
    
    
    server {
    
        listen 443 ssl;
        ssl_certificate      /etc/ssl/localcerts/certificate.crt;
        ssl_certificate_key  /etc/ssl/localcerts/privateKey.key;
    
        server_name default_server;
    
        root /usr/share/nginx/www;
        index index.html index.htm;
    
        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ /index.html;
            # Uncomment to enable naxsi on this location
            # include /etc/nginx/naxsi.rules
        }
    
    
        location /phpmyadmin {
            root /usr/share/;
            index index.php index.html index.htm;
            location ~ ^/phpmyadmin/(.+\.php)$ {
                try_files $uri =404;
                root /usr/share/;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_param HTTPS $https;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include /etc/nginx/fastcgi_params;
                fastcgi_param PATH_INFO $fastcgi_script_name;
                fastcgi_buffer_size 128k;
                fastcgi_buffers 256 4k;
                fastcgi_busy_buffers_size 256k;
                fastcgi_temp_file_write_size 256k;
                fastcgi_intercept_errors on;
            }
            location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                root /usr/share/;
            }
        }
        location /phpMyAdmin {
            rewrite ^/* /phpmyadmin last;
        }
    
    
        location /owncloud {
            root /var/www/;
            index index.php index.html index.htm;
            location ~ ^/owncloud/(.+\.php)$ {
                try_files $uri =404;
                root /var/www/;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_param HTTPS $https;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include /etc/nginx/fastcgi_params;
                fastcgi_param PATH_INFO $fastcgi_script_name;
                fastcgi_buffer_size 128k;
                fastcgi_buffers 256 4k;
                fastcgi_busy_buffers_size 256k;
                fastcgi_temp_file_write_size 256k;
                fastcgi_intercept_errors on;
            }
            location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                root /var/www/;
            }
        }
        location /ownCloud {
            rewrite ^/* /owncloud last;
        }
    
    
        location /roundcube {
            root /usr/share/;
            index index.php index.html index.htm;
            location ~ ^/roundcube/(.+\.php)$ {
                try_files $uri =404;
                root /usr/share/;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_param HTTPS $https;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include /etc/nginx/fastcgi_params;
                fastcgi_param PATH_INFO $fastcgi_script_name;
                fastcgi_buffer_size 128k;
                fastcgi_buffers 256 4k;
                fastcgi_busy_buffers_size 256k;
                fastcgi_temp_file_write_size 256k;
                fastcgi_intercept_errors on;
            }
            location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                root /usr/share/;
            }
        }
        location /RoundCube {
            rewrite ^/* /roundcube last;
        }
    
        location /squirrelmail {
            root /usr/share/;
            index index.php index.html index.htm;
            location ~ ^/squirrelmail/(.+\.php)$ {
                try_files $uri =404;
                root /usr/share/;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_param HTTPS $https;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include /etc/nginx/fastcgi_params;
                fastcgi_param PATH_INFO $fastcgi_script_name;
                fastcgi_buffer_size 128k;
                fastcgi_buffers 256 4k;
                fastcgi_busy_buffers_size 256k;
                fastcgi_temp_file_write_size 256k;
                fastcgi_intercept_errors on;
            }
            location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                root /usr/share/;
            }
        }
        location /SquirrelMail {
            rewrite ^/* /squirrelmail last;
        }
    
    
        location /doc/ {
            alias /usr/share/doc/;
            autoindex on;
            allow 127.0.0.1;
            allow ::1;
            deny all;
        }
    
        error_page 404 /404.html;
    
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/www;
        }
    
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
    
    }
    

    Specifically here is the location /owncloud:

    location /owncloud {
            root /var/www/;
            index index.php index.html index.htm;
            location ~ ^/owncloud/(.+\.php)$ {
                try_files $uri =404;
                root /var/www/;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_param HTTPS $https;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include /etc/nginx/fastcgi_params;
                fastcgi_param PATH_INFO $fastcgi_script_name;
                fastcgi_buffer_size 128k;
                fastcgi_buffers 256 4k;
                fastcgi_busy_buffers_size 256k;
                fastcgi_temp_file_write_size 256k;
                fastcgi_intercept_errors on;
            }
            location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                root /var/www/;
            }
        }
        location /ownCloud {
            rewrite ^/* /owncloud last;
        }
    

    I tried to fix it based on the documentation http://doc.owncloud.org/server/5.0/admin_manual/installation/installation_others.html#nginx-configuration but I can't.

    I also changed permissions just in case that was causing the error, but it didn't fix it:

    chown -R www-data:www-data /var/www/owncloud
    

    phpmyadmin, roundcube and squirrelmail work just fine, so I used their configuration, only changing the root path of owncloud, which is /var/www/owncloud.

    Here are the contents of owncloud/:

    root@vps1:/var/www# ls -l owncloud/
    total 156
    drwxr-xr-x 26 www-data www-data  4096 Σεπ   6 18:38 3rdparty
    drwxrwxrwx 32 www-data www-data  4096 Σεπ   6 18:38 apps
    -rw-r--r--  1 www-data www-data   585 Σεπ   6 18:38 AUTHORS
    drwxrwxrwx  2 www-data www-data  4096 Σεπ  27 18:54 config
    -rw-r--r--  1 www-data www-data   832 Σεπ   6 18:38 console.php
    -rw-r--r--  1 www-data www-data 34520 Σεπ   6 18:38 COPYING-AGPL
    -rw-r--r--  1 www-data www-data   567 Σεπ   6 18:38 COPYING-README
    drwxr-xr-x 10 www-data www-data  4096 Σεπ   6 18:38 core
    -rw-r--r--  1 www-data www-data  3156 Σεπ   6 18:38 cron.php
    drwxrwx---  2 www-data www-data  4096 Σεπ  27 18:54 data
    -rw-r--r--  1 www-data www-data 17669 Σεπ   6 18:38 db_structure.xml
    drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 files
    -rw-r--r--  1 www-data www-data   179 Σεπ   6 18:38 index.html
    -rw-r--r--  1 www-data www-data   853 Σεπ   6 18:38 index.php
    drwxr-xr-x 81 www-data www-data  4096 Σεπ   6 18:38 l10n
    drwxr-xr-x 20 www-data www-data  4096 Σεπ   6 18:38 lib
    -rw-r--r--  1 www-data www-data   279 Σεπ   6 18:38 occ
    drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 ocs
    -rw-r--r--  1 www-data www-data   443 Σεπ   6 18:38 public.php
    -rw-r--r--  1 www-data www-data   753 Σεπ   6 18:38 README
    -rw-r--r--  1 www-data www-data   960 Σεπ   6 18:38 remote.php
    -rw-r--r--  1 www-data www-data    26 Σεπ   6 18:38 robots.txt
    drwxr-xr-x  6 www-data www-data  4096 Σεπ   6 18:38 search
    drwxr-xr-x  8 www-data www-data  4096 Σεπ   6 18:38 settings
    -rw-r--r--  1 www-data www-data  1216 Σεπ   6 18:38 status.php
    drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 themes
    -rw-r--r--  1 www-data www-data  2460 Σεπ   6 18:38 upgrade.php
    

    I noticed that the tar file doesn't include the /data folder; it is created the first time you access owncloud's web interface. These files are also created:

    root@vps1:/var/www# ls -la owncloud/data/
    total 12
    drwxrwx---  2 www-data www-data 4096 Σεπ  27 18:54 .
    drwxr-xr-x 14 www-data www-data 4096 Σεπ  27 18:54 ..
    -rw-r--r--  1 www-data www-data   27 Σεπ  27 18:54 .htaccess
    -rw-r--r--  1 www-data www-data    0 Σεπ  27 18:54 index.html
    

    So I am not sure which .htaccess file the warning is referring to, /var/www/owncloud/.htaccess or /var/www/owncloud/data/.htaccess, or how to fix it.

    Edit: I tried adding this and it still doesn't work.

    location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
        deny all;
    }
    
  • that guy from over there
    that guy from over there over 10 years
    btw, nginx cannot understand .htaccess as Apache does
  • Christos Baziotis
    Christos Baziotis over 10 years
    Thanks for the reply but it's not it. I removed all the vhosts and kept only one with the configuration from the nginx documentation and I don't get any warning (with data dir -> /var/www/owncloud/data). So it must be something wrong in my vhost configuration. I think there must be some misconfiguration concerning .htaccess.