[Bug]: Wrong Setup & Security Warning about non-functional .htaccess

[nagmat84]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Since v29, Nextcloud falsely reports a non-functional .htaccess in the "Setup & Security Warning" if the .htaccess is statically included in the Apache configuration.

For efficiency (and security) reasons the Apache manual recommends to not enable support for .htaccess. If required, those files can be included as part of the "static" configuration. In that case the file is only parsed once, but not anew for each HTTP request.

Hence my Apache configuration essentially looks as follows:

#
# Settings for the document root
#
# See: https://docs.nextcloud.com/server/20/admin_manual/installation/source_installation.html
<Directory /var/www/my-domain.tld/nextcloud/>
  Require all granted
  AllowOverride None
  Options FollowSymLinks MultiViews

  Include /var/www/my-domain.tld/nextcloud/.htaccess

  # Restrict index file to index.php otherwise the logs are cluttered
  # with many unnecessary attempts to find index.(html|htm|phtml|...) 
  # etc.
  DirectoryIndex index.php

  <IfModule mod_dav.c>
    Dav off
  </IfModule>
</Directory>

<Directory /var/www/my-domain.tld/nextcloud/config>
  Include /var/www/my-domain.tld/nextcloud/config/.htaccess
</Directory>

<Directory /var/www/my-domain.tld/nextcloud/data>
  Include /var/www/my-domain.tld/nextcloud/data/.htaccess
</Directory>

The relevant lines are:

• AllowOverride None which disables scanning for .htaccess for the NC root directory and all sub-directories
• Include /var/www/my-domain.tld/nextcloud/{config/,data/,}.htaccess which directly include the matching .htaccess` file as a static part of the configuration

With previous installation, NC was happy with that. Since, v29 I get the message

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

NC should not show this message, if the .htaccess file is actually part of the configuration.

Steps to reproduce

1. Create an Apache configuration which disables scanning for .htaccess files, but includes those files as part of the static web server configuration
2. Navigate to "Setup & Security Warning"
3. See wrong error about a non-working .htaccess file

Expected behavior

NC should not show an error.

Installation method

Community Manual installation with Archive

Nextcloud Server version

29

Operating system

None

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 28 to 29)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "dbtype": "pgsql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "default_language": "de",
        "default_locale": "de_DE",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "sendmail",
        "overwrite.cli.url": "https:\/\/cloud.mhnnet.de\/",
        "htaccess.RewriteBase": "\/",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "mhnnet.de",
            "www.mhnnet.de",
            "server.mhnnet.de",
            "cloud.mhnnet.de",
            "famna.de",
            "www.famna.de",
            "cloud.famna.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "version": "29.0.3.4",
        "dbtableprefix": "oc_",
        "dbport": "",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "default_phone_region": "DE",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "enabledPreviewProviders": [
            "OC\\Preview\\BMP",
            "OC\\Preview\\GIF",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\Krita",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\MSOffice2003",
            "OC\\Preview\\MSOffice2007",
            "OC\\Preview\\MSOfficeDoc",
            "OC\\Preview\\Movie",
            "OC\\Preview\\MP3",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\PDF",
            "OC\\Preview\\PNG",
            "OC\\Preview\\SVG",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\TXT",
            "OC\\Preview\\WebP",
            "OC\\Preview\\XBitmap"
        ],
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance_window_start": 1
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.10
  - cloud_federation_api: 1.12.0
  - contacts: 6.0.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_accesscontrol: 1.19.1
  - files_downloadlimit: 2.0.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - groupfolders: 17.0.1
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - mail: 3.7.2
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - password_policy: 1.19.0
  - previewgenerator: 5.5.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - support: 1.12.0
  - tasks: 0.16.0
  - text: 3.10.1
  - theming: 2.4.0
  - theming_customcss: 1.16.0
  - twofactor_backupcodes: 1.18.0
  - updatenotification: 1.19.1
  - user_ldap: 1.20.0
  - user_status: 1.9.0
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - circles: 29.0.0-dev (installed 26.0.0)
  - comments: 1.19.0 (installed 1.10.0)
  - contactsinteraction: 1.10.0 (installed 1.7.0)
  - encryption: 2.17.0
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0 (installed 2.0.1)
  - files_reminders: 1.2.0 (installed 1.0.0)
  - firstrunwizard: 2.18.0 (installed 2.15.0)
  - photos: 2.5.0 (installed 1.2.1)
  - privacy: 1.13.0 (installed 1.11.0)
  - survey_client: 1.17.0 (installed 1.15.0)
  - suspicious_login: 7.0.0
  - systemtags: 1.19.0 (installed 1.10.0)
  - twofactor_totp: 11.0.0-dev
  - weather_status: 1.9.0 (installed 1.0.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

[joshtrichards]

That check does not care about your use (or not) of an .htaccess file.

It does, however, run a check against each of your configured trusted_domains (and any overwrite.cli.url.

In prior Server versions these checks were client based, but now they're server based.

If one of the listed domains returns a 200 code, that error will appear.

Usually this is when people discover they have many unnecessary domains in their config and clean them out, which fixes things.

Code is here:

server/apps/settings/lib/SetupChecks/DataDirectoryProtected.php

Line 51 in 99feafa

return SetupResult::error($this->l10n->t('Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.'));

[nagmat84]

It does, however, run a check against each of your configured trusted_domains [...]
If one of the listed domains returns a 200 code, that error will appear. [...]
Usually this is when people discover they have many unnecessary domains in their config [...]

You were right. That was the culprit.

I am using virtual hosting with several sub-domains on a single Apache server with the same IP address. One sub-domain is cloud.my-domain.tld (for NC), photos.my-domain.tld (for Lychee) and www.my-domain.tld (which only serves an imprint and other required legal information).

I had the following entries for trusted_domains:

'trusted_domains' => array (
  0 => 'localhost',
  1 => '127.0.0.1',
  2 => '[::1]',
  3 => '<my-public-IPv4-address>',
  4 => '<my-public-IPv6-address>',
  5 => 'cloud.my-domain.tld',
),

localhost and 127.0.0.1 had been listed by default and I added [::1] as well as my public IP addresses. However, if a client connected to any of those, the Apache server redirect the request to the default sub-domain www.my-domain.tld which serves the imprint. I removed every entry but the last one. Now the error disappeared again.

Maybe there should be an explicit hint at NC Admin Manual: Configuration Parameters - Trusted Domains that for virtual hosting only the proper domain should be listed. In particular, with virtual hosting the default entries localhost and 127.0.0.1 must be removed.

[joshtrichards]

Closing, but created nextcloud/documentation#12003 to track possible documentation matter.