Nextcloud: data directory accessible from the internet

Prevent your Nextcloud data directory from being accessible from the internet.


By. Jacob

Edited: 2023-09-10 22:56

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

The safest and easiest solution is to move the data directory outside of the Nextcloud root folder. E.g. Move it to /srv/nextdata, because then you are sure that something will not accidentally make the folder publicly available.

1. Before moving, I would simply stop Apache to avoid weird errors from happening:

systemctl stop apache2

2. Then, obviously move the data:

mv /var/www/nextcloud/data /srv/

3. Make cure to update your config/config.php file with the new path:

$CONFIG = array(
  // ...
  'datadirectory' => '/srv/nextdata',
  // ...

4. Finally, remember to start Apache again:

systemctl start apache2

Perhaps even more intriguing; you will practically also have prepared your Nextcloud server for a migration to s3fs. The idea is to allow fast serving of frontend / design related resources, to have a fast and snappy Nextcloud frontend, while keeping the user-data itself stored in a cheap storage, such as a AWS s3 bucket. Users probably host local copies of their data anyway, so fast access is much less crucial for this type of data.

Your data directory and files are probably accessible...

This is a warning telling you that your data directory may be accessible from the internet because of a possible misconfigured Nextcloud environment. But, any server admin worth their weight in gold also know not to use .htaccess as it adds unnecessary overhead — if you have access to your Apache host configuration, then change the settings from the .conf files instead.

Not that we should be hysterical about it. If you are not experiencing any performance issues, then it's probably premature and insignificant to avoid .htaccess entirely. Nevertheless, it may still be a good idea to move the Nextcloud data directory for other reasons.

Route everything through PHP

Another interesting option, from a developers point of view, is to route everything through index.php and handle all routing from PHP, but that is a design decision that is better left with Nextcloud developers to make, and it is probably not going to happen, because it comes with additional overhead when you have to query PHP for each request.

However, PHP tends to be far less ambiguous and adaptable; it is simply so extremely convenient not having to mess too much with server configuration files, that it could be offered as an alternative option in the future. Nextcloud is open source after all :-)

Tell us what you think:

  1. How to toggle maintenance mode on or off for your Nextcloud server
  2. How to change the domain name for your Nextcloud server.
  3. How to solve a problem that causes Nextcloud to report inaccurate amount of free space.
  4. How to setup a redirect for webfinger and nodeinfo in your server configuration to make Nextcloud stop complaining about it.

More in: Nextcloud