Nextcloud Security & setup warnings error

[aka0kuro]

Hi, I just installed Nextcloud and I get the following errors as soon as I log in. I'm new and I don't know what they mean or how to fix them.
Thanks in advance

[Aaaamu]

Hi, since some updates (not clear since when) I also get
"Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root."
as ynh uses nginx which is not officially supported by nextcloud, it is quite demanding to find solid information on how to debug this very alarming problem. I must say, that i understand too little about nginx to understand what could cause it. Various threads say, that on apache servers, this error usually appears, if the server ignores .htaccess files or because the module "env" is not found. but on nginx it seems .htaccess files dont play a role at all and I am not sure how modules ar handled. can somebody help us out?

[Aaaamu]

addition regarding the .well-known error:
for me, it returns the same error as above, but on caldav (which is what i need it for):
Your web server is not properly set up to resolve .well-knownURLs, failed on:/.well-known/caldav For more details see the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-setup-well-known-URL).
on further exploration it seems nginx conf for nextcloud should be correct. it contains the following block for well known entries, which seems to be in accordance to the nextcloud help page https://docs.nextcloud.com/server/29/admin_manual/installation/nginx.html:

`
location ^~ /.well-known {
# The following 6 rules are borrowed from '.htaccess'

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
#rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;

location = /.well-known/carddav { return 301 /cloud/remote.php/dav/; }
location = /.well-known/caldav { return 301 /cloud/remote.php/dav/; }

location = /.well-known/webfinger { return 301 /cloud/index.php$request_uri; }
location = /.well-known/nodeinfo { return 301 /cloud/index.php$request_uri; }

# Let Nextcloud's API for /.well-known URIs handle all other
# requests by passing them to the front-end controller.
return 301 /cloud/index.php$request_uri;
}
`
the error is confirmed by testing the well-known-url manually

[Bugsbane]

@Aaaamu @aka0kuro I'm sorry I don't remember more details off hand, but when I looked into the error about the data directory being publicly accessible, my memory was that it was actually a bug in Nextcloud causing a false positive. In other words, people whose data directory was not publicly accessible were being told by Nextcloud that it was. I think, iirc, that this was on the Yunohost forums, although it could also have been the Nextcloud GH issues.

I just remember that I researched it for myself and ended up deciding with the info I came across, that for me at least, this wasn't actually a real issue and that the warning should be fixed by a future point release of Nextcloud.

[Aaaamu]

Yes I think nextcloud checks just the .htaccess files, but those are irrelevant for nginx servers. Thanks for engaging. Am 6. Oktober 2024 05:46:43 MESZ schrieb Bugsbane ***@***.***>:

@Aaaamu @aka0kuro I'm sorry I don't remember more details off hand, but when I looked into the error about the data directory being publicly accessible, my memory was that it was actually a bug in Nextcloud causing a false positive. In other words, people whose data directory was *not* publicly accessible were being told by Nextcloud that it was. I think, iirc, that this was on the Yunohost forums, although it could also have been the Nextcloud GH issues. I just remember that I researched it for myself and ended up deciding with the info I came across, that for me at least, this wasn't actually a real issue and that the warning should be fixed by a future point release of Nextcloud. -- Reply to this email directly or view it on GitHub: #725 (comment) You are receiving this because you were mentioned. Message ID: ***@***.***>

-- Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.

[rodinux]

Also I found all these errors are resolved if the nextcloud instance is on a dedicated domain nextcloud.domain.tld and not on sub-path like domain.tld/nextcloud.

[Bugsbane]

I had this error on my Nextcloud, which is on a root domain (ie domain.tld). Maybe subdomains are different?

[rodinux]

did you try this ?
#696 (comment)