Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade from Nextcloud 28.0.6 to 29.0.1 results in security warning #2640

Closed
JSchimmelpfennig opened this issue May 24, 2024 · 20 comments
Closed

Comments

@JSchimmelpfennig
Copy link

JSchimmelpfennig commented May 24, 2024

Steps To Reproduce

Hello guys :)
thank you for the awesome VM.
After upgrading from Nextcloud 28.0.6 to 29.0.1 I see the following security warning in the admin web interface:

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

Expected Result

No security warning because I didn't change anything manually and the warning was not there in 28.0.6.

If you need any more information, I'll provide it. Thank you in advance :)

Actual Result

I get a security warning. I checked some other threads about this error, but I think my configs are fine:

/var/www/nextcloud/config/config.php
<?php
$CONFIG = array (
  'passwordsalt' => 'removed',
  'secret' => 'removed',
  'trusted_domains' =>
  array (
    0 => '192.168.178.12',
    1 => 'mydomain.com',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '29.0.1.1',
  'overwrite.cli.url' => 'https://mydomain.com',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud_db_user',
  'dbpassword' => 'removed',
  'installed' => true,
  'instanceid' => 'ocfj09ydf7l8',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => '0',
    'dbindex' => '0',
    'timeout' => '0.5',
    'password' => 'removed',
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'upgrade.disable-web' => true,
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'mail_smtpmode' => 'smtp',
  'remember_login_cookie_lifetime' => '2520168',
  'auto_logout' => false,
  'log_rotate_size' => '0',
  'trashbin_retention_obligation' => 'auto, 60',
  'versions_retention_obligation' => 'auto, 180',
  'activity_expire_days' => '120',
  'simpleSignUpLink.shown' => false,
  'default_phone_region' => 'de',
  'logtimezone' => 'Etc/UTC',
  'htaccess.RewriteBase' => '/',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_from_address' => 'mail',
  'mail_domain' => 'removed',
  'mail_smtphost' => 'removed',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'removed',
  'mail_smtppassword' => 'removed',
  'preview_concurrency_new' => '6',
  'preview_concurrency_all' => '12',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\Imaginary',
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\MarkDown',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\TXT',
    5 => 'OC\\Preview\\OpenDocument',
    6 => 'OC\\Preview\\Movie',
    7 => 'OC\\Preview\\Krita',
  ),
  'preview_imaginary_url' => 'http://127.0.0.1:9000',
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'preview_max_memory' => '256',
  'maintenance' => false,
);
/etc/apache2/sites-available/mydomain.com.conf
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
### YOUR SERVER ADDRESS ###

    ServerAdmin [email protected]
    ServerName mydomain.com

### SETTINGS ###
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php8.1-fpm.nextcloud.sock|fcgi://localhost"
    </FilesMatch>

    # Intermediate configuration
    Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"
    SSLEngine               on
    SSLCompression          off
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    ServerSignature         off

    # Logs
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Document root folder
    DocumentRoot /var/www/nextcloud

    # The Nextcloud folder
    <Directory /var/www/nextcloud>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    Satisfy Any
    # This is to include all the Nextcloud rules due to that we use PHP-FPM and .htaccess aren't read
    Include /var/www/nextcloud/.htaccess
    </Directory>

    # Deny access to your data directory
    <Directory /mnt/ncdata>
    Require all denied
    </Directory>

    # Deny access to the Nextcloud config folder
    <Directory /var/www/nextcloud/config/>
    Require all denied
    </Directory>

    <IfModule mod_dav.c>
    Dav off
    </IfModule>

    # The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients.
    <Files ".ht*">
    Require all denied
    </Files>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

    # Disable HTTP TRACE method.
    TraceEnable off
    # Disable HTTP TRACK method.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [R=405,L]

    # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
    <IfModule mod_reqtimeout.c>
    RequestReadTimeout body=0
    </IfModule>

### LOCATION OF CERT FILES ###

    # SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/mydomain.com/dhparam.pem
</VirtualHost>

### EXTRAS ###
    SSLUseStapling On
    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
    SetEnv proxy-sendcl 1

Build Version

29.0.1

Environment

By using the scripts

Environment Details

Ubuntu 22.04.4 with ZFS on Proxmox.
php -v

PHP 8.1.2-1ubuntu2.17 (cli) (built: May  1 2024 10:10:07) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2-1ubuntu2.17, Copyright (c), by Zend Technologies

apache -v

Server version: Apache/2.4.52 (Ubuntu)
Server built:   2024-04-10T17:45:18
@enoch85
Copy link
Member

enoch85 commented May 24, 2024

Hi, there have been some issues in NC 29 regarding www-data permissions and that the data folder location isn't recognized. Check here for example.

We didn't change anything, so this is basically a Nextcloud Server bug - at least I think so based on the issue above.

@szaimen Any input here maybe?

@JSchimmelpfennig
Copy link
Author

JSchimmelpfennig commented May 24, 2024

Thanks for the quick answer.
My data directory seems to have to correct permissions. Also, I can run occ commands by using sudo -u www-data php /var/www/nextcloud/occ.

root@nc:/mnt# ls -liha
total 25K
524289 drwxr-xr-x  5 root     root     4.0K May 24 20:16 .
     2 drwxr-xr-x 20 root     root     4.0K Jan  3 12:58 ..
524291 drwxr-xr-x  4 root     root     4.0K May 24 20:16 NCBACKUP
524293 drwxr-xr-x  8 root     root     4.0K May 24 20:16 NCBACKUP-OLD
    34 drwxrwx---  8 www-data www-data   11 Jan  6 10:40 ncdata

The thing is: everything works fine. I'm just concerned about the security warning. Nextcloud Scan (from https://scan.nextcloud.com/) says everything is fine.

What do you think?

@enoch85
Copy link
Member

enoch85 commented May 24, 2024

Yeah and what about ls -la /mnt/ncdata?

@JSchimmelpfennig
Copy link
Author

JSchimmelpfennig commented May 24, 2024

root@nc:/mnt/ncdata# ls -la /mnt/ncdata
total 37
drwxrwx---  8 www-data www-data   11 Jan  6 10:40 .
drwxr-xr-x  5 root     root     4096 May 24 20:16 ..
drwxr-xr-x 14 www-data www-data   14 Apr 30 19:35 appdata_ocfj09ydf7l8
drwxr-xr-x  2 www-data www-data    3 May 24 20:14 files_external
-rw-r--r--  1 www-data www-data  542 May 24 20:17 .htaccess
-rw-rw-r--  1 www-data www-data    0 May 24 20:17 index.html
drwxr-xr-x  7 www-data www-data    7 Jan  3 20:08 renamedforprivacy
drwxr-xr-x  5 www-data www-data    5 Jan  7 09:41 renamedforprivacy
drwxr-xr-x  5 www-data www-data    5 Jan  3 13:29 renamedforprivacy
-rw-rw-r--  1 www-data www-data    0 May 24 20:17 .ocdata
drwxr-xr-x  5 www-data www-data    5 Jan  6 10:57 renamedforprivacy

@szaimen
Copy link
Collaborator

szaimen commented May 24, 2024

Can you post a screenshot of what you see in the admin overview?

@JSchimmelpfennig
Copy link
Author

image

@enoch85
Copy link
Member

enoch85 commented May 24, 2024

The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

Let's break this down...

The .htaccess file is not working.

Can you post a cat /mnt/ncdata/.htaccess?

It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

It's already outside of document root (/var/www).

So I'd say a bug in Nextcloud, and a false positive.

@JSchimmelpfennig
Copy link
Author

root@nc:/mnt/ncdata# cat /mnt/ncdata/.htaccess
# Generated by Nextcloud on 2024-05-24 20:17:04
# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

@enoch85
Copy link
Member

enoch85 commented May 24, 2024

LGTM. :)

@szaimen
Copy link
Collaborator

szaimen commented May 24, 2024

This is what the check does: https://github.com/nextcloud/server/blob/ae4a6e8d4454b7896d0e40f367096a26d999dbf0/apps/settings/lib/SetupChecks/DataDirectoryProtected.php#L68

@enoch85
Copy link
Member

enoch85 commented May 24, 2024

@JSchimmelpfennig Can you test: curl -fL https://your.example.com/mnt/ncdata/.ocdata?

@JSchimmelpfennig
Copy link
Author

curl -fL https://mydomain.com/mnt/ncdata/.ocdata
curl: (22) The requested URL returned error: 404

@JSchimmelpfennig
Copy link
Author

Guys I have to say I'm amazed by the quality and speed in your responses 🥳

@enoch85
Copy link
Member

enoch85 commented May 24, 2024

curl: (22) The requested URL returned error: 404

Yeah, so the NC check is wrong! I don't know how to debug this furher, no PHP expert sorry. :/

Off-topic rant; same as with this, the check still says it's needed even though it's replaced with Imaginary for generation, and that was 6 years ago.... Just saying :)

@enoch85
Copy link
Member

enoch85 commented May 24, 2024

JFTR, did the same check myself on a VM installed with the latest scripts like 1 week ago (just to confirm main is working):

daniel@xps9310:~$ curl -I https://my.next.cloud/mnt/ncdata/.ocdata
HTTP/2 404 
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-request-id: nCpB6sIuq3udotpHTKjZ

@enoch85
Copy link
Member

enoch85 commented May 24, 2024

Well, here's the real issue I think: nextcloud/server#45087

Let's continue there.

@enoch85 enoch85 closed this as completed May 24, 2024
@enoch85 enoch85 pinned this issue May 24, 2024
@enoch85
Copy link
Member

enoch85 commented May 25, 2024

@JSchimmelpfennig If you change your rewrite command for port 80 to this instead, does it work?

RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [END,NE,R=permanent]

Or actually, just rerun the whole Let's Encrypt script for your already existing domain.

@JSchimmelpfennig
Copy link
Author

JSchimmelpfennig commented Jul 23, 2024

Hi, sorry I must have overread the notification for your answer.

So I changed /etc/apache2/sites-available/mydomain.com.conf as follows:

/etc/apache2/sites-available/mydomain.com.conf
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [END,NE,R=permanent]
  # RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
</VirtualHost>

and the warning went away :-)

Current machine version:

Nextcloud Hub 8 (29.0.4)
Server version: Apache/2.4.52 (Ubuntu)
Server built: 2024-07-17T18:57:26
Linux mydomain.conf 5.15.0-116-generic #126-Ubuntu SMP Mon Jul 1 10:14:24 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

@enoch85
Copy link
Member

enoch85 commented Jul 24, 2024

Sorry for the late answer, yes that's what we do in main:

RewriteRule ^(.*)$ https://%{HTTP_HOST}\$1 [END,NE,R=permanent]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants