After upgrade to Nextcloud 29.0.2 «data directory and files are probably accessible from the internet »

[ndx1905-github]

Describe the bug

after upgrading to Nextcloud 29.0.2 I get this message

Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

Context

• Hardware: VPS bought online /
• YunoHost version: 11.2.15 stable
• I have access to my server: *Through SSH | through the webadmin *
• Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: *no *

Steps to reproduce

Upgrade yunohost Nextcloud app from 28.x to 29.0.2
Upgrade works but when you click in Nextcloud in the admin settings you have a security warning

[TiberiusRegenschein]

I can confirm the behavior. I am not sure if #674 is related. When looking into the Nextcloud documentation it might be

[tuxmouraille]

Hello,

I have the same warning message.

[milouse]

Documented here upstream https://help.nextcloud.com/t/frequent-nextcloud-29-hub-8-update-issues/189897#htaccess-issue-2

Looking at those threads, I found a working solution by removing 'localhost' from the 'trusted_domains' in nextcloud config.

i.e. edit /var/www/nextcloud/config/config.php and change

$CONFIG = array(
  …
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'YOUR_ACTUAL_NEXTCLOUD_DOMAIN',
  ),
  …
);

to

$CONFIG = array(
  …
  'trusted_domains' => 
  array (
    0 => 'YOUR_ACTUAL_NEXTCLOUD_DOMAIN',
  ),
  …
);

Then restart fpm: sudo systemctl restart php8.2-fpm

That said, I’m not really sure of the implication of removing localhost from the trusted domain list :/

And finally upstream issue is nextcloud/server#45087 and from my understanding the issue comes from the fact the nextcloud internal test succeed because of the http -> https redirection when trying the 'localhost' domain. Not sure how to deal with that :/

[rodinux]

Hello... I am not sure is really the solution. I have got the same issue and first edit also this parameter, but I have got problems with caldav and cardard apps... I found the solution was to edit the nginx.conf with

location ^~ /.well-known {
  # The following 6 rules are borrowed from `.htaccess`

  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
  #rewrite ^/\.well-known/host-meta\.json  /public.php?service=host-meta-json  last;
  #rewrite ^/\.well-known/host-meta        /public.php?service=host-meta       last;

#  location = /.well-known/carddav     { return 301 /remote.php/dav/; }
#  location = /.well-known/caldav      { return 301 /remote.php/dav/; }
  
  location = /.well-known/webfinger     { return 301 /index.php$request_uri; }
  location = /.well-known/nodeinfo      { return 301 /index.php$request_uri; }

  # Let Nextcloud's API for `/.well-known` URIs handle all other
  # requests by passing them to the front-end controller.
  return 301 /index.php$request_uri;
}

location /.well-known/carddav {
    return 301 https://nextcloud.domaine.tld/remote.php/dav/;
}

location /.well-known/caldav {
    return 301 https://nextcloud.domaine.tld/remote.php/dav/;
}

nextcloud/server#45033 (comment)

Then I put back the localhost and the warning did not come back...

I can try with another server if I am right, I tell you after testing.

This issue is not related, but another one explain here: #701

[rodinux]

Well, in another server I have a bug with the .well-known, and specially the /.well-known/caldav, after reading doc, It not clear, it seems for nginx the good configuration is

 location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in the Nextcloud `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /nextcloud/remote.php/dav/; }

seems something strange with the api nextcloud and the calendar

[rodinux]

well I have got the same error after a while, and the workaround was to delete localhost, but I couldn't resolve the .well-know issue.

Ok, this issue is not related, but explain here with a solution: #701

[stepcellwolf]

Is there a plan of a new release?

[Luncheon3462]

I have Same error. I don’t understand cause or what to do. Is my data safe or at risk. Should I disconnect from internet until there is a fix

[rodinux]

@Luncheon3462 if you edit the file /var/www/config/config.php as said before the error will be resolved

removing 0 => 'localhost', and keep the line

 'trusted_domains' => 
  array (
    0 => 'YOUR_ACTUAL_NEXTCLOUD_DOMAIN',
  ),

For my errors with .well-know it is not related, but another issue

[rodinux]

Also this works on my side

  'trusted_domains' => 
  array (
    0 => 'YOUR_ACTUAL_NEXTCLOUD_DOMAIN',
    1 => 'localhost',
  ),

[kay0u]

I have Same error. I don’t understand cause or what to do. Is my data safe or at risk. Should I disconnect from internet until there is a fix

No, your datas should be safe. From what I understand, it's more of a false positive.

Related topic
https://help.nextcloud.com/t/frequent-nextcloud-29-hub-8-update-issues/189897
https://help.nextcloud.com/t/after-upgrade-from-28-to-29-i-have-data-directory-and-your-files-are-probably-accessible-from-the-internet/189882

I was able to fix this error message by removing the "localhost" entry from the trusted_domains array in the config file, but I don't know the implication (setting localhost at the second entry instead of the first one didn't fixed it for me)