1

I have a problem with nginx and owncloud. When i access the owncloud's login page i get this error:

Your data directory and your files are probably accessible from the internet. The .htaccess file that ownCloud provides is not working. We strongly suggest that you configure your webserver in a way that the data directory is no longer accessible or you move the data directory outside the webserver document root.

Here is my vhost file:

server {

    listen 80;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }


    location /phpmyadmin {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    location /owncloud {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /cloud {
        rewrite ^/* /phpmyadmin last;
    }

    location /roundcube {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }


    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

}



server {

    listen 443 ssl;
    ssl_certificate      /etc/ssl/localcerts/certificate.crt;
    ssl_certificate_key  /etc/ssl/localcerts/privateKey.key;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }


    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }


    location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;
        location ~ ^/owncloud/(.+\.php)$ {
            try_files $uri =404;
            root /var/www/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }


    location /roundcube {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/roundcube/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/squirrelmail/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }


    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

}

Specifically here is the location /owncloud:

location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;
        location ~ ^/owncloud/(.+\.php)$ {
            try_files $uri =404;
            root /var/www/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }

I tried to fix it based on the documentation http://doc.owncloud.org/server/5.0/admin_manual/installation/installation_others.html#nginx-configuration but i can't.

I also changed permissions just in case that was causing the error but it did't fix it:

chown -R www-data:www-data /var/www/owncloud

phpmyadmin, roundcube and squirrelmail work just fine so i used their configuration only changing the root path of owncloud which is /var/www/owncloud.

Here is the contents of the owncloud/

root@vps1:/var/www# ls -l owncloud/
total 156
drwxr-xr-x 26 www-data www-data  4096 Σεπ   6 18:38 3rdparty
drwxrwxrwx 32 www-data www-data  4096 Σεπ   6 18:38 apps
-rw-r--r--  1 www-data www-data   585 Σεπ   6 18:38 AUTHORS
drwxrwxrwx  2 www-data www-data  4096 Σεπ  27 18:54 config
-rw-r--r--  1 www-data www-data   832 Σεπ   6 18:38 console.php
-rw-r--r--  1 www-data www-data 34520 Σεπ   6 18:38 COPYING-AGPL
-rw-r--r--  1 www-data www-data   567 Σεπ   6 18:38 COPYING-README
drwxr-xr-x 10 www-data www-data  4096 Σεπ   6 18:38 core
-rw-r--r--  1 www-data www-data  3156 Σεπ   6 18:38 cron.php
drwxrwx---  2 www-data www-data  4096 Σεπ  27 18:54 data
-rw-r--r--  1 www-data www-data 17669 Σεπ   6 18:38 db_structure.xml
drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 files
-rw-r--r--  1 www-data www-data   179 Σεπ   6 18:38 index.html
-rw-r--r--  1 www-data www-data   853 Σεπ   6 18:38 index.php
drwxr-xr-x 81 www-data www-data  4096 Σεπ   6 18:38 l10n
drwxr-xr-x 20 www-data www-data  4096 Σεπ   6 18:38 lib
-rw-r--r--  1 www-data www-data   279 Σεπ   6 18:38 occ
drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 ocs
-rw-r--r--  1 www-data www-data   443 Σεπ   6 18:38 public.php
-rw-r--r--  1 www-data www-data   753 Σεπ   6 18:38 README
-rw-r--r--  1 www-data www-data   960 Σεπ   6 18:38 remote.php
-rw-r--r--  1 www-data www-data    26 Σεπ   6 18:38 robots.txt
drwxr-xr-x  6 www-data www-data  4096 Σεπ   6 18:38 search
drwxr-xr-x  8 www-data www-data  4096 Σεπ   6 18:38 settings
-rw-r--r--  1 www-data www-data  1216 Σεπ   6 18:38 status.php
drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 themes
-rw-r--r--  1 www-data www-data  2460 Σεπ   6 18:38 upgrade.php

I noticed that the tar file doesn't include tha /data folder and is created the first time you access the owncloud's web interface. Also these files are created:

root@vps1:/var/www# ls -la owncloud/data/
total 12
drwxrwx---  2 www-data www-data 4096 Σεπ  27 18:54 .
drwxr-xr-x 14 www-data www-data 4096 Σεπ  27 18:54 ..
-rw-r--r--  1 www-data www-data   27 Σεπ  27 18:54 .htaccess
-rw-r--r--  1 www-data www-data    0 Σεπ  27 18:54 index.html

So i am not sure in which .htaccess file the warning is referring to. /var/www/owncloud/.htaccess or /var/www/owncloud/data/.htaccess or how to fix it.

Edit: i tried adding this and it still doesn't work.

location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
              deny all;
      }
Christos Baziotis
  • 313

2 Answers2

4

My fellow Greek guy:

The problem seems to be that the directory where the data UPLOADED to Owncloud (the data you want accessible like a "cloud") is a subdirectory of the document root of your server, where ONLY directories and files for the functionality of Owncloud ITSELF should be. This is the /var/www directory that you mention. User data has no place inside /var/www, otherwise it is accessible from the Internet with a simple "list" of the served files .

Normally, during the initial setup wizard, run from the browser, you have the option to set the path to the data directory. Even if you miss it, you can always change afterwards, by setting the "datadirectory" directive in the config.php file of the Owncloud installation. Like this:

<?php
$CONFIG = array (
  'datadirectory' => '/media/usbdisk/ocdata/',
  'dbtype' => ...

You can find more on the topic inside this forum post.

As a note of caution, it is always important to have the LEAST possible amount of data available through the wire. You can look here for some very good points about document root permissions.

Community
  • 1
dlyk1988
  • 1,684
  • btw, nginx cannot understand .htaccess as apacheee does – that guy from over there Sep 28 '13 at 07:53
  • Thanks for the reply but it's not it. I removed all the vhosts and kept only one with the configuration from the nginx documentation and i don't get any warning (with data dir -> /var/www/owncloud/data).

    So it must be something wrong in my vhost configuration. I think there must be some misconfiguration concerning .htaccess.

     – Christos Baziotis Sep 28 '13 at 10:37
1

I figured it out. I had made a mistake in the vhost file. i had set the 

root /var/www/;

and then i had written this:

location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
              deny all;
}

instead of this:

location ~ ^/owncloud/(data|config|\.ht|db_structure\.xml|README) {
              deny all;
}

Here is my final catch-all vhost file after the correction above and some clean up.

server {

    listen 80;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }


    location /phpmyadmin {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    location /owncloud {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /cloud {
        rewrite ^/* /phpmyadmin last;
    }

    location /roundcube {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }

}



server {

    listen 443 ssl;
    ssl_certificate      /etc/ssl/localcerts/certificate.crt;
    ssl_certificate_key  /etc/ssl/localcerts/privateKey.key;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ /\.ht {
      deny  all;
    }



    ######  phpMyAdmin  ############################################################
    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    ######  RoundCube   ############################################################
    location /roundcube {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/roundcube/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }

        location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    ######  SquirrelMail    ############################################################
    location /squirrelmail {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/squirrelmail/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }
        location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }

    ######  ownCloud    ############################################################
    location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;

        error_page 403 = owncloud/core/templates/403.php;
        error_page 404 = owncloud/core/templates/404.php;

        rewrite ^/owncloud/caldav(.*)$ /remote.php/caldav$1 redirect;
        rewrite ^/owncloud/carddav(.*)$ /remote.php/carddav$1 redirect;
        rewrite ^/owncloud/webdav(.*)$ /remote.php/webdav$1 redirect;

        location = /owncloud/robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location /owncloud/ {
                # The following 2 rules are only needed with webfinger
                rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
                rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

                rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
                rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

                rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

                try_files $uri $uri/ index.php;
        }

        location ~ ^/owncloud/(data|config|\.ht|db_structure\.xml|README) {
                    deny all;
            }

        location ~ ^/owncloud/(.+\.php)$ {
            root /var/www/;
            include fastcgi-gen.conf;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }

}

and this is fastcgi-gen.conf 

try_files $uri =404;

fastcgi_pass  unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param PATH_INFO         $fastcgi_script_name;
include fastcgi_params;
Christos Baziotis
  • 313