httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lentes, Bernd" <bernd.len...@helmholtz-muenchen.de>
Subject [users@httpd] Apache and nextcloud - insecure ?
Date Tue, 01 Sep 2020 11:05:55 GMT
Hi,

i'm planning to install Nextcloud on an Ubuntu 20.04 with Apache.
But the recommendations from Nextcloud to configure Apache don't appeal to me.

1. https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#installation-wizard
The recommendation is to change the owner of the DocumentRoot of the Nextcloud installation
to www-data, the user the apache2 process is running.
"chown -R www-data:www-data /var/www/nextcloud/"
This is weird, isn't it ? I remember http://httpd.apache.org/docs/2.4/misc/security_tips.html
"Permissions on ServerRoot Directories"
which is contradictory to that.

2. The second recommendation is even stranger:
https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#pretty-urls
"mod_env and mod_rewrite must be installed on your webserver and the .htaccess must be writable
by the HTTP user. Then you can set in the config.php two variables:"
.htaccess writeable by the HTTP User !?! I'm no Webserver expert, but i get pain in my stomach
reading this.
What do you think ?
Has anyone experience in installing nextcloud ?
Would it be a good idea to install nextcloud via snap, which seems to be more secure ?

Bernd
-- 

Bernd Lentes 
Systemadministration 
Institute for Metabolism and Cell Death (MCD) 
Building 25 - office 122 
HelmholtzZentrum München 
bernd.lentes@helmholtz-muenchen.de 
phone: +49 89 3187 1241 
phone: +49 89 3187 3827 
fax: +49 89 3187 2294 
http://www.helmholtz-muenchen.de/mcd 

stay healthy
Helmholtz Zentrum München

Helmholtz Zentrum München


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message