Security warning in owncloud after new install of owncloud server 10.4.1
Dein Datenverzeichnis und Deine Dateien sind wahrscheinlich vom Internet aus erreichbar. Die .htaccess-Datei funktioniert nicht. Es wird dringend empfohlen, Deinen Webserver dahingehend zu konfigurieren, dass das Datenverzeichnis nicht mehr vom Internet aus erreichbar ist oder dass Du es aus dem Document-Root-Verzeichnis des Webservers herausverschiebst.
I checked it and noticed you can reach everything what is under owncloud directory even config and more.
So the best ist to change DocumentRoot. But how can I reach then owncloud index.php?
The FAQ I found before but didn’t understand. The Problem is that the new repository installation is incomplete. After installation of owncloud server, I coudn’t reach owncloud login site.
So I changed the documentroot of apache2 from var/www/html to var/www where owncloud is then a subfolder.
But now I know you may not have owncloud as a subfolder of documentroot, because you can reach everything, if you find out the adresses. It’s not only the data folder you can reach, it is everything of configuration like config.php - So everything is unsecure!
And here is how I solved the problem:
Change document root to var/www/html in ‘/etc/apache2/sites-available/000-default.conf’.
By this change owncloud login is not reachable anymore because you need alias configuration in webserver.
The alias you can configure in 000-default.conf, but I did it as recommended in a owncloud.conf which didn’t exist after new installation by repository.
Contents of owncloud.conf as you find here: https://doc.owncloud.com/server/admin_manual/installation/ubuntu_18_04.html#configure-apache
Alias /owncloud "/var/www/owncloud/"
<Directory /var/www/owncloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/owncloud
SetEnv HTTP_HOME /var/www/owncloud
</Directory>
Set the virtual host active in apache with that commands:
a2ensite owncloud.conf
service apache2 reload