nginx e owncloud, aviso de segurança do .htaccess

Question

nginx e owncloud, aviso de segurança do .htaccess

#1 resposta do (4 votos)
#2 resposta do (1 votos)

1

Eu tenho um problema com o nginx e o owncloud. Quando eu acesso a página de login do owncloud eu recebo este erro:

Your data directory and your files are probably accessible from the internet. The .htaccess file that ownCloud provides is not working. We strongly suggest that you configure your webserver in a way that the data directory is no longer accessible or you move the data directory outside the webserver document root.

Aqui está o meu arquivo vhost:

server {

    listen 80;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }


    location /phpmyadmin {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    location /owncloud {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /cloud {
        rewrite ^/* /phpmyadmin last;
    }

    location /roundcube {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }


    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

}



server {

    listen 443 ssl;
    ssl_certificate      /etc/ssl/localcerts/certificate.crt;
    ssl_certificate_key  /etc/ssl/localcerts/privateKey.key;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }


    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }


    location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;
        location ~ ^/owncloud/(.+\.php)$ {
            try_files $uri =404;
            root /var/www/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }


    location /roundcube {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/roundcube/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/squirrelmail/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }


    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

}

Especificamente, aqui está a localização / owncloud:

location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;
        location ~ ^/owncloud/(.+\.php)$ {
            try_files $uri =404;
            root /var/www/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }

Eu tentei corrigi-lo com base na documentação link , mas eu não posso.

Eu também alterei as permissões apenas no caso de estar causando o erro, mas ele não corrigiu:

chown -R www-data:www-data /var/www/owncloud

phpmyadmin, roundcube e squirrelmail funcionam muito bem, então eu usei sua configuração apenas alterando o caminho da raiz do owncloud que é / var / www / owncloud.

Aqui está o conteúdo do owncloud /

root@vps1:/var/www# ls -l owncloud/
total 156
drwxr-xr-x 26 www-data www-data  4096 Σεπ   6 18:38 3rdparty
drwxrwxrwx 32 www-data www-data  4096 Σεπ   6 18:38 apps
-rw-r--r--  1 www-data www-data   585 Σεπ   6 18:38 AUTHORS
drwxrwxrwx  2 www-data www-data  4096 Σεπ  27 18:54 config
-rw-r--r--  1 www-data www-data   832 Σεπ   6 18:38 console.php
-rw-r--r--  1 www-data www-data 34520 Σεπ   6 18:38 COPYING-AGPL
-rw-r--r--  1 www-data www-data   567 Σεπ   6 18:38 COPYING-README
drwxr-xr-x 10 www-data www-data  4096 Σεπ   6 18:38 core
-rw-r--r--  1 www-data www-data  3156 Σεπ   6 18:38 cron.php
drwxrwx---  2 www-data www-data  4096 Σεπ  27 18:54 data
-rw-r--r--  1 www-data www-data 17669 Σεπ   6 18:38 db_structure.xml
drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 files
-rw-r--r--  1 www-data www-data   179 Σεπ   6 18:38 index.html
-rw-r--r--  1 www-data www-data   853 Σεπ   6 18:38 index.php
drwxr-xr-x 81 www-data www-data  4096 Σεπ   6 18:38 l10n
drwxr-xr-x 20 www-data www-data  4096 Σεπ   6 18:38 lib
-rw-r--r--  1 www-data www-data   279 Σεπ   6 18:38 occ
drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 ocs
-rw-r--r--  1 www-data www-data   443 Σεπ   6 18:38 public.php
-rw-r--r--  1 www-data www-data   753 Σεπ   6 18:38 README
-rw-r--r--  1 www-data www-data   960 Σεπ   6 18:38 remote.php
-rw-r--r--  1 www-data www-data    26 Σεπ   6 18:38 robots.txt
drwxr-xr-x  6 www-data www-data  4096 Σεπ   6 18:38 search
drwxr-xr-x  8 www-data www-data  4096 Σεπ   6 18:38 settings
-rw-r--r--  1 www-data www-data  1216 Σεπ   6 18:38 status.php
drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 themes
-rw-r--r--  1 www-data www-data  2460 Σεπ   6 18:38 upgrade.php

Notei que o arquivo tar não inclui a pasta tha / data e é criado na primeira vez que você acessa a interface web do owncloud. Além disso, esses arquivos são criados:

root@vps1:/var/www# ls -la owncloud/data/
total 12
drwxrwx---  2 www-data www-data 4096 Σεπ  27 18:54 .
drwxr-xr-x 14 www-data www-data 4096 Σεπ  27 18:54 ..
-rw-r--r--  1 www-data www-data   27 Σεπ  27 18:54 .htaccess
-rw-r--r--  1 www-data www-data    0 Σεπ  27 18:54 index.html

Portanto, não tenho certeza em qual arquivo .htaccess o aviso está se referindo. /var/www/owncloud/.htaccess ou /var/www/owncloud/data/.htaccess ou como consertar isso.

Editar : eu tentei adicionar isso e ainda não funciona.

location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
              deny all;
      }

nginx .htaccess owncloud

por Christos Baziotis 27.09.2013 / 21:10

2 respostas

Tags nginx .htaccess owncloud

Verifica alterações de hardware no Windows usando a linha de comando Posso usar um VMdisk expandido sem reinicializar o servidor RHEL?

score 4 · Answer 1

Meu colega grego:

O problema parece ser que o diretório onde os dados UPLOADED to Owncloud (os dados que você quer acessíveis como uma "nuvem") é um subdiretório da raiz do documento do seu servidor, onde SOMENTE diretórios e arquivos para a funcionalidade do Owncloud PRÓPRIO deveria ser. Este é o diretório / var / www que você mencionou. Os dados do usuário não têm lugar dentro de / var / www, caso contrário, ele é acessível a partir da Internet com uma simples "lista" dos arquivos exibidos.

Normalmente, durante o assistente de configuração inicial, executado a partir do navegador, você tem a opção de definir o caminho para o diretório de dados. Mesmo se você errar, você pode sempre mudar depois, definindo a diretiva "datadirectory" no arquivo config.php da instalação do Owncloud. Assim:

<?php
$CONFIG = array (
  'datadirectory' => '/media/usbdisk/ocdata/',
  'dbtype' => ...

Você pode encontrar mais informações sobre o tópico esta postagem no fórum .

Como nota de cautela, é sempre importante ter a menor quantidade possível de dados disponíveis por meio da ligação. Você pode procurar aqui para alguns pontos muito bons sobre as permissões da raiz do documento.

score 1 · Answer 2

Eu percebi isso. Eu cometi um erro no arquivo vhost. eu tinha definido o

root /var/www/;

e então eu escrevi isso:

location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
              deny all;
}

em vez disso:

location ~ ^/owncloud/(data|config|\.ht|db_structure\.xml|README) {
              deny all;
}

Aqui está o meu último arquivo vhost catch-all após a correção acima e alguma limpeza.

server {

    listen 80;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }


    location /phpmyadmin {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    location /owncloud {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /cloud {
        rewrite ^/* /phpmyadmin last;
    }

    location /roundcube {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }

}



server {

    listen 443 ssl;
    ssl_certificate      /etc/ssl/localcerts/certificate.crt;
    ssl_certificate_key  /etc/ssl/localcerts/privateKey.key;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ /\.ht {
      deny  all;
    }



    ######  phpMyAdmin  ############################################################
    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    ######  RoundCube   ############################################################
    location /roundcube {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/roundcube/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }

        location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    ######  SquirrelMail    ############################################################
    location /squirrelmail {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/squirrelmail/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }
        location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }

    ######  ownCloud    ############################################################
    location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;

        error_page 403 = owncloud/core/templates/403.php;
        error_page 404 = owncloud/core/templates/404.php;

        rewrite ^/owncloud/caldav(.*)$ /remote.php/caldav$1 redirect;
        rewrite ^/owncloud/carddav(.*)$ /remote.php/carddav$1 redirect;
        rewrite ^/owncloud/webdav(.*)$ /remote.php/webdav$1 redirect;

        location = /owncloud/robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location /owncloud/ {
                # The following 2 rules are only needed with webfinger
                rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
                rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

                rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
                rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

                rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

                try_files $uri $uri/ index.php;
        }

        location ~ ^/owncloud/(data|config|\.ht|db_structure\.xml|README) {
                    deny all;
            }

        location ~ ^/owncloud/(.+\.php)$ {
            root /var/www/;
            include fastcgi-gen.conf;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }

}

e isso é fastcgi-gen.conf

try_files $uri =404;

fastcgi_pass  unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param PATH_INFO         $fastcgi_script_name;
include fastcgi_params;