Blog/Nextcloud 29

From Forza's ramblings
A Common Spotted Orchid with pinkish-purple flowers, featuring darker spots and unique patterns on the petals, growing in a meadow background.
Dactylorhiza fuchsii, the common spotted orchid, is a species of flowering plant in the orchid family Orchidaceae.

Nextcloud

Nextcloud is an open-source cloud storage solution, designed to give users control over their data. It enables the hosting of personal or business data on private servers, providing a secure and flexible alternative to commercial cloud services. With features like file sharing, calendar integration, collaborative tools and document editing, Nextcloud lets users maintain their privacy and keep sovereignty over their data.

In addition to its core functionality, Nextcloud 29 takes a modular approach and can be integrated with a variety of applications, enhancing security, usability and customisation. It has a built-in app store with free add-ons such as Keeweb, a client for the popular KeePass password manager, and the Memories app, which organises and displays your photos and provides a visually appealing way to manage your media library. It also provides a foundation for self-hosted AI tools similar to ChatGPT or Bing's image creation.

The goal with Nextcloud is to provide a self-hosted platform that keeps your data on servers you trust, free from third-party oversight and potential data mining. There are several companion apps for mobile devices that make accessing your content, such as calendar, contacts and files, easier.

Nextcloud Hub 8 (Nextcloud 29)

Screenshot of the Nextcloud update page, showing a new version and that currently installed apps are supported with the new version.

Nextcloud moves fast and updates come quickly. Starting with version 18, Nextcloud was rebranded Nextcloud Hub to highlight the idea that Nextcloud is a one-stop platform for all your data, with a core set of features such as Office, Talk (video meetings comparable to Zoom, Teams or FaceTime) and team collaboration.

The Nextcloud server and administration documentation is pretty comprehensive. Its target is the so-called LAMP stack (Linux, Apache, MySQL, Perl/PHP/Python). Apache is the web server that powered much of the early Web, though these days there are other popular servers such as nginx and Caddy. Personally, I switched to Caddy from Apache several years back because I had an interest in HTTP/3, the QUIC-based HTTP protocol. At the time there was no other free, open-source web server that supported it.

Upgrading Nextcloud is usually straightforward. The administration page shows which new version is available and whether all your current apps are supported in the new version. I held back upgrading to version 29 because Keeweb (a KeePass client) was not supported until recently.

This time, however, there were several warnings after the upgrade. For a long time, Nextcloud has automatically checked for common configuration and security problems. Version 29 introduced several additional checks, which caught many users by surprise, as is evident in the help forum: https://help.nextcloud.com/t/frequent-nextcloud-29-hub-8-update-issues/189897

Caddy web server

Web server market share

I am using the Caddy web server, and one of the more difficult errors I had to solve after the upgrade to Nextcloud 29 was an apparent problem with a .htaccess file. The error message was as follows:

.htaccess error
Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

Apache uses .htaccess files to customise settings for specific directories: a .htaccess file overrides Apache's global configuration for the directory it is placed in. Nextcloud ships .htaccess files that prevent clients from fetching Nextcloud's internal files, including the data directory, directly.

However, since Caddy does not use .htaccess files at all, it was unclear what the real error was about. Nextcloud performs a test to see whether its data directory is reachable from the Internet. This is an important check, because the data directory contains all user data (every user's files).

My data directory was definitely not accessible from the internet, so why the error? Looking at the bug report https://github.com/nextcloud/server/issues/45087 we can see that one of the tests uses plain HTTP (not HTTPS). The issue comes from my Caddy configuration, in that I had it set up to redirect all HTTP requests to HTTPS. A common setup with Caddy looks like this:

Caddyfile example
## HTTP endpoint on port 80
example.com:80 {
	root /var/www/domains/example.com/htdocs
	file_server
	# Match everything except ACME HTTP-01 challenges under /.well-known/
	@https not path /.well-known/*
	# Send those requests to the HTTPS site with a 301
	redir @https https://example.com/ permanent
}

This instructs Caddy to redirect all plain HTTP requests to the HTTPS site with an HTTP 301 (permanent redirect) status code; note that 301 is a redirect, not an error. Requests under /.well-known/ are exempt from the redirect. This was useful with Let's Encrypt certbot to automate SSL/TLS certificate renewals using the certbot certonly --webroot option. I now use DNS-based renewals, so that exception is no longer required for me.

The Nextcloud security check turns out to misinterpret the HTTP 301 redirect as success, so it warns that the data directory is accessible from the Internet when it is not. The solution is to replace the redirect with an access-denied or not-found response. The configuration below answers with 401; 403 or 404 would satisfy the check just as well and are the more conventional codes for a plain refusal, since 401 is formally meant to accompany a WWW-Authenticate challenge. The trade-off is that the port-80 site no longer upgrades visitors to HTTPS automatically: anyone who types the bare hostname into a browser now gets the refusal instead of the HTTPS site.

Caddyfile example
## HTTP endpoint on port 80
example.com:80 {
	root /var/www/domains/example.com/htdocs
	file_server
	# Match everything except ACME HTTP-01 challenges under /.well-known/
	@https not path /.well-known/*
	# Access denied: answer with a 401 instead of redirecting, so the
	# Nextcloud check does not mistake a redirect for an exposed data directory
	respond @https 401
}
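The distinction above, a redirect is not exposure but a 200 response carrying the data directory's own content is, can be checked from outside the server. The following Python script is an added example, not code from this post or from the Nextcloud project. It starts a local stand-in for the port-80 site that imitates three behaviours (the redirect, the 401, and a genuinely exposed data directory) and runs two verdicts against each: a simplified model of the over-eager check, where any non-error status after following redirects counts as "exposed", and a strict verdict that only reports exposure when the marker file itself comes back with 200. The probe path data/.ncdata and its marker text "# Nextcloud data directory" are assumptions about what Nextcloud's check fetches; the page does not say. The landing-page body and the local server are constructed so the example runs offline.

```python
"""Probe a Nextcloud data directory over plain HTTP and show why a redirect is not exposure.

Added example, not code from the blog post or from Nextcloud.
Assumptions (not stated on the page): the probe path data/.ncdata and the
marker text "# Nextcloud data directory" that Nextcloud writes there.
"""
import http.server
import threading
import urllib.error
import urllib.request

DATA_PATH = "/data/.ncdata"                    # assumption: marker file inside the data directory
NCDATA_MARKER = b"# Nextcloud data directory"  # assumption: its contents
LANDING_PAGE = b"<html><body>Nextcloud login</body></html>"  # constructed sample body


class _FakeCaddy(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the port-80 site; server.mode selects the behaviour."""

    def _reply(self, status, body=b"", **headers):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path.startswith("/.well-known/"):
            return self._reply(200, b"acme-challenge")      # the ACME exception from the Caddyfile
        if self.path == "/":
            return self._reply(200, LANDING_PAGE)            # what a redirect to the HTTPS site lands on
        if self.path != DATA_PATH:
            return self._reply(404)
        mode = self.server.mode
        if mode == "redirect":
            # `redir @https https://example.com/ permanent`; points back at this
            # server instead of https://example.com so the example runs offline.
            host, port = self.server.server_address
            return self._reply(301, Location=f"http://{host}:{port}/")
        if mode == "deny":
            return self._reply(401)                          # `respond @https 401`
        if mode == "exposed":
            return self._reply(200, NCDATA_MARKER + b"\n")   # misconfigured: data dir is served
        return self._reply(500)

    def log_message(self, *args):
        pass  # keep the example quiet


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, follow_redirects):
    """Return (status, body) for a GET, treating HTTP error statuses as ordinary results."""
    opener = urllib.request.build_opener(*([] if follow_redirects else [_NoRedirect()]))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def naive_verdict(status, body):
    """Simplified model of the check that misfires: no HTTP error means exposed."""
    return "exposed" if status < 400 else "protected"


def strict_verdict(status, body):
    """Exposure means the marker file itself came back with 200; a redirect is just a redirect."""
    if 300 <= status < 400:
        return "redirected"
    if status == 200 and NCDATA_MARKER in body:
        return "exposed"
    return "protected"


def check_data_directory(mode):
    """Start a fake port-80 site in `mode`, probe it both ways, return (naive, strict)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeCaddy)
    srv.mode = mode
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        naive = naive_verdict(*fetch(base + DATA_PATH, follow_redirects=True))
        strict = strict_verdict(*fetch(base + DATA_PATH, follow_redirects=False))
    finally:
        srv.shutdown()
        srv.server_close()
    return naive, strict


if __name__ == "__main__":
    for mode in ("redirect", "deny", "exposed"):
        naive, strict = check_data_directory(mode)
        print(f"{mode:8s} naive={naive:9s} strict={strict}")
```

With the redirect in place the naive verdict reports "exposed" while the strict one reports "redirected"; with the 401 both report "protected"; only a site that really serves the marker file is "exposed" under both. To run the strict probe against a real host, call fetch() with your own base URL over both http:// and https:// and keep follow_redirects=False, so that a 301 shows up as a 301 rather than as whatever page it lands on.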

Caddy supports automatic HTTPS with certificate creation and renewal by default. I continued with certbot because I used it with Apache. New Caddy users do not need to add any special configuration to enable HTTPS.