Nextcloud shows error "Data directory and your files are probably accessible from the Internet"

Starting with Nextcloud v29, the error "Data directory and your files are probably accessible from the Internet" is shown.

Cause

root@prdanc2049:/var/www/nextcloud/config# pwd
/var/www/nextcloud/config
root@prdanc2049:/var/www/nextcloud/config#
root@prdanc2049:/var/www/nextcloud/config# cat config.php
<?php
$CONFIG = array (
  'passwordsalt' => 'Redacted',
  'secret' => 'Redacted',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '10.68.127.123',
    2 => 'nextcloud',

    3 => 'mypublic.domain.com',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
[...]

Solution

Remove the IP addresses, "localhost" and "nextcloud" from trusted_domains in /var/www/nextcloud/config/config.php:

root@prdanc2049:/var/www/nextcloud/config# pwd
/var/www/nextcloud/config
root@prdanc2049:/var/www/nextcloud/config#
root@prdanc2049:/var/www/nextcloud/config# cat config.php
<?php
$CONFIG = array (
  'passwordsalt' => 'Redacted',
  'secret' => 'Redacted',
  'trusted_domains' =>
  array (
    0 => 'mypublic.domain.com',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
[...]


Information regarding trusted_domains in the config.php: https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#trusted-domains

Your list of trusted domains that users can log into. Specifying trusted domains prevents host header poisoning. Do not remove this, as it performs necessary security checks.

You can specify:

  • the exact hostname of your host or virtual host, e.g. demo.example.org.

  • the exact hostname with permitted port, e.g. demo.example.org:443. This disallows all other ports on this host.

  • use * as a wildcard, e.g. ubos-raspberry-pi*.local will allow ubos-raspberry-pi.local and ubos-raspberry-pi-2.local

  • the IP address with or without permitted port, e.g. [2001:db8::1]:8080. Using TLS certificates where commonName=<IP address> is deprecated.
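The following is an added example, not code from Nextcloud or from the original article. It is a simplified model of the matching rules quoted above, plus an audit that flags the kinds of entries removed in the Solution section. The function names strip_port, is_trusted and audit are hypothetical, and treating every single-label hostname like "nextcloud" is an assumption.

```python
import ipaddress
import re

# The article's two lists (values taken from the config.php shown above).
BEFORE = ["localhost", "10.68.127.123", "nextcloud", "mypublic.domain.com"]
AFTER = ["mypublic.domain.com"]

def strip_port(host):
    """Drop a trailing :port; IPv6 literals are expected in [brackets]."""
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host

def is_trusted(host_header, trusted_domains):
    """Simplified model of the documented rules, not Nextcloud's own code."""
    bare = strip_port(host_header)
    for entry in trusted_domains:
        # '*' may expand to hostname characters only; the rest is literal.
        pattern = "[-.a-zA-Z0-9]*".join(re.escape(p) for p in entry.split("*"))
        rx = re.compile(pattern, re.IGNORECASE)
        # Model: an entry without a port matches any port; an entry with a
        # port only matches the full host:port value.
        if rx.fullmatch(bare) or rx.fullmatch(host_header):
            return True
    return False

def audit(trusted_domains):
    """Flag IP literals, localhost and single-label names (assumed policy)."""
    findings = {}
    for entry in trusted_domains:
        bare = strip_port(entry).strip("[]")
        try:
            ipaddress.ip_address(bare)
            findings[entry] = "IP literal"
            continue
        except ValueError:
            pass
        if bare.lower() == "localhost":
            findings[entry] = "localhost"
        elif "." not in bare:
            findings[entry] = "single-label hostname"
    return findings

if __name__ == "__main__":
    for entry, reason in audit(BEFORE).items():
        print(f"review {entry!r}: {reason}")
    for host in ("10.68.127.123", "mypublic.domain.com:8443"):
        print(host, is_trusted(host, BEFORE), is_trusted(host, AFTER))
```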
