nginx 和 owncloud,.htaccess 安全警告

tag-icon tag-icon nginx .htaccess owncloud
nginx 和 owncloud,.htaccess 安全警告

我在使用 nginx 和 owncloud 时遇到了问题。当我访问 owncloud 的登录页面时,出现以下错误:

您的数据目录和文件可能可以通过互联网访问。ownCloud 提供的 .htaccess 文件不起作用。我们强烈建议您配置 Web 服务器,使数据目录不再可访问,或者将数据目录移出 Web 服务器文档根目录。

这是我的虚拟主机文件:

server {

    listen 80;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }


    location /phpmyadmin {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    location /owncloud {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /cloud {
        rewrite ^/* /phpmyadmin last;
    }

    location /roundcube {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }


    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

}



server {

    listen 443 ssl;
    ssl_certificate      /etc/ssl/localcerts/certificate.crt;
    ssl_certificate_key  /etc/ssl/localcerts/privateKey.key;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }


    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }


    location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;
        location ~ ^/owncloud/(.+\.php)$ {
            try_files $uri =404;
            root /var/www/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }


    location /roundcube {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/roundcube/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/squirrelmail/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }


    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

}

具体来说,这里是位置 /owncloud:

location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;
        location ~ ^/owncloud/(.+\.php)$ {
            try_files $uri =404;
            root /var/www/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param HTTPS $https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }

我尝试根据文档修复它http://doc.owncloud.org/server/5.0/admin_manual/installation/installation_others.html#nginx-configuration但我不能。

我还更改了权限,以防万一导致错误,但这并没有解决问题:

chown -R www-data:www-data /var/www/owncloud

phpmyadmin、roundcube 和 squirrelmail 工作正常,所以我使用它们的配置,只更改 owncloud 的根路径,即 /var/www/owncloud。

以下是 owncloud/ 的内容

root@vps1:/var/www# ls -l owncloud/
total 156
drwxr-xr-x 26 www-data www-data  4096 Σεπ   6 18:38 3rdparty
drwxrwxrwx 32 www-data www-data  4096 Σεπ   6 18:38 apps
-rw-r--r--  1 www-data www-data   585 Σεπ   6 18:38 AUTHORS
drwxrwxrwx  2 www-data www-data  4096 Σεπ  27 18:54 config
-rw-r--r--  1 www-data www-data   832 Σεπ   6 18:38 console.php
-rw-r--r--  1 www-data www-data 34520 Σεπ   6 18:38 COPYING-AGPL
-rw-r--r--  1 www-data www-data   567 Σεπ   6 18:38 COPYING-README
drwxr-xr-x 10 www-data www-data  4096 Σεπ   6 18:38 core
-rw-r--r--  1 www-data www-data  3156 Σεπ   6 18:38 cron.php
drwxrwx---  2 www-data www-data  4096 Σεπ  27 18:54 data
-rw-r--r--  1 www-data www-data 17669 Σεπ   6 18:38 db_structure.xml
drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 files
-rw-r--r--  1 www-data www-data   179 Σεπ   6 18:38 index.html
-rw-r--r--  1 www-data www-data   853 Σεπ   6 18:38 index.php
drwxr-xr-x 81 www-data www-data  4096 Σεπ   6 18:38 l10n
drwxr-xr-x 20 www-data www-data  4096 Σεπ   6 18:38 lib
-rw-r--r--  1 www-data www-data   279 Σεπ   6 18:38 occ
drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 ocs
-rw-r--r--  1 www-data www-data   443 Σεπ   6 18:38 public.php
-rw-r--r--  1 www-data www-data   753 Σεπ   6 18:38 README
-rw-r--r--  1 www-data www-data   960 Σεπ   6 18:38 remote.php
-rw-r--r--  1 www-data www-data    26 Σεπ   6 18:38 robots.txt
drwxr-xr-x  6 www-data www-data  4096 Σεπ   6 18:38 search
drwxr-xr-x  8 www-data www-data  4096 Σεπ   6 18:38 settings
-rw-r--r--  1 www-data www-data  1216 Σεπ   6 18:38 status.php
drwxr-xr-x  2 www-data www-data  4096 Σεπ   6 18:38 themes
-rw-r--r--  1 www-data www-data  2460 Σεπ   6 18:38 upgrade.php

我注意到 tar 文件不包含 /data 文件夹,并且是在您第一次访问 owncloud 的 Web 界面时创建的。还会创建以下文件:

root@vps1:/var/www# ls -la owncloud/data/
total 12
drwxrwx---  2 www-data www-data 4096 Σεπ  27 18:54 .
drwxr-xr-x 14 www-data www-data 4096 Σεπ  27 18:54 ..
-rw-r--r--  1 www-data www-data   27 Σεπ  27 18:54 .htaccess
-rw-r--r--  1 www-data www-data    0 Σεπ  27 18:54 index.html

所以我不确定警告指的是哪个 .htaccess 文件。/var/www/owncloud/.htaccess 或 /var/www/owncloud/data/.htaccess 或者如何修复它。

编辑:我尝试添加它但仍然不起作用。

location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
              deny all;
      }

答案1

我的希腊朋友:

问题似乎是,上传到 Owncloud 的数据(您希望像“云”一样可访问的数据)的目录是服务器文档根目录的子目录,其中只应包含 Owncloud 自身功能的目录和文件。这就是您提到的 /var/www 目录。用户数据不应该放在 /var/www 中,否则可以通过互联网通过简单的“服务文件列表”访问。

通常,在浏览器运行的初始设置向导期间,您可以选择设置数据目录的路径。即使您错过了,您也可以随时更改,方法是在 Owncloud 安装的 config.php 文件中设置“datadirectory”指令。像这样:

<?php
$CONFIG = array (
  'datadirectory' => '/media/usbdisk/ocdata/',
  'dbtype' => ...

您可以在里面找到更多相关内容论坛帖子。

需要注意的是,始终要尽量减少通过网络传输的数据量。你可以看看这里关于文档根权限的一些非常好的观点。

答案2

我搞明白了。我在 vhost 文件中犯了一个错误。我设置了

root /var/www/;

然后我写下了:

location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
              deny all;
}

而不是这样:

location ~ ^/owncloud/(data|config|\.ht|db_structure\.xml|README) {
              deny all;
}

这是我经过上述修正和一些清理之后的最终 catch-all vhost 文件。

server {

    listen 80;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }


    location /phpmyadmin {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    location /owncloud {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /cloud {
        rewrite ^/* /phpmyadmin last;
    }

    location /roundcube {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    location /squirrelmail {
        rewrite     ^   https://$http_host$request_uri? permanent;
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }

}



server {

    listen 443 ssl;
    ssl_certificate      /etc/ssl/localcerts/certificate.crt;
    ssl_certificate_key  /etc/ssl/localcerts/privateKey.key;

    server_name default_server;

    root /usr/share/nginx/www;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ /\.ht {
      deny  all;
    }



    ######  phpMyAdmin  ############################################################
    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

    ######  RoundCube   ############################################################
    location /roundcube {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/roundcube/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }

        location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /RoundCube {
        rewrite ^/* /roundcube last;
    }

    ######  SquirrelMail    ############################################################
    location /squirrelmail {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/squirrelmail/(.+\.php)$ {
            root /usr/share/;
            include fastcgi-gen.conf;
        }
        location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /SquirrelMail {
        rewrite ^/* /squirrelmail last;
    }

    ######  ownCloud    ############################################################
    location /owncloud {
        root /var/www/;
        index index.php index.html index.htm;

        error_page 403 = owncloud/core/templates/403.php;
        error_page 404 = owncloud/core/templates/404.php;

        rewrite ^/owncloud/caldav(.*)$ /remote.php/caldav$1 redirect;
        rewrite ^/owncloud/carddav(.*)$ /remote.php/carddav$1 redirect;
        rewrite ^/owncloud/webdav(.*)$ /remote.php/webdav$1 redirect;

        location = /owncloud/robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location /owncloud/ {
                # The following 2 rules are only needed with webfinger
                rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
                rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

                rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
                rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

                rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

                try_files $uri $uri/ index.php;
        }

        location ~ ^/owncloud/(data|config|\.ht|db_structure\.xml|README) {
                    deny all;
            }

        location ~ ^/owncloud/(.+\.php)$ {
            root /var/www/;
            include fastcgi-gen.conf;
        }
        location ~* ^/owncloud/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /var/www/;
        }
    }
    location /ownCloud {
        rewrite ^/* /owncloud last;
    }

}

这是 fastcgi-gen.conf

try_files $uri =404;

fastcgi_pass  unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param PATH_INFO         $fastcgi_script_name;
include fastcgi_params;

相关内容