Nextcloud – RainLoop data folder is accessible. Please configure your web server to hide the data folder from external access.

If you have Nextcloud running and discovered that Rainloop ist way better then the regular mail plugin for Nextcloud then you are on the right track.

However if the above warning keeps looking at you and you can not figure out why it is still looking at you, well let me try to explain.

This could either mean that your rainloop folder is in fact reachable from the outside and this is nothing you want to have happen. Funny enough it could mean you did secure it properly, but you are running into the fact that the warning being given here is based on a „check“ not being 100% true. Nextcloud is returning a 302 http code (found). The „check“ is thingking that this means that the „VERSION“ file can be read. However nextcloud is doing a rewrite and sending you elsewhere and that „elsewhere“ has been „found“. So the „check“ is telling you, the location is accessible one way or the other.

To understand a bit more about it, read the folling github Ticket: https://github.com/pierre-alain-b/rainloop-nextcloud/issues/62

You will find some .htaccess solutions as well as Nginx solutions right there at GitHub. I personally use Apache 2.4. So if you are like me and are using Apache then the following in you vhost file is going to handle it for you:

<DirectoryMatch "^.*/rainloop/app/data/.*">
# Apache 2.2
<IfModule !authz_core_module>
Order Deny,Allow
Deny from all
</IfModule>
# Apache 2.4+
<IfModule authz_core_module>
Require all denied
</IfModule>
</DirectoryMatch>

What DirectoryMatch does exactly ist best read in the documentation: https://httpd.apache.org/docs/2.4/de/mod/core.html#directorymatch

The advantage in my optinion is that it does not care at all where your Nextcloud is hanging around. The above will look for whenever it finds „rainlop app data“ and then pending on if you are using Apache 2.2 or 2.4 deny access.

So, back to the Warning and the check which is causing it. Like I said you will find that the check being done to create this warning is not outright wrong, however it did not calculate there being a rewrite present.

So do the check yourself.

wget https://your.nextcloud.domain/apps/rainloop/app/data/VERSION

Check what you get inside the „VERSION“ file. If it is in fact the version number, something is definately wrong. If it is a nextcloud page sending you elsewhere, then everything is just fine.