URL should be auto redirected to https
URL stays on http because the htaccess file was overwritten and custom changes were removed
Operating system: Linux
Web server: Apache
Database: MySQL
PHP version: 7.0
Nextcloud version: (see Nextcloud admin page) Update to 11.0.3 (also experienced on update to 11.0.2)
The htaccess is probably simply replaced with latest version from new release (same as other files) but since there are a lot of use cases where changes to htaccess files are reasonable/required it might be better to check first if the file is different from the default and then include the deviation in the new file as well.
We do not support changing the .htaccess and preserving the content after an update. To make it permanent please place the changes inside your apache config and not inside the htaccess file.
@MorrisJobke This is not convenient since some apache config modifications are not fitted to other applications.
At least can we imagine users to put their lines in some file (e.g. .htaccessadditions) and every update would add them to the bottom of their .htaccess ?
To make it permanent please place the changes inside your apache config and not inside the htaccess file.
Does this mean Nextcloud does not support running on shared hosting?
Does this mean Nextcloud does not support running on shared hosting?
We certainly want people to easily be able to use shared hosting, but we have to balance needs here - if we don't automatically update the .htaccess and changes are needed, we can break instances and that's a big no-no. We could try to be 'clever' and merge changes, but that might end up breaking things, too. The most reliable solution is simply to consider .htaccess part of the Nextcloud package and not support changing it. That is certainly not perfect either, there are situations where changing the .htaccess is the only way for users to get certain things done, but it is the solution we picked as the least worst.
I'm sorry if you're exactly at this point where you have to change .htaccess and there's no other way - there's not much we can do other than maybe provide some graphical way of dealing with .htaccess - perhaps somebody could build an app which lets you manage it. Everyone who bumps into this problem is of course entirely welcome to start building such an app.
Does this mean Nextcloud does not support running on shared hosting?
Most shared hosters, if not all, have a checkbox somewhere in their settings "always use https" these days. This is way easier and less error prone than playing around with the htaccess file.
Most shared hosters, if not all, have a checkbox somewhere in their settings "always use https" these days. This is way easier and less error prone than playing around with the htaccess file.
Even when you enable HTTPS only from your hoster interface, the warning about HSTS can still be displayed, depending on the hoster architecture.
In my case, I wanted to fix this with .htaccess file but it must be done again after every update.
A little script does the job, but isn't it possible to use comments like WordPress does? That's only a suggestion.
I think there are better solutions than just preventing .htaccess persistence @jospoortvliet:
There already is a #### DO NOT CHANGE ANYTHING ABOVE THIS LINE #### comment in there—couldn’t this (or a similar comment) be used as a marker for preserved changes, as mentioned before?
Or an htaccessadditions file, as mentioned before? (and insert it right after the above-mentioned comment line)
Or, for simple stuff, even something in config.php like 'htaccess.addidion' => 'whatever', (similar to htaccess.RewriteBase, but ‘free-form’)?
Most shared hosters, if not all, have a checkbox somewhere in their settings "always use https" these days. This is way easier and less error prone than playing around with the htaccess file.
Thank you for this comment @schiessle. A few years ago when I first started encountering this issue (ie. having to choose between not forcing HTTPS or not passing the file integrity scan) it was not the case. But your comment prompted me to check again with my hosting provider and they do indeed have this feature now. I just enabled it.
WHY exactly is this closed? this is really annoying! since the shared hosting i use at host europe has no apache config access i have to do everything with the .htaccess file. forcing https, enabling HTTP strict transport security, ... and with every upgrade i have to do a backup of the htaccess file, change permissions, put my changes back in, load it up again ... PLEASE change that! at least nothing below the line "#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####" should be changed - otherwise why exactly do you have that line in there?
We have to support ulph0's protest. It's a pity that the .htaccess is always overwritten, even though there's the extra line stating "do not change above this line".
Let me explain why: even with a managed server of € 100+monthly price range, there is often no other way to include HSTS than via .htaccess directive (e.g. Hetzner). The HSTS app from Nextcloud's store doesn't work unfortunately (just tested again at NC 17.0.3).
In our case, because we help smaller Non-Profits with Nextclouds, it means I have to add the HSTS lines every update at 7 production Nextclouds of various sizes, at 2 test instances and 2 privately run instances. No exaggeration. (And we're not just demanding: DBJR is already in process of signing a paid support contract with Nextcloud.) .... Pleeease don't close the issue!
@DBJRdev : hi, @MorrisJobke already closed this issue. i reopened the issue as feature request in #19254 but @kesselb closed that also. while @MorrisJobke just mentioned that we could use apache.conf, which we can't, @kesselb comes to the point: "there are no plans to support ANY shared hosting out there" - if that is for security reasons i do understand it. BUT it doesn't match the reality of lots of users. if you have bigger files to manage and don't have lots of money or the ability to build your own server, shared hosting is the only way, since on any dedicated server, storage is very expensive. that's why even if you don't want to support shared hosting, it would be a good idea to back it at least to give that users some more safety and flexibility.
@kesselb also said "A common way to workaround this limitation is to run Nextcloud in a sub directory as .htaccess files are inherited from the document root." but this is also not practicable for every existing installation. even if i personally can live with that, some people maybe couldn't.
I rephrased ANY shared hosting to every shared hosting. There are no plans to drop support for shared hosting.
"#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####" should be changed - otherwise why exactly do you have that line in there?
@ulph0 to answer your question from #19254: If you change anything above this comment the integrity check will complain.
MorrisJobke and jospoortvliet already gave an official statement. We have plenty of such discussions (for example https://github.com/nextcloud/server/issues/18655) and I see your problem but it's not intended (and not possible) to support every shared hosting out there. Sorry :disappointed:
I always try to automate recurring tasks. Probably a script appending your individual configuration to .htaccess after each update will reduce your workload.
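One way to write the script suggested in the comment above, added here as an example and not code from Nextcloud or from anyone in this thread: it appends a local additions file to the end of .htaccess after an update, leaves everything above the "#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####" line untouched, and can be run repeatedly without duplicating the block. The BEGIN/END marker strings, the function name and the additions file are assumptions.

```shell
#!/bin/sh
# Added example: re-apply local .htaccess additions after a Nextcloud update.
# The marker strings below are assumptions, not a Nextcloud convention.
# A constructed additions file could contain, for instance:
#   <IfModule mod_headers.c>
#   Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
#   </IfModule>

BEGIN_MARK='# BEGIN local additions'
END_MARK='# END local additions'

# reapply_htaccess HTACCESS ADDITIONS
# Drops any block written by an earlier run, then appends the current
# additions at the end of the file, so the shipped part is never edited.
reapply_htaccess() {
    htaccess=$1
    additions=$2
    [ -f "$htaccess" ] && [ -f "$additions" ] || return 1

    tmp=$(mktemp "${htaccess}.XXXXXX") || return 1

    # Copy everything except a previously appended block (markers included).
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$htaccess" > "$tmp" || { rm -f "$tmp"; return 1; }

    {
        printf '%s\n' "$BEGIN_MARK"
        cat "$additions"
        printf '%s\n' "$END_MARK"
    } >> "$tmp" || { rm -f "$tmp"; return 1; }

    # Keep the previous version, then write in place so that the owner and
    # mode of the existing .htaccess are preserved.
    cp -p "$htaccess" "${htaccess}.bak" && cat "$tmp" > "$htaccess"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone use: sh reapply.sh /path/to/nextcloud/.htaccess /path/to/additions
if [ "$#" -eq 2 ]; then
    reapply_htaccess "$1" "$2"
fi
```

Run it after each update; the .bak copy holds the file as it was before the run.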
I'm sorry if you're exactly at this point where you have to change .htaccess and there's no other way - there's not much we can do other than maybe provide some graphical way of dealing with .htaccess - perhaps somebody could build an app which lets you manage it.
I don't know why this would be necessary. Almost all shared hosting providers allow editing .htaccess via a file manager or dedicated UI, but almost none allow editing Apache config directly.
More generally—
The fundamental problem here is that you're creating an incentive for users to ignore purposely provided security warnings or advice. For someone on shared hosting, they must either choose to ignore the hardening advice in the documentation or choose to ignore the file integrity failure notice in the admin settings. But those two things cover much more than the issue in question, and it's (IME) human nature that once a user has made such a choice, future changes to either of those things (eg. updated advice or a real, bona-fide integrity failure due to malice) will continue to go ignored.
@schiessle @jospoortvliet
I understand you don’t support shared hosting actively, but if you won’t implement the inclusion of an _htaccessadditions_ file, nor a config.php option, then why not state clearly in the .htaccess ‘This whole file will be overwritten’?
For those looking for a workaround: Set your DocRoot to (e.g.) nextcloud/nc (possible on most shared hosting) and edit your own nextcloud/.htaccess :)
@ulph0 No, it won’t be possible for _everyone_, but for most installations, I don’t see why not.