Nextcloud


Prerequisite

Install

Download

Download Nextcloud from https://nextcloud.com/install/#instructions-server and extract the archive in /var/www/nextcloud.

Fix file ownership recursively (chown's recursive flag is the uppercase -R):

$ sudo chown -R www-data: /var/www/nextcloud/

Configure PHP

Edit file /etc/php/7.0/mods-available/local-common.ini and add /var/www/nextcloud/:/dev/:/var/log/nextcloud/ to the open_basedir setting.

Reload PHP:

$ sudo systemctl reload php7.0-fpm.service

Configure Webserver

  1. Create the config file /etc/nginx/sites-available/nextcloud.example.org
    server {
        include snippets/listen-http.conf;
        server_name nextcloud.example.org;
    
        access_log /var/log/nginx/nextcloud.example.org.access.log;
        error_log /var/log/nginx/nextcloud.example.org.error.log;
    
        include snippets/https-permanent-redirect.conf;
    }
    
    server {
        include snippets/listen-https.conf;
        server_name nextcloud.example.org;
    
        access_log /var/log/nginx/nextcloud.example.org.access.log;
        error_log /var/log/nginx/nextcloud.example.org.error.log;
    
        include snippets/acme-challenge.conf;
        #include snippets/ssl.conf;
        #ssl_certificate      /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem;
        #ssl_certificate_key  /etc/letsencrypt/live/nextcloud.example.org/privkey.pem;
        #include snippets/hsts.conf;
    
        # Protect web interface during initial setup
        # The following two lines must be removed after initial configuration
        auth_basic            "You shall not pass!";
        auth_basic_user_file  /etc/nginx/htpasswd/generic.htpasswd;
    
        include snippets/security-headers.conf;
        # Using more_set_headers instead of add_header to be cascaded in sub location
        more_set_headers "X-Robots-Tag: none";
        more_set_headers "X-Download-Options: noopen";
        
        # Path to the root of your installation
        root /var/www/nextcloud/;
        
        location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
        }
    
        client_max_body_size 10G; # set max upload size
        fastcgi_buffers 64 4K;
    
        location / {
            rewrite ^ /index.php$uri;
        }
    
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
    
        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
            fastcgi_param front_controller_active true;
            fastcgi_pass php;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }
    
        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }
    
        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~* \.(?:css|js|woff|svg|gif)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=15778463";
        }   
        
        location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$uri$is_args$args;
        }
    }
    
  2. Activate the configuration with
    $ sudo nginx_modsite -e nextcloud.example.org
    Would you like to reload the Nginx configuration now? (Y/n) Y
    
  3. Edit file /usr/local/etc/certmanage/main.json and add the following to the list
    {
        "domains": ["nextcloud.example.org"],
        "reload": [["/bin/systemctl", "reload", "nginx.service"]]
    }
    
  4. Get your certificate
    $ sudo /usr/local/sbin/certmanage
    Renewing certificate for nextcloud.example.org that will expire on 0001-01-01
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for nextcloud.example.org
    Using the webroot path /var/www/acme-challenge for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem. Your cert
       will expire on 2024-07-22. To obtain a new or tweaked version of
       this certificate in the future, simply run certbot again. To
       non-interactively renew *all* of your certificates, run "certbot
       renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    Restarting services:
    systemctl reload nginx.service
    
  5. Uncomment the ssl related lines in /etc/nginx/sites-available/nextcloud.example.org and run
    $ sudo systemctl reload nginx.service
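
As an added check (not part of the wiki page or of Nextcloud's own configuration), the following Python script emulates the location matching order of the server block in step 1: exact `location =` blocks first, then the `location ~` regexes in file order, then the `location /` fallback. It lets you confirm that config/, data/, dotfiles and occ are denied before a request can reach the PHP handler, and that the exact `.well-known` locations still win over the dotfile deny rule. The handler labels and sample paths are constructed.

```python
import re

# Emulation of request routing in the nginx server block from step 1, used to
# check which handler a given URI path reaches. Constructed example, not part
# of the wiki page or of Nextcloud's own configuration.

# "location = ..." blocks: exact matches, checked before any regex.
EXACT = {
    "/.well-known/carddav": "redirect:/remote.php/dav",
    "/.well-known/caldav": "redirect:/remote.php/dav",
}

# "location ~ ..." blocks in the order they appear; nginx takes the first
# regex that matches, so the deny rules must stay above the PHP handler.
REGEX_LOCATIONS = [
    (re.compile(r"^/(?:build|tests|config|lib|3rdparty|templates|data)/"), "deny"),
    (re.compile(r"^/(?:\.|autotest|occ|issue|indie|db_|console)"), "deny"),
    (re.compile(r"^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/)"), "php"),
    (re.compile(r"^/(?:updater|ocs-provider)(?:$|/)"), "index"),
    (re.compile(r"\.(?:css|js|woff|svg|gif)$", re.IGNORECASE), "static-cached"),  # "~*"
    (re.compile(r"\.(?:png|html|ttf|ico|jpg|jpeg)$", re.IGNORECASE), "static"),     # "~*"
]

def route(path: str) -> str:
    """Return the handler label the config selects for an already-normalised URI path."""
    if path in EXACT:
        return EXACT[path]
    for pattern, handler in REGEX_LOCATIONS:
        if pattern.search(path):
            return handler
    # No regex matched: the "location /" prefix block rewrites to the front controller.
    return "rewrite:/index.php" + path

# Constructed sample of paths that must never be served directly.
SENSITIVE = ["/config/config.php", "/data/admin/files/notes.txt", "/.htaccess",
             "/occ", "/console.php", "/.git/config", "/3rdparty/composer.json"]

def check_sensitive_paths_denied(paths=SENSITIVE) -> list:
    """Return the sensitive paths that are NOT denied by the config (empty list = good)."""
    return [p for p in paths if route(p) != "deny"]

if __name__ == "__main__":
    for p in SENSITIVE + ["/index.php/apps/files/", "/remote.php/dav/", "/core/css/server.css",
                          "/.well-known/carddav", "/apps/files/", "/updater/"]:
        print(f"{p:40} -> {route(p)}")
    print("not denied:", check_sensitive_paths_denied())
```

Rerun the check after any edit to the location blocks; reordering them so the PHP handler precedes a deny rule shows up as a non-empty list.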
    

Configure Nextcloud

//config.php

$ sudo tee "/usr/local/bin/occ" > /dev/null << EOF
> #!/bin/sh
> sudo -u www-data /usr/bin/php /var/www/nextcloud/occ "\$@"
> EOF
$ sudo chmod +x /usr/local/bin/occ

Logs

First, create a directory for the logs:

$ sudo mkdir /var/log/nextcloud
$ sudo chmod 750 /var/log/nextcloud
$ sudo chown www-data:adm /var/log/nextcloud

Create the file /etc/logrotate.d/nextcloud with the following content:

/var/log/nextcloud/nextcloud.log {
  rotate 6
  monthly
  compress
  delaycompress
  missingok
  notifempty
  create 640 www-data adm
}

Finally, activate the new log location: edit /var/www/nextcloud/config/config.php and add or edit the logfile line

'logfile' => '/var/log/nextcloud/nextcloud.log',

Cron

Create the file /etc/cron.d/nextcloud:

*/15 *   *   *   *   www-data /usr/bin/php -f /var/www/nextcloud/cron.php

Now open Nextcloud in your browser, go to the admin section and select cron as the background job mode.


Test

Security

Nextcloud provides a security scanning service for publicly reachable instances. Scan your instance to find configuration issues.