Nextcloud

Prerequisite

Install

Download

Download Nextcloud from https://nextcloud.com/install/#instructions-server and extract the archive in /var/www/nextcloud.

Fix file permissions using

$ sudo chown -r www-data: /var/www/nextcloud/

Configure PHP

Edit file /etc/php/7.0/mods-available/local-common.ini and add /var/www/nextcloud/:/dev/:/var/log/nextcloud/ to the open_basedir setting.

Reload PHP:

$ sudo systemctl reload php7.0-fpm.service

Configure Webserver

  1. Create the config file /etc/nginx/sites-available/nextcloud.example.org
    server {
        include snippets/listen-http.conf;
        server_name nextcloud.example.org;
    
        access_log /var/log/nginx/nextcloud.example.org.access.log;
        error_log /var/log/nginx/nextcloud.example.org.error.log;
    
        include snippets/https-permanent-redirect.conf;
    }
    
    server {
        include snippets/listen-https.conf;
        server_name nextcloud.example.org;
    
        access_log /var/log/nginx/nextcloud.example.org.access.log;
        error_log /var/log/nginx/nextcloud.example.org.error.log;
    
        include snippets/acme-challenge.conf;
        #include snippets/ssl.conf;
        #ssl_certificate      /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem;
        #ssl_certificate_key  /etc/letsencrypt/live/nextcloud.example.org/privkey.pem;
        #include snippets/hsts.conf;
    
        # Protect web interface during initial setup
        # The following two lines must be removed after initial configuration
        auth_basic            "You shall not pass!";
        auth_basic_user_file  /etc/nginx/htpasswd/generic.htpasswd;
    
        include snippets/security-headers.conf;
        # Using more_set_headers instead of add_header to be cascaded in sub location
        more_set_headers "X-Robots-Tag: none";
        more_set_headers "X-Download-Options: noopen";
        
        # Path to the root of your installation
        root /var/www/nextcloud/;
        
        location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
        }
    
        client_max_body_size 10G; # set max upload size
        fastcgi_buffers 64 4K;
    
        location / {
            rewrite ^ /index.php$uri;
        }
    
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
    
        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
            fastcgi_param front_controller_active true;
            fastcgi_pass php;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }
    
        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }
    
        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~* \.(?:css|js|woff|svg|gif)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=15778463";
        }   
        
        location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$uri$is_args$args;
        }
    }
    
  2. Activate the configuration with
    $ sudo nginx_modsite -e nextcloud.example.org
    Would you like to reload the Nginx configuration now? (Y/n) Y
    
  3. Edit file /usr/local/etc/certmanage/main.json and add the following to the list
    {
        "domains": ["nextcloud.example.org"],
        "reload": [["/bin/systemctl", "reload", "nginx.service"]]
    }
    
  4. Get your certificate
    $ sudo /usr/local/sbin/certmanage
    Renewing certificate for nextcloud.example.org that will expire on 0001-01-01
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for nextcloud.example.org
    Using the webroot path /var/www/acme-challenge for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem. Your cert
       will expire on 2019-03-11. To obtain a new or tweaked version of
       this certificate in the future, simply run certbot again. To
       non-interactively renew *all* of your certificates, run "certbot
       renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    Restarting services:
    systemctl reload nginx.service
    
  5. Uncomment the ssl related lines in /etc/nginx/sites-available/nextcloud.example.org and run
    $ sudo systemctl reload nginx.service
    

Configure Nextcloud

//config.php

$ sudo tee "/usr/local/bin/occ" > /dev/null << EOF
> !/bin/sh
> sudo -u www-data /usr/bin/php /var/www/nextcloud/occ "\$@"
> EOF
$ sudo chmod +x /usr/local/bin/occ

Logs

First you need to create a folder for the logs

$ sudo mkdir /var/log/nextcloud
$ sudo chmod 750 /var/log/nextcloud
$ sudo chown www-data:adm /var/log/nextcloud

Create file /etc/logrotate.d/nextcloud with the following content

/var/log/nextcloud/nextcloud.log {
  rotate 6
  monthly
  compress
  delaycompress
  missingok
  notifempty
  create 640 www-data adm
}

Finally activate the new log location. Edit /var/www/nextcloud/config/config.php and add/edit the logfile line

'logfile' => '/var/log/nextcloud/nextcloud.log',

Cron

Create file /etc/cron.d/nextcloud

*/15 *   *   *   *   www-data /usr/bin/php -f /var/www/nextcloud/cron.php

Now open Nextcloud in your browser and go to the admin section and activate cron

owncloud cron.png

Test

Security

Nextcloud is providing a security scanning service for public instances. Scan your instance to find configuration issues.