Nextcloud
Introduction
Nextcloud is a flexible open source file synchronization and sharing solution. Nextcloud includes the Nextcloud server, which runs on Linux, client applications for Microsoft Windows, macOS and Linux, and mobile clients for the Android and Apple iOS operating systems.
This topic summarizes all the commands needed to manually install the Nextcloud server on a Debian distribution.
Prerequisites
This section explains how to install all prerequisites for the Nextcloud server.
Debian 11 is assumed to be installed and fully functional. For more details about the OS installation, refer to Virtual machines. 2 cores, 32GB (OS) and 4GB of RAM are a good balance for the Nextcloud server.
Add a new user nextcloud. It will be a system user and belong to the group www-data:
adduser --system nextcloud --ingroup www-data
Change the password of the new user:
passwd nextcloud
Install openssl for the certificate:
sudo apt-get install openssl
Install a Web server:
sudo apt-get install apache2
Install libxml2:
sudo apt-get install libxml2
Install a database:
sudo apt-get install default-mysql-server
Note
MariaDB 10.5 is the default MySQL server on Debian 11
Install php:
sudo apt-get install php
Note
php7.4 is the default version on Debian 11
Install php’s modules:
sudo apt-get install php-ctype php-curl php-dom php-gd php-json php-mbstring \
    php-iconv php-openssl php-posix php-xml php-zip php-mysql php-intl \
    php-fileinfo php-bz2 php-apcu php-imagick php-fpm php-pear php-bcmath php-gmp
PHP will be tuned later in this topic, after the Nextcloud server has been installed.
Apache configuration
This section explains how to configure the Apache Web server. Help with the Apache server installation is available in Apache Webserver.
Activate all following modules:
sudo a2enmod http2 rewrite headers env dir mime ssl proxy proxy_fcgi setenvif authz_core alias
Be sure to disable the following module …
Warning
sudo a2dismod mpm_prefork
… and enable the php module:
sudo a2enmod php7.4
Add a Web site’s configuration file to the Apache configuration folder:
sudo nano /etc/apache2/sites-available/nextcloud.conf
with the content:
<VirtualHost *:80>
    ServerName nextcloud.domain.com
    ServerAlias 192.168.1.102
    DocumentRoot "/path/to/nextcloud/"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Protocols h2 http/1.1
    Header set X-Robots-Tag "none"
    Alias /nextcloud "/path/to/nextcloud/"
    # Send every plain HTTP request to the HTTPS site
    <IfModule mod_rewrite.c>
        Redirect permanent / https://nextcloud.domain.com/
    </IfModule>
    <Directory /path/to/nextcloud/>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>
</VirtualHost>
For HTTPS access, add a second Web site configuration file to the Apache configuration folder:
sudo nano /etc/apache2/sites-available/nextcloud-ssl.conf
with the content:
<VirtualHost *:443>
    ServerName nextcloud.domain.com
    ServerAlias 192.168.1.102
    DocumentRoot "/path/to/nextcloud/"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    Protocols h2 http/1.1
    H2Direct on
    H2Push on
    Header set X-Robots-Tag "none"
    TraceEnable off
    Alias /nextcloud "/path/to/nextcloud/"
    <Directory /path/to/nextcloud/>
        Require all denied
        # AllowOverride none and AllowOverrideList none so that .htaccess files are ignored
        AllowOverride none
        AllowOverrideList none
        Options -Indexes +FollowSymLinks +MultiViews +Includes
        SetEnv HOME /rep/to/the/site/web/
        SetEnv HTTP_HOME /rep/to/the/site/web/
        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"
        </IfModule>
        <Files ".ht*">
            Require all denied
        </Files>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^TRACK
        RewriteRule .* - [R=405,L]
    </Directory>
</VirtualHost>
SSLProtocol -all +TLSv1.2 +TLSv1.3 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite DEFAULT
SSLHonorCipherOrder off
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLCertificateFile /path/to/certificate/nextcloud-selfsigned.crt
SSLCertificateKeyFile /path/to/certificate/nextcloud-selfsigned.key
Then enable both sites, so that Nextcloud is reachable over HTTP and HTTPS:
a2ensite nextcloud.conf
a2ensite nextcloud-ssl.conf
Note
Do not forget either to disable the default Web site (000-default.conf, with a2dissite 000-default.conf) or to change its port (80 by default), because the Nextcloud server is listening on port 80. The same applies to default-ssl.conf.
Finally, reload the Apache server:
sudo systemctl reload apache2
Add 2 entries (80 and 443) in the reverse proxy of pfSense router. Refer to Firewall configuration for more detail:

Fig. 43 Squid: Reverse Proxy Server
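An offline check of the TLS hardening directives from nextcloud-ssl.conf above, as an added example that is not part of the original page: it resolves the SSLProtocol tokens into the set of enabled protocols and flags a configuration that leaves legacy protocols, session tickets, TRACE or a short HSTS lifetime in place. The function names, the expansion of "all", the default used when SSLProtocol is unset and the weak sample configuration are assumptions made for illustration.

```python
import re

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
ALL = LEGACY | {"TLSv1.2", "TLSv1.3"}  # assumption: "all" depends on the OpenSSL build
MIN_HSTS = 15552000  # the max-age used on this page

def effective_protocols(value):
    """Resolve SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        chosen = set(ALL) if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled

def audit(conf):
    """Return findings for the hardening directives used in nextcloud-ssl.conf."""
    last, hsts = {}, None
    for line in conf.splitlines():
        name, _, value = line.strip().partition(" ")
        if not name or name[0] in "#<":
            continue  # skip blank lines, comments and section tags
        last[name.lower()] = value.strip()  # modelled as: a repeated directive overrides
        if name.lower() == "header" and "strict-transport-security" in value.lower():
            match = re.search(r"max-age=(\d+)", value)
            hsts = int(match.group(1)) if match else 0
    findings = []
    # "all -SSLv3" is the assumed default when SSLProtocol is not set
    legacy = effective_protocols(last.get("sslprotocol", "all -SSLv3")) & LEGACY
    if legacy:
        findings.append("legacy protocols: " + ", ".join(sorted(legacy)))
    for name in ("SSLSessionTickets", "TraceEnable"):
        if last.get(name.lower(), "on").lower() != "off":
            findings.append(name + " is not off")
    if hsts is None or hsts < MIN_HSTS:
        findings.append("HSTS missing or max-age too short")
    return findings

# Directives copied from the page's nextcloud-ssl.conf
PAGE_CONF = """SSLProtocol -all +TLSv1.2 +TLSv1.3 -SSLv3 -TLSv1 -TLSv1.1
SSLSessionTickets off
TraceEnable off
Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"
"""
WEAK_CONF = 'SSLProtocol all -SSLv3\nHeader set Strict-Transport-Security "max-age=300"\n'  # constructed
```

audit(PAGE_CONF) returns an empty list, while audit(WEAK_CONF) reports all four findings.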
MariaDB configuration
During the Nextcloud server installation, a database will be requested. Here is the configuration of MariaDB.
First of all, secure the MariaDB server with the following script:
sudo mysql_secure_installation
Set the configuration as follows:

Fig. 44 MariaDB secure installation
Then create a database and a user that the Nextcloud server will use later, during its configuration.
Connect to the MariaDB server:
sudo mysql -u root -p
Enter the root password and create the database password.
Create the database:
CREATE DATABASE nextcloud_database;
Add the user to the database:
CREATE USER 'nextcloud_username'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS nextcloud_database;
GRANT ALL PRIVILEGES ON nextcloud_database.* TO 'nextcloud_username'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
exit;
All command lines are summarized on the screenshot below:

Fig. 45 Nextcloud database
Nextcloud installation
Download the installer script into the folder of the Nextcloud Web server:
wget -P /path/to/nextcloud/ https://download.nextcloud.com/server/installer/setup-nextcloud.php
Set the proper access rights on the folder. The default user is the Apache user:
chown -R www-data:www-data /path/to/nextcloud/
Then open a browser, connect to the Nextcloud wizard page and click the Next button:

If all dependencies are satisfied, select the folder to install Nextcloud server:

Nextcloud server is now installed but the database is not yet configured:

Then, configure the Nextcloud admin login and password, set the database with login and password of the Nextcloud database that was previously created:

Fig. 46 Configuration settings
Note
It is advised to place the “data” folder outside the Nextcloud folder.
The installation of the applications is in progress:

Fig. 47 Recommended applications
And that’s all!

Fig. 48 Installation done!
Improve Nextcloud settings
After logging in with the admin login, check the configuration of the server (click on the “A” at the top right, then menu). Some things are wrong!:

Fig. 49 Warnings raised by Nextcloud
Note
If all PHP modules are correctly installed, no warning is raised for them.
Settings of background jobs
Select “Cron” to run the background jobs (menu):
In a terminal, add a periodic cron task:
crontab -u www-data -e
Append the following line:
*/5 * * * * php -f /path/to/nextcloud/cron.php
Tuning PHP
sudo nano /etc/php/7.4/apache2/php.ini
Update the content with:
memory_limit = 512M
;output_buffering = 4096 ;comment this line
Update the config.php file:
sudo nano /path/to/nextcloud/config/config.php
with the following settings:
'trusted_domains' =>
array (
  0 => 'localhost',
  1 => '192.168.1.9',
  2 => 'nextcloud.domain.com',
),
'memcache.local' => '\OC\Memcache\APCu',
'default_phone_region' => 'FR',
Add the following lines to the nextcloud-ssl.conf Apache file:
<IfModule mod_rewrite.c>
    # These patterns have no leading slash, so they match only in per-directory context (inside the <Directory> block)
    RewriteEngine on
    RewriteRule ^\.well-known/carddav /remote.php/dav [R=301,L]
    RewriteRule ^\.well-known/caldav /remote.php/dav [R=301,L]
    RewriteRule ^\.well-known/webfinger /index.php/.well-known/webfinger [R=301,L]
    RewriteRule ^\.well-known/nodeinfo /index.php/.well-known/nodeinfo [R=301,L]
</IfModule>
To fix the issue with the php-imagick module, install the extra codecs:
apt-get install libmagickcore-6.q16-6-extra
Check the configuration
If all steps are satisfied, you should have an A+ for your Web server.
Check the Nextcloud server from within itself:

Check the configuration with the scan of Nextcloud:

Check the configuration of the server:

Update the database
Some information is missing in the database. To update the database, run the following commands in a terminal:
Switch the server to maintenance mode:
sudo -u www-data php occ maintenance:mode --on
Add the missing information to the database:
sudo -u www-data php occ db:add-missing-indices
sudo -u www-data php occ db:convert-filecache-bigint
Switch maintenance mode off:
sudo -u www-data php occ maintenance:mode --off
Steps to update database:

Application installation
OnlyOffice/Document server community
OnlyOffice is too large to be installed through the Web interface: the timeout expires before the installation completes. Nevertheless, the installation can be done from the command line.
In a terminal:
sudo -u www-data php occ app:install documentserver_community
After the installation is finished, set the address of the OnlyOffice Community server at https://nextcloud.address.server/index.php/apps/documentserver_community/ and check the box for opening format.
OnlyOffice document server:

Note: Don’t check the box “Connect to demo ONLYOFFICE Document Server” unless you choose to use a public server.
To update documentserver_community:
sudo -u www-data php occ app:update documentserver_community
Talk
Talk is an application that can be added to the Nextcloud instance. This application allows users to communicate via video conference. But to use this application, a TURN server must be installed.
sudo apt-get install coturn
Check whether a systemd unit is available:
ls -l /lib/systemd/system/coturn.service
Otherwise, before Debian Buster, to have the turnserver run automatically as a system service daemon, uncomment the following line in /etc/default/coturn:
TURNSERVER_ENABLED=1
Generate a key for the TURN server:
gibus@LAPTOP:~$ openssl rand -hex 32
26b2a285a9f1bd4f41faa5af323db92a82bcdebd4a0eb0d2d69cdf47b550294b
Configure the TURN server:
sudo nano /etc/turnserver.conf
listening-port=3478
external-ip=PublicIP/PrivateIP
fingerprint
use-auth-secret
static-auth-secret=26b2a285a9f1bd4f41faa5af323db92a82bcdebd4a0eb0d2d69cdf47b550294b
realm=your.domain.org
total-quota=100
bps-capacity=0
stale-nonce=600
no-multicast-peers
Note: If the TURN server is behind a router, do not forget to open and redirect the port from 3478 to 3478. The port number should be the same between external and internal.
Once the TURN server is configured, go to Nextcloud admin panel Talk settings to set the address and port (domain:port) of the TURN server, without http(s):// nor turn(s)://. It is automatically added by Nextcloud.
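How the use-auth-secret and static-auth-secret settings above are used, as an added example that is not part of the original page: in this mode the TURN server accepts time-limited credentials that the application holding the same secret derives with HMAC-SHA1, so the secret in /etc/turnserver.conf must stay readable only by the services that need it. The function names, the secret, the user name and the timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac

def _password_for(secret, username):
    """base64(HMAC-SHA1(key=shared secret, message=username))."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def issue_credentials(secret, user_id, ttl, now):
    """Issuing side: the username carries the expiry time, the password proves it."""
    username = f"{now + ttl}:{user_id}"
    return username, _password_for(secret, username)

def verify_credentials(secret, username, password, now):
    """TURN server side: reject expired usernames, then recompute and compare."""
    expiry = username.partition(":")[0]
    if not expiry.isdigit() or int(expiry) < now:
        return False
    return hmac.compare_digest(_password_for(secret, username), password)

# Constructed values, not taken from a real deployment
SECRET = "constructed-example-secret"   # stands in for static-auth-secret
NOW = 1_700_000_000                     # fixed clock so the result is reproducible

def demo():
    """Show which credential checks pass and which fail."""
    username, password = issue_credentials(SECRET, "alice", 3600, NOW)
    return {
        "username": username,
        "valid": verify_credentials(SECRET, username, password, NOW),
        "expired": verify_credentials(SECRET, username, password, NOW + 3601),
        "renamed_user": verify_credentials(
            SECRET, username.replace("alice", "bob"), password, NOW),
        "other_secret": verify_credentials("another-secret", username, password, NOW),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```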