Install Nextcloud

Nextcloud

In this walkthrough we will set up Nextcloud on an Apache web server running PHP, with MariaDB as the MySQL-compatible database. The Linux operating system will be Ubuntu 22.04.02. SSL will be set up with Let’s Encrypt using Certbot.

I have SSH’d into the server, so I need to open the SSH port before enabling the Uncomplicated Firewall (ufw).

# sudo ufw allow 22/tcp
# sudo ufw enable

Update server.

# sudo apt update && sudo apt upgrade

Apache

1. Install & Configure Apache.

# sudo apt install -y apache2

We will need to allow Apache through the firewall by opening port 80/tcp and 443/tcp for HTTP and HTTPS.

# sudo ufw allow 'Apache Full'
# sudo ufw status

Start Apache.

# sudo systemctl enable --now apache2

Create the directory example under /var/www for the website example.com.

# sudo mkdir -p /var/www/example

Create the file example.conf for the apache virtual host in directory /etc/apache2/sites-available.

# sudo vi /etc/apache2/sites-available/example.conf

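Add the following configuration; uncomment the log lines if required.

<VirtualHost *:80>
    ServerAdmin contact@example.com
    DocumentRoot /var/www/example
    ServerName example.com
    ServerAlias www.example.com

    # Let Nextcloud's .htaccess rules apply inside the document root
    <Directory "/var/www/example">
         AllowOverride All
    </Directory>

    # On Ubuntu, logs go under ${APACHE_LOG_DIR} (/var/log/apache2)
    # ErrorLog ${APACHE_LOG_DIR}/example.com-error_log
    # CustomLog ${APACHE_LOG_DIR}/example.com-access_log combined
</VirtualHost>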

The configuration needs a symlink in /etc/apache2/sites-enabled/. If one was not created automatically, run the following command to enable the configuration.

# sudo a2ensite example.conf

Disable the default site 000-default; use -p to purge all traces of the module in the internal state database.

# sudo a2dissite -p 000-default

Reload Apache.

# sudo systemctl reload apache2

Apache

1. Additional Apache Configuration for Nextcloud.

For Nextcloud to work correctly, we need the module mod_rewrite.

# sudo a2enmod rewrite

Additional recommended modules are mod_headers, mod_env, mod_dir and mod_mime.

# sudo a2enmod headers
# sudo a2enmod env
# sudo a2enmod dir
# sudo a2enmod mime

Restart Apache.

# sudo systemctl restart apache2

PHP

2. Install PHP and PHP extensions.

# sudo apt install -y libapache2-mod-php php-gd php-mysql php-curl php-mbstring php-intl php-gmp php-bcmath php-xml php-imagick php-zip

Reload Apache.

# sudo systemctl reload apache2

MySQL

3. Install & Configure MariaDB (MySQL).

# sudo apt install -y mariadb-server

Start the MariaDB service and enable it to start automatically.

# sudo systemctl enable --now mariadb

Secure database.

# sudo mysql_secure_installation
  1. Set root password
  2. Remove anonymous
  3. Set local only
  4. Remove test db
  5. Reload permissions

Configure MariaDB with a user and database for Nextcloud.

# sudo mysql -u root -p

Enter these values, changing <database-name>, <user-name> and <password>. We will need to remember these for later when setting up Nextcloud.

MariaDB [(none)]> CREATE DATABASE <database-name>;
MariaDB [(none)]> CREATE USER <user-name>@localhost IDENTIFIED BY '<password>';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON <database-name>.* TO <user-name>@localhost;
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> QUIT;

SSL

4. Install & Configure SSL

Check that the Apache virtual host is set up correctly.

# sudo apache2ctl configtest

The result should be Syntax OK. If changes are needed, reload Apache afterwards.

# sudo systemctl reload apache2

Install Certbot and python3-certbot-apache, a plugin that connects Certbot with Apache.

# sudo apt install -y certbot python3-certbot-apache

Obtain a certificate with Certbot.

# sudo certbot --apache

Verify Certbot auto-renewal.

# sudo systemctl status certbot.timer

Test Renewal.

# sudo certbot renew --dry-run

Nextcloud

5. Install Nextcloud

To download Nextcloud we will need the wget package.

# sudo apt install -y wget

Download the Nextcloud setup file into /var/www/example.

# cd /var/www/example
# sudo wget https://download.nextcloud.com/server/installer/setup-nextcloud.php

Set file ownership and permissions.

# sudo chown -R www-data:www-data /var/www/example
# sudo chmod -R 755 /var/www/example

Configure Nextcloud. Open your favorite browser and enter your domain name followed by /setup-nextcloud.php as the URL.

# https://example.com/setup-nextcloud.php

Follow the installation steps using the database details we set up earlier in this walkthrough.

Nextcloud

6. Configure Nextcloud

After setup, remove the setup file so that the installer can no longer be reached from the web.

# sudo rm /var/www/example/setup-nextcloud.php

To configure Nextcloud, open your favorite browser, enter your domain name example.com into the URL bar and log in.

Under administration settings there will be some errors that will need fixing.

NC: Go to Administration Settings -> Overview

The most common errors are shown below. We will go through each one and resolve the issue.

  1. The PHP memory limit is below the recommended value of 512MB.
  2. The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
  3. You have not set or verified your email server configuration, yet. Please head over to the Basic settings in order to set them. Afterwards, use the “Send email” button below the form to verify your settings.
  4. The database is used for transactional file locking. To enhance performance, please configure memcache, if available. See the documentation ↗ for more information.
  5. Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add “default_phone_region” with the respective ISO 3166-1 code ↗ of the region to your config file.
  6. No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation ↗.
  7. Module php-imagick in this instance has no SVG support. For better compatibility it is recommended to install it.

An error you may not see at first. 

  1. The PHP OPcache module is not properly configured. See the documentation ↗ for more information.
    • The OPcache buffer is nearly full. To assure that all scripts can be hold in cache, it is recommended to apply opcache.memory_consumption to your PHP configuration with a value higher than 128.
    • The OPcache interned strings buffer is nearly full. To assure that repeating strings can be effectively cached, it is recommended to apply opcache.interned_strings_buffer to your PHP configuration with a value higher than 8.

1. The PHP memory limit is below the recommended value of 512MB.

Open php.ini and change memory_limit to 512M. I also recommend setting upload_max_filesize to a more appropriate size; I chose 1024M (1G).

# sudo vi /etc/php/8.1/apache2/php.ini

2. The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.

Open the Apache configuration file for your Nextcloud installation, here example.conf, and add the header. Note that max-age is set slightly above the 15552000 minimum.

# sudo vi /etc/apache2/sites-available/example.conf

Add.

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15553000; includeSubDomains"
</IfModule>

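If you have an SSL certificate, do the same in the nextcloud-le-ssl.conf file. Browsers only honour this header on HTTPS responses, so the SSL virtual host is the one that matters.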

# sudo vi /etc/apache2/sites-available/nextcloud-le-ssl.conf

Restart Apache.

# sudo systemctl restart apache2
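
To confirm the header after the restart, the added example below (not part of the original walkthrough) parses response headers and checks max-age against the 15552000-second minimum from the warning. The function names and the sample responses are constructed for illustration; the curl line in the final comment shows how to feed it real headers from example.com.

```shell
#!/bin/sh
# Added example: check response headers for the HSTS value Nextcloud expects.
HSTS_MIN=15552000   # minimum max-age quoted in the Nextcloud warning

# Print the max-age from the first Strict-Transport-Security header on stdin.
# Header names are matched case-insensitively (HTTP/2 sends them lowercase),
# and the CRLF line endings of curl -I output are stripped first.
hsts_max_age() {
    tr -d '\r' |
    awk '
        found { next }
        {
            if (index(tolower($0), "strict-transport-security:") != 1) next
            found = 1
            value = substr($0, length("strict-transport-security:") + 1)
            n = split(value, parts, ";")
            for (i = 1; i <= n; i++) {
                d = tolower(parts[i])
                gsub(/[ \t"]/, "", d)          # drop padding and optional quotes
                if (d ~ /^max-age=[0-9]+$/) { sub(/^max-age=/, "", d); print d; break }
            }
        }'
}

# Succeed only if the headers on stdin carry HSTS with max-age >= HSTS_MIN.
hsts_ok() {
    age=$(hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN" ]
}

# Constructed sample responses (not captured from a real server).
SAMPLE_HTTPS=$(printf 'HTTP/2 200\r\nstrict-transport-security: max-age=15553000; includeSubDomains\r\n')
SAMPLE_SHORT=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=3600\r\n')
SAMPLE_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n')

for s in "$SAMPLE_HTTPS" "$SAMPLE_SHORT" "$SAMPLE_HTTP"; do
    if printf '%s\n' "$s" | hsts_ok; then echo "PASS"; else echo "FAIL"; fi
done

# Against the live site: curl -sI https://example.com | hsts_ok && echo PASS
```

The third sample is what a port 80 redirect without the header looks like, which is why the check should be pointed at the https:// URL.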

3. You have not set or verified your email server configuration, yet. Please head over to the Basic settings in order to set them. Afterwards, use the “Send email” button below the form to verify your settings.

Before you can set up your SMTP email you need to add an email address to your profile if you have not yet done so.

NC: Go to Personal Settings -> Email

Open Basic settings and add your SMTP email server settings. Your email provider can supply the settings needed, or you can search online for your provider's mail settings.

NC: Go to Administration Settings -> Basic Settings

4. The database is used for transactional file locking. To enhance performance, please configure memcache, if available. See the documentation ↗ for more information.

For this we will use Redis, which will handle both the file locking and the memory cache.

# sudo apt install -y redis-server php-redis

Open the Nextcloud config.php file and add the required settings (adjust the path if Nextcloud is installed elsewhere).

# sudo vi /var/www/nextcloud/config/config.php

Add the following settings.

'memcache.locking' => '\OC\Memcache\Redis',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.local' => '\OC\Memcache\Redis',

Reboot server.

# sudo reboot

You will notice the memory cache error has also disappeared now.

5. Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add “default_phone_region” with the respective ISO 3166-1 code ↗ of the region to your config file.

Add the setting to the Nextcloud config.php file.

# sudo vi /var/www/nextcloud/config/config.php

Add the following setting for your region; for me it’s Great Britain, so GB.

'default_phone_region' => 'GB',

6. No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation ↗.

Completed when we did number 4.

7. Module php-imagick in this instance has no SVG support. For better compatibility it is recommended to install it.

Install imagick core files.

# sudo apt -y install libmagickcore-6.q16-6-extra

8. The PHP OPcache module is not properly configured. See the documentation ↗ for more information.

Open the php.ini file.

# sudo vi /etc/php/8.1/apache2/php.ini

Uncomment and change the settings below.

opcache.memory_consumption=512

opcache.interned_strings_buffer=32
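
The memory_limit change from error 1 and the OPcache values above can be checked with the added example below, which is not part of the original walkthrough. It reads the Apache php.ini text directly because the command-line php binary loads a separate php.ini under /etc/php/8.1/cli/; the function names and the sample fragments are constructed for illustration.

```shell
# Added example: audit the php.ini values set in this walkthrough.
# Print the effective value of key $1 from php.ini text on stdin.
# Lines starting with ';' are comments; the last active assignment wins.
ini_get() {
    awk -v key="$1" '
        /^[ \t]*;/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next                      # [section] headers, blanks
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            sub(/[ \t]*;.*$/, "", v)               # trailing comment
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)     # padding, quotes, CR
            if (k == key) val = v
        }
        END { if (val != "") print val }'
}

# Convert PHP shorthand sizes (512M, 1G, 2048K, plain bytes) to MiB.
to_mib() {
    case "$1" in
        -1)    echo 1048576 ;;                     # -1 means no limit
        *[Gg]) echo $(( ${1%?} * 1024 )) ;;
        *[Mm]) echo "${1%?}" ;;
        *[Kk]) echo $(( ${1%?} / 1024 )) ;;
        *)     echo $(( ${1:-0} / 1048576 )) ;;
    esac
}

# Print one finding per setting still below the value Nextcloud asks for.
check_php_ini() {   # $1 = php.ini contents
    mem=$(printf '%s\n' "$1" | ini_get memory_limit)
    opc=$(printf '%s\n' "$1" | ini_get opcache.memory_consumption)
    isb=$(printf '%s\n' "$1" | ini_get opcache.interned_strings_buffer)
    [ "$(to_mib "$mem")" -ge 512 ] || echo "memory_limit=${mem:-unset}, want >= 512M"
    [ "${opc:-128}" -gt 128 ] || echo "opcache.memory_consumption=${opc:-commented out}, want > 128"
    [ "${isb:-8}" -gt 8 ] || echo "opcache.interned_strings_buffer=${isb:-commented out}, want > 8"
}

# Constructed php.ini fragments: before and after the edits in this walkthrough.
BEFORE='memory_limit = 128M
;opcache.memory_consumption=128
;opcache.interned_strings_buffer=8'
AFTER='memory_limit = 512M
opcache.memory_consumption=512
opcache.interned_strings_buffer=32'
check_php_ini "$BEFORE"    # three findings
check_php_ini "$AFTER"     # no output
```

To audit the real file, pass its contents: check_php_ini "$(cat /etc/php/8.1/apache2/php.ini)".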
Nextcloud

7. Clear Bruteforce

When setting up and configuring Nextcloud you can make mistakes logging in. If this happens too many times, your IP address can be blocked. To clear the block, use the following commands.

Open MariaDB.

# sudo mysql -u root -p

Find <database-name>.

MariaDB [(none)]> SHOW DATABASES;

Select database. Change <database-name> to your database name.

MariaDB [(none)]> use <database-name>;

List the database tables to find the brute force table.

MariaDB [<database-name>]> SHOW TABLES;

Find the IP address to clear in your brute force table.

MariaDB [<database-name>]> SELECT * FROM oc_bruteforce_attempts;

Change X.X.X.X to your IP address. On most occasions the IP will be the internal router IP 192.168.1.1.

MariaDB [<database-name>]> DELETE FROM oc_bruteforce_attempts WHERE ip = 'X.X.X.X';