
NextCloud 14+ Install on Ubuntu 18.04

Prerequisite packages for NextCloud

$ sudo apt install nginx mariadb-server
$ sudo apt install php7.2-gd php7.2-json php7.2-mysql php7.2-curl php7.2-mbstring php7.2-fpm
$ sudo apt install php7.2-intl php-imagick php7.2-xml php7.2-zip php-mime-type
$ sudo apt install php7.2-gmp ffmpeg libexif-dev ufw
$ sudo apt install php-apcu php-redis redis-server

Download the nextcloud server file and matching sha256 from the official website

$ wget https://download.nextcloud.com/server/releases/latest-14.tar.bz2
$ wget https://download.nextcloud.com/server/releases/latest-14.tar.bz2.sha256

Verify the sha256. The .sha256 file names the tarball, so sha256sum reads both from the current directory; nothing needs to be redirected to it:

$ sha256sum -c latest-14.tar.bz2.sha256

Extract the tarball after verifying the file is valid

$ tar -xjf latest-14.tar.bz2

Copy the nextcloud folder to the webroot, in this case /var/www.

$ sudo cp -r nextcloud /var/www
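The download, verify and extract steps above as one script (an added example, not from the wiki page): it refuses to extract unless the published .sha256 file actually names the tarball and its digest matches. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify a downloaded Nextcloud
# tarball against its published .sha256 file before extracting it, and
# refuse to extract on any mismatch. File names are assumptions.

# Return 0 only when the checksum file lists this tarball and the digest matches.
verify_tarball() {
    tarball="$1"
    sumfile="$2"
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 1; }
    # The .sha256 file must name exactly this file, otherwise a renamed or
    # swapped download would be "verified" against the wrong line.
    grep -q "[ *]$(basename "$tarball")\$" "$sumfile" || {
        echo "checksum file does not list $(basename "$tarball")" >&2; return 1; }
    # sha256sum -c resolves the listed file name relative to the working
    # directory, so run it next to the tarball. --strict makes malformed
    # lines a failure; --quiet hides the OK line and keeps FAILED visible.
    sumabs="$(cd "$(dirname "$sumfile")" && pwd)/$(basename "$sumfile")"
    (cd "$(dirname "$tarball")" && sha256sum --strict --quiet -c "$sumabs")
}

# Extract only after verification succeeded; a bad digest leaves nothing behind.
extract_verified() {
    verify_tarball "$1" "$2" || { echo "refusing to extract $1" >&2; return 1; }
    tar -xjf "$1" -C "${3:-.}"
}

# Usage: sh verify-nextcloud.sh latest-14.tar.bz2 latest-14.tar.bz2.sha256 [destdir]
if [ "$#" -ge 2 ]; then extract_verified "$@"; fi
```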

Create the Database

To start the MySQL command line mode use:

$ sudo mysql -uroot -p

Then a mysql> or MariaDB [root]> prompt will appear. Enter the following lines, confirming each with the enter key. username can be whatever you like, but be sure to replace password with a strong password; both will be used later when NextCloud is first configured from the browser.

CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS nextcloud;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'username'@'localhost' IDENTIFIED BY 'password';

Let's Encrypt

For SSL use the EFF's PPA for the Let's Encrypt certbot.

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update; sudo apt upgrade
$ sudo apt install python-certbot-nginx
$ sudo certbot --nginx certonly

Cert and Key locations:

/etc/letsencrypt/live/sub.domain.tld/fullchain.pem

/etc/letsencrypt/live/sub.domain.tld/privkey.pem

By default, nginx uses a generic built-in DH group, which weakens the key exchange. Generate your own Diffie-Hellman parameters with OpenSSL; the ssl_dhparam line that references this file has already been added to the nginx config below. The -dsaparam option produces DSA-style parameters, which is much faster than generating a 4096-bit safe prime.

$ sudo openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 4096

NGINX

Create the nginx config, and fill with a base config.

$ sudo nano /etc/nginx/sites-available/nextcloud.conf

upstream php-handler {
    # Ubuntu's php7.2-fpm listens on the unix socket by default; list the TCP
    # address instead only if you changed the pool's "listen" setting.
    #server 127.0.0.1:9000;
    server unix:/var/run/php/php7.2-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.bagelbiter.cat;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.bagelbiter.cat;

    ssl_certificate /etc/letsencrypt/live/cloud.bagelbiter.cat/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.bagelbiter.cat/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ecdh_curve prime256v1;
    ssl_session_tickets off;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!aNULL';
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_dhparam /etc/ssl/dhparam.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    #add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;
#    add_header X-Content-Type-Options nosniff;
#    add_header X-XSS-Protection "1; mode=block";
#    add_header X-Robots-Tag none;
#    add_header X-Download-Options noopen;
#    add_header X-Permitted-Cross-Domain-Policies none;
#    add_header Referrer-Policy no-referrer;
#    add_header X-Frame-Options "SAMEORIGIN";
#    #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; frame-src 'self'; connect-src 'self' https://cloud.bagelbiter.cat; object-src 'none' ";

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block

    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Robots-Tag "none" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header Referrer-Policy "no-referrer" always;
        #add_header X-Frame-Options "SAMEORIGIN" always;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }

}

Remove the default nginx config.

$ sudo rm /etc/nginx/sites-enabled/default

Allow access to web root for nginx.

$ sudo chown -R www-data:www-data /var/www/nextcloud

Enable the configuration

$ sudo ln -s /etc/nginx/sites-available/nextcloud.conf /etc/nginx/sites-enabled/nextcloud.conf

UFW

Allow nginx and SSH through the firewall, then enable ufw. You may need to reboot for ufw to start and the rules to take effect.

$ sudo ufw allow "Nginx Full"
$ sudo ufw allow OpenSSH
$ sudo ufw enable

php-fpm configuration

When you are using php-fpm, system environment variables like PATH, TMP or others are not automatically populated in the same way as when using php-cli. A PHP call like getenv('PATH'); can therefore return an empty result, so you may need to manually configure environment variables in the appropriate php-fpm ini/config file. I found this necessary to make NextCloud stop complaining, although I did not see any bugs or issues as a result of not having changed anything here.

In the file /etc/php/7.2/fpm/pool.d/www.conf uncomment the line ;env[PATH] = /usr/local/bin:/usr/bin:/bin by removing the semicolon.

PHP OPcache

PHP ships with a built-in opcode cache called OPcache. The php.ini file is massively verbose, so just skip to the [opcache] section and copy in this config from the official NextCloud documentation. [/etc/php/7.2/fpm/php.ini]

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Startup

Start nginx and php-fpm to bring NextCloud up.

$ sudo systemctl start nginx php7.2-fpm
$ sudo systemctl enable php7.2-fpm

Navigate to the FQDN (sub.domain.tld) and enter the necessary details, including the database user and password created above. Afterwards, we can set up the caching server.

MemCache: APCu and Redis

Using a memory cache should improve the performance of the server. The official documentation recommends, for a single small-organization server, APCu for the local cache and Redis for the distributed (remote) cache and for file locking.

All we need to do to get everything working is add a few lines to the nextcloud config.php. [/var/www/nextcloud/config/config.php]

'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
  'host' => 'localhost',
  'port' => 6379,
),

Email Server

Install the mailutils package by typing:

$ sudo apt install mailutils

Near the end of the installation process, you will be presented with a dialog window with options on how to configure Postfix. Select the default option which is Internet Site.

After that, you'll get another dialog window asking for the System mail name; enter the same domain name as the server.

Now edit the main Postfix configuration file:

$ sudo nano /etc/postfix/main.cf

With the file open, scroll down until you see the entries shown in this code block.

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

Change the line that reads inet_interfaces = all to inet_interfaces = localhost. When you're done, that same section of the file should now read:

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = localhost

After that, restart Postfix by typing:

$ sudo service postfix restart

To send a test email, type:

$ echo "This is the body of the email" | mail -s "This is the subject line" <your email here>

If everything is working correctly you should receive an email from the server.

Source: How To Install and Configure Postfix as a Send-Only SMTP Server on Ubuntu 14.04

Collabora

Install Docker, pull the Collabora CODE image and run it bound to localhost only, since nginx proxies to it:

$ sudo apt install docker.io
$ sudo systemctl enable docker
$ sudo docker pull collabora/code
$ sudo docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=sub\\.domain\\.tld' --restart always --cap-add MKNOD collabora/code

Add this to the bottom of the main nextcloud server block in /etc/nginx/sites-available/nextcloud.conf:

    # Collabora Config

    # static files
    location ^~ /loleaflet {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

In the Nextcloud web interface, as the admin account, go to Settings > Collabora Online and enter the URL of the server, e.g. https://sub.domain.tld. Wait a bit for Nextcloud to sort itself out and you should be able to edit documents in Nextcloud from the web browser.

Talk

To allow Talk sessions between clients behind firewalls, a TURN server needs to be installed on a separate server. It acts as a relay point for connecting two WebRTC sessions in NextCloud Talk when direct P2P and STUN connections have failed (at least, that is how the documentation describes it). Install coturn, an open source TURN server.

$ sudo apt install coturn

A firewall rule needs to be added to allow coturn to function:

$ sudo ufw allow Turnserver

Edit /etc/default/coturn so that coturn starts at boot as a system daemon.

#
# Uncomment it if you want to have the turnserver running as 
# an automatic system service daemon
#
TURNSERVER_ENABLED=1

Now write the turnserver config. There is a lot of commenting in the default file; you can ignore that and just paste the following lines, then edit them to your needs. Provided they are filled out correctly, they will result in a working TURN server. [/etc/turnserver.conf]

listening-ip=<server ip>
relay-ip=<server ip>
listening-port=3478
tls-listening-port=5349
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=<enter generated secret here>
realm=sub.domain.tld
total-quota=100
bps-capacity=0
stale-nonce
cert=/etc/letsencrypt/live/sub.domain.tld/fullchain.pem
pkey=/etc/letsencrypt/live/sub.domain.tld/privkey.pem
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
no-stun
no-loopback-peers
no-multicast-peers

Restart coturn

$ sudo systemctl restart coturn

Once you are done, install the Talk app in the web client, then in the admin settings, add the server URL and the secret that you generated earlier.
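As an added example (not the page's own or coturn's code), the following script generates a value for static-auth-secret and shows how the time-limited credentials that use-auth-secret expects are derived from that shared secret, which is why it must be identical in turnserver.conf and in the Talk settings. Function names, the secret and the user names are the example's own constructions.

```shell
#!/bin/sh
# Added example, not from the wiki page or the coturn/Nextcloud projects.
# coturn with use-auth-secret implements the TURN REST API credential scheme:
#   username = "<expiry unix time>:<user>"
#   password = base64(HMAC-SHA1(static-auth-secret, username))
# Nextcloud Talk derives credentials this way from the secret pasted into its
# settings, so both sides must hold the same secret. Needs openssl and base64;
# every secret and user name below is constructed.

# 32 random bytes, hex encoded: use this for static-auth-secret= and for Talk.
generate_turn_secret() {
    openssl rand -hex 32
}

# HMAC-SHA1 of message $2 under key $1, as lowercase hex (for test vectors).
turn_hmac_hex() {
    printf '%s' "$2" | openssl dgst -sha1 -hmac "$1" | sed 's/^.* //'
}

# Ephemeral username/password for a user, given the shared secret, a lifetime
# in seconds (24h here) and optionally a fixed "now" for reproducible output.
turn_credentials() {
    secret="$1"; user="$2"; ttl="${3:-86400}"; now="${4:-$(date +%s)}"
    username="$((now + ttl)):${user}"
    password=$(printf '%s' "$username" | openssl dgst -sha1 -hmac "$secret" -binary | base64)
    printf '%s %s\n' "$username" "$password"
}

# True when a credential's embedded expiry has passed: coturn rejects such a
# username, which is the first thing to check when clients stop relaying.
turn_credential_expired() {
    [ "${1%%:*}" -le "$(date +%s)" ]
}

# Usage: sh turn-creds.sh <secret> <user> [ttl]
if [ "$#" -ge 2 ]; then turn_credentials "$@"; fi
```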

Source: HowTo: Setup Nextcloud Talk with TURN server

webapps/nextcloud_18.04.1580652843.txt.gz · Last modified: 2021/06/18 16:36 (external edit)