Nextcloud is open source software that allows users to store their data: files, contacts, calendars, news feeds, to-do lists and much more. It is a tool for collaboration and sharing.
After completing this guide we are going to have the following:
- A newly installed Nextcloud server
- PHP caching provided by APCu and Redis
- Pretty Links
- SSL enabled with default self-signed certificates.
To follow along, you will need:
- An Ubuntu VPS with shell access and appropriate privileges
- A fully qualified subdomain name.
Nextcloud doesn’t really provide detailed information regarding the minimum requirements, only advising 512MB of RAM. In this guide, we will use a VPS with 2GB of memory and 20GB of disk space. The amount of storage space can always be increased depending on the amount of data that is to be stored.
Setting Up the Environment
We will use the following steps to set up our environment
Updating the server & Installing Software Packages; LAMP, APCu, Redis
Since this is a new server setup, it’s always a good idea to upgrade the server before we begin.
sudo apt update && sudo apt upgrade
NB: It is always good practice to create a non-root user account, assign sudo privileges to it and disable root login.
Here, we will be installing Apache, MySQL and PHP along with several Apache/PHP modules to ensure seamless collaboration between packages.
Before we run the command to install LAMP, we need to add the repositories for php7.3, certbot and the latest version of apache2. That can be done as follows:
sudo apt install -y software-properties-common
sudo add-apt-repository -y ppa:ondrej/php
sudo add-apt-repository -y ppa:ondrej/apache2
sudo add-apt-repository -y ppa:certbot/certbot
Now we can go ahead and install the LAMP stack
sudo apt install lamp-server^
The use of ^ (caret) in the package name is important as it indicates that the package being installed is a meta-package, that is, a number of programs bundled and installed together.
During the installation, you will be prompted to enter the root password for MySQL. Make sure you use a strong password. This password will be used later during Nextcloud setup.
Once the installation is complete, check to ensure that you are using a PHP version greater than 7.0. You can disable all other versions of PHP on the system. We will be using php7.3 in this guide.
Installing APCu and Redis
We will use the command below to do the installation
sudo apt install php-apcu redis-server php-redis
sudo apt update && sudo apt upgrade
Installing Required PHP modules
sudo apt install -y libapache2-mod-php7.3 php7.3-cli php7.3-common php7.3-mbstring php7.3-gd php-imagick php7.3-intl php7.3-bz2 php7.3-xml php7.3-mysql php7.3-zip php7.3-dev php7.3-curl php7.3-fpm php-dompdf php-apcu redis-server php-redis php-smbclient php7.3-ldap unzip nano python-certbot-apache certbot wget curl
Enabling Apache Modules
We need to enable a few apache modules to support our configuration. Once enabled, restart apache
sudo a2enmod rewrite headers env dir mime
sudo service apache2 restart
Before we proceed, we can check the IP address on the browser to confirm that Apache is indeed up and running. You should see something like this.
Currently the server is running on HTTP port 80. We can however configure it to be accessible via a subdomain and then secure the subdomain with SSL. We will use Let’s Encrypt to secure the subdomain.
NB: Make sure the DNS records for the domain are pointing to the IP address of your VPS. Kindly note that the changes may take some time to propagate. Hopefully propagation will be complete before we get to the point where we need to use it.
Let’s Encrypt offers a command line tool to issue certificates. Choose a location to download the Let’s Encrypt client and make sure it is executable.
cd /home/user/
sudo wget https://dl.eff.org/certbot-auto && sudo chmod a+x certbot-auto
Once the client is downloaded, run it as below
sudo ./certbot-auto --apache --agree-tos --rsa-key-size 4096 --email [email protected] --redirect -d subdomain.domain.com
--apache uses the Apache plugin to fully set up and integrate with the existing Apache configuration
--agree-tos simply pre-agrees to the TOS, preventing it popping up during installation
--rsa-key-size defines the length (and therefore security) of the RSA key. Default is 2048.
--email is the email address to register against the certificate (used for reminders by Let’s Encrypt)
--redirect will create both the SSL virtualhost configuration file and add a redirect for HTTP traffic to HTTPS (80 to 443)
-d is the domain to secure
Once the DNS changes have propagated, navigating to the domain allocated to the server will show an SSL-enabled site.
That’s pretty much all there is to it. Let’s Encrypt handles everything from certificate generation to Apache configuration, meaning nothing needs to be done beyond what’s illustrated above.
It is recommended that you add the following snippet to the Let’s Encrypt-created vhost.conf file for security purposes.
SetEnv HOME /var/www/html
SetEnv HTTP_HOME /var/www/html
Header always set Strict-Transport-Security "max-age=15768000; preload"
The text above may be pasted under the ServerName line in the file located at /etc/apache2/sites-available/000-default-le-ssl.conf
Since the certificate is only valid for 90 days, we can create a cron job to renew the certificate automatically as below
sudo crontab -e
0 0 * * 0 /home/user/certbot-auto renew
Before we proceed with installation of Nextcloud, kindly check your subdomain to ensure that it is accessible and SSL-secured.
With the server environment ready, we can now go on to install Nextcloud.
Navigate to the webroot directory and download and unzip the Nextcloud package as shown below:
cd /var/www/html/
sudo wget https://download.Nextcloud.com/server/releases/latest.zip
sudo unzip latest.zip
Once unzipped, there will be a nextcloud folder situated under /var/www/html/. At the moment it is owned by the root user. We need to change the ownership so that Apache can have write access.
sudo chown -R www-data:www-data /var/www/html/nextcloud
Creating the Nextcloud Database
Open a MySQL session using the following command
mysql -u root -p
The password is the one that was defined during the initial installation of the LAMP stack.
Now we can create a dedicated database and user using the following SQL commands
CREATE DATABASE nextcloud;
CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'database_password';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost';
Once that is done, exit the MySQL session.
On your browser, navigate to subdomain/nextcloud. Hopefully at this point the DNS changes have propagated.
If there are no errors then the installation has been a success. From here we will only need to provide the following details to complete the installation.
• a username and password for the admin account
• Location for the data directory
• database user as configured earlier – nextcloud
• database user password
• database name – nextcloud
• database location – localhost
NB: Data Directory
When selecting the location for the data directory, keeping it in the webroot is only secure provided the .htaccess rules work. By default Apache is set up so that these rules are not applied. If they are not applied, your data is publicly available, which is a huge security risk. We do not want that.
If the data directory is placed outside /var/www, ensure that the user www-data can write to it. The ownership of the data directory can be modified with the following command.
sudo chown -R www-data:www-data /path/to/data/directory
Once this is done, we can now finish the setup on the web interface and log in.
The .htaccess file doesn’t work because we’ve put Nextcloud in the main /var/www/html webroot, which is controlled by the apache2.conf file. By default it is set to disallow .htaccess overrides, so we need to change that by editing the apache2.conf file. Find the following block:
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
and change AllowOverride None to AllowOverride All:
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
Once done, save & quit and restart apache
sudo service apache2 restart
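One way to confirm which override setting reaches the data directory, as an added example that is not part of the original guide: the function below reads the Directory blocks of a config file and prints the AllowOverride value that applies to a given path. The function names, the sample config and the data directory path /var/www/html/nextcloud/data are assumptions made for illustration.

```shell
# Added example (not from the guide): print the AllowOverride value that applies
# to a path, from the plain-path <Directory> blocks of one config file.
# Assumption: wildcard/regex blocks, <DirectoryMatch> and included files are ignored.
effective_allowoverride() {    # usage: effective_allowoverride CONF PATH
    awk -v target="$2" '
        /^[ \t]*#/ { next }                          # skip comment lines
        tolower($1) == "<directory" {                # opening tag: remember its path
            dir = $2; gsub(/[">]/, "", dir)
            sub(/\/+$/, "", dir); if (dir == "") dir = "/"
            inblock = 1; next
        }
        tolower($1) ~ /^<\/directory/ { inblock = 0; next }
        inblock && tolower($1) == "allowoverride" {
            prefix = (dir == "/") ? "/" : (dir "/")
            # a block applies to its own path and everything below it;
            # the longest (most specific) matching path wins
            if (index(target "/", prefix) == 1 && length(dir) >= best) {
                best = length(dir); val = $0
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)
            }
        }
        END { print (val == "" ? "unset" : val) }    # unset behaves as None in Apache 2.4
    ' "$1"
}

# Constructed sample: the /var/www/ block from this guide plus an assumed root
# block; $1 is the AllowOverride value to put in the /var/www/ block.
sample_apache_conf() {
    cat <<EOF
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride $1
    Require all granted
</Directory>
EOF
}

tmp=$(mktemp)
for v in None All; do
    sample_apache_conf "$v" > "$tmp"
    echo "AllowOverride $v -> data dir: $(effective_allowoverride "$tmp" /var/www/html/nextcloud/data)"
done
rm -f "$tmp"
```

To use it on a real server, pass the path of your apache2.conf as the first argument. A result of None or unset means the .htaccess rules protecting a data directory inside the webroot are not applied.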
The difference in speed between a Nextcloud server without a cache and one with a cache is massive, especially when the file count becomes huge and more multimedia files find their way onto the server.
Caching is very important for maintaining speed and optimizing performance. APCu will handle the caching initially while Redis will manage file locking.
Once the amount of data grows and APCu starts demanding more resources, it would be recommended to configure Redis to take a more active role in distributed caching.
Now let’s configure both APCu and Redis having installed them already earlier on.
Open the Redis configuration file and make the following changes
sudo vim /etc/redis/redis.conf
Find and change port 6379 to port 0
Uncomment the following lines
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
While at the same time changing the permissions from 700 to 770
Save and quit.
Now add the Apache user www-data to the redis group as follows
sudo usermod -a -G redis www-data
Once that is done, restart Apache and the Redis server.
sudo service apache2 restart
sudo service redis-server restart
Check to confirm that Redis is up and running.
service redis-server status
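A quick check that the three redis.conf edits above are actually in effect, as an added example that is not part of the original guide. The function names and both sample files are constructed for illustration; the stock sample uses the values the guide says to change.

```shell
# Added example (not from the guide): check a redis.conf for the three edits made
# above. Assumption: one directive per line; included files are not followed.
redis_setting() {      # usage: redis_setting CONF KEY -> effective value, or empty
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # commented-out directives do not count
        tolower($1) == key { val = $2 }         # a later line overrides an earlier one
        END { print val }
    ' "$1"
}

audit_redis_conf() {   # prints one line per finding; returns 1 if there were any
    rc=0
    port=$(redis_setting "$1" port)
    sock=$(redis_setting "$1" unixsocket)
    perm=$(redis_setting "$1" unixsocketperm)
    # without a "port" line Redis listens on its default TCP port, 6379
    [ "${port:-6379}" = 0 ] || { echo "TCP listener enabled on port ${port:-6379}"; rc=1; }
    [ -n "$sock" ] || { echo "unixsocket is not set"; rc=1; }
    case "$perm" in
        770) ;;
        "")  echo "unixsocketperm is not set"; rc=1 ;;
        *)   echo "unixsocketperm is $perm, the guide sets 770"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed samples: "stock" has the values the guide says to change,
# "guide" is the file after the edits.
sample_redis_conf() {
    if [ "$1" = guide ]; then
        printf '%s\n' 'port 0' 'unixsocket /var/run/redis/redis.sock' 'unixsocketperm 770'
    else
        printf '%s\n' 'port 6379' '# unixsocket /var/run/redis/redis.sock' '# unixsocketperm 700'
    fi
}

tmp=$(mktemp)
for s in stock guide; do
    sample_redis_conf "$s" > "$tmp"
    if audit_redis_conf "$tmp"; then echo "$s: no findings"; else echo "$s: see findings above"; fi
done
rm -f "$tmp"
```

On the server, run audit_redis_conf /etc/redis/redis.conf. With port 0 and the socket at mode 770, only members of the redis group, which now includes www-data, can reach Redis.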
Once you have confirmed that redis is up and running, we can go ahead and add the caching configuration to the Nextcloud config file
Open the Nextcloud config
sudo vim /var/www/html/nextcloud/config/config.php
and add the following lines
'memcache.local' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'filelocking.enabled' => 'true',
'redis' => array (
  'host' => '/var/run/redis/redis.sock',
  'port' => 0,
  'timeout' => 0.0,
),
The changes may require a reboot to take effect. Before we do that we can enable redis to start on boot as follows:
sudo systemctl enable redis-server
With that, caching is now configured!
This isn’t a necessary step but it does add to the overall aesthetics of the server and the application.
Here we will just be removing the index.php in every URL. Let’s open the Nextcloud config and add the following.
sudo vim /var/www/html/nextcloud/config/config.php
'htaccess.RewriteBase' => '/nextcloud',
Finally, navigate to the following directory and run the command below:
cd /var/www/html/nextcloud
sudo -u www-data php occ maintenance:update:htaccess
You should get a notification that htaccess has been updated successfully
Refresh subdomain/nextcloud to confirm that the index.php has been removed from the URL page.
Updating Maximum Upload
This is an easy step to miss until we try to upload files that are bigger than the defined limit.
By default, PHP comes with a file-upload limit of 2MB. Since this is a personal cloud, we need to allow more flexibility to allow us to upload files that are bigger in size.
To do that, let’s open the PHP config file and update the upload limits as follows
sudo vim /etc/php/7.3/apache2/php.ini
upload_max_filesize = 2048M
post_max_size = 2058M
These figures can be tweaked to suit your requirements, however be sure to always give post_max_size a bit more than upload_max_filesize to prevent errors when uploading files that match the maximum allowed upload size.
Once done restart apache using sudo service apache2 restart
Nextcloud and PHP Opcache
Since Nextcloud version 12, additional configuration is required in order to correctly setup PHP Opcache.
You will get the following error until this is resolved
Re-open the php.ini and add the following at the bottom of the file
sudo vim /etc/php/7.3/apache2/php.ini
; Nextcloud Opcache settings
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
Save, quit and restart apache with sudo service apache2 restart
Note Regarding Encryption and Backups
As we are running our Nextcloud installation on a remote host, it’s a good idea to talk about encryption.
Encrypting your data guarantees that should anyone gain access to the data hosted on the server, the content of the files won’t be readable.
Encryption, however, is a complex topic far beyond the scope of this guide, and getting it wrong could lead to data loss.
Nextcloud server-side encryption is not recommended and it is advisable that you consider client-side encryption or any other method of enforcing OS filesystem encryption instead.
Kindly check out Nextcloud admin manual for more details regarding encryption.
You should never use Nextcloud as a replacement for your typical backup solutions. It is a tool for collaboration and sharing, and it’s not advisable to rely solely on it as the solution for protecting your data.
Never assume that your data is safe in some remote datacenter. Cloud service providers usually offer no liability and don’t take any responsibility for lost data should the server fail.
The Nextcloud admin manual outlines how to back up Nextcloud data, including the most critical files that need to be backed up. It also recommends some approaches for achieving that.
Nextcloud is a service platform that empowers self-hosting data and that gives it a big plus over the other solutions.
I hope you had as much fun as I did while doing the whole setup