Yeah I know it is old fashioned, but I like my Nextcloud to run bare metal
The goal of this guide is to have no warnings in the admin center and the instance should get a perfect security score from scan.nextcloud.com.
Amazing. Please also include a Let's Encrypt cert without opening port 80 and 443. It's possible:
https://www.c-rieger.de/lets-encrypt-zertifikate-ohne-tcp-ports-80-und-443/
Cheers.
DNS-based Let's Encrypt has some disadvantages over certs for each domain. That is why I personally don't use it.
I also fail to see what upside there is of not having Port 80 and 443 to be open. They have to be open for Nextcloud anyway.
My ISP has blocked all ports. I'm behind strict CGNAT. Anyway, can I use this setup with Caddy and Tailscale? Could you please make a guide for that?
Thanks for sharing
Hi @A4all
CG-NAT makes hosting over IPv4 impossible. That includes VPNs or proxies.
Unfortunately I am not familiar with Tailscale.
There are some ways how you can address your CG-NAT problem:
Why not just use c-rieger's installation guide, or his installation script if it suits your case better?
Or just use @saettel.beifuss0's tutorial, and at the point where Certbot is used, use acme.sh with the DNS challenge instead, and either adapt the paths in the acme.sh command to the paths in @saettel.beifuss0's Apache Config, or adapt the paths in the Apache Config to the paths in C-Rieger's acme command.
It is unlikely that you will find a tutorial that exactly fits your use case and infrastructure that you can just copy and paste down to the last detail. You should try to understand at least the basics of what these tutorials do and be able to adapt simple things like a certificate path in a web server configuration to your needs, otherwise you will have a hard time maintaining the thing once it is up and running. A manually installed Nextcloud instance is not a "set it and forget it" solution.
While I do think that my tutorial should fit most use cases and infrastructure, and that you mostly should not have a hard time maintaining it, I agree with @bb77 that you should understand the commands and not just blindly copy paste them. That is why I tried to explain every single command we use.
If you understand the commands and requirements @A4all, you also will understand that simply getting the cert from DNS instead of the challenge as described in my tutorial will not help you at all. Sure, you then have a valid cert, but the routing to your Nextcloud is still not possible with CG-NAT.
Nice and thanks for posting! I'm getting an error in setting up the database step 1. Error message: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INDENTIFIED BY '"inserted pwd placeholder"'' at line 1
Any ideas?
The error tells you, you have an error in the syntax.
Since it also tells you that the error is near IDENTIFIED BY, my guess would be that it is not step 1 but this line
CREATE USER 'x_database_user'@'localhost' IDENTIFIED BY 'x_database_password';
Are you sure you inserted the right values and have set the apostrophes correctly?
Should be something like this:
CREATE USER 'marathon'@'localhost' IDENTIFIED BY '42kminunderfourhours';
Yes that is where the error is and my 1st step. Assuming the tutorial is correct I inserted my value for username and pwd. My pwd uses "", so I'm using this '" '" format.
I know it should work as it did before. However "identified" is different than most other syntax I've seen
I guess I'll use another tut with different syntax that I know works.
I made it work using the following syntax:
MariaDB [(none)]> CREATE USER 'xxxx'@'localhost' IDENTIFIED BY '"xxxx xxxx"';
So you did the exact same syntax as described in the tutorial and it worked?
No but seriously, you just have to start and end with a single apostrophe, something like 'password'.
By these apostrophes, the SQL syntax knows that this is a value.
To use ' you could either use a backslash or double the '
Like 'Men''s world'
or 'Men\'s World'
But since this password is only used locally (@localhost) and stored in an unencrypted config file, I would not bother creating a secure password anyway
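The quoting rules from the replies above, as an added example that is not part of the thread or the tutorial: a small helper that turns any password into a valid single-quoted MariaDB literal and assembles the `CREATE USER` statement. The function names, the `nc_example` account and the sample passwords are assumptions made for illustration.

```python
"""Build a MariaDB CREATE USER statement with correctly quoted values."""


def quote_sql_string(value: str, backslash_escapes: bool = True) -> str:
    """Return value as a single-quoted MariaDB string literal.

    A single quote inside the value is doubled, which works in every
    sql_mode. With the default sql_mode a backslash starts an escape
    sequence inside a literal, so it is doubled as well; pass
    backslash_escapes=False if the server runs with NO_BACKSLASH_ESCAPES.
    Double quotes need no treatment inside a single-quoted literal.
    """
    if "\x00" in value:
        raise ValueError("NUL byte not allowed in a string literal")
    if backslash_escapes:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"


def create_user_sql(user: str, host: str, password: str) -> str:
    """Assemble the CREATE USER statement with every value quoted."""
    return "CREATE USER {}@{} IDENTIFIED BY {};".format(
        quote_sql_string(user),
        quote_sql_string(host),
        quote_sql_string(password),
    )


if __name__ == "__main__":
    # Constructed sample passwords (hypothetical, not values from the thread).
    for pw in ["Men's world", '"two words"', "back\\slash"]:
        print(create_user_sql("nc_example", "localhost", pw))
```

The printed statement can be pasted into the `MariaDB [(none)]>` prompt as is; the same password then goes unescaped into Nextcloud's database settings.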
Just wanted to give a big thanks to this Github guide. I have been trying to set up Nextcloud (30) on a Proxmox Ubuntu VM for some time now with an NFS data share. Despite following multiple guides, reading the documentation and many, many tries, I was never truly successful. That is, until I found this guide.
This guide provides an excellent blueprint for getting things set up. Thank you! I still have a few issues to track down since my configuration is sitting behind a pfSense HA Proxy. But I am finally at a point where I can truly begin exploring Nextcloud and all of its features.
The effort, documentation and guide is greatly appreciated. Thank you!!!
Awww thank you for all the kind words
Unfortunately I can't help you with HA Proxy, since I never used that.
But maybe this still helps:
I would really reconsider doing the reverse proxy on pfSense.
I moved my NGINX into a Debian VM.
I had my NGINX on my OPNsense and it was a pita.
This is probably not the fault of OPNsense, but for a newcomer, reverse proxy is complicated enough. If you don't have multiple services, I would probably not even use a proxy and just Apache on the Nextcloud VM.
Actually, my HA Proxy setup is working quite well on pfSense. Using HA Proxy on pfSense for my personally hosted services also took me quite some time to setup. It too, is not simple or straightforward but it is working very well now.
As for Nextcloud, it is generally working quite well using your guide. I did not install an SSL cert so I still have the HTTP error but scan.nextcloud.com responds with an A rating when accessing it externally. I suppose I should install a self-hosted certificate to remove the error.
I also am using an NFS NAS share for my data folder. I still occasionally get the NC can't create the data folder error but it is sporadic. Things do seem to be working though. This is for personal/family use so I can deal with it.
Thanks again for a wonderful write up.
Not sure about your current setup, but normally you would get a Let's Encrypt cert via Certbot for your HA proxy. It does not matter if the proxy redirects to http and is unencrypted internally. scan.nextcloud.com can't and won't detect that.
I actually updated the overwrite URL in config.php to include "https" and the error is gone. Thank you.
Yes, that you have to do anyway.
Just to make sure, you did follow my Tutorial behind a NGINX proxy?
Even if you don't use NGINX, use my NGINX tutorial and just adjust the NGINX stuff. But there is other reverse proxy stuff in that too, that also applies to HA Proxy.
I used to use NGINX Proxy Manager until I finally figured out how to properly configure HA Proxy on my pfSense router. It's one less environment for me to update and manage and it's centrally located on my pfSense router. HA Proxy was not simple to setup properly on pfSense. It took me multiple tries, Google searches and YouTube videos to finally get it. But it all works now. NGINX PM is definitely simpler to setup.