Bare metal tutorial installation on Ubuntu 24.04.01 LTS with Apache2, PHP FPM, APCu, redis, and MariaDB, no Docker, no Snap

Yeah I know it is old fashioned, but I like my Nextcloud to run bare metal :grin:

The goal of this guide is to have no warnings in the admin center and the instance should get a perfect security score from scan.nextcloud.com.

Tutorial

same tutorial, but behind a NGINX proxy

4 Likes

Amazing. Please also include a Let's Encrypt cert without opening ports 80 and 443. It's possible:
https://www.c-rieger.de/lets-encrypt-zertifikate-ohne-tcp-ports-80-und-443/

Cheers.

DNS-based Let's Encrypt has some disadvantages over certs for each domain. That is why I personally don't use it.

I also fail to see what upside there is in not having ports 80 and 443 open. They have to be open for Nextcloud anyway.

My ISP has blocked all ports. I'm behind strict CGNAT. Anyway, can I use this setup with Caddy and Tailscale? Could you please make a guide for that?

Thanks for sharing :pray:

1 Like

Hi @A4all

CG-NAT makes hosting over IPv4 impossible. That includes VPNs or proxies.
Unfortunately I am not familiar with Tailscale.

There are some ways you can address your CG-NAT problem:

  • use IPv6 instead (but then all remote clients like your phone also need to support IPv6). This is by far the best solution in my opinion.
  • use some kind of VPN service that allows port forwarding. In my opinion a complex and wonky solution and probably also not free.
  • ask your ISP for a “gaming” or “NAS” IP. Sometimes free, sometimes 5$ a month.
  • get a new ISP that does not use CG-NAT
  • don’t host it yourself but on a rented VPS. In my opinion too expensive.

Why not just use c-rieger’s installation guide, or his installation script if it suits your case better?

Or just use @saettel.beifuss0’s tutorial, and at the point where Certbot is used, use acme.sh with the DNS challenge instead, and either adapt the paths in the acme.sh command to the paths in @saettel.beifuss0’s Apache Config, or adapt the paths in the Apache Config to the paths in C-Rieger’s acme command.

It is unlikely that you will find a tutorial that exactly fits your use case and infrastructure that you can just copy and paste down to the last detail. You should try to understand at least the basics of what these tutorials do and be able to adapt simple things like a certificate path in a web server configuration to your needs, otherwise you will have a hard time maintaining the thing once it is up and running. A manually installed Nextcloud instance is not a “set it and forget it” solution.

2 Likes

While I do think that my tutorial should fit most use cases and infrastructure, and that you mostly should not have a hard time maintaining it, I agree with @bb77 that you should understand the commands and not just blindly copy paste them. That is why I tried to explain every single command we use.

If you understand the commands and requirements @A4all, you also will understand that simply getting the cert from DNS instead of the challenge as described in my tutorial will not help you at all. Sure, you then have a valid cert, but the routing to your Nextcloud is still not possible with CG-NAT.

2 Likes

Nice and thanks for posting! I’m getting an error in setting up the database step 1. Error message: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘INDENTIFIED BY ‘“inserted pwd placeholder”’’ at line 1

Any ideas?

The error tells you, you have an error in the syntax.

Since it also tells you that the error is near IDENTIFIED BY, my guess would be that it is not step 1 but this line

CREATE USER 'x_database_user'@'localhost' IDENTIFIED BY 'x_database_password';

Are you sure you inserted the right values and have set the apostrophes correctly?

Should be something like this:
CREATE USER 'marathon'@'localhost' IDENTIFIED BY '42kminunderfourhours';

Yes that is where the error is and my 1st step. Assuming the tutorial is correct I inserted my value for username and pwd. My pwd uses “”, so I’m using this '" '" format.
I know it should work as it did before. However ‘identified’ is different than most other syntax I’ve seen

I guess I’ll use another tut with different syntax that I know works.

I made it work using the following syntax:

MariaDB [(none)]> CREATE USER 'xxxx'@'localhost' IDENTIFIED BY '"xxxx xxxx"';

1 Like

So you did the exact same syntax as described in the tutorial and it worked? :joy:

No but seriously, you just have to start and end with a single apostrophe, something like 'password'.
By these apostrophes, the SQL syntax knows that this is a value.
To use ' you could either use a backslash or double the '

Like 'Men''s world' or 'Men\'s World'.

But since this password is only used locally (@localhost) and stored in an unencrypted config file, I would not bother creating a secure password anyway :grinning:

3 Likes