[CLOSED] Arch Server: NGINX+Nextcloud configuration Problems

Hello everyone,
I have finally found the time to set up my own nextcloud server and I am quite excited.
As I have been using Arch Linux for 7 years, I installed it and started getting all programs installed as well as configured. I use a LEMP stack, featuring the nginx-mainline package, and MariaDB for the SQL database.

I consulted this popular youtube video for more in-depth configuration:

I have so far:

  • Installed Linux, nginx, MariaDB, php-fpm, php-gd and nextcloud
  • Configured these programs to the best of my abilities
  • Set up an A record on my domain (let's say “foobar.com”) that I wish to host my server on.
  • Used DDclient / Certbot to handle DNS and SSL
  • Gotten nginx to display its standard web page by accessing my purchased domain url, while being ssl encrypted

Here’s the problem however:
No matter what I do, I simply can not get nginx to use the nextcloud php page stored in /usr/share/webapps/nextcloud/...

As described in the video as well as on many sources online, I added a nextcloud configuration file to the nginx directory, then included it in the nginx.conf file. There I changed the server_name variable to my domain and added the ssl certificate information. But to no avail…

Here is my current configuration:

/etc/nginx/nginx.conf

#user html;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/conf.d/nextcloud.conf;
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    types_hash_max_size 4096;
    types_hash_bucket_size 128;

    #gzip  on;

    server {
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            root           /usr/share/nginx/html;
            fastcgi_pass   unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/foobar.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/foobar.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
#}
}

/etc/nginx/conf.d/nextcloud.conf

server {
    listen 80;
    server_name foobar.com;

    # Add headers to serve security related headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    #root /usr/share/nginx/nextcloud/;
    root /usr/share/webapps/nextcloud/;


    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
      allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
       rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
       deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
       deny all;
     }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
       include fastcgi_params;
       fastcgi_split_path_info ^(.+\.php)(/.*)$;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param PATH_INFO $fastcgi_path_info;
       #Avoid sending the security headers twice
       fastcgi_param modHeadersAvailable true;
       fastcgi_param front_controller_active true;
       fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
       fastcgi_intercept_errors on;
       fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Result:

I know that I just bombarded your eyes with mile long config files, asking for help. And I am not nearly as knowledgeable about Server configurations as I maybe should be, but I hope someone out there will be able to spot my mistake and help get this server up and running!

Best Regards,
Runcrow.

you’ll find the needed nginx config here: Nginx configuration — Nextcloud latest Administration Manual latest documentation

should work also on arch.

you should remove the “server { }” sections from “/etc/nginx/nginx.conf”

or have a look at [URL REMOVED - Spam-protection [JK]] the nginx part should be unique to all linux flavors.

Well I have removed the server { } section, now I get this when I access my url:

I don’t really know how to use those standard configs, as I use certbot to generate SSL certificates, which automatically appends them to the nginx config file. I also don’t know if this is related to this at all.

I tried checking the log in /var/log/nextcloud.log, but it is empty. I don’t have a www-data group defined, I used the http group instead. Does nextcloud automatically try writing to the system in the www-data group, or can I assign which group nextcloud uses?

you removed only this? conf.d/nextcloud.conf is unchanged?

replace

    ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
    ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;

with this

    ssl_certificate /etc/letsencrypt/live/foobar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/foobar.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

but you should look what’s in /etc/letsencrypt/options-ssl-nginx.conf. maybe it’s already in the nextcloud.conf from the doc page. most likely it’s stuff like add_header Strict-Transport-Security ...

no. your error is related to the php-fpm settings/connection.

upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php/php7.2-fpm.sock;
}
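The reply above points at the nginx-to-php-fpm connection, which is what a 502 from nginx usually means: nginx accepted the request but could not reach the backend named by fastcgi_pass (or by the upstream's server line). The script below is an added example, not code from this thread or from the Nextcloud documentation. It extracts every fastcgi_pass and upstream server target from the nginx config files you pass it and checks that each one exists; the sample config it runs against when called without arguments is constructed to mix the TCP upstream from the docs with the unix socket from the poster's config. The php-fpm pool file path /etc/php/php-fpm.d/www.conf is the Arch location as I know it and is only read if present.

```shell
#!/bin/sh
# Added example (not from the thread): list the backends nginx hands PHP to and
# check that each one exists. A missing socket or a closed port is what nginx
# reports as "502 Bad Gateway".

# Print every fastcgi_pass target and every "server" line of an upstream {}
# block found in the given config files, one per line. A named upstream such
# as "php-handler" is skipped; its member "server" lines are the real targets.
fastcgi_targets() {
    grep -hE '^[[:space:]]*(fastcgi_pass|server)[[:space:]]+' "$@" \
      | sed -E 's/^[[:space:]]*(fastcgi_pass|server)[[:space:]]+([^; ]+).*/\2/' \
      | grep -E '^unix:|:[0-9]+$' \
      | sort -u
}

# Return 0 when one target is reachable: a unix: target must be a socket file;
# a host:port target must accept a TCP connection (bash's /dev/tcp is used for
# that; under a plain POSIX sh the TCP check just reports failure).
target_ok() {
    case "$1" in
        unix:*)
            [ -S "${1#unix:}" ]
            ;;
        *)
            host=${1%:*}
            port=${1##*:}
            (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null
            ;;
    esac
}

# Check every backend referenced by the config files and show what php-fpm is
# configured to listen on, so a socket-vs-TCP mismatch becomes visible.
check_php_backend() {
    rc=0
    for t in $(fastcgi_targets "$@"); do
        if target_ok "$t"; then
            echo "ok   $t"
        else
            echo "FAIL $t  (nginx will answer 502 for PHP requests)"
            rc=1
        fi
    done
    # Arch's pool config (assumed path); its listen= must match a target above.
    pool=/etc/php/php-fpm.d/www.conf
    [ -r "$pool" ] && grep -E '^[[:space:]]*listen[[:space:]]*=' "$pool" | sed 's/^/php-fpm: /'
    return $rc
}

# Without arguments, run against a constructed sample; otherwise check the
# config files given on the command line (e.g. /etc/nginx/nginx.conf and
# /etc/nginx/conf.d/nextcloud.conf).
if [ $# -eq 0 ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
upstream php-handler {
    server 127.0.0.1:9000;
}
server {
    server_name foobar.com;
    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    }
}
EOF
    check_php_backend "$sample" || :
    rm -f "$sample"
else
    check_php_backend "$@"
fi
```

A FAIL line for every target means php-fpm is not running at all (check `systemctl status php-fpm`), while one ok and one FAIL means nginx and php-fpm disagree about socket versus TCP: pick one side and make the pool's listen= and the nginx target agree. When a unix socket exists but nginx still gets 502, the remaining suspects are the socket's owner and mode versus the user nginx runs as, which is the ps -ef question raised later in the thread.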

yes. because nextcloud is not running. so it won’t write anything to its logs.

check the nginx log.

nextcloud doesn’t write anything. it’s the nginx process. and you didn’t define a “nginx user”
did you check with ps -ef or ps aux under which user nginx is running?

Thanks for your help so far, but it’s just not working yet.

After removing the # in front of user html; I get this error:
1595#1595: getpwnam("html") failed in /etc/nginx/nginx.conf:2

I did find the ssl certificates in the letsencrypt folder and have added them like you posted, this seems to have worked.

Could you please elaborate on what I am supposed to look for in the output of ps aux or ps -ef ?

Currently with the new nextcloud.conf the only thing I am getting when accessing my url is:
502

you may look into /etc/passwd if there is a user nginx and/or www-data.
then you have to check who is the owner of your nextcloud directory /usr/share/webapps/nextcloud.

that should be the user in your config.

could you share the output of ps -ef | grep php?

Hey, it’s all good. I decided to ditch Arch for Ubuntu, and use Apache2 instead of Nginx. A lot less hassle. Now it works fine, thanks.

or have a look at: ReinerNippes · GitHub :wink:

For anyone attempting the same, it is related to php 7.4 and described in the Nextcloud Arch wiki page.

https://wiki.archlinux.org/index.php/Nextcloud#Explicitly_permit_Nextcloud_directories_for_php-fpm

Since version 7.4 php-fpm is hardened by default and revokes read/write access on /usr (and sub-directories). Therefore it is also necessary to explicitly give permissions on /usr/share/webapps/nextcloud directories and the Nextcloud data directory.
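The hardening described in that last post comes from systemd sandboxing in the php-fpm service unit (ProtectSystem= mounts /usr read-only for the service), and the usual fix is a drop-in that re-grants write access with ReadWritePaths= for exactly the directories Nextcloud must write to. The script below is an added example, not the thread's or the Arch wiki's own text: it renders that drop-in and can check whether an existing drop-in already covers a given path. The list of directories (apps, config and the data directory) and the data directory path /var/lib/nextcloud/data are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example (not from the thread): write the systemd drop-in that gives
# php-fpm write access to the Nextcloud directories hidden by ProtectSystem=,
# and check whether a drop-in already covers a given path.

NC_ROOT=${NC_ROOT:-/usr/share/webapps/nextcloud}   # Arch package location (from the thread)
NC_DATA=${NC_DATA:-/var/lib/nextcloud/data}        # assumed data directory; set yours

# Print the drop-in. Only the directories Nextcloud must write to are re-opened;
# the rest of /usr stays read-only, which is the point of the hardening.
render_override() {
    printf '[Service]\n'
    for p in "$NC_ROOT/apps" "$NC_ROOT/config" "$NC_DATA"; do
        printf 'ReadWritePaths=%s\n' "$p"
    done
}

# Return 0 if the drop-in in $1 grants read/write on $2, either as that exact
# path or as one of its parents. systemd allows several space-separated paths
# per ReadWritePaths= line, so each line is split before matching.
covers_path() {
    file=$1
    want=$2
    grep -E '^ReadWritePaths=' "$file" \
      | sed 's/^ReadWritePaths=//' \
      | tr ' ' '\n' \
      | while read -r granted; do
            [ -n "$granted" ] || continue
            case "$want" in
                "$granted"|"$granted"/*) echo hit ;;
            esac
        done \
      | grep -q hit
}

# Write the drop-in into the unit's .d directory (or into the directory given
# as $1, which is what the self-check below uses).
install_override() {
    dir=${1:-/etc/systemd/system/php-fpm.service.d}
    mkdir -p "$dir"
    render_override > "$dir/nextcloud.conf"
    echo "wrote $dir/nextcloud.conf"
    echo "apply with: systemctl daemon-reload && systemctl restart php-fpm"
}

# Without an argument only show what would be written; pass a directory to install.
if [ $# -eq 0 ]; then
    render_override
else
    install_override "$1"
fi
```

After `systemctl daemon-reload` and a restart, `systemctl show php-fpm.service -p ProtectSystem -p ReadWritePaths` shows whether the drop-in took effect. Keep the list narrow: granting ReadWritePaths on the whole of /usr would undo the sandboxing rather than make an exception to it, and the Nextcloud code directories other than apps and config have no reason to be writable by the PHP process.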