Since the last guide for installing Nextcloud on Debian 8.5, the complete step by step manual, was pretty popular, I have now created a step-by-step guide for installing and configuring Nextcloud on a freshly installed Debian 9 (Stretch) server. In my other guide I also configured WebRTC and TURN, but for now I only have a Nextcloud configuration. The guide already contains some modules (PHP) for WebRTC so I might add it in the future. The guide is pretty straightforward. I'm not gonna bore you with why I install and configure the things I install. It's just the way I do it. Follow every step and you have a pretty secure Nextcloud installation.
Again, like the first guide, just install a clean Debian 9 Stretch server with nothing more than ssh-server and standard system utilities. If you're installing on VMware, also install open-vm-tools (apt install open-vm-tools).
When you're logged in, I always su - to root.
Install the packages for apache, mariadb, php
apt install vim unzip sudo
apt install apache2 mariadb-server libapache2-mod-php
apt install php-gd php-json php-mysql php-curl
apt install php-intl php-mcrypt php-imagick
apt install php-zip php-xmlwriter php-xmlreader php-xml php-mbstring php-simplexml
Download the latest nextcloud version, unzip it, and move it to /var/www
wget https://download.nextcloud.com/server/releases/latest.zip
unzip latest.zip
mv nextcloud/ /var/www
Enable the SSL module and create a self-signed SSL certificate. If you want to fill in all the questions when you create the certificate, you may, but you can also just press Enter through all the questions. It works either way.
a2enmod ssl
a2ensite default-ssl
mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key
Set the file permissions for the certificate files to 600
chmod 600 /etc/apache2/ssl/apache.*
Optional, as suggested by @MichaIng. You could also use Let's Encrypt. This is a free service to generate signed certificates you can use on your server. Be sure you don't already have certificates you or your company bought on the domain name you want to use. If there already is a certificate you won't be able to sign a new certificate on the same domain name! I haven't tested this configuration myself yet.
apt install python-certbot-apache
certbot --apache
Create a configuration file for apache.
cd /etc/apache2/sites-available/
wget -O nextcloud.conf https://raw.githubusercontent.com/dicenl/nextcloud/master/vhost.conf
Change the settings in nextcloud.conf to match your url/server settings and then create a symbolic link to enable the nextcloud configuration.
vi nextcloud.conf
ln -s /etc/apache2/sites-available/nextcloud.conf /etc/apache2/sites-enabled/nextcloud.conf
Enable the following Apache modules. The last 3 are necessary for the WebRTC configuration (not configured in this guide yet!). If you don't want to enable these, you also need to remove the configuration from nextcloud.conf (<Location /webrtc> to RequestHeader).
a2enmod rewrite
a2enmod headers
a2enmod env
a2enmod dir
a2enmod mime
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_wstunnel
Change to the nextcloud directory
cd /var/www/nextcloud/
Set up folder permissions, the easy way. We'll fix it later on with the strong permission script.
chown www-data:www-data . -R
Restart apache and mariadb and enable them so they automatically start at boot
systemctl restart apache2
systemctl enable apache2
systemctl restart mariadb
systemctl enable mariadb
Now make your mariadb/mysql configuration a bit more secure. Also set a root password.
mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n]
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n]
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
Now you can create an empty database so we can run the occ install script
mysql -u root -p
CREATE DATABASE nextcloud;
GRANT ALL ON nextcloud.* to 'nextcloud'@'localhost' IDENTIFIED BY 'YOURdbPASSWORD';
FLUSH PRIVILEGES;
exit
Run the command below to start the nextcloud installation.
sudo -u www-data php occ maintenance:install --database "mysql" --database-name "nextcloud" --database-user "nextcloud" --database-pass "YOURdbPASSWORD" --admin-user "ncadmin" --admin-pass "YOURadminPASSWORD"
To be able to open your Nextcloud you need to add your FQDN or IP address to the trusted domains section in config.php. You can add multiple entries, just increase the number in front of the line.
vi /var/www/nextcloud/config/config.php
'trusted_domains' =>
array (
  0 => 'localhost',
  1 => 'host.domain.nl',
),
'datadirectory' => '/var/nc_data',
We also want to move the /var/www/nextcloud/data folder to /var/nc_data (or any other mount point you desire)
mv /var/www/nextcloud/data /var/nc_data
Now as promised, the secure folder and file permissions
vi /var/www/nc_perm.sh
Add the script below to the nc_perm.sh file. If you changed the data folder to another location, you need to change it in the script also.
#!/bin/bash
# Install location, data directory and the accounts that should own them
ncpath='/var/www/nextcloud'
ncdata='/var/nc_data'
htuser='www-data'
htgroup='www-data'
rootuser='root'
printf "Creating possible missing Directories\n"
mkdir -p "${ncpath}/data"
mkdir -p "${ncpath}/updater"
# Files 0640, directories 0750: nothing is readable by "other"
printf "chmod Files and Directories\n"
find "${ncpath}" -type f -print0 | xargs -0 chmod 0640
find "${ncpath}" -type d -print0 | xargs -0 chmod 0750
find "${ncdata}" -type f -print0 | xargs -0 chmod 0640
find "${ncdata}" -type d -print0 | xargs -0 chmod 0750
# Code is owned by root; only the directories Nextcloud must write to go to the web server user
printf "chown Directories\n"
chown -R "${rootuser}:${htgroup}" "${ncpath}"
chown -R "${htuser}:${htgroup}" "${ncpath}/apps/"
chown -R "${htuser}:${htgroup}" "${ncpath}/config/"
chown -R "${htuser}:${htgroup}" "${ncdata}/"
chown -R "${htuser}:${htgroup}" "${ncpath}/themes/"
chown -R "${htuser}:${htgroup}" "${ncpath}/updater/"
chmod +x "${ncpath}/occ"
printf "chmod/chown .htaccess\n"
if [ -f "${ncpath}/.htaccess" ]
then
    chmod 0644 "${ncpath}/.htaccess"
    chown "${rootuser}:${htgroup}" "${ncpath}/.htaccess"
fi
if [ -f "${ncdata}/.htaccess" ]
then
    chmod 0644 "${ncdata}/.htaccess"
    chown "${rootuser}:${htgroup}" "${ncdata}/.htaccess"
fi
## END SCRIPT
chmod 750 /var/www/nc_perm.sh
Execute the script
/var/www/nc_perm.sh
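A quick check that the script left the modes it promises, as an added example that is not part of the original guide. The function names are made up for this example, and the web server group is passed in as an argument.

```shell
#!/bin/bash
# Added example: audit a tree against the modes nc_perm.sh sets.
# nc_perm_findings and nc_perm_count are hypothetical helper names.

# usage: nc_perm_findings <ncpath-or-ncdata> <group>
# Prints every path that deviates from the guide's permission model.
nc_perm_findings() {
    # Directories must be exactly 0750.
    find "$1" -type d ! -perm 0750 -print
    # Files must be 0640, apart from the two exceptions nc_perm.sh makes
    # on purpose: the top-level .htaccess (0644) and occ (chmod +x).
    find "$1" -type f ! -perm 0640 \
        ! \( -path "$1/.htaccess" -perm 0644 \) \
        ! \( -path "$1/occ" -perm -0100 \) -print
    # Anything outside the web server group, or writable by "other".
    # Symlinks are skipped because their own mode bits are always 0777.
    find "$1" ! -type l \( ! -group "$2" -o -perm -0002 \) -print
}

# usage: nc_perm_count <path> <group>
# Number of distinct paths with at least one finding.
nc_perm_count() {
    nc_perm_findings "$1" "$2" | sort -u | wc -l | tr -d ' '
}

# Report on the guide's two locations when they exist on this machine.
for d in /var/www/nextcloud /var/nc_data; do
    if [ -d "$d" ]; then
        nc_perm_findings "$d" www-data | sort -u
    fi
done
```

An empty report means every file and directory matches the model; any path printed is worth a look before the server goes online.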
Add the opcache configuration to your php.ini. Add it at the end of the file just before ; Local Variables:
vi /etc/php/7.0/apache2/php.ini
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
Now just restart apache2 one more time. You can now go to your browser and enter the URL to log in to Nextcloud with the credentials you provided in the installation command.
systemctl restart apache2
If you followed the guide to the letter, you now have a Debian 9 Stretch server with the latest Nextcloud, secured with a self-signed certificate. The only thing we didn't configure is memory cache. If you want to know how to configure this you can check the Server Tuning section by clicking the link in the admin page of Nextcloud.
If your server is directly connected to the internet you might want to configure ufw. It's an uncomplicated firewall to complement this uncomplicated installation guide. Don't forget to allow ssh or you won't be able to connect with a terminal client anymore.
apt install ufw
ufw allow ssh
ufw allow http
ufw allow https
ufw enable
Optional: if you experience performance issues with a large amount of image and/or video files you might want to check the MariaDB settings @pete.dawgg suggests in his post here
Manual Update:
As mentioned, I always update my Nextcloud servers manually. The updater is a very easy to use feature in Nextcloud, but I always want to know what happens and how it works so I always do it manually.
First set nextcloud in maintenance mode and then remove the old nextcloud folders:
cd /var/www/nextcloud
sudo -u www-data ./occ maintenance:mode --on
rm 3rdparty/ apps/ AUTHORS console.php COPYING-AGPL core/ cron.php db_structure.xml index.php l10n/ lib/ occ ocs ocs-provider/ *.php settings/ themes/ updater/ -Rf
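Now download the latest nextcloud, unzip it, and copy it into the right folder. /var/www/nextcloud still exists and holds config/, so moving the unpacked folder onto it with mv fails with "Directory not empty"; copy the contents instead.
cd /tmp
wget https://download.nextcloud.com/server/releases/latest.zip
unzip latest.zip
cp -R nextcloud/. /var/www/nextcloud/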
After this you run the permissions script
/var/www/nc_perm.sh
And now run the update command from the command line and turn maintenance mode off:
cd /var/www/nextcloud
sudo -u www-data php ./occ upgrade
sudo -u www-data php ./occ maintenance:mode --off
Now you can log in to your Nextcloud server again and check under the Admin menu if everything is working as expected.
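Both the installation and the manual update unzip latest.zip straight after wget. The function below is an added example, not part of the original guide, that checks the archive against a published SHA-256 before it is unpacked. The name verify_release and the companion file latest.zip.sha256 next to the archive are assumptions.

```shell
#!/bin/bash
# Added example: refuse to unpack an archive whose SHA-256 does not match.
# verify_release is a hypothetical helper name.

# usage: verify_release <archive> <sha256-file>
# returns 0 on match, 1 on mismatch, 2 when the checksum file is unusable.
# Only the hash field is compared, so the result does not depend on which
# file name the checksum line carries.
verify_release() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2" 2>/dev/null)
    # A missing, empty or non-hex first field must never count as a match.
    case "$expected" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Intended use with the guide's download step (assumed companion URL):
#   cd /tmp
#   wget https://download.nextcloud.com/server/releases/latest.zip
#   wget https://download.nextcloud.com/server/releases/latest.zip.sha256
#   verify_release latest.zip latest.zip.sha256 && unzip latest.zip
```

A checksum served from the same host catches a corrupted or truncated download, not a tampered server; a signature check is needed for that.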