Thanks all of you for your replies.
I have now spent a couple of days reading through guides and tried to security harden and performance optimize Nextcloud according to the various guides, but mainly the official Nextcloud docs.
I still face two issues which I do not understand and struggle to find guidance for (my exact configuration can be found at the end of this post):
- Server is not configured for "/.well-known/caldav" … which seems to be a problem with the .htaccess file and php-fpm, but I cannot resolve it. The documentation says: "Nextcloud comes with its own nextcloud/.htaccess file. Because php-fpm can't read PHP settings in .htaccess these settings and permissions must be set in the nextcloud/.user.ini file.", but that means nothing to me honestly ^^
- Cannot get http2 / h2 to work. As soon as I `a2dismod php8.0 mpm_prefork` and `a2enmod mpm_event proxy_fcgi setenvif`, it either starts to download a file called "Download" or gives me an invalid response, depending on the settings elsewhere.
Maybe someone much smarter than me can help with that?
Here are the steps I perform on a freshly installed Ubuntu 20.04 LTS server:
```shell
sudo mkdir /mnt/Nextcloud
sudo nano /etc/fstab
```
Add this to mount my Windows Share (I am aware of the security issues I have here):
```
//192.168.1.240/Nextcloud /mnt/Nextcloud cifs username=user,password=password,uid=33,gid=33,forceuid,forcegid,file_mode=0770,dir_mode=0770,noacl,noperm 0 0
```
```shell
sudo mount -a
sudo apt install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
sudo add-apt-repository 'deb [arch=amd64] Index of /repo/10.5/ubuntu/ focal main'
sudo apt update
sudo apt upgrade
sudo apt install unzip fail2ban apache2 php8.0 mariadb-server mariadb-client libapache2-mod-php php8.0-curl php8.0-mbstring php8.0-gd php8.0-zip php8.0-bz2 php8.0-intl php8.0-common php8.0-xml php8.0-mysql php8.0-bcmath php8.0-gmp php8.0-imagick php-apcu php8.0-apcu redis-server php-redis php8.0-redis libapache2-mod-fcgid php-fpm php8.0-fpm htop
sudo usermod -a -G redis www-data
sudo nano /etc/redis/redis.conf
```
Search for requirepass and set a password:
```
requirepass myredispassword
```
```shell
sudo service redis-server restart
sudo service mysql start
sudo mysql_secure_installation
sudo mysql
```
Paste the following:
```sql
create database nextcloud;
create user user@localhost identified by 'mydatabasepw';
grant all privileges on nextcloud.* to user@localhost identified by 'mydatabasepw';
flush privileges;
exit;
```
```shell
sudo service apache2 start
sudo a2enmod php8.0 ssl headers socache_shmcb env dir mime http2
sudo nano /etc/apache2/apache2.conf
```
Add this to the end of the conf:
```apache
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_fcgi_module /usr/lib/apache2/modules/mod_proxy_fcgi.so
```
```shell
sudo nano /etc/apache2/mods-available/fcgid.conf
```
Replace the content of fcgid.conf with this:
```apache
FcgidConnectTimeout 20
AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php
Alias /php8-fcgi /usr/lib/cgi-bin/php8-fcgi
AddHandler fcgid-script .fcgi
```
```shell
sudo nano /etc/php/8.0/fpm/pool.d/www.conf
```
Search for the values, enable / uncomment them and change the values if needed:
```ini
clear_env = no
pm.max_children = 16
pm.start_servers = 4
pm.min_spare_servers = 4
pm.max_spare_servers = 12
```
```shell
wget -P /tmp https://download.nextcloud.com/server/releases/nextcloud-23.0.0.zip
sudo unzip /tmp/nextcloud-23.0.0.zip -d /var/www
sudo chown www-data:www-data /var/www/nextcloud -R
sudo nano /etc/apache2/sites-available/nextcloud.conf
```
Create the nextcloud.conf with the Mozilla intermediate config for SSL and all the other suggested stuff from various guides (sorry for the bad formatting: the last IfModule has the <> but I had to remove it due to format issues here in the forum):
```apache
# generated 2022-01-04, Mozilla Guideline v5.6, Apache 2.4.41, OpenSSL 1.1.1k, intermediate configuration
# this configuration requires mod_ssl, mod_socache_shmcb and mod_headers
<VirtualHost *:80>
    ServerName 192.168.1.187
    Redirect permanent / https://192.168.1.187
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/nextcloud"
    ServerName 192.168.1.187
    ErrorLog ${APACHE_LOG_DIR}/nextcloud.error
    CustomLog ${APACHE_LOG_DIR}/nextcloud.access combined

    SSLEngine on
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateFile /mnt/Nextcloud/cert.pem
    SSLCertificateKeyFile /mnt/Nextcloud/key.pem

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory /var/www/nextcloud/>
        Require all granted
        Options FollowSymlinks MultiViews
        AllowOverride All
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
        Satisfy Any
    </Directory>

    <IfModule mod_fcgid.c>
        Options +ExecCGI
        FcgidConnectTimeout 20
        AddType application/x-httpd-php .php
        AddHandler application/x-httpd-php .php
        Alias /php8-fcgi /usr/lib/cgi-bin/php8-fcgi
        # hand every .php request to the php-fpm unix socket
        ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/run/php/php8.0-fpm.sock|fcgi://localhost/var/www/nextcloud/"
    </IfModule>
</VirtualHost>

# intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
```
```shell
sudo a2ensite nextcloud.conf
sudo service apache2 reload
sudo nano /etc/fail2ban/filter.d/nextcloud.conf
```
Creating the fail2ban configs:
```ini
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
```
```shell
sudo nano /etc/fail2ban/jail.d/nextcloud.local
```
```ini
[nextcloud]
backend = systemd
enabled = true
port = 443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /mnt/Nextcloud/nextcloud.log
```
```shell
sudo service fail2ban restart
```
This is now the point where I fire up the browser for the first time and set up Nextcloud using the web interface.
After it is done I go back to the command line and proceed with the php.ini and config.php settings.
```shell
sudo nano /etc/php/8.0/apache2/php.ini
```
Search for the values, uncomment them and change them:
```ini
memory_limit = 512M
opcache.enable = 1
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.memory_consumption = 128
opcache.save_comments = 1
opcache.revalidate_freq = 1
```
```shell
sudo nano /var/www/nextcloud/config/config.php
```
Add this to the config.php:
```php
'default_phone_region' => 'AT',
'memcache.local' => '\OC\Memcache\APCu',
'filelocking.enabled' => true,
'memcache.locking' => '\OC\Memcache\Redis',
'redis' =>
array (
  'host' => '127.0.0.1',
  'port' => 6379,
  'password' => 'myredispassword',
  'timeout' => 0.0,
),
```
```shell
sudo service apache2 restart
```
And that's it! With the exception of the two issues mentioned before, Nextcloud runs fine and, as far as I can tell and verify, php-fpm, fail2ban, APCu and Redis are working properly.
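As an added example that is not part of the post above (and not fail2ban's or Nextcloud's own code): the fail2ban filter and jail settings from the post, re-implemented in Python and run over a few constructed nextcloud.log lines, so the detection logic (which lines count as failures, and when maxretry inside findtime is reached) can be checked offline before it is deployed. The `HOST_RE` stand-in for fail2ban's `<HOST>` tag, the `_entry` helper and the sample addresses are assumptions of this example; fail2ban's real `<HOST>` pattern also accepts hostnames, and the script processes lines in file order.

```python
import re
from datetime import datetime, timedelta

# fail2ban substitutes its <HOST> tag with a pattern capturing the client
# address into a named group "host". Simplified stand-in (assumption): IPv4/IPv6
# characters only; fail2ban's own pattern is broader and also matches hostnames.
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"

# The _groupsre helper and the two failregex lines of the filter, with the
# %(_groupsre)s interpolation that fail2ban performs done by Python's % operator.
GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
FAILREGEX = [
    r'^\{%(g)s,?\s*"remoteAddr":"<HOST>"%(g)s,?\s*"message":"Login failed:' % {"g": GROUPSRE},
    r'^\{%(g)s,?\s*"remoteAddr":"<HOST>"%(g)s,?\s*"message":"Trusted domain error.' % {"g": GROUPSRE},
]

# The filter's datepattern, as a Python regex capturing the ISO 8601 timestamp.
DATEPATTERN = re.compile(
    r',?\s*"time"\s*:\s*"(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:?\d{2})?)"'
)


def compile_failregex(host_re=HOST_RE):
    """Expand <HOST> the way fail2ban does and compile the filter's regexes."""
    return [re.compile(r.replace("<HOST>", host_re)) for r in FAILREGEX]


def match_line(line, patterns):
    """Return (host, timestamp) if the log line matches a failregex, else None."""
    for pattern in patterns:
        m = pattern.match(line)  # failregex lines are anchored at line start
        if m:
            t = DATEPATTERN.search(line)
            ts = datetime.fromisoformat(t.group(1)) if t else None
            return m.group("host"), ts
    return None


def offenders(lines, maxretry=3, findtime=43200, patterns=None):
    """Apply the jail policy from the post: a host is reported once it has
    maxretry matching lines inside a sliding window of findtime seconds.
    Lines are expected in chronological order, as they are in the log file."""
    patterns = patterns or compile_failregex()
    window = timedelta(seconds=findtime)
    recent = {}   # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        hit = match_line(line, patterns)
        if hit is None or hit[1] is None:
            continue  # not a failure line, or no usable timestamp
        host, ts = hit
        stamps = [t for t in recent.get(host, []) if ts - t <= window]
        stamps.append(ts)
        recent[host] = stamps
        if len(stamps) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def _entry(time, addr, message, level=2):
    """Constructed nextcloud.log line in its one-JSON-object-per-line layout."""
    return ('{"reqId":"x1","level":%d,"time":"%s","remoteAddr":"%s","user":"--",'
            '"app":"core","method":"POST","url":"/login","message":"%s",'
            '"userAgent":"curl/7.68.0","version":"23.0.0.10"}'
            % (level, time, addr, message))


# Constructed sample log (documentation-range addresses), in time order.
SAMPLE_LOG = [
    _entry("2022-01-04T00:00:00+00:00", "192.0.2.9", "Login failed: 'admin' (Remote IP: '192.0.2.9')"),
    _entry("2022-01-04T05:00:00+00:00", "192.0.2.9", "Login failed: 'admin' (Remote IP: '192.0.2.9')"),
    _entry("2022-01-04T10:00:00+00:00", "203.0.113.5", "Login failed: 'alice' (Remote IP: '203.0.113.5')"),
    _entry("2022-01-04T10:00:05+00:00", "203.0.113.5", "Login failed: 'alice' (Remote IP: '203.0.113.5')"),
    _entry("2022-01-04T10:00:09+00:00", "198.51.100.7", "Trusted domain error. Client tried to access using evil.example as host."),
    _entry("2022-01-04T10:00:12+00:00", "203.0.113.5", "Exception: something unrelated went wrong", level=3),
    _entry("2022-01-04T10:00:20+00:00", "203.0.113.5", "Login failed: 'alice' (Remote IP: '203.0.113.5')"),
    # 13 hours after the first 192.0.2.9 failure: outside the 12 h findtime window
    _entry("2022-01-04T13:00:00+00:00", "192.0.2.9", "Login failed: 'admin' (Remote IP: '192.0.2.9')"),
]

if __name__ == "__main__":
    for host in offenders(SAMPLE_LOG):
        print("would ban", host)
```

With the jail's values (maxretry = 3, findtime = 43200) only 203.0.113.5 crosses the threshold: 192.0.2.9 also fails three times, but its first failure has already left the 12-hour window when the third arrives, which is exactly the trade-off the findtime setting encodes. Feeding real lines from nextcloud.log through `match_line` is a quick way to confirm the filter still matches after a Nextcloud upgrade changes the log format.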