HELP I am too stupid to setup Nextcloud

Hi,

I have been trying to get Nextcloud up and running for me and my family for months now.
I was tinkering with it on and off, but I don't seem to be able to set it up the right way.
My “basic need” is to have Nextcloud running on Ubuntu 20.04 LTS inside Oracle VirtualBox, with access only via HTTPS 443 with a valid certificate.
Sounds easy, right? But I struggle way too hard.
I get Nextcloud to run with HTTP 80 just fine, but HTTPS no way…
Not even mentioning at this point the hassle of creating a certificate and getting this stuff to run…

At the moment I successfully get it to run with HTTP; port forwarding is fine, the VM is fine, moving the data directory and managing permissions is also fine.

If someone could provide me with a step-by-step guide that really includes everything I need, I would be super thankful!
All the guides out there sending you from one guide to another are not helpful unless you have some sort of degree or something in Linux in the first place.
Really, really frustrating…

Like I said, please help me out - sooooo close to paying Google my money instead of hosting stuff myself :frowning:

https://docs.nextcloudpi.com/en/how-to-get-certificate-with-letsencrypt-using-dns-to-verify-domain/

hey! I can relate to your frustration. I found the learning curve a bumpy road, and it is still a bumpy road, as sometimes things break and then I have no clue why or what to do about it. No tutorial I have ever seen is 100% solid in that regard, and things can still break once it is running. That’s only fun if you are up for all of that. If you are not up for that, I can recommend you consider a Nextcloud provider. You can find them listed here: https://nextcloud.com/signup/

Hey, thanks for the replies.
After my last post I sat down one final time and got it to run.
I really want to write a guide about all the steps, from setting up the share on the Windows system, installing a VM or using WSL2, configuring Ubuntu, installing the LAMP stack and finally installing and setting up Nextcloud, but that may take some time :frowning:
Edit: port forwarding, firewall, etc.

After going through all of this I think it's not that hard, but the guides out there are not sufficient.
They only tell you certain parts and fail to explain how things work together in the end and what the consequences and reasons behind some settings are.

But before I do all this I need to test some more settings with CIFS ACLs, SSL, certificates and so on, and need a better understanding of Linux / NC security.

If you feel like contributing in some shape or form let me know.

Happy new Year everyone :wink:

glad you solved the problem.

In general, self-hosting involves a really high learning curve and requires continuous time investment. If you are looking for a VM running your Nextcloud, maybe the official VM (switch to the “Appliance” tab) or the Hansson IT VM with more features is worth a look… no need to struggle with your own manual steps… I’m happy with my NC running as a Docker container as well (it was a hard learning curve for me as well, but once you get the point it just works!).

Just saying… if you are happy with your solution, go on… this is the good thing with open source - you choose the way you use it!

happy new year!

I’ll check out the VMs you mentioned, thanks.
Tried Docker the other day as well, but need some more testing here.
Personally I am really hyped about WSL on Windows and how it works, because for me as of now it seems to be the least resource-hungry VM solution.
And as a Windows guy that will be my final goal :wink:
For now I am settling with Oracle VM.

Most trouble-free for sure is running Linux natively on bare metal when it comes to self-hosting NC.

A native Linux solution would be the best performing, and you don’t have to deal with all the virtualization layers and Windows :wink: It is a different world, but for such stuff with servers, different RAID systems, copy-on-write filesystems, backup, … it needs some learning, and virtual machines can be a good entry point.

I have no real-world experience with WSL and only know the new version should work pretty well - but I bet it’s not intended to run a server solution 24/7 - as long as it works for you: great!

But running Linux software definitely forces you to get in touch with it at some level… deeper is better! Once you hit some unpredicted situation you will be happy you know how to access the shell of your system, how to find the data in the filesystem and how to search the database…

absolute truth, as every abstraction layer (virtualization) costs you performance, but in my eyes performance is hardly a limit for common private setups - lots of people are happy with their NC installation on a RasPi - everything depends on your usage and expectations… at least you can start with the hardware you have now and improve pretty easily in case you need to.

With all kinds of virtualization your daily operations improve, with great flexibility for important things you might overlook at first glance:

  • another instance for testing - new versions, apps etc.,
  • restore (test) without touching production system…
  • easier disaster recovery (restore/rebuild on other hardware)

all of these are impossible with bare metal until you have other hardware which is pretty similar to the production piece…

Congratulations! It must feel good now it’s all up :smiley: Cheers!

True, but full hardware virtualization is still very expensive. If you are on Linux environments, there are “cheaper” options, or even the jails on *BSD.

Thanks all of you for your replies.
I did spend a couple of days now reading through guides and tried to security-harden and performance-optimize Nextcloud according to the various guides, but mainly the official Nextcloud docs.

I still face two issues which I do not understand and struggle to find guidance for (my exact configuration can be found at the end of this post):

  1. Server is not configured for “/.well-known/caldav” … which seems to be a problem with the .htaccess file and php-fpm, but I cannot resolve it.
    Documentation says: “Nextcloud comes with its own nextcloud/.htaccess file. Because php-fpm can’t read PHP settings in .htaccess these settings and permissions must be set in the nextcloud/.user.ini file.”, but that means nothing to me honestly ^^

  2. Cannot get HTTP/2 / h2 to work.
    As soon as I run a2dismod php8.0 mpm_prefork and a2enmod mpm_event proxy_fcgi setenvif, it either starts to download a file called “Download” or gives me an invalid response, depending on the settings elsewhere.

Maybe someone much smarter than me can help with that?

Here are the steps I perform on a freshly installed Ubuntu 20.04 LTS server:

sudo mkdir /mnt/Nextcloud
sudo nano /etc/fstab

Add this to mount my Windows Share (I am aware of the security issues I have here):

//192.168.1.240/Nextcloud /mnt/Nextcloud cifs username=user,password=password,uid=33,gid=33,forceuid,forcegid,file_mode=0770,dir_mode=0770,noacl,noperm 0 0

sudo mount -a
sudo apt install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
sudo add-apt-repository 'deb [arch=amd64] Index of /repo/10.5/ubuntu/ focal main'
sudo apt update
sudo apt upgrade
sudo apt install unzip fail2ban apache2 php8.0 mariadb-server mariadb-client libapache2-mod-php php8.0-curl php8.0-mbstring php8.0-gd php8.0-zip php8.0-bz2 php8.0-intl php8.0-common php8.0-xml php8.0-mysql php8.0-bcmath php8.0-gmp php8.0-imagick php-apcu php8.0-apcu redis-server php-redis php8.0-redis libapache2-mod-fcgid php-fpm php8.0-fpm htop
sudo usermod -a -G redis www-data
sudo nano /etc/redis/redis.conf

Search for requirepass and set a password:

requirepass myredispassword

sudo service redis-server restart
sudo service mysql start
sudo mysql_secure_installation
sudo mysql

Paste the following:

create database nextcloud;
create user user@localhost identified by 'mydatabasepw';
grant all privileges on nextcloud.* to user@localhost identified by 'mydatabasepw';
flush privileges;
exit;

sudo service apache2 start
sudo a2enmod php8.0 ssl headers socache_shmcb env dir mime http2
sudo nano /etc/apache2/apache2.conf

Add this to the end of the conf:

LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_fcgi_module /usr/lib/apache2/modules/mod_proxy_fcgi.so

sudo nano /etc/apache2/mods-available/fcgid.conf

Replace the content of fcgid.conf with this:

FcgidConnectTimeout 20
AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php
Alias /php8-fcgi /usr/lib/cgi-bin/php8-fcgi
AddHandler fcgid-script .fcgi

sudo nano /etc/php/8.0/fpm/pool.d/www.conf

Search for the following values and enable / uncomment them, changing the values if needed:

clear_env = no
pm.max_children = 16
pm.start_servers = 4
pm.min_spare_servers = 4
pm.max_spare_servers = 12

wget -P /tmp https://download.nextcloud.com/server/releases/nextcloud-23.0.0.zip
sudo unzip /tmp/nextcloud-23.0.0.zip -d /var/www
sudo chown www-data:www-data /var/www/nextcloud -R
sudo nano /etc/apache2/sites-available/nextcloud.conf

Create the nextcloud.conf with the Mozilla Intermediate config for SSL and all the other suggested stuff from various guides (sorry for the bad formatting: the last IfModule has the <> but I had to remove them due to format issues here in the forum):

# generated 2022-01-04, Mozilla Guideline v5.6, Apache 2.4.41, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&guideline=5.6
# this configuration requires mod_ssl, mod_socache_shmcb and mod_headers

<VirtualHost *:80>
    ServerName 192.168.1.187
    Redirect permanent / https://192.168.1.187
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/nextcloud"
    ServerName 192.168.1.187

    ErrorLog ${APACHE_LOG_DIR}/nextcloud.error
    CustomLog ${APACHE_LOG_DIR}/nextcloud.access combined

    SSLEngine on

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateFile      /mnt/Nextcloud/cert.pem
    SSLCertificateKeyFile   /mnt/Nextcloud/key.pem

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory /var/www/nextcloud/>
        Require all granted
        Options FollowSymlinks MultiViews
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
        Satisfy Any
    </Directory>

    <IfModule mod_fcgid.c>
        Options +ExecCGI
        FcgidConnectTimeout 20
        AddType application/x-httpd-php .php
        AddHandler application/x-httpd-php .php
        Alias /php8-fcgi /usr/lib/cgi-bin/php8-fcgi
        # hand every .php request to php-fpm over its unix socket
        ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/run/php/php8.0-fpm.sock|fcgi://localhost/var/www/nextcloud/"
    </IfModule>
</VirtualHost>

# intermediate configuration (server-wide, outside the VirtualHost)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

sudo a2ensite nextcloud.conf
sudo service apache2 reload
sudo nano /etc/fail2ban/filter.d/nextcloud.conf

Creating the fail2ban configs:

[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

sudo nano /etc/fail2ban/jail.d/nextcloud.local

[nextcloud]
# "systemd" would read the journal and ignore logpath; "auto" follows the file below
backend = auto
enabled = true
port = 443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /mnt/Nextcloud/nextcloud.log

sudo service fail2ban restart

This is now the point where I fire up the browser for the first time and setup nextcloud using the web interface.
After it is done I go back to the command line and proceed with php.ini and config.php settings.

sudo nano /etc/php/8.0/apache2/php.ini

Search for the values and uncomment / change them:

memory_limit = 512M
opcache.enable = 1
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.memory_consumption = 128
opcache.save_comments = 1
opcache.revalidate_freq = 1

sudo nano /var/www/nextcloud/config/config.php

Add this to the config.php:

'default_phone_region' => 'AT',
'memcache.local' => '\OC\Memcache\APCu',
'filelocking.enabled' => true,
'memcache.locking' => '\OC\Memcache\Redis',
'redis' =>
array (
  'host' => '127.0.0.1',
  'port' => 6379,
  'password' => 'myredispassword',
  'timeout' => 0.0,
),

sudo service apache2 restart

And that's it! With the exception of the two issues mentioned before, Nextcloud runs fine, and as far as I can tell and verify, php-fpm, fail2ban, APCu and Redis are working properly.
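The fstab line above carries the CIFS password in clear text in a world-readable file. The standard mitigation is the `credentials=` option of mount.cifs, which reads username and password from a root-only file. This is an added example, not from the thread or from Nextcloud; the path /root/.smbcredentials is an assumption, and the share, mount point and mount options are the ones posted above.

```fstab
# /root/.smbcredentials  (assumed path; create it with: sudo touch /root/.smbcredentials && sudo chmod 600 /root/.smbcredentials)
# Contents, one key per line, as mount.cifs expects:
# username=user
# password=password

# /etc/fstab: the same mount as above, with the inline password replaced by credentials=
//192.168.1.240/Nextcloud /mnt/Nextcloud cifs credentials=/root/.smbcredentials,uid=33,gid=33,forceuid,forcegid,file_mode=0770,dir_mode=0770,noacl,noperm 0 0
```

After the change, `sudo mount -a` must still succeed; if it does not, the credentials file is usually the culprit (a trailing space after the password, or a mode that lets only a non-root user read it).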
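To see what the fail2ban filter above actually catches, here is an added Python example (not from the thread, not from Nextcloud or fail2ban) that expands the two failregex lines the same way fail2ban expands %(_groupsre)s, runs them over a few constructed nextcloud.log lines in the JSON format fail2ban reads, and counts hits per remote address against the jail's maxretry = 3. fail2ban substitutes its own, much broader address pattern for <HOST>; the IPv4/IPv6-literal pattern used here is a simplified stand-in (an assumption), and the log lines are constructed, not captured.

```python
import re
from collections import Counter

# %(_groupsre)s from the posted /etc/fail2ban/filter.d/nextcloud.conf:
# a run of zero or more JSON key/value pairs with string or bare-word values
GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
# simplified stand-in for fail2ban's <HOST> token (assumption): IPv4/IPv6 literals only
HOST = r'(?P<host>[0-9a-fA-F.:]+)'

# the two failregex lines, with <HOST> and %(_groupsre)s substituted
FAILREGEX = [
    ("Login failed",
     re.compile(r'^\{' + GROUPSRE + r',?\s*"remoteAddr":"' + HOST + '"'
                + GROUPSRE + r',?\s*"message":"Login failed:')),
    ("Trusted domain error",
     re.compile(r'^\{' + GROUPSRE + r',?\s*"remoteAddr":"' + HOST + '"'
                + GROUPSRE + r',?\s*"message":"Trusted domain error.')),
]

# Constructed sample of nextcloud.log: three failed logins from one address,
# one trusted-domain error from another, and one benign cron line.
SAMPLE_LOG = [
    r'{"reqId":"r1","level":2,"time":"2022-01-04T10:00:00+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: admin (Remote IP: 203.0.113.5)","userAgent":"curl/7.68.0","version":"23.0.0.10"}',
    r'{"reqId":"r2","level":2,"time":"2022-01-04T10:00:01+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: admin (Remote IP: 203.0.113.5)","userAgent":"curl/7.68.0","version":"23.0.0.10"}',
    r'{"reqId":"r3","level":2,"time":"2022-01-04T10:00:02+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: root (Remote IP: 203.0.113.5)","userAgent":"curl/7.68.0","version":"23.0.0.10"}',
    r'{"reqId":"r4","level":2,"time":"2022-01-04T10:03:00+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"192.168.1.187\" tried to access using \"nextcloud.lan\" as host.","userAgent":"Mozilla/5.0","version":"23.0.0.10"}',
    r'{"reqId":"r5","level":1,"time":"2022-01-04T10:05:00+00:00","remoteAddr":"127.0.0.1","user":"--","app":"cron","method":"GET","url":"/cron.php","message":"Finished cron run","userAgent":"--","version":"23.0.0.10"}',
]


def scan(lines):
    """Return (host, label) for every log line that one of the failregex lines matches."""
    hits = []
    for line in lines:
        for label, rx in FAILREGEX:
            m = rx.match(line)
            if m:
                hits.append((m.group("host"), label))
                break
    return hits


def hosts_to_ban(hits, maxretry=3):
    """Hosts that reached maxretry matches (the jail.d value above) inside one findtime window."""
    counts = Counter(host for host, _ in hits)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for host, label in hits:
        print(f"{host:15} {label}")
    print("would ban:", hosts_to_ban(hits))
```

On a live box the same check is `fail2ban-regex /mnt/Nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf`, which prints how many lines each failregex matched; zero matches on a log that visibly contains "Login failed:" usually means the quotes in the filter were pasted as typographic quotes.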

I'm no Linux whizz, but following this guide was a piece of cake to get everything up and running, including the cert. There is a guide and a video:
guide - Nextcloud – Complete Setup Guide – LearnLinuxTV
video - https://youtu.be/y4dtcr2NL5M

I think you need a redirect (301), but at the first step (Apache2) the system cannot find it. Please read this and test the apache2 settings for the 301 redirect.

Have you activated it?

sudo a2enmod http2
Or read perhaps this

Sorry, I never configured it.
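The 301 redirect suggested above is the one the Nextcloud admin manual (service discovery section) uses to clear the "/.well-known/caldav" and "/.well-known/carddav" warnings. The snippet below is an added example, not from the thread; it assumes the vhost posted earlier (DocumentRoot /var/www/nextcloud, ServerName 192.168.1.187) and goes inside the <VirtualHost *:443> block. The .htaccess that ships with Nextcloud contains equivalent RewriteRules, but they only take effect when mod_rewrite is enabled (`sudo a2enmod rewrite`, which is not in the a2enmod list posted above) and AllowOverride All is set for the directory, which that vhost already has.

```apache
# inside <VirtualHost *:443>, next to DocumentRoot "/var/www/nextcloud"
<IfModule mod_rewrite.c>
    RewriteEngine on
    # CalDAV/CardDAV clients probe these URLs; send them to Nextcloud's DAV endpoint
    RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav  https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
</IfModule>
```

After `sudo apache2ctl configtest` and `sudo service apache2 reload`, `curl -I -s -k https://192.168.1.187/.well-known/caldav` should answer with a 301 whose `location:` header points at /remote.php/dav/; the Nextcloud admin overview page re-checks the same URL and drops the warning once it gets that answer.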

Thanks! Yes http2 was enabled.
I even see that when the issue appears it is in fact using h2 as protocol which is meaningless if the website does not work :slight_smile:
So I guess I enabled h2 but at the same time broke my php / nextcloud / apache somehow.

Regarding the redirect (301) I will do some testing and come back to this post when I learned something.

Have you tested it:
curl -I --http2 -s https://domain.com/ | grep HTTP

OK so I added the 301 redirect to my nextcloud.conf and restarted apache2.
No change in behavior…

I tested http2 simply with Google Chrome at the client side.
Opening developer Tools with F12 and looking for the protocol in use (with the config posted above it uses http1.1 when I change to http2 it says h2 but gives me an error response).
The curl command you posted does nothing for me (not even an error) - since I am pretty lame with Linux what should be the desired outcome?

OK, with no output there is no HTTP in the answer. Test it again (with your domain) and without grep:
curl -I --http2 -s https://domain.com/

This is what it looks like for me, both at the command line and in the browser:
[image]

EDIT: I seem to have used the wrong “Answer” button, sorry.
And also I checked the 301 redirect config again and this works now.
So one issue solved one to go :wink: Thanks so far.

Like I said answered to the h2 curl stuff with a picture - please have a look.