Install instructions for Nextcloud on Debian Buster with nginx

I would like to install Nextcloud on a Linode VM with Debian Buster that already has nginx instead of apache installed for use by Mattermost. Can anyone provide a link to the best installation instructions for this scenario?

Thanks,
Dennis

https://www.c-rieger.de/


Thanks much, I have a few questions:

In the nginx conf file /etc/nginx/nginx.conf:
I just have one IP address for my server. You have the entries:
1. set_real_ip_from 192.168.2.0/24; Do I just set my IP address here or is this for subnet determination? The last 3 digits of my IP address are 220.
2. resolver 192.168.2.1; Do I just set my IP address here or do I leave it as is?
I am not sure what to put for these fields as I have only one IP address for the server.

In the /etc/mysql/my.cnf:
I have mysql installed and it is working for Mattermost. Do I really need to install mariadb over mysql or can I use this sample my.cnf for mysql with the following considerations? You have some entries such as,
1. log_bin = /var/log/mysql/mariadb-bin
2. log_bin_index = /var/log/mysql/mariadb-bin.index
3. slow_query_log_file = /var/log/mysql/mariadb-slow.log
Does mysql have the same functionality and can I change the name to "mysql" in the file name or delete the entries?

In the file you created the file /etc/nginx/conf.d/nextcloud.conf. It seems that other install instructions for nginx put the config file in /etc/nginx/sites-available. Does it matter? My mattermost conf file is in that location.

if you have a working setup you leave everything as it is here.

this is used if you run your server in NAT environment. it defines the subnet.

this is the ip address of a DNS server.

no. you can't. the packages would remove each other.

if you have a working mysql/mariadb it's fine.

nevertheless you have to meet some requirements. check the docs.

https://docs.nextcloud.com/server/17/admin_manual/configuration_database/linux_database_configuration.html#configuring-a-mysql-or-mariadb-database

this is important:

transaction_isolation = READ-COMMITTED
binlog_format = ROW

but don't change mysql to mariadb in any path.

you have to check the include statements in /etc/nginx/nginx.conf.
check if the files in /etc/nginx/sites-available are included or the links in /etc/nginx/sites-enabled.

try to create this file Nginx configuration — Nextcloud latest Administration Manual latest documentation in the same way as your mattermost.conf.
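
Added example (not part of the original reply, and not code from Nextcloud or nginx): one way to carry out the include check described above, reporting whether a file in sites-available is pulled in by nginx.conf directly or through a symlink in sites-enabled. The function names and the ROOT argument (a stand-in for /etc/nginx) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: is a site file actually loaded by nginx.conf?
# ROOT is a stand-in for /etc/nginx so the check can also run on a copy (assumption).

# included_files ROOT: print each existing file matched by an uncommented
# `include` directive in ROOT/nginx.conf.
included_files() {
    root=$1
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$root/nginx.conf" |
    while read -r pattern; do
        case $pattern in
            /etc/nginx/*) pattern=$root/${pattern#/etc/nginx/} ;;  # remap onto ROOT
            /*) ;;                                                  # other absolute path
            *) pattern=$root/$pattern ;;                            # relative to conf dir
        esac
        for f in $pattern; do        # unquoted on purpose: expand the glob
            if [ -e "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# site_is_loaded ROOT SITE: 0 if sites-available/SITE is included directly or
# through a symlink, 1 if it is not, 2 if the file does not exist.
site_is_loaded() {
    root=$1 site=$2
    [ -f "$root/sites-available/$site" ] || return 2
    target=$(readlink -f "$root/sites-available/$site")
    for f in $(included_files "$root"); do   # paths with spaces are not handled
        [ "$(readlink -f "$f")" = "$target" ] && return 0
    done
    return 1
}

# usage: site_is_loaded /etc/nginx nextcloud && echo "nextcloud is loaded"
```

On the live host, `nginx -T` prints the complete configuration nginx has loaded, which answers the same question for every server block at once.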

Hello,
I have been having problems with getting Nextcloud to work side by side with Mattermost using Nginx.

I have a WordPress website on a hosting service using domain name of [domain name] of the form *.org. I installed Mattermost with nginx on a Linode linode (VM, I think) on a server with IP address of [server ip address]. It is working fine. I then tried to install Nextcloud. On the WordPress host site DNS Zone Editor I created records of mattermost.[domain name] that points to [server ip address] and nextcloud.[domain name] that points to [server ip address]; both records are of type A.

However, I am missing something. Browser calls to nextcloud.[domain name] always get redirected to mattermost.[domain name] and mattermost appears.

Can someone give me an idea of what I am missing or have wrong? Any help is appreciated. Below are the contents of the 2 nginx config files for mattermost and nextcloud.

Thank you,
Dennis

/etc/nginx/nginx.conf has the includes needed for the below

/etc/nginx/sites-available/mattermost:

upstream backend {
server [server ip address]:8065;
keepalive 32;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

server {
listen 80 default_server;
server_name mattermost.[domain name];
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name mattermost.[domain name];

ssl on;
ssl_certificate /etc/letsencrypt/live/mattermost.[domain name]/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mattermost.[domain name]/privkey.pem;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them

ssl_stapling on;
ssl_stapling_verify on;

location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
proxy_pass http://backend;
}

location / {
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
proxy_pass http://backend;
}
}

/etc/nginx/sites-available/nextcloud

upstream php-handler {
#server 127.0.0.1:9000;
server unix:/run/php/php7.3-fpm.sock;
}

server {
	listen 80;
	server_name nextcloud.[domain name];
	root /var/www/nextcloud;
	index index.htm index.html;

	location / {
		try_files $uri $uri/ =404;
	}
}

server {
listen 443 ssl;
server_name nextcloud.[domain name];

ssl_certificate /etc/letsencrypt/live/mattermost.[domain name]/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mattermost.[domain name]/privkey.pem;

# Path to the root of your installation
root /var/www/nextcloud/;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
rewrite ^/.well-known/caldav /remote.php/dav/ permanent;

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}

location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}

location / {

rewrite ^/remote/(.*) /remote.php last;

rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

try_files $uri $uri/ =404;
}

location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}

# Optional: Don't log access to other assets
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
access_log off;
}
}


Sorry, I garbled something. The addresses used in the browser were mattermost.[domainname] and nextcloud.[domainname].

I was able to edit the previous post.

I got past that and onto the nextcloud signup page.

Any ideas on the problems with connecting to mysql or the .htaccess file?

That link (URL REMOVED - Spam-protection [JK]) appears to be a crap URL attempting to force the visitor to install browser plugins that first claims to perform a security check (with no way around it), and then informs the user that they will now be redirected to Google to install a plugin that will change the user's default search engine.

Me personally? I consider this SPAM and Malware - I advise people not to attempt to visit that URL, and even when you eventually try to click out (if you wait following the so-called security check, which apparently is nothing more than a fingerprinting session), Google will send you to riegers.com which is a distillery.

That's just really bad juju man. Again... SPAM and Malware as far as I'm concerned!

@riegerCLOUD has a "new" web page in German: https://www.c-rieger.de/
i don't know what happened to his English pages.

so better remove the broken links. :wink:

Rieger just told me that he is only on c-rieger.de for a longer time, now.
@Bradley thanks for letting us know about the problems with that link. We're working on a solution (which would most prolly mean removing those links somehow)

update: thanks to my suggestion his English sites are on again... you can find them under https://english.c-rieger.de

@JimmyKater that is fantastic!

I was loathe to run the German version through libretranslate, and figured that I'll just tough it out since I can glean what's going on in the code blocks, but it's really good to know that he's posted a version I can also refer to others I know.

disclaimer: Although I have no affiliation to the dev or site in the following link, I did find that he's got a pretty good and comprehensive tut for installing NextCloud with Nginx:

https://Linuxbabe.com - I'll leave the user to decide which particular tut is best for them, since the dev often publishes a tut for canonical OS as well as the proper Debian distro as well. I believe there's some good CentOS coverage as well.

There's a fantastic cookbook style tut at YouTube by Jay of learnlinux.tv w/Apache here:

His HowTo is presented in a very easy to follow and patient way. I actually would have preferred to follow this line of methodology since NextCloud itself publishes installation and maintenance primarily with Apache in mind, but this would have necessitated me either moving all of the existing sites on that server over to Apache VirtualHosts or installing Apache to listen on say, 127.0.0.2 and Nginx to listen on 127.0.0.1 w/both behind HAProxy, and a couple of tweaks would be necessary to pass IPv6 traffic to Apache via IPv4 since IPv6 only supports ::1 on loopback. Then there would be the Certbot matters to attend to for proxy related matters too.

Anyway, thanks again for the heads up and reference to the English version of the c-rieger.de :slight_smile:

One thing I would like to mention in this era of Cybersquatters and such, if you're going to abandon a domain, considering what will probably happen to that domain the moment it comes out of redemption and into the pool of available domain names, if folks would (if possible) consider extending their registrations for at least two years or so and putting in HTTP 301 redirects to where their new content will be hosted. Doing so will go a long way toward alleviating the surprises that I came across earlier.

I expect I'll be somewhat active here in the coming weeks since I have been tasked with migrating and upgrading a site with NextCloud 11 or 12 IIRC. That might be a real mess, and these forums have been really an excellent resource the few times I've actually needed assistance with NextCloud.

but be careful - those sites aren't maintained anymore.