Super nextcloud server ubuntu+nginx+clamav+firewall

NAT PORTS OPEN ON FIREWALL 22 80 443 8080 10000  — note: 22 (SSH) and 10000 (Webmin) are administrative ports; forward them only from trusted source addresses or put them behind a VPN rather than exposing them to the whole Internet. Nothing installed in this guide listens on 8080 and the ufw section at the end does not open it, so it can stay closed.

INSTALAR APT-FAST DOWNLOADER

# apt-fast is only a download accelerator for apt and is optional. Adding this
# PPA imports its signing key, so every package published in that personal
# archive becomes trusted by apt from now on -- skip it and use plain apt-get
# if that trust is not acceptable on this host.
sudo add-apt-repository ppa:saiarcot895/myppa
sudo apt-get update
sudo apt-get install -y apt-fast 

sudo nano /etc/apt-fast.conf
# Plain-http mirrors are acceptable here: apt checks the signed Release file and
# the package hashes regardless of transport; the list only affects speed.
	MIRRORS=('http://us.archive.ubuntu.com/ubuntu,http://mirror.cc.columbia.edu/pub/linux/ubuntu/archive/,http://mirror.cc.vt.edu/pub2/ubuntu/,http://mirror.umd.edu/ubuntu/,http://mirrors.mit.edu/ubuntu/')

ACTUALIZAR UBUNTU

# Bring the base system fully up to date before installing anything. If the
# upgrade pulls in a new kernel, reboot: the running kernel keeps the old code.
sudo apt-fast update
sudo apt-fast -y upgrade

INSTALAR NGINX WEB SERVER

# nginx starts serving its stock page on port 80 immediately; the vhost files
# written below replace that default.
sudo apt-fast -y install nginx
sudo systemctl enable nginx
sudo systemctl start nginx
systemctl status nginx	(presionar q)

OBTENER IP PUBLICA

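sudo apt-fast -y install curl
# Use HTTPS: the answer is what the DNS records and the NAT rules get pointed
# at, and over plain http it could be altered in transit.
curl https://icanhazip.com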

INSTALAR MariaDB

sudo apt-fast -y install mariadb-server mariadb-client
systemctl status mysql
sudo systemctl start mysql
sudo systemctl enable mysql

# Accepting the defaults sets the root password, removes the anonymous users,
# disallows remote root login and drops the test database -- keep all of them.
# NOTE(review): Ubuntu's MariaDB packages authenticate root over the unix
# socket by default, so "sudo mysql" may work without the password -- confirm
# on the installed version before relying on the password alone.
sudo mysql_secure_installation	(presionar ENTER, luego Y e ingresar contraseña, luego ENTER hasta el final)

INSTALAR PHP7

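# php7.0-zip is added here (Nextcloud needs the zip extension; the original
# only installed it much later). PHP 7.0 and Nextcloud 12 are both old
# releases -- check the currently supported PHP/Nextcloud combination first.
sudo apt-fast -y install php7.0-fpm php7.0-mbstring php7.0-xml php7.0-mysql php7.0-common php7.0-gd php7.0-json php7.0-cli php7.0-curl php7.0-imap php7.0-zip
sudo systemctl start php7.0-fpm
# Make sure the pool comes back after a reboot (the original never enabled it).
sudo systemctl enable php7.0-fpm
systemctl status php7.0-fpm	(presionar q)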

CONFIGURAR NGINX WEB SERVER

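sudo rm /etc/nginx/sites-enabled/default
sudo nano /etc/nginx/conf.d/default.conf

# Catch-all vhost: it answers every Host header no other server block claims,
# so keep it minimal. Replace "poner_ip_local" with the LAN address.
server {
listen 80;
listen [::]:80;
server_name poner_ip_local;
server_tokens off;
root /usr/share/nginx/html/;
index index.php index.html index.htm index.nginx-debian.html;

location / {
try_files $uri $uri/ =404;
}

error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;

location = /50x.html {
root /usr/share/nginx/html;
}

# The dot must be escaped: an unescaped "." matches any character, so the
# original "~ .php$" would also have handed e.g. /fooxphp to PHP-FPM.
location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
# Ubuntu's snippet adds "try_files $fastcgi_script_name =404", which refuses
# requests whose script does not exist on disk (the "image.jpg/x.php"
# path-info trick) -- keep this include.
include snippets/fastcgi-php.conf;
}

# Same escaping issue: "/.ht" would have matched "/xht..." as well as ".htaccess".
location ~ /\.ht {
deny all;
}
}

# Reload only when the syntax check passes.
sudo nginx -t && sudo systemctl reload nginx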

INSTALAR NEXTCLOUD 12

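sudo apt-fast -y install unzip unrar
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.3.zip
# Verify the archive before unpacking it: Nextcloud publishes a .sha256 (and a
# GPG .asc) next to every release. Stop here if sha256sum prints FAILED -- the
# download is corrupt or tampered with.
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.3.zip.sha256
sha256sum -c nextcloud-12.0.3.zip.sha256
unzip nextcloud-12.0.3.zip
sudo mv nextcloud /usr/share/nginx/
# Blanket www-data ownership is what the web installer needs. After the install
# the Nextcloud docs recommend tightening this (code owned by root, www-data
# only on config/, data/ and apps/). 12.0.3 is also long out of support --
# prefer a current release.
sudo chown www-data:www-data /usr/share/nginx/nextcloud/ -R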

CREAR USUARIO Y BASE DE DATOS PARA MariaDB

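mysql -u root -p

-- The original used the shared example password 's3CUR3p4SS'. Generate your
-- own (e.g. openssl rand -base64 24) and enter the same value in the web
-- installer. Everything typed here also lands in ~/.mysql_history, so clear
-- that afterwards. A user named "admin" is easy to confuse with the Nextcloud
-- admin account; "nextcloud@localhost" would read better.
create database nextcloud;
create user admin@localhost identified by 'REPLACE_WITH_STRONG_PASSWORD';
-- Rights on the nextcloud schema only; no global privileges.
grant all privileges on nextcloud.* to admin@localhost;
flush privileges;
exit;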

ACTIVAR SEGUIMIENTO BINARIO EN MariaDB

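sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf

[mysqld]
log-bin = /var/log/mysql/mariadb-bin
log-bin-index = /var/log/mysql/mariadb-bin.index
binlog_format = mixed
# Binary logs record every write (they contain the actual row data) and grow
# without bound unless rotated: keep /var/log/mysql readable by the mysql user
# only and cap retention.
expire_logs_days = 10

sudo systemctl restart mysql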

CONFIGURAR NGINX PARA NEXTCLOUD

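sudo nano /etc/nginx/conf.d/nextcloud.conf

# Interim plain-HTTP vhost: its only job is to let certbot answer the ACME
# challenge (the HTTPS version further down replaces this file). Do not run the
# web installer or log in through it -- passwords and cookies would travel in
# clear text.
server {
listen 80;
server_name cloud.dominio.ext;

# Add headers to serve security related headers
add_header X-Content-Type-Options nosniff;
# X-Frame-Options is left to Nextcloud's own PHP responses here. Static files
# served directly by nginx (css/js/images below) get no frame policy from
# Nextcloud; check with
#   curl -sI http://cloud.dominio.ext/index.php | grep -i x-frame-options
# and uncomment the line if the header is missing.
# add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

# Path to the root of your installation
root /usr/share/nginx/nextcloud/;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;

location = /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
   return 301 $scheme://$host/remote.php/dav;
}

# Must stay above the "deny all" for paths beginning with "/." further down:
# regex locations are tried in file order and the first match wins.
location ~ /.well-known/acme-challenge {
  allow all;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
   rewrite ^ /index.php$uri;
}

# Never serve these directly: config/ holds the DB password and instance
# secrets, data/ holds the user files.
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
   deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
   deny all;
}

# Only this explicit list of PHP entry points is ever passed to PHP-FPM.
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
   include fastcgi_params;
   fastcgi_split_path_info ^(.+\.php)(/.*)$;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   fastcgi_param PATH_INFO $fastcgi_path_info;
   #Avoid sending the security headers twice
   fastcgi_param modHeadersAvailable true;
   fastcgi_param front_controller_active true;
   fastcgi_pass unix:/run/php/php7.0-fpm.sock;
   fastcgi_intercept_errors on;
   fastcgi_request_buffering off;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
   try_files $uri/ =404;
   index index.php;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
    try_files $uri /index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above: an add_header inside a
    # location replaces, rather than extends, the server-level list)
    add_header X-Content-Type-Options nosniff;
    # add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;

}

# The dot is escaped now; the original ".(?:svg|..." matched any character.
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
}

# Reload only when the syntax check passes.
sudo nginx -t && sudo systemctl reload nginx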

INSTALAR Y ACTIVAR MODULOS PHP

# Mostly a repeat of the packages installed earlier; php7.0-zip is the one new
# module here (Nextcloud needs the zip extension).
sudo apt-fast -y install php7.0-common php7.0-gd php7.0-json php7.0-curl php7.0-zip php7.0-xml php7.0-mbstring

HABILITAR HTTPS

MEDIANTE CERTBOT

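	sudo apt-fast update
	sudo apt-fast -y install software-properties-common
	# Another third-party PPA whose signing key apt will trust from now on.
	sudo add-apt-repository ppa:certbot/certbot
	sudo apt-fast update
	sudo apt-fast -y install python-certbot-nginx

	# Webroot mode: certbot writes the challenge file under
	# <webroot>/.well-known/acme-challenge, so -w must be the directory the
	# "root" of the cloud.dominio.ext vhost points at, and that vhost must be
	# reachable on port 80 from the Internet while this runs.
	sudo certbot certonly --webroot --agree-tos --email info@dominio.ext -d cloud.dominio.ext -w /usr/share/nginx/nextcloud/
	# Later renewals: nginx does not re-read certificate files on its own, so
	# reload it after each successful renewal.
	sudo certbot renew --deploy-hook "systemctl reload nginx"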

MEDIANTE LETSENCRYPT

	# Alternative to the certbot PPA above: the client packaged by Ubuntu itself.
	# Use one of the two, not both, so only one renewal job exists on the host.
	sudo apt-fast -y install letsencrypt

	sudo letsencrypt certonly --webroot --agree-tos --email info@dominio.ext -d cloud.dominio.ext -w /usr/share/nginx/nextcloud/

INSTALAR EL CERTIFICADO

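	sudo nano /etc/nginx/conf.d/nextcloud.conf

# Port 80 only redirects. certbot follows the redirect and the HTTPS vhost below
# still serves /.well-known/acme-challenge, so renewals keep working.
server {
listen 80;
# Must be the same name as the HTTPS vhost: the original had "domain" here and
# "dominio" everywhere else, so the redirect pointed at the wrong host.
server_name cloud.dominio.ext;
return 301 https://$server_name$request_uri;
}

server {
listen 443 ssl http2;
server_name cloud.dominio.ext;

ssl_certificate /etc/letsencrypt/live/cloud.dominio.ext/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.dominio.ext/privkey.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# TLS 1.1 dropped (deprecated, no relevant clients for a private cloud).
# TLS 1.3 would additionally need nginx >= 1.13 built against OpenSSL 1.1.1.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;

# AEAD suites first; the trailing CBC suites only exist for old clients and can
# be removed once nothing needs them.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

# Add headers to serve security related headers
# HSTS: "preload" was removed. Submission to the browser preload list requires
# includeSubDomains and a max-age of at least one year, and it is practically
# irreversible for the whole domain -- add it back only after reading the
# preload requirements and deciding that every subdomain will be HTTPS-only.
add_header Strict-Transport-Security "max-age=15768000" always;
add_header X-Content-Type-Options nosniff;
# X-Frame-Options is left to Nextcloud's own PHP responses here. Static files
# served directly by nginx (css/js/images below) get no frame policy from
# Nextcloud; check with
#   curl -sI https://cloud.dominio.ext/index.php | grep -i x-frame-options
# and uncomment the line if the header is missing.
# add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

# Path to the root of your installation
root /usr/share/nginx/nextcloud/;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;

location = /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
   return 301 $scheme://$host/remote.php/dav;
}

# Must stay above the "deny all" for paths beginning with "/." further down:
# regex locations are tried in file order and the first match wins.
location ~ /.well-known/acme-challenge {
  allow all;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
   rewrite ^ /index.php$uri;
}

# Never serve these directly: config/ holds the DB password and instance
# secrets, data/ holds the user files.
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
   deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
   deny all;
}

# Only this explicit list of PHP entry points is ever passed to PHP-FPM.
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
   include fastcgi_params;
   fastcgi_split_path_info ^(.+\.php)(/.*)$;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   fastcgi_param PATH_INFO $fastcgi_path_info;
   # Tell PHP explicitly that the request arrived over TLS so Nextcloud builds
   # https:// URLs (Ubuntu's fastcgi_params normally passes $https as well;
   # stating it here avoids depending on that).
   fastcgi_param HTTPS on;
   #Avoid sending the security headers twice
   fastcgi_param modHeadersAvailable true;
   fastcgi_param front_controller_active true;
   fastcgi_pass unix:/run/php/php7.0-fpm.sock;
   fastcgi_intercept_errors on;
   fastcgi_request_buffering off;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
   try_files $uri/ =404;
   index index.php;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
    try_files $uri /index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above: an add_header inside a
    # location replaces, rather than extends, the server-level list)
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Content-Type-Options nosniff;
    # add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;

}

# The dot is escaped now; the original ".(?:svg|..." matched any character.
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
}

# Reload only when the syntax check passes.
sudo nginx -t && sudo systemctl reload nginx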

FINALIZAR LA INSTALACCION MEDIANTE WEB

https://cloud.dominio.ext — open it over HTTPS only (never through the interim plain-HTTP config). In the installer use the MariaDB user and password created above, and point the data folder to a directory outside the web root (one owned by www-data, e.g. under /var) instead of the default under /usr/share/nginx/nextcloud/: the nginx "deny all" rule for /data/ is a backstop, not the primary protection for user files.

AUTORENOVAR CERTIFICADOS

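# Simulate a renewal end to end first (uses the staging environment, issues nothing).
sudo certbot renew --dry-run
# The certbot package normally installs a systemd timer or cron job that runs
# "certbot renew" regularly -- check with:  systemctl list-timers | grep certbot
# If none exists, schedule the line below yourself. The deploy hook matters:
# nginx keeps using the old certificate until it is reloaded.
sudo certbot renew --deploy-hook "systemctl reload nginx"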

OPTIMIZACION CACHE

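sudo apt-fast update
# Use the distribution package instead of building an unpinned git checkout:
# "git clone .../apcu" takes whatever master happens to be at that moment
# (unreviewed, unsigned, not reproducible), and a manual "make install" is never
# updated by apt afterwards. The package ships apcu.ini under mods-available and
# enables it for fpm and cli, so the manual ln -s steps are not needed.
sudo apt-fast install php-apcu -y

# If building from source is unavoidable, check out a tagged release rather
# than master and build with the dev headers:
#   sudo apt-fast install php7.0-dev git -y
#   git clone --branch <release-tag> https://github.com/krakjoe/apcu /tmp/apcu
#   cd /tmp/apcu && phpize && ./configure && make && sudo make install
#   echo "extension = apcu.so" | sudo tee /etc/php/7.0/mods-available/apcu.ini
#   sudo phpenmod apcu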

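sudo nano /etc/php/7.0/mods-available/apcu.ini

extension=apcu.so
; ASCII characters only: the original line used typographic quotes (“50M”),
; which the ini parser does not treat as quoting. Quotes are not needed at all.
apc.shm_size=50M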

sudo nano /etc/php/7.0/fpm/pool.d/www.conf

; php-fpm pools start with a cleared environment, so a PATH must be passed
; explicitly for Nextcloud to find external binaries. Keep it to system
; directories; the /usr/games entries are unnecessary.
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

sudo nano /etc/php/7.0/fpm/php.ini

; Opcache values Nextcloud's setup check asks for (they belong in the [opcache]
; section). save_comments must stay 1: Nextcloud reads docblock annotations.
opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1

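sudo nano /usr/share/nginx/nextcloud/config/config.php

# ASCII quotes are mandatory: the typographic quotes in the original are a PHP
# parse error that takes the whole site down. Add the line inside the $CONFIG
# array. config.php holds the DB password and instance secrets -- after editing
# as root, make sure it is still owned by www-data and not world-readable.
'memcache.local' => '\OC\Memcache\APCu',

sudo systemctl reload php7.0-fpm
sudo systemctl reload nginx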

INSTALAR WEBMIN

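# Webmin is a browser-based root administration panel; treat its download like
# any other privileged package: fetch it over HTTPS and compare it against the
# checksum/signature the project publishes before installing. The project's
# signed APT repository is the better option because it also delivers updates,
# and 1.850 is an old release. Webmin listens on 10000/tcp -- see the firewall
# section for restricting who can reach it.
sudo apt-fast install -y perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget https://prdownloads.sourceforge.net/webadmin/webmin_1.850_all.deb
sudo dpkg --install webmin_1.850_all.deb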

INSTALAR ONLYOFFICE

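sudo apt-fast -y install postgresql
sudo -u postgres psql -c "CREATE DATABASE onlyoffice;"
# Pick a real password: "onlyoffice" is the value every copy of this guide
# uses. The documentserver package apparently asks for these credentials during
# installation (the prompt answers below), so enter the same value there.
sudo -u postgres psql -c "CREATE USER onlyoffice WITH password 'REPLACE_WITH_STRONG_PASSWORD';"
sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"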

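# Don't pipe a remote script straight into a root shell: download it, read it,
# then run it. -f makes curl fail on HTTP errors instead of feeding an error
# page to bash. Node 6 is end-of-life; check which Node line the current
# documentserver package expects.
nodesetup=$(mktemp)
curl -fsSL -o "$nodesetup" https://deb.nodesource.com/setup_6.x
less "$nodesetup"
sudo -E bash "$nodesetup"
rm -f -- "$nodesetup"
sudo apt-fast -y install nodejs
node -v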

# Both services are backends for the document server and must not be reachable
# from outside. Ubuntu's redis config binds to 127.0.0.1, but RabbitMQ typically
# listens on all interfaces (5672, 4369, 25672) and is protected only once ufw
# is enabled at the very end of this guide -- confirm with "ss -ltnp".
sudo apt-fast -y install redis-server rabbitmq-server
systemctl status redis-server
systemctl status rabbitmq-server	(presionar q)

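# Repository over HTTPS (the Release file is signed either way, but https stops
# a network attacker from watching or redirecting the fetch -- TODO confirm the
# mirror serves https). More importantly, verify the key: "--recv-keys" with an
# 8-character short ID over a plaintext keyserver imports any key whose ID
# collides with it. Compare the full fingerprint printed by "apt-key fingerprint"
# with the one published in the OnlyOffice documentation before "apt update".
echo "deb https://download.onlyoffice.com/repo/debian squeeze main" | sudo tee /etc/apt/sources.list.d/onlyoffice.list

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
sudo apt-key fingerprint CB2DE8E5

sudo apt-fast update
sudo apt-fast -y install onlyoffice-documentserver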

Installer prompts (apparently the debconf questions of the documentserver package): enter the PostgreSQL password chosen for the onlyoffice user above (the original guide used the weak value `onlyoffice`), then confirm with Yes.

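sudo nano /etc/nginx/conf.d/onlyoffice-documentserver.conf

# Interim plain-HTTP vhost, only used to obtain the certificate below.
include /etc/nginx/includes/onlyoffice-http.conf;
server {
listen 0.0.0.0:80;
# default_server: this vhost answers any IPv6 request whose Host matches nothing
# else. Harmless for this interim step, but be aware of it.
listen [::]:80 default_server;
server_name office.dominio.ext;
server_tokens off;

include /etc/nginx/includes/onlyoffice-documentserver-*.conf;

location ~ /.well-known/acme-challenge {
root /var/www/onlyoffice/;
allow all;
}
}

# Validate before reloading; the original skipped "nginx -t" here.
sudo nginx -t && sudo systemctl reload nginx

# -w must be the directory the acme-challenge location above serves from.
sudo certbot certonly --webroot --agree-tos --email info@dominio.ext -d office.dominio.ext -w /var/www/onlyoffice/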

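sudo nano /etc/nginx/conf.d/onlyoffice-documentserver.conf

# The explanatory lines of the vendor template must be nginx comments ("#") and
# quotes must be plain ASCII: the pasted original had bare prose, shell commands
# and typographic quotes inside the server blocks, which "nginx -t" rejects or
# silently misparses.
include /etc/nginx/includes/onlyoffice-http.conf;

## Normal HTTP host
server {
listen 0.0.0.0:80;
listen [::]:80 default_server;
server_name office.dominio.ext;
server_tokens off;

## Redirects all traffic to the HTTPS host
root /nowhere; ## root doesn't have to be a valid path since we are redirecting
rewrite ^ https://$host$request_uri? permanent;
}

## HTTP host for internal services
server {
listen 127.0.0.1:80;
listen [::1]:80;
server_name localhost;
server_tokens off;
include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
}

## HTTPS host
server {
listen 0.0.0.0:443 ssl;
# default_server on [::]:443 makes OnlyOffice the catch-all for IPv6 HTTPS, and
# the Nextcloud vhost listens on IPv4 only -- IPv6 clients of cloud.dominio.ext
# would land here. Add "listen [::]:443 ssl http2;" to the Nextcloud vhost if
# IPv6 is in use.
listen [::]:443 ssl default_server;
server_name office.dominio.ext;
server_tokens off;
root /usr/share/nginx/html;

ssl_certificate /etc/letsencrypt/live/office.dominio.ext/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/office.dominio.ext/privkey.pem;

## modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

## HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

ssl_session_cache builtin:1000 shared:SSL:10m;

# If the editor is embedded in Nextcloud (a different origin), a SAMEORIGIN
# frame policy on the editor responses blocks the iframe. If documents fail to
# open, check the response headers and either drop this line or replace it with
# a Content-Security-Policy frame-ancestors directive naming cloud.dominio.ext.
add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

# OCSP stapling. The chain that validates the stapled response is the
# Let's Encrypt chain.pem; the template's /etc/nginx/ssl/stapling.trusted.crt
# does not exist on this host and would make "nginx -t" fail.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/office.dominio.ext/chain.pem;

# nginx needs a resolver for the OCSP lookups. These are OpenDNS; prefer the
# resolver this host already uses so the queries don't go to a third party.
resolver 208.67.222.222 208.67.222.220 valid=300s;
resolver_timeout 10s;

## [Optional] Stronger DHE parameter. Generate it beforehand with:
##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
## Note: the cipher list above is ECDHE-only, so the parameter is unused unless
## DHE suites are added.
#ssl_dhparam /etc/ssl/certs/dhparam.pem;

location ~ /.well-known/acme-challenge {
root /var/www/onlyoffice/;
allow all;
}
include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
}

# Reload only when the syntax check passes.
sudo nginx -t && sudo systemctl reload nginx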

INSTALAR CLAMAV ANTIVIRUS

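# Everything from here to the firewall section runs in a root shell.
sudo -s
apt-fast update && apt upgrade -y
apt-fast install clamav clamav-freshclam clamav-daemon -y

# Fetch the signatures once by hand; the freshclam service keeps them current afterwards.
service clamav-freshclam stop
freshclam
service clamav-freshclam start

cp /etc/clamav/clamd.conf /etc/clamav/clamd.conf.bak
nano /etc/clamav/clamd.conf

# Scan limits. MaxFileSize/StreamMaxLength (50M = 52428800 bytes) must agree
# with the "Stream Length" entered in the Nextcloud antivirus settings below.
# clamd skips files above these limits, so decide in the app settings what
# happens to oversized uploads rather than assuming they were scanned.
MaxDirectoryRecursion 25
MaxFileSize 50M
PCREMaxFileSize 50M
StreamMaxLength 50M

service clamav-freshclam restart && service clamav-daemon restart

# The antivirus app. The original fetched the moving "master" branch, which is
# neither a released version nor necessarily compatible with Nextcloud 12.
# Prefer installing it from the Apps page (Nextcloud App Store, signed) or a
# tagged release archive for this Nextcloud version.
cd /usr/share/nginx/nextcloud/apps
wget https://github.com/nextcloud/files_antivirus/archive/master.zip
unzip master.zip && mv files_antivirus-master files_antivirus && rm master.zip
chown -R www-data:www-data /usr/share/nginx/nextcloud

# In the admin panel: "Additional settings" -> "Antivirus Configuration", mode
# "Daemon (Socket)", "Stream Length" 52428800 (50 MB). Socket mode talks to
# clamd over its local socket (/var/run/clamav/clamd.ctl on Debian/Ubuntu);
# if scans report a connection error, check that www-data can access that
# socket (LocalSocketGroup / LocalSocketMode in clamd.conf).

dpkg-reconfigure clamav-freshclam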

INSTALAR FIREWALL

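sudo apt-fast install ufw -y
# Default policies first, then the holes. Order is irrelevant before
# "ufw enable", but it reads more clearly this way.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# "limit" rate-limits new SSH connections (brute-force protection); use key
# authentication as well and consider reaching admin ports only over a VPN.
sudo ufw limit 22/tcp
# Webmin (10000) is a root-level admin panel: do not expose it to the whole
# Internet. Replace ADMIN_IP with the address or range you manage from.
sudo ufw allow from ADMIN_IP to any port 10000 proto tcp
# Port 8080 from the NAT list at the top is not used by anything installed in
# this guide; leave it closed unless a service actually listens on it.
sudo ufw logging medium
sudo ufw enable
sudo ufw status verbose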