Tutorial: How to setup Nextcloud with PHP7.0 and ngix on a Synhology NAS with DMS 6 (in progress)

Probably there will be confidential data in your nextcloud you should secure wherever you can. By the time of the creation of this tutorial, I have only a simple ZyXEL NBG6616 Router and D-Link DGS-1008D 8-Port Gigabit Unmanaged Desktop switch. It is possible to install openWRT on the ZyXEL what gives me more some more additional features compared to stock firmware but first I want to get this done before I proceed to the next device. It is still on my agenda as firewall and guest wifi settings are a way more transparent in openWRT than in the stock firmware.

During my research, I came across several possibilities about how to secure my network from attacks from the inside and from the outside.
On the inside, there shall be mentioned VLAN and Radius Server but as long as the reset button is reachable by anyone in the flat, safety is limited.
On the outside, you split data and system of Nextcloud and expose as little as possible to the internet by means of firewall, proxy-server and creating dedicated user accounts for each service, what allows you to make use of Unix Domain Sockets instead of pure TCP socket based communication for data exchange between the different services on the server.
Keep in mind that in the end, only client-side encryption gives you a good level of privacy anything else makes it only harder to get there.

It isn’t little what I have learned so far but it is properly far from being complete. Nevertheless, I would like to share what I’ve learned so far allowing us to discuss security-related aspects of self-hosted Nextcloud hoping to end in a comprehensive hardening tutorial.

1. OSI and TCP/IP

First I tried to understand the architecture of the data transfer, what is described in the Transmission Control Protocol/Internet Protocol (TCP/IP), developed by the Department of Defense (DOD) to connect various devices to a common network (Internet). As well as in the OSI model, developed by ISO, the International Organization for Standardization.
The OSI is the newer protocol stack for networking. It contains a lot more layers and so more precisely defines the tasks performed by many TCP/IP layer protocols. So, if you want to develop a networking or telecommunication system, its specifications and description are more helpful to narrow down problems (Is it a physical issue or something with the application?), as well as computer programmers (when developing an application, which other layers does it need to work with?). Tech vendors selling new products will often refer to the OSI model to help customers understand which layer their products work with or whether it works “across the stack”.
With the rise of the internet, the TCP/IP stack become the de-facto standard of internet-based/related communication. Properly also supported by the fact that the TCP/IP model was focused on a smaller subset of protocols to support than OSI, the architecture is geared more specifically to its needs and its behaviours.

Before I continue you may have look on the following network protocols maps.

As I started my research, it made me feel that there are countless protocols ensuring that the data transfer works well at all layers of the stack understand each other, what made me feel lost.
These maps enlightened me a bit:
map one

grafik3400×2199 385 KB

map two

grafik1671×2048 928 KB

A lot of the mentioned protocols etc. are explained in Computer and network protocols; TCP / IP - OSI

Both are paradigms for discussing or describing how computers communicate with one another over a network but do not match exactly even for layers of the same name. Due to the clearness of the OSI and close relationship with TCP/IP some points in the following text are explained by expression related to OSI.
In order to avoid any confusion, when we talk about layer 2, layer 3 or layer 7 in which a network device works, we are referring to the OSI model, moreover, I will use the OSI layer names. This is reasoned that many devices or protocols, respectively act in a certain layer as defined by OSI only.
The main difference is that TCP/IP turns into usually known as the vertical technique and stands for Transmission Control Protocol/Internet Protocol. On the alternative hand, OSI Model was usually known as the flat technique whereby there are distinctive layers, as an illustration, introduction, session and utility layers. More about the difference can be found on Difference Between TCP/IP vs. OSI Model – Difference Wiki or TCP/IP Model Vs. OSI Model
Whereas OSI has distictiv layers for each function TCP/IP uses all-in-one protocols/services such as SMTP, DNS on the application layer, well explained on How Internet Work? With the OSI model and TCP/IP – Predict – Medium. Moreover you will find a good ilsuration on TCP/IP vs. OSI: What’s the Difference Between them?.

Dieser Text wird versteckt

Besides just copying all your files to an external drive, you find more details in Synology’s KB How to back up your Synology NAS but regard reset / reinstall DSM does not work. In addition, the Note Station allows to export all notes as in explaiend in Managing Note Station

see Synology 's tutorial on YouTube for details.

1. Hyper Backup, for restoring the backup

2. Antivirus Essential, I have no clue how good it is but better than nothing it is

3. Log Center, logging is essential for debugging

4. php 5.6, necessary for phpMyAdmin

5. phpMyAdmin for database adminstration

6. php 7.0, necessary for nextcloud

7. MariaDB 10, for the nextcloud database

8. DNS Server, to forget about the IP of the diskstation and call it by name, e.g. www.mynas.local

9. Note Station, as long as there isn’t a way to migrate to a nextcloud counterpart

10. Web Station, to make the diskstation web server ready

11. Java 8 if you want to run java based application after this installation, as I intend to do. If your model si not supported as mine follow Java SE Embedded package for Synology NAS

separating devices from each other that can be done by

1. subnetting
2. VLAN
3. MAC Filter
4. Port supervision

all functions are well explained on Synology’s Knowledge Base
I use the DNS Server freenom (what is my domain provider for experimenting and safeDNS.

Resolution SErver:
In resolution tab enable resolution to allow DNS server to query other DNS servers when it can’t resolve a name. A local machine caches DNS tables so that it doesn’t have to query a DNS server for each request to a resource URL when browsing internet etc. I believe this is the service that caches DNS tables in DiskStation and may make browsing from several clients in local network a bit faster. Forwarders is public DNS servers used to resolve other addresses, the IPs used here is for the public Google DNS servers.

You can enable resolution services to allow the DiskStation to resolve recursive queries. A recursive query occurs when the DiskStation is not authoritative for a requested domain. In this case, the DiskStation queries other domain name servers until the information is found, or until the query fails.

For example, if a client queries your DiskStation for the address of “synology.com,” but your DiskStation is not authoritative for this domain (i.e. you do not own synology.com), it will query other domain name servers or forward the request to specified forwarder servers, and then relay the result back to the sender of the query.

Second , you need to configure a fallback DNS for looking up unknown names. The resolution tab in the DNS Server configuration has everything: