Self-hosted nextCloud

Nextcloud is a suite of client-server software for creating and using file hosting services. It is enterprise-ready with comprehensive support options. Because it is free and open-source software, anyone may install and operate it on their own private server.

You can download and install nextCloud on your own Linux server, try some prefab cloud or virtual machine images, or sign up for hosted nextCloud services. 

1. Install the recommended packages, especially when running on a minimal Ubuntu 22.04 install.

sudo apt-get install nano cron wget rsyslog logrotate unzip

2. Install nextCloud's required packages and modules.

sudo apt-get install apache2 libapache2-mod-php mariadb-server php-zip php-xml php-imagick php-bcmath php-gmp php-gd php-mysql php-curl php-mbstring php-intl redis-server php-redis php-apcu

3. If you plan to install nextCloud on an Oracle Cloud VPS, allow TCP ports 80 and 443 both in the instance's iptables rules and in the Oracle Cloud VCN.

sudo nano /etc/iptables/rules.v4

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

4. Reload the iptables rules.

sudo iptables-restore < /etc/iptables/rules.v4

5. Download the latest Nextcloud package and unpack it into the /var/www directory. Change the ownership of the Nextcloud directory to the apache2 user (www-data).

wget https://download.nextcloud.com/server/releases/nextcloud-24.0.3.zip
unzip nextcloud-24.0.3.zip
sudo cp -r nextcloud /var/www/ && sudo chown -R www-data:www-data /var/www/nextcloud

6. Disable Apache2's default web configuration.

sudo a2dissite 000-default.conf

7. Create nextCloud's virtual host configuration. Replace the server name accordingly.

sudo nano /etc/apache2/sites-available/nextcloud.conf

<VirtualHost *:80>
  DocumentRoot /var/www/nextcloud/
  ServerName your.server.com

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
</VirtualHost>

8. Enable the required Apache2 modules and the nextCloud virtual host configuration.

sudo a2ensite nextcloud
sudo a2enmod dir env headers mime rewrite setenvif
sudo systemctl restart apache2

9. Create nextCloud's MySQL database and database user. Customize the database name and credentials accordingly.

sudo mysql -u root -e "CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; GRANT ALL PRIVILEGES ON nextcloud.* TO nextcloud@localhost IDENTIFIED BY 'password123';"

10. Install a minimal nextCloud via the occ command, or set up the default/full nextCloud via the web installer by opening http://your-nextcloud-ip in a browser.

sudo -u www-data php /var/www/nextcloud/occ maintenance:install --database "mysql" --database-name "nextcloud" --database-user "nextcloud" --database-pass "password123" --admin-user "admin" --admin-pass "admin"

11. Add the server's local IP address to nextCloud's trusted domains.

myip=$(hostname -I|cut -f1 -d ' ')
sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 1 --value="$myip"

12. If you set up nextCloud on Oracle Cloud, configure the trusted domain with a valid FQDN.

sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 1 --value="your.server.com"

13. Set up nextCloud with a self-signed HTTPS certificate. Redirect HTTP to HTTPS.

sudo nano /etc/apache2/sites-available/nextcloud.conf

<VirtualHost *:80>
  DocumentRoot /var/www/nextcloud/
  ServerName your.server.com

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  Redirect permanent / https://your.server.com/
</VirtualHost>

sudo nano /etc/apache2/sites-available/nextcloud-ssl.conf

<VirtualHost *:443>
  DocumentRoot /var/www/nextcloud/
  ServerName your.server.com

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  SSLEngine on
  SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
</VirtualHost>

sudo a2ensite nextcloud-ssl
sudo a2enmod ssl
sudo systemctl restart apache2

14. For the Oracle Cloud setup, set up nextCloud with a free Let's Encrypt SSL cert instead. Remember to restart the apache2 service afterward.

sudo apt-get install certbot python3-certbot-apache
sudo certbot --apache -d your.server.com -m xxx@hotmail.com

15. Enable HTTP Strict Transport Security. Add the entry below to either nextcloud-ssl.conf or nextcloud-le-ssl.conf, then restart the apache2 service.

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
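Two offline checks for steps 13 and 15, written as an added Python example (not part of the original post): check_redirect confirms that the plain-HTTP virtual host answers with a permanent redirect to the HTTPS site, and check_hsts parses a Strict-Transport-Security value and enforces the page's max-age of 15552000 together with includeSubDomains (Nextcloud's admin overview warns when the header is absent or the max-age is shorter than that). Both functions take raw response text, so you can paste in the output of `curl -sI http://your.server.com/` and `curl -skI https://your.server.com/` (the `-k` is only needed while the self-signed certificate from step 13 is in use). All function names are mine and the two sample responses are constructed.

```python
"""Offline checks for the HTTP->HTTPS redirect (step 13) and the HSTS header (step 15).

Added example; not part of the original post. Feed it raw response heads such as the
output of `curl -sI http://your.server.com/` and `curl -skI https://your.server.com/`.
"""

# The page sets max-age=15552000 (180 days); Nextcloud's admin overview warns when the
# header is missing or shorter than that, so it is the floor used here.
MIN_MAX_AGE = 15552000


def parse_head(raw_head):
    """Split a raw HTTP response head into (status_code, {lower-cased header: value})."""
    lines = raw_head.replace("\r\n", "\n").strip().split("\n")
    parts = lines[0].split(" ", 2)
    code = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, headers


def parse_hsts(value):
    """Directives of a Strict-Transport-Security value, names lower-cased (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value, min_max_age=MIN_MAX_AGE):
    """Return (ok, problems) for one header value; pass None when the header was absent."""
    if value is None:
        return False, ["Strict-Transport-Security header missing"]
    problems = []
    d = parse_hsts(value)
    if not d.get("max-age"):
        problems.append("max-age directive missing")
    elif not d["max-age"].isdigit():
        problems.append("max-age is not a non-negative integer")
    elif int(d["max-age"]) == 0:
        problems.append("max-age=0 tells browsers to drop the policy")
    elif int(d["max-age"]) < min_max_age:
        problems.append("max-age %s is below %d" % (d["max-age"], min_max_age))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    return not problems, problems


def check_redirect(raw_head, expected_host):
    """The plain-HTTP vhost must answer with a permanent redirect to https://<expected_host>/."""
    code, headers = parse_head(raw_head)
    problems = []
    if code not in ("301", "308"):
        problems.append("status %s is not a permanent redirect" % (code or "?"))
    location = headers.get("location")
    if location is None:
        problems.append("Location header missing")
    elif not location.lower().startswith("https://%s/" % expected_host.lower()):
        problems.append("Location %s does not point at https://%s/" % (location, expected_host))
    return not problems, problems


# Constructed sample responses, not captured from a real server.
HTTP_HEAD = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://your.server.com/\r\n\r\n"
HTTPS_HEAD = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n")

if __name__ == "__main__":
    print("redirect:", check_redirect(HTTP_HEAD, "your.server.com"))
    print("hsts:", check_hsts(parse_head(HTTPS_HEAD)[1].get("strict-transport-security")))
```

Apache's `Redirect permanent` answers 301, which is why the redirect check accepts 301 (and 308); a 302 from a stale default site would be flagged, as would a max-age=0 header, which tells browsers to forget the policy rather than enforce it.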

16. Increase PHP's default memory limit from 120MB to 512MB and make some other adjustments.

sudo nano /etc/php/8.1/apache2/php.ini
memory_limit = 512M
upload_max_filesize = 20M
max_execution_time = 360
post_max_size = 20M
date.timezone = Asia/Kuala_Lumpur

17. Enable php-apcu for the command line (occ runs under PHP CLI) by editing /etc/php/8.1/mods-available/apcu.ini to include apc.enable_cli=1.

extension=apcu.so
apc.enable_cli=1

18. Configure nextCloud caching and file locking.

sudo -u www-data php /var/www/nextcloud/occ config:system:set memcache.distributed --value '\OC\Memcache\Redis'
sudo -u www-data php /var/www/nextcloud/occ config:system:set memcache.local --value '\OC\Memcache\APCu'
sudo -u www-data php /var/www/nextcloud/occ config:system:set memcache.locking --value '\OC\Memcache\Redis'
sudo -u www-data php /var/www/nextcloud/occ config:system:set redis host --value 'localhost'
sudo -u www-data php /var/www/nextcloud/occ config:system:set redis port --value 6379

19. Enable php-imagick SVG support.

sudo apt-get install libmagickcore-6.q16-6-extra

20. Set default phone region code for nextcloud.

sudo -u www-data php /var/www/nextcloud/occ config:system:set default_phone_region --value 'MY'

21. Set up nextCloud's background cron job.

echo '*/5  *  *  *  * www-data /usr/bin/php -f /var/www/nextcloud/cron.php' | sudo tee -a /etc/cron.d/nextcloud

22. Set the correct log timezone for nextCloud.

sudo -u www-data php /var/www/nextcloud/occ config:system:set logtimezone --value 'Asia/Kuala_Lumpur'

23. Configure logrotate for nextCloud.

sudo nano /etc/logrotate.d/nextcloud

/var/www/nextcloud/data/nextcloud.log {
  size 10M
  rotate 12
  copytruncate
  missingok
  compress
  compresscmd /bin/gzip
}

24. Install fail2ban to block brute-force login attempts. Make sure nextCloud is using the proper timezone, since fail2ban relies on the log timestamps. Remember to restart the fail2ban service after adding the nextCloud filter and jail configuration.

sudo apt-get install fail2ban

sudo nano /etc/fail2ban/filter.d/nextcloud.conf

[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<host>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<host>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

sudo nano /etc/fail2ban/jail.d/nextcloud.conf

[nextcloud]
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 10800
logpath = /var/www/nextcloud/data/nextcloud.log

sudo systemctl enable fail2ban --now
sudo systemctl restart fail2ban
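A dry run of the filter above against constructed log lines, added here as a Python example (it is not part of the original post and not fail2ban's own test tooling). It performs the `%(_groupsre)s` interpolation, replaces the page's `<host>` tag with a named capture group the way fail2ban expands its `<HOST>` tag (treating the lower-case spelling as that tag is an assumption of this example), strips the timestamp matched by `datepattern` as fail2ban does before applying `failregex`, and counts matches per address against the jail's maxretry of 3. The sample lines follow the shape of Nextcloud's JSON log but are constructed, the date regex is my hand translation of the page's datepattern, and findtime is not modelled.

```python
"""Dry run of the page's fail2ban 'nextcloud' filter over constructed log lines.

Added example; it is not part of the original post and not fail2ban's own code.
"""
import re
from collections import Counter

# Copied from the page's /etc/fail2ban/filter.d/nextcloud.conf.
GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
FAILREGEX = [
    r'^\{%(_groupsre)s,?\s*"remoteAddr":"<host>"%(_groupsre)s,?\s*"message":"Login failed:',
    r'^\{%(_groupsre)s,?\s*"remoteAddr":"<host>"%(_groupsre)s,?\s*"message":"Trusted domain error.',
]
MAXRETRY = 3  # from the page's jail.d/nextcloud.conf

# ASSUMPTION: the page's <host> tag stands for fail2ban's <HOST> tag, which fail2ban
# expands into a capture group for the client address; the same substitution is done here.
HOST_GROUP = r'(?P<host>[0-9A-Fa-f:.]+)'

# Hand translation of the page's datepattern. fail2ban removes the text matched by
# datepattern from the line before running failregex, so the dry run does the same.
DATE_RE = re.compile(
    r',?\s*"time"\s*:\s*"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:?\d{2}|Z)?"'
)

# Constructed sample lines in the shape of Nextcloud's JSON log (not a real capture):
# three failed logins from one address, one trusted-domain error, one unrelated entry.
SAMPLE_LOG = [
    '{"reqId":"r%d","level":2,"time":"2022-07-20T10:15:%02d+08:00","remoteAddr":"203.0.113.5",'
    '"user":"--","app":"core","method":"POST","url":"/login",'
    '"message":"Login failed: \'admin\' (Remote IP: \'203.0.113.5\')",'
    '"userAgent":"curl/7.81.0","version":"24.0.3.2"}' % (i, 10 * i)
    for i in (1, 2, 3)
] + [
    '{"reqId":"r4","level":2,"time":"2022-07-20T10:16:02+08:00","remoteAddr":"198.51.100.7",'
    '"user":"--","app":"core","method":"GET","url":"/",'
    '"message":"Trusted domain error. \\"198.51.100.7\\" tried to access using \\"192.0.2.10\\" as host.",'
    '"userAgent":"Mozilla/5.0","version":"24.0.3.2"}',
    '{"reqId":"r5","level":1,"time":"2022-07-20T10:16:30+08:00","remoteAddr":"198.51.100.7",'
    '"user":"alice","app":"files","method":"GET","url":"/apps/files",'
    '"message":"Unrelated informational entry","userAgent":"Mozilla/5.0","version":"24.0.3.2"}',
]


def compile_failregex():
    """Do the %(name)s interpolation fail2ban performs, then swap in the host group."""
    return [
        re.compile((p % {"_groupsre": GROUPSRE}).replace("<host>", HOST_GROUP))
        for p in FAILREGEX
    ]


def strip_date(line):
    """Remove the timestamp field the way fail2ban's datepattern handling does."""
    return DATE_RE.sub("", line, count=1)


def matched_hosts(log_lines):
    """Client addresses reported by the filter, one per matching line, in log order."""
    regexes = compile_failregex()
    hosts = []
    for line in log_lines:
        candidate = strip_date(line)
        for rx in regexes:
            m = rx.search(candidate)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def would_ban(log_lines, maxretry=MAXRETRY):
    """Addresses with at least maxretry matches (findtime is not modelled here)."""
    counts = Counter(matched_hosts(log_lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matched:", matched_hosts(SAMPLE_LOG))
    print("would ban:", would_ban(SAMPLE_LOG))
```

The unrelated entry from 198.51.100.7 is ignored and its single trusted-domain error stays below maxretry, while 203.0.113.5 reaches three failed logins and would be banned for the configured 10800 seconds. Against the live log the equivalent check is `fail2ban-regex /var/www/nextcloud/data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf`, which also reports whether the datepattern is recognised.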
