Ech0 - 06 / 08 / 2020

Nginx Nextcloud Server Setup

Rent a VPS running Debian 10 or newer (or host it yourself, but then make sure ports 80 and 443 are forwarded from your public IP to the machine, so that it is reachable exactly as a VPS would be).

Once you have ssh'd into your debian server, we can start:

Setting up php7.3 and pgsql



First we get every package we need:


apt update -y && apt upgrade -y
apt install -y apt-transport-https lsb-release ca-certificates curl gnupg
sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -

apt update -y
apt install -y sudo socat wget unzip zip postgresql-13 nginx php7.3-{xml,json,intl,dev,common,fpm,curl,cli,pgsql,gd,mbstring,zip,soap,bz2}

Once that's done, enable and start nginx, then cd into /etc/php/7.3/ to edit the two php.ini files (fpm and cli) and the www.conf pool file:


systemctl enable --now nginx
systemctl status nginx

cd /etc/php/7.3/

echo 'date.timezone = Europe/Paris' >> fpm/php.ini
echo 'date.timezone = Europe/Paris' >> cli/php.ini

echo 'cgi.fix_pathinfo=0' >> fpm/php.ini
echo 'cgi.fix_pathinfo=0' >> cli/php.ini

echo 'env[HOSTNAME] = $HOSTNAME' >> fpm/pool.d/www.conf
echo 'env[PATH] = /usr/local/bin:/usr/bin:/bin' >> fpm/pool.d/www.conf
echo 'env[TMP] = /tmp' >> fpm/pool.d/www.conf
echo 'env[TMPDIR] = /tmp' >> fpm/pool.d/www.conf
echo 'env[TEMP] = /tmp' >> fpm/pool.d/www.conf

cgi.fix_pathinfo=0 is the security-relevant setting here: left at 1, a request for a path like /data/photo.jpg/x.php makes PHP fall back to running photo.jpg as the script when x.php does not exist, so any file a user can upload could be executed if nginx ever hands it to php-fpm. Setting it to 0 makes PHP refuse such requests. Once that's done, enable php7.3-fpm and postgres:



systemctl enable --now php7.3-fpm

systemctl enable --now postgresql 
systemctl status postgresql

Once that's done, create the system user, and then the PostgreSQL role and database that Nextcloud will use. The role gets no password on purpose: with Debian's default pg_hba.conf, connections over the local UNIX socket use peer authentication, so a connection as the nextcloud role is accepted only when the connecting process runs as the nextcloud system user (which is why that user is created first). If Nextcloud ever connects over TCP instead, peer auth does not apply and the role needs a password:



useradd nextcloud -s /bin/bash 
sudo -u postgres psql


CREATE USER nextcloud;
CREATE DATABASE nextcloud;
ALTER DATABASE nextcloud OWNER TO nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
\q

Certbot Certificate and Nginx Configuration



From here we need a Let's Encrypt certificate. If you don't have a domain name yet, go get one, or use the free alternative DuckDNS; mine is currently ech2.duckdns.org.

So the server is now reachable as "ech2.duckdns.org": browse to it and you should see the default nginx page. Now we issue the certificate with acme.sh. Its installer is a script piped straight into sh, so download it and read it first if that bothers you; nginx is stopped while issuing because standalone mode needs port 80 free to answer the HTTP-01 challenge:


wget -O - https://get.acme.sh | sh
cd ~
source .bashrc
systemctl stop nginx
acme.sh --issue --standalone -d ech2.duckdns.org -k 4096
systemctl start nginx

This puts the certificate and key into /root/.acme.sh/ech2.duckdns.org/ and adds a cron job that renews them. Two caveats if you follow this later: recent acme.sh releases default to ZeroSSL, so add --server letsencrypt to the --issue command if you specifically want Let's Encrypt, and a standalone renewal needs port 80 just like the first issue did, so give acme.sh a --pre-hook/--post-hook that stops and starts nginx (or reissue with --webroot) and reload nginx afterwards, otherwise it keeps serving the old certificate until it expires.

Once that's done, we can download the latest nextcloud zipfile:


cd /var/www/
wget -q https://download.nextcloud.com/server/releases/latest.zip

unzip -qq latest.zip
sudo chown -R nextcloud:www-data /var/www/nextcloud
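Before unzipping, check the archive against the checksum Nextcloud publishes next to it (latest.zip.sha256; a detached GPG signature latest.zip.asc is there too for the release key). The function below is an added example and not part of the original tutorial; it assumes GNU coreutils sha256sum and compares only the hex digest, because the filename recorded in the checksum file may be the versioned release name rather than latest.zip.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to unpack a Nextcloud
# release whose SHA-256 does not match the published checksum file, e.g.
# https://download.nextcloud.com/server/releases/latest.zip.sha256
# Only the digest (first field) is compared, never the filename field.

# verify_sha256 ARCHIVE SUMFILE -> returns 0 if the digest matches, 1 otherwise
verify_sha256() {
    archive=$1
    sumfile=$2
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
    [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 1; }
    # first field of the published file is the hex digest
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha256sum "$archive" | awk '{print tolower($1)}')
    if [ "${#expected}" -ne 64 ]; then
        echo "checksum file does not contain a SHA-256 digest" >&2
        return 1
    fi
    if [ "$expected" != "$actual" ]; then
        echo "CHECKSUM MISMATCH for $archive" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    return 0
}

# unpack_verified ARCHIVE SUMFILE DESTDIR -> unzips only after verification
unpack_verified() {
    verify_sha256 "$1" "$2" || return 1
    unzip -qq "$1" -d "$3"
}

# Usage on the server, after downloading both files into /var/www:
#   wget -q https://download.nextcloud.com/server/releases/latest.zip.sha256
#   unpack_verified latest.zip latest.zip.sha256 /var/www
```

A mismatch means a truncated download or a tampered mirror; either way, do not unzip, download again and compare once more. The .asc file can additionally be checked with gpg --verify after importing Nextcloud's signing key from their website.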

Once that's done, go and modify the nginx configuration:


cd /etc/nginx/sites-available/
wget https://ech1.netlify.app/servers/nextcloud/nginx.conf -O nextcloud.conf
nano nextcloud.conf

From here, replace ech2.duckdns.org with your own domain name. In nano, press CTRL+W, type ech2.duckdns.org and hit ENTER to jump to each occurrence; CTRL+X and then y saves the file when you're done.


ln -s /etc/nginx/sites-available/nextcloud.conf /etc/nginx/sites-enabled/
nginx -t

At this point nginx -t should report that the configuration has no errors. Now reload nginx, install the php-fpm pool file for nextcloud and restart php7.3-fpm:


nginx -s reload 
wget https://ech1.netlify.app/servers/nextcloud/nextcloud.conf -O /etc/php/7.3/fpm/pool.d/nextcloud.conf
systemctl restart php7.3-fpm

From here, just browse to your server at https://ech2.duckdns.org/ and you should be greeted by the following webpage:

Check that every field is correct before submitting (apart from the first two, which are the admin credentials you pick yourself).

At the top, create the admin account with credentials of your choosing; below it, enter the PostgreSQL credentials from earlier (user nextcloud, no password, database nextcloud) and you should land in your Nextcloud instance:

And we're done! Or so we think! We now have a Nextcloud instance on Debian 10 using DuckDNS, nginx and php7.3-fpm, but the overview page in the admin settings still lists a number of warnings. Let's fix them one by one:

Starting with the php memory limit:


vim /etc/php/7.3/fpm/php.ini

[...]
memory_limit = 2048M
[...]

:wq
systemctl restart php7.3-fpm

Next, install the missing PHP modules along with APCu, then size the nextcloud pool (the numbers below are for a box with plenty of RAM; every child can grow up to memory_limit, so scale pm.max_children to what your server actually has):


apt install -y php-apcu php-imagick php7.3-{bcmath,gmp}

vim /etc/php/7.3/fpm/pool.d/nextcloud.conf

pm = dynamic
pm.max_children = 120
pm.start_servers = 12
pm.min_spare_servers = 6
pm.max_spare_servers = 18

:wq

systemctl restart php7.3-fpm

Now for the memcache error:


vim /var/www/nextcloud/config/config.php

[...]

  'memcache.local' => '\OC\Memcache\APCu',
);

:wq

Now for the SVG error:


apt install libmagickcore-6.q16-6-extra -y

Now for the .well-known/webfinger error, fixed inside the server block of the nginx site file we installed earlier:


vim /etc/nginx/sites-available/nextcloud.conf

location ^~ /.well-known {
        # The following rules are borrowed from `.htaccess`

        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud
        location ^~ /.well-known            { return 301 /index.php$uri; }

        try_files $uri $uri/ =404;
}

:wq

nginx -t && systemctl reload nginx

And lastly the default phone region:


vim /var/www/nextcloud/config/config.php

[...]

  'default_phone_region' => 'FR',
);

:wq

systemctl restart php7.3-fpm

Finally, refresh your browser:

And that's it! The overview page of our Nextcloud instance is now free of warnings.

Post-Installation



Now from here you can make backups, in case the server goes down or the hard drive gets corrupted. You could use a script like this one; note that it only saves one user's files, not the PostgreSQL database or /var/www/nextcloud/config/config.php, both of which a full restore also needs:


#!/bin/bash
#this must run as root (it reads the nextcloud data directory)
set -eu

if [ "$EUID" -ne 0 ]
then
        echo 'MUST RUN AS ROOT!' >&2
        exit 1
fi

#make sure the path to your user is correct!
SRC=/var/www/nextcloud/data/nothing/files/
#build the zip outside the data directory: inside it, the archive would be
#zipped into itself and would show up in the user's Nextcloud files
STAGING=/var/backups/nextcloud
mkdir -p "$STAGING"
cd "$STAGING"

#run it at 3AM
cooldate=$(date --iso-8601)
echo "$cooldate"

rm -f backup-*.zip
zip -rq "backup-$cooldate.zip" "$SRC"

#rsync "backup-$cooldate.zip" nothing@10.0.0.10:/home/nothing/backup/
rsync "backup-$cooldate.zip" nothing@mainpc:/home/nothing/backup/

rm -f backup-*.zip

#crontab -e (keep the script itself out of the data directory too)
#0 3 * * * /bin/bash /root/backup.sh

#chmod u+x backup.sh

#BACKUP_SERVER (here its 10.0.0.10)
#https://github.com/ech1/serverside/blob/master/ssh/ssh.sh
#use this script to setup the key based ssh authentication, and then make sure your nextcloud server's root user has the private ssh key.

Here rsync logs in to my mainpc host over ssh using the key configured in ~/.ssh/config:


root@home:/var/www/nextcloud/data/nothing/files# apt install rsync -y
root@home:/var/www/nextcloud/data/nothing/files# cat ~/.ssh/config
Host mainpc
        Hostname 10.0.0.10
        IdentityFile ~/.ssh/mainpc-10.pkey
        User nothing

Generate the key pair on the Nextcloud server as root, so that the private key stays in its /root/.ssh/ and never leaves the machine, and append only the public key to ~nothing/.ssh/authorized_keys on the backup host (10.0.0.10). Since that key exists purely for this job, lock it down in authorized_keys with the restrict option and a command= that only allows rsync, so a compromised Nextcloud host cannot use it for anything else. As the comments at the end of the script imply, a cron job then runs backup.sh every day at 3 AM.
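The script above leaves out two things a restore needs, config.php and the database, and it deletes every local archive. The functions below are an added example, not part of the original tutorial: they stage the archive outside the data directory, include the config directory, set the archive to mode 600 (it contains the DB credentials and instance salts) and keep the last N archives. The Nextcloud paths and the /var/backups/nextcloud staging directory are the tutorial's assumptions; the pg_dump and maintenance-mode calls are shown as comments because they need a live instance, and the rest runs offline.

```shell
#!/bin/bash
# Added example (not from the original post): staged Nextcloud file backup
# with config included and simple retention. Assumes GNU tar and date.
set -eu

# nc_backup SRC_DIR CONFIG_DIR OUT_DIR -> prints the path of the archive it wrote
nc_backup() {
    local src=$1 cfg=$2 out=$3
    [ -d "$src" ] || { echo "no such data dir: $src" >&2; return 1; }
    [ -d "$cfg" ] || { echo "no such config dir: $cfg" >&2; return 1; }
    mkdir -p "$out"
    local stamp archive
    stamp=$(date +%F-%H%M%S)
    archive="$out/backup-$stamp.tar.gz"
    # On the real host, wrap the tar call in (paths as used in this tutorial):
    #   sudo -u nextcloud php /var/www/nextcloud/occ maintenance:mode --on
    #   sudo -u nextcloud pg_dump nextcloud > "$out/db-$stamp.sql"
    #   ... tar ...
    #   sudo -u nextcloud php /var/www/nextcloud/occ maintenance:mode --off
    # -C keeps absolute paths out of the archive; config/ holds config.php
    # with the instance id, secrets and DB credentials, so it must be included.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" \
                        -C "$(dirname "$cfg")" "$(basename "$cfg")"
    chmod 600 "$archive"
    echo "$archive"
}

# prune_backups OUT_DIR KEEP -> deletes all but the newest KEEP archives
prune_backups() {
    local out=$1 keep=$2
    ls -1t "$out"/backup-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f -- "$old"
    done
}

# count_backups OUT_DIR -> number of archives currently present
count_backups() {
    ls -1 "$1"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Typical cron entry for root at 3 AM, shipping the staging dir with rsync:
#   0 3 * * * /root/nc-backup.sh run && rsync -a /var/backups/nextcloud/ nothing@mainpc:/home/nothing/backup/
if [ "${1:-}" = "run" ]; then
    nc_backup /var/www/nextcloud/data/nothing/files /var/www/nextcloud/config /var/backups/nextcloud
    prune_backups /var/backups/nextcloud 7
fi
```

Keeping a few generations locally and on the backup host means a corrupted upload or a ransomware-encrypted data directory does not overwrite your only copy the next night; the retention count is the trade-off against disk space.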

Special thanks to skid9000 from the anjara.eu staff for helping me update this tutorial. (23/09/2020)
