Nextcloud 17 was released, so here is a manual to install it on a Debian Buster VPS, secure it with LetsEncrypt and deploy it via Apache2 with php-fpm and HTTP/2.

Requirements:

– an VPS with Debian Buster installed
– shell access and appropriate rights
– One DNS A and possibly AAAA record for our Apache vhost

Step 1: Install MariaDB

First, we install the MariaDB as Database-Server:

apt install -y mariadb-server mariadb-client

and we secure the MariaDB installation:

mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we’ll need the current
password for the root user. If you’ve just installed MariaDB, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:your-password
Re-enter new password:your-password
Password updated successfully!
Reloading privilege tables..
… Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
… Success!

Normally, root should only be allowed to connect from ‚localhost‘. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
… Success!

By default, MariaDB comes with a database named ‚test‘ that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
– Dropping test database…
… Success!
– Removing privileges on test database…
… Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
… Success!

Cleaning up…

All done! If you’ve completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Step 2: Install Apache2

With the following command we will install the Apache-Webserver:

apt install -y apache2 apache2-utils

Step 3: Install php7.3-fpm an recommended moduls

Installation of nextcloud needs a few php-modules and other packages, which we install with the following command:

apt install -y php7.3-cli php7.3-common php7.3-mbstring php7.3-gd php-imagick php7.3-intl php7.3-bz2 php7.3-xml php7.3-mysql php7.3-zip php7.3-dev php7.3-curl php7.3-fpm php-dompdf redis-server php-redis php-smbclient php7.3-ldap

Step 4: Configure Apache2 and php7.3-fpm

Now we enable the needed modules in Apache2 with:

a2enmod proxy_fcgi setenvif mpm_event rewrite headers env dir mime ssl http2

and after that we activate php7.3-fpm:

a2enconf php7.3-fpm

now we have edit the apache2.conf to allow the usage of .htaccess-files:

nano /etc/apache2/apache2.conf

and change the following code:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

to:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

To enable HTTP/2, we need to add this line to apache2.conf:

Protocols h2 h2c http/1.1

now we have to prepare the php.ini for nextcloud:

nano /etc/php/7.3/fpm/php.ini

extend with the following directives:

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

and adjust the following Lines:

max_execution_time = 300
max_input_time = 600
memory_limit = 512M
upload_max_filesize = 10240M

Afterwards, the web server and php7.3-fpm must be restarted:

systemctl restart apache2 php7.3-fpm

Step 4: Install Certbot and other tools

To request a ssl-sert from LetsEncrypt we use Certbot and the apache-plugin:

apt install python-certbot-apache certbot wget curl sudo unzip

Step 5: Create Database

Before we can install Nextcloud, we first have to create a database. To do this, we execute the following commands:

mysql -u root -p

enter your password and then execute:

create database nextcloud;
create user nextcloud@localhost identified by 'YOUR_PASSWORD';
grant all privileges on nextcloud.* to nextcloud@localhost;
flush privileges;
exit;

Step 6: Download Nextcloud and create filesystem

Now it’s time to download the latest Release of Nextcloud 17 from nextcloud:

wget https://download.nextcloud.com/server/releases/latest-17.zip

and unzip the downloaded archive:

unzip latest-17.zip

Afterwards we move the folder nextcloud to the right place.

If we just want to deploy Nextcloud on this server, we can move the data to the /var/www/html/ folder and adjust the permissions.

mv nextcloud/* /var/www/html/
chown -R www-data:www-data /var/www/html/

In order to keep the option of other websites open, we move the entire folder into the path /var/www/html/

mv nextcloud /var/www/html/
chown -R www-data:www-data /var/www/html/nextcloud

You can delete the downloaded archive now:

sudo rm latest-17.zip

For our nextcloud-files we prepare a directory outside of /var/www/html/nextcloud:

mkdir /nextcloud_data

and change the owner to www-data:

chown -R www-data:www-data /nextcloud_data

Step 7: Create Apache2 vHost and secure with SSL

To create an Apache vhost, we simply create a new .conf in /etc/apache2/sites-available/:

nano /etc/apache2/sites-available/001-nextcloud.conf

add the following content and adjust your names:

<VirtualHost *:80>
ServerName nextcloud.your-domain.tld
ServerAdmin webmaster@your-domain.tld
DocumentRoot /var/www/html/nextcloud

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

 

then we activate this site and disable the default vHost:

a2ensite 001-nextcloud.conf
a2dissite 000-default.conf
systemctl reload apache2

Since we want to reach the site of course via https, we create a LetEncrypt certificate. The easiest way to do this is with Certbot, which we already installed above:

certbot --apache --rsa-key-size 4096

In the last query, we confirm with „2“ that a redirect should occur.

Certbot then creates a second vhost configuration file, which we then process again:

nano /etc/apache2/sites-available/001-nextcloud-le-ssl.conf

we add the following block under DocumentRoot-directive:

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Prevent MIME based attacks
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
# SSL Configuration - uses strong cipher list - these might need to be downgraded if you need to support older browsers/devices
SSLEngine on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On

<Directory /var/www/html/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews

<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
Satisfy Any

</Directory>

then we have to reload the webserver again:

systemctl reload apache2

Step 8: Configure Nextcloud

For final configuration, we call our domain in the browser:

and enter the corresponding data, as DB host we enter localhost and the data directory is /nextcloud_data.

Now, let’s take Nextcloud’s config.php to configure the recommended memory cache:

nano /var/www/html/nextcloud/config/config.php

add the following code:

'memcache.local' => '\OC\Memcache\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => array(
'host' => 'localhost',
'port' => 6379,
),

It looks like this:

In the basic settings, we customize the background tasks and use cron:

and configure the user’s cron job accordingly www-data(adjust path and/or user if you use another one):

sudo crontab -u www-data -e

add the following line at the end:

*/15 * * * * php7.3 -f /var/www/html/nextcloud/cron.php

Restart Aapche2 and php-fpm:

systemctl restart apache2 && sudo systemctl restart php7.3-fpm

and refresh your browser

Do not forget to configure your mail-settings

Now we have a freshly installed Nextcloud 17 and can enjoy… Remember: If you find issues within the Nextcloud, then report here on GitHub.

Problems with the tutorial? Then comment below or contact me per Mail or Mastodon.

Happy nextclouding and do not forget to share 🙂