Nextcloud 17 was released, so here is a manual to install it on a Debian Buster VPS, secure it with LetsEncrypt and deploy it via Apache2 with php-fpm and HTTP/2.
Requirements:
– a VPS with Debian Buster installed
– shell access and appropriate rights
– One DNS A and possibly AAAA record for our Apache vhost
Step 1: Install MariaDB
First, we install MariaDB as the database server:
apt install -y mariadb-server mariadb-client
and we secure the MariaDB installation:
mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:your-password
Re-enter new password:your-password
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
Step 2: Install Apache2
With the following command we will install the Apache-Webserver:
apt install -y apache2 apache2-utils
Step 3: Install php7.3-fpm and recommended modules
Nextcloud needs a few PHP modules and other packages, which we install with the following command:
apt install -y php7.3-cli php7.3-common php7.3-mbstring php7.3-gd php-imagick php7.3-intl php7.3-bz2 php7.3-xml php7.3-mysql php7.3-zip php7.3-dev php7.3-curl php7.3-fpm php-dompdf redis-server php-redis php-smbclient php7.3-ldap
Step 4: Configure Apache2 and php7.3-fpm
Now we enable the needed modules in Apache2 with:
a2enmod proxy_fcgi setenvif mpm_event rewrite headers env dir mime ssl http2
and after that we activate php7.3-fpm:
a2enconf php7.3-fpm
Now we have to edit apache2.conf to allow the usage of .htaccess files:
nano /etc/apache2/apache2.conf
and change the following code:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
to:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
To enable HTTP/2, we need to add this line to apache2.conf:
Protocols h2 h2c http/1.1
Now we have to prepare the php.ini for Nextcloud:
nano /etc/php/7.3/fpm/php.ini
extend it with the following directives:
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
and adjust the following lines:
max_execution_time = 300
max_input_time = 600
memory_limit = 512M
upload_max_filesize = 10240M
Afterwards, the web server and php7.3-fpm must be restarted:
systemctl restart apache2 php7.3-fpm
Step 4: Install Certbot and other tools
To request an SSL certificate from LetsEncrypt we use Certbot and the Apache plugin:
apt install python-certbot-apache certbot wget curl sudo unzip
Step 5: Create Database
Before we can install Nextcloud, we first have to create a database. To do this, we execute the following commands:
mysql -u root -p
enter your password and then execute:
create database nextcloud;
create user nextcloud@localhost identified by 'YOUR_PASSWORD';
grant all privileges on nextcloud.* to nextcloud@localhost;
flush privileges;
exit;
Step 6: Download Nextcloud and create filesystem
Now it’s time to download the latest Release of Nextcloud 17 from nextcloud:
wget https://download.nextcloud.com/server/releases/latest-17.zip
and unzip the downloaded archive:
unzip latest-17.zip
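Before unpacking, the download can be compared with a published SHA-256 digest. This is an added example, not part of the original guide: verify_release is a made-up helper name, and the .sha256 URL in the comment is an assumption about the layout of the download server.

```shell
#!/bin/sh
# Added example: verify_release is a hypothetical helper, not a Nextcloud tool.
# verify_release ARCHIVE SUMFILE
#   0 = digest matches, 1 = mismatch, 2 = unusable input
verify_release() {
    archive=$1 sumfile=$2
    [ -f "$archive" ] && [ -s "$sumfile" ] || return 2
    # The digest is the first field of the first line. The file name recorded
    # next to it may differ from the local name, so "sha256sum -c" is not used.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    # A saved HTML error page or a truncated file must not pass as a digest.
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
}

# Intended use in Step 6 (the .sha256 URL is assumed, check the release directory):
#   wget https://download.nextcloud.com/server/releases/latest-17.zip.sha256
#   verify_release latest-17.zip latest-17.zip.sha256 && unzip latest-17.zip

# Constructed demo: a stand-in archive and a digest file generated for it.
tmp=$(mktemp -d)
printf 'stand-in archive bytes\n' > "$tmp/latest-17.zip"
sha256sum "$tmp/latest-17.zip" |
    awk '{ print $1 "  nextcloud-17.x.zip" }' > "$tmp/ok.sha256"
verify_release "$tmp/latest-17.zip" "$tmp/ok.sha256" && echo "digest matches"
rm -rf "$tmp"
```

A matching digest fetched from the same server rules out a corrupted or truncated transfer; it does not authenticate the publisher.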
Afterwards we move the folder nextcloud to the right place.
If we just want to deploy Nextcloud on this server, we can move the data to the /var/www/html/ folder and adjust the permissions.
mv nextcloud/* /var/www/html/
chown -R www-data:www-data /var/www/html/
In order to keep the option of other websites open, we move the entire folder into the path /var/www/html/
mv nextcloud /var/www/html/
chown -R www-data:www-data /var/www/html/nextcloud
You can delete the downloaded archive now:
sudo rm latest-17.zip
For our nextcloud-files we prepare a directory outside of /var/www/html/nextcloud:
mkdir /nextcloud_data
and change the owner to www-data:
chown -R www-data:www-data /nextcloud_data
Step 7: Create Apache2 vHost and secure with SSL
To create an Apache vhost, we simply create a new .conf in /etc/apache2/sites-available/:
nano /etc/apache2/sites-available/001-nextcloud.conf
add the following content and adjust your names:
<VirtualHost *:80>
  ServerName nextcloud.your-domain.tld
  ServerAdmin webmaster@your-domain.tld
  DocumentRoot /var/www/html/nextcloud
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
then we activate this site and disable the default vHost:
a2ensite 001-nextcloud.conf
a2dissite 000-default.conf
systemctl reload apache2
Since we of course want to reach the site via https, we create a LetsEncrypt certificate. The easiest way to do this is with Certbot, which we already installed above:
certbot --apache --rsa-key-size 4096
In the last query, we confirm with "2" that a redirect should occur.
Certbot then creates a second vhost configuration file, which we then process again:
nano /etc/apache2/sites-available/001-nextcloud-le-ssl.conf
we add the following block under the DocumentRoot directive:
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15768000; preload"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # Prevent MIME based attacks
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
# SSL Configuration - uses strong cipher list - these might need to be downgraded if you need to support older browsers/devices
SSLEngine on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
<Directory /var/www/html/nextcloud/>
  Require all granted
  AllowOverride All
  Options FollowSymLinks MultiViews
  <IfModule mod_dav.c>
    Dav off
  </IfModule>
  SetEnv HOME /var/www/html/nextcloud
  SetEnv HTTP_HOME /var/www/html/nextcloud
  Satisfy Any
</Directory>
then we have to reload the webserver again:
systemctl reload apache2
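A quick way to confirm that the SSL vhost still carries the settings from this step, for instance after a later Certbot run or a manual edit. This is an added example, not part of the original guide; audit_vhost is a made-up helper name and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit_vhost is a hypothetical helper, not an Apache or certbot tool.
# It checks a vhost file for the Step 7 directives and returns the number
# of findings as its exit status (0 = everything present).
audit_vhost() {
    body=$(sed 's/#.*//' "$1") || return 255    # drop comments first
    findings=0
    require() {    # require LABEL REGEX
        if ! printf '%s\n' "$body" | grep -Eiq "$2"; then
            echo "MISSING: $1"
            findings=$((findings + 1))
        fi
    }
    hdr='^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+'
    require 'HSTS header' "${hdr}Strict-Transport-Security[[:space:]]+\"max-age=[0-9]+"
    require 'X-Content-Type-Options nosniff' "${hdr}X-Content-Type-Options[[:space:]]+\"nosniff\""
    require 'X-Frame-Options SAMEORIGIN' "${hdr}X-Frame-Options[[:space:]]+\"SAMEORIGIN\""
    require 'Referrer-Policy' "${hdr}Referrer-Policy[[:space:]]"
    require 'SSLHonorCipherOrder On' '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on'
    # Look at the last SSLProtocol line; each legacy protocol must be removed.
    proto=$(printf '%s\n' "$body" | grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' |
            tail -n 1 | tr -s '[:space:]' ' ')
    for old in SSLv3 TLSv1 TLSv1.1; do
        case " $proto " in
            *" -$old "*) ;;
            *) echo "WEAK: SSLProtocol does not disable $old"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed sample: the Step 7 settings with "-TLSv1.1" left out by mistake.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Header always set Strict-Transport-Security "max-age=15768000; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
EOF
audit_vhost "$sample" || echo "findings: $?"
rm -f "$sample"
```

On the server it would be pointed at /etc/apache2/sites-available/001-nextcloud-le-ssl.conf.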
Step 8: Configure Nextcloud
For the final configuration, we open our domain in the browser and enter the corresponding data: as DB host we enter localhost, and the data directory is /nextcloud_data.
Now we edit Nextcloud's config.php to configure the recommended memory cache:
nano /var/www/html/nextcloud/config/config.php
add the following code:
'memcache.local' => '\OC\Memcache\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => array(
  'host' => 'localhost',
  'port' => 6379,
),
In the basic settings, we set the background tasks to use cron and configure the cron job for the user www-data accordingly (adjust path and/or user if you use another one):
sudo crontab -u www-data -e
add the following line at the end:
*/15 * * * * php7.3 -f /var/www/html/nextcloud/cron.php
Restart Apache2 and php-fpm:
systemctl restart apache2 && sudo systemctl restart php7.3-fpm
and refresh your browser
Do not forget to configure your mail-settings
Now we have a freshly installed Nextcloud 17 and can enjoy… Remember: If you find issues within the Nextcloud, then report here on GitHub.
Problems with the tutorial? Then comment below or contact me by mail or Mastodon.
Happy nextclouding and do not forget to share 🙂
24 thoughts on "How to install Nextcloud 17 on Debian Buster with MariaDB php7.3-fpm Apache2 and HTTP/2"
perfect guide
thank you
Hey man just wanted to say this tutorial helped me a lot thanks for posting this!
Hi,
I'm having an issue and was hoping you could help, it says that tld is an invalid suffix.
pi@Cloud-Server:/var/www/html $ sudo certbot --apache --rsa-key-size 4096
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: nextcloud.cloudserver.tld
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for "nextcloud.cloudserver.tld": Domain name does not end with a valid public suffix (TLD)
Please see the logfiles in /var/log/letsencrypt for more details.
Hi, check your Apache-vHost, your Servername should be something like nextcloud.cloudserver.com. "tld" is a placeholder in this Guide.
Thank you, I've changed it but I'm now getting the following error.
Failed authorization procedure. nextcloud.cloudserver.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.cloudserver.com/.well-known/acme-challenge/qNFR-AhhxIEfLQ_7P0edjcDCTML_QE8eXC89OnO1HZA [185.53.177.51]: „\r\n403 Forbidden\r\n\r\n403 Forbidden\r\nnginx\r\n“
IMPORTANT NOTES:
– The following errors were reported by the server:
Domain: nextcloud.cloudserver.com
Type: unauthorized
Detail: Invalid response from
http://nextcloud.cloudserver.com/.well-known/acme-challenge/qNFR-AhhxIEfLQ_7P0edjcDCTML_QE8eXC89OnO1HZA
[185.53.177.51]: „\r\n403
Forbidden\r\n\r\n403
Forbidden\r\nnginx\r\n“
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Hi,
do you own a Virtual Private Server and a domain? Then you have to add a DNS-A-Record in your Domain-Management for nextcloud.your-domain with the IPv4-address of your server, optionally an AAAA-Record with the IPv6-address of your server.
The error "Forbidden\r\nnginx\r\n" tells me that this is not your server (no Apache2 is running).
You are not able to use a domain name you do not own!
Regards Markus
Hi Markus,
this is by far the best tutorial I found on the internet, done very well and in detail.
Hi, thank you very much and you are welcome 🙂
Hi Markus,
first of all, thx for our work and great documentation.
Second a short question, how do you update via web-updater because nextcloud_data would not be exceeded while ‚check for expected files‘.
Copy from updater:
Check for expected files
The following extra files have been found:
– nextcloud_data
Best regards
Chris
Hi Christian,
What is the full path of your nextcloud_data? Check in config.php. It should be /nextcloud_data and it should not be detected by the updater as an expected file.
Markus
Hi Markus,
sry it should be your work first ;0) .
Yes, it's /var/www/nextcloud/nextcloud_data . Ah fu**, sry read it. Outside of ;0)
Thx for your help. Next time I rtfm clearly…
Very good explanation!
One correction: a second backspace before OC „\OC\Memcache\Redis“ is missing for the nextcloud config.php.
Thanks 🙂
The best TUTORIAL ?
Thank you very much 🙂
After install I have this:
There are some warnings regarding your setup.
Your web server is not properly set up to resolve „/.well-known/caldav“. Further information can be found in the documentation.
Your web server is not properly set up to resolve „/.well-known/carddav“. Further information can be found in the documentation.
No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.
Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running ‚occ db:convert-filecache-bigint‘ those pending changes could be applied manually. This operation needs to be made while the instance is offline. For further details read the documentation page about this.
mounts.storage_id
mounts.root_id
mounts.mount_id
Fixed ?
can you describe how did you fix it?
THX
hello, we had low memory warning, and had to adjust this file:
/etc/php/7.3/apache2/php.ini : memory_limit = 512M
thank you for the very good install and configure info!
Hi, are you sure you had activated php7.3-fpm?
It seems you run the apache-mod php7.3.
a2dismod php7.3 mpm_prefork
a2enmod proxy_fcgi setenvif mpm_event rewrite headers env dir mime ssl http2
a2enconf php7.3-fpm
switches to fpm
Sorry Marcus new install of Buster
and doing the „mysql_secure_installation“
i get
„enter current password for root (enter for none):
ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‚/var/run/mysqld/mysqld.sock‘ (2)
“
I have seen this before has to do with user permissions but I don’t remember where it is. It is a user permissions issue I tried just enter and my root password,
trouble shooting!
Oct 05 10:26:17 nextcloud systemd[1]: Starting MariaDB 10.3.17 database server…
Oct 05 10:26:17 nextcloud mysqld[1909]: 2019-10-05 10:26:17 0 [Note] /usr/sbin/mysqld (m
Oct 05 10:26:17 nextcloud systemd[1]: mariadb.service: Main process exited, code=exited,
Oct 05 10:26:17 nextcloud systemd[1]: mariadb.service: Failed with result ‚exit-code‘.
Oct 05 10:26:17 nextcloud systemd[1]: Failed to start MariaDB 10.3.17 database server.
MariaDB Troubleshooting: https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/
Hi Ira, normally no password was set when you install mariadb. You can try to reset it. Look here: https://robbinespu.github.io/eng/2018/03/29/Reset_mariadb_root_password.html