How to install Nextcloud 17 on Debian Buster with MariaDB php7.3-fpm Apache2 and HTTP/2

Nextcloud 17 was released, so here is a manual to install it on a Debian Buster VPS, secure it with LetsEncrypt and deploy it via Apache2 with php-fpm and HTTP/2.

Requirements:

– an VPS with Debian Buster installed
– shell access and appropriate rights
– One DNS A and possibly AAAA record for our Apache vhost

Step 1: Install MariaDB

First, we install the MariaDB as Database-Server:

apt install -y mariadb-server mariadb-client

and we secure the MariaDB installation:

mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we’ll need the current
password for the root user. If you’ve just installed MariaDB, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:your-password
Re-enter new password:your-password
Password updated successfully!
Reloading privilege tables..
… Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
… Success!

Normally, root should only be allowed to connect from ‚localhost‘. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
… Success!

By default, MariaDB comes with a database named ‚test‘ that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
– Dropping test database…
… Success!
– Removing privileges on test database…
… Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
… Success!

Cleaning up…

All done! If you’ve completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Step 2: Install Apache2

With the following command we will install the Apache-Webserver:

apt install -y apache2 apache2-utils

Step 3: Install php7.3-fpm an recommended moduls

Installation of nextcloud needs a few php-modules and other packages, which we install with the following command:

apt install -y php7.3-cli php7.3-common php7.3-mbstring php7.3-gd php-imagick php7.3-intl php7.3-bz2 php7.3-xml php7.3-mysql php7.3-zip php7.3-dev php7.3-curl php7.3-fpm php-dompdf redis-server php-redis php-smbclient php7.3-ldap

Step 4: Configure Apache2 and php7.3-fpm

Now we enable the needed modules in Apache2 with:

a2enmod proxy_fcgi setenvif mpm_event rewrite headers env dir mime ssl http2

and after that we activate php7.3-fpm:

a2enconf php7.3-fpm

now we have edit the apache2.conf to allow the usage of .htaccess-files:

nano /etc/apache2/apache2.conf

and change the following code:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

to:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

To enable HTTP/2, we need to add this line to apache2.conf:

Protocols h2 h2c http/1.1

now we have to prepare the php.ini for nextcloud:

nano /etc/php/7.3/fpm/php.ini

extend with the following directives:

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

and adjust the following Lines:

max_execution_time = 300
max_input_time = 600
memory_limit = 512M
upload_max_filesize = 10240M

Afterwards, the web server and php7.3-fpm must be restarted:

systemctl restart apache2 php7.3-fpm

Step 4: Install Certbot and other tools

To request a ssl-sert from LetsEncrypt we use Certbot and the apache-plugin:

apt install python-certbot-apache certbot wget curl sudo unzip

Step 5: Create Database

Before we can install Nextcloud, we first have to create a database. To do this, we execute the following commands:

mysql -u root -p

enter your password and then execute:

create database nextcloud;
create user nextcloud@localhost identified by 'YOUR_PASSWORD';
grant all privileges on nextcloud.* to nextcloud@localhost;
flush privileges;
exit;

Step 6: Download Nextcloud and create filesystem

Now it’s time to download the latest Release of Nextcloud 17 from nextcloud:

wget https://download.nextcloud.com/server/releases/latest-17.zip

and unzip the downloaded archive:

unzip latest-17.zip

Afterwards we move the folder nextcloud to the right place.

If we just want to deploy Nextcloud on this server, we can move the data to the /var/www/html/ folder and adjust the permissions.

mv nextcloud/* /var/www/html/
chown -R www-data:www-data /var/www/html/

In order to keep the option of other websites open, we move the entire folder into the path /var/www/html/

mv nextcloud /var/www/html/
chown -R www-data:www-data /var/www/html/nextcloud

You can delete the downloaded archive now:

sudo rm latest-17.zip

For our nextcloud-files we prepare a directory outside of /var/www/html/nextcloud:

mkdir /nextcloud_data

and change the owner to www-data:

chown -R www-data:www-data /nextcloud_data

Step 7: Create Apache2 vHost and secure with SSL

To create an Apache vhost, we simply create a new .conf in /etc/apache2/sites-available/:

nano /etc/apache2/sites-available/001-nextcloud.conf

add the following content and adjust your names:

<VirtualHost *:80>
ServerName nextcloud.your-domain.tld
ServerAdmin webmaster@your-domain.tld
DocumentRoot /var/www/html/nextcloud

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

 

then we activate this site and disable the default vHost:

a2ensite 001-nextcloud.conf
a2dissite 000-default.conf
systemctl reload apache2

Since we want to reach the site of course via https, we create a LetEncrypt certificate. The easiest way to do this is with Certbot, which we already installed above:

certbot --apache --rsa-key-size 4096

In the last query, we confirm with „2“ that a redirect should occur.

Certbot then creates a second vhost configuration file, which we then process again:

nano /etc/apache2/sites-available/001-nextcloud-le-ssl.conf

we add the following block under DocumentRoot-directive:

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Prevent MIME based attacks
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
# SSL Configuration - uses strong cipher list - these might need to be downgraded if you need to support older browsers/devices
SSLEngine on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On

<Directory /var/www/html/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews

<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
Satisfy Any

</Directory>

then we have to reload the webserver again:

systemctl reload apache2

Step 8: Configure Nextcloud

For final configuration, we call our domain in the browser:

and enter the corresponding data, as DB host we enter localhost and the data directory is /nextcloud_data.

Now, let’s take Nextcloud’s config.php to configure the recommended memory cache:

nano /var/www/html/nextcloud/config/config.php

add the following code:

'memcache.local' => '\OC\Memcache\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => array(
'host' => 'localhost',
'port' => 6379,
),

It looks like this:

In the basic settings, we customize the background tasks and use cron:

and configure the user’s cron job accordingly www-data(adjust path and/or user if you use another one):

sudo crontab -u www-data -e

add the following line at the end:

*/15 * * * * php7.3 -f /var/www/html/nextcloud/cron.php

Restart Aapche2 and php-fpm:

systemctl restart apache2 && sudo systemctl restart php7.3-fpm

and refresh your browser

Do not forget to configure your mail-settings

Now we have a freshly installed Nextcloud 17 and can enjoy… Remember: If you find issues within the Nextcloud, then report here on GitHub.

Problems with the tutorial? Then comment below or contact me per Mail or Mastodon.

Happy nextclouding and do not forget to share 🙂

24 Gedanken zu „How to install Nextcloud 17 on Debian Buster with MariaDB php7.3-fpm Apache2 and HTTP/2

  1. Hi,

    Im having an issue and was hoping you could help, it says that tld is an invalid suffix.

    pi@Cloud-Server:/var/www/html $ sudo certbot –apache –rsa-key-size 4096
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache

    Which names would you like to activate HTTPS for?
    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    1: nextcloud.cloudserver.tld
    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter ‚c‘ to cancel): 1
    Obtaining a new certificate
    An unexpected error occurred:
    Error creating new order :: Cannot issue for „nextcloud.cloudserver.tld“: Domain name does not end with a valid public suffix (TLD)
    Please see the logfiles in /var/log/letsencrypt for more details.

      1. Thank you, Ive changed it but i’m now getting the following error.

        Failed authorization procedure. nextcloud.cloudserver.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.cloudserver.com/.well-known/acme-challenge/qNFR-AhhxIEfLQ_7P0edjcDCTML_QE8eXC89OnO1HZA [185.53.177.51]: „\r\n403 Forbidden\r\n\r\n403 Forbidden\r\nnginx\r\n“

        IMPORTANT NOTES:
        – The following errors were reported by the server:

        Domain: nextcloud.cloudserver.com
        Type: unauthorized
        Detail: Invalid response from
        http://nextcloud.cloudserver.com/.well-known/acme-challenge/qNFR-AhhxIEfLQ_7P0edjcDCTML_QE8eXC89OnO1HZA
        [185.53.177.51]: „\r\n403
        Forbidden\r\n\r\n403
        Forbidden\r\nnginx\r\n“

        To fix these errors, please make sure that your domain name was
        entered correctly and the DNS A/AAAA record(s) for that domain
        contain(s) the right IP address.

        1. Hi,
          do you own a Virtual Private Server and a domain? Then you have to add a DNS-A-Record in your Domain-Management for nextcloud.your-domain with the IPv4-address of your server, optional an AAAA-Record with the IPv6-address of your server.
          The error „Forbidden\r\nnginx\r\n““ tell me that this is not your server (no Apache2 is running).
          You are not able to use a domain name you do not own!

          Regards Markus

  2. Hallo Markus,
    das ist mit Abstand Beste Tutorial den ich im Internet gefunden hatte, sehr gut und detailliert gemacht.

    Hi Markus,
    this is by far the best tutorial I found on the internet, done very well and in detail.

  3. Hi Markus,

    first of all, thx for our work and great documentation.

    Second a short question, how do you update via web-updater because nextcloud_data would not be exceeded while ‚check for expected files‘.

    Copy from updater:
    Check for expected files
    The following extra files have been found:
    – nextcloud_data

    Best regards
    Chris

      1. Hi Markus,

        sry it should be your work first ;0) .

        Yes its /var/www/nextcloud/nextcloud_data . Ah fu**, sry read it. Outside of ;0)

        Thx for your help. Next time i rtfm clearly…

  4. Very good explanation!
    One correction: a second backspace before OC „\OC\Memcache\Redis“ is missing for the nextcloud config.php.

  5. After install I have this:

    There are some warnings regarding your setup.

    Your web server is not properly set up to resolve „/.well-known/caldav“. Further information can be found in the documentation.
    Your web server is not properly set up to resolve „/.well-known/carddav“. Further information can be found in the documentation.
    No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.
    Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running ‚occ db:convert-filecache-bigint‘ those pending changes could be applied manually. This operation needs to be made while the instance is offline. For further details read the documentation page about this.
    mounts.storage_id
    mounts.root_id
    mounts.mount_id

  6. hello, we had low memory warning, and had to adjust this file:
    /etc/php/7.3/apache2/php.ini : memory_limit = 512M

    thank you for the very good install and configure info!

    1. Hi, are you sure you had activated php7.3-fpm?
      It seems you run the apache-mod php7.3.

      a2dismod php7.3 mpm_prefork
      a2enmod proxy_fcgi setenvif mpm_event rewrite headers env dir mime ssl http2
      a2enconf php7.3-fpm

      switches to fpm

  7. Sorry Marcus new install of Buster
    and doing the „mysql_secure_installation“
    i get

    „enter current password for root (enter for none):
    ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‚/var/run/mysqld/mysqld.sock‘ (2)

    I have seen this before has to do with user permissions but I don’t remember where it is. It is a user permissions issue I tried just enter and my root password,

    1. trouble shooting!

      Oct 05 10:26:17 nextcloud systemd[1]: Starting MariaDB 10.3.17 database server…
      Oct 05 10:26:17 nextcloud mysqld[1909]: 2019-10-05 10:26:17 0 [Note] /usr/sbin/mysqld (m
      Oct 05 10:26:17 nextcloud systemd[1]: mariadb.service: Main process exited, code=exited,
      Oct 05 10:26:17 nextcloud systemd[1]: mariadb.service: Failed with result ‚exit-code‘.
      Oct 05 10:26:17 nextcloud systemd[1]: Failed to start MariaDB 10.3.17 database server.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert