Install Config Wiki

All about installing, configuring and troubleshooting


install_nextcloud_nginx_let_encrypt_ssl_ubuntu_20_04_lts

Differences

This shows you the differences between two versions of the page.

install_nextcloud_nginx_let_encrypt_ssl_ubuntu_20_04_lts [2020/06/19 22:37] – [Step 3 - Install and Configure MariaDB Server] wikiadmininstall_nextcloud_nginx_let_encrypt_ssl_ubuntu_20_04_lts [2020/06/19 23:21] (current) – [Step 8 - Nextcloud Post-Installation] wikiadmin
Line 146: Line 146:
 And you will be asked for some configuraiton of MariaDB Server. Also, type the new root password for MariaDB Server. And you will be asked for some configuraiton of MariaDB Server. Also, type the new root password for MariaDB Server.
  
-</code>+<code>
 Enter current password for root (enter for none): Press Enter Enter current password for root (enter for none): Press Enter
  
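Review bot: the context sentence directly above the corrected `<code>` tag still reads "configuraiton"; fix the spelling in the same edit. Inside the block, "Press Enter" follows the prompt text as if it were terminal output, so mark it as an instruction to the reader (or move it outside the block) so it is not mistaken for something to type.
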
Line 210: Line 210:
  
 The SSL certificates Letsencrypt for the netxcloud domain name has been generated, all located at the '/etc/letsencrypt/live/your-domain' directory. The SSL certificates Letsencrypt for the netxcloud domain name has been generated, all located at the '/etc/letsencrypt/live/your-domain' directory.
 +
 +===== Step 5 - Download Nextcloud =====
 +
 +Before downloading the nextcloud source code, make sure the unzip package is installed on the system. If you don't have the package, install it using the apt command below.
 +
 +<code>
 +sudo apt install wget unzip zip -y
 +</code>
 +
 +Now go to the '/var/www' directory and download the latest version of Nextcloud using the following command.
 +
 +
 +<code>
 +cd /var/www/
 +
 +wget -q https://download.nextcloud.com/server/releases/latest.zip
 +</code>
 +
 +Extract the Nextcloud source code and you will get a new directory 'netxcloud', change the ownership of the nextcloud directory to user 'www-data'.
 +
 +<code>
 +unzip -qq latest.zip
 +
 +sudo chown -R www-data:www-data /var/www/nextcloud
 +</code>
 +
 +As a result, the Nextcloud has been downloaded under the '/var/www/nextcloud' directory, and it will be the web root directory.
 +
 +===== Step 6 - Configure Nginx Virtual Host for Nextcloud =====
 +
 +In this step, we will configure the nginx virtual host for nextcloud. We will configure nextcloud to run under the HTTPS connection and will force the HTTP connection automatically to the secure HTTPS connection.
 +
 +Now go to the '/etc/nginx/sites-available' directory and create a new virtual host file 'nextcloud'.
 +
 +<code>
 +cd /etc/nginx/sites-available/
 +vim nextcloud
 +</code>
 +
 +There, paste the following nextcloud virtual host configuration.
 +
 +<code>
 +
 +upstream php-handler {
 +    #server 127.0.0.1:9000;
 +    server unix:/var/run/php/php7.4-fpm.sock;
 +}
 +
 +server {
 +    listen 80;
 +    listen [::]:80;
 +    server_name cloud.hakase-labs.io;
 +    # enforce https
 +    return 301 https://$server_name:443$request_uri;
 +}
 +
 +server {
 +    listen 443 ssl http2;
 +    listen [::]:443 ssl http2;
 +    server_name cloud.hakase-labs.io;
 +
 +    # Use Mozilla's guidelines for SSL/TLS settings
 +    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
 +    # NOTE: some settings below might be redundant
 +    ssl_certificate /etc/letsencrypt/live/cloud.hakase-labs.io/fullchain.pem;
 +    ssl_certificate_key /etc/letsencrypt/live/cloud.hakase-labs.io/privkey.pem;
 +
 +    # Add headers to serve security related headers
 +    # Before enabling Strict-Transport-Security headers please read into this
 +    # topic first.
 +    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 +    #
 +    # WARNING: Only add the preload option once you read about
 +    # the consequences in https://hstspreload.org/. This option
 +    # will add the domain to a hardcoded list that is shipped
 +    # in all major browsers and getting removed from this list
 +    # could take several months.
 +    add_header Referrer-Policy "no-referrer" always;
 +    add_header X-Content-Type-Options "nosniff" always;
 +    add_header X-Download-Options "noopen" always;
 +    add_header X-Frame-Options "SAMEORIGIN" always;
 +    add_header X-Permitted-Cross-Domain-Policies "none" always;
 +    add_header X-Robots-Tag "none" always;
 +    add_header X-XSS-Protection "1; mode=block" always;
 +
 +    # Remove X-Powered-By, which is an information leak
 +    fastcgi_hide_header X-Powered-By;
 +
 +    # Path to the root of your installation
 +    root /var/www/nextcloud;
 +
 +    location = /robots.txt {
 +        allow all;
 +        log_not_found off;
 +        access_log off;
 +    }
 +
 +    # The following 2 rules are only needed for the user_webfinger app.
 +    # Uncomment it if you're planning to use this app.
 +    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
 +    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
 +
 +    # The following rule is only needed for the Social app.
 +    # Uncomment it if you're planning to use this app.
 +    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
 +
 +    location = /.well-known/carddav {
 +      return 301 $scheme://$host:$server_port/remote.php/dav;
 +    }
 +    location = /.well-known/caldav {
 +      return 301 $scheme://$host:$server_port/remote.php/dav;
 +    }
 +
 +    # set max upload size
 +    client_max_body_size 512M;
 +    fastcgi_buffers 64 4K;
 +
 +    # Enable gzip but do not remove ETag headers
 +    gzip on;
 +    gzip_vary on;
 +    gzip_comp_level 4;
 +    gzip_min_length 256;
 +    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
 +    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 +
 +    # Uncomment if your server is build with the ngx_pagespeed module
 +    # This module is currently not supported.
 +    #pagespeed off;
 +
 +    location / {
 +        rewrite ^ /index.php;
 +    }
 +
 +    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
 +        deny all;
 +    }
 +    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
 +        deny all;
 +    }
 +
 +    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
 +        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
 +        set $path_info $fastcgi_path_info;
 +        try_files $fastcgi_script_name =404;
 +        include fastcgi_params;
 +        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +        fastcgi_param PATH_INFO $path_info;
 +        fastcgi_param HTTPS on;
 +        # Avoid sending the security headers twice
 +        fastcgi_param modHeadersAvailable true;
 +        # Enable pretty urls
 +        fastcgi_param front_controller_active true;
 +        fastcgi_pass php-handler;
 +        fastcgi_intercept_errors on;
 +        fastcgi_request_buffering off;
 +    }
 +
 +    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
 +        try_files $uri/ =404;
 +        index index.php;
 +    }
 +
 +    # Adding the cache control header for js, css and map files
 +    # Make sure it is BELOW the PHP block
 +    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
 +        try_files $uri /index.php$request_uri;
 +        add_header Cache-Control "public, max-age=15778463";
 +        # Add headers to serve security related headers (It is intended to
 +        # have those duplicated to the ones above)
 +        # Before enabling Strict-Transport-Security headers please read into
 +        # this topic first.
 +        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 +        #
 +        # WARNING: Only add the preload option once you read about
 +        # the consequences in https://hstspreload.org/. This option
 +        # will add the domain to a hardcoded list that is shipped
 +        # in all major browsers and getting removed from this list
 +        # could take several months.
 +        add_header Referrer-Policy "no-referrer" always;
 +        add_header X-Content-Type-Options "nosniff" always;
 +        add_header X-Download-Options "noopen" always;
 +        add_header X-Frame-Options "SAMEORIGIN" always;
 +        add_header X-Permitted-Cross-Domain-Policies "none" always;
 +        add_header X-Robots-Tag "none" always;
 +        add_header X-XSS-Protection "1; mode=block" always;
 +
 +        # Optional: Don't log access to assets
 +        access_log off;
 +    }
 +
 +    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
 +        try_files $uri /index.php$request_uri;
 +        # Optional: Don't log access to other assets
 +        access_log off;
 +    }
 +}
 +
 +</code>
 +
 +Save and exit.
 +
 +Enable the virtual host (i.e. create a symlink from /sites-available/ over to /sites-enabled/ to enable nextcloud block / virtual host .conf file) and test the configuration, and make sure there is no error.
 +
 +<code>
 +ln -s /etc/nginx/sites-available/nextcloud /etc/nginx/sites-enabled/
 +
 +nginx -t
 +</code>
 +
 +Now restart PHP7.4-FPM service and nginx service using the systemctl command below.
 +
 +<code>
 +systemctl restart nginx
 +
 +systemctl restart php7.4-fpm
 +</code>
 +
 +The Nginx virtual host configuration for nextcloud has been created.
 +
 +
 +===== Step 7 - Configure UFW Firewall =====
 +
 +In this tutorial, we will turn on the firewall, and we will be using the UFW firewall for Ubuntu.
 +
 +Add the SSH, HTTP and HTTPS to the UFW firewall list using the command below.
 +
 +
 +<code>
 +for svc in ssh http https
 +do
 +ufw allow $svc
 +done
 +</code>
 +
 +After that, enable the UFW firewall and check the allowed service and port.
 +
 +
 +<code>
 +ufw enable
 +ufw status numbered
 +</code>
 +
 +And you will get the HTTP port 80 and HTTPS port 443 is on the list.
 +
 +
 +===== Step 8 - Nextcloud Post-Installation =====
 +
 +Open your web browser and type the nextcloud URL address.
 +
 +And you will be redirected to the secure HTTPS connection.
 +
 +On the Top page, we need to create the admin user for nextcloud, type the admin user password. On the 'Data folder' configuration, type the full path of the 'data' directory '/var/www/nextcloud/data'.
 +
 +Scroll the page to the bottom, and you will get the database configuration. Type the database info that we've created in step 3 and then click the 'Finish Setup' button.
 +
 +If you check the option 'Install recommended apps', you will get a page listing the recommended apps to be installed.
 +
 +
 +Nextcloud is installing additional recommended applications for you.
 +
 +And after the installation is complete, you will see the Nextcloud Dashboard in your browser. 
 +
 +The Nextcloud 18 installation with Nginx web server and MySQL database on Ubuntu 20.04 has been completed successfully.
 +
 +===== Reference and Credits =====
 +
 +https://docs.nextcloud.com/
 +
 +And Muhammad Arul and his article at
 +
 +[[https://www.howtoforge.com/tutorial/ubuntu-nginx-nextcloud/]]
 +
 +
  
  
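Review bot: Step 5 fetches `latest.zip` with `wget -q` and unpacks it into `/var/www` with no integrity check, so a truncated or tampered archive would become the web root unnoticed; add a step before `unzip -qq latest.zip` that verifies the download against the SHA-256 checksum or PGP signature Nextcloud publishes for the release. In Step 6 the vhost hard-codes `cloud.hakase-labs.io` in both `server_name` lines and both `ssl_certificate` paths, while the context line above the hunk uses 'your-domain'; tell readers to substitute their own name, otherwise `nginx -t` fails on the missing certificate files. The comment "Use Mozilla's guidelines for SSL/TLS settings" is followed only by the certificate paths, with no `ssl_protocols` or `ssl_ciphers` line, so either add those settings or reword the comment. Commands are inconsistent about privileges: `sudo chown` in Step 5, but `wget` into `/var/www`, `ln -s`, `systemctl restart` and `ufw enable` appear without `sudo`; state once whether the reader is root. Step 8 closes with "Nextcloud 18" and "MySQL database", but the download is `latest.zip` and Step 3 sets up MariaDB; "netxcloud" is misspelled in Step 5.
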
install_nextcloud_nginx_let_encrypt_ssl_ubuntu_20_04_lts.1592606241.txt.gz · Last modified: 2020/06/19 22:37 by wikiadmin