Example installation on Ubuntu 22.04.03 LTS with Apache2, APCu, redis, and MariaDB behind an NGINX proxy, no Docker, no Snap
This is an example installation for Ubuntu users who want to host a Nextcloud instance bare metal. No Docker, no Snap. The goal of this guide is to have no warnings in the admin center and the instance should get a perfect security score from scan.nextcloud.com. The official documentation is pretty good, but it can be a little bit overwhelming to newcomers because you need to jump from one topic to another and have to read up on multiple things. This guide should offer you a more streamlined experience.
There are some placeholder values or variables that always start with x_. You need to replace them with your data. This is the structure of the setup used in this guide.
If you want to host Nextcloud in your home and want to access it remotely or even share some files externally, there are some network requirements. You need a real, public routable, none Carrier-grade NAT (CG-NAT) IPv4 address. If you don't have a real IPv4 address, you could ask your ISP to give you one or use IPv6 or a VPN instead. The latter two options don't really work if you want to share files externally. You also need split DNS described in the next paragraph.
Why is split DNS this necessary? Let's assume your WAN IPv4 is 85.29.10.1 and your NGINX Proxy has the IP 192.168.1.10 and your domain is cloud.yourdomain.com.
If you are on the road and try to connect to your Nextcloud, your client will ask "Hey, what IP is cloud.yourdomain.com?" a DNS server will answer with "85.29.10.1". Then traffic will go to your firewall and some kind of NAT will redirect it to your NGINX Proxy on 192.168.1.10.
But if you are on your local network, that probably will not work, because your firewall only NATs from WAN to LAN and not LAN to LAN. The easiest way to solve this is to use split DNS. Tell your DNS server, that instead of answering cloud.yourdomain.com with 85.29.10.1 it should answer it with 192.168.1.10. This is done by unbound overrides. Most home routers don't offer unbound, so you may need to look into setting up a pi-hole DNS server. Another option that should work (but I have not looked into it!) is NAT overrides.
Since Nextcloud 28, there are also some MIME checks in the admin center. For these checks to work, the Nextcloud instance needs to be able to connect to the NGINX proxy. For that you either need SplitDNS or you need to set the /etc/hosts like this:
sudo nano /etc/hosts
x_nextcloud_host_IPv4 cloud.x_yourdomain.com nginxproxyThis step is optional. You can preload HTTP Strict Transport Security (HSTS) for your domain and all your subdomains. That way you gain security by forcing all your domains and subdomains to use HTTPS. To learn more about HSTS and how you can enable it for your domain, go to https://hstspreload.org/ If you don't want to use this, you need to make a small change in Apache and NGINX by removing "preload".
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgradesDifferent versions of Ubuntu may have differing versions of PHP, for example Ubuntu 22.04 ships PHP 8.1, which is not the currently recommended version by Nextcloud. Nextcloud currently recommends PHP 8.2. Adding optional repositories to apt's sources (e.g. Sury's ppa for Ubuntu or dpa for Debian) is beyond the scope of this tutorial, and will require modifying the name of libapache2-mod-php and all php modules to include the specific version number, e.g. libapache2-mod-php8.2 php8.2-apcu php8.2-bcmat and so on.I think it is simpler to use the Ubuntu PHP version, but adding a PPA is also not that hard. The choice is yours :) In this tutorial we will use the included PHP packages from Ubuntu. While 8.1 is not recommended, it is still currently supported by Nextcloud. For up to date system requiremets, please visit Nextcloud admin manual
We install all the software that is needed plus some optional software so we won't get warnings in the Nextcloud Admin Center.
sudo apt install apache2 \
bzip2 \
exif \
imagemagick \
mariadb-server \
redis-serverInstall all php modules.
sudo apt install libapache2-mod-php \
php-apcu \
php-bcmath \
php-bz2 \
php-ctype \
php-curl \
php-dom \
php-gd \
php-gmp \
php-imagick \
php-intl \
php-mbstring \
php-mysql \
php-posix \
php-redis \
php-xml \
php-zipChange the MariaDB settings to the recommended READ-COMITTED and binlog format ROW.
sudo nano /etc/mysql/conf.d/nextcloud.cnfinsert
[mysqld]
transaction_isolation = READ-COMMITTED
binlog_format = ROW exit and save. Reload mariadb
sudo systemctl restart mariadb.serviceCreate the database
sudo mariadbYou should now see "MariaDB [(none)]>"
Check if the tx_isolation is "READ-COMITTED" and if binlog_format is "ROW".
SELECT @@global.tx_isolation;
SELECT @@global.binlog_format;If everything looks good, we can continue. Insert this to create a database called nextcloud. Replace all three x_ variables with your data.
CREATE USER 'x_database_user'@'localhost' IDENTIFIED BY 'x_database_password';
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'x_database_user'@'localhost';
FLUSH PRIVILEGES;
exit;You should see 3 times a "Query OK" line and a "Bye" at the end.
Secure MariaDB. Insert a root password, otherwise just use the defaults by pressing enter.
sudo mariadb-secure-installationDownload Nextcloud
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
wget https://download.nextcloud.com/server/releases/latest.tar.bz2.asc
wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
wget https://nextcloud.com/nextcloud.asc
gpg --import nextcloud.ascverify
md5sum -c latest.tar.bz2.md5 < latest.tar.bz2and
gpg --verify latest.tar.bz2.asc latest.tar.bz2extract and move to the webroot. Change ownership and delete install files
tar -xjvf latest.tar.bz2
sudo cp -r nextcloud /var/www
sudo chown -R www-data:www-data /var/www/nextcloud
rm -r nextcloud
rm latest.tar.bz2 latest.tar.bz2.asc latest.tar.bz2.md5 nextcloud.ascWe wanna change the PHP memory limit and upload filesize. Replace 8.1 if you have a newer version of PHP.
sudo nano /etc/php/8.1/apache2/php.iniWe search for these settings to change (use ctrl+W to search in nano).
memory_limit = 1G
upload_max_filesize = 50G
post_max_size = 0
max_execution_time = 3600
date.timezone = Europe/Amsterdam
opcache.interned_strings_buffer=16Save and exit. Reload apache2
sudo systemctl reload apache2.servicecreate a PHP file so we can check the changes
sudo nano /var/www/html/phpinfo.phpand insert
<?php phpinfo(); ?>Now can see the default Apache2 page at http://x_nextcloud_host_IPv4. To see the PHP settings go to http://x_nextcloud_host_IPv4/phphinfo.php You should find the values we defined. To disable that page and delete the html folder, run
sudo a2dissite 000-default.conf
sudo systemctl reload apache2
sudo rm -r /var/www/htmlCreate the data folder. You can also use a different location. Just make sure to replace /var/www/nextcloud/data everywhere with your data path.
sudo mkdir /var/www/nextcloud/data
sudo chown -R www-data:www-data /var/www/nextcloud/dataConfigure Apache2
sudo nano /etc/apache2/sites-available/nextcloud.confinsert:
<VirtualHost *:80>
DocumentRoot /var/www/nextcloud/
ServerName cloud.x_youromain.com
<Directory /var/www/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
</VirtualHost>Enable site and mods:
sudo a2ensite nextcloud.conf
sudo a2enmod rewrite headers env dir mime
sudo systemctl reload apache2This guide assumes you already have a NGINX reverse Proxy up and running. It also assumes that you have Certbot installed. There is an excellent tool for creating config files from DigitalOcean do.co/nginxconfig Create an emtpy site without ssl.
sudo nano /etc/nginx/sites-available/cloud.x_youromain.confserver {
listen 80;
listen [::]:80;
server_name cloud.x_yourdomain.com;
}sudo nginx -t
sudo ln -s /etc/nginx/sites-available/cloud.x_yourdomain.conf /etc/nginx/sites-enabled/cloud.x_yourdomain.conf
sudo nginx -s reloadNow we let certbot create a cert. For certbot to be sucessfull, you need an A or AAAA record that points to your proxy with the open port 80.
sudo certbotFollow the certbot instructions. This will create a cert and also change your config to redirect all traffic to https. To test if the automatic removal is working run
sudo certbot renew --dry-runsudo nano /etc/nginx/sites-available/cloud.x_youromain.confAt the time of writing this, there is still an open issue for certbot (certbot/certbot#3646). To not get any warnings from NGINX, add 'http2' in the two ssl listen lines.
server {
server_name cloud.x_youromain.com;
listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/cloud.x_youromain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cloud.x_youromain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# security headers
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-Robots-Tag "noindex, nofollow" always;
add_header Referrer-Policy "no-referrer" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# logging
access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
error_log /var/log/nginx/error.log warn;
# reverse proxy
location / {
proxy_pass http://x_nextcloud_host_IPv4/;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy SSL
proxy_ssl_server_name on;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
}
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
}
server {
if ($host = cloud.x_youromain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name cloud.x_youromain.com;
return 404; # managed by Certbot
}
If you decided against HTST, remove the preload. Check your NGINX config and reload.
sudo nginx -t
sudo nginx -s reloadYou can install Nextcloud with that command or by using the WebPage.
cd /var/www/nextcloud/
sudo -u www-data php occ maintenance:install \
--database='mysql' --database-name='nextcloud' \
--database-user='x_database_user' --database-pass='x_database_password' \
--admin-user='x_nextcloud_admin_user' --admin-pass='x_nextcloud_admin_user_password' \
--data-dir='/var/www/nextcloud/data'If we navigate now to https://cloud.x_youromain.com, we should see a warning that we are not trusted, because we have not set up the proxy configs yet.
Edit config.php file.
sudo nano /var/www/nextcloud/config/config.phpSet the trusted_domains array
0 => 'cloud.x_youromain.com',also change or add these settings:
'trusted_proxies' => ['x_NGINX_IPv4'],
'default_language' => 'de',
'default_locale' => 'de_DE',
'default_phone_region' => 'DE',
'overwrite.cli.url' => 'https://cloud.x_youromain.com',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
'overwritecondaddr' => 'x_NGINX_IPv4',
'htaccess.RewriteBase' => '/',save and exit
update the settings by
cd /var/www/nextcloud/
sudo -u www-data php occ maintenance:update:htaccessWe wanna use crontab instead of AJAX.
sudo crontab -u www-data -epress 1 to use nano and insert at the end
*/5 * * * * php -f /var/www/nextcloud/cron.phpChange the settings by
sudo -u www-data php /var/www/nextcloud/occ background:cronIn the web GUI, go to user settings and insert the mail address for the x_nextcloud_admin_user you created earlier. Naviate to Administration -> Basic settings to set up outgoing mail. In my example, I am using Office365 with an AppPassword created in the account settings of MS365.
Servername: smtp.office365.com
Port: 587
Encryption: STARTTLS
Needs authentification, sender and user is me@mydomain.com
AppPasswort
Check if Opcache is working
php -r 'phpinfo();' | grep opcache.enableAdd redis to the www-data group
sudo usermod -a -G redis www-dataConfigure Redis server
sudo nano /etc/redis/redis.confuncomment unixsocket /var/run/redis/redis.sock Set unixsocketperm to 770 Exit and save. Restart redis
sudo service redis-server restartCheck output of redis
ls -lh /var/run/redisChange nextcloud PHP config. While we are in this file, we also add the memcache.local for APCu.
sudo nano /var/www/nextcloud/config/config.phpAdd:
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => 'localhost',
'port' => 6379,
'timeout' => 1,
'password' => '',
),Change apcu.ini. Watch out for the PHP version
sudo nano /etc/php/8.1/apache2/conf.d/20-apcu.iniChange it to:
extension=apcu.so
apc.enabled=1
apc.enable_cli=1
To start APCu automatically use this command and replace the PHP version 8.1 if needed
sudo -u www-data php8.1 --define apc.enable_cli=1 /var/www/nextcloud/occ maintenance:repairProbably only cosmetics, because it is already done by the proxy. Anyway setting this will remove the warning in the admin center.
sudo nano /etc/apache2/sites-available/nextcloud.confinsert mod_headers.c
<VirtualHost *:80>
DocumentRoot /var/www/nextcloud/
ServerName cloud.x_youromain.com
<Directory /var/www/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>
</Directory>
</VirtualHost>save and exit. Reload
sudo systemctl reload apache2If you decided against HSTS, ditch the "preload" in the IfModule on use it like this instead
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"We can define when a the maintenance window starts (UTC time!). By default, the maintenance windows ends 4 hours after the start. We start it at 3 in the morning.
sudo -u www-data php /var/www/nextcloud/occ config:system:set maintenance_window_start --type=integer --value=1Congrats! You should no have no warnings in the admin center and a perfect score on scan.nextcloud.com.
Instead of using local storage, you can move the data directory to a NFS mount.
sudo apt install nfs-commonCreate a folder and a mountpoint in fstab. In this example the data dir is set to /mnt/nextcloud/data. Make sure the user www-data has write access.
sudo nano /var/www/nextcloud/config/config.phpadd the line
'datadirectory' => '/mnt/nextcloud/data',Updates can take a long time if your data directory is on a NFS share, because Nextcloud will create a backup first. To speed it up, create a temp backup and update dir.
sudo mkdir /var/www/update
sudo chown www-data:www-data /var/www/update/
sudo nano /var/www/nextcloud/config/config.phpadd the line
'updatedirectory' => '/var/www/update',