This tutorial will guide you on how to install and configure Nextcloud file sharing web service from sources in Debian 9, codename Stretch.
Nextcloud, a fork of ownCloud, is an open-source client-server application used for file sharing. Similar to other cloud services, such as Gdrive, Nextcloud functionality can be extended easily through a suite of plug-ins that let the cloud act as a mail client or a video-call application, similar to Skype, or provide other forms of user and file collaboration.
Requirements
- Minimal installation of Debian 9 on a bare-metal machine or on a virtual private server
- A static IP address configured for one of your system's network interface cards
- Access to root account or a user with root account privileges via sudo
- A domain name, private or public, with the proper DNS records configured. If no DNS server is configured at your premises you can still configure and access Nextcloud web app via server IP address.
Initial Configurations
Before starting to install Nextcloud from sources, first make sure the system meets all the software requirements for compiling and installing Nextcloud. As a first step, update your system repositories and software packages by issuing the below commands.
apt update
apt upgrade
On the next step, run a new command to install some necessary utilities that will be used to further manage your system from the command line.
apt install wget unzip zip bash-completion
Next, setup the name for your system by executing the following command:
hostnamectl set-hostname server.nextcloud.local
Verify machine hostname and hosts file by issuing the below commands.
hostnamectl
cat /etc/hostname
cat /etc/hosts
Finally, reboot the system in order to apply the new hostname.
systemctl reboot
Nextcloud is a web based file sharing application written in PHP server-side programming language. In order to run Nextcloud php file scripts, a web server, such as Apache HTTP server, and a PHP processing gateway must be installed and operational in the system. In order to install Apache web server and the PHP interpreter alongside with all required PHP modules needed by Nextcloud to run properly, issue the following command in your server console.
apt install apache2 libapache2-mod-php7.0 php7.0 php7.0-gd php7.0-json php7.0-xml php7.0-mbstring php7.0-zip php7.0-curl php7.0-bz2 php7.0-intl php7.0-mcrypt php7.0-gmp php-imagick php7.0-opcache
After Apache and PHP have been installed, test if the web server is up and running and listening for network connections on port 80 by issuing the following command with root privileges.
netstat -tlpn
In case the netstat network utility is not installed by default in your Debian system, execute the below command to install it.
apt install net-tools
By inspecting the netstat command output you can see that the Apache web server is listening for incoming network connections on port 80.
In case you have a firewall enabled in your system, such as UFW firewall application, you should add a new rule to allow HTTP traffic to pass through firewall by issuing the following command.
ufw allow WWW
or
ufw allow 80/tcp
Next, enable and apply the following Apache modules required by Nextcloud web application to run properly, by issuing the below command.
a2enmod rewrite headers env dir mime
systemctl restart apache2
Finally, test if the Apache web server default web page can be displayed in a client's browser by visiting your Debian machine IP address via HTTP protocol, as shown in the below image. If you don’t know your machine IP address, execute the ifconfig or ip a commands.
http://192.168.1.15
On the next step we need to make some further changes to the PHP default configuration file in order to ensure that the file_uploads variable is enabled and the PHP timezone setting is correctly configured and matches your system's physical location. Open the /etc/php/7.0/apache2/php.ini file for editing and make sure that the following lines are set up as follows.
file_uploads = On
date.timezone = Europe/London
Replace the timezone variable according to your physical location by consulting the list of timezones provided by the PHP docs at the following link: http://php.net/manual/en/timezones.php
Next, make a backup of the PHP default configuration file and append the following OPCache settings for PHP interpreter, by issuing the following commands.
cp /etc/php/7.0/apache2/php.ini{,.backup}
echo -e "opcache.enable=1 \nopcache.enable_cli=1 \nopcache.interned_strings_buffer=8 \nopcache.max_accelerated_files=10000 \nopcache.memory_consumption=128 \nopcache.save_comments=1 \nopcache.revalidate_freq=1" >> /etc/php/7.0/apache2/php.ini
Check the end of the PHP configuration file to verify that the variables have been correctly added.
tail /etc/php/7.0/apache2/php.ini
Restart the Apache daemon to reflect the changes.
systemctl restart apache2
After you’ve made the required changes, create a php info file and restart apache daemon to apply changes by issuing the following commands.
echo '<?php phpinfo(); ?>'| tee /var/www/html/info.php
systemctl restart apache2
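Check if the PHP timezone has been correctly configured by visiting the php info script file from a browser at the following URL, as illustrated in the below image. Scroll down to the date setting to check the PHP timezone setting. Because this page exposes the full PHP configuration to anyone who can reach the server, it should not stay in the web root after the check.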
http://192.168.1.15/info.php
The Nextcloud web app stores its configuration in an RDBMS database. In this tutorial we’ll configure Nextcloud with a MariaDB database backend. Issue the below command to install the MariaDB database and the PHP module needed to access MySQL databases.
apt install mariadb-server php7.0-mysql
After you’ve installed MariaDB, verify if the daemon is running and listens for connections on localhost, port 3306, by running netstat command.
netstat -tlpn | grep mysql
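Then, log in to the MySQL console and secure the MariaDB root account by issuing the following commands. The update statement clears the authentication plugin set for root (unix_socket on a default Debian 9 install), so the account switches to password authentication; its password stays blank until you set one in the next step.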
mysql -h localhost
use mysql; update user set plugin='' where user='root'; flush privileges; exit
On the next step, secure MariaDB by executing the mysql_secure_installation script provided by the installation packages from the Debian Stretch repositories. While running, the script asks a series of questions designed to secure the MariaDB database: whether to change the MySQL root password, remove anonymous users, disable remote root logins and delete the test database. Execute the script by issuing the below command and make sure you type yes to all questions asked in order to fully secure the MySQL daemon. Use the below script output excerpt as a guide.
sudo mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
You already have a root password set, so you can safely answer 'n'.
Change the root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
In order to test MariaDB security, try to log in to the database from the console with no root password. Access to the database should be denied if no password is provided for the root account. If the password is supplied, the login should be granted and the MySQL console opened, as shown in the below screenshot.
mysql -h localhost -u root
mysql -h localhost -u root -p
Next, log in to the MariaDB database console and create a database for the Nextcloud installation, together with the user and password that will be used to manage the Nextcloud database, by issuing the following commands. Replace the Nextcloud database name, user and password accordingly.
mysql -u root -p
create database my_nextcloud; grant all privileges on my_nextcloud.* to 'nextcloud_user'@'localhost' identified by 'nextcloud_pass'; flush privileges; exit
In order to apply all changes made so far, restart MySQL and Apache daemons and verify if daemons are running by issuing the following commands.
systemctl restart mysql apache2
systemctl status mysql apache2
Install Nextcloud
After all system requirements are met for the Nextcloud installation, visit the Nextcloud official website at https://nextcloud.com/install/# and grab the latest version of the Nextcloud compressed archive using the wget utility, as illustrated in the following sample.
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.3.zip
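The archive is about to be unpacked into the web root, so it is worth checking it before the next step. The following is an added example, not part of the original tutorial: it compares the zip with a SHA-256 checksum file. The `.sha256` file name and the temporary files are assumptions constructed for the demonstration; in practice the checksum file is the one published for the release you downloaded.

```shell
# verify_archive ARCHIVE SUMFILE
# Status: 0 digest matches, 1 mismatch, 2 file missing, 3 no usable entry.
verify_archive() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    name=$(basename "$1")
    # Checksum lines read "<hex digest>  <file name>" ('*' marks binary mode).
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print tolower($1); exit }' "$2")
    # Reject an empty or malformed digest instead of comparing against it.
    printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{64}$' || return 3
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$have" = "$want" ] || return 1
}

# Constructed stand-ins for the real download and its checksum file.
WORK=$(mktemp -d)
printf 'constructed archive bytes\n' > "$WORK/nextcloud-12.0.3.zip"
( cd "$WORK" && sha256sum nextcloud-12.0.3.zip > nextcloud-12.0.3.zip.sha256 )
verify_archive "$WORK/nextcloud-12.0.3.zip" "$WORK/nextcloud-12.0.3.zip.sha256" &&
    echo "checksum ok, safe to unzip"

# Simulate corruption or tampering after the checksum was published.
printf 'extra' >> "$WORK/nextcloud-12.0.3.zip"
verify_archive "$WORK/nextcloud-12.0.3.zip" "$WORK/nextcloud-12.0.3.zip.sha256" ||
    echo "checksum mismatch (status $?), do not unpack"
```

A checksum fetched from the same host as the archive only detects corruption or a tampered mirror; verifying a detached signature against the project's published key is the stronger control.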
After the download finishes, extract the Nextcloud zip archive and copy the installation files to your web server document root by issuing the below commands. Be aware that the nextcloud/* pattern used with the cp command does not match dot (hidden) files, so they are not copied. You need to manually copy the hidden files from the extracted archive to the Apache webroot.
unzip nextcloud-12.0.3.zip
cp -rf nextcloud/* /var/www/html/
Manually copy the hidden installation files:
cp nextcloud/.htaccess /var/www/html/
cp nextcloud/.user.ini /var/www/html/
Finally, before starting to install Nextcloud using the web interface, execute the below command in order to remove the default index.html file installed by Apache web server and grant Apache runtime user with full write permissions to Nextcloud installation path.
rm /var/www/html/index.html
chown -R www-data:www-data /var/www/html/
ls -la /var/www/html
Proceed with the Nextcloud installation by opening a browser and navigating to your server’s IP address or domain name via the HTTP protocol. On the first installation screen add an administrator account for Nextcloud and a strong password. This account will be used to manage Nextcloud further via the web interface. Next, add a system path for the Nextcloud data folder. The data folder can reside inside your web server webroot (/var/www/html) or it can be placed in a different directory which resides outside the www root. Placing it outside the webroot is the safer choice, because files inside the webroot are protected from direct download only by the .htaccess rules. Use the below image as a guide.
Next, scroll down on this page and add the credentials set up for the MySQL database, the name of the Nextcloud MySQL database and the hostname and port where the database is running. If MariaDB is installed on the same node as the Nextcloud installation, use localhost for the MySQL database host and provide no port variable. In case you’ve changed the MariaDB database port, update the port number accordingly. After you’ve completed all the required fields, hit the Finish setup button in order to start the installation process and populate the Nextcloud MariaDB database with all required data, as shown in the below screenshot.
After the installation completes you will be redirected to Nextcloud default web page as illustrated in the below image. From the pop-up windows you can choose to download and install Nextcloud Desktop client application for your own operating system.
Next, navigate to the Nextcloud web panel, hit the settings icon on the right and go to Admin. Here, a warning should be displayed in your browser, suggesting that you should configure the web server to use HTTPS instead of accessing Nextcloud via the unsafe HTTP protocol.
In order to use the HTTPS protocol to access Nextcloud web interface via a secured connection, issue the following command to enable Apache web server SSL module and SSL site configuration file.
a2enmod ssl
a2ensite default-ssl.conf
Next, open Apache default SSL site configuration file with a text editor and add the following lines of code after DocumentRoot directive, as shown in the below sample:
nano /etc/apache2/sites-enabled/default-ssl.conf
SSL site configuration file excerpt:
<Directory /var/www/html>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
        Dav off
    </IfModule>
</Directory>
Don’t close the file yet and go below and add the following code line after the SSL Certificates, as illustrated in the below image.
Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains"
Close the SSL Apache configuration file and make this final change, in order to force visitors to be redirected to the HTTPS protocol each time they visit Nextcloud from their browsers. Open the /etc/apache2/sites-enabled/000-default.conf file for editing and add the following rewrite rules after the DocumentRoot statement as shown in the below example.
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
Finally, restart the Apache daemon to apply all rules configured so far and visit the Nextcloud web panel. By now, you should be automatically redirected to the Nextcloud web panel via the HTTPS protocol. Because you’re using the automatically generated self-signed certificate pair issued by Apache at installation, an error warning should be displayed in the browser. Accept the warning in order to continue and go to the Admin -> Basic settings menu in order to test if the suggested security settings have been applied, as shown in the below screenshot.
systemctl restart apache2
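The settings added to the two site files above can also be checked from the shell before relying on the browser test. This is an added example, not part of the original tutorial: the function name and the sample files are constructed for illustration, and on the server you would pass it default-ssl.conf and 000-default.conf.

```shell
# audit_https_setup SSL_CONF HTTP_CONF: one line per problem, status = count.
audit_https_setup() {
    # Ignore Apache comment lines (a '#' as first non-blank character).
    ssl=$(grep -v '^[[:space:]]*#' "$1" || true)
    http=$(grep -v '^[[:space:]]*#' "$2" || true)
    n=0
    # HSTS: extract max-age and compare with the value the tutorial sets.
    age=$(printf '%s\n' "$ssl" | sed -n \
        's/.*Strict-Transport-Security[[:space:]]*"max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$age" ]; then
        echo "ssl: no Strict-Transport-Security header"; n=$((n + 1))
    elif [ "$age" -lt 15552000 ]; then
        echo "ssl: HSTS max-age $age is below 15552000"; n=$((n + 1))
    fi
    # Nextcloud's .htaccess is only honoured when overrides are allowed.
    printf '%s\n' "$ssl" | grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+All' ||
        { echo "ssl: AllowOverride All not set"; n=$((n + 1)); }
    # An unclosed <Directory> makes Apache refuse to start.
    open=$(printf '%s\n' "$ssl" | grep -Eic '^[[:space:]]*<Directory[[:space:]]' || true)
    close=$(printf '%s\n' "$ssl" | grep -Eic '^[[:space:]]*</Directory>' || true)
    [ "$open" -eq "$close" ] || { echo "ssl: unbalanced <Directory>"; n=$((n + 1)); }
    # The port 80 site must send every request to https://.
    printf '%s\n' "$http" | grep -Eiq '^[[:space:]]*RewriteEngine[[:space:]]+on' ||
        { echo "http: RewriteEngine is not on"; n=$((n + 1)); }
    printf '%s\n' "$http" | grep -Eiq '^[[:space:]]*RewriteRule[[:space:]].*https://' ||
        { echo "http: no RewriteRule to https://"; n=$((n + 1)); }
    return "$n"
}
# Constructed sample files (not taken from a real server).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ssl-ok.conf" <<'EOF'
<Directory /var/www/html>
    AllowOverride All
</Directory>
Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains"
EOF
cat > "$SAMPLES/ssl-bad.conf" <<'EOF'
<Directory /var/www/html>
    AllowOverride None
# Header always set Strict-Transport-Security "max-age=15552000"
EOF
cat > "$SAMPLES/http-ok.conf" <<'EOF'
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
EOF
audit_https_setup "$SAMPLES/ssl-ok.conf" "$SAMPLES/http-ok.conf" && echo "ok"
audit_https_setup "$SAMPLES/ssl-bad.conf" /dev/null || echo "problems: $?"
```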
In case you have the UFW firewall enabled in your system, you should add a new rule to allow HTTPS traffic to pass through firewall by issuing the following command.
ufw allow 'WWW Full'
or
ufw allow https
or
ufw allow 443/tcp
That’s all! You have successfully installed and configured Nextcloud from sources in Debian 9. You can now enable Mail, Calendar, External storage support, LDAP user and group backend, Video calls, Tasks or other apps required by your organization. For other custom configurations regarding Nextcloud, visit the manual pages at the following link: https://docs.nextcloud.com/server/12/user_manual/