Setting up Nextcloud

Just a quick guide to how I install Nextcloud. This is Nextcloud 25.0.1 with PHP 8.1 on Debian Bullseye with Redis, APCu and MariaDB.

I am a fan of https://deb.sury.org/, hence I’ll install those repos first. Please check that site for Debian – you’ll find a README.txt which contains all the required commands.

Next, make sure your system is up to date using

apt-get update
apt-get upgrade

PHP

Then install the required (and some optional) PHP modules according to the documentation. You may also want to add ldap, ftp and smbclient.

apt install php8.1-{ctype,curl,dom,gd,xml,zip,bz2,intl,exif,apcu,redis,imagick,mbstring,bcmath,gmp,opcache,mysql,igbinary,fpm}

Now install a few more optional things

apt install ffmpeg imagemagick

In /etc/php/8.1/fpm/ you’ll find the php.ini. Let’s make a few changes to it:

memory_limit = 512M
; a much lower execution time should work, too
max_execution_time = 3600
max_input_time = 3600
output_buffering = Off
post_max_size = 10G
upload_max_filesize = 10G
allow_url_fopen = On
date.timezone = Europe/Berlin

In /etc/php/8.1/mods-available/ you’ll find a few more .ini files. A few of them need changes as well. Just add the settings below the specific zend_extension line.

Update 26.03.24: I raised memory_limit to 1G and reduced post_max_size and upload_max_filesize to 1G.

opcache.ini

; check defaults / explanation at:
; https://www.php.net/manual/de/opcache.configuration.php
opcache.enable = 1
opcache.enable_cli = 1
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 524521

Update 26.03.24: I added opcache.memory_consumption = 256

apcu.ini

; check defaults / explanation at:
; https://www.php.net/manual/de/apcu.configuration.php
apc.enable_cli = 1

igbinary.ini

; check defaults / explanation at:
; https://github.com/igbinary/igbinary
session.serialize_handler = igbinary
apc.serializer = igbinary

redis.ini

; check defaults / explanation at:
; https://github.com/phpredis/phpredis
session.save_handler = redis
session.save_path = "unix:///var/run/redis/redis-server.sock?persistent=1&database=15"
redis.session.locking_enabled = 1

Update 26.03.24: I removed ?persistent=1&database=15 from the session.save_path string. I added: redis.session.locking_enabled = 1 and redis.session.lock_retries = -1 and redis.session.lock_wait_time = 10000

Make sure these are symlinked from /etc/php/8.1/fpm/conf.d/. Finally let’s edit the FPM settings a little bit. In /etc/php/8.1/fpm/pool.d/www.conf:

pm.max_children = 12
pm.start_servers = 3
pm.min_spare_servers = 3
pm.max_spare_servers = 9
pm.max_requests = 500

Use the FPM calculator and adjust for your needs. Finally restart PHP and check whether it works. 🙂

systemctl restart php8.1-fpm

Update 26.03.24: Also tested with PHP8.2.

Apache

The Apache web server installation is pretty easy:

apt install apache2

Now enable and disable a few modules and sites according to your needs

a2enmod proxy
a2enmod proxy_fcgi

# if behind a loadbalancer
a2enmod remoteip

# I also disable reqtimeout because my Nextcloud is
# behind a loadbalancer and there seem to be / were
# issues with large file uploads with it enabled
a2dismod reqtimeout

For large file uploads you may want to add

ProxyTimeout 3600 

in /etc/apache2/mods-enabled/proxy.conf, because by default it takes the Timeout value, which is 60 (and should be high enough anyway, but still…).

Now Apache needs to marry PHP:

a2enconf php8.1-fpm

You may want to enable SSL if not using a load balancer; but even then you might want to:

# enable SSL - if your loadbalancer already does
# you may not need this
a2enmod ssl

Create the nextcloud.conf in /etc/apache2/sites-available with contents:

<VirtualHost *:80>
  DocumentRoot /var/www/nextcloud/
  ServerName  yournext.clouddomain.tld

  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
</VirtualHost>

Letsencrypt / TLS:

apt-get install certbot python3-certbot-apache

Certbot will add Rewrite Rules to the nextcloud.conf and it will create nextcloud-le-ssl.conf.

certbot --apache -d yournext.clouddomain.tld

If you’re using SSL, please check the Mozilla TLS Generator with your Apache version and OpenSSL version. Create an ssl.conf in /etc/apache2/conf-available with the configuration from the generator that sits outside of the VirtualHosts. E.g.:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Then enable that using:

a2enconf ssl

You may also add the Strict-Transport-Security header by adding it to the nextcloud-le-ssl.conf. If you add the Protocols line you’ll also need to enable http2. So add:

# enable HTTP/2, if available
Protocols h2 http/1.1

# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"

to the nextcloud-le-ssl.conf and then enable HTTP/2. If your system is behind an NGINX load balancer, enabling HTTP/2 will likely not help you. In that case I would not enable HTTP/2 in Apache. Anyway:

a2enmod http2

The VM I’m using is only there for Nextcloud. So I’m disabling the default sites:

a2dissite 000-default.conf
a2dissite default-ssl.conf

Finally restart Apache (or reload)

systemctl restart apache2

Redis

apt-get install redis

We just stop Redis from listening on a TCP port, enable the Unix socket and set its permissions:

port 0
unixsocket /var/run/redis/redis-server.sock
unixsocketperm 770

Then add www-data to the redis group and you’re done

usermod -a -G redis www-data
systemctl restart redis
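
A check for the result of the Redis steps above, as an added example that is not part of the original post: it reads a redis.conf and reports whether the TCP listener is off and whether the socket mode keeps users outside the owner and group (here redis and www-data) away. The function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the effective value of a directive; the last occurrence wins.
redis_directive() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == key   { val = $2 }
        END { gsub(/^"|"$/, "", val); print val }
    ' "$1"
}

# Return 0 only if Redis is socket-only and the socket is closed to "other".
audit_redis_conf() {
    conf=$1 findings=0
    port=$(redis_directive "$conf" port)
    sock=$(redis_directive "$conf" unixsocket)
    perm=$(redis_directive "$conf" unixsocketperm)
    # Without an explicit "port 0" Redis listens on TCP 6379.
    if [ "${port:-6379}" != "0" ]; then
        echo "FINDING: TCP listener active on port ${port:-6379}"
        findings=$((findings + 1))
    fi
    if [ -z "$sock" ]; then
        echo "FINDING: no unixsocket configured"
        findings=$((findings + 1))
    fi
    # The last octal digit is the "other" class and has to be 0.
    case "$perm" in
        "")       echo "FINDING: unixsocketperm not set"
                  findings=$((findings + 1)) ;;
        *[!0-7]*) echo "FINDING: unixsocketperm '$perm' is not octal"
                  findings=$((findings + 1)) ;;
        *0)       : ;;
        *)        echo "FINDING: socket mode $perm grants access bits to other users"
                  findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed samples: the three directives from the post, and a config
# that still has the TCP port on and the socket lines commented out.
demo_dir=$(mktemp -d)
printf 'port 0\nunixsocket /var/run/redis/redis-server.sock\nunixsocketperm 770\n' > "$demo_dir/good.conf"
printf 'port 6379\n# unixsocket /run/redis.sock\n# unixsocketperm 700\n' > "$demo_dir/tcp.conf"
for name in good tcp; do
    if audit_redis_conf "$demo_dir/$name.conf"; then echo "$name.conf: OK"; fi
done
```

On a real host, pass the path of the Redis configuration file and confirm with `id -nG www-data` that the web server user is in the redis group.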

MariaDB

Update: Check out my Nextcloud migrate to PostgreSQL article. I got better results with PostgreSQL instead of MariaDB due to a bug I am constantly hitting.

apt-get install mariadb-server
mysql_secure_installation

Enter current password for root (enter for none):
Switch to unix_socket authentication [Y/n] n
Change the root password? [Y/n] n
Remove anonymous users? [Y/n]
Disallow root login remotely? [Y/n]
Remove test database and access to it? [Y/n]
Reload privilege tables now? [Y/n]

mysql -u root

CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES on nextcloud.* to 'username'@'localhost';
FLUSH privileges;

Create the file /etc/mysql/conf.d/nextcloud.cnf:

[server]
skip_name_resolve = 1

[mysqld]
transaction_isolation = READ-COMMITTED
binlog_format = ROW
innodb_file_per_table = 1
innodb_large_prefix = on

[client]
default-character-set = utf8mb4

And restart the database

systemctl restart mariadb

Nextcloud

Download the latest.tar.bz2 and unpack it

cd /usr/src
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
tar -xjvf latest.tar.bz2
mv nextcloud /var/www/
chown www-data:www-data -R /var/www/
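
Before the tar step above, the archive can be compared with a published hash. This is an added example, not part of the original post: verify_sha256 is a hypothetical helper, and it assumes a .sha256 file was downloaded next to latest.tar.bz2; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. verify_sha256 is a hypothetical
# helper; the .sha256 file next to the archive is an assumption.

# Exit status: 0 = hash matches, 1 = mismatch, 2 = unusable checksum file.
verify_sha256() {
    archive=$1 sumfile=$2
    # Take only the hash field. The file name recorded beside it may be the
    # versioned release name, so "sha256sum -c" on latest.tar.bz2 can fail
    # even for an intact download.
    expected=$(awk 'NF { print tolower($1); exit }' "$sumfile")
    case "$expected" in
        ""|*[!0-9a-f]*) echo "malformed checksum file: $sumfile" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "malformed checksum file: $sumfile" >&2; return 2
    fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive, do not unpack it" >&2
        return 1
    fi
}

# Constructed stand-ins: a three-byte "archive" and a checksum file holding
# the SHA-256 test vector for "abc" under a different file name.
demo=$(mktemp -d)
printf 'abc' > "$demo/latest.tar.bz2"
printf '%s  nextcloud-x.y.z.tar.bz2\n' \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
    > "$demo/latest.tar.bz2.sha256"
if verify_sha256 "$demo/latest.tar.bz2" "$demo/latest.tar.bz2.sha256"; then
    echo "checksum OK"
fi
```

A checksum fetched from the same server only catches a corrupted download; a detached GPG signature checked against the project's release key also covers a tampered mirror.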

Then follow the installer when you access your Nextcloud installation and enter the database settings.

In /var/www/nextcloud/config/config.php add the following snippets

  'memcache.local' => '\OC\Memcache\APCu',
  'memcache.distributed' => '\OC\Memcache\Redis',
  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' => [
     'host' => '/var/run/redis/redis-server.sock',
     'port' => 0,
     'timeout' => 0.0,
  ],
  'default_language' => 'de',
  'default_locale' => 'de_DE',
  'default_phone_region' => 'DE',
  'filelocking.enabled' => true,

Update 26.03.24: I added timeout 0.0 to the redis part above.

Done.
