How to Install Nextcloud 31 on Debian 12
This article describes how to manually install Nextcloud on a Debian server.
It is based on the general Nextcloud documentation:
https://docs.nextcloud.com/server/31/admin_manual/installation/ https://docs.nextcloud.com/server/31/admin_manual/configuration_server/
Warning: This article is not verified as a whole. I installed Nextcloud 19 in 2020 like described below. Since then I only incrementally updated the installations up to 31 but not verified the article as a whole. So if something does not add up, that's perhaps why.
All descriptions of installation and configuration of individual software packages were updated in 2020 or at some time after that to work on the back than available versions of OS and servers. But again: They are not tested from start to end.
Last updated configuration:
- Debian 12.11 (Bookworm)
- MariaDB 10.11
- Apache 2.4.62
- PHP 8.2.28
- Redis 5.3.7
- Nextcloud 31.0.4
The installed server will work on a virtual host which will respond to a subdomain of your domain, e.g. nextcloud.yourserver.com. There is also the alternative conf to install nextcloud in a subfolder of an existing server, but this is not the prime target of this how to.
For some statements you need root permissions. Either use SUDO or login as root.
Operating System
Install Debian
todo
Default install from USB stick.
Suifficient: Auto partitioning. Better: create small partitions for system and swap and a big one for /var
Disable Power Saving and Hibernation
If the operation system should not attempt any type of suspend or hybernation, the appropriate targets need to be disabled at the systemd level:
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
Reboot or restart service:
systemctl restart systemd-logind.service
For more information see Energiespareinstellungen_(Debian)#Disable_Suspend_and_Hibernation
Prerequisites
Sources:
- https://docs.nextcloud.com/server/15/admin_manual/installation/system_requirements.html
- https://docs.nextcloud.com/server/15/admin_manual/installation/source_installation.html
Install and Configure MariaDB
apt-get install mariadb-client mariadb-server
In order to prevent data loss using multiple user access the transaction_isolation needs to be READ-COMMITTED.
In order to enable Emoji support (UTF8 4-byte) the innodb_file_format needs to be barracuda and innodb_file_per_table needs to be active.
Create a new file named /etc/mysql/conf.d/nextcloud.cnf with following content:
[mysqld] transaction_isolation=READ-COMMITTED binlog_format=ROW innodb_file_format=barracuda innodb_file_per_table=1 innodb_buffer_pool_size=1G innodb_io_capacity=4000 innodb_io_capacity_max=12000
Restart MariaDB Server:
systemctl restart mariadb
How to check variables: MariaDB_(Debian)#Transaction_Isolation_Level_und_Binary_Logging_konfigurieren
Install and Configure Apache Webserver
apt-get install apache2
Install and Configure PHP
PHP will be utilized from apache via FPM (FastCGI Process Manager) for performance reasons:
apt-get install php apt-get install php-fpm libapache2-mod-fcgid apt-get install php-apcu php-bcmath php-bz2 php-curl php-gd php-gmp php-json php-mbstring php-mysql php-imagick php-intl php-xml php-zip ffmpeg
The following modules are part of libapache2-mod-php7.3 which will be automatically installed with php:
bcmath bz2 calendar Core ctype date dba dom ereg exif fileinfo filter ftp gettext hash iconv libxml mhash openssl pcre Phar posix Reflection session shmop SimpleXML soap sockets SPL standard sysvmsg sysvsem sysvshm tokenizer wddx xmlreader xmlwriter zlib
Activate additional Apache Modules:
a2enmod rewrite headers env dir mime setenvif
Modules env, dir, mime and setenvif are probably active by default.
Install and Configure PHP-FPM
PHP will be utilized from apache via FPM (FastCGI Process Manager) for performance reasons:
apt-get install php-fpm libapache2-mod-fcgid
Disable Apache PHP Module and enable proxy modules and php7.3-fpm configuration:
a2dismod php7.3 a2enmod proxy proxy_fcgi a2enconf php7.3-fpm
PHP-FPM resets by default system environment variables (See default value of clear_env parameter in www.conf). Therefore environment variables need to be set according to system variables.
First, check current content of PATH variable:
printenv PATH
All paths have to be added to /etc/php/7.3/fpm/pool.d/www.conf. Uncomment existing lines like this and add contents of PATH variable from above to env[PATH]:
env[HOSTNAME] = $HOSTNAME env[PATH] = /usr/local/bin:/usr/bin:/bin env[TMP] = /tmp env[TMPDIR] = /tmp env[TEMP] = /tmp
Uncomment the following line in for security reasons in order to allow local access only to PHP-FPM:
listen.allowed_clients = 127.0.0.1
Create file /etc/php/7.3/fpm/conf.d/99-nextcloud.ini with following content:
[PHP] memory_limit = 512M [opcache] opcache.enable_cli=1
As memory_limit is 512M at least needed as this is the minimum for installing Colabora Online Developer Edition (CODE).
opcache.enable_cli is needed for cronjobs (see below).
Restart:
systemctl restart php7.3-fpm systemctl restart apache2
Check PHP Configuration
Create new file phpinfo.php with following content:
<?php phpinfo(); ?>
Open the file using http://localhost/phpinfo.php
Check contents of the following variables:
| Variable | Expected Value |
|---|---|
| Server API | FPM/FastCGI |
| memory_limit | 512M |
| APCu Support | Enabled |
| Opcode Caching | Up and Running |
| opcache.enable | On |
| opcache.enable_cli | On |
Create Virtual Host for Subdomain
This how to is based on avirtual host for running nextcloud on a subdomain. Create a new subdirectory for Nextcloud:
mkdir /var/www/nextcloud
Create a new apache config file: /etc/apache2/sites-available/nextcloud.conf
<VirtualHost *:80>
DocumentRoot /var/www/nextcloud
ServerName nextcloud.yourserver.com
<Directory /var/www/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
</VirtualHost>
Replace DocumentRoot and ServerName with your actual path and servername.
If you want to run Nextcloud from a subdirectory you will need a different nextcloud.conf:
Alias /nextcloud "/var/www/nextcloud/"
<Directory /var/www/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
See this documentation for further instructions:
Activate site and reload configuration:
a2ensite nextcloud systemctl reload apache2
Install and Configure Let's Encrypt
apt-get install certbot python-certbot-apache
Activate certbot and alter config files for Apache:
certbot --apache
For higher security allow certbot to add redirection of unencrypted traffic to HTTPS to your configuration.
Certbot creates a config file similar to that at /etc/apache2/sites-available/nextcloud-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/nextcloud
ServerName nextcloud.yourserver.com
<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
</Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/nextcloud.yourserver.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.yourserver.com/privkey.pem
</VirtualHost>
</IfModule>
Install and Configure Redis Database
Install Redis package as well as PHP Module
apt-get install redis php-redis
Check availability with:
systemctl status redis ps ax | grep redis
Enable redis sock and reading and writing in /etc/redis/redis.conf by adding / uncommenting these two lines and setting read- and write permissions with 770:
unixsocket /run/redis/redis-server.sock unixsocketperm 770
Enable the webserver user to read and writhe on redis-server.sock by adding the webserver user to the redis group:
usermod -a -G redis www-data
Restart Redis and restart Apache.
In case there is a firewall and Nextcloud is on a different server and needs to connect to the Redis server, open the port for the Redis server, which is defined in /etc/redis/redis.conf and is by default 6379.
This seems not to be necessary, when using UNIX socket connection.
Installation
Download and Uncompress Nextcloud
Download archive from https://nextcloud.com/install to /var/www (use current version):
wget https://download.nextcloud.com/server/releases/nextcloud-19.0.2.tar.bz2
Uncompress:
tar -xjf nextcloud-19.0.2.tar.bz2
Set directory ownership to www-data:
chown -R www-data:www-data /var/www/nextcloud/
Create Data Directory
A good practice is to configure the data directory outside of the webroot. It must be owned by the HTTP user, i.e.:
mkdir /var/opt/nextcloud chown www-data:www-data /var/opt/nextcloud
Create Database
Create database user and database with UTF8MB4 character set and according collation in order to enable Emojis. Also grant permissions to the database user:
CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'password'; CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; GRANT ALL PRIVILEGES on nextcloud.* to 'nextcloud'@'localhost'; FLUSH privileges;
The step kann be omitted as the installation wizard automatically create a database and a database user. In that case the user will be named the same as the given admin user but it will get a prefix "oc_".
Run Installation Wizard
Open in your browser and go to the following URL:
- When configured as VirtualHost with Subdomain: https://nextcloud.yourserver.com
- When configured as Subfolder: https://localhost/nextcloud
Enter credentials for new admin account.
Open Storage & Database Tab and specify data folder, database user, password and database name you created above.
You can deactivate the checkbox "Install recommended apps" for performance reasons of if you don't want to install Talk, Mail or OnlyOffice. All apps can also be installed or uninstalled by the administrator from the web administration backend.
Configure Trusted Domains
Parameter 'trusted_domains' should contain actual server name. Check /var/www/nextcloud/config/config.php:
'trusted_domains' => array ( 0 => 'nextcloud.yourserver.com', ),
While at it also check parameter 'overwrite.cli.url':
'overwrite.cli.url' => 'https://nextcloud.yourserver.com/',
Administrative or User Settings
Set name, email address, language and locale, SMTP server credentials:
- Login with user
- Click on user name and go to settings
- On tab "Personal info" enter name, email address, language and locale
- On tab "Basic settings" enter email server settings and sent test email
Security Hardening
Enable HTTP Strict Transport Security
In order to instruct browsers to not allow any connection to the Nextcloud instance using HTTP the HTTP Strict Transport Security header should be set.
This can be done by adding the following bold printed lines between to /etc/apache2/sites-available/nextcloud-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/nextcloud
ServerName nextcloud.yourserver.com
<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
</Directory>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/nextcloud.yourserver.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.yourserver.com/privkey.pem
</VirtualHost>
</IfModule>
IPTables
todo
Fail2ban
Installation:
apt-get install fail2ban
Create filter file /etc/fail2ban/filter.d/nextcloud.conf with following content:
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
Create jail file /etc/fail2ban/jail.d/nextcloud.conf in order to define how to handle failed authentication attempts:
[nextcloud] backend = auto enabled = true port = 80,443 protocol = tcp filter = nextcloud maxretry = 3 bantime = 86400 findtime = 43200 logpath = /path/to/data/directory/nextcloud.log
Restart fail2ban service and check status:
systemctl restart fail2ban fail2ban-client status nextcloud
Source: https://docs.nextcloud.com/server/19/admin_manual/installation/harden_server.html#setup-fail2ban
More details: Fail2Ban_(Debian)
Performance Tuning
Source: https://docs.nextcloud.com/server/19/admin_manual/installation/server_tuning.html#
From admin web access:
- Deactivate unneeded apps like
- User Account Migration
- First Run Wizard
- Deactivate Share API
Background Jobs with Cron
Nextcloud requires some tasks to be done on a regular basis. By default this will be done on every action a user does when logged in the web frontend. A better solution for that is to use cron in order to execute a script periodically, i.e. every five minutes.
Create file /etc/cron.d/nextcloud with following content:
# /etc/cron.d/nextcloud: Housekeeping cronjobs for Nextcloud # # m h dom mon dow user command */5 * * * * www-data php -f /var/www/nextcloud/cron.php
Hints:
- Filename mustn't contain the word "cron"
- File mustn't contain empty lines
After creating cron job:
- Login to web access with admin account
- Click on user name
- Click on settings
- Open tab basic settings
- Change radio button in section background jobs to Cron
Memory Caching
Recommended caching options as described in https://docs.nextcloud.com/server/31/admin_manual/configuration_server/caching_configuration.html are APCu and Redis.
APCu is faster at local caching than Redis. If you have enough memory, use APCu for Memory Caching and Redis for File Locking. If you are low on memory, use Redis for both.
APCu
Will be used for local caching. Activate APCu by adding the following line to /var/www/nextcloud/config/config.php:
'memcache.local' => '\OC\Memcache\APCu',
Enable Redis for File Locking and Memcache
Redis can be used in single-server installations for both, transactional file locking and data caching (except local memcache).
If Redis is configured to listen on an Unis socket, and if and Nextcloud is located on the same server, then it is recommended to connect to Redis over Unix socket, as indicated by the host line below.
Activate Redis by adding the following lines to /var/www/nextcloud/config/config.php:
'memcache.distributed' => '\OC\Memcache\Redis', 'memcache.locking' => '\OC\Memcache\Redis', 'redis' => [ 'host' => '/run/redis/redis-server.sock', 'port' => 0, ],
Enable HTTP2
HTTP/2 provides major speed improvements when multiple request and most clients already provice HTTP/2 support. Sources:
- https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/
- https://caniuse.com/http2
- https://www.howtoforge.com/how-to-enable-http-2-in-apache/
Disable prefork MPM (Multi-Processing Module) and enable event MPM. Also enable SSL and HTTP2 modules:
sudo a2dismod mpm_prefork sudo a2enmod mpm_event sudo a2enmod ssl sudo a2enmod http2
Add protocols to either global configuration or in the Nextcloud virtual host configuration file /etc/apache2/sites-available/nextcloud-le-ssl.conf (created in previous step by Let's encrypt):
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/nextcloud
ServerName nextcloud.yourserver.com
<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
</Directory>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/nextcloud.yourserver.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.yourserver.com/privkey.pem
Protocols h2 http/1.1
</VirtualHost>
</IfModule>
Restart Apache Webserver:
systemctl restart apache2
Check in Firefox and Chrome:
- Open Developer Tools with F12
- Go to Network Pane
- Show Column Protocol.
- Reload page
- Check value in Protocol column. Expected Value: HTTP/2.0 (in Firefox) or h2 (in Chrome)
PHP-FPM
The default configuration may lead to excessive load times in the web interface. The following configuration is based on a machine with 4 GB RAM and 1 GB MySQL cache.
Alter following lines in /etc/php/7.3/fpm/pool.d/www.conf:
listen.allowed_clients = 127.0.0.1 pm.max_children = 120 pm.start_servers = 12 pm.min_spare_servers = 6 pm.max_spare_servers = 18 env[HOSTNAME] = $HOSTNAME env[PATH] = /usr/local/bin:/usr/bin:/bin env[TMP] = /tmp env[TMPDIR] = /tmp env[TEMP] = /tmp
Optionally in order to make updates easier add the above configuration to a separate file. In that case you have to make sure, that the separate file is loaded after the original www.conf. This can be done by naming the new file i.e. wwwextenions.conf.
In order to check if the file was loaded as intended use:
sudo php-fpm7.3 -tt
Source: https://docs.nextcloud.com/server/19/admin_manual/installation/server_tuning.html#tune-php-fpm
Pre-Generating Gallery Previews
Normally gallery previews will be generated at the moment of browsing through a directory containing pictures. By default in Nextcloud 19 a max preview (Filename "*-max.jpg") as well as a crop preview (Filename 256-256-crop.jpg") will be generated at browsing time. This takes some time.
The previews can be pre-generated as follows:
Install and activate the app Preview Generator: https://apps.nextcloud.com/apps/previewgenerator
Set sizes and quality for the preview generator in order to prevent it from creating a lot more different sizes which would not be created by Nextcloud by default:
sudo -u www-data php /var/www/nextcloud/occ config:app:set previewgenerator squareSizes --value="256" sudo -u www-data php /var/www/nextcloud/occ config:app:set previewgenerator widthSizes --value="256" sudo -u www-data php /var/www/nextcloud/occ config:app:set previewgenerator heightSizes --value="256" sudo -u www-data php /var/www/nextcloud/occ config:app:set preview jpeg_quality --value="60"
Default values for max size doesn't need to be specified as it has a default value of 4096 (see config.sample.php). It can be defined otherwhise in config.php.
Now create initial previews (this can take some time):
sudo -u www-data php /var/www/nextcloud/occ preview:generate-all -vvv
Update of previews takes place via a cron job. The following definition creates it once a night but you could also repeat it every couple of minutes. This could lead to problems when adding a large amount of new files as they would also need some time to be generated.
Add following line to /etc/cron.d/nextcloud from above:
# /etc/cron.d/nextcloud: Housekeeping cronjobs for Nextcloud # # m h dom mon dow user command */5 * * * * www-data php -f /var/www/nextcloud/cron.php 21 2 * * * www-data php /var/www/nextcloud/occ preview:pre-generate
Troubleshooting
Protocol
In case the admin console shows that there are errors in the protocol files you can look into the nextcloud.log located in the data directory.
Uploading of Big Files
If uploads of big files fail check this:
If php-fpm is in use then put the changes in a file into
/etc/php/8.2/fpm/conf.d
Dont-forget to restart the phpx.x-fpm service, i.e.:
systemctl restart php8.2-fpm
Previews Not Generated
If created preview files seem not to be used perhaps it helps to update the file database:
sudo -u www-data php /var/www/nextcloud/occ files:scan-app-data
Or delete preview folder and generate previews from scratch.
