How to Install and Configure Nextcloud 19 with SSL on Debian 10

by

Nextcloud is an open-source and self-hosted cloud application. It’s similar to Google Drive, Box and Dropbox. Nexcloud server only available for Linux, Windows user may install Nextcloud on Virtual Machine.

For this tutorial, we will start from scratch, so if you already had some of the software already installed you can be adjusted as needed.

Set DNS for Nextcloud Domain

To get secure Nextcloud by using SSL, first set DNS record for the domain you chose to used.
nextcloud set domain dns

Update System

Update Debian 10 to the latest available version

sudo apt update; sudo apt install -y

Install Dependency

sudo apt install wget curl -y

Install MariaDB Database

Nextcloud support PostgreSQL, SQLite and MySQL (MariaDB) for it’s database. On this tutorial we will use MariaDB as the database server.

sudo apt install mariadb-server -y

Create User and Database for Nextcloud

Login to MySQL/MariaDB shell as root

sudo mysql

Create database

create database nextcloud

Create user

GRANT ALL PRIVILEGES ON nextcloud.* TO "nextclouduser"@"localhost" IDENTIFIED BY "STRONG-PASSWORD";

mariadb shell create user and database

2. Install PHP
Because Nextcloud based on PHP, we’ll install PHP on Debian 10. On Debian 10 PHP 7.3 comes as default PHP.

sudo apt-get install php php-cli php-common php-gd php-xmlrpc php-fpm \
        php-curl php-intl php-imagick php-mysql php-zip php-xml \
        php-mbstring php-bcmath -y

3. Install NGINX

sudo apt install nginx -y

4. Install Letsencrypt SSL
Let’s Encrypt offering free SSL for everyone, let’s use this SSL because it can be automated

sudo apt install certbot python-certbot-nginx -y

Generate SSL for domain

sudo certbot --nginx -d DOMAIN --agree-tos -m email@gmail.com

When asked “Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):” enter 2, to redirect HTTP to HTTPS.
certbot install ssl on atetux

Edit file /etc/nginx/sites-enabled/default

server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name nextcloud.atetux.com; # managed by Certbot
    location / {
        try_files $uri $uri/ =404;
    }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.atetux.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.atetux.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

adjust these value to

server {
    root /var/www/html/nextcloud;
    index index.html index.htm index.nginx-debian.html;
    server_name nextcloud.atetux.com; # managed by Certbot
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.atetux.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.atetux.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    location / {
        rewrite ^ /index.php;
    }
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }
}

restart nginx

sudo systemctl restart nginx

5. Download Nextcloud
Download Nextcloud latest version from nextcloud

wget https://download.nextcloud.com/server/releases/nextcloud-19.0.1.zip

extract the file to our root directory as stated on nginx

sudo unzip nextcloud-19.0.1.zip -d /var/www/html/

set file and folder permission to www-data (nginx and PHP FPM user)

sudo chown www-data:www-data -R /var/www/html/nextcloud

6. Install Nextcloud
Open nextcloud domain https://DOMAIN.com on the browser. Because this is the first time we open the nextcloud domain, it will ask us to enter the admin user and database credential. Fill the form for
User admin
User admin password
Database user
Database password
Database name
click Finish Setup to start instalation.
nextcloud first installation wizard

it may take a while to install Recommended apps
nextcloud installing recommended apps

After above step done, Nextcloud will automatic login.
nextcloud first time login

Enjoy your new Nextcloud

Leave a Comment