How can I install Nextcloud correctly with ISPConfig?

Discussion in 'General' started by Milly, Jan 24, 2020.

Thread Status:
Not open for further replies.
  1. Milly

    Milly Member

    Hi, I can't get Nextcloud to work correctly using ISPConfig.

    How can I install Nextcloud securely and with the correct permissions to folders and the correct certificates?

    Thank you

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.1.15p2


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.3.11-1~deb10u1

    ##### PORT CHECK #####

    [WARN] Port 22 (SSH server) seems NOT to be listening

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 4267)
    [INFO] I found the following mail server(s):
    Postfix (PID 1085)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 508)
    [INFO] I found the following imap server(s):
    Dovecot (PID 508)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 846)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [anywhere]:993 (508/dovecot)
    [anywhere]:995 (508/dovecot)
    [localhost]:10023 (790/postgrey)
    [localhost]:10024 (1120/amavisd-new)
    [localhost]:10025 (1085/master)
    [localhost]:10026 (1120/amavisd-new)
    [anywhere]:22090 (535/sshd)
    [localhost]:10027 (1085/master)
    [anywhere]:587 (1085/master)
    [localhost]:11211 (445/memcached)
    [anywhere]:110 (508/dovecot)
    [anywhere]:143 (508/dovecot)
    [anywhere]:465 (1085/master)
    [anywhere]:21 (846/pure-ftpd)
    ***.***.***.***:53 (454/named)
    ***.***.***.***:53 (454/named)
    [localhost]:53 (454/named)
    [anywhere]:25 (1085/master)
    [localhost]:953 (454/named)
    *:*:*:*::*:993 (508/dovecot)
    *:*:*:*::*:995 (508/dovecot)
    *:*:*:*::*:10024 (1120/amavisd-new)
    *:*:*:*::*:10026 (1120/amavisd-new)
    *:*:*:*::*:3306 (638/mysqld)
    *:*:*:*::*:22090 (535/sshd)
    *:*:*:*::*:587 (1085/master)
    [localhost]10 (508/dovecot)
    [localhost]43 (508/dovecot)
    *:*:*:*::*:8080 (4267/apache2)
    *:*:*:*::*:80 (4267/apache2)
    *:*:*:*::*:8081 (4267/apache2)
    *:*:*:*::*:465 (1085/master)
    *:*:*:*::*:21 (846/pure-ftpd)
    *:*:*:*::*:53 (454/named)
    *:*:*:*::*:25 (1085/master)
    *:*:*:*::*:953 (454/named)
    *:*:*:*::*:443 (4267/apache2)




    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-roundcube tcp -- [anywhere]/0 [anywhere]/0 multiport dports 80,443
    f2b-auth tcp -- [anywhere]/0 [anywhere]/0 multiport dports 80,443
    f2b-pure-ftpd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 21
    f2b-auth tcp -- [anywhere]/0 [anywhere]/0 multiport dports 80,443
    f2b-ispconfig tcp -- [anywhere]/0 [anywhere]/0 multiport dports 8080
    f2b-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465,587,143,993,110,995
    f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-sshd (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-postfix-sasl (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-ispconfig (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-auth (2 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-pure-ftpd (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-apache-postflood (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-roundcube (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Create an ispconfig website, ensure that php-mode is php-fpm and suexec is enabled, and then install nextcloud into the web folder and configure nextcloud to use the private folder of the website to store documents. All files and folders from nextcloud must be owned by the web user and client group of the website, but that's automatically the case when you install nextcloud by using an ssh user of that website or upload it by using an FTP user of that website.
     
    Milly likes this.
  3. Milly

    Milly Member

    From ISPConfog add the database, database user, add the website cloud.domain.com

    But I have problems with the permissions because it does not enter.

    [email protected]:/var/www/clients/client0/web1# ls -la
    total 40
    drwxr-xr-x 10 root root 4096 Jan 24 17:03 .
    drwxr-xr-x 3 root root 4096 Jan 24 17:03 ..
    drwxr-xr-x 2 web1 client0 4096 Jan 24 17:03 cgi-bin
    drwxr-xr-x 2 root root 4096 Jan 24 18:04 log
    drwx--x--- 2 web1 client0 4096 Jan 24 17:03 private
    drwx------ 2 web1 client0 4096 Jan 24 17:03 .ssh
    drwxr-xr-x 2 root root 4096 Jan 24 17:03 ssl
    drwxrwx--- 2 web1 client0 4096 Jan 24 17:03 tmp
    drwxr-xr-x 15 www-data www-data 4096 Jan 24 17:23 web
    drwx--x--- 2 web1 client0 4096 Jan 24 17:03 webdav
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if you manually have set wrong permissions, because the web folder is never owned by www-data in ISPConfig and if you change it to www-data, then the permmissions are wrong and writing to that folder must fail. The web folder must be owned by web1:client0 in your case, so change it back to that owner. and all files and folders inside the web folder must be owned by web1:client0 as well.
     
    Milly likes this.
  5. Milly

    Milly Member

    Excellent thanks

    My mistake was not using ftp to send the files

    From ssh download nextcloud to /tmp and then change the permissions of /web to move the files.

    I went back to the previous permissions created by ISPConfig (web1: client0) as you told me and now it works.
     
    Th0m and till like this.
  6. ledufakademy

    ledufakademy Member HowtoForge Supporter

    hum ... this is much more complicated of this !

    first you need snipets if using nginx :
    here is mine :

    Code:
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
    
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;
    
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    
    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
    
    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location ~ /.well-known/acme-challenge {
        allow all;
    }
    
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    
    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    
    location / {
        rewrite ^ /index.php;
    }
    
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
    {FASTCGIPASS}
    # fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    
    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }
    
    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
    
        # Optional: Don't log access to assets
        access_log off;
    }
    
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
    
    #in vhost :
    #comment out ...
    
    # ~ \.php$ {
    #    try_files /e058ab8950a416e47a1c58aa82949134.htm @php;
    # }
    
    And php.ini code (need more optimisation) :
    Code:
    opcache.enable = 1
    opcache.enable_cli = 1
    opcache.memory_consumption = 128
    opcache.interned_strings_buffer = 8
    opcache.max_accelerated_files = 10000
    opcache.revalidate_freq = 1
    opcache.save_comments = 1
    post_max_size = 512M
    upload_max_filesize = 512M
    max_execution_time = 3600
    memory_limit = 1024M
    
     
    Last edited: Sep 22, 2020
  7. ledufakademy

    ledufakademy Member HowtoForge Supporter

    Facing another issue ...
    gateway time out 504 when updatting nextcloud .
    where can i increase timeout for nginx (or fastcgi or fpm ...) in ispconfig ?
     
  8. ledufakademy

    ledufakademy Member HowtoForge Supporter

    Stuck in updater web page ..grrrhhhhhhhh

    Code:
    Downloading
    Parsing response failed. <html> <head><title>504 Gateway Time-out</title></head> <body bgcolor="white"> <center><h1>504 Gateway Time-out</h1></center> <hr><center>nginx/1.14.2</center> </body> </html>
    
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not Hijack other users' threads.
     
Thread Status:
Not open for further replies.

Share This Page