How to Install Nextcloud with Nginx and Let's Encrypt SSL on Ubuntu 20.04 LTS

Nextcloud is a free (Open Source) Dropbox-like software, a fork of the ownCloud project. Nextcloud is written in PHP and JavaScript, it supports many database systems such as MySQL/MariaDB, PostgreSQL, Oracle Database, and SQLite.

In order to keep your files synchronized between Desktop and your own server, Nextcloud provides applications for Windows, Linux, and Mac desktops and a mobile app for Android and iOS. Nextcloud is not just a Dropbox clone, it provides additional features like Calendar, Contacts, Schedule tasks, and streaming media with Ampache etc.

In this tutorial, we will show you how to install and configure the latest Nextcloud release (at the time of writing this, the latest release is 18) on an Ubuntu 20.04 server. We will run Nextcloud with an Nginx web server and PHP7.4-FPM and use MariaDB server as the database system.

Prerequisites

  • Ubuntu 20.04
  • Root privileges

What we will do

  1. Install Nginx Webserver
  2. Install and Configure PHP7.4-FPM
  3. Install and Configure MySQL Server
  4. Generate SSL Letsencrypt
  5. Download Nextcloud 18
  6. Configure Nginx Virtual Host for Nextcloud
  7. UFW Firewall Configuration
  8. Nextcloud Post-Installation

Step 1 - Install Nginx Webserver

The first step we will do in this nextcloud guide is to install the Nginx web server. We will be using the Nginx web server instead of Apache webserver.

Log in to the server and update the repository, then install the Nginx web server using the apt command as shown below.

sudo apt update
sudo apt install nginx -y

After the installation is complete, start the Nginx service and enable the service to launch every time at system boot using systemctl.

systemctl start nginx
systemctl enable nginx

The Nginx service is up and running, check it using the following command.

systemctl status nginx

And you will get the result as below.

Install Nginx Web server

As a result, the Nginx web server has been installed on Ubuntu 20.04.

Step 2 - Install and Configure PHP7.4-FPM

By default, the Ubuntu 20.04 comes with default version PHP 7.4.

Install PHP and PHP-FPM packages needed by Nextcloud using the apt command below.

sudo apt install php-fpm php-curl php-cli php-mysql php-gd php-common php-xml php-json php-intl php-pear php-imagick php-dev php-common php-mbstring php-zip php-soap php-bz2 -y

After the installation is complete, we will configure the php.ini files for php-fpm and php-cli.

Go to the '/etc/php/7.4' directory.

cd /etc/php/7.4/

Edit the php.ini files for php-fpm and php-cli using vim.

vim fpm/php.ini
vim cli/php.ini

Uncomment the 'date.timezone' line and change the value with your own timezone.

date.timezone = Asia/Jakarta

Uncomment the 'cgi.fix_pathinfo' line and change the value to '0'.

cgi.fix_pathinfo=0

Save and exit.

Next, edit the php-fpm pool configuration 'www.conf'.

vim fpm/pool.d/www.conf

Uncomment those lines below.

env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

Save and exit.

Restart the PHP7.4-FPM service and enable it to launch every time on system boot.

systemctl restart php7.4-fpm
systemctl enable php7.4-fpm

Install PHP-FPM 7.4

Now check the PHP-FPM service using the following command.

ss -xa | grep php
systemctl status php7.4-fpm

And you will get the php-fpm is up and running under the sock file '/run/php/php7.4-fpm.sock'.

Check PHP-FPM Service

Step 3 - Install and Configure MariaDB Server

In this step, we will install the latest MariaDB version and create a new database for the nextcloud installation. The latest version MariaDB packages are available on the repository by default.

Install MariaDB server's latest version using the apt command below.

sudo apt install mariadb-server -y

After the installation is complete, start the MariaDB service and enable it to launch everytime at system boot.

systemctl start mariadb
systemctl enable mariadb

Now check the MySQL service using the following command.

systemctl status mariadb

Install MariaDB Server

The MariaDB server is up and running on Ubuntu 20.04.

Next, we will configure the MariaDB root password using the 'mysql_secure_installation' command.

Run the following command.

mysql_secure_installation

And you will be asked for some configuraiton of MariaDB Server. Also, type the new root password for MariaDB Server.

Enter current password for root (enter for none): Press Enter
Set root password? [Y/n] Y
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

And the MariaDB root password has been set up.

Next, we will create a new database for nextcloud installation. We will create a new database named 'nextcloud_db' with the user 'nextclouduser' and password '[email protected]'.

Login to the MySQL shell as a root user with mysql command.

mysql -u root -p
TYPE THE MYSQL ROOT PASSWORD

Now create the database and user with the password by running following MySQL queries.

create database nextcloud_db;
create user [email protected] identified by '[email protected]';
grant all privileges on nextcloud_db.* to [email protected] identified by '[email protected]';
flush privileges;

And the new database and user for the nextcloud installation has been created.

Create new database for Nextcloud

The MariaDB installation and configuration for nextcloud has been completed.

Step 4 - Generate SSL Letsencrypt

In this tutorial, we will secure nextcloud using free SSL from Letsencrypt, and we will generate certificates files using the letsencrypt tool.

If you do not have a domain name or install nextcloud on the local computer, you can generate the Self-Signed certificate using OpenSSL.

Install the 'letsencrypt' tool using the apt command below.

sudo apt install certbot -y

After the installation is complete, stop the nginx service.

systemctl stop nginx

Next, we will generate the SSL certificates for our domain name 'nextcloud.hakase-labs.io' using the cerbot command line. Run the command below.

certbot certonly --standalone -d cloud.hakase-labs.io

You will be asked for the email address, and it's used for the renew notification. For the Letsencrypt TOS agreement, type 'A' to agree and for the share email address, you can type 'N' for No.

Generate Let's encrypt SSL certificate

When it's complete, you will get the result as shown below.

SSL cert created

The SSL certificates Letsencrypt for the netxcloud domain name has been generated, all located at the '/etc/letsencrypt/live/your-domain' directory.

Step 5 - Download Nextcloud

Before downloading the nextcloud source code, make sure the unzip package is installed on the system. If you don't have the package, install it using the apt command below.

sudo apt install wget unzip zip -y

Now go to the '/var/www' directory and download the latest version of Nextcloud using the following command.

cd /var/www/
wget -q https://download.nextcloud.com/server/releases/latest.zip

Extract the Nextcloud source code and you will get a new directory 'netxcloud', change the ownership of the nextcloud directory to user 'www-data'.

unzip -qq latest.zip
sudo chown -R www-data:www-data /var/www/nextcloud

As a result, the Nextcloud has been downloaded under the '/var/www/nextcloud' directory, and it will be the web root directory.

Download Nextcloud

Step 6 - Configure Nginx Virtual Host for Nextcloud

In this step, we will configure the nginx virtual host for nextcloud. We will configure nextcloud to run under the HTTPS connection and will force the HTTP connection automatically to the secure HTTPS connection.

Now go to the '/etc/nginx/sites-available' directory and create a new virtual host file 'nextcloud'.

cd /etc/nginx/sites-available/
vim nextcloud

There, paste the following nextcloud virtual host configuration.

upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/var/run/php/php7.4-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.hakase-labs.io;
    # enforce https
    return 301 https://$server_name:443$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.hakase-labs.io;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant
    ssl_certificate /etc/letsencrypt/live/cloud.hakase-labs.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.hakase-labs.io/privkey.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Save and exit.

Enable the virtual host and test the configuration, and make sure there is no error.

ln -s /etc/nginx/sites-available/nextcloud /etc/nginx/sites-enabled/
nginx -t

Now restart PHP7.4-FPM service and nginx service using the systemctl command below.

systemctl restart nginx
systemctl restart php7.4-fpm

The Nginx virtual host configuration for nextcloud has been created.

Setup Nginx virtualhost for Nextcloud

Step 7 - Configure UFW Firewall

In this tutorial, we will turn on the firewall, and we will be using the UFW firewall for Ubuntu.

Add the SSH, HTTP and HTTPS to the UFW firewall list using the command below.

for svc in ssh http https
do
ufw allow $svc
done

After that, enable the UFW firewall and check the allowed service and port.

ufw enable
ufw status numbered

And you will get the HTTP port 80 and HTTPS port 443 is on the list.

Add SSH HTTP and HTTPS to UFW Firewall

Step 8 - Nextcloud Post-Installation

Open your web browser and type the nextcloud URL address.

http://cloud.hakase-labs.io/

And you will be redirected to the secure HTTPS connection.

On the Top page, we need to create the admin user for nextcloud, type the admin user password. On the 'Data folder' configuration, type the full path of the 'data' directory '/var/www/nextcloud/data'.

Scroll the page to the bottom, and you will get the database configuration. Type the database info that we've created in step 3 and then click the 'Finish Setup' button.

Install Nextcloud on Ubuntu 20.04

If you check the option 'Install recommended apps', you will get the following page.

Install Recommended Application Nextcloud

Nextcloud is installing additional recommended applications for you.

And after the installation is complete, you will get the Nextcloud Dashboard as below.

Nextcloud Dashboard

The Nextcloud 18 installation with Nginx web server and MySQL database on Ubuntu 20.04 has been completed successfully.

Reference

Share this page:

Suggested articles

10 Comment(s)

Add comment

Comments

By: Jutta at: 2020-05-14 11:54:36

Hello,

thanks for the tutorial. I followed it to install Nextcloud on a Debian server. It seems to have worked so far, I can get to the Nextcloud startpage, but then I get an error when I enter the credentials for the MariaDb:

Error while trying to create admin user: Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [1044] Access denied for user 'nextclouduser'@'localhost' to database 'nextcloud_db'

The user credentials seem to be correct, though, I can log in to the MariaDB as nextclouduser from the command line, so it does not just seem to be a typo when creating the database or user. Do you have any idea what it could be? Do I need to specify a port for localhost? 

Any help would be greatly appreciated,

thanks

By: Muhammad Arul at: 2020-05-21 15:39:08

Try to change the grant command options as below.

grant all privileges on nextcloud_db.* to [email protected] with grant option

By: Tobias at: 2020-06-06 19:43:24

Hello, great guide. I was especially happy about the ready made nginx config since I needed a fast solution and didn't want to work long on that.

There is only one issue I see with your guide: You are using php 7.4 which isn't officially supported by nextcloud (see: https://portal.nextcloud.com/article/supported-platforms-26.html ). That said it should be fine as a lab setup but since this guide is quite thorough I would imagine that it could be used to set up a production environment where that clould become a big problem.

Thanks

By: Muhammad Arul at: 2020-06-12 01:24:40

If you see the Nextcloud Server System Requirements, you will get the PHP 7.3 and 7.4 is a recommended version for the latest version of Nextcloud.

https://docs.nextcloud.com/server/19/admin_manual/installation/system_requirements.html#server

By: Ben at: 2020-06-18 20:34:59

Hey, this is an awesome tutorial. The only snags I'm hitting is the "optimization part" on the systems settings overviewpage. I'm getting the following:

There are some warnings regarding your setup.

 

The PHP memory limit is below the recommended value of 512MB. The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ?. No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.

I've tried to follow the directions as perscribed by the manuals and searched around to find ways to alleviate the problem, but my attempts haven't been fruitful

By: Ben at: 2020-08-28 16:03:12

I figured it out. In order to help clear out those issues, do the following:- For the php memory limit issue:     - sudo nano /etc/php/7.4/fpm/php.ini     - set "memory_limit = 512M" (from 128M)

- For the memory cache configuration:     - sudo apt install redis-server     - Check the version: redis-server -v     - Check that it's running: systemctl status redis     - If it's not running, do: sudo systemctl start redis-server     - Auto start the service on boot: sudo systemctl enable redis-server     - Install the PHP extension for Redis to work with Nextcloud: sudo apt install php-redis     - Check to see if the extension is enabled: php --ri redis          - If not enabled: sudo phpenmod redis     - Configure the Nextcloud config file: sudo nano /var/www/nextcloud/config/config.php          - Place in the following, in bold, right below the 'loglevel' setting and above the ");" syntax:               -   'theme' => '',                   'loglevel' => 2,                                      'memcache.distributed' => '\OC\Memcache\Redis',                   'memcache.local' => '\OC\Memcache\Redis',                   'memcache.locking' => '\OC\Memcache\Redis',                   'redis' => array(                   'host' => 'localhost',                   'port' => 6379,                   ),

          );     - Check the configuration syntax: sudo nginx -t     - If it's all clear restart the services:  sudo systemctl restart nginx php7.4-fpm

- The last part on the Strict-Transport-Security was my fault, I didn't get the chance to copy/paste everything. I now have and that works as well.

Hope this helps someone else who may run into these issues!

By: zogthegreat at: 2020-06-28 15:35:22

Hi!

I'm having two problems. The first is with creating a certbot SSL certificate. I'm using a dynamic DNS servie from No-IP. I have the No-Ip client running properly and the server set on the DMZ of my network, however, I get the following error:

[email protected]:/etc/nginx/sites-available$ sudo certbot certonly --standalone -d anikavf.ddns.net

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator standalone, Installer None

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for anikavf.ddns.net

Waiting for verification...

Challenge failed for domain anikavf.ddns.net

http-01 challenge for anikavf.ddns.net

Cleaning up challenges

Some challenges have failed.

IMPORTANT NOTES:

 - The following errors were reported by the server:

Domain: anikavf.ddns.net

Type:   connection

Detail: Fetching

http://anikavf.ddns.net/.well-known/acme-challenge/0RYP-E7FnofW8nIuLSY_hLzyTJZY9_2MuVWSNBbweCo:

Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

The other problem is with nginx, where I'm getting the following error:

[email protected]:/etc/nginx/sites-available$ sudo nginx -t

nginx: [emerg] unexpected "}" in /etc/nginx/sites-enabled/nextcloud:1

nginx: configuration file /etc/nginx/nginx.conf test failed

I copied and pasted from the above, changing :cloud.hakase-labs.io" to "anikavf.ddns.net", so I'm not sure why I'm getting the error here.

Any suggestions?

Thanks!

zog

By: max at: 2020-07-16 05:37:28

Great stuff :)

By: HenrysCat at: 2020-08-24 18:27:06

For extra peace of mind move the 'data' folder to /var/opt/data/ then run chown -R www-data:www-data /var/opt/data/ Next open \var\www\nextcloud\config\config.php and change line 10 to 'datadirectory' => '/var/opt/data',

By: HenrysCat at: 2020-10-18 13:04:06

Let's encrypt does automatically renew, I have to run systemctl stop nginx certbot renew systemctl start nginx Is it possible to automate renewal?