Install Nextcloud with Apache2 on Debian 10

PRE-REQUISITES

  • Have your own domain and be able to configure DNS accordingly
  • Have access to a Debian host with root privileges

INSTALL DEPENDENCIES

apt update
apt install apache2 libapache2-mod-php php php-gd php-curl php-zip php-dom php-xml php-simplexml php-mbstring php-apcu php-mysql php-intl php-bcmath php-gmp php-imagick unzip mariadb-server certbot

CONFIGURE DATABASE

mysql -u root -p

CREATE DATABASE your_database;
GRANT ALL ON your_database.* TO 'your_user'@'localhost' IDENTIFIED BY 'your_password';
FLUSH PRIVILEGES;

DOWNLOAD NEXTCLOUD

Run the following commands:

cd /tmp
wget https://download.nextcloud.com/server/releases/latest.zip
unzip latest.zip
mv nextcloud/* /var/www/html/
mv nextcloud/.[!.]* /var/www/html/   # dotfiles only; a plain .* would also match . and ..
rmdir nextcloud
chown -R www-data:www-data /var/www/html/

SET UP NEXTCLOUD

Edit the /var/www/html/config/config.php file and:

1) Declare your public access domain:

'trusted_domains' =>
  array (
    0 => 'your.domain.tld',
  ),

2) Disable new user registration:

'simpleSignUpLink.shown' => false,

3) Configure APCu as cache memory system:

'memcache.local' => '\\OC\\Memcache\\APCu',

SET UP APACHE2

1) Make it run at startup:

systemctl enable --now apache2

2) Enable HTTPS traffic:

a2enmod ssl

3) Issue a new Let’s Encrypt SSL certificate:

certbot certonly -d your.domain.tld

4) Set up Apache virtual host:

a2ensite your.domain.tld

Here’s a sample /etc/apache2/sites-available/your.domain.tld.conf file (it must exist before a2ensite can enable it):

<VirtualHost *:80>
  ServerName your.domain.tld
  Redirect permanent "/" "https://your.domain.tld/"
</VirtualHost>

<VirtualHost *:443>
  ServerName your.domain.tld

  # Example SSL certificate path for Let's Encrypt
  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/your.domain.tld/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/your.domain.tld/privkey.pem

  DocumentRoot /var/www/html

  CustomLog /var/log/apache2/your.domain.tld-access.log combined
  ErrorLog /var/log/apache2/your.domain.tld-error.log
</VirtualHost>

Apply changes by running:

apachectl configtest
systemctl reload apache2

At this point you should be able to open https://your.domain.tld in any web browser and follow the web installation wizard.

FIX SECURITY WARNINGS ON A FRESH INSTALLATION

1) Add HSTS header

Edit /etc/apache2/sites-available/your_vhost.conf and within the HTTPS VirtualHost block add:

Header always set Strict-Transport-Security: "max-age=63072000; includeSubDomains; preload"

2) Increase default PHP memory_limit value

Edit /etc/php/7.3/apache2/php.ini and set:

memory_limit = 512M ; At least

3) Disable PHP output_buffering

Edit /etc/php/7.3/apache2/php.ini and set:

output_buffering = off

4) Fix missing database indices

Run these commands:

chmod +x /var/www/html/occ
sudo -u www-data /usr/bin/php /var/www/html/occ db:add-missing-indices

5) Fix webdav URLs

Edit /etc/apache2/sites-available/your_vhost.conf and within the HTTPS VirtualHost add:

  RewriteEngine On
  RewriteRule ^/\.well-known/carddav https://your.domain.tld/remote.php/dav/ [R=301,L]
  RewriteRule ^/\.well-known/caldav https://your.domain.tld/remote.php/dav/ [R=301,L]

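Enable the Apache modules that the Header and RewriteRule directives above depend on, then apply all these last changes by running:

a2enmod headers rewrite
systemctl restart apache2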
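
To confirm that fixes 1) and 5) took effect, the response headers can be checked from a shell. The script below is an added example, not part of the original guide: the function names and the sample header blocks are constructed, and MIN_AGE assumes the 15552000-second minimum that Nextcloud's security check expects for HSTS.

```shell
#!/usr/bin/env bash
# Added example: offline checks over response headers as printed by `curl -sI`.
# Against a live host:  curl -sI https://your.domain.tld/ | hsts_ok
#                       curl -sI https://your.domain.tld/.well-known/carddav | dav_redirect_ok
MIN_AGE=15552000   # assumed minimum HSTS max-age (seconds) accepted by Nextcloud's check

# header_value NAME: print the value of the first header NAME found on stdin.
header_value() {
  tr -d '\r' | awk -v want="$1" '
    { i = index($0, ":"); if (i == 0) next            # skip the status line
      if (tolower(substr($0, 1, i - 1)) == tolower(want)) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# hsts_ok: succeed when stdin has Strict-Transport-Security with max-age >= MIN_AGE.
hsts_ok() {
  local age
  age=$(header_value strict-transport-security |
        sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]="\{0,1\}\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge "$MIN_AGE" ]
}

# dav_redirect_ok: succeed when stdin is a 301 pointing at https://.../remote.php/dav/
dav_redirect_ok() {
  local headers status location
  headers=$(cat)
  status=$(printf '%s\n' "$headers" | head -n 1 | tr -d '\r' | awk '{ print $2 }')
  location=$(printf '%s\n' "$headers" | header_value location)
  [ "$status" = "301" ] || return 1
  case "$location" in https://*/remote.php/dav/) return 0 ;; *) return 1 ;; esac
}

# Constructed sample responses (not captured from a real server).
HSTS_SET='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Type: text/html; charset=UTF-8'
HSTS_SHORT='HTTP/1.1 200 OK
strict-transport-security: max-age=3600'
DAV_301='HTTP/1.1 301 Moved Permanently
Location: https://your.domain.tld/remote.php/dav/'

if printf '%s\n' "$HSTS_SET" | hsts_ok; then echo "HSTS_SET: ok"; fi
if ! printf '%s\n' "$HSTS_SHORT" | hsts_ok; then echo "HSTS_SHORT: max-age below $MIN_AGE"; fi
if printf '%s\n' "$DAV_301" | dav_redirect_ok; then echo "DAV_301: redirect ok"; fi
```

Both check functions return a non-zero exit status on failure, so they can gate a deployment script or a monitoring probe.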