NextCloud Installation Q & A

    • OMV 3.x


    • scottct1 wrote:

      brotbox wrote:

      thank you both very much! That's a good starting point. Then I will have a look at Docker and LAMP/LEMP the next days.
      According to YT comments on Techno Dad Life channel he may make a video about nc and docker.
      I hope he does. I am a new OpenMediaVault user and his videos have been very very helpful!
      in the meantime i completely switched to nextcloud. https://ownyourbits.com/nextcloudpi/ very simple to install and it's secure!
      there i have smb, nfs, fail2ban, letsencrypt....
      For me and my odroid hc2 it is the best way.
    • Your guide didn't really work step by step for OMV4 & NC 13, but it is referenced in many posts from my research so good on you for your comprehensive work. The wider community has benefited greatly!!

      I've managed to get it all working using a combination of sites and info. I will try to detail it below. I am no expert in Linux but have been a hobbyist for some time, so please feel free to correct or question anything, but this is what worked for me. Hope these breadcrumbs may help someone else.

      1. Install OMV and plugins as per Techno Dad Life -

      2. Install PHP7 and related packages

      Source Code

      apt install php7.0 libapache2-mod-php7.0 php7.0-common php7.0-gd php7.0-json php7.0-mysql php7.0-curl php7.0-mbstring php7.0-intl php7.0-mcrypt php7.0-imagick php7.0-xml php7.0-zip

      3. Install Nextcloud and config/prep in OMV as per section from - wiki.pine64.org/index.php/OpenMediaVault

      4. Somewhere in the NC setup, I had to log in as admin user, but it didn't work. Tried creating a new "nextcloud" user in mysql and granted permissions, still didn't work. In the end, found somewhere to login as "omvadmin" for initial NC login when creating the databases etc. and it worked a treat. Cheers everyone, keep up the good work and communications!

      The post was edited 2 times, last by 4bc ().

    • 4bc wrote:

      3. Install Nextcloud and config/prep in OMV as per section from - wiki.pine64.org/index.php/OpenMediaVault4.

      4. Somewhere in the NC setup, I had to log in as admin user, but it didn't work. Tried creating a new "nextcloud" user in mysql and granted permissions, still didn't work. In the end, found somewhere to login as "omvadmin" for initial NC login when creating the databases etc. and it worked a treat. Cheers everyone, keep up the good work and communications!

      Nice, sounds good! Maybe I'll give it a try.
      The link has no content? --> There is currently no text in this page.....

      I hope we will see an updated guide for OMV4 & NC 13 :)
    • I fixed the link up in my previous post, not sure where the number 4 came from at the end.

      I'll paste the info below just in case.

      Source Code

      Reference: https://forum.openmediavault.org/index.php/Thread/17738-NextCloud-Installation/

      1. SSH to the device
         # apt-get update
         # apt-get upgrade
         - Configuring openmediavault => Press [Tab] => Press [Enter] on Ok
         # apt-get install php5-curl php5-gd
      2. Create the Shared Folders for all your Nginx's web pages
         - Name: www
         - Path: www/
         - Click on the ACL
         - User/Groups permissions: Tick Read/Write for both www-data user and group
         - Set Owner / Group to Read/Write/Execute and Others to None
      3. Create the sub shared folder for your NextCloud web pages
         - Name: nextcloud
         - Path: www/nextcloud
         - Click on the ACL
         - User/Groups permissions: Tick Read/Write for both www-data user and group
         - Set Owner / Group to Read/Write/Execute and Others to None
      4. Go to System => Plugins => Tick openmediavault-nginx => Install
      5. Services => Nginx => Settings => Enable => Save => Apply
      6. Services => Nginx => Pools => Add
         - Name: pool_nextcloud
         - User: www-data
         - Group: www-data
         - Extra options: <<<Copy Texts In Between ########## Below>>>
         ##########
         clear_env = no
         env[HOSTNAME] = $HOSTNAME
         env[PATH] = /usr/local/bin:/usr/bin:/bin
         env[TMP] = /tmp
         env[TMPDIR] = /tmp
         env[TEMP] = /tmp
         ##########
         - Save => Apply
      7. Services => Nginx => Servers => Add
         - General
           - Directory: nextcloud
         - SSL
           - Enable SSL: Enable
           - Port: 91
           - Certificate: <<<Select Created SSL Certificate>>>
             - System => Certificates => SSL => Add => Create (Set longer "Period of validity" if you do not want to renew the certificate too frequently) => Save => Apply
           - Only use SSL: Enable
         - PHP
           - Enable PHP: Enable
           - PHP-FPM Pool: pool_nextcloud
         - Extra options: <<<Copy Texts In Between ########## Below>>>
         ##########
         add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
         add_header X-Content-Type-Options nosniff;
         add_header X-Frame-Options "SAMEORIGIN";
         add_header X-XSS-Protection "1; mode=block";
         add_header X-Robots-Tag none;
         add_header X-Download-Options noopen;
         add_header X-Permitted-Cross-Domain-Policies none;
         location = /robots.txt {
             log_not_found off;
             allow all;
             access_log off;
         }
         # The following 2 rules are only needed for the user_webfinger app.
         # Uncomment it if you're planning to use this app.
         #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
         #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
         # last;
         location = /.well-known/carddav {
             return 301 $scheme://$host/remote.php/dav;
         }
         location = /.well-known/caldav {
             return 301 $scheme://$host/remote.php/dav;
         }
         # set max upload size
         client_max_body_size 50G;
         fastcgi_buffers 64 4K;
         # Disable gzip to avoid the removal of the ETag header
         gzip off;
         # Uncomment if your server is build with the ngx_pagespeed module
         # This module is currently not supported.
         #pagespeed off;
         error_page 403 /core/templates/403.php;
         error_page 404 /core/templates/404.php;
         location / {
             rewrite ^ /index.php$uri;
         }
         location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
             deny all;
         }
         location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
             deny all;
         }
         location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
             fastcgi_split_path_info ^(.+\.php)(/.*)$;
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param PATH_INFO $fastcgi_path_info;
             fastcgi_param HTTPS on;
             #Avoid sending the security headers twice
             fastcgi_param modHeadersAvailable true;
             fastcgi_param front_controller_active true;
             fastcgi_pass $socket;
             fastcgi_intercept_errors on;
         }
         location ~ ^/(?:updater|ocs-provider)(?:$|/) {
             try_files $uri/ =404;
             index index.php;
         }
         # Adding the cache control header for js and css files
         # Make sure it is BELOW the PHP block
         location ~* \.(?:css|js|woff|svg|gif)$ {
             try_files $uri /index.php$uri$is_args$args;
             add_header Cache-Control "public, max-age=7200";
             add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
             add_header X-Content-Type-Options nosniff;
             add_header X-Frame-Options "SAMEORIGIN";
             add_header X-XSS-Protection "1; mode=block";
             add_header X-Robots-Tag none;
             add_header X-Download-Options noopen;
             add_header X-Permitted-Cross-Domain-Policies none;
             # Optional: Don't log access to assets
             access_log off;
         }
         location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
             try_files $uri /index.php$uri$is_args$args;
             # Optional: Don't log access to other assets
             access_log off;
         }
         ##########
      8. Go to System => Plugins => Tick openmediavault-mysql => Install
      9. Services => MySQL => Enable => Save => Apply
         => Reset Password
      10. Go to https://nextcloud.com/ => Download => Get Nextcloud Server => Download => Web Installer (Bottom Tab) => Download setup-nextcloud.php to your PC
      11. Use FTP/SAMBA/etc to transfer setup-nextcloud.php to www/nextcloud/
      12. Go to https://<<<DEVICE_IP>>>:91/setup-nextcloud.php
          - Please add exception for the self-signed certificate if your browser prompt you to do so
          - Next
          - Dependency check: Enter a single "." => Next
          - Wait until: 504 Gateway Time-out
      13. Go to https://<<<DEVICE_IP>>>:91/ (Retry again if you get 404)
          - Click on Storage & database => MySQL/MariaDB
          - Database user: root
          - Database password: <<<Password Reset On Step #10>>>
          - Database name: nextcloud
          - Database host: localhost
          - Finish setup
      14. Services => Nginx => Servers => Edit
          - PHP => Default config: Disable
      15. Go to https://<<<DEVICE_IP>>>:91/
      16. If installation failed on step #12 onwards:
          - Remove all the folders/files/hidden files in www/nextcloud/* through FTP/SAMBA/etc (Note that, removing 13,000+ files may take a while)
          - Services => MySQL => SQL management site => Enable => Save => Apply => Show
          - Tools => Database Manager => tick "nextcloud" and "DROP selected databases" => Submit
          - Start over again from step #12
      17. Setup the Dynamic DNS if you need to access your NextCloud through internet. Then, on your internet modem/router: Port Forward to the device with port 91
    • Since update to 13.0.4 I get

      Source Code

      X-Content-Type-Options
      The X-Content-Type-Options response header forbids browsers to guess the Content-Type of a file, this prevents so called "MIME confusion attacks".
      X-XSS-Protection
      The X-XSS-Protection response header prevents browsers from loading a page when they detect a reflected Cross-Site Scripting attack. While not really required anymore for up-to-date browsers this is a decent security hardening for older browsers.
      X-Download-Options
      The X-Download-Options response header instructs Internet Explorer not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks.
      X-Permitted-Cross-Domain-Policies
      The X-Permitted-Cross-Domain-Policies response header instructs Adobe software on how to handle cross-domain policies. This provides a decent security hardening as it restricts Adobe Flash Player's access to data.

      by security-check of nextcloud. My nginx-setting looks like this:

      Source Code

      add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      location = /robots.txt {
          log_not_found off;
          allow all;
          access_log off;
      }
      # The following 2 rules are only needed for the user_webfinger app.
      # Uncomment it if you're planning to use this app.
      #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
      #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
      # last;
      location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
      }
      location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
      }
      # set max upload size
      client_max_body_size 50G;
      fastcgi_buffers 64 4K;
      # Disable gzip to avoid the removal of the ETag header
      gzip off;
      # Uncomment if your server is build with the ngx_pagespeed module
      # This module is currently not supported.
      #pagespeed off;
      error_page 403 /core/templates/403.php;
      error_page 404 /core/templates/404.php;
      location / {
          rewrite ^ /index.php$uri;
      }
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
          deny all;
      }
      location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
          deny all;
      }
      location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
          fastcgi_split_path_info ^(.+\.php)(/.*)$;
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_path_info;
          fastcgi_param HTTPS on;
          #Avoid sending the security headers twice
          fastcgi_param modHeadersAvailable true;
          fastcgi_param front_controller_active true;
          fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
          fastcgi_intercept_errors on;
      }
      location ~ ^/(?:updater|ocs-provider)(?:$|/) {
          try_files $uri/ =404;
          index index.php;
      }
      # Adding the cache control header for js and css files
      # Make sure it is BELOW the PHP block
      location ~* \.(?:css|js|woff|svg|gif)$ {
          try_files $uri /index.php$uri$is_args$args;
          add_header Cache-Control "public, max-age=7200";
          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
          add_header X-Content-Type-Options nosniff;
          add_header X-Frame-Options "SAMEORIGIN";
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Robots-Tag none;
          add_header X-Download-Options noopen;
          add_header X-Permitted-Cross-Domain-Policies none;
          # Optional: Don't log access to assets
          access_log off;
      }
      location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
          try_files $uri /index.php$uri$is_args$args;
          # Optional: Don't log access to other assets
          access_log off;
      }
      All the headers the security scan claims not to be set are set, so what's wrong with it?
      Chaos is found in greatest abundance wherever order is being sought.
      It always defeats order, because it is better organized.
      Terry Pratchett
    • here's my working version:
      You need to adapt server_name to your domain. And contrary to your settings, gzip is enabled.

      Source Code

      server_name your.domain.name;
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
      location = /robots.txt {
          allow all;
          log_not_found off;
          access_log off;
      }
      # The following 2 rules are only needed for the user_webfinger app.
      # Uncomment it if you're planning to use this app.
      #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
      #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
      # last;
      location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
      }
      location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
      }
      # set max upload size
      client_max_body_size 10G;
      fastcgi_buffers 64 4K;
      # Enable gzip but do not remove ETag headers
      gzip on;
      gzip_vary on;
      gzip_comp_level 4;
      gzip_min_length 256;
      gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
      gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
      location / {
          rewrite ^ /index.php$uri;
      }
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
          deny all;
      }
      location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
          deny all;
      }
      location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
          fastcgi_split_path_info ^(.+\.php)(/.*)$;
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_path_info;
          fastcgi_param HTTPS on;
          #Avoid sending the security headers twice
          fastcgi_param modHeadersAvailable true;
          fastcgi_param front_controller_active true;
          fastcgi_pass $socket;
          fastcgi_intercept_errors on;
          fastcgi_request_buffering off;
      }
      location ~ ^/(?:updater|ocs-provider)(?:$|/) {
          try_files $uri/ =404;
          index index.php;
      }
      # Adding the cache control header for js and css files
      # Make sure it is BELOW the PHP block
      location ~ \.(?:css|js|woff|svg|gif)$ {
          try_files $uri /index.php$uri$is_args$args;
          add_header Cache-Control "public, max-age=15778463";
          # Add headers to serve security related headers (It is intended to
          # have those duplicated to the ones above)
          # Before enabling Strict-Transport-Security headers please read into
          # this topic first.
          # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
          #
          # WARNING: Only add the preload option once you read about
          # the consequences in https://hstspreload.org/. This option
          # will add the domain to a hardcoded list that is shipped
          # in all major browsers and getting removed from this list
          # could take several months.
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Robots-Tag none;
          add_header X-Download-Options noopen;
          add_header X-Permitted-Cross-Domain-Policies none;
          # Optional: Don't log access to assets
          access_log off;
      }
      location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
          try_files $uri /index.php$uri$is_args$args;
          # Optional: Don't log access to other assets
          access_log off;
      }
    • By default, Nextcloud version 13.x already sets up its security configuration in .htaccess and php.
      So check your header security options with a web developer tool or by using an online service such as tools.geekflare.com/tools/x-frame-options-test and check if you get something like x-frame-options SAMEORIGIN, SAMEORIGIN.
      If so, the directive was set up twice and you have to remove it from your site Nginx configuration, just put a # at the beginning of the script above...
      Bye
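
      The duplicate-header check described in the post above, as an added example (not code from the thread or from Nextcloud): it parses raw response headers, such as `curl -sI` prints, and reports each security header as ok, missing, duplicate or mismatch. The expected values are the add_header values posted in this thread; the sample response and all function names are constructed for the example.

```python
from collections import defaultdict

# Expected values: taken from the add_header lines posted in this thread.
EXPECTED = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Robots-Tag": "none",
    "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: two headers are emitted twice (web server plus
# application), one arrives already folded into "v, v" the way a checking
# tool may display it, and X-Robots-Tag is absent.
SAMPLE = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

<html>...</html>
"""


def parse_headers(raw):
    """Return {lowercased name: [value, ...]}, keeping every occurrence."""
    seen = defaultdict(list)
    for line in raw.splitlines():
        if line.startswith("HTTP/"):
            continue                      # status line
        if not line.strip():
            break                         # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            seen[name.strip().lower()].append(value.strip())
    return seen


def audit(raw):
    """Classify each expected header as ok, missing, duplicate or mismatch."""
    seen = parse_headers(raw)
    report = {}
    for name, want in EXPECTED.items():
        values = seen.get(name.lower(), [])
        # Repeated header lines and a folded "v, v" value are the same fault.
        parts = [p.strip() for v in values for p in v.split(",")]
        if not parts:
            report[name] = "missing"
        elif any(p.lower() != want.lower() for p in parts):
            report[name] = "mismatch"
        elif len(parts) > 1:
            report[name] = "duplicate"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    import sys
    # Headers piped on stdin are audited; otherwise the constructed sample is.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for header, status in audit(raw).items():
        print(f"{header:36} {status}")
```

      To audit a live instance, pipe its headers in, for example `curl -skI https://<<<DEVICE_IP>>>:91/ | python3 audit_headers.py` (the script file name is hypothetical; `-k` accepts the self-signed certificate from the tutorial).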
    • @Stramm: my config looks similar to yours, I could fix my problems by uncommenting the entire first block, line 3-8, since they are mentioned twice (review to the block line 79-99)

      Security Scan gives me now an A+ with all topics checked green.
      Chaos is found in greatest abundance wherever order is being sought.
      It always defeats order, because it is better organized.
      Terry Pratchett
    • Random post here...lol.. I can't be bothered going back through all the pages...lol

      I have a working installation of Nextcloud in Nginx on omv3 and omv4. I had to fix the Extra Options code.
      From memory I had to remove the line below as it's listed twice.
      add_header X-Frame-Options "SAMEORIGIN";

      I think there were some other things I fixed too, it was a while ago..lol

      Let me know if anyone would like me to post some of my notes/fixes.

      Baldman :)

    • Removing

      Source Code

      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

      from the top of my configuration gives me a positive check on nextcloud security scan online, but my nextcloud instance now complains about the missing headers. So which one is right? What would be the correct setting?
      Chaos is found in greatest abundance wherever order is being sought.
      It always defeats order, because it is better organized.
      Terry Pratchett
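
      Added example, not code from the thread or from the nginx or Nextcloud projects: nginx inherits add_header directives from the enclosing level only when the current level declares none of its own, which is why the configurations above repeat the header list inside the css/js location. The sketch below computes which headers nginx itself adds per location; the config snippet is constructed (modelled on the posted "Extra options"), the function names are hypothetical, and it assumes one nesting level with the closing brace on its own line. Headers emitted by the PHP application are outside its scope.

```python
import re

REQUIRED = ["X-Content-Type-Options", "X-XSS-Protection", "X-Frame-Options"]

# Constructed snippet: server-level headers without X-Frame-Options, a PHP
# location with no add_header, an asset location with a partial header list.
CONFIG = r"""
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# add_header X-Frame-Options "SAMEORIGIN";
location ~ \.php(?:$|/) {
    fastcgi_param modHeadersAvailable true;
}
location ~* \.(?:css|js|woff|svg|gif)$ {
    add_header Cache-Control "public, max-age=7200";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
}
location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
    access_log off;
}
"""

ADD_HEADER = re.compile(r"^\s*add_header\s+(\S+)")
LOCATION = re.compile(r"^\s*location\s+(.*?)\s*\{\s*$")


def effective_headers(config):
    """Map each location to the header names nginx adds to its responses."""
    server, locations, current = [], {}, None
    for line in config.splitlines():
        if line.lstrip().startswith("#"):
            continue                      # commented-out directives do nothing
        loc = LOCATION.match(line)
        if loc:
            current = loc.group(1)
            locations[current] = []
        elif line.strip() == "}":
            current = None
        else:
            hdr = ADD_HEADER.match(line)
            if hdr:
                target = server if current is None else locations[current]
                target.append(hdr.group(1))
    # Inheritance rule: any add_header in a location replaces the whole
    # server-level list for that location; none at all means inherit it.
    return {name: (own or server) for name, own in locations.items()}


def missing_per_location(config, required=REQUIRED):
    """Return {location: [required headers nginx does not add there]}."""
    result = {}
    for name, have in effective_headers(config).items():
        present = {h.lower() for h in have}
        result[name] = sorted(r for r in required if r.lower() not in present)
    return result


if __name__ == "__main__":
    for location, missing in missing_per_location(CONFIG).items():
        print(f"{location:45} missing: {', '.join(missing) or '-'}")
```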
    • Hey guys,
      the tutorial is great, it's actually all I need for my personal use as a newbie on all of this, thanks to all who put so much effort in that and in answering all these questions.

      I hope you can help me too finding the root problem, I can't get NC setup starting. I followed the tutorial here, but NC setup won't start, it shows me:
      404 Not Found
      nginx/1.10.3

      The error message I get, I couldn't copy from OMV GUI (how is that done?). So here is one of the errors in the log from nginx - servers:


      Repro steps:
      - OMV 4.1.3 installed, is now updated to 4.1.8.2-1
      - OMV port: 80, no SSL activated yet, so no certificates and stuff
      - followed the tutorial
      - did it over and over, activated nginx first, then did the configurations of pool and server
      - nginx port: 90, no SSL activated

      Questions:
      - the sharedfolders config done as told in 1c of the tutorial leads to a weird-looking path in nginx - servers - path field. Is that correct and intended by the tutorial? Because I always read about "media/..." but I can't find that on my OMV.

      - if not correct, where could I do a different setup?

      thanks a lot, for helping me troubleshooting this.

      cheers!
    • hello,

      I think that error meant incorrect socket or PHP-FPM option.
      Double check your socket setting in the vhost config.

      Try this:

      tinh_x7 wrote:

      Replace fastcgi_pass $socket with fastcgi_pass /run/php/php7.0-fpm.sock;

      service nginx restart
      service php7.0-fpm restart




      Regarding the NC installation path: '/media' is for OMV3.
      OMV4 is like your screenshot: /srv/dev-disk-by-label....

      I can't update the tutorial due to the long instructions.
      OMV v4.0
      Asus Z97-A/3.1; i3-4370
      32GB RAM Corsair Vengeance Pro
      4x3TB RAID10

      The post was edited 1 time, last by tinh_x7 ().

    • tinh_x7 wrote:

      Regarding the NC installation path: '/media' is for OMV3.

      OMV4 is like your screenshot: /srv/dev-disk-by-label....
      Wow, great to hear, so that at least this is correct.

      I fiddled around in this Q&A and found one of your posts, saying to try the owncloud configuration. With that configuration in place, I can call the NC setup.

      Is that explainable? ?(