NextCloud Installation Q & A

    • OMV 3.x
    • We're not supposed to turn on the PHP default config.


      @FixXx,

      Apparently, I have the same issue when I ran the test on sslabs.com.

      Another issue is: This server supports weak Diffie-Hellman (DH) key exchange parameters.

      Solution:

      Note: This process may take 15 to 30 mins depending on your service specs.

      1. Go to and run:

      Source Code

          cd /etc/ssl/certs
          openssl dhparam -out dhparam.pem 4096

      2. Add this line at the beginning of the vhost config:

      ssl_dhparam /etc/ssl/certs/dhparam.pem;
      OMV v4.0
      Asus Z97-A/3.1; i3-4370
      32GB RAM Corsair Vengeance Pro
      4x3TB RAID10

      The post was edited 4 times, last by tinh_x7 ().

    • tinh_x7 wrote:

      We're not supposed to turn on the PHP default config.


      @FixXx,

      Apparently, I have the same issue when I ran the test on sslabs.com.

      Another issue is: This server supports weak Diffie-Hellman (DH) key exchange parameters.

      Solution:

      Note: This process may take 15 to 30 mins depending on your service specs.

      1. Go to and run:

      Source Code

          cd /etc/ssl/certs
          openssl dhparam -out dhparam.pem 4096

      2. Add this line at the beginning of the vhost config:

      ssl_dhparam /etc/ssl/certs/dhparam.pem;

      I have no problem with the ssllabs score. I got A+, 100 in every category... thx to this excellent documentation.

      My main problem is the reported /login loop. I've used the vanilla nextcloud13 config to sort the problem out. The config works after I made the common changes (server, cert, root, $socket) but the redirect loop persists.

      Do you - does anyone - have an idea what the reason could be? Is there someone out there with omv4+nc13 installation and without redirect loop reported by ssllabs?
    • FixXx wrote:


      Is there someone out there with omv4+nc13 installation and without redirect loop reported by ssllabs?
      Yes, it works on my system. omv 4 + nc13 but I have installed 12.0.x and updated to nc13.
      omv 4.0.19 | 64 bit | omvextrasorg 4.1.2 | kernel 4.14
      used plugins: nginx | mysql | docker-gui |rsnapshot | antivirus | apt tool | letsEncrypt |
      used other: nextcloud | logitechmediaserver | emby
    • happyreacer wrote:

      FixXx wrote:

      Is there someone out there with omv4+nc13 installation and without redirect loop reported by ssllabs?
      Yes, it works on my system. omv 4 + nc13 but I have installed 12.0.x and updated to nc13.
      Can you please post your nginx config?

      tinh_x7 wrote:

      I don't know why there is HTTP redirect loop.

      Can you share your vhost config?

      My current config is based on the official Nextcloud sample. Basically I only added security settings and the omv-generated $socket.

      Source Code

          upstream php-handler {
              server 127.0.0.1:9000;
              #server unix:/var/run/php5-fpm.sock;
          }

          server {
              listen 80;
              listen [::]:80;
              server_name my.domain.com;
              # enforce https
              return 301 https://$server_name$request_uri;
          }

          server {
              listen 443 ssl http2;
              listen [::]:443 ssl http2;
              server_name my.domain.com;

              ssl_certificate /etc/ssl/certs/cert.crt;
              ssl_certificate_key /etc/ssl/priv.key;

              # Add headers to serve security related headers
              # Before enabling Strict-Transport-Security headers please read into this
              # topic first.
              # add_header Strict-Transport-Security "max-age=15768000;
              # includeSubDomains; preload;";
              #
              # WARNING: Only add the preload option once you read about
              # the consequences in https://hstspreload.org/. This option
              # will add the domain to a hardcoded list that is shipped
              # in all major browsers and getting removed from this list
              # could take several months.
              add_header X-Content-Type-Options nosniff;
              add_header X-XSS-Protection "1; mode=block";
              add_header X-Robots-Tag none;
              add_header X-Download-Options noopen;
              add_header X-Permitted-Cross-Domain-Policies none;

              set $socket "unix:/var/run/fpm-b4f19467-563b-4681-b8e4-582ee046726b.sock";

              # Path to the root of your installation
              root /path/to/nextcloud/;

              # Set HTTP Strict Transport Security (HSTS) to 365 days
              add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

              ## Key Exchange Settings
              # Use self generated Diffie-Hellman parameter for DHE ciphersuites
              ssl_dhparam /etc/ssl/dhparams4096.pem;
              ssl_ecdh_curve secp384r1;

              # Session resumption
              ssl_session_timeout 1d;
              ssl_session_cache shared:SSL:50m;
              ssl_session_tickets off;

              # OCSP stapling
              ssl_stapling on;
              ssl_stapling_verify on;
              resolver 8.8.8.8 8.8.4.4;
              ssl_trusted_certificate /etc/letsencrypt/live/my.domain.com/chain.pem;

              # modern cipher configuration
              ssl_protocols TLSv1.2;
              ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
              ssl_prefer_server_ciphers on;

              location = /robots.txt {
                  allow all;
                  log_not_found off;
                  access_log off;
              }

              # The following 2 rules are only needed for the user_webfinger app.
              # Uncomment it if you're planning to use this app.
              #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
              #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
              # last;

              location = /.well-known/carddav {
                  return 301 $scheme://$host/remote.php/dav;
              }
              location = /.well-known/caldav {
                  return 301 $scheme://$host/remote.php/dav;
              }

              # set max upload size
              client_max_body_size 512M;
              fastcgi_buffers 64 4K;

              # Enable gzip but do not remove ETag headers
              gzip on;
              gzip_vary on;
              gzip_comp_level 4;
              gzip_min_length 256;
              gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
              gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

              # Uncomment if your server is build with the ngx_pagespeed module
              # This module is currently not supported.
              #pagespeed off;

              location / {
                  rewrite ^ /index.php$uri;
              }

              location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
                  deny all;
              }
              location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
                  deny all;
              }

              location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
                  fastcgi_split_path_info ^(.+\.php)(/.*)$;
                  include fastcgi_params;
                  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                  fastcgi_param PATH_INFO $fastcgi_path_info;
                  fastcgi_param HTTPS on;
                  #Avoid sending the security headers twice
                  fastcgi_param modHeadersAvailable true;
                  fastcgi_param front_controller_active true;
                  fastcgi_pass $socket;
                  fastcgi_intercept_errors on;
                  fastcgi_request_buffering off;
              }

              location ~ ^/(?:updater|ocs-provider)(?:$|/) {
                  try_files $uri/ =404;
                  index index.php;
              }

              # Adding the cache control header for js and css files
              # Make sure it is BELOW the PHP block
              location ~ \.(?:css|js|woff|svg|gif)$ {
                  try_files $uri /index.php$uri$is_args$args;
                  add_header Cache-Control "public, max-age=15778463";
                  # Add headers to serve security related headers (It is intended to
                  # have those duplicated to the ones above)
                  # Before enabling Strict-Transport-Security headers please read into
                  # this topic first.
                  # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
                  #
                  # WARNING: Only add the preload option once you read about
                  # the consequences in https://hstspreload.org/. This option
                  # will add the domain to a hardcoded list that is shipped
                  # in all major browsers and getting removed from this list
                  # could take several months.
                  add_header X-Content-Type-Options nosniff;
                  add_header X-XSS-Protection "1; mode=block";
                  add_header X-Robots-Tag none;
                  add_header X-Download-Options noopen;
                  add_header X-Permitted-Cross-Domain-Policies none;
                  # Optional: Don't log access to assets
                  access_log off;
              }

              location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
                  try_files $uri /index.php$uri$is_args$args;
                  # Optional: Don't log access to other assets
                  access_log off;
              }
          }

      The post was edited 1 time, last by FixXx ().

    • I have OMV version 3.0.99 and I have followed NC installation instructions (with variation for net install) but I am stuck on step 7, when I type in browser 192.168.1.27:81/setup-nextcloud.php I get 404 Not Found as some other users and the problem hasn't been solved. The log error:

      2018/04/11 15:36:27 [error] 2294#0: *2004 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.1.100, server: ,request: "GET /setup-nextcloud.php HTTP/1.1", upstream: "fastcgi://unix:/run/fpm-32a2476e-7999-4df4-99b9-53432153b9b2.sock:", host: "192.168.1.27:81"

      if I use Firefox and with Qupzilla I get:

      2018/04/11 14:34:04 [crit] 2292#0: *1057 stat() "/srv/dev-disk-by-id-md-name-openmediavault-0/www/nextcloud/favicon.ico" failed (13: Permission denied), client: 192.168.1.100, server: , request: "GET /favicon.ico HTTP/1.1", host: "192.168.1.27:81", referrer: "http://192.168.1.27:81/setup-nextcloud.php"
      and
      2018/04/11 14:34:04 [error] 2292#0: *1057 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.1.100, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/run/fpm-32a2476e-7999-4df4-99b9-53432153b9b2.sock:", host: "192.168.1.27:81", referrer: "http://192.168.1.27:81/setup-nextcloud.php"

      I have found this link which says that: To resolve "Primary script unknown" problem:

      if you see "GET /" without a correct php file name, then it's your nginx conf problem.
      if you see "GET /app.php" with 404, it means nginx is correctly passing the script file name but php-fpm failed to access this file (user "php-fpm:php-fpm" don't have access to your file, which trapped me for 3 hours)

      Knowing almost nothing about anything I went and checked processes for my OMV:
      23010 root 20 0 304272 25608 20436 S 0.0 1.3 0:00.12 php5-fpm
      23013 www-data 20 0 304224 10480 5292 S 0.0 0.5 0:00.00 php5-fpm
      23014 www-data 20 0 304224 10480 5292 S 0.0 0.5 0:00.00 php5-fpm
      23015 www-data 20 0 304224 8596 3424 S 0.0 0.4 0:00.00 php5-fpm
      23016 www-data 20 0 304224 8596 3424 S 0.0 0.4 0:00.00 php5-fpm
      23017 www-data 20 0 304224 8596 3424 S 0.0 0.4 0:00.00 php5-fpm
      23018 www-data 20 0 304224 8596 3424 S 0.0 0.4 0:00.00 php5-fpm
      23019 999 20 0 306460 19176 11508 S 0.0 0.9 0:18.31 php5-fpm
      23217 999 20 0 305928 17804 10924 S 0.0 0.9 0:00.25 php5-fpm
      23219 999 20 0 305928 17804 10924 S 0.0 0.9 0:00.26 php5-fpm

      php5-fpm has been run by 3 users and I don't know if it should be like that and which of them is trying to access NC folder.
      Where user 999 is openmediavault-config:x:999:openmediavault-webgui and has no access to NextCloud directory.

      This post may look unfinished, so is my NC installation.

      The post was edited 1 time, last by kole ().
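
The two log messages in the post above (nginx `stat() ... failed (13: Permission denied)` and php-fpm `Primary script unknown`) both come down to whether a given user can walk every directory from the top of the path to the script. The following is an added example, not part of the original post: it finds the first path component that blocks a given uid. It models only classic owner/group/other mode bits (no ACLs), and the directory tree and uid it runs on are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

def _class_bits(st, uid, gids):
    """rwx triplet (0-7) that applies: owner class, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(script, uid, gids, root="/"):
    """Walk root -> script; return (path, reason) for the first component
    uid/gids cannot pass, or None if the script is reachable and readable."""
    root, script = Path(root), Path(script)
    chain = [root]
    for part in script.relative_to(root).parts:
        chain.append(chain[-1] / part)
    for path in chain:
        try:
            st = os.stat(path)
        except (FileNotFoundError, NotADirectoryError):
            return str(path), "does not exist"
        if uid == 0:
            continue  # root bypasses mode bits
        bits = _class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode) and not bits & 1:
            return str(path), "no search (x) permission on directory"
        if path == script and not bits & 4:
            return str(path), "no read (r) permission on script"
    return None

def build_sample_tree(base):
    """Constructed layout: www/nextcloud/setup-nextcloud.php, nextcloud/ at 0700."""
    nc = Path(base) / "www" / "nextcloud"
    nc.mkdir(parents=True)
    script = nc / "setup-nextcloud.php"
    script.write_text("<?php // constructed placeholder\n")
    for path, mode in ((base, 0o755), (nc.parent, 0o755), (script, 0o644), (nc, 0o700)):
        os.chmod(path, mode)
    return script

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        script = build_sample_tree(base)
        other_uid = os.stat(script).st_uid + 1  # hypothetical php-fpm pool user
        print(first_blocker(script, other_uid, set(), root=base))
```

On a real system, leave `root` at its default and pass the script path from the error log together with the uid and group ids of the user the php-fpm pool (or the nginx worker) runs as.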

    • It's in the config.php in your NextCloud dir.

      Source Code

          'trusted_domains' =>
          array (
            0 => '192.168.1.12',
            1 => 'abc.dfe.com',
            2 => 'localhost',
          ),
          'datadirectory' => '/srv/dev-disk-by-label-Data/www/nextcloud/data',
          'overwrite.cli.url' => 'https://abc.dfe.com',
      OMV v4.0
      Asus Z97-A/3.1; i3-4370
      32GB RAM Corsair Vengeance Pro
      4x3TB RAID10
    • tinh_x7 wrote:

      It's in the config.php in your NextCloud dir.

      Source Code

          'trusted_domains' =>
          array (
            0 => '192.168.1.12',
            1 => 'abc.dfe.com',
            2 => 'localhost',
          ),
          'datadirectory' => '/srv/dev-disk-by-label-Data/www/nextcloud/data',
          'overwrite.cli.url' => 'https://abc.dfe.com',

      I've tried so, but it doesn't work. In my opinion the port on which nc is listening to must be mentioned as well?
    • Stramm wrote:

      wouterve wrote:

      How could you point to nextcloud through an addition to your url?

      Eg:
      openmediavault: domain.com (port 443)
      nextcloud: domain.com/nextcloud (port 8443)

      (not sure whether separate ports are necessary but I think so)
      You change the port in the nginx config (nginx plugin -> server tab)
      Could you be more precise? I see you can choose between 'port based' or 'name based', should I choose the latter and give it the name "nextcloud"?
    • I'm receiving this error upon enabling ssl:

      Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; nginx -t 2>&1' with exit code '1': nginx: [warn] server name "mydomain/cloud" has suspicious symbols in /etc/nginx/sites-enabled/zzz-omv-nginx:6 nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/openmediavault-9ce86383-82b4-4302-bde6-898b8c32e30d.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) nginx: configuration file /etc/nginx/nginx.conf test failed
      ut #0: exception 'OMV\ExecException' with message 'Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; nginx -t 2>&1' with exit code '1': nginx: [warn] server name "mydomain/cloud" has suspicious symbols in /etc/nginx/sites-enabled/zzz-omv-nginx:6 nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/openmediavault-9ce86383-82b4-4302-bde6-898b8c32e30d.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) nginx: configuration file /etc/nginx/nginx.conf test failed' in /usr/share/php/openmediavault/system/process.inc:175 Stack trace: #0 /usr/share/openmediavault/engined/module/webserver.inc(40): OMV\System\Process->execute() #1 /usr/share/openmediavault/engined/rpc/config.inc(168): OMVModuleNginxAbstract->applyConfig() #2 [internal function]: OMVRpcServiceConfig->applyChanges(Array, Array) #3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array) #4 /usr/share/php/openmediavault/rpc/serviceabstract.inc(150): OMV\Rpc\ServiceAbstract->callMethod('applyChanges', Array, Array) #5 /usr/share/php/openmediavault/rpc/serviceabstract.inc(528): OMV\Rpc\ServiceAbstract->OMV\Rpc\{closure}('/tmp/bgstatusfD...', '/tmp/bgoutput5O...') #6 /usr/share/php/openmediavault/rpc/serviceabstract.inc(151): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure)) #7 /usr/share/openmediavault/engined/rpc/config.inc(213): OMV\Rpc\ServiceAbstract->callMethodBg('applyChanges', Array, Array) #8 [internal function]: OMVRpcServiceConfig->applyChangesBg(Array, Array) #9 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array) #10 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('applyChangesBg', Array, Array) #11 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('Config', 'applyChangesBg', Array, Array, 1) #12 {main}
