Linuxserver Nextcloud Security and Performance Optimization


Nextcloud is a fantastic tool for managing and sharing files, but like any powerful software, it requires some TLC to keep it running smoothly. To ensure your Nextcloud instance is secure and performing optimally, follow these simple steps.

First, make sure to update your Nextcloud instance regularly, as updates often include security patches and performance enhancements. This is especially important if you're using an older version of Nextcloud.

Regularly cleaning up your Nextcloud instance is crucial for maintaining performance. This includes deleting unnecessary files, user accounts, and groups. By keeping your instance tidy, you'll reduce clutter and improve overall performance.

One of the most effective ways to optimize Nextcloud performance is by using a caching layer, such as Redis or Memcached. By caching frequently accessed data, you'll reduce the load on your server and improve overall responsiveness.

Setup and Installation

To set up Nextcloud on your Linux server, you'll need to install the nextcloud package. This will pull in several dependent packages, including php-legacy, which will take care of most of the required PHP extensions.

You'll also need to install a few extra packages, such as php-legacy-gd, php-legacy-sodium, and php-legacy-imagick, which are recommended for preview generation and the argon2 hashing algorithm.

Here are the exact packages you'll need to install:

  • php-legacy-gd (preferably as a dependent package with pacman option --asdeps)
  • php-legacy-sodium
  • php-legacy-imagick and librsvg

Installation


To begin the installation, install the nextcloud package. It pulls in a number of dependent packages, which covers most of the required PHP extensions.

You'll need to choose php-legacy as your PHP version during the installation process. This will also install the required PHP extensions. Additionally, you'll need to install php-legacy-gd as a dependent package with pacman option --asdeps.

The following optional dependencies are recommended for installation:

  • php-legacy-sodium for the argon2 hashing algorithm
  • php-legacy-imagick and librsvg for preview generation

Note that some modules, such as bcmath, exif, gmp, intl, and sysvsem, come with php-legacy, so no explicit installation is required for those.

System and Environment

To make sure the Nextcloud-specific php.ini is used by the occ tool, set the environment variable NEXTCLOUD_PHP_CONFIG. You can make this setting permanent by adding a line to your .bashrc (or .bash_profile).

It's a good idea to create a dedicated directory for session data as a privacy and security precaution. This will help keep your session data separate from other system files.


You can add a line to /etc/php-legacy/php-fpm.d/nextcloud.conf or /etc/uwsgi/nextcloud.ini to pass custom environment variables to Nextcloud's PHP code. Follow Nextcloud's documentation for the correct syntax.

If you're using the legacy PHP version, the line goes into /etc/php-legacy/php-fpm.d/nextcloud.conf. Check that there are no blank spaces around the second equals sign.

Custom App Directories

To set up custom app directories, make the custom folder(s) available to the web server. The recommended method is to add a volume to your container.

Add the volume following the example, then set `"path" => OC::$SERVERROOT . "/your_custom_apps_folder",` in your config.php file, per the official documentation.

Systemd Service

To run Nextcloud as a systemd service, you'll need to modify the service configuration. This is done by creating a drop-in file that replaces the ExecStart line with a start command that uses the php-fpm.ini file. The php-fpm.ini file is covered in a previous section.


You'll also need to make the directories /var/lib/nextcloud and /etc/webapps/nextcloud/config (and everything below) writable. This is because the ProtectSystem=full in the original service definition causes /usr, /boot, and /etc to be mounted read-only for the FPM processes.

Once that is done, enable and start the php-fpm-legacy service. Your Nextcloud installation is then reachable through FPM.

Here are the two sample configuration files you can use to access your Nextcloud installation:

  • Sample configuration file 1
  • Sample configuration file 2

Configuration and Options

Configuring Nextcloud also involves the corresponding settings in the application server's configuration. These are covered in the section about application servers.

You'll also want to create a user and database for Nextcloud. This is an essential step in getting your Nextcloud instance up and running.

To add maintenance windows to your Nextcloud configuration, include the parameter `maintenance_window_start` in the `/etc/webapps/nextcloud/config/config.php` file. This is recommended for ensuring your Nextcloud instance stays healthy and performing well.

Here's a quick rundown of the configuration options you'll need to consider:

  • Corresponding settings in the application server's configuration
  • Creating a user and database for Nextcloud
  • Adding `maintenance_window_start` to the `/etc/webapps/nextcloud/config/config.php` file

Configuration


To configure Nextcloud, you'll need to consider the corresponding settings in the configuration of the application server, which will be covered in a separate section about application servers.

First, create the user and database for Nextcloud as per the instructions provided. This will ensure a solid foundation for your Nextcloud setup.

Next, add the parameter maintenance_window_start to Nextcloud's configuration file /etc/webapps/nextcloud/config/config.php. This is a recommended step that will help you manage background jobs and maintenance tasks effectively, as outlined in the section on background jobs and Nextcloud's documentation.

You can find more information on how to configure Nextcloud and its various settings by consulting the relevant sections of this article.


PHP

PHP configuration is crucial for Nextcloud's functionality. The guide recommends not tampering with PHP's central configuration file, but instead, putting Nextcloud-specific configuration in dedicated places.

A dedicated copy of php.ini is created in /etc/webapps/nextcloud for the occ command line tool and the background job. This copy is a literal copy of the original php.ini with some Nextcloud-specific additions/modifications.


You can make a copy of /etc/php-legacy/php.ini to /etc/webapps/nextcloud, or better yet, extract php.ini from the php-legacy package tarball below /var/cache/pacman/pkg. Change ownership of the copy to the nextcloud user.

Most of the required PHP modules are already enabled in the copied php.ini. In addition, enable the following extensions: curl, fileinfo, gd, iconv, imap, json, mbstring, openssl, pcntl, soap, tidy, xml, and xmlrpc.

Depending on the database you choose, enable the corresponding pdo_xxxx module. Set date.timezone to your preferred timezone, for example, Europe/Berlin.

Raise PHP's memory limit to at least 512MiB. This will ensure Nextcloud runs smoothly.

Optional: For additional security, configure open_basedir. This limits the locations where Nextcloud's PHP code can read and write files. Proven settings are /usr, /var/www, /var/nextcloud, and /run/redis.
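As an added example (not from the original article or from Nextcloud), a POSIX shell helper that derives the dedicated Nextcloud php.ini from a pristine copy, applying the extension list, timezone, memory limit and open_basedir settings above, and then checks the result. The source and destination paths, the pdo driver argument and the timezone default are assumptions.

```shell
#!/bin/sh
# Added example: build /etc/webapps/nextcloud/php.ini from a pristine php.ini and check it.
# Assumptions: SRC is the php.ini shipped with php-legacy, DEST the Nextcloud copy; the pdo
# driver and timezone default to pdo_mysql and Europe/Berlin when not given.
NC_EXTENSIONS="curl fileinfo gd iconv imap json mbstring openssl pcntl soap tidy xml xmlrpc"
NC_OPEN_BASEDIR="/usr:/var/www:/var/nextcloud:/run/redis"

make_nextcloud_php_ini() {   # make_nextcloud_php_ini SRC DEST [PDO_DRIVER] [TIMEZONE]
  src=$1; dest=$2; pdo=${3:-pdo_mysql}; tz=${4:-Europe/Berlin}
  # Enable the listed extensions (plus the pdo driver) by uncommenting ";extension=name".
  expr=""
  for ext in $NC_EXTENSIONS $pdo; do
    expr="$expr -e s/^;extension=$ext\$/extension=$ext/"
  done
  # Word splitting of $expr into separate -e arguments is intended here.
  sed $expr \
      -e "s|^;*date.timezone *=.*|date.timezone = $tz|" \
      -e 's/^memory_limit *=.*/memory_limit = 512M/' \
      -e "s|^;*open_basedir *=.*|open_basedir = $NC_OPEN_BASEDIR|" \
      "$src" > "$dest"
  # A template with no open_basedir line at all still gets the restriction.
  grep -q '^open_basedir *=' "$dest" || printf 'open_basedir = %s\n' "$NC_OPEN_BASEDIR" >> "$dest"
  # On the live system, finish with: chown nextcloud:nextcloud "$dest"
}

# Report every requirement the finished file misses; returns 0 only when all are met.
# memory_limit is expected as an explicit value in M (the section asks for 512 MiB).
check_nextcloud_php_ini() {   # check_nextcloud_php_ini INI
  ini=$1; rc=0
  for ext in $NC_EXTENSIONS; do
    grep -q "^extension=$ext\$" "$ini" || { echo "extension $ext not enabled"; rc=1; }
  done
  mem=$(sed -n 's/^memory_limit *= *\([0-9]*\)M.*/\1/p' "$ini" | tail -n 1)
  [ "${mem:-0}" -ge 512 ] || { echo "memory_limit below 512M"; rc=1; }
  grep -q '^date.timezone *= *[^ ]' "$ini" || { echo "date.timezone not set"; rc=1; }
  grep -q '^open_basedir *= *[^ ]' "$ini" || { echo "open_basedir not set"; rc=1; }
  return $rc
}
```

Run the check again after every Nextcloud or PHP upgrade, since a refreshed template copy silently reverts these settings.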


Heic Image Previews

Enabling HEIC image previews in Nextcloud requires a simple tweak to your config.php file. To do this, you'll need to add the relevant code to the file located in your `config/www/nextcloud/config` directory.

You may need to log out and back in for the changes to take effect, so be sure to save your changes and restart your Nextcloud instance.

HEIC preview generation is disabled by default due to performance or privacy concerns, so you're enabling this feature at your own risk.

Office Integration


Office integration is a crucial aspect of Nextcloud setup, especially for businesses. You'll need a dedicated server for all three office integration solutions.

Collabora Online, ONLYOFFICE, and MS Office Online Server are the three options available. Each requires a separate Nextcloud app for integration.

To use any of these solutions, your web server needs to be adapted to forward requests to the office service. This can be a bit of a challenge, but it's worth it for the benefits you'll get.

Here are the three office integration solutions, each with its own Nextcloud app:

  • Collabora Online: app
  • ONLYOFFICE: app
  • MS Office Online Server: app

Collabora Online offers a developers plan for free, which is a great option if you're on a tight budget. ONLYOFFICE's Home Server plan is also a reasonable choice for personal use.

Disabling App Recommendations

Disabling app recommendations can be a lifesaver for those who don't want to be bombarded with notifications. To do this, you'll need to disable the recommendations app using the command occ app:disable recommendations.

Security and Hardening


Security and Hardening is a top priority for any Nextcloud setup. Nextcloud provides its own documentation on security, which is a great resource to get started.

To further harden your Nextcloud setup, you can use the Nextcloud Security scanner. This tool helps identify potential vulnerabilities and weaknesses in your setup.

Regularly reviewing and applying security updates is crucial to maintaining a secure Nextcloud environment.


Security Hardening

Security hardening is a crucial step in protecting your data and system. Nextcloud provides a Security scanner to help identify potential vulnerabilities.

You can find more information on security hardening in the Nextcloud documentation and Security section.

User Group Identifiers

User Group Identifiers are a crucial aspect of container security. You can specify a user PUID and group PGID when using volumes to avoid permissions issues between the host OS and the container.

To find your PUID and PGID, use the command `id your_user`. For example, if you're using PUID=1000 and PGID=1000, ensure the volume directories on the host are owned by the same user.

This is because permissions issues can arise if the host and container have different user and group ownership. By matching the ownership, you can prevent these issues from occurring.
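As an added example (not part of the original article or of the LinuxServer image), a POSIX shell check that walks the host directories behind the container's volumes and reports anything not owned by the PUID/PGID pair; the directory paths passed in are assumptions.

```shell
#!/bin/sh
# Added example: confirm that a bind-mounted volume tree is owned by the PUID/PGID the
# container runs with (the values `id your_user` reports on the host).
# Assumption: the paths passed in are the host directories behind the container's volumes.
check_volume_owner() {   # check_volume_owner DIR PUID PGID
  dir=$1; puid=$2; pgid=$3
  [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
  # find -user/-group accept numeric ids; list anything owned by someone else.
  bad=$(find "$dir" \( ! -user "$puid" -o ! -group "$pgid" \) -print)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Resolve a host user name to PUID/PGID and check every volume directory given.
# Returns 0 when all trees match; the mismatching paths are printed otherwise.
check_volumes_for_user() {   # check_volumes_for_user USER DIR...
  user=$1; shift
  puid=$(id -u "$user") || return 2
  pgid=$(id -g "$user") || return 2
  rc=0
  for d in "$@"; do
    check_volume_owner "$d" "$puid" "$pgid" || rc=1
  done
  # When mismatches are reported, fix the host side with chown -R PUID:PGID on those
  # trees rather than widening permissions or running the container as root.
  return $rc
}
```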

Storage and Files


Changing your storage location in NextCloud AIO requires multiple backups of your data, as relying on a single backup is not recommended.

You must stop the containers to prevent syncing of data while making the backup. This is crucial to avoid any data loss.

To create a backup, expand the Backup section and scroll down to the 'Create Backup' option. The Borg Backup process will start, and you should leave the containers stopped.

You'll also want to manually copy or rsync the data in the _data folder to a safe location, such as another machine or external drive. This is an extra precaution to ensure your data is safe.

Here's a step-by-step guide on how to change your storage location:

  1. Stop your NextCloud AIO Master Container.
  2. Add the NEXTCLOUD_DATADIR path you want for your primary storage location to the docker-compose.yml file.
  3. Bring up your docker-compose again with the updated storage path.
  4. Restore the last backup you made and wait for the backup to be restored to the new location.
  5. Once the backup is restored, start all the containers.

After verifying that your data is intact and valid in the new storage location, you can delete the old data from /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data to save space.

Database

MariaDB/MySQL is the canonical choice for Nextcloud. It's the go-to database for most Nextcloud installations.


Nextcloud developers admit to having less detailed expertise with other databases, so if you're considering alternatives, be aware of that.

PostgreSQL is said to deliver better performance and has fewer quirks compared to MariaDB/MySQL. It's a good option if you're looking for a more reliable database solution.

SQLite is mainly supported for test or development installations and not recommended for production. It's not the best choice if you're planning to use Nextcloud for real-world file storage.

To use PostgreSQL with Nextcloud, you'll need to install the package php-legacy-pgsql as a dependency. This will enable the necessary PHP extension for PostgreSQL integration.

Volume Mappings (-v)

Volume mappings are a crucial aspect of storage and files in NextCloud AIO. You can define a custom storage location by setting the NEXTCLOUD_DATADIR environment variable in your docker-compose.yml file.

To change the storage location, you'll need to update the docker-compose.yml file with the new path. For example, if you want to use a 1.5 TB allocation, you can add the path to that location in the NEXTCLOUD_DATADIR variable.



If you're already using NextCloud AIO in production, you'll need to make multiple backups of your data before making the change. This involves stopping the containers, creating a backup using the built-in Borg Backup tool, and then copying or rsyncing the data to a safe location.

Here's a step-by-step guide to changing the storage location:

  • Stop the containers
  • Create a backup using Borg Backup
  • Copy or rsync the data to a safe location
  • Update the docker-compose.yml file with the new storage path
  • Restart the containers
  • Restore the backup to the new location

By following these steps, you can change the storage location of your NextCloud AIO without losing any data.

Cloud

Cloud storage solutions like Nextcloud are perfect for storing and managing files.

To get started with Nextcloud, you'll need to create a pool file for FPM, which is responsible for spawning dedicated FPM processes for the Nextcloud application.

Create a file /etc/php-legacy/php-fpm.d/nextcloud.conf with settings like pm..., php_value[...], and php_flag[..] that are consistent with the corresponding settings in /etc/webapps/nextcloud/php.ini.

The settings in php-fpm.ini apply to all applications served by FPM, so it's best to specify them in the nextcloud.conf file instead.

Make sure the nextcloud.conf file is owned and only writeable by root, with permissions like -rw-r--r-- 1 root root.
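As an added example (not from the original article or from the php-legacy package), a POSIX shell helper that writes the dedicated FPM pool described above and then verifies the root-only ownership and mode the section requires. The pool user/group, the http web-server user and the pm values are assumptions; the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: write the dedicated FPM pool and verify its permissions.
# Assumptions: ROOT is a prefix ("" on the live system, a temp dir when testing); the pool
# runs as user/group nextcloud, the web server as http, and the pm values are a small
# starting point to tune for your server.
write_nextcloud_pool() {   # write_nextcloud_pool [ROOT]
  dir="${1:-}/etc/php-legacy/php-fpm.d"
  mkdir -p "$dir"
  cat > "$dir/nextcloud.conf" <<'EOF'
[nextcloud]
user = nextcloud
group = nextcloud
; Unix socket only: the web server reaches FPM via the filesystem, never a TCP port.
listen = /run/php-fpm-legacy/nextcloud.sock
listen.owner = http
listen.group = http
listen.mode = 0660
pm = dynamic
pm.max_children = 15
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; Same ini that occ and the background job use; keep the values below consistent with it.
env[NEXTCLOUD_PHP_CONFIG] = /etc/webapps/nextcloud/php.ini
php_value[memory_limit] = 512M
php_value[date.timezone] = Europe/Berlin
php_flag[display_errors] = off
; php_admin_value cannot be changed by ini_set() from application code.
php_admin_value[open_basedir] = /usr:/var/www:/var/nextcloud:/run/redis
EOF
  chmod 644 "$dir/nextcloud.conf"
}

# Verify "-rw-r--r-- 1 root root": owned by WANT_UID (0 unless given) and not writable
# by group or others. Prints the problem and returns 1 on any mismatch.
check_pool_perms() {   # check_pool_perms FILE [WANT_UID]
  file=$1; want_uid=${2:-0}
  [ -f "$file" ] || { echo "$file: missing"; return 1; }
  owner=$(ls -ln "$file" | awk '{print $3}')
  [ "$owner" = "$want_uid" ] || { echo "$file: owner uid $owner, expected $want_uid"; return 1; }
  if [ -n "$(find "$file" -perm -020 -o -perm -002)" ]; then
    echo "$file: writable by group or others"; return 1
  fi
  return 0
}
```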

Mounting with Davfs2


To mount your Nextcloud using WebDAV, you'll need to install davfs2, as described in the instructions.

You can mount your Nextcloud with the davfs2 mount command, or create an entry for it in /etc/fstab. Either way, you can then access your Nextcloud files directly.

Performance and Optimization

Nextcloud's performance can be a bit sluggish, especially if you're dealing with a large number of files and users.

Applying in-memory caching, as recommended by Nextcloud's documentation, can significantly improve performance. This technique helps reduce the load on your server by storing frequently accessed data in memory, rather than having to retrieve it from disk each time.

In-memory caching can make a big difference in the responsiveness of your Nextcloud instance, especially if you're using it for collaborative work or file sharing.


In-Memory Caching

In-memory caching can significantly improve performance, so it's worth considering as an optimization technique.

Nextcloud's documentation recommends applying some kind of in-memory object cache to achieve this.


If you're looking to implement in-memory caching, you'll need to install a suitable package, such as php-legacy-igbinary and php-legacy-redis, if running the component locally.

Install these packages with the --asdeps flag so that pacman records them as dependencies rather than explicitly installed packages.

To enable the required extensions, igbinary and redis, you'll need to add two additional lines to the relevant configuration files, where other extensions are already enabled.

If you're using Redis locally with a Unix socket, you'll also need to extend the list of directories where PHP is allowed to read and write files.

This involves adding the directory containing the local Unix socket created by Redis to the relevant configuration files.

Background Jobs

Background Jobs are essential for Nextcloud, as they allow tasks to be run on a scheduled basis. This is particularly useful for maintenance and updates.

To set up Background Jobs, you'll want to use the systemd service and timer units that come with Nextcloud. These units need to be tweaked to use the correct PHP ini-file.


Create a drop-in file and add the following line to it: "Environment=PHP_INI_SCAN_DIR=/etc/webapps/nextcloud/php.d". This ensures that the job uses the correct PHP ini-file.

Enable and start the nextcloud-cron.timer (not the service). This will take care of scheduling the jobs.

As recommended by Nextcloud's documentation, add the parameter "cron_hour" to the configuration file. Set the value to the hour of the day in UTC, defining the start of a 4-hour window. This is where time-consuming jobs will be scheduled.

Here's a quick reference for the two PHP ini-files used by Nextcloud:

  • /etc/webapps/nextcloud/php.ini used by the occ command and the background jobs
  • Depending on the application server you use, either /etc/php/7.4-fpm/conf.d/20-cron.ini or /etc/php/7.4-cli/conf.d/20-cron.ini
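As an added example covering both the FPM service drop-in from the Systemd Service section and the cron drop-in above (not from the original article or from the Nextcloud package), a POSIX shell helper that writes the two drop-ins and checks the ExecStart override. The php-fpm-legacy command line and the /etc/webapps/nextcloud/php-fpm.ini path are assumptions based on the paths named on this page.

```shell
#!/bin/sh
# Added example: write the two systemd drop-ins this page describes and sanity-check the
# ExecStart override. Assumptions: ROOT is a prefix ("" on the live system, a temp dir when
# testing); the php-fpm-legacy command line and /etc/webapps/nextcloud/php-fpm.ini are
# assumed from the paths on this page. After writing on a live system, run
# systemctl daemon-reload, then restart php-fpm-legacy.service and nextcloud-cron.timer.
write_dropin() {   # write_dropin ROOT UNIT  (drop-in body on stdin)
  dir="$1/etc/systemd/system/$2.d"
  mkdir -p "$dir"
  cat > "$dir/nextcloud.conf"
  chmod 644 "$dir/nextcloud.conf"
}

# php-fpm-legacy.service: clear the packaged ExecStart, start FPM with Nextcloud's
# php-fpm.ini and open only the two trees that must stay writable under ProtectSystem=full.
write_fpm_dropin() {   # write_fpm_dropin [ROOT]
  write_dropin "${1:-}" php-fpm-legacy.service <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/php-fpm-legacy --nodaemonize --fpm-config /etc/php-legacy/php-fpm.conf --php-ini /etc/webapps/nextcloud/php-fpm.ini
ReadWritePaths=/var/lib/nextcloud
ReadWritePaths=/etc/webapps/nextcloud/config
EOF
}

# nextcloud-cron.service: make the background job load the Nextcloud-specific ini directory.
write_cron_dropin() {   # write_cron_dropin [ROOT]
  write_dropin "${1:-}" nextcloud-cron.service <<'EOF'
[Service]
Environment=PHP_INI_SCAN_DIR=/etc/webapps/nextcloud/php.d
EOF
}

# A drop-in that adds ExecStart= without an empty "ExecStart=" reset line makes systemd
# refuse the unit (a simple service allows exactly one ExecStart); catch that before reload.
check_execstart_reset() {   # check_execstart_reset DROPIN
  f=$1
  n=$(grep -c '^ExecStart=' "$f" || true)
  [ "$n" -eq 0 ] && return 0
  grep -q '^ExecStart=$' "$f" || { echo "$f: ExecStart override without reset line"; return 1; }
  return 0
}
```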

Networking and Services

The LinuxServer Nextcloud image comes with a pre-configured Nextcloud instance, accessible via the web interface at https://nextcloud.lan.

Nextcloud uses the Apache web server, which is configured to listen on port 80 by default.

You can access the Nextcloud web interface by navigating to https://nextcloud.lan in your web browser.


Docker with External Storage

To update the Docker image, simply run `docker pull lscr.io/linuxserver/nextcloud:latest`. This will ensure you have the latest version of the image.


You can stop the running container with `docker stop nextcloud`. This is especially useful when you need to make changes to the container or the host machine.

Deleting the container is as simple as running `docker rm nextcloud`. This will remove the container, but any data stored in the container will be lost.

If you want to preserve your data and settings, you can recreate a new container with the same Docker run parameters as instructed above. This will map your host folder to the container's folder, preserving your /config folder and settings.

To clean up your Docker environment, you can remove old, dangling images with `docker image prune`.

UWSGI

UWSGI is a great way to run Nextcloud, and it's actually pretty easy to set up. You can install it on your system and enable the uWSGI service by running the command `sudo systemctl enable [email protected]` and then starting it with `sudo systemctl start [email protected]`.


If you have multiple Nextcloud instances, you might want to consider using the emperor mode, which can help with resource usage.

To run Nextcloud with uWSGI, you'll need to configure a specific configuration file, nextcloud.ini. This file will define how uWSGI interacts with your Nextcloud instance.

You can find more information about uWSGI in its own article, which has a lot of useful information.

To integrate uWSGI with Apache, you'll need to use mod_proxy_uwsgi. This module is already included in the Apache package, so you just need to load it as required.

Here are the required Apache modules to run Nextcloud with uWSGI:

  • mod_proxy_uwsgi

Don't forget to uncomment the directive to pull in TLS configuration parameters, and consult Mozilla's SSL configurator for details on optimizing your TLS configuration.

Nginx

Nginx is a powerful web server that can be configured to work with Nextcloud. Configuration of nginx is quite complex and is beyond the scope of this article, so it's best to consult the relevant article or Nextcloud's documentation for further information.



The example nginx config from the Nextcloud documentation can be used, but you'll need to change the root directory. You can separate configurations for various servers using the directories /etc/nginx/sites-available and /etc/nginx/sites-enabled.

To use the example nginx config, simply specify fastcgi_pass unix:/run/php-fpm-legacy/nextcloud.sock; in the location block that deals with forwarding requests with PHP URIs to the application server.

You can also use uWSGI instead of FPM, in which case you'll need to replace the location block with the correct configuration.

Here's a list of things you'll need to configure for your nginx setup:

  • Your server name (server_name clauses 2x)
  • The name of the certificate and key you use for SSL / TLS
  • If and where you want an access log written to
  • The location where Certbot (or any other ACME client) will put the domain verification challenges
  • The path used to reach your Nextcloud installation
  • What application server (uWSGI or FPM) you are using
  • Configure OCSP stapling

One common approach is to use directories /etc/nginx/sites-available and /etc/nginx/sites-enabled to separate configurations for various servers. See Nginx#Managing server entries for details.

There is no need to install any additional modules since nginx natively supports both protocols FastCGI and uwsgi.

Frequently Asked Questions

Is Nextcloud end to end?

Yes, Nextcloud offers end-to-end encryption for selected folders, ensuring your data remains private and secure. You can choose which folders to encrypt for maximum protection.

Patricia Dach

Junior Copy Editor
