Introduction
This guide walks you through setting up a secure Nextcloud installation on a CentOS 9 server, using an NFS share as the backend storage for Nextcloud's data directory. SELinux stays enabled throughout, with the file contexts and booleans Nextcloud needs, and Nginx with PHP-FPM serves the application.
Prerequisites
Before embarking on this endeavor, make sure you have the following prerequisites:
- A server running CentOS 9.
- Administrative access to the server.
- Familiarity with Linux command-line operations.
- A functional NFS server with shared storage.
- SELinux enabled.
Installing Nginx
Update the package index and install Nginx:
sudo dnf update
sudo dnf install nginx
Start and Enable Nginx:
sudo systemctl start nginx
sudo systemctl enable nginx
Open HTTP and HTTPS in the firewall:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Install MariaDB Server
sudo dnf install mariadb-server
sudo systemctl start mariadb
sudo systemctl enable mariadb
Secure MariaDB Installation
sudo mysql_secure_installation
sudo systemctl status mariadb
sudo mysql -u root -p
Replace your_password with a strong, unique password:
CREATE DATABASE nextcloud;
CREATE USER 'nextclouduser'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextclouduser'@'localhost';
FLUSH PRIVILEGES;
EXIT;
Installing and configuring PHP
Install EPEL and Remi Repositories:
You're installing the EPEL and Remi repositories to get access to more recent versions of PHP and its extensions.
sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
sudo dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
Reset PHP Module:
You're resetting the PHP module stream so that a clean stream can be selected (the module name is lowercase php).
dnf module reset php
Install PHP 7.4:
You're installing PHP 7.4 from the Remi repository. Check that the Nextcloud release you download later still supports this PHP version, since every Nextcloud release has a minimum PHP version.
dnf module install php:remi-7.4
dnf update
Install PHP Extensions:
You're installing various PHP extensions that are commonly used with Nextcloud and other web applications.
dnf install -y php php-gd php-mbstring php-intl php-pecl-apcu php-mysqlnd php-opcache php-json php-zip
Enable PHP-FPM:
You're enabling and starting the PHP-FPM service, which is used to serve PHP files through Nginx.
systemctl enable --now php-fpm
Additional Extensions:
You're installing more PHP extensions that can be useful for various purposes.
dnf install -y php-gd php-json php-curl php-mbstring php-intl php-xml php-zip php-pear php-soap php-bcmath php-gmp php-opcache php-imagick php-pecl-redis php-pecl-apcu
These commands set up PHP and its extensions so that your server can run Nextcloud. Follow the official Nextcloud documentation for the PHP version and extension list that your release requires.
Edit PHP-FPM Configuration:
You're editing the www.conf file to set the user and group for PHP-FPM.
vi /etc/php-fpm.d/www.conf
Inside the file, update the user and group settings to use nginx:
user = nginx
group = nginx
Set SELinux Boolean:
You're setting an SELinux boolean that allows the httpd_t domain (which PHP-FPM runs in) to execute memory-mapped shared libraries.
setsebool -P httpd_execmem 1
Enable and Restart Services:
You're enabling and starting the PHP-FPM service and restarting the Nginx service.
systemctl enable --now php-fpm.service
systemctl restart nginx.service
Create PHP Info File:
You're creating a PHP info file to check the PHP configuration.
vi /usr/share/nginx/html/info.php
Add the following content to the file:
<?php phpinfo(); ?>
Delete this file once you have confirmed that PHP works; phpinfo() discloses the full server configuration to anyone who can request it.
Check PHP and FPM Status:
You're checking that PHP-FPM is running and listening on its socket. netstat comes from the net-tools package, which is not installed by default on CentOS 9; ss -lp | grep php is the built-in equivalent.
netstat -pl | grep php
systemctl status php-fpm
Update PHP Configuration:
You're editing the PHP configuration file to adjust some settings.
nano /etc/php.ini
Uncomment and/or modify the following lines:
cgi.fix_pathinfo=0
memory_limit=512M
Adjust PHP-FPM Configuration Further:
You're modifying the www.conf pool file again to set the PHP-FPM user and group and the environment variables the pool exports.
nano /etc/php-fpm.d/www.conf
user = nginx
group = nginx
Uncomment these lines by removing the leading ';':
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
Edit OPCache Configuration:
You're editing the OPCache configuration file to optimize PHP performance.
nano /etc/php.d/10-opcache.ini
opcache.enable=1
opcache.max_accelerated_files=10000
opcache.interned_strings_buffer=8
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
Downloading and Configuring NextCloud
Install wget:
You're installing wget to download the Nextcloud archive.
sudo dnf install wget
Download and Extract Nextcloud:
You're downloading and extracting the Nextcloud archive. The URL below fetches the latest release; adjust it if you need a specific version. Nextcloud publishes a .sha256 checksum and a GPG .asc signature next to each archive, so verify the download before unpacking it.
wget https://download.nextcloud.com/server/releases/nextcloud-latest.zip
sudo dnf install unzip -y
unzip nextcloud-latest.zip -d /usr/share/nginx/
Set Ownership
You're setting ownership of the Nextcloud files to the nginx user. This is needed for Nginx to have the appropriate permissions.
sudo chown -R nginx:nginx /usr/share/nginx/nextcloud
Adjust PHP Permissions
You're giving the nginx group access to PHP's opcache, session and wsdlcache directories under /var/lib/php, which PHP-FPM must be able to write now that it runs as nginx. Adjust the paths if your PHP packages place these directories elsewhere.
sudo chgrp -R nginx /var/lib/php/{opcache,session,wsdlcache}
Create Nextcloud Data Directory
You're creating the data directory for Nextcloud. This is where Nextcloud will store user data and files.
sudo mkdir /usr/share/nginx/nextcloud/data
Installing and Mounting NFS
Install NFS Utilities:
You're installing the NFS utility package, which is necessary for working with NFS shares.
sudo dnf install nfs-utils
Show Available NFS Exports:
You're using the showmount command to list the available NFS exports on a remote server with the IP address xxx.xxx.xxx.xxx (substitute your NFS server's address).
showmount -e "xxx.xxx.xxx.xxx"
This will display a list of directories that are shared through NFS on the specified server.
Mount NFS Share:
You're mounting the NFS share /Volume2/Media from the server at xxx.xxx.xxx.xxx onto the Nextcloud data directory you created earlier.
sudo mount xxx.xxx.xxx.xxx:/Volume2/Media /usr/share/nginx/nextcloud/data
This command mounts the remote NFS directory onto /usr/share/nginx/nextcloud/data on your CentOS 9 server, so the contents of the remote directory are now accessible there. A mount made this way does not survive a reboot; add a matching entry to /etc/fstab (or a systemd mount unit) so the share is mounted before PHP-FPM starts, otherwise Nextcloud will see an empty data directory.
Configuring SELinux for Nextcloud
Change Ownership:
You're changing the ownership of the Nextcloud directory to the nginx user and group.
chown -R nginx:nginx /usr/share/nginx/nextcloud/
Configure SELinux Contexts:
You're using the semanage fcontext command (provided by the policycoreutils-python-utils package) to adjust SELinux file contexts for the Nextcloud directories and files the web server must write to. Without these rules, SELinux denies PHP-FPM write access to them.
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/nextcloud/data(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/nextcloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/nextcloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/nextcloud/assets(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/nextcloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/nextcloud/.user.ini'
Adjust Data Directory Permissions:
You're again changing ownership of the Nextcloud data directory.
chown -R nginx:nginx /usr/share/nginx/nextcloud/data
Restore SELinux Contexts:
You're using the restorecon command to apply the SELinux file contexts you defined to the Nextcloud directories and files.
restorecon -Rv '/usr/share/nginx/nextcloud/'
Set SELinux Boolean for NFS:
You're using the setsebool command to enable the httpd_use_nfs boolean. Files on an NFS mount carry the nfs_t label regardless of the fcontext rules above (restorecon cannot relabel them), so this boolean is what lets the httpd_t domain (Nginx and PHP-FPM) read and write the data directory on the share.
setsebool -P httpd_use_nfs=1
Getting the SSL for Domain
Obtain SSL/TLS Certificate:
You're using Certbot in manual mode with the DNS challenge. This means Certbot will prompt you to add a specific DNS TXT record to your domain's DNS zone to prove that you control the domain.
sudo dnf install certbot -y
sudo certbot --manual --preferred-challenges dns certonly -d xyz.adcd.com
In this command, -d xyz.adcd.com specifies the domain for which you want to obtain the certificate.
Following this command, Certbot will provide you with instructions on what DNS TXT record to add, where to add it, and how to proceed. This process might involve temporarily adding the TXT record to your DNS zone and then waiting for DNS propagation before Certbot can validate it.
Update the Nginx Config
Place the following server block in a file under /etc/nginx/conf.d/ (for example nextcloud.conf), then run sudo nginx -t and reload Nginx with sudo systemctl reload nginx.
upstream php-handler {
    server unix:/run/php-fpm/www.sock;
}

server {
    listen 80;
    server_name xyz.adcd.com;
    # enforce https
    return 301 https://$server_name:443$request_uri;
}

server {
    # Note: this block listens on 8443, but the redirect above and the firewall
    # rules earlier in this guide use 443. Either change this to 443 or open
    # 8443 (firewall-cmd --permanent --add-port=8443/tcp) and redirect to it.
    listen 8443 ssl http2;
    server_name xyz.adcd.com;

    ssl_certificate /etc/letsencrypt/live/xyz.adcd.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xyz.adcd.com/privkey.pem;

    add_header Strict-Transport-Security "max-age=15552000" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud;

    access_log /var/log/nginx/nc_access_log;
    error_log /var/log/nginx/nc_error_log;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Nextcloud is installed at the web root here, so the rewrite targets are
    # /public.php, not /nextcloud/public.php as in a sub-directory install.
    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
    rewrite ^/.well-known/nodeinfo /public.php?service=nodeinfo last;

    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        rewrite ^ /index.php;
    }

    # Never serve these directories or files directly.
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # Only these PHP entry points are handed to PHP-FPM.
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }
}
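As an added check (example code written for this page, not part of the original guide or of Nextcloud's own files), the following Python script transcribes the location rules from the server block above and reports which request paths would be denied, handed to PHP-FPM, or served as static files. It assumes Nginx's matching order (exact locations first, then regex locations in file order, then location /) and approximates Nginx's URI normalisation with percent-decoding and path collapsing.

```python
import posixpath
import re
from urllib.parse import unquote

# Location rules transcribed from the server block above, in the order Nginx
# applies them: exact-match locations win, then regex locations in file order,
# and anything left falls through to "location /" (rewritten to /index.php).
EXACT = {"/robots.txt", "/.well-known/carddav", "/.well-known/caldav"}
REGEX = [
    (r"^/(?:build|tests|config|lib|3rdparty|templates|data)/", "deny"),
    (r"^/(?:\.|autotest|occ|issue|indie|db_|console)", "deny"),
    (r"^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]"
     r"|updater/.+|oc[ms]-provider/.+)\.php(?:$|/)", "php-fpm"),
    (r"^/(?:updater|oc[ms]-provider)(?:$|/)", "static-index"),
    (r"\.(?:css|js|woff2?|svg|gif|map)$", "static-cached"),
    (r"\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$", "static"),
]

def normalize(raw):
    """Approximate Nginx's URI normalisation: drop the query string,
    percent-decode, then collapse '.' and '..' segments, so the location
    regexes see the same canonical path Nginx would match against."""
    path = posixpath.normpath(unquote(raw.split("?", 1)[0]))
    return path if path.startswith("/") else "/" + path

def classify(raw):
    """Return the handler Nginx would select for one request path."""
    path = normalize(raw)
    if path in EXACT:
        return "exact"
    for pattern, handler in REGEX:
        if re.search(pattern, path):
            return handler
    return "front-controller"

def audit(paths):
    """Map each path to its handler. 'deny' is the outcome the config must
    give for config/, data/, dot-files and occ, whatever encoding is used."""
    return {p: classify(p) for p in paths}

if __name__ == "__main__":
    # Constructed sample paths: sensitive locations plus legitimate traffic.
    sample = ["/config/config.php", "/.htaccess", "/occ",
              "/data/admin/files/notes.txt", "/static/%2e%2e/config/config.php",
              "/index.php/apps/files", "/remote.php/dav/", "/.well-known/carddav",
              "/core/img/logo.png", "/.well-known/acme-challenge/token"]
    for path, handler in audit(sample).items():
        print(f"{handler:16} {path}")
```

Note that /.well-known/acme-challenge/... is caught by the dot-path deny rule, which only matters if you later switch Certbot from the DNS challenge used above to the HTTP-01 challenge.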