archiemeng | created on Dec. 7, 2020, 1:29 p.m.
Updated on Feb. 18, 2021, 10:14 a.m. | viewed: 1025
Nextcloud is a suite of client-server software for creating and using file hosting services. It is functionally similar to Dropbox, although Nextcloud is free and open-source, allowing anyone to install and operate it on a private server. In contrast to proprietary services like Dropbox, the open architecture allows adding additional functionality to the server in form of applications.
Also, Nextcloud is a fork of ownCloud.
Based on different distro, there are many different installation guides. For Ubuntu: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-nextcloud-on-ubuntu-20-04. For Arch Linux https://wiki.archlinux.org/index.php/Nextcloud. In this post, I am going to based on Arch Linux which is the distro of my server.
To install Nextcloud, it basically needs three components(and they are critical to the performance of Nextcloud):
Additionally, on Arch Linux, it needs a hook to upgrade Nextcloud database on every Nextcloud package upgrades. For more details, see Nextcloud - ArchWiki.
# add contents below to /etc/pacman.d/hooks/nextcloud.hook [Trigger] Operation = Install Operation = Upgrade Type = Package
Target = nextcloud Target = nextcloud-app-* [Action] Description = Update Nextcloud installation When = PostTransaction Exec = /usr/bin/runuser -u http -- /usr/bin/php /usr/share/webapps/nextcloud/occ upgrade
However, if the Nextcloud server is behind NAT such as home LAN, people outside the LAN will be unable to gain access to the server. One solution is to use a public server to expose the server port to the public. There is already a tool called FRP which can do this.
Download address: https://github.com/fatedier/frp/releases
Download the compiled binary according to your system and CPU Architecture. And done.
For our reverse proxy usage. I recommend simply using tcp protocol. Because the p2p NAT punching protocol xtcp rarely success on my servers. Using tcp can ensure a high rate of usability.
The example configuration is on https://gofrp.org/docs/examples/ssh/. Here is a English copy of them.
[common] bind_port = 7000
#frpc.ini[common] server_addr = x.x.x.x server_port = 7000 [ssh] type = tcp local_ip = 127.0.0.1 local_port = 80 remote_port = 8080
This example expose http server from local port 80 onto remote port 8080 on server x.x.x.x
Once it is accessible on x.x.x.x:8080, the frp part of exposing server is done.
When we use reverse proxy to expose server, there are some other configurations to be done if you have other requirements like reverse proxy it behind apache, and disable public access to 8080 which is hosted by FRP.
add following lines to apache configurations. It is usually /etc/apache2/sites-available/000-default.conf for HTTP and /etc/apache2/sites-available/000-default-le-ssl.conf for HTTPS
ProxyPreserveHost on ProxyPass /nextcloud/ http://localhost:8080/nextcloud/ ProxyPassReverse /nextcloud/ http://localhost:8080/nextcloud/ RewriteEngine On RewriteRule ^/\.well-known/carddav http://localhost:8080/remote.php/dav/ [R=301,L] RewriteRule ^/\.well-known/caldav http://local;/remote.php/dav/ [R=301,L]
To only allow local access to port 8080, we need to add some rules in iptable.
sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 8080 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
if you cannot access nextcloud behind reverse proxy and find strange remote.phpp 404 error in apache. Then it is definitely caused by incorrect Proxypass rules. Check the link below for more details.
Reverse proxy and data directory
I am talking about command:
sudo -u www-data php occ config:app:set files max_chunk_size
Chunking upload files size DOES NOT SUPPORT UNIT SUFFIXES. So only set numbers for it. I mean, you cannot use suffix like "K", "M", "G".
enable http2 for apache2 on debian-like distro https://www.howtoforge.com/how-to-enable-http-2-in-apache/
enable http2 for apache2 (the official way): https://httpd.apache.org/docs/2.4/howto/http2.html
'cache_chunk_gc_ttl' => 60*60*24
to avoid filling up temp directory which is default to /tmp.