Not so long ago – almost 2 years from now – I wrote about setting up Nextcloud 13 on FreeBSD.
Today Nextcloud is at 17 version and the configuration that worked two years ago requires some tweaks.
This guide will not cover the same information that is available in earlier Nextcloud 13 on FreeBSD article like settings to run Nextcloud inside FreeBSD Jail. Please refer to that earpier article for these settings.
Today we will use these as backends for Nextcloud 17.
As Nextcloud in FreeBSD packages comes with MySQL and without PostgreSQL support we will need to build it from source using FreeBSD Ports.
Settings
Let’s fetch the latest FreeBSD Ports tree.
# rm -r /var/db/portsnap
# mkdir /var/db/portsnap
# portsnap auto
Now we need to configure needed options in the /etc/make.conf file.
# cat /etc/make.conf
WRKDIRPREFIX=${PORTSDIR}/obj
DEFAULT_VERSIONS+= php=7.3
DEFAULT_VERSIONS+= pgsql=12
OPTIONS_UNSET+= MYSQL
OPTIONS_SET+= PGSQL
OPTIONS_SET+= IMAGICK
OPTIONS_SET+= PCNTL
OPTIONS_SET+= SMB
OPTIONS_SET+= REDIS
Packages and Ports
First we will add some basic tools and things like PostgreSQL still using FreeBSD packages to save tome time instead of compiling them.
# pkg install \
sudo \
portmaster \
beadm \
lsblk \
postgresql12-client \
postgresql12-server \
nginx \
memcached \
php73-pecl-memcached
Now we will compile Nextcloud and its dependencies using FreeBSD Ports – but with portmaster.
# env BATCH=yes portmaster \
databases/php73-pdo_pgsql \
databases/php73-pgsql \
www/nextcloud
PostgreSQL
We will now configure the FreeBSD’s Login Class for PostgreSQL database in the /etc/login.conf file.
# cat /etc/login.conf
postgres:\
:lang=en_US.UTF-8:\
:setenv=LC_COLLATE=C:\
:tc=default:
EOF
# cap_mkdb /etc/login.conf
… and PostgreSQL settings in main FreeBSD’s configuration /etc/rc.conf file.
# grep postgresql /etc/rc.conf
postgresql_enable=YES
postgresql_class=postgres
postgresql_data=/var/db/postgres/data12
Let’s initialize the PostgreSQL database.
# /usr/local/etc/rc.d/postgresql initdb
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locales
COLLATE: C
CTYPE: en_US.UTF-8
MESSAGES: en_US.UTF-8
MONETARY: en_US.UTF-8
NUMERIC: en_US.UTF-8
TIME: en_US.UTF-8
The default text search configuration will be set to "english".
Data page checksums are disabled.
fixing permissions on existing directory /var/db/postgres/data12 ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Europe/Warsaw
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok
initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
Success. You can now start the database server using:
/usr/local/bin/pg_ctl -D /var/db/postgres/data12 -l logfile start
As PostgreSQL database uses 8k blocks let’s set it in ZFS. We could of course create dedicated dataset for this purpose if needed.
# zfs set recordsize=8k zroot/ROOT/default
Now, let’s start the PostgreSQL database.
# /usr/local/etc/rc.d/postgresql start
2019-12-31 11:47:04.918 CET [36089] LOG: starting PostgreSQL 12.1 on amd64-portbld-freebsd12.0, compiled by FreeBSD clang version 6.0.1 (tags/RELEASE_601/final 335540) (based on LLVM 6.0.1), 64-bit
2019-12-31 11:47:04.918 CET [36089] LOG: listening on IPv6 address "::1", port 5432
2019-12-31 11:47:04.918 CET [36089] LOG: listening on IPv4 address "127.0.0.1", port 5432
2019-12-31 11:47:04.919 CET [36089] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2019-12-31 11:47:04.928 CET [36089] LOG: ending log output to stderr
2019-12-31 11:47:04.928 CET [36089] HINT: Future log output will go to log destination "syslog".
We will now create PostgreSQL database for our Nextcloud instance.
# psql -hlocalhost -Upostgres
psql (12.1)
Type "help" for help.
postgres=# CREATE USER nextcloud WITH PASSWORD 'NEXTCLOUD_DB_PASSWORD';
CREATE ROLE
postgres=# CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UNICODE';
CREATE DATABASE
postgres=# ALTER DATABASE nextcloud OWNER TO nextcloud;
ALTER DATABASE
postgres=# \q
Keep in mind to put something more sophisticated in the NEXTCLOUD_DB_PASSWORD place.
PostgreSQL Cleanup and Indexing Script
Lets automate some PostgreSQL housekeeping.
# mkdir -p /var/db/postgres/bin
# chown postgres /var/db/postgres/bin
# vi /var/db/postgres/bin/vacuum.sh
#! /bin/sh
/usr/local/bin/vacuumdb -az 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -a 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -s 1> /dev/null 2> /dev/null
:wq
# cat /var/db/postgres/bin/vacuum.sh
#! /bin/sh
/usr/local/bin/vacuumdb -az 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -a 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -s 1> /dev/null 2> /dev/null
# chown postgres /var/db/postgres/bin/vacuum.sh
# chmod +x /var/db/postgres/bin/vacuum.sh
# su - postgres -c 'crontab -e'
0 0 * * * /var/db/postgres/bin/vacuum.sh
:wq
/tmp/crontab.JMg5BfT5HV: 2 lines, 42 characters.
crontab: installing new crontab
# su - postgres -c 'crontab -l'
0 0 * * * /var/db/postgres/bin/vacuum.sh
# su - postgres -c '/var/db/postgres/bin/vacuum.sh'
Nginx
Now its time for Nginx webserver.
# chown -R www:www /var/log/nginx
# ls -l /var/log/nginx
total 3
-rw-r----- 1 www www 64 2019.12.31 00:00 access.log
-rw-r----- 1 www www 133 2019.12.31 00:00 access.log.0.bz2
-rw-r----- 1 www www 64 2019.12.31 00:00 error.log
-rw-r----- 1 www www 133 2019.12.31 00:00 error.log.0.bz2
… and its main nginx.conf configuration file.
# cat /usr/local/etc/nginx/nginx.conf
user www;
worker_processes 4;
worker_rlimit_nofile 51200;
error_log /var/log/nginx/error.log;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" ';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
upstream php-handler {
server 127.0.0.1:9000;
}
server {
# ENFORCE HTTPS
listen 80;
server_name nextcloud.domain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name nextcloud.domain.com;
ssl_certificate /usr/local/etc/nginx/ssl/ssl-bundle.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/server.key;
# HEADERS SECURITY RELATED
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header Referrer-Policy "no-referrer";
# HEADERS
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# PATH TO THE ROOT OF YOUR INSTALLATION
root /usr/local/www/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# BUFFERS TIMEOUTS UPLOAD SIZES
client_max_body_size 16400M;
client_body_buffer_size 1048576k;
send_timeout 3000;
# ENABLE GZIP BUT DO NOT REMOVE ETag HEADERS
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
rewrite ^ /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_keep_conn off;
fastcgi_buffers 16 256K;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_send_timeout 3000s;
fastcgi_read_timeout 3000s;
fastcgi_connect_timeout 3000s;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# ADDING THE CACHE CONTROL HEADER FOR JS AND CSS FILES
# MAKE SURE IT IS BELOW PHP BLOCK
location ~ \.(?:css|js|woff2?|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=15778463";
# HEADERS SECURITY RELATED
# IT IS INTENDED TO HAVE THOSE DUPLICATED TO ONES ABOVE
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
# HEADERS
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# OPTIONAL: DONT LOG ACCESS TO ASSETS
access_log off;
}
location ~ \.(?
ng|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# OPTIONAL: DONT LOG ACCESS TO OTHER ASSETS
access_log off;
}
}
}
OpenSSL HTTPS Certificates
We will generate a certificates needed for HTTPS service for Nextcloud.
# mkdir -p /usr/local/etc/nginx/ssl
# cd /usr/local/etc/nginx/ssl
# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for server.key: SERVER_KEY_PASSWORD
Verifying - Enter pass phrase for server.key: SERVER_KEY_PASSWORD
As usual use something more sensible then SERVER_KEY_PASSWORD string here
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:lodzkie
Locality Name (eg, city) []:Lodz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Vermaden Enterprises Ltd.
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:nextcloud.domain.com
Email Address []:vermaden@interia.pl
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key
Enter pass phrase for server.key.orig: SERVER_KEY_PASSWORD
writing RSA key
# ls -l /usr/local/etc/nginx/ssl
total 7
-rw-r--r-- 1 root wheel 1151 2019.12.31 12:39 server.csr
-rw------- 1 root wheel 1679 2019.12.31 12:41 server.key
-rw------- 1 root wheel 1751 2019.12.31 12:40 server.key.orig
# openssl x509 -req -days 7000 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = PL, ST = lodzkie, L = Lodz, O = Vermaden Enterprises Ltd., OU = IT Department, CN = nextcloud.domain.com, emailAddress = vermaden@interia.pl
Getting Private key
# ln -s /usr/local/etc/nginx/ssl/server.crt /usr/local/etc/nginx/ssl/ssl-bundle.crt
PHP
Here is the used PHP configuration with up to 16GB files for Nextcloud.
# grep '^[^;]' /usr/local/etc/php.ini
Today Nextcloud is at 17 version and the configuration that worked two years ago requires some tweaks.
This guide will not cover the same information that is available in earlier Nextcloud 13 on FreeBSD article like settings to run Nextcloud inside FreeBSD Jail. Please refer to that earpier article for these settings.
Today we will use these as backends for Nextcloud 17.
- PostgreSQL 12
- PHP 7.3
- Nginx 1.14 (with php-fpm)
- Memcached 1.5.19
As Nextcloud in FreeBSD packages comes with MySQL and without PostgreSQL support we will need to build it from source using FreeBSD Ports.
Settings
Let’s fetch the latest FreeBSD Ports tree.
# rm -r /var/db/portsnap
# mkdir /var/db/portsnap
# portsnap auto
Now we need to configure needed options in the /etc/make.conf file.
# cat /etc/make.conf
WRKDIRPREFIX=${PORTSDIR}/obj
DEFAULT_VERSIONS+= php=7.3
DEFAULT_VERSIONS+= pgsql=12
OPTIONS_UNSET+= MYSQL
OPTIONS_SET+= PGSQL
OPTIONS_SET+= IMAGICK
OPTIONS_SET+= PCNTL
OPTIONS_SET+= SMB
OPTIONS_SET+= REDIS
Packages and Ports
First we will add some basic tools and things like PostgreSQL still using FreeBSD packages to save tome time instead of compiling them.
# pkg install \
sudo \
portmaster \
beadm \
lsblk \
postgresql12-client \
postgresql12-server \
nginx \
memcached \
php73-pecl-memcached
Now we will compile Nextcloud and its dependencies using FreeBSD Ports – but with portmaster.
# env BATCH=yes portmaster \
databases/php73-pdo_pgsql \
databases/php73-pgsql \
www/nextcloud
PostgreSQL
We will now configure the FreeBSD’s Login Class for PostgreSQL database in the /etc/login.conf file.
# cat /etc/login.conf
postgres:\
:lang=en_US.UTF-8:\
:setenv=LC_COLLATE=C:\
:tc=default:
EOF
# cap_mkdb /etc/login.conf
… and PostgreSQL settings in main FreeBSD’s configuration /etc/rc.conf file.
# grep postgresql /etc/rc.conf
postgresql_enable=YES
postgresql_class=postgres
postgresql_data=/var/db/postgres/data12
Let’s initialize the PostgreSQL database.
# /usr/local/etc/rc.d/postgresql initdb
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locales
COLLATE: C
CTYPE: en_US.UTF-8
MESSAGES: en_US.UTF-8
MONETARY: en_US.UTF-8
NUMERIC: en_US.UTF-8
TIME: en_US.UTF-8
The default text search configuration will be set to "english".
Data page checksums are disabled.
fixing permissions on existing directory /var/db/postgres/data12 ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Europe/Warsaw
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok
initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
Success. You can now start the database server using:
/usr/local/bin/pg_ctl -D /var/db/postgres/data12 -l logfile start
As PostgreSQL database uses 8k blocks let’s set it in ZFS. We could of course create dedicated dataset for this purpose if needed.
# zfs set recordsize=8k zroot/ROOT/default
Now, let’s start the PostgreSQL database.
# /usr/local/etc/rc.d/postgresql start
2019-12-31 11:47:04.918 CET [36089] LOG: starting PostgreSQL 12.1 on amd64-portbld-freebsd12.0, compiled by FreeBSD clang version 6.0.1 (tags/RELEASE_601/final 335540) (based on LLVM 6.0.1), 64-bit
2019-12-31 11:47:04.918 CET [36089] LOG: listening on IPv6 address "::1", port 5432
2019-12-31 11:47:04.918 CET [36089] LOG: listening on IPv4 address "127.0.0.1", port 5432
2019-12-31 11:47:04.919 CET [36089] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2019-12-31 11:47:04.928 CET [36089] LOG: ending log output to stderr
2019-12-31 11:47:04.928 CET [36089] HINT: Future log output will go to log destination "syslog".
We will now create PostgreSQL database for our Nextcloud instance.
# psql -hlocalhost -Upostgres
psql (12.1)
Type "help" for help.
postgres=# CREATE USER nextcloud WITH PASSWORD 'NEXTCLOUD_DB_PASSWORD';
CREATE ROLE
postgres=# CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UNICODE';
CREATE DATABASE
postgres=# ALTER DATABASE nextcloud OWNER TO nextcloud;
ALTER DATABASE
postgres=# \q
Keep in mind to put something more sophisticated in the NEXTCLOUD_DB_PASSWORD place.
PostgreSQL Cleanup and Indexing Script
Lets automate some PostgreSQL housekeeping.
# mkdir -p /var/db/postgres/bin
# chown postgres /var/db/postgres/bin
# vi /var/db/postgres/bin/vacuum.sh
#! /bin/sh
/usr/local/bin/vacuumdb -az 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -a 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -s 1> /dev/null 2> /dev/null
:wq
# cat /var/db/postgres/bin/vacuum.sh
#! /bin/sh
/usr/local/bin/vacuumdb -az 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -a 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -s 1> /dev/null 2> /dev/null
# chown postgres /var/db/postgres/bin/vacuum.sh
# chmod +x /var/db/postgres/bin/vacuum.sh
# su - postgres -c 'crontab -e'
0 0 * * * /var/db/postgres/bin/vacuum.sh
:wq
/tmp/crontab.JMg5BfT5HV: 2 lines, 42 characters.
crontab: installing new crontab
# su - postgres -c 'crontab -l'
0 0 * * * /var/db/postgres/bin/vacuum.sh
# su - postgres -c '/var/db/postgres/bin/vacuum.sh'
Nginx
Now its time for Nginx webserver.
# chown -R www:www /var/log/nginx
# ls -l /var/log/nginx
total 3
-rw-r----- 1 www www 64 2019.12.31 00:00 access.log
-rw-r----- 1 www www 133 2019.12.31 00:00 access.log.0.bz2
-rw-r----- 1 www www 64 2019.12.31 00:00 error.log
-rw-r----- 1 www www 133 2019.12.31 00:00 error.log.0.bz2
… and its main nginx.conf configuration file.
# cat /usr/local/etc/nginx/nginx.conf
user www;
worker_processes 4;
worker_rlimit_nofile 51200;
error_log /var/log/nginx/error.log;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" ';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
upstream php-handler {
server 127.0.0.1:9000;
}
server {
# ENFORCE HTTPS
listen 80;
server_name nextcloud.domain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name nextcloud.domain.com;
ssl_certificate /usr/local/etc/nginx/ssl/ssl-bundle.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/server.key;
# HEADERS SECURITY RELATED
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header Referrer-Policy "no-referrer";
# HEADERS
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# PATH TO THE ROOT OF YOUR INSTALLATION
root /usr/local/www/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# BUFFERS TIMEOUTS UPLOAD SIZES
client_max_body_size 16400M;
client_body_buffer_size 1048576k;
send_timeout 3000;
# ENABLE GZIP BUT DO NOT REMOVE ETag HEADERS
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
rewrite ^ /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_keep_conn off;
fastcgi_buffers 16 256K;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_send_timeout 3000s;
fastcgi_read_timeout 3000s;
fastcgi_connect_timeout 3000s;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# ADDING THE CACHE CONTROL HEADER FOR JS AND CSS FILES
# MAKE SURE IT IS BELOW PHP BLOCK
location ~ \.(?:css|js|woff2?|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=15778463";
# HEADERS SECURITY RELATED
# IT IS INTENDED TO HAVE THOSE DUPLICATED TO ONES ABOVE
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
# HEADERS
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# OPTIONAL: DONT LOG ACCESS TO ASSETS
access_log off;
}
location ~ \.(?
ng|html|ttf|ico|jpg|jpeg)$ {try_files $uri /index.php$uri$is_args$args;
# OPTIONAL: DONT LOG ACCESS TO OTHER ASSETS
access_log off;
}
}
}
OpenSSL HTTPS Certificates
We will generate a certificates needed for HTTPS service for Nextcloud.
# mkdir -p /usr/local/etc/nginx/ssl
# cd /usr/local/etc/nginx/ssl
# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for server.key: SERVER_KEY_PASSWORD
Verifying - Enter pass phrase for server.key: SERVER_KEY_PASSWORD
As usual use something more sensible then SERVER_KEY_PASSWORD string here
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:lodzkie
Locality Name (eg, city) []:Lodz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Vermaden Enterprises Ltd.
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:nextcloud.domain.com
Email Address []:vermaden@interia.pl
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key
Enter pass phrase for server.key.orig: SERVER_KEY_PASSWORD
writing RSA key
# ls -l /usr/local/etc/nginx/ssl
total 7
-rw-r--r-- 1 root wheel 1151 2019.12.31 12:39 server.csr
-rw------- 1 root wheel 1679 2019.12.31 12:41 server.key
-rw------- 1 root wheel 1751 2019.12.31 12:40 server.key.orig
# openssl x509 -req -days 7000 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = PL, ST = lodzkie, L = Lodz, O = Vermaden Enterprises Ltd., OU = IT Department, CN = nextcloud.domain.com, emailAddress = vermaden@interia.pl
Getting Private key
# ln -s /usr/local/etc/nginx/ssl/server.crt /usr/local/etc/nginx/ssl/ssl-bundle.crt
PHP
Here is the used PHP configuration with up to 16GB files for Nextcloud.
# grep '^[^;]' /usr/local/etc/php.ini
PHP:
max_input_time=3600
engine = On
short_open_tag = On
precision = 14
output_buffering = OFF
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
disable_functions =
disable_classes =
zend.enable_gc = On
expose_php = On
max_execution_time = 3600
max_input_time = 30000
memory_limit = 1024M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
error_log = /var/log/php.log
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 16400M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 16400M
max_file_uploads = 64
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 300
[CLI Server]
cli_server.color = On
[Date]
date.timezone = Europe/Warsaw
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.save_path = "/tmp"
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
[curl]
[openssl]
[SIZE=5][B]PHP PostgreSQL Database Settings[/B][/SIZE]
Below are needed to make PHP work with PostgreSQL database.
# [B]cat /usr/local/etc/php/ext-20-pgsql.ini[/B]
extension=pgsql.so
# [B]cat /usr/local/etc/php/ext-20-pgsql.ini
[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
EOF[/B]
# [B]cat /usr/local/etc/php/ext-20-pgsql.ini[/B]
extension=pgsql.so
[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
… and the second one.
# [B]cat /usr/local/etc/php/ext-30-pdo_pgsql.ini[/B]
extension=pdo_pgsql.so
# [B]cat /usr/local/etc/php/ext-30-pdo_pgsql.ini
[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
EOF[/B]
# [B]cat /usr/local/etc/php/ext-30-pdo_pgsql.ini[/B]
extension=pdo_pgsql.so
[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[SIZE=5][B]PHP FPM[/B][/SIZE]
Now the PHP FPM daemon.
# [B]grep '^[^;]' /usr/local/etc/php-fpm.conf[/B]
[global]
pid = run/php-fpm.pid
error_log = log/php-fpm.log
syslog.facility = daemon
include=/usr/local/etc/php-fpm.d/*.conf
# [B]touch /var/log/php-fpm.log[/B]
# [B]chown www:www /var/log/php-fpm.log[/B]
# [B]grep '^[^;]' /usr/local/etc/php-fpm.d/www.conf[/B]
[www]
user = www
group = www
listen = 127.0.0.1:9000
listen.backlog = -1
listen.owner = www
listen.group = www
listen.mode = 0660
listen.allowed_clients = 127.0.0.1
pm = static
pm.max_children = 8
pm.start_servers = 4
pm.min_spare_servers = 4
pm.max_spare_servers = 32
pm.process_idle_timeout = 1000s;
pm.max_requests = 500
request_terminate_timeout = 0
rlimit_files = 51200
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
[SIZE=6][B]Start Backend Services[/B][/SIZE]
We will now start all ‘backend’ services needed for Nextcloud.
# [B]service postgresql start[/B]
2020-01-02 13:18:05.970 CET [52233] LOG: starting PostgreSQL 12.1 on amd64-portbld-freebsd12.0, compiled by FreeBSD clang version 6.0.1 (tags/RELEASE_601/final 335540) (based on LLVM 6.0.1), 64-bit
2020-01-02 13:18:05.974 CET [52233] LOG: listening on IPv6 address "::1", port 5432
2020-01-02 13:18:05.974 CET [52233] LOG: listening on IPv4 address "127.0.0.1", port 5432
2020-01-02 13:18:05.975 CET [52233] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2020-01-02 13:18:06.024 CET [52233] LOG: ending log output to stderr
2020-01-02 13:18:06.024 CET [52233] HINT: Future log output will go to log destination "syslog".
# [B]service postgresql status[/B]
pg_ctl: server is running (PID: 36089)
/usr/local/bin/postgres "-D" "/var/db/postgres/data12"
# [B]service php-fpm start[/B]
Performing sanity check on php-fpm configuration:
[02-Jan-2020 13:16:50] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful
Starting php_fpm.
# [B]service php-fpm status[/B]
php_fpm is running as pid 52193.
# [B]service memcached start[/B]
Starting memcached.
# [B]service memcached status[/B]
memcached is running as pid 52273.
# [B]service nginx start[/B]
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
[SIZE=6][B]Nextcloud Configuration[/B][/SIZE]
I created a link named [B]/data[/B] to the Nextcloud data directory located at [B]/usr/local/www/nextcloud/data[/B] place.
# [B]ln -s /usr/local/www/nextcloud/data /data[/B]
The we use [I]Firefox[/I] or other web browser to finish the Nextcloud configuration.
Type [B][URL]https://1.2.3.4[/URL][/B] in the browser where [B]1.2.3.4[/B] is your Nextcloud instance IP address.
I am sorry but the following image is in the Polish language – I forgot to change it to English … but I assume you will what to put in these fields by context.
[IMG alt="nextcloud-setup.png"]https://vermaden.files.wordpress.com/2020/01/nextcloud-setup.png?w=960[/IMG]
After we finish the setup we go straight to [I]Nextcloud Overview[/I] page at [URL]https://1.2.3.4/settings/admin/serverinfoto[/URL] page to see what else needs to be taken care of.
[IMG alt="nextcloud-setup-overview.png"]https://vermaden.files.wordpress.com/2020/01/nextcloud-setup-overview.png?w=960[/IMG]
Two issues needs to be addressed. One is about Nginx configuration, the other is about PostgreSQL, let’s fix them.
We will add needed header to the Nginx configuration file.
# [B]diff -u /usr/local/etc/nginx/nginx.conf.OLD /usr/local/etc/nginx/nginx.conf[/B]
--- /usr/local/etc/nginx/nginx.conf.OLD 2020-01-02 14:21:58.359398000 +0100
+++ /usr/local/etc/nginx/nginx.conf 2020-01-02 14:21:42.823426000 +0100
@@ -46,6 +46,7 @@
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
[COLOR=#00ff00]+ add_header X-Frame-Options "SAMEORIGIN";[/COLOR]
# PATH TO THE ROOT OF YOUR INSTALLATION
root /usr/local/www/nextcloud/;
# [B]service nginx reload[/B]
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
… and update the PostgreSQL convertion.
# [B]sudo -u www /usr/local/bin/php /usr/local/www/nextcloud/occ db:convert-filecache-bigint[/B]
Following columns will be updated:
* mounts.storage_id
* mounts.root_id
* mounts.mount_id
This can take up to hours, depending on the number of files in your instance!
Continue with the conversion (y/n)? [n] [B]y[/B]
Viola! Both of our problems are gone now.
[IMG alt="nextcloud-setup-overview-fixed.png"]https://vermaden.files.wordpress.com/2020/01/nextcloud-setup-overview-fixed.png?w=960[/IMG]
[SIZE=5][B]Trusted Domains[/B][/SIZE]
When you will enter the Nextcloud using different domain you will get a warning about that.
To add new Trusted Domain to the Nextcloud config do the following.
Here is how it looks before changes.
# [B]grep -A 3 trusted /usr/local/www/nextcloud/config/config.php
[/B] 'trusted_domains' =>
array (
0 => '1.2.3.4',
),
We will now add [B]nextcloud.domain.com[/B] domain.
# [B]vi /usr/local/www/nextcloud/config/config.php[/B]
# [B]grep -A 4 trusted /usr/local/www/nextcloud/config/config.php[/B]
'trusted_domains' =>
array (
0 => '1.2.3.4',
1 => 'nextcloud.domain.com',
),
You can of course add more with successive numbers.
# [B]grep -A 5 trusted /usr/local/www/nextcloud/config/config.php[/B]
'trusted_domains' =>
array (
0 => '1.2.3.4',
1 => 'nextcloud.domain.com',
2 => 'cloud.domain.com',
),
This is the end of this guide. Feel free to share your thougths [IMG alt="🙂"]https://s0.wp.com/wp-content/mu-plugins/wpcom-smileys/twemoji/2/72x72/1f642.png[/IMG]
[SIZE=6][B]Log Rotation with Newsyslog[/B][/SIZE]
Newsyslog is part of FreeBSD’s base system. We will add Nextcloud and backend daemons log files to Newsyslog configuration so they will be rotated.
# [B]cat /etc/newsyslog.conf
/data/nextcloud.log www:www 640 7 * @T00 JC
/usr/local/www/nextcloud/data/nextcloud.log www:www 640 7 * @T00 JC
/var/log/php-fpm.log www:www 640 7 * @T00 JC
/var/log/nginx/error.log www:www 640 7 * @T00 JC
/var/log/nginx/access.log www:www 640 7 * @T00 JC
EOF[/B]
Now you will not run out of free space when logs will grow in time.
EOF
[url="https://vermaden.wordpress.com/2020/01/04/nextcloud-17-on-freebsd-12-1/"]Continue reading...[/url]