Join the community today
Become a Member

How could i install nextcloud 12 on centmindmod?

Discussion in 'Other Web Apps usage' started by hardousse, Nov 29, 2017.

Tags:
  1. hardousse

    hardousse Active Member

    123
    30
    28
    Dec 15, 2015
    Sweden
    Ratings:
    +45
    Local Time:
    2:30 PM
    1.11.*
    10.1*
  2. eva2000

    eva2000 Administrator Staff Member

    34,624
    7,653
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,771
    Local Time:
    9:30 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    haven't tried nextcloud myself so maybe someone else has
     
  3. hardousse

    hardousse Active Member

    123
    30
    28
    Dec 15, 2015
    Sweden
    Ratings:
    +45
    Local Time:
    2:30 PM
    1.11.*
    10.1*
    I was trying more time with the conf of Owncloud and trying to adapt it to nextcloud but No succes,i hope someone Here in the comunity has tut for nextcloud on centminmod.
    Thank you
     
  4. bassie

    bassie Active Member

    856
    200
    43
    Apr 29, 2016
    Ratings:
    +605
    Local Time:
    1:30 PM
    What is your goal and the intended use of Nextcloud?
    If you ask me

    At the beginning started as Own-cloud, Next-cloud had the goal to offer an own hosted, privacy friendly alternative to for example Google Drive.

    Nowadays it seems more and more bloat to me with extra features like:
    Online Office, Video chat and Workflow. Focused on the business 'earn money' model.

    I just do not want to mention Nero Burning Rom Platinum All In One Gold Master Power Suite, but it does go that way.
     
    • Like Like x 1
  5. hardousse

    hardousse Active Member

    123
    30
    28
    Dec 15, 2015
    Sweden
    Ratings:
    +45
    Local Time:
    2:30 PM
    1.11.*
    10.1*
    Thank you for your opinion,so you think better sray with own cloud,Yes i need simple self hosting but what i find thats all think nextcloud better developed
     
  6. bassie

    bassie Active Member

    856
    200
    43
    Apr 29, 2016
    Ratings:
    +605
    Local Time:
    1:30 PM
    As ownCloud is still actively maintained, if you have an active installation.
    There is no reason to switch to Nextcloud.
    Nextcloud is an fork of ownCloud.
     
  7. hardousse

    hardousse Active Member

    123
    30
    28
    Dec 15, 2015
    Sweden
    Ratings:
    +45
    Local Time:
    2:30 PM
    1.11.*
    10.1*
    no i donĀ“t have active installation i was have nextcloud installed in other server not centmin but now all my server is centmin so that's why i want install from new,i don't look for edg option that's nextcloud have just i want basic so i think i will go with owncloud 10 in centmin.
     
    • Informative Informative x 1
  8. hardousse

    hardousse Active Member

    123
    30
    28
    Dec 15, 2015
    Sweden
    Ratings:
    +45
    Local Time:
    2:30 PM
    1.11.*
    10.1*
    no one use nextcloud here? i still have problem to get nextcloud work with centminmod i was follow the owncloud guide but i have problem about two file ownlcoud.conf and phpowncloud.conf i was trying to adapt it it to nextclodud but no chance any help from community here.thank you
     
  9. eva2000

    eva2000 Administrator Staff Member

    34,624
    7,653
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,771
    Local Time:
    9:30 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Unfortunately seems like no one on this forum uses it. Keep at it.. don't give up :)
     
    • Like Like x 1
  10. Meirami

    Meirami Member

    63
    7
    8
    Dec 21, 2017
    Ratings:
    +20
    Local Time:
    2:30 PM
    Have you tried this guide?
    They're using Ubuntu, but for Centos users they told to use centmin.
     
    • Informative Informative x 1
  11. Meirami

    Meirami Member

    63
    7
    8
    Dec 21, 2017
    Ratings:
    +20
    Local Time:
    2:30 PM
    I think I made a working installation of Nextcloud 13.
    I used the owncloud tutorial on this site and official Nextcloud 13 manual. There's still things to do but looking good.

    Fileinfo is needed so do
    echo "PHPFINFO='y'" >> /etc/centminmod/custom_config.inc
    before installing Centmin mod or upgrading php.

    I have vhost with Letsencrypt. (I think automatic certificate update is broken now with my settings...)
    PHP is 7.2.2

    Make database, download and setup OwnCloud(=Nextcloud) like in this tutorial.
    https://community.centminmod.com/resources/how-to-install-owncloud-on-centmin-mod-nginx.1/
    Just check correct download url from nextcloud.com. ;)

    /usr/local/nginx/conf/conf.d/domain.com.ssl.conf copied from Nextcloud's manual.
    Change certificate paths.
    Uncomment Strict-Transport-Security
    Change path to the root of your installation
    Comment fastcgi_intercept_errors on; out. This is double setting. (phpssl.conf default off)
    Code:
    upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php5-fpm.sock;
    }
    
    server {
        listen 80;
        listen [::]:80;
        server_name domain.com;
        # enforce https
        return 301 https://$server_name$request_uri;
    }
    
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name domain.com;
    
    include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
        # Add headers to serve security related headers
        # Before enabling Strict-Transport-Security headers please read into this
        # topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
    
        # Path to the root of your installation
        root /home/nginx/domains/domain.com/public;
    
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
    
        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
        # last;
    
        location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
        }
    
        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;
    
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    
        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;
    
        location / {
            rewrite ^ /index.php$uri;
        }
    
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
    
        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
    #        fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }
    
        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }
    
        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff|svg|gif)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=15778463";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }
    
        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$uri$is_args$args;
            # Optional: Don't log access to other assets
            access_log off;
        }
    }
    
    phpedit
    Find, uncomment and edit
    Code:
    opcache.enable=1
    opcache.enable_cli=1
    opcache.interned_strings_buffer=8
    opcache.max_accelerated_files=10000
    opcache.memory_consumption=128
    opcache.save_comments=1
    opcache.revalidate_freq=1
    (This is not working... still complaints about this)

    fpmconf
    (add and uncomment)
    Code:
    ;env[HOSTNAME] = $HOSTNAME
    ;env[PATH] = /usr/local/bin:/usr/bin:/bin
    ;env[TMP] = /tmp
    ;env[TMPDIR] = /tmp
    ;env[TEMP] = /tmp
    fpmrestart

    There may be lots of unexpecting things, but as soon as I have time I will continue tuning this. Comments and guidance is welcome.
    Nextcloud Security Scan gave me A+... :D
     
  12. eva2000

    eva2000 Administrator Staff Member

    34,624
    7,653
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,771
    Local Time:
    9:30 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Looking good and thanks for sharing your updates and working config setup :)

    Don't edit php.ini directly. For custom php settings read centminmod.com/phpfpm.html#customphpini. You might want to create /etc/centminmod/php.d/b_customphp.ini to override centmin mod defaults at /etc/centminmod/php.d/a_customphp.ini and restart PHP-FPM. Also outlined in Getting Started Guide Step 17

    Though to override zend opcache settings file might need a different name that is alphabetically below the existing zend opcache ini settings file at /etc/centminmod/php.d/zendopcache.ini so as to override settings in /etc/centminmod/php.d/zendopcache.ini
    Code (Text):
    php --ini
    Configuration File (php.ini) Path: /usr/local/lib
    Loaded Configuration File:         /usr/local/lib/php.ini
    Scan for additional .ini files in: /etc/centminmod/php.d
    Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
    /etc/centminmod/php.d/curlcainfo.ini,
    /etc/centminmod/php.d/geoip.ini,
    /etc/centminmod/php.d/igbinary.ini,
    /etc/centminmod/php.d/imagick.ini,
    /etc/centminmod/php.d/mailparse.ini,
    /etc/centminmod/php.d/memcache.ini,
    /etc/centminmod/php.d/memcached.ini,
    /etc/centminmod/php.d/redis.ini,
    /etc/centminmod/php.d/zendopcache.ini
    
     
    • Useful Useful x 1
  13. eva2000

    eva2000 Administrator Staff Member

    34,624
    7,653
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,771
    Local Time:
    9:30 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    That remember is server wide so might not want to do that and setup a separate php-fpm pool for use for nextcloud site if you have multiple nginx vhost sites on same server.

    FYI, in 123.09beta01 and higher there are 4 additional PHP-FPM pools already created that you can utilise i.e. take one PHP-FPM dedicated to one site with separate PHP-FPM config file in /usr/local/nginx/conf/phpfpmd directory
    so you can make such changes without affecting default PHP-FPM config Beta Branch - Centmin Mod .08 beta03+ Multiple PHP-FPM pools support added - just don't setup load balanced upstream multiple php-fpm instead use them individually. See heading under Individual PHP Include Files Usage
     
    • Useful Useful x 1
  14. Meirami

    Meirami Member

    63
    7
    8
    Dec 21, 2017
    Ratings:
    +20
    Local Time:
    2:30 PM
    I don't get this. If I put env variables to phpfpm_pool2.conf and uncomment include line from php-fpm.conf, should it be working? Because I can't make it work. If I go to 'Individual PHP Include Files Usage', there's info about php-pools. Not phpfpm_pools. I'm confused.
    I'm having only one vhost now, but it would be nice to have these settings only for this site.
    Must sleep now...
     
  15. eva2000

    eva2000 Administrator Staff Member

    34,624
    7,653
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,771
    Local Time:
    9:30 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    after enabling multiple PHP-FPM pools, you need to reference it in your vhost via include directive just like the default vhosts include for php.conf see the example in link i.e. admin
    Code (Text):
       location /admin {
        auth_basic "Private";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin;
           #include /usr/local/nginx/conf/php.conf;
           # use php-pool2.conf include file and pool2 on 127.0.0.1:9002 to serve /admin requests
           include /usr/local/nginx/conf/php-pool2.conf;
           allow 127.0.0.1;
           #allow YOURIPADDRESS;
           deny all;
    }
    

    previously used default include /usr/local/nginx/conf/php.conf which is commented out in favour of separate PHP-FPM include pool you enabled include /usr/local/nginx/conf/php-pool2.conf
     
  16. Meirami

    Meirami Member

    63
    7
    8
    Dec 21, 2017
    Ratings:
    +20
    Local Time:
    2:30 PM
    Well... Should never do these things when tired. Stupid error which made harder to solve php-fpm pool problem.

    I edited domain.name.ssl.conf more. (copyed lines from centmin default conf)
    Code:
    upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php5-fpm.sock;
    }
    
    server {
        listen 80;
        listen [::]:80;
        server_name domain.name;
        # enforce https
        return 301 https://$server_name$request_uri;
    }
    
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name domain.name;
    
    include /usr/local/nginx/conf/ssl/domain.name/domain.name.crt.key.conf;
    include /usr/local/nginx/conf/ssl_include.conf;
    
    
    #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
    
    # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
    
        # Add headers to serve security related headers
        # Before enabling Strict-Transport-Security headers please read into this
        # topic first.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
    
    ssl_buffer_size 1369;
    ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    access_log /home/nginx/domains/domain.name/log/access.log combined buffer=256k flush=5m;
    error_log /home/nginx/domains/domain.name/log/error.log;
    include /usr/local/nginx/conf/autoprotect/domain.name/autoprotect-domain.name.conf;
    
        # Path to the root of your installation
        root /home/nginx/domains/domain.name/public;
    include /usr/local/nginx/conf/503include-main.conf;
    
    
        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
        # last;
    
        location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
        }
    
        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;
    
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    
        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;
    
        location / {
    include /usr/local/nginx/conf/503include-only.conf;
    include /usr/local/nginx/conf/php-pool2.conf;
            rewrite ^ /index.php$uri;
        }
    
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
    
        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
    #        fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }
    
        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }
    
        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff|svg|gif)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=15778463";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }
    
        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$uri$is_args$args;
            # Optional: Don't log access to other assets
            access_log off;
        }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.name.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    
    
    }
    
    And there's include pool line also.
    Code:
    location / {
    include /usr/local/nginx/conf/503include-only.conf;
    include /usr/local/nginx/conf/php-pool2.conf;
            rewrite ^ /index.php$uri;
        }
    Nextcloud's admin page's own error detection don't complain about environments anymore.
    But. It says:
    Code:
        The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
        The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
        The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
        The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
        The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
    Those are set in the domain.name.ssl.conf.
    This is getting even weirder to me. Is the pool still wrong or what is overriding settings?

    *edit*
    Mozilla observatory tells:
    X-XSS-Protection header set to "1; mode=block"
    So the Nextcloud's admin page's selftest seems to be broken... and it means my config needs some work.
     
    Last edited: Mar 2, 2018
  17. eva2000

    eva2000 Administrator Staff Member

    34,624
    7,653
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,771
    Local Time:
    9:30 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    might need to create a separate staticfiles.conf include file (make a copy) and replace it in domain.name.ssl.conf with the copy and add those headers to .html location context match too
     
  18. Meirami

    Meirami Member

    63
    7
    8
    Dec 21, 2017
    Ratings:
    +20
    Local Time:
    2:30 PM
    If it's like that should the headers be actually configured wrong?
    Htbridge.com's test also tells headers are fine. At least X-XSS-Protection and X-Content-Type-Options are correct. Nextcloud's test (on my server) sees them wrong. HTTP header is not set to "nosniff" tell's admin page's test and htbridge's test tell's X-Content-Type-Options: nosniff. And so did Mozilla's test.

    I think it's permission or something like that issue. Because if I put ENV settings to php-fpm.conf and comment out include line to pool2 Nextcloud's admin page tells no errors. Only when fpm pool (env settings there) is in use there are header errors. But not when tested from outside...

    This pool "thing" is new to me. So I can't figure out how does it change things and why it makes Nextcloud falsely? report errors.

    *edit*
    curl -I https://domain.name
    Code:
    Location: https://domain.name/index.php/login
    Server: nginx centminmod
    X-Powered-By: centminmod
    Strict-Transport-Security: max-age=31536000; includeSubDomains;
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-Robots-Tag: none
    X-Download-Options: noopen
    X-Permitted-Cross-Domain-Policies: none
    
     
    Last edited: Mar 2, 2018
  19. eva2000

    eva2000 Administrator Staff Member

    34,624
    7,653
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,771
    Local Time:
    9:30 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    got example of the setings for php-fpm.conf and pool2 conf ?
     
  20. Meirami

    Meirami Member

    63
    7
    8
    Dec 21, 2017
    Ratings:
    +20
    Local Time:
    2:30 PM
    php-fpm.conf
    Code:
    [global]
    ; Log level
    ; Possible Values: alert, error, warning, notice, debug
    ; Default Value: notice
    log_level = warning
    pid = /var/run/php-fpm/php-fpm.pid
    error_log = /var/log/php-fpm/www-error.log
    emergency_restart_threshold = 10
    emergency_restart_interval = 1m
    process_control_timeout = 10s
    include=/usr/local/nginx/conf/phpfpmd/*.conf
    
    [www]
    user = nginx
    group = nginx
    
    listen = 127.0.0.1:9000
    listen.allowed_clients = 127.0.0.1
    ;listen.backlog = -1
    
    ;listen = /tmp/php5-fpm.sock
    listen.owner = nginx
    listen.group = nginx
    listen.mode = 0660
    
    pm = ondemand
    pm.max_children = 16
    ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
    pm.start_servers = 8
    pm.min_spare_servers = 4
    pm.max_spare_servers = 12
    pm.max_requests = 1000
    
    ; PHP 5.3.9 setting
    ; The number of seconds after which an idle process will be killed.
    ; Note: Used only when pm is set to 'ondemand'
    ; Default Value: 10s
    pm.process_idle_timeout = 10s;
    
    rlimit_files = 65536
    rlimit_core = 0
    
    ; The timeout for serving a single request after which the worker process will
    ; be killed. This option should be used when the 'max_execution_time' ini option
    ; does not stop script execution for some reason. A value of '0' means 'off'.
    ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
    ; Default Value: 0
    ;request_terminate_timeout = 0
    ; Default Value: 0
    ;request_slowlog_timeout = 0
    slowlog = /var/log/php-fpm/www-slow.log
    
    pm.status_path = /phpstatus
    ping.path = /phpping
    ping.response = pong
    
    ; Limits the extensions of the main script FPM will allow to parse. This can
    ; prevent configuration mistakes on the web server side. You should only limit
    ; FPM to .php extensions to prevent malicious users to use other extensions to
    ; exectute php code.
    ; Note: set an empty value to allow all extensions.
    ; Default Value: .php
    security.limit_extensions = .php .php3 .php4 .php5
    
    ; catch_workers_output = yes
    php_admin_value[error_log] = /var/log/php-fpm/www-php.error.log
    php_admin_value[disable_functions] = shell_exec

    phpfpm_pool2.conf
    Code:
    [pool2]
    user = nginx
    group = nginx
    
    listen = 127.0.0.1:9002
    listen.allowed_clients = 127.0.0.1
    listen.backlog = 65535
    
    ;listen = /tmp/php5-fpm-pool2.sock
    listen.owner = nginx
    listen.group = nginx
    listen.mode = 0660
    
    pm = ondemand
    pm.max_children = 16
    ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
    pm.start_servers = 8
    pm.min_spare_servers = 4
    pm.max_spare_servers = 12
    pm.max_requests = 1000
    
    ; PHP 5.3.9 setting
    ; The number of seconds after which an idle process will be killed.
    ; Note: Used only when pm is set to 'ondemand'
    ; Default Value: 10s
    pm.process_idle_timeout = 10s;
    
    rlimit_files = 65536
    rlimit_core = 0
    
    ; The timeout for serving a single request after which the worker process will
    ; be killed. This option should be used when the 'max_execution_time' ini option
    ; does not stop script execution for some reason. A value of '0' means 'off'.
    ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
    ; Default Value: 0
    ;request_terminate_timeout = 0
    ; Default Value: 0
    ;request_slowlog_timeout = 0
    slowlog = /var/log/php-fpm/www-slow-pool2.log
    
    pm.status_path = /phpstatus-pool2
    ping.path = /phpping-pool2
    ping.response = pong
    
    ; Limits the extensions of the main script FPM will allow to parse. This can
    ; prevent configuration mistakes on the web server side. You should only limit
    ; FPM to .php extensions to prevent malicious users to use other extensions to
    ; exectute php code.
    ; Note: set an empty value to allow all extensions.
    ; Default Value: .php
    security.limit_extensions = .php .php3 .php4 .php5
    
    ; catch_workers_output = yes
    php_admin_value[error_log] = /var/log/php-fpm/www-php.error-pool2.log
    php_admin_value[disable_functions] = shell_exec
    
    ;Nextcloud
    env[HOSTNAME] = $HOSTNAME
    env[PATH] = /usr/local/bin:/usr/bin:/bin
    env[TMP] = /tmp
    env[TMPDIR] = /tmp
    env[TEMP] = /tmp
    

    php-pool2.conf
    Code:
    location ~ [^/]\.php(/|$) {
      include /usr/local/nginx/conf/503include-only.conf;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass   127.0.0.1:9002;
        #fastcgi_pass   unix:/tmp/php5-fpm-pool2.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        #fastcgi_param  SCRIPT_FILENAME    $request_filename;
        #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
    
    # might shave 200+ ms off PHP requests
    # which don't pass on a content length header
    # slightly faster page response time at the
    # expense of throughput / scalability
    #sendfile on;
    #tcp_nopush off;
    #keepalive_requests 0;
    
    fastcgi_connect_timeout 60;
    fastcgi_send_timeout 180;
    fastcgi_read_timeout 180;
    fastcgi_buffer_size 512k;
    fastcgi_buffers 512 16k;
    fastcgi_busy_buffers_size 1m;
    fastcgi_temp_file_write_size 4m;
    fastcgi_max_temp_file_size 4m;
    fastcgi_intercept_errors off;
    
    # next 3 lines when uncommented / enabled
    # allow Nginx to handle uploads which then
    # passes back the completed upload to PHP
    #fastcgi_pass_request_body off;
    #client_body_in_file_only clean;
    #fastcgi_param  REQUEST_BODY_FILE  $request_body_file;
    
    #new .04+ map method
    fastcgi_param HTTPS $server_https;
    
    # comment out PATH_TRANSLATED line if /usr/local/lib/php.ini sets following:
    # cgi.fix_pathinfo=0
    # as of centminmod v1.2.3-eva2000.01 default is set to cgi.fix_pathinfo=1
    
    fastcgi_param  PATH_INFO          $fastcgi_path_info;
    fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;
    
    fastcgi_param  QUERY_STRING       $query_string;
    fastcgi_param  REQUEST_METHOD     $request_method;
    fastcgi_param  CONTENT_TYPE       $content_type;
    fastcgi_param  CONTENT_LENGTH     $content_length;
    
    fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
    fastcgi_param  REQUEST_URI        $request_uri;
    fastcgi_param  DOCUMENT_URI       $document_uri;
    fastcgi_param  DOCUMENT_ROOT      $document_root;
    fastcgi_param  SERVER_PROTOCOL    $server_protocol;
    fastcgi_param  REQUEST_SCHEME     $scheme;
    fastcgi_param  HTTPS              $https if_not_empty;
    fastcgi_param  HTTP_PROXY         "";
    
    fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
    fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
    
    fastcgi_param  REMOTE_ADDR        $remote_addr;
    fastcgi_param  REMOTE_PORT        $remote_port;
    fastcgi_param  SERVER_ADDR        $server_addr;
    fastcgi_param  SERVER_PORT        $server_port;
    fastcgi_param  SERVER_NAME        $server_name;
    
    # Set php-fpm geoip variables
    fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
    fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
    fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
    fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
    fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
    fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
    fastcgi_param GEOIP_REGION $geoip_region;
    fastcgi_param GEOIP_CITY $geoip_city;
    fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
    fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
    fastcgi_param GEOIP_LATITUDE $geoip_latitude;
    fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
    
    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param  REDIRECT_STATUS    200;
                       }
    
    Phpfpm_pool2.conf is almost like default. Changed max children setting, because. WARNING: [pool pool2] server reached max_children setting (4), consider raising it. Also added env settings.

    Php-pool2.conf should be default...

    Php-fpm.conf also default except uncommented include line.
     
..