Get the most out of your Centmin Mod LEMP stack
Become a Member

How could i install nextcloud 12 on centmindmod?

Discussion in 'Other Web Apps usage' started by hardousse, Nov 29, 2017.

Tags:
  1. eva2000

    eva2000 Administrator Staff Member

    35,617
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,093
    Local Time:
    10:24 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    strange unfortunately never used nextcloud - so only thing I'd go by is what curl and front facing web sites/header check tools report as being correct
     
  2. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    3:24 PM
    :woot:
    The test didn't like those lines being there twice. Problem solved.
    Thank You for the help eva2000!
     
    • Informative Informative x 1
  3. eva2000

    eva2000 Administrator Staff Member

    35,617
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,093
    Local Time:
    10:24 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    oh which duplicate lines were those again ?
     
  4. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    3:24 PM
    Comment #16 and domain.name.ssl.conf
    Upper lines
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    I'm not sure if those are hardcoded there. Lower lines comments says those have to be twice in that file, if I understand right...
     
  5. eva2000

    eva2000 Administrator Staff Member

    35,617
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,093
    Local Time:
    10:24 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    I see
     
  6. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    3:24 PM
    Have to check how this really goes. :)
    Here's the answer:
    Code:
    Serve security related headers by the Web server
    
    Basic security headers are served by Nextcloud already in a default environment. These include:
    
        X-Content-Type-Options: nosniff
                Instructs some browsers to not sniff the mimetype of files. This is used for example to prevent browsers from interpreting text files as JavaScript.
    
        X-XSS-Protection: 1; mode=block
                Instructs browsers to enable their browser side Cross-Site-Scripting filter.
    
        X-Robots-Tag: none
                Instructs search machines to not index these pages.
    
        X-Frame-Options: SAMEORIGIN
                Prevents embedding of the Nextcloud instance within an iframe from other domains to prevent Clickjacking and other similar attacks.
    
    These headers are hard-coded into the Nextcloud server, and need no intervention by the server administrator.
    
    For optimal security, administrators are encouraged to serve these basic HTTP headers by the Web server to enforce them on response. To do this Apache has to be configured to use the .htaccess file and the following Apache modules need to be enabled:
    
        mod_headers
        mod_env
    
    Administrators can verify whether this security change is active by accessing a static resource served by the Web server and verify that the above mentioned security headers are shipped.
    
     
    • Informative Informative x 1
  7. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    3:24 PM
    At the moment I have edited files:
    • /etc/centminmod/php.d/b_customphp.ini
    • /usr/local/nginx/conf/conf.d/domain.name.ssl.conf
    • /usr/local/nginx/conf/phpssl.conf ?
    • /usr/local/etc/php-fpm.conf (uncomment ;include=/usr/local/nginx/conf/phpfpmd/*.conf)
    • /usr/local/nginx/conf/phpfpmd/phpfpm_pool2.conf
    • /etc/centminmod/php.d/zendopcache_custom.ini
    • /etc/sysctl.conf ??
    • /etc/redis.conf

    Are those all safe to edit? No over written after update?

    ?) I found fastcgi_intercept_erros from 4 different files. What is the recommended to edit? php-pool2.conf, php.conf, domain.name.ssl.conf or phpssl.conf?

    ??) sysctl.conf was edited because
    WARNING overcommit_memory is set to 0! Background save may fail under low memory condition.
    To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run
    the command 'sysctl vm.overcommit_memory=1' for this to take effect.

    Fastcgi_buffers are also in 3 files. (at least) php-pool2.conf, php.conf and domain.name.ssl.conf. What is the recommended to edit?

    What about ssl_include.conf, is it ok to edit it? I'd like to delete TLSv1 and TLS v1.1.

    Should I leave autoprotect untouched?

    And the last thing, which is done:
    # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis.
    To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in
    order to retain the setting after a reboot. Redis must be restarted after THP is disabled.

    Code:
    php --ini
    Cannot load Zend OPcache - it was already loaded
    Configuration File (php.ini) Path: /usr/local/lib
    Loaded Configuration File:         /usr/local/lib/php.ini
    Scan for additional .ini files in: /etc/centminmod/php.d
    Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
    /etc/centminmod/php.d/b_customphp.ini,
    /etc/centminmod/php.d/curlcainfo.ini,
    /etc/centminmod/php.d/geoip.ini,
    /etc/centminmod/php.d/igbinary.ini,
    /etc/centminmod/php.d/imagick.ini,
    /etc/centminmod/php.d/mailparse.ini,
    /etc/centminmod/php.d/mcrypt.ini,
    /etc/centminmod/php.d/memcache.ini,
    /etc/centminmod/php.d/memcached.ini,
    /etc/centminmod/php.d/redis.ini,
    /etc/centminmod/php.d/zendopcache.ini,
    /etc/centminmod/php.d/zendopcache_custom.ini
    
     
  8. eva2000

    eva2000 Administrator Staff Member

    35,617
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,093
    Local Time:
    10:24 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yes they're safe

    if you need to edit that, then all 4 files need editing though domain.name.ssl.conf shouldn't have such directive as php.conf include file coves fastcgi_* settings

    same all 3 files

    should be ok

    up to you it's for security help with unknown .htaccess files that may pop up see why you may need it at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all

    yeah running /usr/local/src/centminmod/tools/hptweaks.sh should do the same thing automatically as it is ran when setting up wordpress nginx level redis caching in centmin.sh menu option 22 wordpress installs.
     
  9. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    3:24 PM
    Should I move all fastcgi settings from domain.name.ssl.conf? I didn't even think about it because example nginx config is from Nextclouds admin manual...
    Code:
        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;
    ----
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }
    
    After better thinking I think I don't need php.conf at all because php-pool2.conf is in use. Correct?

    Include is now:
    Code:
    location / {
            include /usr/local/nginx/conf/503include-only.conf;
            rewrite ^ /index.php$uri;
            include /usr/local/nginx/conf/php-pool2.conf;
        }
    Before there were also php.conf included at the end of domain.name.ssl.conf.
    Code:
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.name.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    
    }
    Is this ok or should I move include php-pool2.conf to the end of settings?

    I am very close to publishing a good guide which hopefully arouse people's interest in centmin. :D (was that sentence english..?)
     
  10. eva2000

    eva2000 Administrator Staff Member

    35,617
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,093
    Local Time:
    10:24 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    you don't need duplicate entries so if your php.conf or php-pool2.conf include has same settings as ones actually within domain.name.ssl.conf you can remove them and see
    try and see
    try and see :)

    it's all trial and error really :D
     
    • Like Like x 1
  11. Meirami

    Meirami Member

    93
    8
    8
    Dec 21, 2017
    Ratings:
    +29
    Local Time:
    3:24 PM
    Ok, I'll try to mix things... :cool:
    Because you say so I think I can't unsecure server. At least not badly. Maybe just a little... :ROFLMAO:
     
..