How could i install nextcloud 12 on centmindmod?

The test didn't like those lines being there twice. Problem solved.
Thank You for the help eva2000!

 

Comment #16 and domain.name.ssl.conf
Upper lines
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

I'm not sure if those are hardcoded there. Lower lines comments says those have to be twice in that file, if I understand right...

 

Have to check how this really goes.
Here's the answer:

Code:

Serve security related headers by the Web server

Basic security headers are served by Nextcloud already in a default environment. These include:

    X-Content-Type-Options: nosniff
            Instructs some browsers to not sniff the mimetype of files. This is used for example to prevent browsers from interpreting text files as JavaScript.

    X-XSS-Protection: 1; mode=block
            Instructs browsers to enable their browser side Cross-Site-Scripting filter.

    X-Robots-Tag: none
            Instructs search machines to not index these pages.

    X-Frame-Options: SAMEORIGIN
            Prevents embedding of the Nextcloud instance within an iframe from other domains to prevent Clickjacking and other similar attacks.

These headers are hard-coded into the Nextcloud server, and need no intervention by the server administrator.

For optimal security, administrators are encouraged to serve these basic HTTP headers by the Web server to enforce them on response. To do this Apache has to be configured to use the .htaccess file and the following Apache modules need to be enabled:

    mod_headers
    mod_env

Administrators can verify whether this security change is active by accessing a static resource served by the Web server and verify that the above mentioned security headers are shipped.

 

At the moment I have edited files:

• /etc/centminmod/php.d/b_customphp.ini
• /usr/local/nginx/conf/conf.d/domain.name.ssl.conf
• /usr/local/nginx/conf/phpssl.conf ?
• /usr/local/etc/php-fpm.conf (uncomment ;include=/usr/local/nginx/conf/phpfpmd/*.conf)
• /usr/local/nginx/conf/phpfpmd/phpfpm_pool2.conf
• /etc/centminmod/php.d/zendopcache_custom.ini
• /etc/sysctl.conf ??
• /etc/redis.conf

Are those all safe to edit? No over written after update?

?) I found fastcgi_intercept_erros from 4 different files. What is the recommended to edit? php-pool2.conf, php.conf, domain.name.ssl.conf or phpssl.conf?

??) sysctl.conf was edited because
WARNING overcommit_memory is set to 0! Background save may fail under low memory condition.
To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run
the command 'sysctl vm.overcommit_memory=1' for this to take effect.

Fastcgi_buffers are also in 3 files. (at least) php-pool2.conf, php.conf and domain.name.ssl.conf. What is the recommended to edit?

What about ssl_include.conf, is it ok to edit it? I'd like to delete TLSv1 and TLS v1.1.

Should I leave autoprotect untouched?

And the last thing, which is done:
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis.
To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in
order to retain the setting after a reboot. Redis must be restarted after THP is disabled.

Code:

php --ini
Cannot load Zend OPcache - it was already loaded
Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /etc/centminmod/php.d
Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
/etc/centminmod/php.d/b_customphp.ini,
/etc/centminmod/php.d/curlcainfo.ini,
/etc/centminmod/php.d/geoip.ini,
/etc/centminmod/php.d/igbinary.ini,
/etc/centminmod/php.d/imagick.ini,
/etc/centminmod/php.d/mailparse.ini,
/etc/centminmod/php.d/mcrypt.ini,
/etc/centminmod/php.d/memcache.ini,
/etc/centminmod/php.d/memcached.ini,
/etc/centminmod/php.d/redis.ini,
/etc/centminmod/php.d/zendopcache.ini,
/etc/centminmod/php.d/zendopcache_custom.ini

 

Should I move all fastcgi settings from domain.name.ssl.conf? I didn't even think about it because example nginx config is from Nextclouds admin manual...

Code:

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
----
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

After better thinking I think I don't need php.conf at all because php-pool2.conf is in use. Correct?

Include is now:

Code:

location / {
        include /usr/local/nginx/conf/503include-only.conf;
        rewrite ^ /index.php$uri;
        include /usr/local/nginx/conf/php-pool2.conf;
    }

Before there were also php.conf included at the end of domain.name.ssl.conf.

Code:

  include /usr/local/nginx/conf/pre-staticfiles-local-domain.name.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;

  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;

}

Is this ok or should I move include php-pool2.conf to the end of settings?

I am very close to publishing a good guide which hopefully arouse people's interest in centmin. (was that sentence english..?)

 

Ok, I'll try to mix things...
Because you say so I think I can't unsecure server. At least not badly. Maybe just a little...