Install Nextcloud 13

Discussion in 'Centmin Mod User Tutorials & Guides' started by Meirami, Mar 17, 2018.

  1. Meirami
    My guide starts from the very beginning. A fresh VPS has just been deployed with CentOS 7.
    This guide may have errors. And because I'm not a professional there may be security holes just because I have done something wrong. So, if you follow this and something bad happens, blame yourself. You have been warned. I've done my best but I don't know if it's enough or not. Please report changes which make this better and safer.

    #log in as root or user with root privileges
    #for Centmin Mod
    #disable selinux if in use (setenforce 0 lasts only until reboot; /etc/selinux/config sets the boot-time mode)
    Code:
    setenforce 0
    #enable PHP module fileinfo (highly recommended, enhances file analysis performance)
    #and enable Let's Encrypt detection
    Code:
    mkdir -p /etc/centminmod
    echo "PHPFINFO='y'" >> /etc/centminmod/custom_config.inc
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
    #install Centmin Mod beta (fully working)
    #Centmin Mod LEMP Stack Install Nginx on CentOS
    Code:
    yum -y update; curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
    #read Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS
    #do initial settings except 2
    #that's done in this guide

    #change ssh port from default 22 to something else
    #reduces bots trying to log in
    Code:
    centmin
    16
    #follow the instructions

    #run Centmin menu option #2
    y #continue
    domain.name
    n #we don't need a self-signed certificate.
    y #we'll use Letsencrypt
    #I suppose domain is set
    y #continue
    y #continue
    4 #live cert with HTTPS default (trusted)
    ftpusername #or whatever you like
    y #auto generate FTP password
    y #continue

    #run Centmin menu option #5 and upgrade PHP
    y #YUM install check
    y #continue
    7.2.3 #wanted PHP version (check php.net for a newer version)
    y #let's use Zend OPcache
    n #don't re-add legacy mysql extension


    #exit
    24

    #bind mysql to 127.0.0.1
    Code:
    nano /etc/my.cnf
    #uncomment bind-address=127.0.0.1 (remove #)

    #setup database
    #you can try /usr/local/src/centminmod/addons/mysqladmin_shell.sh setuserdb
    #or do it like before
    Code:
    mysqladmin -u root -p create nextclouddb
    mysql -u root -p -e "CREATE USER '1username'@'localhost' IDENTIFIED BY 'myslipassu';"
    mysql -u root -p -e "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES, CREATE TEMPORARY TABLES ON nextclouddb.* TO '1username'@'localhost'; FLUSH PRIVILEGES;"
    
    #clear home from unnecessary files
    #download, extract and install NC
    Code:
    cd /home/nginx/domains/domain.name/public
    rm -rf /home/nginx/domains/domain.name/public/* #make sure you are in the right directory!! (the full path avoids wiping whatever the current directory happens to be)
    cd /home/nginx/domains/domain.name/private
    mkdir nextcloud
    cd nextcloud/
    #check the newest version at nextcloud.com
    Code:
    wget https://download.nextcloud.com/server/releases/nextcloud-13.0.1.tar.bz2
    wget https://download.nextcloud.com/server/releases/nextcloud-13.0.1.tar.bz2.sha256
    sha256sum -c nextcloud-13.0.1.tar.bz2.sha256
    tar -xjf nextcloud-13.0.1.tar.bz2
    cd nextcloud
    
    cp -Rpf /home/nginx/domains/domain.name/private/nextcloud/nextcloud/. /home/nginx/domains/domain.name/public
    #chown the directory itself instead of "*" and ".*": on the bash 4 shipped with CentOS 7 the ".*" glob also matches ".." and would recursively re-own the whole domain.name directory
    chown -R nginx:nginx /home/nginx/domains/domain.name/public
    rm -rf /home/nginx/domains/domain.name/private/nextcloud
    Code:
    nano /usr/local/nginx/conf/ssl_include.conf
    #delete TLSv1 and TLSv1.1
    # Not using TLSv1 will break:
    # Android <= 4.4.40
    # IE <= 10
    # IE mobile <=10
    # Removing TLSv1.1 breaks nothing else!

    #take a backup of domain.name.ssl.conf, then edit it
    Code:
    nano /usr/local/nginx/conf/conf.d/domain.name.ssl.conf
    
    #delete all inside
    #paste everything below between ## -lines

    Code:
    ##
    upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php5-fpm.sock;
    }
    
    server {
        listen 80;
        listen [::]:80;
        server_name domain.name;
        # enforce https
        return 302 https://$server_name$request_uri;
    }
    
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name domain.name;
    
    #keys' locations
        include /usr/local/nginx/conf/ssl/domain.name/domain.name.crt.key.conf;
    #ssl settings
        include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
    
    # mozilla recommended
      ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
    
        # Add headers to serve security related headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
    
        ssl_buffer_size 1369;
        ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
      access_log /home/nginx/domains/domain.name/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.name/log/error.log;
      include /usr/local/nginx/conf/autoprotect/domain.name/autoprotect-domain.name.conf;
    
        # Path to the root of your installation
        root /home/nginx/domains/domain.name/public;
    
        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
        # last;
    
        location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
        }
    
        # set max upload size
        client_max_body_size 1024M;
        fastcgi_buffers 64 4K;
    
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    
        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;
    
        location / {
            rewrite ^ /index.php$request_uri;
            include /usr/local/nginx/conf/php-pool2.conf;
        }
    
    #Let's Encrypt renewal
        location ~ ^/\.well-known/acme-challenge/ {
            allow all;
        }
    
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
    
        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_request_buffering off;
        }
    
        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }
    
        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=31536000";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # The ones above removed because those are harcoded in NC13.
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }
    
        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$request_uri;
            # Optional: Don't log access to other assets
            access_log off;
        }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.name.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    
    }
    ##
    Code:
    nano /usr/local/nginx/conf/fastcgi_params
    fastcgi_intercept_errors on; #edit off to on
    #default is off in centmin mod.

    Code:
    fpmconf
    #uncomment (=remove ;) and save
    ;include=/usr/local/nginx/conf/phpfpmd/*.conf
    Code:
    cd /usr/local/nginx/conf/phpfpmd
    nano phpfpm_pool2.conf
    #add lines below to the end
    env[HOSTNAME] = $HOSTNAME
    env[PATH] = /usr/local/bin:/usr/bin:/bin
    env[TMP] = /tmp
    env[TMPDIR] = /tmp
    env[TEMP] = /tmp

    Code:
    cd /etc/centminmod/php.d/
    cp zendopcache.ini zendopcache_custom.ini
    nano zendopcache_custom.ini
    #edit:
    opcache.enable=1
    opcache.enable_cli=1
    opcache.interned_strings_buffer=8
    opcache.max_accelerated_files=10000
    opcache.memory_consumption=128
    opcache.save_comments=1
    opcache.revalidate_freq=1
    
    nprestart
    #open domain.name with browser.
    #create the admin account and fill in the other fields. (Remember to choose MySQL/MariaDB)
    /home/nginx/domains/domain.name/data #the place for the data directory

    Code:
    centmin
    13 #Install Redis
    1
    3
    Code:
    yum -y install redis --enablerepo=remi --disableplugin=priorities
    chkconfig redis on
    service redis start
    Code:
    cat /var/log/redis/redis.log
    #you may see warnings
    #WARNING overcommit_memory is set to 0! Background save may fail under low memory condition.
    #To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run
    #the command 'sysctl vm.overcommit_memory=1' for this to take effect.
    #If you're running OpenVZ you can't change this setting!
    --
    # You may also have the next warning. Follow instructions.
    # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis.
    #To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in
    #order to retain the setting after a reboot. Redis must be restarted after THP is disabled.

    #redis with a unix socket or a TCP socket. I use the unix socket.
    Code:
    nano /etc/redis.conf
    #set port to 0 (disables the TCP listener)
    port 0
    #uncomment and edit:
    unixsocket /tmp/redis.sock
    unixsocketperm 770
    maxclients 512
    #ctrl+x y (save and exit)
    
    usermod -a -G redis nginx
    systemctl restart redis.service
    #edit config.php
    #add lines above mail setting
    Code:
    nano /home/nginx/domains/domain.name/public/config/config.php
    'memcache.local' => '\OC\Memcache\Redis',
    'filelocking.enabled' => true,
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis' => array(
        'host' => '/tmp/redis.sock',
        'port' => 0,
        'timeout' => 0.0,
    ),
    #TCP socket: IF YOU USED THE UNIX SOCKET, DON'T DO THIS!
    Code:
    cd /home/nginx/domains/domain.name/public/config
    nano config.php
    #add the next lines
    'memcache.local' => '\OC\Memcache\Redis',
    'filelocking.enabled' => true,
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis' => array(
        'host' => 'localhost',
        'port' => 6379,
    ),
    #ctrl+x y (save and exit)
    systemctl restart redis.service
    
    #memcached is not needed
    Code:
    chkconfig memcached off
    service memcached stop
    nprestart
    reboot
    #change Ajax to Cron
    #log in to your Nextcloud as admin.
    #settings
    #click Cron
    #back to command line
    crontab -u nginx -e
    #copy, paste and save
    Code:
    */15  *  *  *  * /usr/local/bin/php -f /home/nginx/domains/domain.name/public/cron.php
    
    #verify
    Code:
    crontab -u nginx -l
    #enable the End-to-End Encryption app from Apps
    #install the mobile app on your phone, create a folder and turn end-to-end encryption on.
    #see the Nextcloud announcement "Introducing Native Integrated End-to-end Encryption" on nextcloud.com

    #if you get errors about max children
    #Determining the correct number of child processes for PHP-FPM on NGinx
    Code:
    nano /usr/local/nginx/conf/phpfpmd/phpfpm_pool2.conf
    #edit & save
    nprestart
    #follow /var/log/php-fpm/www-error.log

    #you can monitor Redis:
    Code:
    redis-cli -s /tmp/redis.sock monitor
    #or
    redis-cli monitor
    That's it!
    Looks like this setup is working, but you never know. Don't be surprised if you find something which is not working. :D
     
    Last edited: Mar 17, 2018
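Added example, not part of Meirami's post above: the post checks the download with `sha256sum -c`, but the `.sha256` file is fetched from the same server as the tarball, so a match only proves the download arrived intact, not that it is the file Nextcloud published. Nextcloud also publishes a detached PGP signature (`.asc`) next to each release tarball. The shell functions below check the checksum as the post does, refuse a checksum file that names a different file, and verify the signature when gpg and the release key are available. Assumptions (mine, not the post's): tarball, `.sha256` and `.asc` sit in the same directory, the Nextcloud release key has already been imported into root's keyring (the fingerprint is deliberately not hard-coded here; take it from nextcloud.com), and gpg may be missing on a minimal VPS.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify a Nextcloud release
# tarball before extracting it. Assumes <tarball>, <tarball>.sha256 and
# optionally <tarball>.asc are in the same directory and, for the signature
# check, that the Nextcloud release key is already in the local gpg keyring.
set -u

# verify_sha256 <tarball> <checksum-file>
# 0 only if the checksum file names this tarball and the hash matches.
verify_sha256() {
  local tarball=$1 sumfile=$2 name
  name=$(basename "$tarball")
  # a .sha256 line looks like "<hex>  <filename>"; reject one for another file
  if ! grep -qF -- "$name" "$sumfile"; then
    echo "checksum file does not reference $name" >&2
    return 1
  fi
  # sha256sum -c resolves the listed filename relative to the cwd
  (cd "$(dirname "$tarball")" && sha256sum -c --status "$(basename "$sumfile")")
}

# verify_signature <tarball> <asc-file>
# 0 on a good signature, 2 if gpg is not installed, 1 otherwise.
verify_signature() {
  local tarball=$1 asc=$2
  command -v gpg >/dev/null 2>&1 || return 2
  gpg --verify "$asc" "$tarball" >/dev/null 2>&1
}

# verify_release <tarball>
# Prints a one-line verdict; 0 only if the checksum matches and the
# signature, when it can be checked, is good.
verify_release() {
  local tarball=$1 rc=0
  verify_sha256 "$tarball" "$tarball.sha256" || { echo "FAIL sha256: $tarball" >&2; return 1; }
  if [ -f "$tarball.asc" ]; then
    verify_signature "$tarball" "$tarball.asc" || rc=$?
    case $rc in
      0) echo "OK sha256 and PGP signature: $tarball" ;;
      2) echo "OK sha256 only (gpg not installed, signature not checked): $tarball" ;;
      *) echo "FAIL PGP signature: $tarball" >&2; return 1 ;;
    esac
  else
    echo "OK sha256 only (no .asc beside the tarball): $tarball"
  fi
}

# On the server, from the directory the post downloads into:
#   for s in "" .sha256 .asc; do
#     wget -q "https://download.nextcloud.com/server/releases/nextcloud-13.0.1.tar.bz2$s"
#   done
#   verify_release nextcloud-13.0.1.tar.bz2 && tar -xjf nextcloud-13.0.1.tar.bz2
```

If gpg is present but the key is not imported, `gpg --verify` fails and the function reports a bad signature; import the key first rather than skipping the check.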
  2. eva2000
    Thanks for sharing. Love it when folks share what they're doing Centmin Mod wise and always interesting to see how other folks are doing stuff :)
     
  3. Meirami
    Damn! I found a bug.
    Crontab for nginx should look like this
    Code:
    */15  *  *  *  * /usr/local/bin/php -f /home/nginx/domains/domain.name/public/cron.php
    You cannot tell by reading the cron file which one is working and which is not.
    Code:
    Mar 17 10:00:01 tiedot CROND[18413]: (nginx) CMD (php -f /home/nginx/domains/domain.name/public/cron.php)
    Mar 18 00:35:01 tiedot CROND[3344]: (nginx) CMD (/usr/local/bin/php -f /home/nginx/domains/domain.name/public/cron.php)
    Neither line has any errors below or above it.
    No errors in any log. Last line is working.

    Only way to find out if it's working is to open your Nextcloud's admin page with a browser and see basic settings. There's line "Background jobs Last job ran 1 minute ago."

    Can I somehow edit my post to add corrected line?
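Added example, not part of Meirami's post: the two log lines quoted above show the cause. cron does not use the login shell's PATH; on CentOS 7 a user crontab runs with cron's own default PATH (typically /usr/bin:/bin) unless the crontab sets one, and Centmin Mod's php lives in /usr/local/bin, so a bare `php` is "command not found" while the absolute path works. The shell functions below reproduce that lookup against an arbitrary PATH and scan /var/log/cron for CROND entries whose command word is not an absolute path. The sample lines are the two the post quotes; everything else is my addition. One caveat for later in this thread: `MAILTO=""` also silences the "command not found" mail that would have reported exactly this.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find cron jobs that rely on
# cron's PATH instead of an absolute binary path, the bug the post hit.
set -u

# resolve_in_path <name> <PATH-string>
# Prints the first executable <dir>/<name> found in the given PATH, or
# nothing (status 1). Lets you test a command against cron's PATH rather
# than your login shell's.
resolve_in_path() {
  local name=$1 path=$2 dir
  local IFS=:
  for dir in $path; do
    if [ -x "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  return 1
}

# flag_relative_cron_cmds < /var/log/cron
# For every "CROND[pid]: (user) CMD (command)" line, print "user command"
# when the command's first word is not an absolute path.
flag_relative_cron_cmds() {
  awk '
    / CROND\[[0-9]+]: \(/ && / CMD \(/ {
      user = $0; sub(/.*CROND\[[0-9]+]: \(/, "", user); sub(/\).*/, "", user)
      cmd = $0;  sub(/.*\) CMD \(/, "", cmd);           sub(/\)[ \t]*$/, "", cmd)
      split(cmd, w, " ")
      if (w[1] !~ /^\//) print user " " cmd
    }'
}

# Sample input: the two /var/log/cron lines quoted in the post, one with a
# relative "php", one with the absolute path that worked.
SAMPLE_CRON_LOG='Mar 17 10:00:01 tiedot CROND[18413]: (nginx) CMD (php -f /home/nginx/domains/domain.name/public/cron.php)
Mar 18 00:35:01 tiedot CROND[3344]: (nginx) CMD (/usr/local/bin/php -f /home/nginx/domains/domain.name/public/cron.php)'

# On the server:
#   flag_relative_cron_cmds < /var/log/cron
#   resolve_in_path php /usr/bin:/bin     # cron's PATH: prints nothing on Centmin Mod
#   resolve_in_path php "$PATH"           # your shell: /usr/local/bin/php
```

Running the sample through `flag_relative_cron_cmds` prints only the first job, `nginx php -f /home/nginx/domains/domain.name/public/cron.php`, which is the line the post had to correct.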
     
  4. eva2000
    edited for you :)
     
  5. hardousse
    Good work (y) I will test and give feedback
     
  6. Meirami
    Let's Encrypt certificate won't auto-renew with the above settings. (Can you @eva2000 edit the post? Just the domain.name.ssl.conf part)
    Add to domain.name.ssl.conf
    Code:
    #Let's Encrypt renewal
        location ~ ^/\.well-known/acme-challenge/ {
            allow all;
        }
    
    Below
    Code:
      location / {
        rewrite ^ /index.php$request_uri;
        include /usr/local/nginx/conf/php-pool2.conf;
        }
    
    And that should work...

    And a security update.
    unsafe nginx config · Issue #5117 · nextcloud/server
    Change three lines.
    Code:
    rewrite ^ /index.php$uri; --> rewrite ^ /index.php$request_uri;
    try_files $uri /index.php$uri$is_args$args; --> try_files $uri /index.php$request_uri;
    try_files $uri /index.php$uri$is_args$args; --> try_files $uri /index.php$request_uri;

    Some additional settings.
    Mail settings in my Nextcloud admin page, additional settings.
    Send mode PHP
    mail: no-reply@domain.name
    and Nextcloud's config.php last lines looks like this.
    Code:
      'mail_from_address' => 'no-reply',
      'mail_smtpmode' => 'php',
      'mail_smtpauthtype' => 'LOGIN',
      'mail_domain' => 'domain.name',
      'updater.release.channel' => 'stable',
      'mail_smtphost' => '127.0.0.1',
      'mail_smtpport' => 25,
      'mail_smtptimeout' => 30,
      'mail_smtpsecure' => 'TLS',
      'mail_smtpauth' => false,
      'mail_smtpname' => '',
    
    I have also set up Nextcloud's own logrotate setting so nextcloud.log won't grow too much.
    Add this to config.php. You can set your own size.
    Code:
    'log_rotate_size' => 2048576,
    If you don't want an email in nginx's mailbox from every cron job it runs, do this.
    Code:
    crontab -e -u nginx
    Add this to the top.
    MAILTO=""

    Preview generator is a nice Nextcloud app if you upload a lot of pics and vids and want to see thumbs fast.
    Videos need ffmpeg installed, and with Centmin Mod it's normally installed in /opt/bin.
    So you need to edit phpfpm_pool2.conf and make sure there's /opt/bin.
    Code:
    env[PATH] = /usr/local/bin:/usr/bin:/bin:/opt/bin
    I have set these lines to config.php, but it's possible use more.
    Code:
      'enable_previews' => true,
      'enabledPreviewProviders' =>
      array (
        0 => 'OC\\Preview\\Image',
        1 => 'OC\\Preview\\Movie',
        2 => 'OC\\Preview\\TXT',
      ),
    
    There are some changes to MariaDB also.
    Recommendation for MariaDB · Issue #10159 · nextcloud/server
    MariaDB does not use the transaction isolation level "READ-COMMITTED" as default.
    So...
    At least two rows should be added to /etc/my.cnf in the mysqld-section:
    Code:
    [mysqld]
    ...
    transaction_isolation = READ-COMMITTED
    binlog_format = ROW
    ...
    I followed one guide earlier but I can't find it just now. It said that you have to run the next command in MariaDB too.
    Code:
    mysql -u root -p
    ---
    SET GLOBAL TRANSACTION ISOLATION LEVEL READ COMMITTED; SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED;
    Does anyone know if that is necessary?
    Is it possible that my.cnf can be overwritten when updating MariaDB?

    If someone follows this thread, please report if you see any security or performance related changes in admin's manual or in github.
    Thank You!
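Added example, not part of the post above: the "three lines" change replaces every `/index.php$uri...` fallback in the vhost with `/index.php$request_uri` (nginx's `$uri` is the normalised, percent-decoded path after rewrites; `$request_uri` is the request line exactly as the client sent it; the post links the upstream issue for the reasoning). Rather than hunting for the lines by eye, the shell functions below list any remaining `$uri` form in a vhost file, rewrite the two patterns in place with a `.bak` copy, and check that the acme-challenge location added earlier in the post is present. Assumptions, mine not the post's: GNU sed (`-E`, `-i`) as on CentOS 7, and Centmin Mod's vhost path `/usr/local/nginx/conf/conf.d/domain.name.ssl.conf`. The config snippet used to exercise it is constructed from the lines quoted in the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): lint and fix a Centmin Mod
# Nextcloud vhost for the "$uri" lines the post says to change, and check
# the Let's Encrypt challenge location is present. Assumes GNU sed.
set -u

# find_unsafe_index_uri <vhost.conf>
# Prints "lineno:text" for every line that still hands $uri to index.php.
# Status 0 if any were found, 1 if the file is clean.
find_unsafe_index_uri() {
  grep -nE '/index\.php\$uri' "$1"
}

# fix_unsafe_index_uri <vhost.conf>
# Rewrites the two patterns in place (original kept as <file>.bak) and
# prints how many offending lines were changed.
fix_unsafe_index_uri() {
  local f=$1 before after
  before=$(grep -cE '/index\.php\$uri' "$f" || true)
  sed -E -i.bak \
    -e 's#rewrite \^ /index\.php\$uri;#rewrite ^ /index.php$request_uri;#' \
    -e 's#try_files \$uri /index\.php\$uri\$is_args\$args;#try_files $uri /index.php$request_uri;#' \
    "$f"
  after=$(grep -cE '/index\.php\$uri' "$f" || true)
  echo $((before - after))
}

# has_acme_location <vhost.conf>
# 0 if an uncommented location for /.well-known/acme-challenge exists,
# i.e. Let's Encrypt renewal is not swallowed by the index.php rewrite.
has_acme_location() {
  grep -E 'location[^;]*acme-challenge' "$1" | grep -qv '^[[:space:]]*#'
}

# On the server:
#   f=/usr/local/nginx/conf/conf.d/domain.name.ssl.conf
#   find_unsafe_index_uri "$f" && fix_unsafe_index_uri "$f"
#   has_acme_location "$f" || echo "add the acme-challenge location or renewals will fail"
#   nginx -t && nprestart
```

Always run `nginx -t` before `nprestart`; the sed only touches the two exact patterns, so a hand-edited variant (different spacing, `$uri$is_args$args` in a new location) shows up in `find_unsafe_index_uri` but is left for you to fix by hand.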
     
  7. eva2000
    Actually, just gave long time members editing thread/post permissions in this specific Centmin Mod User Tutorials & Guides forum indefinitely instead of time limited. So you should be able to edit your posts within this thread.
     
  8. noly
    Thank you very much @Meirami
    Your post helped me a lot!
     
  9. Meirami
    The old guide works quite well with Nextcloud 17. Of course I did something differently this time. Do the things which are not here like earlier. Follow both guides. ;)
    Started with this.
    Code:
    setenforce 0
    mkdir -p /etc/centminmod
    echo "PHPFINFO='y'" >> /etc/centminmod/custom_config.inc
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
    echo "MARIADB_INSTALLTENTHREE='y'" >> /etc/centminmod/custom_config.inc
    yum -y update; curl -O https://centminmod.com/betainstaller73.sh && chmod 0700 betainstaller73.sh && bash betainstaller73.sh
    I didn't copy the original my.cnf, so I can't check. I think I changed or added these.
    Code:
    # [client] / [mysql] sections only: mysqld does not accept default-character-set and refuses to start with "unknown variable"
    default-character-set=utf8mb4
    # [mysqld] section:
    character-set-server=utf8mb4
    collation-server = utf8mb4_general_ci
    transaction_isolation = READ-COMMITTED
    bind-address=127.0.0.1 (uncomment)
    default-storage-engine = InnoDB
    binlog_format=ROW (uncomment)
    default_storage_engine=InnoDB (uncomment)
    More help: "Nextcloud 17 installation guide and more (Ubuntu/NGINX)" by Carsten Rieger IT-Services, and "Database configuration" in the Nextcloud Administration Manual.

    This is different.
    Code:
    CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
    CREATE USER nextcloud@localhost IDENTIFIED BY 'nextcloud'; -- 'nextcloud' is a placeholder, use a real password
    GRANT ALL PRIVILEGES ON nextcloud.* TO nextcloud@localhost;
    FLUSH PRIVILEGES;
    quit;
    Domain.name.ssl.conf is different. This may need changes later. Did this quite fast.
    Code:
    upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php/php7.2-fpm.sock;
    }
    #x# HTTPS-DEFAULT
     server {
     
       server_name domain.name www.domain.name;
       return 302 https://domain.name$request_uri;
    #   include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    
    server {
      listen 443 ssl http2 reuseport;
      server_name domain.name www.domain.name;
    
      include /usr/local/nginx/conf/ssl/domain.name/domain.name.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.name/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;
     
    #from nextcloud's guide
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
    
        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;
    #from nextcloud ends
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.name/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.name/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.name/autoprotect-domain.name.conf;
      root /home/nginx/domains/domain.name/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
    
      location / {
      rewrite ^ /index.php$request_uri;
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.name.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
    #  include /usr/local/nginx/conf/staticfiles.conf;
    #staticfiles.conf replaced; only acme-challenge here.
        location ~ /.well-known {
            location ~ /.well-known/acme-challenge/(.*) {
                more_set_headers "Content-Type: text/plain";
            }
        }
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
            deny all;
        }
        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
    
        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            # Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            # Enable pretty urls
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
    #        fastcgi_intercept_errors on; Turned on -> /usr/local/nginx/conf/fastcgi_params
            fastcgi_request_buffering off;
        }
    
        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
            try_files $uri/ =404;
            index index.php;
        }
    
        # Adding the cache control header for js, css and map files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header Referrer-Policy "no-referrer" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Download-Options "noopen" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Permitted-Cross-Domain-Policies "none" always;
            add_header X-Robots-Tag "none" always;
            add_header X-XSS-Protection "1; mode=block" always;
    
            # Optional: Don't log access to assets
            access_log off;
        }
    
        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
            try_files $uri /index.php$request_uri;
            # Optional: Don't log access to other assets
            access_log off;
        }
    #
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
    #From nextcloud's guide (caldav and carddav)
        location = /.well-known/carddav {
          return 301 $scheme://$host:$server_port/remote.php/dav;
        }
        location = /.well-known/caldav {
          return 301 $scheme://$host:$server_port/remote.php/dav;
        }
    #GZIP PART REMOVED
    
    
     #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Turn fastcgi_intercept_errors on at /usr/local/nginx/conf/fastcgi_params

    fpmconf
    Add the envs there. Didn't uncomment the pool conf this time.
    Code:
    env[HOSTNAME] = $HOSTNAME
    env[PATH] = /usr/local/bin:/usr/bin:/bin:/opt/bin
    env[TMP] = /tmp
    env[TMPDIR] = /tmp
    env[TEMP] = /tmp
    Code:
    cp /etc/centminmod/php.d/a_customphp.ini /etc/centminmod/php.d/b_customphp.ini
    Edit b-file and check opcache settings. I use these.
    Code:
    opcache.enable=1
    opcache.enable_cli=1
    opcache.interned_strings_buffer=8
    opcache.max_accelerated_files=10000
    opcache.memory_consumption=128
    opcache.save_comments=1
    opcache.revalidate_freq=1
    I edited these too.
    Code:
    upload_max_filesize = 1024M
    memory_limit = 1024M
    post_max_size = 1024M
    I changed unixsocket /tmp/redis.sock to /var/run/redis/redis.sock. Of course, if you get errors about max children, those have to be edited in php-fpm.conf (fpmconf).

    And that's it. Something new and something old. I don't know if this is better than before or not... What do you think? Any comments?
     
    Last edited: Oct 7, 2019
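Added example, not part of either of Meirami's posts: the thread touches /etc/my.cnf in three places (uncommenting `bind-address=127.0.0.1` in the first post, adding `transaction_isolation` and `binlog_format` in post 6, and the utf8mb4 lines in the Nextcloud 17 update above), and post 6 asks whether my.cnf survives a MariaDB update. The shell functions below read my.cnf section by section the way mysqld does (comments skipped, last setting wins, `-` and `_` interchangeable) and report what is missing. They also flag `default-character-set` under `[mysqld]`: that is a client option, mysqld refuses to start with "unknown variable" when it finds it there, so it belongs under `[client]` or `[mysql]` while the server uses `character-set-server`. The my.cnf fragments used to exercise the audit are constructed; the audit only reads the file and never touches the running server. Running it again after `yum update` answers the post's second question for your own box.

```bash
#!/usr/bin/env bash
# Added example (not from the original posts): section-aware audit of
# /etc/my.cnf for the Nextcloud-related settings discussed in this thread.
set -u

# mycnf_get <file> <section> <key>
# Prints the value of <key> inside [<section>]; comments (# or ;) are
# skipped, the last occurrence wins, and '-' and '_' in the key are treated
# as equal, as mysqld does. Status 1 if the key is not set in that section.
mycnf_get() {
  awk -v want="$2" -v key="$3" '
    function norm(s) { gsub(/-/, "_", s); return s }
    /^[ \t]*[[]/ { sec = $0; sub(/^[ \t]*[[]/, "", sec); sub(/].*/, "", sec); next }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    sec == want {
      line = $0; sub(/^[ \t]+/, "", line)
      k = line; sub(/[ \t]*=.*/, "", k)
      if (norm(k) == norm(key)) {
        val = line
        if (index(val, "=")) { sub(/^[^=]*=[ \t]*/, "", val) } else { val = "" }
        sub(/[ \t]+$/, "", val); found = 1
      }
    }
    END { if (found) { print val; exit 0 } exit 1 }
  ' "$1"
}

# mycnf_audit <file>
# Prints one line per finding plus a summary; status 0 only when clean.
mycnf_audit() {
  local f=$1 v n=0
  v=$(mycnf_get "$f" mysqld bind-address) || v=""
  if [ "$v" != "127.0.0.1" ]; then
    echo "[mysqld] bind-address is '${v:-unset}': the post binds MariaDB to 127.0.0.1 so it is not reachable from other hosts"
    n=$((n + 1))
  fi
  v=$(mycnf_get "$f" mysqld transaction_isolation) || v=""
  if [ "$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]')" != "READ-COMMITTED" ]; then
    echo "[mysqld] transaction_isolation is '${v:-unset}', Nextcloud expects READ-COMMITTED"
    n=$((n + 1))
  fi
  v=$(mycnf_get "$f" mysqld binlog_format) || v=""
  if [ "$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]')" != "ROW" ]; then
    echo "[mysqld] binlog_format is '${v:-unset}', Nextcloud expects ROW"
    n=$((n + 1))
  fi
  if mycnf_get "$f" mysqld default-character-set >/dev/null; then
    echo "[mysqld] default-character-set is a client-only option and makes mysqld fail with 'unknown variable'; use character-set-server here and move it to [client]/[mysql]"
    n=$((n + 1))
  fi
  echo "$n finding(s) in $f"
  [ "$n" -eq 0 ]
}

# On the server:
#   mycnf_audit /etc/my.cnf
#   mysql -u root -p -e "SELECT @@GLOBAL.tx_isolation, @@GLOBAL.binlog_format;"   # what the running server actually uses
```

The second command in the usage note is the runtime counterpart of the file check: the SET GLOBAL statement quoted in post 6 only changes the running instance, so if my.cnf is right the SELECT should agree with it after a restart without running SET GLOBAL at all.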
  10. modder
    Hello, I'm a new comer.

    My immediate goal is to have my https://website.domain.com running with let's encrypt cert.

    I followed pretty much everything you did (up to creating the new database) on my new VPS and I got this:

    https://upload.cc/i1/2019/12/08/P0yU9h.gif

    I use cloudflare.

    https://upload.cc/i1/2019/12/08/H8T5AD.gif

    https://upload.cc/i1/2019/12/08/moPair.gif

    How do I troubleshoot it? Thanks!
     
    Last edited: Dec 8, 2019
  11. eva2000
  12. Meirami
    I don't use Cloudflare, so I can't help with it.

    My guide is a little bit outdated because of this: Urgent security issue in NGINX/php-fpm
    -> keep your nginx, php etc. updated and edit a few lines. After that, you're good to go.
     
  13. skringjer
    @Meirami Thank you soo soo much for this awesome guide. Used it on Nextcloud 19, worked like a charm. If you have time and want to update it please go ahead or make a new thread; otherwise, if there is nothing to update, then it's perfect.

    This is why Centmin is so great, due to Eva :p :p and secondly due to this awesome community.
     
  14. Kintaro
    Last edited: Nov 4, 2022
  15. eva2000
    Thanks for sharing that info :)