
Install Nextcloud 13

Discussion in 'Centmin Mod User Tutorials & Guides' started by Meirami, Mar 17, 2018.

  1. Meirami

    Meirami Member

    My guide starts from the very beginning. The new fresh vps has just deployed with Centos 7.
    This guide may have errors. And because I'm not a professional there may be security holes just because I have done something wrong. So, if you follow this and something bad happens, blame yourself. You have been warned. I've done my best but I don't know if it's enough or not. Please report changes which make this better and safer.

    #log in as root or user with root privileges
    #for Centmin Mod
    #disable selinux if in use
    Code:
    setenforce 0
    #enable PHP module fileinfo (highly recommended, enhances file analysis performance)
    #and enable Let's Encrypt detection
    Code:
    mkdir -p /etc/centminmod
    echo "PHPFINFO='y'" >> /etc/centminmod/custom_config.inc
    echo LETSENCRYPT_DETECT='y' >> /etc/centminmod/custom_config.inc
    #install Centmin Mod beta (fully working)
    #Centmin Mod LEMP Stack Install Nginx on CentOS
    Code:
    yum -y update; curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
    #read Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS
    #do initial settings except 2
    #that's done in this guide

    #change ssh port from default 22 to something else
    #reduces bots trying to log in
    Code:
    centmin
    16
    #follow the instructions

    #run Centmin menu option #2
    y #continue
    domain.name
    n #we don't need self-signed certificate.
    y #we'll use Letsencrypt
    #I suppose domain is set
    y #continue
    y #continue
    4 #live cert with HTTPS default (trusted)
    ftpusername #or whatever you like
    y #auto generate FTP password
    y #continue

    #run Centmin menu option #5 and upgrade PHP
    y #YUM install check
    y #continue
    7.2.3 #wanted PHP version (check if there's newer PHP: Hypertext Preprocessor)
    y #let's use Zend OPcache
    n #don't re-add legacy mysql extension

    #exit
    24

    #bind mysql to 127.0.0.1
    Code:
    nano /etc/my.cnf
    #uncomment bind-address=127.0.0.1 (remove #)

    #setup database
    #you can try /usr/local/src/centminmod/addons/mysqladmin_shell.sh setuserdb
    #or do it like before
    Code:
    mysqladmin -u root -p create nextclouddb
    mysql -u root -p -e "CREATE USER '1username'@'localhost' IDENTIFIED BY 'myslipassu';"
    mysql -u root -p -e "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES, CREATE TEMPORARY TABLES ON nextclouddb.* TO '1username'@'localhost'; FLUSH PRIVILEGES;"
    
    #clear home from unnecessary files
    #download, extract and install NC
    Code:
    cd /home/nginx/domains/domain.name/public
    rm * -Rf #make sure you are in the right directory!!
    cd /home/nginx/domains/domain.name/private
    mkdir nextcloud
    cd nextcloud/
    #check the newest version The most popular self-hosted file share and collaboration platform
    Code:
    wget https://download.nextcloud.com/server/releases/nextcloud-13.0.1.tar.bz2
    wget https://download.nextcloud.com/server/releases/nextcloud-13.0.1.tar.bz2.sha256
    sha256sum -c nextcloud-13.0.1.tar.bz2.sha256
    tar -xjf nextcloud-13.0.1.tar.bz2
    cd nextcloud
    
    cp -Rpf /home/nginx/domains/domain.name/private/nextcloud/nextcloud/. /home/nginx/domains/domain.name/public
    cd /home/nginx/domains/domain.name/public
    chown -R nginx:nginx /home/nginx/domains/domain.name/public #one explicit path: a bare ".*" also matches ".." and would chown the whole parent tree
    rm -rf /home/nginx/domains/domain.name/private/nextcloud
    Code:
    nano /usr/local/nginx/conf/ssl_include.conf
    #delete TLSv1 and TLSv1.1
    # Not using TLSv1 will break:
    # Android <= 4.4.40
    # IE <= 10
    # IE mobile <=10
    # Removing TLSv1.1 breaks nothing else!

    #take a backup from the domain.name.ssl.conf then edit
    Code:
    nano domain.name.ssl.conf
    
    #delete all inside
    #paste everything below between ## -lines

    Code:
    ##
    upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php5-fpm.sock;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name domain.name;
        # enforce https
        return 302 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name domain.name;

        #keys' locations
        include /usr/local/nginx/conf/ssl/domain.name/domain.name.crt.key.conf;
        #ssl settings
        include /usr/local/nginx/conf/ssl_include.conf;

        http2_max_field_size 16k;
        http2_max_header_size 32k;

        # mozilla recommended
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;
        #add_header Alternate-Protocol  443:npn-spdy/3;

        # Add headers to serve security related headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.

        ssl_buffer_size 1369;
        ssl_session_tickets on;

        # enable ocsp stapling
        resolver 8.8.8.8 8.8.4.4 valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;

        access_log /home/nginx/domains/domain.name/log/access.log combined buffer=256k flush=5m;
        error_log /home/nginx/domains/domain.name/log/error.log;
        include /usr/local/nginx/conf/autoprotect/domain.name/autoprotect-domain.name.conf;

        # Path to the root of your installation
        root /home/nginx/domains/domain.name/public;

        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

        location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
        }

        # set max upload size
        client_max_body_size 1024M;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;

        location / {
            rewrite ^ /index.php$request_uri;
            include /usr/local/nginx/conf/php-pool2.conf;
        }

        #Let's Encrypt renewal (must come before the "deny all" regex locations below;
        #the first matching regex location wins)
        location ~ ^/\.well-known/acme-challenge/ {
            allow all;
        }

        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_request_buffering off;
        }

        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }

        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=31536000";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # The ones above removed because those are hardcoded in NC13.
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }

        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$request_uri;
            # Optional: Don't log access to other assets
            access_log off;
        }

        include /usr/local/nginx/conf/pre-staticfiles-local-domain.name.conf;
        include /usr/local/nginx/conf/pre-staticfiles-global.conf;
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;

        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
        include /usr/local/nginx/conf/vts_server.conf;

    }
    ##
    Code:
    nano /usr/local/nginx/conf/fastcgi_params
    fastcgi_intercept_errors on; #edit off to on
    #default is off in centmin mod.

    Code:
    fpmconf
    #uncomment (=remove ;) and save
    ;include=/usr/local/nginx/conf/phpfpmd/*.conf
    Code:
    cd /usr/local/nginx/conf/phpfpmd
    nano phpfpm_pool2.conf
    #add lines below to the end
    env[HOSTNAME] = $HOSTNAME
    env[PATH] = /usr/local/bin:/usr/bin:/bin
    env[TMP] = /tmp
    env[TMPDIR] = /tmp
    env[TEMP] = /tmp

    Code:
    cd /etc/centminmod/php.d/
    cp zendopcache.ini zendopcache_custom.ini
    nano zendopcache_custom.ini
    #edit:
    opcache.enable=1
    opcache.enable_cli=1
    opcache.interned_strings_buffer=8
    opcache.max_accelerated_files=10000
    opcache.memory_consumption=128
    opcache.save_comments=1
    opcache.revalidate_freq=1
    
    nprestart
    #open domain.name with browser.
    #create admin account and fill other empty spaces. (Remember to choose MySQL)
    /home/nginx/domains/domain.name/data #the place for the data directory

    Code:
    centmin
    13 #Install Redis
    1
    3
    Code:
    yum -y install redis --enablerepo=remi --disableplugin=priorities
    chkconfig redis on
    service redis start
    Code:
    cat /var/log/redis/redis.log
    #you may see warnings
    #WARNING overcommit_memory is set to 0! Background save may fail under low memory condition.
    #To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run
    #the command 'sysctl vm.overcommit_memory=1' for this to take effect.
    #If you're running OpenVZ you can't change this setting!
    --
    # You may also have the next warning. Follow instructions.
    # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis.
    #To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in
    #order to retain the setting after a reboot. Redis must be restarted after THP is disabled.

    #redis with unix socket or TCP socket. I have unix socket.
    Code:
    nano /etc/redis.conf
    #change port to 0.
    #uncomment and edit:
    unixsocket /tmp/redis.sock
    unixsocketperm 770
    maxclients 512
    #ctrl+x y (save and exit)
    
    usermod -a -G redis nginx
    systemctl restart redis.service
    #edit config.php
    #add lines above mail setting
    Code:
    nano /home/nginx/domains/domain.name/public/config/config.php
    'memcache.local' => '\OC\Memcache\Redis',
    'filelocking.enabled' => true, // boolean, not the string 'true'
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis' => array(
        'host' => '/tmp/redis.sock',
        'port' => 0,
        'timeout' => 0.0,
    ),
    #TCPsocket IF YOU DID UnixSOCKET DON'T DO THIS!
    Code:
    cd /home/nginx/domains/domain.name/public/config
    nano config.php
    #add next lines
    'memcache.local' => '\OC\Memcache\Redis',
    'filelocking.enabled' => true, // boolean, not the string 'true'
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis' => array(
        'host' => 'localhost',
        'port' => 6379,
    ),
    #ctrl+x y (save and exit)
    systemctl restart redis.service
    
    #memcached is not needed
    Code:
    chkconfig memcached off
    service memcached stop
    nprestart
    reboot
    #change Ajax to Cron
    #log in to your Nextcloud as admin.
    #settings
    #click Cron
    #back to command line
    crontab -u nginx -e
    #copy, paste and save
    Code:
    */15  *  *  *  * /usr/local/bin/php -f /home/nginx/domains/domain.name/public/cron.php
    
    #verify
    Code:
    crontab -u nginx -l
    #enable from apps End-to-End Encryption
    #install mobile app to your phone, create a folder and turn end-to-end encryption on.
    #Nextcloud Introducing Native Integrated End-to-end Encryption – The most popular self-hosted file share and collaboration platform

    #if you get errors about max children
    #Determining the correct number of child processes for PHP-FPM on NGinx
    Code:
    nano /usr/local/nginx/conf/phpfpmd/phpfpm_pool2.conf
    #edit & save
    nprestart
    #follow /var/log/php-fpm/www-error.log

    #you can monitor Redis:
    Code:
    redis-cli -s /tmp/redis.sock monitor
    #or
    redis-cli monitor
    That's it!
    Looks like this setup is working but you never know. Don't be surprised if you find something which is not working. :D
     
    Last edited: Mar 17, 2018
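An added example, not code from Meirami's post or from Centmin Mod: a small POSIX shell audit for three of the hardening edits the guide makes by hand in nano (MariaDB bound to 127.0.0.1 in /etc/my.cnf, TLSv1 and TLSv1.1 removed from ssl_include.conf, and Redis moved to a unix socket that is not world-accessible in /etc/redis.conf). The file paths come from the guide and are passed as arguments, so the same functions run against the live files or against the constructed sample files that write_samples creates; the sample contents are made up for this example and are not copies of real Centmin Mod files.

```shell
#!/bin/sh
# Added example (not part of the original post): post-install audit for three
# hardening steps from the guide. Paths are arguments so it can be run against
# the real files or the constructed samples below.
# usage: audit_hardening /etc/my.cnf /usr/local/nginx/conf/ssl_include.conf /etc/redis.conf

# check_mysql_bind FILE: an active (uncommented) bind-address=127.0.0.1 line.
check_mysql_bind() {
    grep -Eq '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1' "$1"
}

# check_tls_versions FILE: ssl_protocols is set and lists neither TLSv1 nor TLSv1.1
# (TLSv1.2 and TLSv1.3 are not matched because the version continues after "TLSv1").
check_tls_versions() {
    grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$1" || return 1
    ! grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" |
        grep -Eq 'TLSv1(\.1)?([[:space:];]|$)'
}

# check_redis_socket FILE: TCP listener off (port 0), a unixsocket path, and a
# unixsocketperm whose "other" digit is 0 (root, redis and group members only).
check_redis_socket() {
    grep -Eq '^[[:space:]]*port[[:space:]]+0[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*unixsocket[[:space:]]+/' "$1" &&
    grep -Eq '^[[:space:]]*unixsocketperm[[:space:]]+[0-7][0-7]0[[:space:]]*$' "$1"
}

# audit_hardening MYCNF SSL_INCLUDE REDIS_CONF: print one line per check and
# return the number of failed checks (0 means everything passed).
audit_hardening() {
    fails=0
    check_mysql_bind "$1" && echo "ok   MariaDB bound to 127.0.0.1" \
        || { echo "FAIL MariaDB is not bound to loopback ($1)"; fails=$((fails + 1)); }
    check_tls_versions "$2" && echo "ok   no TLSv1/TLSv1.1 in ssl_protocols" \
        || { echo "FAIL legacy TLS still enabled or ssl_protocols missing ($2)"; fails=$((fails + 1)); }
    check_redis_socket "$3" && echo "ok   Redis on unix socket, not world-accessible" \
        || { echo "FAIL Redis still on TCP or socket perms too open ($3)"; fails=$((fails + 1)); }
    return "$fails"
}

# write_samples DIR MODE: constructed sample files (MODE = good | weak) so the
# audit can be exercised offline; not copies of real Centmin Mod files.
write_samples() {
    if [ "$2" = good ]; then
        printf '[mysqld]\nbind-address=127.0.0.1\n' > "$1/my.cnf"
        printf 'ssl_protocols TLSv1.2;\nssl_session_cache shared:SSL:10m;\n' > "$1/ssl_include.conf"
        printf 'port 0\nunixsocket /tmp/redis.sock\nunixsocketperm 770\nmaxclients 512\n' > "$1/redis.conf"
    else
        printf '[mysqld]\n#bind-address=127.0.0.1\n' > "$1/my.cnf"
        printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$1/ssl_include.conf"
        printf 'port 6379\nunixsocketperm 777\n' > "$1/redis.conf"
    fi
}
```

The checks only look at uncommented directives, so the commented-out `#bind-address` line that Centmin Mod ships still counts as a failure until it is actually uncommented. The return value is the number of failed checks, which makes the function usable as a gate in a provisioning script (`audit_hardening ... || echo "fix before going live"`).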
  2. eva2000

    eva2000 Administrator Staff Member

    Thanks for sharing. Love it when folks share what they're doing Centmin Mod wise and always interesting to see how other folks are doing stuff :)
     
  3. Meirami

    Meirami Member

    Damn! I found a bug.
    Crontab for nginx should look like this
    Code:
    */15  *  *  *  * /usr/local/bin/php -f /home/nginx/domains/domain.name/public/cron.php
    Cannot say by reading the cron file which one is working and which is not.
    Code:
    Mar 17 10:00:01 tiedot CROND[18413]: (nginx) CMD (php -f /home/nginx/domains/domain.name/public/cron.php)
    Mar 18 00:35:01 tiedot CROND[3344]: (nginx) CMD (/usr/local/bin/php -f /home/nginx/domains/domain.name/public/cron.php)
    Both lines don't have any errors below or above them.
    No errors in any log. Last line is working.

    Only way to find out if it's working is to open your Nextcloud's admin page with a browser and see basic settings. There's line "Background jobs Last job ran 1 minute ago."

    Can I somehow edit my post to add corrected line?
     
  4. eva2000

    eva2000 Administrator Staff Member

    edited for you :)
     
  5. hardousse

    hardousse Active Member

    Good work (y) I will test and give feedback.
     
  6. Meirami

    Meirami Member

    Let's Encrypt certificate won't auto-renew with above settings. (Can you @eva2000 edit the post? Just the domain.name.ssl.conf part.)
    Add to domain.name.ssl.conf
    Code:
    #Let's Encrypt renewal
    location ~ ^/\.well-known/acme-challenge/ {
        allow all;
    }
    
    Below
    Code:
    location / {
        rewrite ^ /index.php$request_uri;
        include /usr/local/nginx/conf/php-pool2.conf;
    }
    
    And that should work...

    And security update.
    unsafe nginx config · Issue #5117 · nextcloud/server
    Change three lines.
    Code:
    rewrite ^ /index.php$uri; --> rewrite ^ /index.php$request_uri;
    try_files $uri /index.php$uri$is_args$args; --> try_files $uri /index.php$request_uri;
    try_files $uri /index.php$uri$is_args$args; --> try_files $uri /index.php$request_uri;

    Some additional settings.
    Mail settings in my Nextcloud admin page, additional settings.
    Send mode PHP
    mail: [email protected]
    and Nextcloud's config.php last lines looks like this.
    Code:
      'mail_from_address' => 'no-reply',
      'mail_smtpmode' => 'php',
      'mail_smtpauthtype' => 'LOGIN',
      'mail_domain' => 'domain.name',
      'updater.release.channel' => 'stable',
      'mail_smtphost' => '127.0.0.1',
      'mail_smtpport' => 25,
      'mail_smtptimeout' => 30,
      'mail_smtpsecure' => 'TLS',
      'mail_smtpauth' => false,
      'mail_smtpname' => '',
    
    I have also set up Nextcloud's own logrotate setting so nextcloud.log won't grow too much.
    Add this to config.php. You can set your own size.
    Code:
    'log_rotate_size' => 2048576,
    If you don't want to have email to nginx's mailbox from every cronjob it runs, do this.
    Code:
    crontab -e -u nginx
    Add this to the top.
    MAILTO=""

    Preview generator is a nice Nextcloud app if you upload a lot of pics and vids and want to see thumbs fast.
    Videos need ffmpeg installed and with centminmod it's normally installed to /opt/bin.
    So you need to edit phpfpm_pool2.conf and make sure there's /opt/bin.
    Code:
    env[PATH] = /usr/local/bin:/usr/bin:/bin:/opt/bin
    I have set these lines in config.php, but it's possible to use more.
    Code:
      'enable_previews' => true,
      'enabledPreviewProviders' =>
      array (
        0 => 'OC\\Preview\\Image',
        1 => 'OC\\Preview\\Movie',
        2 => 'OC\\Preview\\TXT',
      ),
    
    There are some changes to MariaDB also.
    Recommendation for MariaDB · Issue #10159 · nextcloud/server
    MariaDB does not use the transaction isolation level "READ-COMMIT" as default.
    So...
    At least two rows should be added to /etc/my.cnf in the mysqld-section:
    Code:
    [mysqld]
    ...
    transaction_isolation = READ-COMMITTED
    binlog_format = ROW
    ...
    I followed one guide earlier but I can't find it just now. It said that you have to run the next command in MariaDB too.
    Code:
    mysql -u root -p
    ---
    SET GLOBAL TRANSACTION ISOLATION LEVEL READ COMMITTED; SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED;
    Does anyone know if that is necessary?
    Is it possible that my.cnf can be overwritten when updating MariaDB?

    If someone follows this thread, please report if you see any security or performance related changes in admin's manual or in github.
    Thank You!
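An added example, not code from this thread, from Nextcloud or from Centmin Mod: a POSIX shell audit of a Nextcloud nginx vhost for the corrections in the post above (the acme-challenge location so Let's Encrypt can renew, and no remaining `/index.php$uri` rules per nextcloud/server issue #5117) plus the two `deny all` blocks from the original config. The vhost path is an argument; write_sample_vhost produces a constructed minimal vhost in either the corrected or the legacy form so the checks can be exercised offline, and it is not a copy of any real vhost file.

```shell
#!/bin/sh
# Added example (not part of the thread): audit a Nextcloud vhost for the
# post's corrections and the protected-directory blocks. Returns the number
# of findings so it can gate a reload.
# usage: audit_nc_vhost /path/to/domain.name.ssl.conf

# count_unsafe_uri FILE: number of rewrite/try_files lines that still hand
# "$uri" (the decoded, normalised path) to index.php instead of "$request_uri".
count_unsafe_uri() {
    grep -Ec '^[[:space:]]*(rewrite|try_files)[[:space:]].*/index\.php\$uri' "$1" || true
}

# has_acme_location FILE: a regex location for /.well-known/acme-challenge,
# with or without the dot escaped.
has_acme_location() {
    grep -Eq '^[[:space:]]*location[[:space:]]+~[[:space:]]+\^?/\\?\.well-known/acme-challenge' "$1"
}

# deny_follows FILE NEEDLE: true when the location block whose opening line
# contains NEEDLE (a plain substring, not a regex) has "deny all;" before its
# closing brace.
deny_follows() {
    awk -v needle="$2" '
        index($0, needle) { inblock = 1; next }
        inblock && /deny[[:space:]]+all;/ { found = 1 }
        inblock && /}/ { inblock = 0 }
        END { exit found ? 0 : 1 }' "$1"
}

# audit_nc_vhost FILE: print one line per check; return the number of findings.
audit_nc_vhost() {
    f="$1"; findings=0
    [ -r "$f" ] || { echo "FAIL cannot read $f"; return 1; }
    n=$(count_unsafe_uri "$f")
    if [ "$n" -eq 0 ]; then
        echo "ok   no /index.php\$uri rules"
    else
        echo "FAIL $n rule(s) still use /index.php\$uri; switch to \$request_uri (nextcloud/server#5117)"
        findings=$((findings + n))
    fi
    has_acme_location "$f" && echo "ok   acme-challenge location present" \
        || { echo "FAIL no acme-challenge location: Let's Encrypt renewal will fail"; findings=$((findings + 1)); }
    for needle in 'build|tests|config|lib|3rdparty|templates|data)/' 'autotest|occ|issue|indie|db_|console)'; do
        deny_follows "$f" "$needle" && echo "ok   deny all for ($needle" \
            || { echo "FAIL missing deny all for ($needle"; findings=$((findings + 1)); }
    done
    return "$findings"
}

# write_sample_vhost FILE MODE: constructed minimal vhost (MODE = fixed | legacy).
# "legacy" reverts the three $uri lines and drops the acme-challenge block, which
# is how the thread's original config looked. Not a copy of any real file.
write_sample_vhost() {
    cat > "$1" <<'EOF'
server {
    location / {
        rewrite ^ /index.php$request_uri;
    }
    location ~ ^/\.well-known/acme-challenge/ {
        allow all;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$request_uri;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
    }
}
EOF
    if [ "$2" = legacy ]; then
        sed -e 's/\$request_uri/$uri$is_args$args/' -e '/acme-challenge/,/}/d' "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    fi
}
```

Run it against the live vhost before `nprestart`; a non-zero return means at least one of the post's corrections is still missing. The deny check deliberately reads the block body rather than just the `location` line, so a block that exists but lost its `deny all;` is reported as a finding.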
     
  7. eva2000

    eva2000 Administrator Staff Member

    Actually, just gave long time members editing thread/post permissions in this specific Centmin Mod User Tutorials & Guides forum indefinitely instead of time limited. So you should be able to edit your posts within this thread.
     