If this is your first time looking at a post from this series, have a look at this summary: Server Setup 0: Contents
Before enabling public access to Nextcloud, let’s take a moment to improve things a little.
Apache Config
First up, let’s force the use of HTTPS and make sure we haven’t left any security holes by stripping back the HTTP config file to its bare bones.
sudoedit /etc/apache2/sites-available/nextcloud.conf
<VirtualHost *:80>
ServerName nextcloud.example.org
Redirect permanent / https://nextcloud.example.org/
</VirtualHost>
The default Apache configuration gives access to a little too much – we can lock that down, and just open up the bits we want later with the site-specific configuration files.
sudoedit /etc/apache2/apache2.conf
Look for this section and put a # at the beginning of every line so they’re ignored.
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Now we have to give access back just where we want it:
sudoedit /etc/apache2/sites-available/nextcloud-le-ssl.conf
Before the ErrorLog line, add this:
<Directory /var/www/nextcloud>
Require all granted
</Directory>
Then do the same for the WordPress config:
sudoedit /etc/apache2/sites-available/wordpress-le-ssl.conf
Before the ErrorLog line, add this:
<Directory /var/www/wordpress>
Require all granted
</Directory>
Restart Apache (you should know how to do that by now – look back through the previous posts until you find it.)
Nextcloud Administration Warnings
Log into your Nextcloud administrator account, click on the circle with your initial in the top right corner, and choose Settings. On the page that pops up, pick Overview from the menu on the right.
The system will think for a moment, then show a list of warnings:
If your list is the same as mine, I’ll show you how to fix the first 2, but you can work through the others on your own if you like.
PHP Memory Limit
“The PHP memory limit is below the recommended value of 512MB.”
It isn’t essential to fix this, and if you’re running Nextcloud on an old, lower-powered machine I wouldn’t recommend it, because that’s the limit per script, and a script fires up every time someone accesses your site, so with a few users doing heavy things, you’ll have a problem.
If you do want to do it, edit the PHP configuration file:
sudoedit /etc/php/7.3/apache2/php.ini
Find this line and change the number to what you want:
memory_limit = 512M
Then restart Apache
Enable HSTS
“The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.”
You can follow that link in the tip to find out the details of how we fix this, but these are the steps:
Enable the Apache headers module:
sudo a2enmod headers
Modify the Nextcloud Apache configuration:
sudoedit /etc/apache2/sites-available/nextcloud-le-ssl.conf
Add this after the ServerName line:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
And reload Apache
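To confirm that both the port 80 redirect and the HSTS header took effect, you can inspect the response headers. The script below is an added example, not part of the original post: the function names are made up for illustration, and the sample responses are constructed rather than captured from a real server.

```bash
#!/bin/sh
# Added example: checks response headers for the HTTP->HTTPS redirect and HSTS.
# Function names are illustrative; sample responses below are constructed.

MIN_HSTS_AGE=15552000   # minimum max-age quoted in the Nextcloud warning

# Print the max-age of the Strict-Transport-Security header read from stdin.
# Header names are case-insensitive and lines end in CRLF, so normalise both.
# A quoted value (max-age="123") is also accepted.
hsts_max_age() {
  tr -d '\r' | awk '
    tolower($0) ~ /^strict-transport-security:/ {
      line = tolower($0)
      if (match(line, /max-age="?[0-9]+/)) {
        v = substr(line, RSTART, RLENGTH)
        gsub(/[^0-9]/, "", v)
        print v
        exit
      }
    }'
}

# Succeed only if HSTS is present with max-age >= MIN_HSTS_AGE.
hsts_ok() (
  age=$(hsts_max_age)
  [ -n "$age" ] && [ "$age" -ge "$MIN_HSTS_AGE" ]
)

# Succeed only if the response is a 301 whose Location is an https:// URL.
redirects_to_https() {
  tr -d '\r' | awk '
    NR == 1 && $2 == "301" { status = 1 }
    tolower($1) == "location:" && tolower($2) ~ /^https:\/\// { loc = 1 }
    END { exit !(status && loc) }'
}

# Constructed sample responses (not real captures).
SAMPLE_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://nextcloud.example.org/\r\n')
SAMPLE_HTTPS=$(printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=15552000; includeSubDomains\r\n')
SAMPLE_WEAK=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=3600\r\n')

if printf '%s\n' "$SAMPLE_HTTP" | redirects_to_https; then echo "redirect: ok"; fi
if printf '%s\n' "$SAMPLE_HTTPS" | hsts_ok; then echo "HSTS: ok"; fi
if ! printf '%s\n' "$SAMPLE_WEAK" | hsts_ok; then echo "HSTS: too short"; fi

# Against the live site, pipe curl output in instead of the samples:
#   curl -sI http://nextcloud.example.org/  | redirects_to_https
#   curl -sI https://nextcloud.example.org/ | hsts_ok
```

While the Require ip restriction is still in place, run the curl checks from a machine inside the allowed network.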
Re-enable public access
Now we’ve dealt with a few potential security issues, you can enable access to Nextcloud from outside your network.
sudoedit /etc/apache2/sites-available/nextcloud-le-ssl.conf
Either delete, or comment out these 3 lines. You can make a line into a comment by putting a # at the beginning of the line. That means it will be ignored.
<Location />
Require ip xxx.xxx.xxx.0/24
</Location>
Reload Apache and you’re done!