Nextcloud is a Dropbox-like solution for self-hosted file sharing and syncing. Installing Nextcloud 13 on CentOS 7 is easy. Whether you want backups, file syncing, or calendar and contacts syncing, this guide is for you. If you have any suspicion that the big cloud providers are mining your data and selling it to advertisers to better target you, then Nextcloud is definitely for you. Running Nextcloud will put you back in control of your data. If you decide to go down this path and value your data, may I suggest that you place the Nextcloud data directory on an NFS share hosted on a ZFS storage appliance like FreeNAS. Remember that RAID is not a backup, so you would also want to keep an on-site or off-site backup of your important data. For example, I use the Backblaze B2 service for off-site backups with the option of encryption.

I run everything virtualized on VMware ESXi and assume you have the knowledge to create a virtual machine and install a minimal version of CentOS 7 server. If you choose to put the data directory on an NFS share, I assume you know how to do that as well, because this how-to focuses only on getting Nextcloud installed with Active Directory integration.

It should go without saying that the Nextcloud server must be secure. It’s better to adopt a deny-all mindset early in the deployment and configuration of your Nextcloud server, including the database. We will be configuring this Nextcloud server with SELinux enforcing and an active firewall. For added security I recommend placing the Nextcloud server behind a reverse proxy. Having a reverse proxy gives you many advantages, such as hosting multiple servers on one IP address. I will do a future blog post on setting up an Nginx reverse proxy.

Step 1: Install the required software

The first step in installing Nextcloud 13 is to install a web server, an SQL database and PHP. CentOS 7 ships with PHP 5.4 by default but Nextcloud 13 requires at least PHP 7, so we’ll also be installing PHP 7 from a third-party repository. We will also install an NFS client so that we can keep the Nextcloud data directory on a NAS. The following procedure installs Apache as the web server. Cut and paste the commands one at a time to avoid errors!

SSH in to your server as root and run the following commands.

[root@cloud ~]# yum -y install epel-release wget
[root@cloud ~]# wget http://rpms.remirepo.net/enterprise/remi-release-7.rpm
[root@cloud ~]# rpm -Uvh remi-release-7.rpm
[root@cloud ~]# yum -y update
[root@cloud ~]# yum install -y httpd mariadb-server php php-mysql php-dom php-pecl-apcu php-opcache php-mbstring php-gd php-pdo php-json php-xml php-zip php-curl php-mcrypt php-pear php-ldap php-smbclient nfs-utils samba-client samba-common mod_ssl setroubleshoot-server bzip2

Step 2: Setup MariaDB
Now we will start the database server that Nextcloud will use and secure it.

[root@cloud ~]# systemctl start mariadb
[root@cloud ~]# systemctl enable mariadb

When configuring the web stack, administrators often overlook the impact of not hardening the database. Every web server administrator should take the following steps immediately after a successful installation. Once you execute the command below you will be asked for the current root password; there isn’t one, so press Enter. You will then be prompted to set a password for the database root user. I highly recommend setting a strong root password for security reasons. Answer yes to all of the questions.

[root@cloud ~]# mysql_secure_installation

We are using one server as both web server and database server, so we want to block all remote access to the database server. You can do this by binding the listener to localhost, i.e. 127.0.0.1. We also want to remove the database’s ability to load local files: if an attacker gains control of your database, we don’t want them to be able to load local files. You achieve this by editing your /etc/my.cnf file and adding the bind-address and local-infile directives to the [mysqld] section, as shown below, then saving the file.

[root@cloud ~]# vi /etc/my.cnf

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
bind-address=127.0.0.1
local-infile=0

# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

Now restart MariaDB so that the new settings take effect.

[root@cloud ~]# systemctl restart mariadb
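To confirm that both directives landed in the [mysqld] section and not in a neighbouring one, the file can be checked mechanically. The script below is an added example, not part of the original guide; the function names and the two sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit the [mysqld] section of
# a my.cnf-style file for bind-address and local-infile.

# Print the value KEY has inside [mysqld]; the last occurrence wins.
# MariaDB treats '-' and '_' in option names alike, so both are normalised.
mysqld_option() {
    local file="$1" key
    key=$(printf '%s' "$2" | tr _ -)
    awk -v want="$key" '
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        insec {
            line = $0; sub(/[ \t]*#.*/, "", line)     # drop trailing comment
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k); gsub(/_/, "-", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }
    ' "$file"
}

# Return 0 only if mysqld listens on loopback and LOCAL INFILE is disabled.
audit_mycnf() {
    local file="$1" rc=0 bind infile
    bind=$(mysqld_option "$file" bind-address)
    infile=$(mysqld_option "$file" local-infile)
    case $bind in
        127.0.0.1|::1|localhost) ;;
        *) echo "FAIL bind-address='${bind:-unset}': not loopback-only"; rc=1 ;;
    esac
    case $infile in
        0|OFF|off) ;;
        *) echo "FAIL local-infile='${infile:-unset}': LOAD DATA LOCAL allowed"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK $file"
    return "$rc"
}

# Constructed samples: one with bind-address under the wrong section and no
# local-infile, one hardened as in this guide.
sample_weak=$(mktemp); sample_hard=$(mktemp)
printf '[mysqld]\ndatadir=/var/lib/mysql\n[mysqld_safe]\nbind-address=127.0.0.1\n' > "$sample_weak"
printf '[mysqld]\nbind-address = 127.0.0.1\nlocal_infile=0\n' > "$sample_hard"
audit_mycnf "$sample_weak" || true
audit_mycnf "$sample_hard"
```

The script does not follow the !includedir line, so run audit_mycnf over any files in /etc/my.cnf.d as well, since a later file can override these values.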

Now we need to create a database for Nextcloud to use. Use the root password you set earlier.

[root@cloud ~]# mysql -u root -p

Now that you are in, create a database for Nextcloud.

MariaDB [(none)]> CREATE DATABASE nextcloud;

Now you need to create the user that will be used to connect to the database.

MariaDB [(none)]> CREATE USER 'nc_user'@'localhost' IDENTIFIED BY 'YOUR_PASSWORD_HERE';

The last step is to grant the privileges to the new user.

MariaDB [(none)]> GRANT ALL PRIVILEGES ON nextcloud.* TO 'nc_user'@'localhost';
MariaDB [(none)]> FLUSH PRIVILEGES;

Press Ctrl+D to exit.

Step 3: Install NextCloud
This step involves getting the Nextcloud software and configuring Apache to run it.

[root@cloud ~]# cd /var/www/html
[root@cloud ~]# curl -o nextcloud-13-latest.tar.bz2 https://download.nextcloud.com/server/releases/latest-13.tar.bz2
[root@cloud ~]# tar -xvjf nextcloud-13-latest.tar.bz2
[root@cloud ~]# mkdir nextcloud/data
[root@cloud ~]# chown -R apache:apache nextcloud
[root@cloud ~]# rm nextcloud-13-latest.tar.bz2

Now it’s time to set up the fstab file to automatically mount the remote folder where Nextcloud will store all of the user data. I assume you know how to set up an NFS share on your NAS; if not, Google is your friend.

[root@cloud ~]# vi /etc/fstab

The file will look something like this. Do not edit anything above the dashed line. Change the IP address and the path that follows it to point to your NAS.

#
# /etc/fstab
# Created by anaconda on Thu Mar 1 12:56:17 2018
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/cl_cloud-root / xfs defaults 0 0
UUID=037ueya8-e40c-46kt-9592-62556dfgh8ueh /boot xfs defaults 0 0
/dev/mapper/cl_cloud-swap swap swap defaults 0 0
#-----------------------------------------------------------------------------------------------------------------------------------------
#NFS Network shares on NAS Server
192.168.1.1:/path/to/NextCloudData /var/www/html/nextcloud/data nfs rw,auto,noatime,nolock,bg,nfsvers=3,intr,tcp,actimeo=1800 0 0

Once completed, exit the vi editor and mount the share by running the command below.

[root@cloud ~]# mount -a

Now we need to create a new config file and paste in the text below.

[root@cloud ~]# vi /etc/httpd/conf.d/nextcloud.conf
Alias /nextcloud "/var/www/html/nextcloud/"

<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
AllowOverride All

<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud

</Directory>

Now we want Nextcloud to be at the root of the web server, so that to access Nextcloud you’d type cloud.example.com, not cloud.example.com/nextcloud.

[root@cloud ~]# vi /etc/httpd/conf/httpd.conf

Find the line DocumentRoot "/var/www/html" and change it to:

DocumentRoot "/var/www/html/nextcloud"

Step 4: Setting Apache and SELinux
In this step we’ll start (and enable) the web server and set up SELinux. Many tutorials will tell you to disable SELinux (because it is a difficult component to manage). Instead, I suggest you keep it on and add the rules for Nextcloud.

[root@cloud ~]# setsebool -P httpd_can_network_connect_db 1
[root@cloud ~]# setsebool -P httpd_use_nfs on
[root@cloud ~]# setsebool -P httpd_use_cifs on
[root@cloud ~]# setsebool -P httpd_can_connect_ldap on
[root@cloud ~]# setsebool -P httpd_can_sendmail on
[root@cloud ~]# setsebool -P httpd_can_network_connect on
[root@cloud ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data(/.*)?'
[root@cloud ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
[root@cloud ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
[root@cloud ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/3rdparty(/.*)?'
[root@cloud ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
[root@cloud ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'
[root@cloud ~]# restorecon -Rv '/var/www/html/nextcloud/'
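The fcontext rules above decide which parts of the Nextcloud tree Apache may write to while SELinux is enforcing. The script below is an added example, not part of the original guide: it evaluates constructed sample paths against the same six patterns, using grep -E as a stand-in for SELinux's own regex matcher (the two agree for these patterns). The names label_for and report are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): evaluate paths against the
# semanage fcontext rules above. file_contexts patterns are regular
# expressions that must match the whole path.
RW_RULES='/var/www/html/nextcloud/data(/.*)?
/var/www/html/nextcloud/config(/.*)?
/var/www/html/nextcloud/apps(/.*)?
/var/www/html/nextcloud/3rdparty(/.*)?
/var/www/html/nextcloud/.htaccess
/var/www/html/nextcloud/.user.ini'

# Print "rw" if the path matches a rule (httpd_sys_rw_content_t), else "ro"
# (assumed to keep the read-only label it inherits under /var/www).
label_for() {
    local p="$1" rule
    while IFS= read -r rule; do
        if printf '%s\n' "$p" | grep -Eq "^${rule}\$"; then
            echo rw
            return 0
        fi
    done <<EOF
$RW_RULES
EOF
    echo ro
}

# Constructed sample paths, including near-misses of the rules.
report() {
    local p
    for p in \
        /var/www/html/nextcloud/config/config.php \
        /var/www/html/nextcloud/data \
        /var/www/html/nextcloud/database.php \
        /var/www/html/nextcloud/lib/base.php \
        /var/www/html/nextcloud/index.php \
        /var/www/html/nextcloud/.htaccess \
        /var/www/html/nextcloud/xhtaccess
    do
        printf '%-3s %s\n' "$(label_for "$p")" "$p"
    done
}
report
```

The last sample path comes out as rw because the unescaped "." in the .htaccess rule matches any character; writing the rule as '\.htaccess' (and '\.user\.ini') makes it literal.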

Now that you’ve configured SELinux let’s start and enable Apache:

[root@cloud ~]# systemctl start httpd
[root@cloud ~]# systemctl enable httpd

Step 5: Configuring firewall
This step is essential when your firewall is enabled. CentOS 7 enables the firewall by default, so you won’t be able to access your Nextcloud 13 instance until the ports are opened. You can disable the firewall, but having a firewall enabled is a good security practice.

To open the ports needed by Nextcloud 13, run the following commands.

[root@cloud ~]# firewall-cmd --add-service http --permanent
[root@cloud ~]# firewall-cmd --add-service https --permanent
[root@cloud ~]# firewall-cmd --add-service ldap --permanent
[root@cloud ~]# firewall-cmd --reload

Step 6: Configure Nextcloud
Once you’re done, it’s time to install everything. Head to http://YOUR_IP_ADDRESS and you will be facing the Nextcloud setup screen.

Select an administrator username and password. Then click on “Storage & Database”. Here you can select the data folder, but we have it in the default location, so leave the default value. Enter the database name and database user, and enter the password you created during step 2. The port is the default one, 3306.

Click finish and, if you’ve followed all the steps correctly, you should see the Files app.

Now we need to configure OPcache. This will improve the performance of Nextcloud. We will use the recommended settings. You can change them as needed down the track.

[root@cloud ~]# vi /etc/php.d/opcache.ini

Change the following settings so that they match what’s below. Use the vi editor’s search function to find the settings one at a time. If any of the settings are commented out with a ; delete the ; or the setting will be ignored.

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Once saved, restart the HTTP server so that the changes take effect.

[root@cloud ~]# systemctl restart httpd

Congratulations, you should now have a fully functional Nextcloud server. You will need to head over to the app store and add any extra functionality you want, like the calendar and contacts apps. If you are integrating Nextcloud with Active Directory, install the LDAP module from the app store and configure it. I recommend installing the “Brute-force settings” app and adding your local subnet and that of any proxies you might be using, to prevent your users from being slowed down by too many attempts to access the Nextcloud server from the same IP address. This feature is designed to prevent brute-force attempts to hack a user’s password from the internet.

If you have any problems or feedback, just leave it in the comments below and I’ll get back to you.