Install Firewall
First, install a firewall to secure your VPS (if one is not already installed) and allow incoming traffic only to ports 80/443 and 22 (SSH). To secure SSH access you can use fail2ban and passwordless authentication; many guides for this are available.
sudo apt install ufw -y
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh
sudo ufw enable
Install MariaDB
MariaDB is available in Ubuntu's default repositories, but this tutorial installs the latest version directly from MariaDB. In your terminal, use the following command to import the GPG key.
curl -fsSL https://mariadb.org/mariadb_release_signing_key.asc | gpg --dearmor |
sudo tee /usr/share/keyrings/mariadb.gpg > /dev/null
Next, import the repository, and ensure you match the distribution release.
echo "deb [arch=amd64,arm64,ppc64el signed-by=/usr/share/keyrings/mariadb.gpg] http://mirror.mariadb.org/repo/10.6/ubuntu/ jammy main" | sudo tee /etc/apt/sources.list.d/mariadb.list
sudo apt update
To install MariaDB, you must install the client and the server packages. This can be done as follows:
sudo apt install mariadb-server mariadb-client -y
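By default, MariaDB should already be active after installation. If it is not, start it using the following commands.
sudo systemctl start mariadb    # start the service now
sudo systemctl enable mariadb   # start it automatically at boot
# To stop the service (not needed for this setup): sudo systemctl stop mariadb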
Run MariaDB 10.6 Security Script on Ubuntu Linux
sudo mysql_secure_installation
Note that you answer (Y) to remove everything the script offers to remove.
Install Apache2
With the following command we install the Apache web server:
sudo apt install -y apache2 apache2-utils
Install php8.0-fpm and recommended modules
echo "deb http://ppa.launchpad.net/ondrej/php/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/php.list
sudo apt-key adv --recv-keys --keyserver hkps://keyserver.ubuntu.com:443 4F4EA0AAE5267A6C
Now you can install php8.0 and the modules with the following command:
sudo apt update && sudo apt install -y php8.0-cli php8.0-common php8.0-mbstring php8.0-gd php8.0-imagick php8.0-intl php8.0-bz2 php8.0-xml php8.0-mysql php8.0-zip php8.0-dev php8.0-curl php8.0-fpm redis-server php8.0-redis php8.0-smbclient php8.0-ldap php8.0-bcmath php8.0-gmp libmagickcore-6.q16-6-extra
Configure Apache2 and php8.0-fpm
sudo a2enmod proxy_fcgi setenvif mpm_event rewrite headers env dir mime ssl http2
sudo a2enconf php8.0-fpm
sudo nano /etc/apache2/apache2.conf
and change the following code:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
to:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
To enable HTTP/2, we need to add this line to apache2.conf:
Protocols h2 h2c http/1.1
Now we have to prepare the php.ini for Nextcloud:
sudo nano /etc/php/8.0/fpm/php.ini
extend with the following directives:
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
and adjust the following lines:
max_execution_time = 300
max_input_time = 600
memory_limit = 512M
upload_max_filesize = 10240M
Install PhpMyAdmin
sudo apt install phpmyadmin
Choose Apache, and on the next screen answer NO to "Configure phpmyadmin database".
All done. PhpMyAdmin has been installed.
Log in with root and the password that you set up when you were installing MariaDB.
Install Certbot and other tools
sudo apt install -y python3-certbot-apache certbot wget curl sudo unzip
Download Nextcloud and create filesystem
wget https://download.nextcloud.com/server/releases/latest-24.zip
unzip latest-24.zip
sudo mv nextcloud /var/www/html/
sudo chown -R www-data:www-data /var/www/html/nextcloud
sudo rm latest-24.zip
sudo mkdir /nextcloud_data
sudo chown -R www-data:www-data /nextcloud_data
Create Apache2 vHost and secure with SSL
sudo nano /etc/apache2/sites-available/001-nextcloud.conf
<VirtualHost *:80>
ServerName nextcloud.your-domain.tld
ServerAdmin webmaster@your-domain.tld
DocumentRoot /var/www/html/nextcloud
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sudo a2ensite 001-nextcloud.conf
sudo a2dissite 000-default.conf
sudo systemctl reload apache2
Since we want to reach the site via HTTPS, we create a Let's Encrypt certificate. The easiest way to do this is with Certbot, which we already installed above:
sudo certbot --apache --rsa-key-size 4096
In the last query, we confirm with "2" that a redirect should occur.
sudo nano /etc/apache2/sites-available/001-nextcloud-le-ssl.conf
We add the following block under the DocumentRoot directive:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Prevent MIME based attacks
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
# SSL Configuration - uses strong cipher list - these might need to be downgraded if you need to support older browsers/devices
SSLEngine on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
<Directory /var/www/html/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
Satisfy Any
</Directory>
Then we have to reload the web server again:
sudo systemctl reload apache2
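To check the finished vHost against the settings above, the following added example (not part of the original tutorial) audits a config read from stdin for the four headers, the HSTS preload conditions and the disabled legacy protocols. The function names audit_vhost and sample_vhost are hypothetical, and the preload thresholds are the hstspreload.org submission rules, not something the tutorial states.

```shell
# Added example, not from the tutorial: audit a vHost read from stdin for the
# headers and TLS settings configured above. Prints one finding per line.
audit_vhost() (
    active=$(sed '/^[[:space:]]*#/d')   # ignore commented-out directives
    for h in Strict-Transport-Security Referrer-Policy \
             X-Content-Type-Options X-Frame-Options; do
        printf '%s\n' "$active" | grep -q "Header always set $h " ||
            echo "MISSING header $h"
    done

    # The preload token only qualifies a site for the browser preload list
    # if max-age >= 31536000 and includeSubDomains are also present.
    hsts=$(printf '%s\n' "$active" | sed -n '/Strict-Transport-Security/p')
    case $hsts in *preload*)
        age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        [ "${age:-0}" -ge 31536000 ] ||
            echo "HSTS preload: max-age ${age:-0} < 31536000"
        case $hsts in *includeSubDomains*) ;; *)
            echo "HSTS preload: includeSubDomains missing" ;;
        esac ;;
    esac

    # Replay the last SSLProtocol line token by token, left to right.
    proto=$(printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' | tail -n 1)
    [ -n "$proto" ] || echo "MISSING SSLProtocol"
    for p in SSLv3 TLSv1 TLSv1.1; do
        state=off
        for tok in $proto; do
            case $tok in
                [Aa]ll|+[Aa]ll|"$p"|"+$p") state=on ;;
                "-$p") state=off ;;
            esac
        done
        [ "$state" = off ] || echo "WEAK protocol $p enabled"
    done
)

# Constructed sample: the header and TLS lines from the block above.
sample_vhost() {
    cat <<'EOF'
Header always set Strict-Transport-Security "max-age=15768000; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
EOF
}
sample_vhost | audit_vhost
```

On the server, run it as `audit_vhost < /etc/apache2/sites-available/001-nextcloud-le-ssl.conf`; for the sample it reports only the two preload findings, since the header carries the preload token without meeting the list's conditions.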
Configure Nextcloud
sudo nano /var/www/html/nextcloud/config/config.php
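add the following entries inside the $CONFIG array:
'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => array(
  'host' => 'localhost',
  'port' => 6379,
),
// ISO 3166-1 country code (GB for the United Kingdom); use your own country
'default_phone_region' => 'GB',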
In the basic settings, we customize the background tasks and use cron, and configure the cron job of the user www-data accordingly (adjust path and/or user if you use another one):
sudo crontab -u www-data -e
*/5 * * * * php8.0 -f /var/www/html/nextcloud/cron.php
sudo systemctl restart apache2 && sudo systemctl restart php8.0-fpm