Setup Nextcloud HTTPS Apache With OpenSSL on FreeBSD

In this article we will set up a Nextcloud server from scratch and add an SSL certificate. There are many tutorials on this topic, but few cover configuring Nextcloud with SSL on a FreeBSD server. Here the certificate is generated with OpenSSL and the web server is Apache24. Before following this guide, make sure the Apache24 web server, MySQL server, PHP, mod_php and PHP-FPM are installed on your FreeBSD server.

This guide assumes Nextcloud will be accessed via a private IP, https://192.168.5.2/nextcloud. We will place the SSL certificate in the Apache VirtualHost that refers to the directory /usr/local/www/nextcloud, where all Nextcloud files are stored.


This Nextcloud installation guide covers installation, configuration and hardening, as well as several Nextcloud expansion options, on a FreeBSD server. The installation is based on Apache24, with OpenSSL used to create the SSL certificate. Adjust the values in this guide, such as the private IP address and domain, to your own FreeBSD server.

"Before we start, make sure the Apache24 web server, MySQL server, PHP, mod_php and PHP-FPM are installed and running normally on your FreeBSD server"

1. Create the Nextcloud Database

The database is central to Nextcloud: it stores all configuration and data you enter. Nextcloud supports several databases; in this article we use MySQL server.

To create the Nextcloud database, log in to the MySQL server and run the statements below. These are the values used throughout this guide:

User: usernextcloud
Host: localhost
Database name: nextcloud
Password: router123

CREATE DATABASE
root@ns3:~ # mysql -u root -p
Enter password:
root@localhost [(none)]> CREATE DATABASE nextcloud;
root@localhost [(none)]> CREATE USER 'usernextcloud'@'localhost' IDENTIFIED BY 'router123';
root@localhost [(none)]> GRANT ALL PRIVILEGES ON nextcloud.* TO 'usernextcloud'@'localhost';
root@localhost [(none)]> FLUSH PRIVILEGES;
root@localhost [(none)]> exit;
root@ns3:~ #


2. Install Nextcloud

First we install the Nextcloud dependencies, which are the PHP extensions Nextcloud needs.

Install Nextcloud Dependencies
root@ns3:~ # pkg install php82-ctype pkgconf php82-filter php82-iconv php82-xmlwriter php82-bz2 php82-mbstring php82-pdo_mysql php82-opcache php82-xmlreader
root@ns3:~ # pkg install php82-xsl php82-dom php82-gmp php82-pcntl php82-pdo php82-posix php82-simplexml php82-intl php82-ldap php82-sysvsem php82-bcmath
FreeBSD makes this easy: Nextcloud is available both as a pkg package and in the ports tree. You can use either; we recommend installing from ports. Here's how.

/usr/ports/www/nextcloud
root@ns3:~ # cd /usr/ports/www/nextcloud
root@ns3:/usr/ports/www/nextcloud # make install clean
Change permissions and ownership.

/usr/local/www/nextcloud
root@ns3:/usr/ports/www/nextcloud # chown -R www:www /usr/local/www/nextcloud
root@ns3:/usr/ports/www/nextcloud # chmod -R 775 /usr/local/www/nextcloud


3. Configure config.php, Crontab and php.ini

config.php is Nextcloud's main configuration file; you must edit it so that Nextcloud runs properly. Several settings need to be made:

a. Enable caching

Caching makes Nextcloud noticeably faster. The difference between running Nextcloud with and without a cache is large, and it grows as the number of files and folders increases and more multimedia files hit the server. Nextcloud supports several caches: APCu, Redis and memcached. In this article we use memcached. Run the following commands to install it.

/usr/ports/databases/memcached
root@ns3:~ # cd /usr/ports/databases/memcached
root@ns3:/usr/ports/databases/memcached # make install clean
This section does not cover the memcached configuration in full; see our previous article for that.


Open the config.php file and add the memcached settings below. memcached has no authentication of its own, so if it runs on the same host, bind it to 127.0.0.1 and use that address here rather than a LAN-reachable one.

/usr/local/www/nextcloud/config/config.php
root@ns3:~ # ee /usr/local/www/nextcloud/config/config.php
  'memcache.local' => '\\OC\\Memcache\\Memcached',
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcache.locking' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' => 
  array (
    0 => 
    array (
      0 => '192.168.5.2',
      1 => 11211,
    ),
  ),

b. Enable Pretty links

Just like a theme in Joomla or WordPress, pretty links are not mandatory, but they improve the look of the URLs. Enable them in the config.php file.

/usr/local/www/nextcloud/config/config.php
root@ns3:~ # ee /usr/local/www/nextcloud/config/config.php
'overwrite.cli.url' => 'https://192.168.5.2/nextcloud',
'htaccess.RewriteBase' => '/nextcloud',

c. Enable Phone Region

Enable the default phone region; it is needed to validate phone numbers in Nextcloud profile settings. Add "default_phone_region" with your country's ISO 3166-1 code to the config.php file.

/usr/local/www/nextcloud/config/config.php
root@ns3:~ # ee /usr/local/www/nextcloud/config/config.php
'default_phone_region' => 'US',

d. Enable Maintenance Window

Nextcloud's maintenance window defines when its intensive daily background jobs run. Set it to a low-usage time so that users are not affected by the load these heavy tasks cause (the value is the hour, in UTC, at which the window opens).

/usr/local/www/nextcloud/config/config.php
root@ns3:~ # ee /usr/local/www/nextcloud/config/config.php
'maintenance_window_start' => 1,

e. Enable Crontab

After installation, Nextcloud runs background jobs via AJAX when users visit Nextcloud pages, so scheduled tasks do not run when nobody is using the site. To fix this, open the crontab file and add the lines below. Because /etc/crontab is the system crontab, each entry must name the user the job runs as; use www, the owner of the Nextcloud files, so cron.php does not create root-owned files in the data directory.

/etc/crontab
root@ns3:~ # ee /etc/crontab
*/15 * * * * www /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php
*/5  * * * * www /usr/local/bin/php -f /usr/local/www/nextcloud/occ dav:send-event-reminders
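A check for the system crontab entries, as an added example that is not from the original article: it examines the Nextcloud lines of a FreeBSD /etc/crontab and reports entries that lack the "who" field, run as a user other than www, or use a bare php instead of an absolute path (the system crontab's PATH does not include /usr/local/bin). The function names and the two sample crontabs are this example's own; the paths are the article's.

```shell
#!/bin/sh
# Added example (not part of the original article): lint the Nextcloud jobs in
# FreeBSD's system crontab. /etc/crontab has a sixth "who" field that a
# per-user crontab lacks; if it is missing, cron takes the first word of the
# command as the user name and the job never runs.
# The sample crontab contents below are constructed for this example.

# check_crontab_line LINE: print one finding per problem; print nothing if OK.
# Comments are skipped and only lines that mention nextcloud are examined.
check_crontab_line() {
    line=$1
    case $line in
        '#'*) return 0 ;;
        *nextcloud*) ;;
        *) return 0 ;;
    esac
    # Split on whitespace with globbing disabled, so "*" stays a literal field.
    set -f
    set -- $line
    set +f
    if [ $# -lt 7 ]; then
        echo "too few fields, user field probably missing: $line"
        return 0
    fi
    who=$6
    cmd=$7
    [ "$who" = "www" ] || echo "job runs as '$who' instead of www: $line"
    case $cmd in
        /*) ;;
        *) echo "command '$cmd' is not an absolute path: $line" ;;
    esac
}

# lint_crontab FILE: run check_crontab_line over every line of FILE.
lint_crontab() {
    while IFS= read -r l || [ -n "$l" ]; do
        check_crontab_line "$l"
    done < "$1"
}

# count_crontab_problems FILE: number of findings for FILE.
count_crontab_problems() {
    lint_crontab "$1" | wc -l | tr -d ' '
}

# write_bad_crontab FILE: two entries without a user field, a common mistake
# (constructed sample).
write_bad_crontab() {
    cat > "$1" <<'EOF'
*/15 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php
*/5 * * * * php -f /usr/local/www/nextcloud/occ dav:send-event-reminders
EOF
}

# write_fixed_crontab FILE: the corrected entries (constructed sample).
write_fixed_crontab() {
    cat > "$1" <<'EOF'
# Nextcloud background jobs, run as the www user
*/15 * * * * www /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php
*/5  * * * * www /usr/local/bin/php -f /usr/local/www/nextcloud/occ dav:send-event-reminders
EOF
}

# Usage: sh crontab-check.sh /etc/crontab
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    lint_crontab "$1"
fi
```

Run it against the live file with `sh crontab-check.sh /etc/crontab`; an empty output means the Nextcloud entries are well-formed. A job that runs as the wrong user is the usual cause of "cron.php ran, but Nextcloud still reports that background jobs have not executed".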



f. PHP Opcache

On FreeBSD servers, PHP OPcache caches compiled bytecode so PHP does not recompile scripts on every request. Configuring it properly improves Nextcloud performance. Set the values below in the php.ini file.

/usr/local/etc/php.ini
root@ns3:~ # ee /usr/local/etc/php.ini
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
memory_limit = 512M
cgi.fix_pathinfo=0
post_max_size = 32M
upload_max_filesize = 32M

g. Enable Nextcloud Providers

Preview generation can be sped up by enabling the preview provider classes and, optionally, an external microservice such as Imaginary. If you deploy such a service, make sure it is reachable only from the server itself. The list of enabled providers is set in the config.php file.

/usr/local/www/nextcloud/config/config.php
root@ns3:~ # ee /usr/local/www/nextcloud/config/config.php
  'enable_previews' => true,
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\MarkDown',
    6 => 'OC\\Preview\\MP3',
    7 => 'OC\\Preview\\TXT',
    8 => 'OC\\Preview\\Illustrator',
    9 => 'OC\\Preview\\Movie',
    10 => 'OC\\Preview\\MSOffice2007',
    11 => 'OC\\Preview\\MSOfficeDoc',
    12 => 'OC\\Preview\\OpenDocument',
    13 => 'OC\\Preview\\PDF',
    14 => 'OC\\Preview\\Photoshop',
    15 => 'OC\\Preview\\Postscript',
    16 => 'OC\\Preview\\StarOffice',
    17 => 'OC\\Preview\\SVG',
    18 => 'OC\\Preview\\TIFF',
    19 => 'OC\\Preview\\Font',
  ),
You can see the complete script of the "config.php" file below.

/usr/local/www/nextcloud/config/config.php
<?php
$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\Memcached',
  'instanceid' => 'oc4umminut1v',
  'passwordsalt' => 'B+tTSN3tC1SdPMaRxkZVZPXe+Bg0Lp',
  'secret' => 'unz4KEhJPBuXC+lrRZx8brzvlFlHJimMC6zv+XmlzS7gNc4L',
  'trusted_domains' =>
  array (
    0 => '192.168.5.2',
  ),
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '28.0.3.2',
  'overwrite.cli.url' => 'https://192.168.5.2/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'usernextcloud',
  'dbpassword' => 'router123',
  'installed' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcache.locking' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' =>
  array (
    0 =>
    array (
      0 => '192.168.5.2',
      1 => 11211,
    ),
  ),
  'htaccess.RewriteBase' => '/nextcloud',
  'default_phone_region' => 'US',
  'maintenance_window_start' => 1,
  'enable_previews' => true,
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\MarkDown',
    6 => 'OC\\Preview\\MP3',
    7 => 'OC\\Preview\\TXT',
    8 => 'OC\\Preview\\Illustrator',
    9 => 'OC\\Preview\\Movie',
    10 => 'OC\\Preview\\MSOffice2007',
    11 => 'OC\\Preview\\MSOfficeDoc',
    12 => 'OC\\Preview\\OpenDocument',
    13 => 'OC\\Preview\\PDF',
    14 => 'OC\\Preview\\Photoshop',
    15 => 'OC\\Preview\\Postscript',
    16 => 'OC\\Preview\\StarOffice',
    17 => 'OC\\Preview\\SVG',
    18 => 'OC\\Preview\\TIFF',
    19 => 'OC\\Preview\\Font',
  ),
);


4. Setting up SSL using OpenSSL

As the title says, Nextcloud is served over HTTPS, so you need an SSL certificate. If no CA signature is required, a self-signed certificate can be generated. First we create an RSA private key, then a certificate signing request (CSR) from it, and finally the self-signed certificate (CRT). Before creating the certificate, create a directory for the SSL files.

/usr/local/etc/apache24
root@ns3:~ # cd /usr/local/etc/apache24
root@ns3:/usr/local/etc/apache24 # mkdir -p ssl
root@ns3:/usr/local/etc/apache24 # cd ssl
root@ns3:/usr/local/etc/apache24/ssl #
After that, continue by creating the SSL certificate.

/usr/local/etc/apache24/ssl
root@ns3:/usr/local/etc/apache24/ssl # openssl genrsa -out server.key 2048
root@ns3:/usr/local/etc/apache24/ssl # openssl req -new -key server.key -out server.csr
root@ns3:/usr/local/etc/apache24/ssl # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
root@ns3:/usr/local/etc/apache24/ssl # cat server.crt server.key > server.bundle.pem
Restrict permissions so the private key is not world-readable.

/usr/local/etc/apache24/ssl
root@ns3:/usr/local/etc/apache24/ssl # chmod -R 640 /usr/local/etc/apache24/ssl
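An added example, not the article's own commands: a POSIX shell script that creates the same server.key and server.crt in one step, but with a subjectAltName for the private IP 192.168.5.2 (browsers validate the SAN, not the CN, when you open https://192.168.5.2/), sets the key mode to 600, and verifies the result: SAN present, not expired, and the certificate's public key matching the private key. The function names and the openssl.cnf it writes are this example's own; the directory and IP are the article's.

```shell
#!/bin/sh
# Added example, not the article's own commands: self-signed certificate with
# an IP SAN for the Apache24 vhost, plus verification of the files produced.
# Directory and IP are the article's; the function names are this example's.

# gen_self_signed DIR IP DAYS: write DIR/server.key and DIR/server.crt.
gen_self_signed() {
    dir=$1; ip=$2; days=${3:-365}
    mkdir -p "$dir"
    # Constructed OpenSSL config: an IP-type SAN is what browsers check when
    # the URL is https://192.168.5.2/...; a bare CN is not enough.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_self
prompt = no
[ dn ]
CN = $ip
[ v3_self ]
subjectAltName = IP:$ip
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -x509 issues the self-signed certificate directly; no CSR round-trip.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/openssl.cnf" 2>/dev/null
    # httpd reads the key as root at startup, so nobody else needs access.
    chmod 600 "$dir/server.key"
    chmod 644 "$dir/server.crt"
}

# verify_cert KEY CRT IP: succeed only if CRT carries the IP SAN, is not
# yet expired, and its public key matches the private key in KEY.
verify_cert() {
    key=$1; crt=$2; ip=$3
    openssl x509 -in "$crt" -noout -text | grep -q "IP Address:$ip" || return 1
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$crt" -noout -pubkey)" ] || return 1
}

# cert_valid_for CRT SECONDS: succeed if CRT is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Usage: NC_SSL_DIR=/usr/local/etc/apache24/ssl NC_SSL_IP=192.168.5.2 sh make-cert.sh
if [ -n "${NC_SSL_DIR:-}" ]; then
    ip=${NC_SSL_IP:-192.168.5.2}
    gen_self_signed "$NC_SSL_DIR" "$ip" 365
    if verify_cert "$NC_SSL_DIR/server.key" "$NC_SSL_DIR/server.crt" "$ip"; then
        echo "certificate OK: SAN IP:$ip, key and certificate match"
    else
        echo "certificate check FAILED" >&2
        exit 1
    fi
fi
```

Run it as `NC_SSL_DIR=/usr/local/etc/apache24/ssl NC_SSL_IP=192.168.5.2 sh make-cert.sh`. The browser will still warn once because the certificate is self-signed, but with the IP SAN it no longer rejects the certificate for a name mismatch, and `cert_valid_for` can be run from cron (for example with 30 days in seconds) to warn before the 365-day certificate expires.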


5. Create the Apache SSL VirtualHost

Since the Apache24 web server is already running, we can enable the VirtualHost right away. Open the httpd.conf file and enable the directives below.

/usr/local/etc/apache24/httpd.conf
root@ns3:~ # ee /usr/local/etc/apache24/httpd.conf
Listen 80
ServerAdmin datainchi@gmail.com
ServerName datainchi.com
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
Include etc/apache24/extra/httpd-ssl.conf
Now we set up Apache with the self-signed certificate as part of the Nextcloud installation. Open the httpd-ssl.conf file, delete its contents and replace them with the configuration below.

/usr/local/etc/apache24/extra/httpd-ssl.conf
root@ns3:~ # ee /usr/local/etc/apache24/extra/httpd-ssl.conf
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300

SSLUseStapling On
SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"
SSLStaplingStandardCacheTimeout 3600
SSLStaplingErrorCacheTimeout 600
SSLCompression off

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/www/apache24/data"
    ServerName www.example.com:443
    ServerAdmin you@example.com
    ErrorLog "/var/log/httpd-error.log"
    TransferLog "/var/log/httpd-access.log"

    SSLEngine on

    SSLCertificateFile "/usr/local/etc/apache24/ssl/server.crt"
    SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/server.key"

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>

    Alias /nextcloud /usr/local/www/nextcloud
    AcceptPathInfo On
    <Directory /usr/local/www/nextcloud>
        Options Indexes ExecCGI FollowSymLinks
        AllowOverride All
        Require all granted

        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        Header unset Content-Security-Policy
        Header always unset Content-Security-Policy
        SetEnv HOME /usr/local/www/nextcloud
        SetEnv HTTP_HOME /usr/local/www/nextcloud
        Satisfy Any
    </Directory>

    <Directory /usr/local/www/nextcloud/apps/sip_trip_phone/phone/>
        DirectoryIndex index.html
    </Directory>

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog "/var/log/httpd-ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
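An added example that is not part of the original article: a small POSIX shell lint that flags four weak directives in an Apache SSL vhost, and a hardened Nextcloud vhost it accepts, so the weak settings can be compared with the corrected ones side by side. "SSLProtocol all -SSLv3" still permits TLS 1.0 and 1.1; "Header unset Content-Security-Policy" discards the CSP header Nextcloud itself emits from PHP; "Options Indexes ExecCGI" enables directory listings the application does not need; and OCSP stapling has no responder to query for a self-signed certificate. The paths are the article's (/usr/local/www/nextcloud, /usr/local/etc/apache24/ssl); the check patterns, function names and sample files are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article): lint an Apache SSL vhost
# for weak directives and write a hardened Nextcloud vhost for comparison.
# Paths are the article's; patterns and function names are this example's own.
# Both sample configs below are constructed inline.

# lint_vhost FILE: print one finding per weak directive found in FILE.
lint_vhost() {
    f=$1
    # "SSLProtocol all -SSLv3" still permits TLS 1.0 and 1.1.
    if grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]+all' "$f"; then
        echo "SSLProtocol permits TLS 1.0/1.1; use: SSLProtocol -all +TLSv1.2 +TLSv1.3"
    fi
    # Unsetting Content-Security-Policy discards the policy Nextcloud sends from PHP.
    if grep -Eq '^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?unset[[:space:]]+Content-Security-Policy' "$f"; then
        echo "Content-Security-Policy is stripped; drop the 'Header unset' lines"
    fi
    # Indexes exposes directory listings; ExecCGI is not needed by Nextcloud.
    if grep -Eq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?(Indexes|ExecCGI)([[:space:]]|$)' "$f"; then
        echo "Options enables Indexes/ExecCGI; use: Options -Indexes +FollowSymLinks"
    fi
    # A self-signed certificate has no OCSP responder to staple from.
    if grep -Eiq '^[[:space:]]*SSLUseStapling[[:space:]]+on' "$f"; then
        echo "SSLUseStapling on has no OCSP responder for a self-signed certificate; set it off"
    fi
}

# count_weak FILE: number of findings lint_vhost reports for FILE.
count_weak() {
    lint_vhost "$1" | wc -l | tr -d ' '
}

# write_weak_sample FILE: the directives the lint is meant to catch (constructed).
write_weak_sample() {
    cat > "$1" <<'EOF'
SSLProtocol all -SSLv3
SSLUseStapling On
<Directory /usr/local/www/nextcloud>
Options Indexes ExecCGI FollowSymLinks
        Header unset Content-Security-Policy
        Header always unset Content-Security-Policy
</Directory>
EOF
}

# write_hardened_vhost FILE: a Nextcloud vhost that passes the lint (constructed).
write_hardened_vhost() {
    cat > "$1" <<'EOF'
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling off

<VirtualHost _default_:443>
    ServerName 192.168.5.2
    DocumentRoot "/usr/local/www/apache24/data"
    ErrorLog "/var/log/httpd-error.log"
    TransferLog "/var/log/httpd-access.log"

    SSLEngine on
    SSLCertificateFile "/usr/local/etc/apache24/ssl/server.crt"
    SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/server.key"

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    Alias /nextcloud /usr/local/www/nextcloud
    AcceptPathInfo On
    <Directory /usr/local/www/nextcloud>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv HOME /usr/local/www/nextcloud
        SetEnv HTTP_HOME /usr/local/www/nextcloud
    </Directory>
</VirtualHost>
EOF
}

# Usage: sh vhost-lint.sh /usr/local/etc/apache24/extra/httpd-ssl.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    lint_vhost "$1"
fi
```

Run `sh vhost-lint.sh /usr/local/etc/apache24/extra/httpd-ssl.conf` after editing; no output means none of the four patterns is present. Two notes on the hardened block: browsers key HSTS on host names, so the Strict-Transport-Security header is ignored while Nextcloud is reached by the bare IP 192.168.5.2 and only takes effect once a domain name is used, and `preload` is left off because it should only be sent for a domain you intend to submit to the preload list.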

After everything is configured, it is time to run Nextcloud. Open a browser and go to https://192.168.5.2/nextcloud/. Because the certificate is self-signed, the browser will warn that it is not trusted; accept the exception, and if nothing is wrong with the configuration the Nextcloud page will appear.

In this comprehensive tutorial, we have explained the process of enabling an SSL certificate on Apache with OpenSSL. By following all the guidelines in this article, you can ensure that your web server is using the latest and most secure version of the TLS protocol, thereby improving the security and performance of your Nextcloud server.
Iwan Setiawan
