Nextcloud 16 and ISPConfig 3 PHP NGINX directives

Setting up Nextcloud 16 on your own server is straightforward, but in combination with ISPConfig 3 some Nextcloud functions can break: file uploads fail, or the Nextcloud Android app reports errors while uploading.

Example from the nginx error log:

[error] 29691#29691: *211 access forbidden by rule, client: XXX.XXX.XXX.XX, server: ncloud.yourdomain.com, request: "MOVE /remote.php/dav/uploads/user/74a00956189887e59756e4e9f26d760c/.file HTTP/1.1", host: "ncloud.yourdomain.com"

The corresponding 403 as it appears in the access log:

XXX.XXX.XXX.XX - user [19/Aug/2019:09:37:39 +0100] "MOVE /remote.php/dav/uploads/user/d196927a4d5b73313ca673277031bad9/.file HTTP/1.1" 403 169 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.7.2"

"access forbidden by rule" means a deny directive matched. The request being refused is the MOVE that Nextcloud clients send to finalise a chunked upload into a file literally named ".file", and ISPConfig's default nginx vhost denies every URI containing "/." (a rule meant to protect dotfiles such as .htaccess). Every self-hoster wants uploads to just work, so here is the fix: a few directives in the right places in the ISPConfig 3 panel, plus one manual edit to the vhost file.

Short tutorial: Nextcloud 16.x PHP and NGINX directives that work with ISPConfig 3

1. First steps in the ISPConfig 3 panel

If you haven't already, create the website in the ISPConfig 3 panel (Sites tab -> Website -> Add new website), for example ncloud.yourdomain.com.
Generate a Let's Encrypt SSL certificate (tick the Let's Encrypt SSL checkbox under the Domain tab).
Put these Custom php.ini settings under the Options tab:

; Nextcloud recommends 512M for memory_limit. The effective upload cap is the
; smallest of upload_max_filesize, post_max_size and nginx's
; client_max_body_size (512M in the directives below), so keep them aligned.
memory_limit = 512M
upload_max_filesize = 512M
post_max_size = 512M
; only meaningful on PHP 5.6; PHP 7, which Nextcloud 16 requires, ignores it
always_populate_raw_post_data = -1
; allow long-running upload requests
max_execution_time = 3600

Put these nginx directives in the Nginx Directives field under the Options tab (Nextcloud's recommended nginx configuration, adapted to ISPConfig's {DOCROOT} and {FASTCGIPASS} placeholders and its @php2 named location):

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# ISPConfig idiom: the .htm file does not exist, so try_files always falls
# through to the named location @php2 defined below.
location ~ \.php$ {
try_files /b615814d8f2c19dbcb25b1fbae07ce38.htm @php2;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

# Uncomment if your server is built with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

# error_page takes a URI relative to the document root, not a filesystem
# path, so these must not be prefixed with {DOCROOT}.
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
rewrite ^ /index.php$request_uri;
}

# Never serve these directories directly (config.php, the data directory, ...)
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
# Deny dotfiles and internal entry points at the web root. The (?!file$)
# lookahead exempts ".file", the target of the MOVE that finalises a chunked
# upload; the ^ anchor means this rule only covers the web root itself.
location ~ ^/(?:\.(?!file$)|autotest|occ|issue|indie|db_|console) {
deny all;
}

location @php2 {
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS $https;
{FASTCGIPASS}
fastcgi_intercept_errors on;
fastcgi_index index.php;
fastcgi_buffers 64 64K;
fastcgi_buffer_size 256k;
fastcgi_param modHeadersAvailable true;
fastcgi_read_timeout 7200;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
#fastcgi_pass php-handler;
{FASTCGIPASS}
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}

location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}

# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;

# Optional: Don't log access to assets
access_log off;
}

location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}

Save the settings and wait until ISPConfig 3 has processed them (it regenerates the vhost file in the background).

2. The tricky part: edit the domain's NGINX vhost file

Here's the tricky part: there is no out-of-the-box workaround in the panel, so the vhost file has to be edited by hand.

Log in as root with your SSH client of choice (for example PuTTY) and open the domain's nginx vhost file:

nano /etc/nginx/sites-available/ncloud.yourdomain.com.vhost

Comment out this block by putting "#" at the start of each line, so it reads:

#location ~ /\. {
# deny all;
#}

This is the blanket rule that produced the 403 above: it denies every URI containing "/.", which includes the ".file" target of the chunked-upload MOVE. Only disable it once the directives from step 1 are active: their location ~ ^/(?:\.(?!file$)|...) block keeps denying .htaccess, .user.ini and any other dotfile at the web root while letting .file through, and the separate block keeps /data/, /config/ and the other listed directories denied. After the restart, confirm with your browser or curl that https://ncloud.yourdomain.com/.htaccess and https://ncloud.yourdomain.com/data/.ocdata still return 403, and that an upload from the Android app completes.

Note: ISPConfig 3 regenerates this vhost file every time you change anything for this website in the panel, and your manual edit is overwritten. After each such change you have to comment the block out again. Don't forget about it!

Restart nginx:

service nginx restart
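To see why the MOVE in the log excerpts at the top is refused, and what dotfile coverage remains after the step 2 edit, here is an added example script. It is mine, not code from this post, from Nextcloud or from ISPConfig. It parses log lines in the format shown above and replays the request paths through the regex deny rules. It assumes that only the deny-all regex locations matter, that they appear in the generated vhost in the order ISPConfig template rule first, then the step 1 directives, and that nginx uses the first matching regex location in file order. The "narrowed" rule is a suggested alternative to commenting the block out, not something the page gives, and all log lines and IP addresses are constructed.

```python
"""
Added example (not from the original post, Nextcloud or ISPConfig): parse
nginx log lines in the format of the excerpts on this page and replay the
request paths through the regex `deny all` locations, before and after the
step-2 edit. Assumed: only deny-all regex locations are modelled, in the
order ISPConfig's template rule first, then the step-1 directives; nginx
uses the first matching regex location in file order. NARROWED_BLANKET is a
suggested alternative, not something the page gives. All sample log lines
and addresses (RFC 5737 documentation ranges) are constructed.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# ISPConfig's template rule: any path segment beginning with a dot is denied,
# including the ".file" target of Nextcloud's chunked-upload MOVE.
ISPCONFIG_BLANKET = ("ispconfig_blanket", re.compile(r"/\."))
# Nextcloud's step-1 rules: anchored at the web root, with .file exempted.
NEXTCLOUD_DIRS = ("nextcloud_dirs",
                  re.compile(r"^/(?:build|tests|config|lib|3rdparty|templates|data)/"))
NEXTCLOUD_ROOT_ENTRIES = ("nextcloud_root_entries",
                          re.compile(r"^/(?:\.(?!file$)|autotest|occ|issue|indie|db_|console)"))
# Hypothetical narrowed blanket rule: still denies dotfiles at any depth,
# but exempts a trailing ".file" so the upload finaliser gets through.
NARROWED_BLANKET = ("narrowed_blanket", re.compile(r"/\.(?!file$)"))

STOCK_VHOST = [ISPCONFIG_BLANKET, NEXTCLOUD_DIRS, NEXTCLOUD_ROOT_ENTRIES]
PATCHED_VHOST = [NEXTCLOUD_DIRS, NEXTCLOUD_ROOT_ENTRIES]  # after step 2
NARROWED_VHOST = [NARROWED_BLANKET, NEXTCLOUD_DIRS, NEXTCLOUD_ROOT_ENTRIES]

UPLOAD_FINALISE = "/remote.php/dav/uploads/user/74a00956189887e59756e4e9f26d760c/.file"

# An error-log line for a `deny` hit, and a combined-format access-log line.
ERROR_LOG_RX = re.compile(
    r'\[error\] .*?access forbidden by rule, client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]+), request: "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
ACCESS_LOG_RX = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

SAMPLE_ERROR_LOG = [  # constructed
    '2019/08/19 09:37:39 [error] 29691#29691: *211 access forbidden by rule, '
    'client: 203.0.113.10, server: ncloud.yourdomain.com, request: "MOVE '
    + UPLOAD_FINALISE + ' HTTP/1.1", host: "ncloud.yourdomain.com"',
]
SAMPLE_ACCESS_LOG = [  # constructed: the refused finaliser, a chunk PUT, a scanner
    '203.0.113.10 - user [19/Aug/2019:09:37:39 +0100] "MOVE ' + UPLOAD_FINALISE
    + ' HTTP/1.1" 403 169 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.7.2"',
    '203.0.113.10 - user [19/Aug/2019:09:37:38 +0100] "PUT /remote.php/dav/uploads/'
    'user/74a00956189887e59756e4e9f26d760c/00000001 HTTP/1.1" 201 0 "-" '
    '"Mozilla/5.0 (Android) Nextcloud-android/3.7.2"',
    '198.51.100.7 - - [19/Aug/2019:09:40:01 +0100] "GET /.htaccess HTTP/1.1" '
    '403 169 "-" "curl/7.64.0"',
]


def denying_rule(uri: str, rules: List[Tuple[str, Any]]) -> Optional[str]:
    """Name of the first deny-all regex location matching `uri`, or None.
    The query string is dropped because nginx matches locations on the path
    only, so "?dir=/.hidden" never triggers a dotfile rule."""
    path = uri.split("?", 1)[0]
    for name, pattern in rules:
        if pattern.search(path):
            return name
    return None


def forbidden_requests(error_lines: List[str], access_lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client, method, uri) for every request refused with 403, from
    "access forbidden by rule" error-log entries and 403 access-log entries."""
    found = []
    for line in error_lines:
        m = ERROR_LOG_RX.search(line)
        if m:
            found.append((m["client"], m["method"], m["uri"]))
    for line in access_lines:
        m = ACCESS_LOG_RX.match(line)
        if m and m["status"] == "403":
            found.append((m["client"], m["method"], m["uri"]))
    return found


def is_chunk_finalise(method: str, uri: str) -> bool:
    """The request the page's symptom is about: Nextcloud clients finish a
    chunked upload with MOVE on <upload directory>/.file."""
    return method == "MOVE" and uri.startswith("/remote.php/dav/uploads/") and uri.endswith("/.file")


def triage(error_lines: List[str], access_lines: List[str],
           rules: List[Tuple[str, Any]]) -> List[Dict[str, object]]:
    """For each 403, report which modelled rule matches its path and whether
    that makes it a false positive (a legitimate upload finaliser denied)."""
    report = []
    for client, method, uri in forbidden_requests(error_lines, access_lines):
        rule = denying_rule(uri, rules)
        report.append({"client": client, "method": method, "uri": uri, "denied_by": rule,
                       "false_positive": rule is not None and is_chunk_finalise(method, uri)})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_ERROR_LOG, SAMPLE_ACCESS_LOG, STOCK_VHOST):
        print(row)
    for uri in (UPLOAD_FINALISE, "/.htaccess", "/apps/files/.git/config", "/data/.ocdata"):
        print(uri, {label: denying_rule(uri, rules) for label, rules in
                    (("stock", STOCK_VHOST), ("patched", PATCHED_VHOST), ("narrowed", NARROWED_VHOST))})
```

The replay shows the trade-off of step 2: with the blanket rule commented out, the upload finaliser and the scanner's GET /.htaccess are handled correctly by the step 1 rules, but a nested dotfile such as /apps/files/.git/config is no longer matched by any deny rule and is left to whatever the remaining locations do with it, whereas a blanket rule carrying the same (?!file$) exemption keeps that coverage and still lets the finaliser through. If you prefer that variant, replace the block in the vhost instead of commenting it out; either way the edit has to be redone after every change made in the panel.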