Continuing from the last post, we will finish the Nextcloud installation, create a self-signed certificate for HTTPS, and forward port 443 to our server so that we can reach it from the public internet.

Install Nextcloud

dietpi-software

Go to Software Optimised, find Nextcloud under Cloud/Backups, press the spacebar to select it, go back to the main menu and choose Install.

If it installs correctly, you can now access Nextcloud from:

http://your-server-ip/nextcloud

It should show the login page. The server IP is listed under LAN IP whenever you log in to DietPi.

By default, Nextcloud's data directory is /mnt/dietpi_userdata/nextcloud_data, as listed in /var/www/nextcloud/config/config.php. That means every file we upload to the cloud lands on the SD card, which is not what we want: it should go to the RAID array.

The simplest way to move the data directory on a fresh install is to force Nextcloud to run its setup wizard again and generate a new config file. (This is only sensible while nothing has been uploaded yet; an instance that already holds data should not be reset this way.) To do this, simply rename the config file:

root@DietPi:~# cd /var/www/nextcloud/config
root@DietPi:/var/www/nextcloud/config# mv config.php config.php.bak

Before we continue, we want to drop the database Nextcloud generated so that the setup wizard can create a fresh one. The database credentials are in config.php.bak; note the following lines (the values below are from my install, yours will differ):

'dbname' => 'nextcloud',
'dbuser' => 'oc_admin',
'dbpassword' => 'N5hG9g489IOUFGHg'

Then:

root@DietPi:/var/www/nextcloud/config# mysql -u oc_admin -p
Enter password: #Enter the password from dbpassword
MariaDB [(none)]> DROP DATABASE nextcloud;
MariaDB [(none)]> exit

Create a data directory for NextCloud on the array:

mkdir /mnt/md0/nextcloud
chown -R www-data:www-data /mnt/md0/nextcloud

Now visit http://your-server-ip/nextcloud again. The setup wizard lets us create a new admin user, choose the data directory, and configure the database:

Data folder: the directory we just created, /mnt/md0/nextcloud
Database user: dbuser from *config.php.bak*
Database password: dbpassword from *config.php.bak*
Database name: dbname from *config.php.bak*
Database host: the default *localhost* is fine
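The reset above can be scripted, which also saves retyping the password from the backup file. The script below is an added example, not a command from the original post or from DietPi or Nextcloud. It assumes the DietPi paths used in this post (/var/www/nextcloud and /mnt/md0/nextcloud, overridable through NC_CONFIG and NC_DATA), reads the credentials out of config.php itself, refuses to act if the data directory is already off the SD card, and only runs the destructive part when invoked with `run`:

```shell
#!/bin/sh
# Added example (not part of the original post): read the database
# credentials Nextcloud wrote into config.php, drop that database, and
# prepare the new data directory on the RAID array. Paths are the ones
# used in this post; override NC_CONFIG / NC_DATA if yours differ.
set -eu

NC_CONFIG="${NC_CONFIG:-/var/www/nextcloud/config/config.php}"
NC_DATA="${NC_DATA:-/mnt/md0/nextcloud}"

# nc_cfg_get KEY FILE: print the value of a scalar entry such as
#   'dbname' => 'nextcloud',
# from a Nextcloud config.php. Prints nothing if KEY is absent.
nc_cfg_get() {
    sed -n "s/^[[:space:]]*'$1'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$2" | head -n 1
}

# is_on_sdcard DIR: true if DIR lives under DietPi's SD-card user data
# path, which is where a default install keeps nextcloud_data.
is_on_sdcard() {
    case "$1" in
        /mnt/dietpi_userdata/*) return 0 ;;
        *) return 1 ;;
    esac
}

reset_nextcloud() {
    dbname=$(nc_cfg_get dbname "$NC_CONFIG")
    dbuser=$(nc_cfg_get dbuser "$NC_CONFIG")
    dbpass=$(nc_cfg_get dbpassword "$NC_CONFIG")
    datadir=$(nc_cfg_get datadirectory "$NC_CONFIG")
    if [ -z "$dbname" ] || [ -z "$dbuser" ] || [ -z "$dbpass" ]; then
        echo "could not read database credentials from $NC_CONFIG" >&2
        exit 1
    fi
    if ! is_on_sdcard "$datadir"; then
        echo "data directory is $datadir, not on the SD card; nothing to do" >&2
        exit 0
    fi

    # Keep the old config for reference; the setup wizard writes a new one.
    mv "$NC_CONFIG" "$NC_CONFIG.bak"

    # Drop the database with the credentials from the old config. Passing the
    # password via MYSQL_PWD keeps it out of `ps` output and shell history.
    MYSQL_PWD="$dbpass" mysql -u "$dbuser" -e "DROP DATABASE \`$dbname\`;"

    # Data directory on the array: owned by the web server, closed to others.
    mkdir -p "$NC_DATA"
    chown www-data:www-data "$NC_DATA"
    chmod 750 "$NC_DATA"

    echo "Now open the setup wizard and enter:"
    echo "  data folder:       $NC_DATA"
    echo "  database user:     $dbuser"
    echo "  database name:     $dbname"
    echo "  database password: the dbpassword value in $NC_CONFIG.bak"
}

# Only act when explicitly asked; running the file without arguments is a no-op.
if [ "${1:-}" = "run" ]; then
    reset_nextcloud
fi
```

Run it as root with `sh nc-reset.sh run`, then continue with the setup wizard. The script leaves config.php.bak in place, and that file holds the database password in clear text, so delete it once the new install works.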

Generate a self-signed cert for HTTPS

By default the web server speaks plain HTTP, which sends passwords and files in the clear. To use HTTPS we need a certificate; a self-signed one is enough to get encryption on the wire, although browsers will not trust it. DietPi's default web server is lighttpd and its config file is /etc/lighttpd/lighttpd.conf. Let's generate a self-signed cert:

root@DietPi:~# cd /etc/lighttpd/
root@DietPi:/etc/lighttpd# mkdir ssl
root@DietPi:/etc/lighttpd# cd ssl
root@DietPi:/etc/lighttpd/ssl# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# answer the prompts; use the name you will reach the server by (DDNS name or LAN IP) as the Common Name
root@DietPi:/etc/lighttpd/ssl# chmod 600 server.pem

The single server.pem holds both the private key and the certificate, which is the layout lighttpd's ssl.pemfile expects; that is why it must be readable by root only.

I like to use the Mozilla SSL Configuration Generator for the TLS configuration on lighttpd, with the "modern" profile (TLS 1.3 only; older clients that cannot do TLS 1.3 will fail to connect, so pick "intermediate" if you need them). Two things to keep in mind:

  1. comment out the line with ssl.ca-file (there is no intermediate chain for a self-signed cert)
  2. edit the path of ssl.pemfile to the cert we just created

# generated 2020-06-22, Mozilla Guideline v5.4, lighttpd 1.4.55, OpenSSL 1.1.1d, modern configuration
# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.55&config=modern&openssl=1.1.1d&guideline=5.4
$SERVER["socket"] == ":80" {
    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

$SERVER["socket"] == ":443" {
    ssl.engine   = "enable"

    # pemfile is cert+privkey, ca-file is the intermediate chain in one file
    ssl.pemfile               = "/etc/lighttpd/ssl/server.pem"
    #ssl.ca-file               = "/path/to/intermediate_certificate"

    # modern configuration
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, -TLSv1.2")
    ssl.cipher-list           = ""
    ssl.honor-cipher-order    = "disable"

    # HTTP Strict Transport Security (63072000 seconds)
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=63072000"
    )
}

Copy the above configuration and paste it at the end of /etc/lighttpd/lighttpd.conf. lighttpd can parse a config file without starting, so test it before restarting; if it complains that ssl.engine is unknown, add "mod_openssl" to server.modules, as TLS is a separate module in lighttpd 1.4.46 and later. Then restart the service:

systemctl restart lighttpd.service

Visit https://your-server-ip/nextcloud (plain http:// now redirects there). You will see a certificate warning, which is expected with a self-signed cert. Note that browsers only store the Strict-Transport-Security policy from a connection whose certificate they trust, so the HSTS header has no effect yet; once you switch to a certificate from a public CA such as Let's Encrypt, which requires a domain you control, it will keep browsers on HTTPS for the two years it specifies.
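The one-liner above works, but the interactive prompts make it easy to end up with a certificate whose name does not match the server, and nothing so far checks the result before lighttpd is restarted. The script below is an added example, not from the original post or from lighttpd's or Mozilla's documentation. It assumes OpenSSL 1.1.1 or newer (for -addext), uses placeholder names such as cloud.example.invalid and 192.168.88.10, writes key and certificate into the single file ssl.pemfile expects with a subjectAltName for the DDNS name and LAN IP, syntax-checks the lighttpd config, and probes a running listener to confirm that the modern profile refuses TLS 1.2 and accepts TLS 1.3:

```shell
#!/bin/sh
# Added example, not from the original post. Creates the combined key+cert
# file for lighttpd and offers two checks: a config syntax test and a
# TLS-version probe against the running server.
# Placeholders: cloud.example.invalid (DDNS name), 192.168.88.10 (LAN IP).
set -eu

PEMFILE="${PEMFILE:-/etc/lighttpd/ssl/server.pem}"
LIGHTTPD_CONF="${LIGHTTPD_CONF:-/etc/lighttpd/lighttpd.conf}"

# make_selfsigned_pem OUT CN DAYS [SAN...]
# Writes the private key followed by the certificate into OUT (lighttpd's
# ssl.pemfile wants both in one file). CN becomes the Common Name and the
# first subjectAltName; extra SANs look like DNS:name or IP:192.168.88.10.
# -addext needs OpenSSL 1.1.1 or newer, which the setup in this post has.
make_selfsigned_pem() {
    out=$1; cn=$2; days=$3; shift 3
    san="DNS:$cn"
    for extra in "$@"; do san="$san,$extra"; done
    key=$(mktemp); crt=$(mktemp)
    openssl req -x509 -nodes -newkey rsa:2048 \
        -subj "/CN=$cn" -addext "subjectAltName=$san" -days "$days" \
        -keyout "$key" -out "$crt"
    # the combined file contains the private key: create it unreadable to others
    (umask 077; cat "$key" "$crt" > "$out")
    rm -f "$key" "$crt"
}

# pem_sans FILE: print the subjectAltName entries of the certificate in FILE
pem_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//p;}'
}

# check_lighttpd CONF: parse the config without starting the server
check_lighttpd() {
    lighttpd -tt -f "$1"
}

# probe_tls HOST PORT: with the "modern" profile TLS 1.2 must be refused and
# TLS 1.3 accepted. The self-signed cert makes s_client print a verify
# error; that is expected and does not make the handshake fail.
probe_tls() {
    if openssl s_client -connect "$1:$2" -tls1_2 </dev/null >/dev/null 2>&1; then
        echo "WARNING: $1:$2 still accepts TLS 1.2"
    else
        echo "ok: $1:$2 refuses TLS 1.2"
    fi
    if openssl s_client -connect "$1:$2" -tls1_3 </dev/null >/dev/null 2>&1; then
        echo "ok: $1:$2 accepts TLS 1.3"
    else
        echo "WARNING: TLS 1.3 handshake to $1:$2 failed"
    fi
}

case "${1:-}" in
    cert)  # cert NAME LAN_IP
        make_selfsigned_pem "$PEMFILE" "${2:?name}" 365 "IP:${3:?lan ip}"
        pem_sans "$PEMFILE" ;;
    check) check_lighttpd "$LIGHTTPD_CONF" ;;
    probe) probe_tls "${2:?host}" 443 ;;
esac
```

Typical use as root: `sh tls-check.sh cert cloud.example.invalid 192.168.88.10`, then `sh tls-check.sh check` before `systemctl restart lighttpd.service`, and `sh tls-check.sh probe 192.168.88.10` afterwards. The SAN matters if you later import the certificate into a phone or laptop trust store: modern browsers ignore the Common Name and match the name only against subjectAltName.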

After logging in, head to Settings > Overview and review the Security & setup warnings. I also suggest configuring firewall rules before opening Nextcloud to the public internet:

apt install ufw -y
ufw default deny incoming
ufw default allow outgoing
ufw allow 22
ufw allow 80
ufw allow 443
ufw enable

This allows only SSH, HTTP and HTTPS into the server and drops everything else. Since the router will forward port 443 only, SSH and plain HTTP stay reachable from the LAN alone; do not forward port 22 as well. (ufw enable warns that it may interrupt an existing SSH session; the allow rule for 22 is already in place, so it is safe to confirm.)

DDNS and Port Forwarding

The reason to use DDNS is that home internet connections usually get a dynamic IP. We need a service that keeps a domain name mapped to that changing IP so that we can always reach our home network. On a MikroTik this is a single command:

ip cloud set ddns-enabled=yes
ip cloud print

This provides a unique domain name for you that always maps to the router's WAN IP. If you have a personal domain, you can add a CNAME record pointing your domain at this unique name. Most router vendors nowadays provide such a service, but if your router does not, consider a third-party service such as No-IP.

Next, to reach Nextcloud from the internet, the router has to forward incoming requests to our server. On a MikroTik router it is a single command:

/ip firewall nat add chain=dstnat in-interface-list=WAN dst-port=443 action=dst-nat protocol=tcp to-address=(my-server-ip) to-port=443

The exact configuration for other routers varies, but the idea is the same:

  • DSTNAT or Port Forwarding
  • Incoming (WAN) port: 443
  • Destination port: 443
  • Forwarding IP address: your server's LAN IP
  • Forwarding port: 443 (HTTPS)

I didn't set a source address because our public IP may change from time to time if our ISP only provides dynamic IPs. Test the forward from outside your LAN, for instance from a phone on mobile data: the rule only matches traffic arriving on the WAN interface, so reaching your public name from inside the LAN needs a separate hairpin NAT rule.
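One thing the router commands above do not cover: Nextcloud only answers requests whose Host header is in the trusted_domains list in config.php, so after the forward is in place a visit to the DDNS name is refused with "Access through untrusted domain" until that name is added. The script below is an added example, not from the original post or from Nextcloud. It assumes the DietPi install path /var/www/nextcloud (NC_ROOT) and a placeholder name cloud.example.invalid; it checks the current list in config.php and adds the name through occ at the next free index:

```shell
#!/bin/sh
# Added example (not from the original post): add the DDNS name to
# Nextcloud's trusted_domains. NC_ROOT is the DietPi install path;
# cloud.example.invalid is a placeholder for your DDNS name.
set -eu

NC_ROOT="${NC_ROOT:-/var/www/nextcloud}"

# trusted_block CONFIG: print the lines of the trusted_domains array,
# from the key itself down to the closing "),".
trusted_block() {
    sed -n "/'trusted_domains'/,/^[[:space:]]*),/p" "$1"
}

# has_trusted_domain CONFIG DOMAIN: true if DOMAIN is already listed.
has_trusted_domain() {
    trusted_block "$1" | grep -qF "'$2'"
}

# next_trusted_index CONFIG: number of entries already present, which is
# the index occ needs for the next one (entries look like "0 => '...',").
next_trusted_index() {
    trusted_block "$1" | grep -c "^[[:space:]]*[0-9][0-9]*[[:space:]]*=>" || true
}

# add_trusted_domain DOMAIN: append DOMAIN via occ, running as the web
# server user so config.php keeps its ownership.
add_trusted_domain() {
    cfg="$NC_ROOT/config/config.php"
    if has_trusted_domain "$cfg" "$1"; then
        echo "$1 is already a trusted domain"
        return 0
    fi
    idx=$(next_trusted_index "$cfg")
    sudo -u www-data php "$NC_ROOT/occ" config:system:set trusted_domains "$idx" --value="$1"
}

# Usage: sh trusted-domain.sh add cloud.example.invalid
if [ "${1:-}" = "add" ] && [ -n "${2:-}" ]; then
    add_trusted_domain "$2"
fi
```

Add every name you will use: the DDNS name, and the CNAME on your own domain if you set one up. Keep the LAN IP entry that the setup wizard created so the web interface still works from inside the network.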


That is it for this guide on how to set up a home server for Nextcloud. It was quite fun. I've been learning Docker recently, so perhaps as a next step I can write a Dockerfile for the installation process as a fun little project!