How to Install Nextcloud 11 on Ubuntu 16.04 with Nginx

We had published a tutorial on how to install Nextcloud on Ubuntu 16.04 with Apache web server back in June 2016, shortly after the first public release of Nextcloud. But many folks want to use Nginx rather than Apache as the web server. So in this tutorial we will see how to install Nextcloud 11 on Ubuntu 16.04 with Nginx.

Prerequisites

First, you should check out this LEMP install tutorial for Ubuntu 16.04 if you haven’t installed LEMP yet. Once it’s installed, come back here and read on.

Step 1: Download NextCloud 11

Download the NextCloud server zip archive onto your server. The latest stable version is 11.0.2 at time of this writing. You may need to change the version number. Go to https://nextcloud.com/install and click the download button to check out the latest version.

wget https://download.nextcloud.com/server/releases/nextcloud-11.0.2.zip

Extract it.

sudo apt install unzip

unzip nextcloud-11.0.2.zip

A new directory named nextcloud will be created in the current working directory. Move the new directory and all of its content to the document root of Nginx web server

sudo mv nextcloud /usr/share/nginx/

Then you also need to give Nginx user (www-data) write permission.

sudo chown www-data:www-data /usr/share/nginx/nextcloud/ -R

Step 2: Create a Database and User in MariaDB

Log into MariaDB database server with the following command:

mysql -u root -p

Then create a database for Nextcloud. This tutorial name the database nextcloud. You can use whatever name you like.

create database nextcloud;

Create the database user. Again, you can use your preferred name for this user. Replace your-password with your preferred password.

create user nextclouduser@localhost identified by 'your-password';

Grant this user all privileges on the nextcloud database.

grant all privileges on nextcloud.* to nextclouduser@localhost identified by 'your-password';

Flush privileges and exit.

flush privileges;

exit;

Step 3: Enable Binary Logging in MariaDB

Edit the mysqld configuration file.

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf

Add the following three lines in [mysqld] section.

log-bin        = /var/log/mysql/mariadb-bin
log-bin-index  = /var/log/mysql/mariadb-bin.index
binlog_format  = mixed

The format of binary log must be mixed. Save and close the file. Then restart MariaDB service.

sudo systemctl restart mysql

Now binary log is enabled in MariaDB.

Step 4: Create an Nginx Config File for Nextcloud

Create a nextcloud.conf file in /etc/nginx/conf.d/ directory.

sudo nano /etc/nginx/conf.d/nextcloud.conf

Put the following text into the file. Replace the red-colored text with your actual data. Don’t forget to set A record for the domain name.

server {
    listen 80;
    server_name nextcloud.your-domain.com;

    # Add headers to serve security related headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
      allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
       rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
       deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
       deny all;
     }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
       include fastcgi_params;
       fastcgi_split_path_info ^(.+\.php)(/.*)$;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param PATH_INFO $fastcgi_path_info;
       #Avoid sending the security headers twice
       fastcgi_param modHeadersAvailable true;
       fastcgi_param front_controller_active true;
       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
       fastcgi_intercept_errors on;
       fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
   }

   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
   }
}

Save and close the file. Test Nginx configuration, then reload Nginx for the changes to take effect.

sudo nginx -t

sudo systemctl reload nginx

Step 5: Install and Enable PHP Modules

Run the following commands to install needed PHP modules.

sudo apt install php7.0-common php7.0-gd php7.0-json php7.0-curl  php7.0-zip php7.0-xml php7.0-mbstring

Step 6: Enable HTTPS

Now you can access the Nextcloud web install wizard in your browser by entering the domain name for your Nextcloud installation.

nextcloud.your-domain.com

nextcloud ubuntu 16.04 nginx

But before entering any sensitive information, we should enable secure HTTPS connection on Nextcloud. We can obtain a free TLS certificate from Let’s Encrypt.

Install certbot (Let’s Encrypt) client from Ubuntu 16.04 repository.

sudo apt install letsencrypt

Next, run the following command to obtain a free TLS certificate using the webroot plugin.

sudo letsencrypt certonly --webroot --agree-tos --email your-email-address -d nextcloud.your-domain.com -w /usr/share/nginx/nextcloud/

Within a few seconds, you shall see a message like below, which means the TLS certificate was successfully obtained.

nextcloud 11 nginx

Now let’s install the TLS certificate. Edit nextcloud.conf file.

sudo nano /etc/nginx/conf.d/nextcloud.conf

Change the configuration as follows to redirect HTTP to HTTPS.

server {
    listen 80;
    server_name nextcloud.your-domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name nextcloud.your-domain.com;
 
    ssl_certificate /etc/letsencrypt/live/nextcloud.your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.your-domain.com/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000;preload" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
      allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
       rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
       deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
       deny all;
     }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
       include fastcgi_params;
       fastcgi_split_path_info ^(.+\.php)(/.*)$;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param PATH_INFO $fastcgi_path_info;
       #Avoid sending the security headers twice
       fastcgi_param modHeadersAvailable true;
       fastcgi_param front_controller_active true;
       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
       fastcgi_intercept_errors on;
       fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000;preload" always;
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
   }

   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
   }
}

Save and close the file. Test Nginx configuration, then reload Nginx for the changes to take effect.

sudo nginx -t

sudo systemctl reload nginx

Finish the Installation in your Web Browser

Now you can access the Nextcloud web install wizard using HTTPS connection. To complete the installation, you need to create an admin account, enter the path of Nextcloud data folder, enter database details created earlier.

The data folder is where users’ files are stored. For security, it’s best to place the data directory outside of Nextcloud web root. So instead of storing users’ files under /usr/share/nginx/nextcloud/data/, we can change it to /usr/share/nginx/nextcloud-data. which can be created with the following command:

sudo mkdir /usr/share/nginx/nextcloud-data

Then make sure Nginx user (www-data) has write permission to the data directory.

sudo chown www-data:www-data /usr/share/nginx/nextcloud-data -R

nextcloud nginx config

Once it’s done, you will see the Web interface of Nextcloud. Congrats! You can start using it as your private cloud storage.

install nextcloud nginx

That’s it!

I hope this tutorial helped you install Nextcloud on Ubuntu 16.04 with Nginx config. As always, if you found this post useful, then subscribe to our free newsletter. You can also follow us on Google+Twitter or like our Facebook page.

Rate this tutorial
[Total: 4 Average: 4]