nextcloud

Contents

nextcloud

About

Resources

Minimum

4 Cores
4 GiB RAM
Fast Storage
1x 1Gbit/s NIC

Installation

I chose installation via snap

   1 apt install snap
   2 snap install nextcloud

Caveats when using snapd:

You cannot customize the snappy-app
- if you need a certain binary within the snap, that hasn't been bundled, your stuck.
  - Examples:
    - Nextcloud App "OCR Workflow" needs packages ocrmypdf, tesseract-ocr-eng,tesseract-ocr-deu, …
    - Solr + nextant …
- You cannot customize the configuration of the bundles daemons (mysql, redis, apache2, …).
  You can try a workaround with a script that configures the daemons at runtime (e. g. via SQL):
  SET GLOBAL innodb_buffer_pool_size = 1073741824

snap

snap logs

This is an important feature to get info about the internal state of the application

   1 snap logs nextcloud

There are more logs at
/var/snap/nextcloud/current/logs

   1 ll /var/snap/nextcloud/current/logs/*.log
   2 -rw-r----- 1 root root 5054656 Okt  1 10:27 /var/snap/nextcloud/current/logs/apache_access.log
   3 -rw-r----- 1 root root    3800 Sep 28 11:42 /var/snap/nextcloud/current/logs/apache_errors.log
   4 -rw-r----- 1 root root       0 Sep 26 00:03 /var/snap/nextcloud/current/logs/mysql_errors.log
   5 -rw-r----- 1 root root      56 Sep 26 00:03 /var/snap/nextcloud/current/logs/php-fpm_errors.log
   6 -rw-r----- 1 root root       0 Jun 13 00:04 /var/snap/nextcloud/current/logs/php_errors.log
   7 -rw-r----- 1 root root  541447 Okt  1 10:25 /var/snap/nextcloud/current/logs/redis.log

snap get and set

There are some tuneables from the cli that can be queried with snap get

   1 # snap get nextcloud 
   2 Key        Value
   3 mode       production
   4 nextcloud  {...}
   5 php        {...}
   6 ports      {...}
   7 private    {...}
   8 # snap get nextcloud nextcloud
   9 Key                      Value
  10 nextcloud.cron-interval  5m
  11 # snap get nextcloud php      
  12 Key               Value
  13 php.memory-limit  512M
  14 # snap get nextcloud ports
  15 Key          Value
  16 ports.http   80
  17 ports.https  443
  18 Key                Value
  19 private.mode       production
  20 private.nextcloud  {...}
  21 private.php        {...}
  22 private.ports      {...}
  23 private.snap       {...}
  24 # …
  25

They can also be set like this

   1 snap set nextcloud mode=production
   2 snap set nextcloud php.memory-limit=512M

List occ config

With the client

   1 snap run nextcloud.occ config:list|jq . |less -R

Edit the config with the editor of your choice

   1 BACKUP_DST="/var/backups/nextcloud"
   2 [ -d "$BACKUP_DST" ] || mkdir "$BACKUP_DST"
   3 cp -p "/var/snap/nextcloud/current/nextcloud/config/config.php" \
   4         "$BACKUP_DST/config_$(date +%F_%H%M).php"
   5 vim /var/snap/nextcloud/current/nextcloud/config/config.php

Set trusted_proxy

Configuring the variable trusted_proxies correct is crucial when using a reverse proxy and the brute force protection. Otherwise the proxy and therefore any connecting is throttled.

Get current value of trusted_proxies

   1 # snap run nextcloud.occ config:system:get trusted_proxies
   2 172.18.0.33

Set the first value of the array.

   1 # snap run nextcloud.occ config:system:set trusted_proxies 0 --value=178.63.149.229   
   2 System config value trusted_proxies => 0 set to string 178.63.149.229

Access MySQL-Database

Write the access tokens to your users client configuration.

   1 cat /var/snap/nextcloud/20498/mysql/root.ini >> ~root/.my.cnf
   2 
   3 ### NOW CALL YOUR CLIENT
   4 mysql
   5 mysqltuner

Login on Android App

The login on the Android App is probably case sensitive.

Nextcloud Client

Debian has a version in the repo

   1 apt install nextcloud-desktop

There is also an AppImage (pkg, msi, … ) that may be used when you need another version than the one in the repository.

The man-page show the configuration directory.

   1        On Linux distributions:
   2               $HOME/.config/Nextcloud/nextcloud.cfg
   3 
   4        On Microsoft Windows systems:
   5               %APPDATA%\Nextcloud\nextcloud.cfg
   6 
   7        On macOS systems:
   8               $HOME/Library/Preferences/Nextcloud/nextcloud.cfg

When the client is not running, you may change the configuration file. This is useful, if you want to disable synchronization before startup.

nextcloud.cfg

   1 [Accounts]
   2 0\Folders\1\paused=false
   3 1\Folders\2\paused=true

To get some log output you may start the client like this

   1 nextcloud --logflush --logdir /tmp/Nextcloud-logdir
   2 ls -drt1 /tmp/Nextcloud-logdir/* |tail -n1 |xargs tail -f

No Reboot After Installation on Windows

The Nextcloud client schedules a reboot on upgrade, which is totally annoying.
help.nextcloud.com - Why does the Nextcloud Windows client require a restart each update?

I guess this is motivated by the alternative locking mechanisms in Windows.

But there is a workaround
Nextcloud Client Manual - No Reboot After Installation

The Nextcloud Client schedules a reboot after installation to make sure the Explorer extension is correctly (un)loaded. If you’re taking care of the reboot yourself, you can set the REBOOT property:

   1 msiexec /i Nextcloud-x.y.z-x64.msi REBOOT=ReallySuppress

This will make msiexec exit with error ERROR_SUCCESS_REBOOT_REQUIRED (3010). If your deployment tooling interprets this as an actual error and you want to avoid that, you may want to set the DO_NOT_SCHEDULE_REBOOT instead:

   1 msiexec /i Nextcloud-x.y.z-x64.msi DO_NOT_SCHEDULE_REBOOT="1"

NextCloud Apps

Bruteforce Settings App

Install the "Bruteforce Settings App" to configure a whitelist of IPs which is not blocked by the bruteforce protection.

NextCloud Talk

Github nextcloud/spreed

WebRTC

WebRTC (Web Real-Time Communication)

Stun and Turn Server

Please refer to this howto matrix#TURN_Server

Signaling Server

Candidates

The only supported signaling server is: Nextcloud Spreed Signaling

There are other unsupported systems in the ecosystem (just for the sake of completeness)

Deprecations

SimpleWebRTC (frozen)
webRTC.io (no commit since May 2013)

Nextcloud Spreed Signaling

Clone and build

   1 cd /opt
   2 git clone https://github.com/strukturag/nextcloud-spreed-signaling.git
   3 cd nextcloud-spreed-signaling
   4 aptitude install golang-go make curl
   5 make build
   6 ln -s /opt/nextcloud-spreed-signaling/bin/signaling \
   7         /usr/bin/signaling

Create group and user

   1 adduser --system --group \
   2         --home /var/lib/signaling \
   3         --shell /usr/sbin/nologin \
   4         --gecos "Standalone signaling server for Nextcloud Talk.,,," \
   5         signaling
   6 adduser signaling ssl-cert

Create config

   1 install -o root -g signaling -m 0750 -d /etc/signaling
   2 install -o root -g signaling -m 0640 \
   3         /opt/nextcloud-spreed-signaling/server.conf.in \
   4         /etc/signaling/server.conf

Adjust config

uncomment listen
sessions.blockkey
sessions.hashkey
https.certificate
https.key
clients.internalsecret
backend.allowed
backend.secret
nats.url !!!

Old version of the
/etc/signaling/server.conf

   1 [http]
   2 # IP and port to listen on for HTTP requests.
   3 # Comment line to disable the listener.
   4 listen = 127.0.0.1:8080
   5 
   6 # HTTP socket read timeout in seconds.
   7 #readtimeout = 15
   8 
   9 # HTTP socket write timeout in seconds.
  10 #writetimeout = 15
  11 
  12 [https]
  13 # IP and port to listen on for HTTPS requests.
  14 # Comment line to disable the listener.
  15 #listen = 127.0.0.1:8443
  16 
  17 # HTTPS socket read timeout in seconds.
  18 #readtimeout = 15
  19 
  20 # HTTPS socket write timeout in seconds.
  21 #writetimeout = 15
  22 
  23 # Certificate / private key to use for the HTTPS server.
  24 #certificate = /etc/nginx/ssl/server.crt
  25 certificate = /etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem
  26 #key = /etc/nginx/ssl/server.key
  27 key = /etc/letsencrypt/live/coturn.rockstable.it/privkey.pem
  28 
  29 [app]
  30 # Set to "true" to install pprof debug handlers.
  31 # See "https://golang.org/pkg/net/http/pprof/" for further information.
  32 debug = false
  33 
  34 [sessions]
  35 # Secret value used to generate checksums of sessions. This should be a random
  36 # string of 32 or 64 bytes.
  37 hashkey = the-secret-for-session-checksums
  38 
  39 # Optional key for encrypting data in the sessions. Must be either 16, 24 or
  40 # 32 bytes.
  41 # If no key is specified, data will not be encrypted (not recommended).
  42 blockkey = -encryption-key-
  43 
  44 [clients]
  45 # Shared secret for connections from internal clients. This must be the same
  46 # value as configured in the respective internal services.
  47 internalsecret = the-shared-secret-for-internal-clients
  48 
  49 
  50 [backend]
  51 # Comma-separated list of hostnames that are allowed to be used as backend
  52 # endpoints.
  53 allowed = cloud.rockstable.it,nextcloud1.rockstable.it
  54 
  55 # Allow any hostname as backend endpoint. This is extremely insecure and should
  56 # only be used while running the benchmark client against the server.
  57 allowall = false
  58 
  59 # Shared secret for requests from and to the backend servers. This must be the
  60 # same value as configured in the Nextcloud admin ui.
  61 secret = the-shared-secret
  62 
  63 # Timeout in seconds for requests to the backend.
  64 timeout = 10
  65 
  66 # Maximum number of concurrent backend connections per host.
  67 #connectionsperhost = 8
  68 connectionsperhost = 16
  69 
  70 # If set to "true", certificate validation of backend endpoints will be skipped.
  71 # This should only be enabled during development, e.g. to work with self-signed
  72 # certificates.
  73 #skipverify = false
  74 
  75 [nats]
  76 # Url of NATS backend to use. This can also be a list of URLs to connect to
  77 # multiple backends. For local development, this can be set to ":loopback:"
  78 # to process NATS messages internally instead of sending them through an
  79 # external NATS backend.
  80 #url = nats://localhost:4222
  81 url = :loopback:
  82 
  83 [mcu]
  84 # The type of the MCU to use. Currently only "janus" is supported.
  85 type = janus
  86 
  87 # The URL to the websocket endpoint of the MCU server. Leave empty to disable
  88 # MCU functionality.
  89 url =
  90 
  91 # The maximum bitrate per publishing stream (in bits per second).
  92 # Defaults to 1 mbit/sec.
  93 #maxstreambitrate = 1048576
  94 
  95 # The maximum bitrate per screensharing stream (in bits per second).
  96 # Default is 2 mbit/sec.
  97 #maxscreenbitrate = 2097152
  98 
  99 [turn]
 100 # API key that the MCU will need to send when requesting TURN credentials.
 101 #apikey = the-api-key-for-the-rest-service
 102 
 103 # The shared secret to use for generating TURN credentials. This must be the
 104 # same as on the TURN server.
 105 #secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
 106 
 107 # A comma-separated list of TURN servers to use. Leave empty to disable the
 108 # TURN REST API.
 109 #servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
 110 
 111 [geoip]
 112 # License key to use when downloading the MaxMind GeoIP database. You can
 113 # register an account at "https://www.maxmind.com/en/geolite2/signup" for
 114 # free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/"" for further
 115 # information.
 116 # Leave empty to disable GeoIP lookups.
 117 #license =

Newer versions need a different backend configuration. Instead of allow servers and a common shared secret. They define backends with their own configuration and enable them individually. Newer version of the
/etc/signaling/server.conf

   1 [http]
   2 # IP and port to listen on for HTTP requests.
   3 # Comment line to disable the listener.
   4 listen = 127.0.0.1:8080
   5 
   6 # HTTP socket read timeout in seconds.
   7 #readtimeout = 15
   8 
   9 # HTTP socket write timeout in seconds.
  10 #writetimeout = 15
  11 
  12 [https]
  13 # IP and port to listen on for HTTPS requests.
  14 # Comment line to disable the listener.
  15 #listen = 127.0.0.1:8443
  16 
  17 # HTTPS socket read timeout in seconds.
  18 #readtimeout = 15
  19 
  20 # HTTPS socket write timeout in seconds.
  21 #writetimeout = 15
  22 
  23 # Certificate / private key to use for the HTTPS server.
  24 #certificate = /etc/nginx/ssl/server.crt
  25 certificate = /etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem
  26 #key = /etc/nginx/ssl/server.key
  27 key = /etc/letsencrypt/live/coturn.rockstable.it/privkey.pem
  28 
  29 
  30 [app]
  31 # Set to "true" to install pprof debug handlers.
  32 # See "https://golang.org/pkg/net/http/pprof/" for further information.
  33 #debug = false
  34 #debug = true
  35 
  36 [sessions]
  37 # Secret value used to generate checksums of sessions. This should be a random
  38 # string of 32 or 64 bytes.
  39 hashkey = the-secret-for-session-checksums
  40 
  41 # Optional key for encrypting data in the sessions. Must be either 16, 24 or
  42 # 32 bytes.
  43 # If no key is specified, data will not be encrypted (not recommended).
  44 blockkey = -encryption-key-
  45 
  46 [clients]
  47 # Shared secret for connections from internal clients. This must be the same
  48 # value as configured in the respective internal services.
  49 internalsecret = the-shared-secret-for-internal-clients
  50 
  51 [backend]
  52 # Comma-separated list of backend ids from which clients are allowed to connect
  53 # from. Each backend will have isolated rooms, i.e. clients connecting to room
  54 # "abc12345" on backend 1 will be in a different room than clients connected to
  55 # a room with the same name on backend 2. Also sessions connected from different
  56 # backends will not be able to communicate with each other.
  57 #backends = backend-id, another-backend
  58 backends = rockstable_nextcloud1, rockstable_cloud
  59 
  60 ### OLD STYLE
  61 # Comma-separated list of hostnames that are allowed to be used as backend
  62 # endpoints.
  63 #allowed = cloud.rockstable.it,nextcloud1.rockstable.it
  64 
  65 # Allow any hostname as backend endpoint. This is extremely insecure and should
  66 # only be used while running the benchmark client against the server.
  67 allowall = false
  68 
  69 # Common shared secret for requests from and to the backend servers if
  70 # "allowall" is enabled. This must be the same value as configured in the
  71 # Nextcloud admin ui.
  72 #secret = the-shared-secret
  73 
  74 # Timeout in seconds for requests to the backend.
  75 timeout = 10
  76 
  77 # Maximum number of concurrent backend connections per host.
  78 #connectionsperhost = 8
  79 connectionsperhost = 16
  80 
  81 # If set to "true", certificate validation of backend endpoints will be skipped.
  82 # This should only be enabled during development, e.g. to work with self-signed
  83 # certificates.
  84 #skipverify = false
  85 
  86 # Backend configurations as defined in the "[backend]" section above. The
  87 # section names must match the ids used in "backends" above.
  88 [rockstable_nextcloud1]
  89 # URL of the Nextcloud instance
  90 url = https://nextcloud1.rockstable.it/
  91 
  92 # Shared secret for requests from and to the backend servers. This must be the
  93 # same value as configured in the Nextcloud admin ui.
  94 secret = the-shared-secret
  95 
  96 [rockstable_cloud]
  97 # URL of the Nextcloud instance
  98 url = https://cloud.rockstable.it/
  99 
 100 # Shared secret for requests from and to the backend servers. This must be the
 101 # same value as configured in the Nextcloud admin ui.
 102 secret = the-shared-secret
 103 
 104 [nats]
 105 # Url of NATS backend to use. This can also be a list of URLs to connect to
 106 # multiple backends. For local development, this can be set to ":loopback:"
 107 # to process NATS messages internally instead of sending them through an
 108 # external NATS backend.
 109 #url = nats://localhost:4222
 110 url = :loopback:
 111 
 112 [mcu]
 113 # The type of the MCU to use. Currently only "janus" and "proxy" are supported.
 114 # Leave empty to disable MCU functionality.
 115 #type = janus
 116 type =
 117 
 118 # The URL to the websocket endpoint of the MCU server. Leave empty to disable
 119 # MCU functionality.
 120 # For type "janus": the URL to the websocket endpoint of the MCU server.
 121 # For type "proxy": a space-separated list of proxy URLs to connect to.
 122 url =
 123 
 124 # The maximum bitrate per publishing stream (in bits per second).
 125 # Defaults to 1 mbit/sec.
 126 #maxstreambitrate = 1048576
 127 
 128 # For type "janus": the maximum bitrate per screensharing stream (in bits per
 129 # second).
 130 # Default is 2 mbit/sec.
 131 #maxscreenbitrate = 2097152
 132 
 133 # For type "proxy": timeout in seconds for requests to the proxy server.
 134 #proxytimeout = 2
 135 
 136 # For type "proxy": type of URL configuration for proxy servers.
 137 # Defaults to "static".
 138 #
 139 # Possible values:
 140 # - static: A space-separated list of proxy URLs is given in the "url" option.
 141 # - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
 142 #urltype = static
 143 
 144 # For type "proxy": the id of the token to use when connecting to proxy servers.
 145 #token_id = server1
 146 
 147 # For type "proxy": the private key for the configured token id to use when
 148 # connecting to proxy servers.
 149 #token_key = privkey.pem
 150 
 151 # For url type "etcd": Comma-separated list of static etcd endpoints to
 152 # connect to.
 153 #endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
 154 
 155 # For url type "etcd": Options to perform endpoint discovery through DNS SRV.
 156 # Only used if no endpoints are configured manually.
 157 #discoverysrv = example.com
 158 #discoveryservice = foo
 159 
 160 # For url type "etcd": Path to private key, client certificate and CA
 161 # certificate if TLS authentication should be used.
 162 #clientkey = /path/to/etcd-client.key
 163 #clientcert = /path/to/etcd-client.crt
 164 #cacert = /path/to/etcd-ca.crt
 165 
 166 # For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
 167 # watched and assumed to contain a JSON document. The entry "address" from this
 168 # document will be used as proxy URL, other contents in the document will be
 169 # ignored.
 170 #
 171 # Example:
 172 # "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
 173 # "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
 174 #keyprefix = /signaling/proxy/server
 175 
 176 [turn]
 177 # API key that the MCU will need to send when requesting TURN credentials.
 178 #apikey = the-api-key-for-the-rest-service
 179 
 180 # The shared secret to use for generating TURN credentials. This must be the
 181 # same as on the TURN server.
 182 #secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
 183 
 184 # A comma-separated list of TURN servers to use. Leave empty to disable the
 185 # TURN REST API.
 186 #servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
 187 #servers = turn:178.63.149.236:5349?transport=udp,turn:178.63.149.236:5349?transport=tcp
 188 
 189 [geoip]
 190 # License key to use when downloading the MaxMind GeoIP database. You can
 191 # register an account at "https://www.maxmind.com/en/geolite2/signup" for
 192 # free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
 193 # information.
 194 # Leave empty to disable GeoIP lookups.
 195 #license =

Create, enable and start systemd service

   1 install -o root -g signaling -m 0644 \
   2         /opt/nextcloud-spreed-signaling/dist/init/systemd/signaling.service \
   3         /etc/systemd/system/signaling.service
   4 systemctl enable signaling.service
   5 systemctl start signaling.service

Install nginx-light as reverse proxy

   1 aptitude install nginx-light
   2 unlink /etc/nginx/sites-enabled/default

Configure reverse proxy /etc/nginx/sites-available/signaling

   1 server {
   2         # SSL configuration
   3         #
   4         listen 443 ssl default_server;
   5         listen [::]:443 ssl default_server;
   6 
   7         ssl_certificate         /etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem;
   8         ssl_certificate_key     /etc/letsencrypt/live/coturn.rockstable.it/privkey.pem;
   9 
  10         root /var/www/html;
  11 
  12         # Add index.php to the list if you are using PHP
  13         index index.html index.htm index.nginx-debian.html;
  14 
  15         server_name _;
  16 
  17         location / {
  18                 # First attempt to serve request as file, then
  19                 # as directory, then fall back to displaying a 404.
  20                 try_files $uri $uri/ =404;
  21         }
  22 
  23         # deny access to .htaccess files, if Apache's document root
  24         # concurs with nginx's one
  25         #
  26         location ~ /\.ht {
  27                 deny all;
  28         }
  29 
  30         location /standalone-signaling/ {
  31                 proxy_pass http://signaling/;
  32                 proxy_http_version 1.1;
  33                 proxy_set_header Host $host;
  34                 proxy_set_header X-Real-IP $remote_addr;
  35                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  36         }
  37 
  38         location /standalone-signaling/spreed {
  39                 proxy_pass http://signaling/spreed;
  40                 proxy_http_version 1.1;
  41                 proxy_set_header Upgrade $http_upgrade;
  42                 proxy_set_header Connection "Upgrade";
  43                 proxy_set_header Host $host;
  44                 proxy_set_header X-Real-IP $remote_addr;
  45                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  46         }
  47 }

Trouble Shooting Nextcloud Talk

Follow the log

   1 #su - www-data
   2 cd /var/www/html
   3 ./occ log:tail -f |tee /tmp/nc.log

Internal server error after upgrade

After NC Upgrade from 20.0.7 to 20.0.8 "Internal Server Error" and SQL Error "'oc_talk_participants' doesn't exist" · Issue #5324 · nextcloud/spreed - GitHub

Nextcloud shows a HTTP 500 page an the log states

   1 SQLSTATE[42P01]: Undefined table: 7 FEHLER:  Relation »oc_talk_participants« doesn't exist

There is a problem with the migation of the database schema especially table oc_talk_participants to oc_talk_attendees. This did not work out with v10.0.6 and has been fixed in v10.1.3, which cannot be aquired on the usual way with the webinterface. You need to doenload and install the app manually.

Fix it by upgrading the talk app manually.
Nextcloud is installed in /var/www/html in this case (docker).

   1 su www-data
   2 ./occ app:disable spreed
   3 cd /tmp
   4 wget -O https://github.com/nextcloud/spreed/releases/download/v10.1.3/spreed-10.1.3.tar.gz
   5 tar -xzf spreed-10.1.3.tar.gz
   6 mv /var/www/html/spreed/ /tmp/spreed_old; \
   7 mv /tmp/spreed /var/www/html/apps/
   8 ./occ app:enable spreed

Repair Nextcloud

   1 snap run nextcloud.occ maintenance:repair --include-expensive

Default phone region

If you are getting the message, that no default phone region has been set, just add the Wiki EN ISO 3166-1 country code to your configuration.

/var/snap/nextcloud/current/nextcloud/config/config.php

   1 $CONFIG = array (
   2   // DETAILS SKIPPED …
   3   'default_phone_region' => 'DE',
   4 );

A restart/reload should not be necessary.

Collabora Online

About

Collabora Online is a powerful online office suite, which you can integrate into your own infrastructure. We take digital sovereignty seriously and provide you with all the tools to keep your data secure, without compromising on features.
-- https://www.collaboraoffice.com/

Web-interface

Find the webinterface at
https://your-office-domain.example.com/browser/dist/admin/admin.html

Installation and Configuration

Setup DNS names
- label office.rockstable.it with CNAME cloud.rockstable.it
Request certificate with LetsEncrypt on reverse proxy
Install docker
Pull collabora/CODE.
(If you don't want to bind it to the loopback interface
omit 127.0.0.1.)
```
   1 docker pull collabora/code:latest
```

Start collabora/CODE.

CODE 6 (deprecated)

   1 docker run -t -d \
   2         -p 127.0.0.1:9980:9980 \
   3         -e 'domain=cloud\\.rockstable\\.it' \
   4         --restart always \
   5         --cap-add MKNOD \
   6         collabora/code:latest

CODE 7+

   1 read -r ADMIN_USERNAME
   2 read -r ADMIN_PASSWORD
   3 docker run -t -d \
   4         -p 9980:9980 \
   5         -e "aliasgroup1=https://cloud\\.rockstable\\.it" \
   6         -e "username=$ADMIN_USERNAME" \
   7         -e "password=$ADMIN_PASSWORD" \
   8         --restart always \
   9         collabora/code

Setup reverse proxy

CODE 6.4 (deprecated)
/etc/nginx/sites-available/proxy_office_6

   1 ##
   2 # You should look at the following URL's in order to grasp a solid understanding
   3 # of Nginx configuration files in order to fully unleash the power of Nginx.
   4 # https://www.nginx.com/resources/wiki/start/
   5 # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
   6 # https://wiki.debian.org/Nginx/DirectoryStructure
   7 #
   8 # In most cases, administrators will remove this file from sites-enabled/ and
   9 # leave it as reference inside of sites-available where it will continue to be
  10 # updated by the nginx packaging team.
  11 #
  12 # This file will automatically load configuration files provided by other
  13 # applications, such as Drupal or Wordpress. These applications will be made
  14 # available underneath a path with that package name, such as /drupal8.
  15 #
  16 # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
  17 ##
  18 
  19 
  20 upstream office1.1a.rockstable.it {
  21     server office1.1a.rockstable.it:9980;
  22 }
  23 
  24 ## Redirects all HTTP traffic to the HTTPS host
  25 server {
  26   ## Either remove "default_server" from the listen line below,
  27   ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  28   ## to be served if you visit any address that your server responds to, eg.
  29   ## the ip address of the server (http://x.x.x.x/)
  30   listen        0.0.0.0:80;
  31   listen        [::]:80;
  32   server_name   office.rockstable.it; ## Replace this with something like gitlab.example.com
  33   server_tokens off; ## Don't show the nginx version number, a security best practice
  34   # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
  35   return 301    https://$server_name$request_uri;
  36   access_log    /var/log/nginx/proxy_office_access.log;
  37   error_log     /var/log/nginx/proxy_office_error.log;
  38 }
  39 
  40 
  41 # HTTPS host
  42 server {
  43         listen          443 http2 ssl;
  44         #listen         [::]:443 ipv6only=on http2 ssl;
  45 
  46         server_name     office.rockstable.it;
  47         server_tokens   off; ## Don't show the nginx version number, a security best practice
  48 
  49         ## Strong SSL Security
  50         ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  51         ssl on;
  52         ssl_certificate                 /etc/letsencrypt/live/office.rockstable.it/fullchain.pem;
  53         ssl_certificate_key             /etc/letsencrypt/live/office.rockstable.it/privkey.pem;
  54         #ssl_trusted_certificate        /etc/ssl/CAcert/certs/.pem;
  55 
  56         # Backwards compatible ciphers to retain compatibility with Java IDEs
  57         ssl_ciphers                     "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  58         ssl_protocols                   TLSv1.3 TLSv1.2;
  59         ssl_prefer_server_ciphers       on;
  60         ssl_session_cache               shared:SSL:10m;
  61         ssl_session_timeout             1d;
  62 
  63         ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  64         ## Replace with your ssl_trusted_certificate. For more info see:
  65         ## - https://medium.com/devops-programming/4445f4862461
  66         ## - https://www.ruby-forum.com/topic/4419319
  67         ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  68         ssl_stapling on;
  69         ssl_stapling_verify on;
  70         # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  71         # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  72         # resolver_timeout 5s;
  73 
  74         ## [Optional] Generate a stronger DHE parameter:
  75         ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  76         ##
  77         ssl_dhparam /etc/ssl/private/dhparam.pem;
  78 
  79         # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  80         add_header Strict-Transport-Security "max-age=63072000" always;
  81 
  82         ## Individual nginx logs for this GitLab vhost
  83         access_log  /var/log/nginx/proxy_office_access.log;
  84         error_log   /var/log/nginx/proxy_office_error.log;
  85 
  86         #proxy_set_header        Host               $host;
  87         proxy_set_header         Host               $http_host;
  88         proxy_set_header         X-Real-IP          $remote_addr;
  89         proxy_set_header         X-Forwarded-For    $proxy_add_x_forwarded_for;
  90         proxy_set_header         X-Forwarded-Proto  $scheme;
  91         proxy_set_header         X-Forwarded-Ssl    on;
  92 
  93         proxy_set_header         Upgrade            $http_upgrade;
  94         proxy_set_header         Connection         "Upgrade";
  95         proxy_set_header         Host               $http_host;
  96 
  97         #
  98         #proxy_ssl_certificate          /etc/nginx/client.pem;
  99         #proxy_ssl_certificate_key      /etc/nginx/client.key;
 100         #proxy_ssl_trusted_certificate  /etc/nginx/trusted_ca_cert.crt;
 101         #proxy_ssl_verify               on;
 102         #proxy_ssl_verify_depth         2;
 103         proxy_ssl_session_reuse        on;
 104         proxy_ssl_protocols            TLSv1.3 TLSv1.2;
 105         proxy_ssl_ciphers              "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 106 
 107         client_max_body_size 0;
 108         #gzip off;
 109 
 110         ## Some requests take more than 30 seconds.
 111         proxy_read_timeout      300;
 112         proxy_connect_timeout   300;
 113         proxy_redirect          off;
 114 
 115         #proxy_http_version 1.1;
 116 
 117         # static files
 118         location ^~ /loleaflet {
 119                 proxy_pass https://office1.1a.rockstable.it;
 120         }
 121 
 122         # WOPI discovery URL
 123         location ^~ /hosting {
 124                 proxy_pass https://office1.1a.rockstable.it;
 125         }
 126 
 127         # main websocket
 128         location ~ ^/lool/(.*)/ws$ {
 129                 proxy_pass https://office1.1a.rockstable.it;
 130                 proxy_read_timeout 36000s;
 131         }
 132 
 133         # download, presentation and image upload
 134         location ~ ^/lool {
 135                 proxy_pass https://office1.1a.rockstable.it;
 136         }
 137 
 138         # Admin Console websocket
 139         location ^~ /lool/adminws {
 140                 proxy_pass https://office1.1a.rockstable.it;
 141                 proxy_read_timeout 36000s;
 142         }
 143 
 144         # Capabilities
 145         location ^~ /hosting/capabilities {
 146                 proxy_pass https://office1.1a.rockstable.it;
 147         }
 148 }

CODE 7.0+ 21.11
/etc/nginx/sites-available/proxy_office_7

   1 ##
   2 # You should look at the following URL's in order to grasp a solid understanding
   3 # of Nginx configuration files in order to fully unleash the power of Nginx.
   4 # https://www.nginx.com/resources/wiki/start/
   5 # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
   6 # https://wiki.debian.org/Nginx/DirectoryStructure
   7 #
   8 # In most cases, administrators will remove this file from sites-enabled/ and
   9 # leave it as reference inside of sites-available where it will continue to be
  10 # updated by the nginx packaging team.
  11 #
  12 # This file will automatically load configuration files provided by other
  13 # applications, such as Drupal or Wordpress. These applications will be made
  14 # available underneath a path with that package name, such as /drupal8.
  15 #
  16 # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
  17 ##
  18 
  19 
  20 upstream office1.1a.rockstable.it {
  21     server office1.1a.rockstable.it:9980;
  22 }
  23 
  24 ## Redirects all HTTP traffic to the HTTPS host
  25 server {
  26   ## Either remove "default_server" from the listen line below,
  27   ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  28   ## to be served if you visit any address that your server responds to, eg.
  29   ## the ip address of the server (http://x.x.x.x/)
  30   listen        0.0.0.0:80;
  31   listen        [::]:80;
  32   server_name   office.rockstable.it;
  33   server_tokens off; ## Don't show the nginx version number, a security best practice
  34   # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
  35   return 301    https://$server_name$request_uri;
  36   access_log    /var/log/nginx/proxy_office_access.log;
  37   error_log     /var/log/nginx/proxy_office_error.log;
  38 }
  39 
  40 
  41 # HTTPS host
  42 server {
  43         listen          443 http2 ssl;
  44         #listen         [::]:443 ipv6only=on http2 ssl;
  45 
  46         server_name     office.rockstable.it;
  47         server_tokens   off; ## Don't show the nginx version number, a security best practice
  48 
  49         ## Strong SSL Security
  50         ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  51 
  52         ssl_certificate                 /etc/letsencrypt/live/office.rockstable.it/fullchain.pem;
  53         ssl_certificate_key             /etc/letsencrypt/live/office.rockstable.it/privkey.pem;
  54         #ssl_trusted_certificate        /etc/ssl/CAcert/certs/.pem;
  55 
  56         # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  57         ssl_ciphers                     "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  58         ssl_protocols                   TLSv1.3 TLSv1.2;
  59         ssl_prefer_server_ciphers       on;
  60         ssl_session_cache               shared:SSL:10m;
  61         ssl_session_timeout             1d;
  62 
  63         ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  64         ## Replace with your ssl_trusted_certificate. For more info see:
  65         ## - https://medium.com/devops-programming/4445f4862461
  66         ## - https://www.ruby-forum.com/topic/4419319
  67         ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  68         ssl_stapling on;
  69         ssl_stapling_verify on;
  70         # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  71         # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  72         # resolver_timeout 5s;
  73 
  74         ## [Optional] Generate a stronger DHE parameter:
  75         ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  76         ##
  77         ssl_dhparam /etc/ssl/private/dhparam.pem;
  78 
  79         # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  80         add_header Strict-Transport-Security "max-age=63072000" always;
  81 
  82         ## Individual nginx logs for this GitLab vhost
  83         access_log  /var/log/nginx/proxy_office_access.log;
  84         error_log   /var/log/nginx/proxy_office_error.log;
  85 
  86         #proxy_set_header        Host               $host;
  87         proxy_set_header         Host               $http_host;
  88         proxy_set_header         X-Real-IP          $remote_addr;
  89         proxy_set_header         X-Forwarded-For    $proxy_add_x_forwarded_for;
  90         proxy_set_header         X-Forwarded-Proto  $scheme;
  91         proxy_set_header         X-Forwarded-Ssl    on;
  92 
  93         proxy_set_header         Upgrade            $http_upgrade;
  94         proxy_set_header         Connection         "Upgrade";
  95         proxy_set_header         Host               $http_host;
  96 
  97         #
  98         #proxy_ssl_certificate          /etc/nginx/client.pem;
  99         #proxy_ssl_certificate_key      /etc/nginx/client.key;
 100         #proxy_ssl_trusted_certificate  /etc/nginx/trusted_ca_cert.crt;
 101         #proxy_ssl_verify               on;
 102         #proxy_ssl_verify_depth         2;
 103         proxy_ssl_session_reuse        on;
 104         proxy_ssl_protocols            TLSv1.3 TLSv1.2;
 105         proxy_ssl_ciphers              "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 106 
 107         client_max_body_size 0;
 108         #gzip off;
 109 
 110         ## Some requests take more than 30 seconds.
 111         proxy_read_timeout      300;
 112         proxy_connect_timeout   300;
 113         proxy_redirect          off;
 114 
 115         #proxy_http_version 1.1;
 116 
 117         # static files
 118         location ^~ /browser {
 119                 proxy_pass https://office1.1a.rockstable.it;
 120                 proxy_set_header Host $http_host;
 121         }
 122 
 123         # WOPI discovery URL
 124         location ^~ /hosting/discovery {
 125                 proxy_pass https://office1.1a.rockstable.it;
 126                 proxy_set_header Host $http_host;
 127         }
 128 
 129         # Capabilities
 130         location ^~ /hosting/capabilities {
 131                 proxy_pass https://office1.1a.rockstable.it;
 132                 proxy_set_header Host $http_host;
 133         }
 134 
 135         # main websocket
 136         location ~ ^/cool/(.*)/ws$ {
 137                 proxy_pass https://office1.1a.rockstable.it;
 138                 proxy_set_header Upgrade $http_upgrade;
 139                 proxy_set_header Connection "Upgrade";
 140                 proxy_set_header Host $http_host;
 141                 proxy_read_timeout 36000s;
 142         }
 143 
 144         # download, presentation and image upload
 145         location ~ ^/(c|l)ool {
 146                 proxy_pass https://office1.1a.rockstable.it;
 147                 proxy_set_header Host $http_host;
 148         }
 149 
 150         # Admin Console websocket
 151         location ^~ /cool/adminws {
 152                 proxy_pass https://office1.1a.rockstable.it;
 153                 proxy_set_header Upgrade $http_upgrade;
 154                 proxy_set_header Connection "Upgrade";
 155                 proxy_set_header Host $http_host;
 156                 proxy_read_timeout 36000s;
 157         }
 158 }

Download and configure CollaboraOnline App in NextCloud
Done

Update Colabora Online

Load updated image
```
   1 docker pull collabora/code:latest
```
Identify and stop old container
```
   1 docker container ls \
   2         --filter ancestor=collabora/code \
   3         --no-trunc
   4 docker container stop __your_container_name
```
(optionally) Save username and password
1. /etc/default/collabora_code
```
   1 ADMIN_USERNAME="__your_CODEUSER"
   2 ADMIN_PASSWORD="__your_CODEADMINS_STRONG_PASSWORD"
```
2. Set correct permissions
```
   1 chown root:root /etc/default/collabora_code
   2 chmod 640 /etc/default/collabora_code
```

Start new container

   1 #docker network create \
   2 #        --subnet 172.27.0.0/24 \
   3 #        --gateway 172.27.0.1 \
   4 #        --opt com.docker.network.bridge.name=br-collabora \
   5 #        collabora
   6 source /etc/default/collabora_code
   7 #read -r ADMIN_USERNAME
   8 #read -r ADMIN_PASSWORD
   9 docker run -t -d \
  10         --name collabora \
  11         -p 9980:9980 \
  12         -e "aliasgroup1=https://cloud\\.rockstable\\.it" \
  13         -e "username=$ADMIN_USERNAME" \
  14         -e "password=$ADMIN_PASSWORD" \
  15         --restart always \
  16         collabora/code
  17         ### Attach to previously created network,
  18         ### instead of default bridge
  19         #--network collabora \
  20         ### Starts the container with rights required
  21         ### for faster jail creation via bind mount.
  22         #--privileged \
  23

Delete old containers

   1 docker container ls \
   2         --filter status=exited \
   3         --filter ancestor=collabora/code \
   4         --no-trunc
   5 docker container ls \
   6         --filter status=exited \
   7         --filter ancestor=collabora/code \
   8         --format "{{.ID}}" \
   9         |xargs docker container rm

Make sure the admin panel is password protected:
https://office.rockstable.it/browser/dist/admin/admin.html

Have fun!

Trouble Shooting

Polls app loads extremly long

Polls with more than 1000 options also inhibit londing the polls dashboard.

Fix it by deleting huge polls. you could count the the number of options in nextcloud.oc_polls_polls.

In my case I new, which ones to delete.

   1 mysql
   2 use nextcloud
   3 select id,type,title from oc_polls_polls;
   4 delete from oc_polls_polls where id=1;
   5 delete from oc_polls_polls where id=2;

Cannot sync due to invalid modification time

In German:
"Synchronisierung wegen ungültiger Änderungszeit nicht möglich"

github.com nextcloud/desktop Wiki - How to fix the error invalid or negative modification date

For usage with the nextcloud "snap"

   1 data_dir="/var/snap/nextcloud/common/nextcloud/data"
   2 db_type="mysql"
   3 db_host="localhost"
   4 db_user="root"
   5 read db_pwd
   6 db_name="nextcloud"
   7 #action="${7:-list}"
   8 #scan_action="${8:-noscan}"
   9 #use_birthday="${9:-dont_use_birthday}"
  10 #verbose="${10:-noverbose}"
  11 
  12 # Usage: ./solvable_files.sh <data_dir> \
  13 #               <mysql|pgsql> <db_host> <db_user> <db_pwd> <db_name> \
  14 #               <fix,list> <scan,noscan> <use_birthday,dont_use_birthday>
  15 
  16 ### LIST FILES WITH INVALID TIME
  17 ./solvable_files.sh \
  18         "$data_dir" \
  19         "$db_type" "$db_host" \
  20         "$db_user" "$db_pwd" \
  21         "$db_name" \
  22         list
  23 
  24 ### FIX FILES WITH INVALID TIME (TODAY)
  25 ./solvable_files.sh \
  26         "$data_dir" \
  27         "$db_type" "$db_host" \
  28         "$db_user" "$db_pwd" \
  29         "$db_name" \
  30         fix
  31 ### TRIGGER A SCAN OF THE FIXED FILES
  32 ./solvable_files.sh \
  33         "$data_dir" \
  34         "$db_type" "$db_host" \
  35         "$db_user" "$db_pwd" \
  36         "$db_name" \
  37         scan
  38 
  39 ### THE SCAN DID NOT WORK OUT IN MY CASE
  40 ### SO I TRIGGERED THE SCAN WITH
  41 snap run nextcloud.occ files:scan --all

Problem fixed.

nextcloud desktop client hangs

Disable upload bandwidth limit.
[Bug]: setting speed limit causes client hang. #5242

Nextcloud emails are not sent

Nextcloud emails send during polls never arrive.

The following error is shown in
/var/log/mail.log

   1 Jul  5 09:43:51 nextcloud1 postfix/smtpd[589111]: connect from localhost[::1]                                                                          
   2 Jul  5 09:43:51 nextcloud1 postfix/smtpd[589111]: lost connection after STARTTLS from localhost[::1]                                                                                                                                                                                                           
   3 Jul  5 09:43:51 nextcloud1 postfix/smtpd[589111]: disconnect from localhost[::1] ehlo=1 starttls=1 commands=2

Workaround

Nextcloud is configured to relay emails via localhost:25. So this introduces no security issue.

Disable opportunistic TLS in
/etc/postfix/main.cf

   1 #smtpd_use_tls = yes
   2 smtpd_tls_security_level = none

Reload postfix

   1 postfix reload

Try again - works.

I haven't figured out the Nextcloud bug, yet.

Failed to connect to localhost port 8080

The nextcloud heartbeat fails.

The error can be triggered by clicking on Administration > Overview, which starts a selftest.

   1 ConnectException cURL error 7: Failed to connect to localhost port 8080: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://localhost:8080/index.php/heartbeat

Workaround

Use the firewall to mangle the hearbeat packages.

Watch out - Firewalling ahead

Don't lock yourself out.

Install nftables

   1 apt install nftables

The idea is to select the heartbeat packages tightly

   1 21:37:37.925151 IP 127.0.0.1.52378 > 127.0.0.1.8080: Flags [S], seq 4012198676, win 65495, options [mss 65495,sackOK,TS val 396720046 ecr 0,nop,wscale 7], length 0
   2 21:37:37.925158 IP 127.0.0.1.8080 > 127.0.0.1.52378: Flags [R.], seq 0, ack 4012198677, win 0, length 0
   3 21:37:38.312336 IP 127.0.0.1.52382 > 127.0.0.1.8080: Flags [S], seq 1736532941, win 65495, options [mss 65495,sackOK,TS val 396720433 ecr 0,nop,wscale 7], length 0
   4 21:37:38.312344 IP 127.0.0.1.8080 > 127.0.0.1.52382: Flags [R.], seq 0, ack 1736532942, win 0, length 0
   5 21:37:39.273218 IP 127.0.0.1.33410 > 127.0.0.1.8080: Flags [S], seq 176669381, win 65495, options [mss 65495,sackOK,TS val 396721394 ecr 0,nop,wscale 7], length 0
   6 21:37:39.273225 IP 127.0.0.1.8080 > 127.0.0.1.33410: Flags [R.], seq 0, ack 176669382, win 0, length 0
   7 21:37:39.289932 IP 127.0.0.1.33412 > 127.0.0.1.8080: Flags [S], seq 3599050308, win 65495, options [mss 65495,sackOK,TS val 396721411 ecr 0,nop,wscale 7], length 0
   8 21:37:39.289937 IP 127.0.0.1.8080 > 127.0.0.1.33412: Flags [R.], seq 0, ack 3599050309, win 0, length 0
   9 …

From and to localhost
dport 8080
SYN -> RST+ACK

Packages originating on the same host are not subject to routing, and thus are not subject of the chains of type nat, which only offer the NAT statements dnat, redirect, snat, and masquerade. As a workaround the idea is to

alter the inbound (on lo) packages' destination-port from 8080 to 80 and<<BR>
alter the outbound packages' source-port from 80 to 8080

/etc/nftables.conf

   1 #!/usr/sbin/nft -f
   2 
   3 flush ruleset
   4 
   5 #### IFACES
   6 define IF_1A = { "enp1s0" }
   7 define IF_LO = { "lo" }
   8 
   9 #### HOSTS
  10 define LOCALHOST_V4 = 127.0.0.1
  11 
  12 table inet filter {
  13         chain input {
  14                 type filter hook input priority filter; policy drop;
  15                 tcp dport { 22 } accept
  16                 ip protocol icmp accept
  17                 ### SET LOCAL REQUESTS ON DPORT 8080 TO 80
  18                 iifname $IF_LO meta nfproto ipv4 ip daddr $LOCALHOST_V4 ip saddr $LOCALHOST_V4 tcp dport 8080 tcp dport set 80 comment "Redirect NC heartbeat request"
  19                 iifname $IF_LO log prefix "nftables ip filter input " accept;
  20                 iifname $IF_1A ct state established,related accept
  21                 ct state vmap { new: continue, established: accept, related: accept, invalid: drop }
  22                 tcp dport { 80, 443 } accept comment "Allow access to nginx reverse-proxy"
  23                 tcp dport { 9980 } accept comment "Allow docker container"
  24                 log prefix "nftables ip filter input drop: " flags all counter packets 0 bytes 0
  25         }
  26 
  27         chain forward {
  28                 type filter hook forward priority filter; policy accept;
  29                 #log prefix "nftables ip filter forward drop: " flags all counter packets 0 bytes 0
  30         }
  31 
  32         chain output {
  33                 type filter hook output priority filter; policy accept;
  34                 ### RESET LOCAL RESPONSES FROM SPORT 80 TO 8080
  35                 meta nfproto ipv4 ip daddr $LOCALHOST_V4 ip saddr $LOCALHOST_V4 tcp sport 80 tcp sport set 8080 comment "Redirect NC heartbeart response"
  36                 #log prefix "nftables ip filter output accept: " flags all counter packets 0 bytes 0
  37         }
  38         chain prerouting {
  39                 type nat hook prerouting priority 0; policy accept;
  40                 ### REDIRECT REMOTE REQUESTS ON DPORT 8080 TO 80
  41                 #meta nfproto ipv4 tcp dport 8080 redirect to :80
  42                 #meta nfproto ipv4 tcp th tcp dport 8080 dnat to $LOCALHOST_V4:80
  43                 #log prefix "nftables ip nat PREROUTING final " flags all counter packets 0 bytes 0
  44         }
  45 }

Yeah, could be written with more basic chains, but I think you get the point. Actually not a entirly bad firewall-script for a stand-alone nextcloud instance.

Check and apply the configuration

   1 ### CHECK CONFIG
   2 nft -c -f /etc/nftables.conf
   3 ### APPLY CONFIG
   4 nft -f /etc/nftables.conf

These commands may be useful (e.g. in tmux when testing)

   1 tcpdump -i any 'port (8080 or 80)'
   2 tail -f /var/log/kern.log| grep -v DPT=443
   3 LOCALHOST_V4 = 127.0.0.1
   4 while sleep 1; do nc -vzw 1 $LOCALHOST_V4 8080; done

Finally enable the nftables service on boot.

   1 systemctl enable nftables.service
   2 systemctl status nftables.service

Browser freezes and stalls

Close the tab with the nextcloud admininstrative protocol page.

Import and sync contacts and calenders to your mobile

DAVx5

On Android install DAVx⁵ from F-Droid.

If you just click on the link the appointments will imported to a existing calender and no synchronization will happen.

With public links

Open DAVx⁵
Add a new account
1. Chose "Extended Login"
2. Paste the public link to the URL field
3. Leave Username/Password and client certificate unchecked
Withing the new account select caldav and the calender to be be imported.

With a nextcloud account

Open DAVx⁵
Add a new account
1. Chose "Login with URL and Username"
2. Paste the baselink link to the URL field
3. Enter Username and Password
Withing the new account select caldav and the calender to be be imported.

Using Google

The Google Calender App has no Button "Add a new calender". But the web-version has an integrated CalDAV client, which can import and sync the calender with its source and publish it via the Google services to your smartphone.

Well than we also could have used a native Google Calender, right. Privacy aspects are not honored anymore.

nextcloud

About

Resources

Installation

snap

snap logs

snap get and set

List occ config

Set trusted_proxy

Access MySQL-Database

Login on Android App

Nextcloud Client

No Reboot After Installation on Windows

NextCloud Apps

Bruteforce Settings App

NextCloud Talk

WebRTC

Stun and Turn Server

Signaling Server

Candidates

Nextcloud Spreed Signaling

Trouble Shooting Nextcloud Talk

Internal server error after upgrade

Repair Nextcloud

Default phone region

Collabora Online

About

Links

Web-interface

Installation and Configuration

Update Colabora Online

Trouble Shooting

Polls app loads extremly long

Cannot sync due to invalid modification time

nextcloud desktop client hangs

Nextcloud emails are not sent

Workaround

Failed to connect to localhost port 8080

Workaround

Browser freezes and stalls

Import and sync contacts and calenders to your mobile

DAVx5

Using Google