nextcloud
About
Resources
Minimum
- 4 Cores
- 4 GiB RAM
- Fast Storage
- 1x 1Gbit/s NIC
Installation
I chose installation via snap
snap
snap logs
This is the first place to look for the internal state of the application: it shows the journal output of all services inside the snap (add -f to follow it).
snap logs nextcloud
There are more logs at /var/snap/nextcloud/current/logs
ll /var/snap/nextcloud/current/logs/*.log
-rw-r----- 1 root root 5054656 Oct  1 10:27 /var/snap/nextcloud/current/logs/apache_access.log
-rw-r----- 1 root root    3800 Sep 28 11:42 /var/snap/nextcloud/current/logs/apache_errors.log
-rw-r----- 1 root root       0 Sep 26 00:03 /var/snap/nextcloud/current/logs/mysql_errors.log
-rw-r----- 1 root root      56 Sep 26 00:03 /var/snap/nextcloud/current/logs/php-fpm_errors.log
-rw-r----- 1 root root       0 Jun 13 00:04 /var/snap/nextcloud/current/logs/php_errors.log
-rw-r----- 1 root root  541447 Oct  1 10:25 /var/snap/nextcloud/current/logs/redis.log
snap get and set
There are some tunables that can be queried from the CLI with snap get
# snap get nextcloud
Key        Value
mode       production
nextcloud  {...}
php        {...}
ports      {...}
private    {...}
# snap get nextcloud nextcloud
Key                      Value
nextcloud.cron-interval  5m
# snap get nextcloud php
Key               Value
php.memory-limit  512M
# snap get nextcloud ports
Key          Value
ports.http   80
ports.https  443
# snap get nextcloud private
Key                Value
private.mode       production
private.nextcloud  {...}
private.php        {...}
private.ports      {...}
private.snap       {...}
# …
They can also be set with snap set (key=value); the service is restarted by the snap where necessary.
List occ config
With the client
snap run nextcloud.occ config:list | jq . | less -R
Sensitive values (database password, secret, passwordsalt) are masked in this output unless --private is added; treat output produced with --private like the config file itself.
Edit the config with the editor of your choice
Set trusted_proxies
Configuring trusted_proxies correctly is crucial when Nextcloud runs behind a reverse proxy and brute-force protection is enabled. Without it every request carries the proxy's address as remote address, so after a handful of failed logins the proxy, and therefore every client connecting through it, is throttled. List only the proxy's own addresses or subnets: a too-wide entry lets anyone who can reach Nextcloud directly pick their own client address via X-Forwarded-For.
Get current value of trusted_proxies
Set the first value of the array.
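Why an empty or wrong trusted_proxies list throttles everyone is easiest to see with a small model of the address resolution. The script below is an added example and not Nextcloud's code: the throttle is a bare counter standing in for Nextcloud's real brute-force protection, the proxy address 10.0.0.2 and the client addresses are constructed, and the right-to-left walk of X-Forwarded-For is the conservative reading of the header (Nextcloud's own header parsing may differ in detail).

```python
"""Model of how trusted_proxies changes the address that brute-force
throttling keys on. Added example: not Nextcloud's code. The throttle is a
bare counter standing in for Nextcloud's real protection."""
import ipaddress
from collections import Counter


def _parse(addr):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Address attributed to the client for one request.

    The TCP peer (remote_addr) is replaced by an X-Forwarded-For hop only
    when the peer itself is a trusted proxy, so a direct client cannot
    spoof its address by sending the header. The chain is walked from the
    right, skipping trusted hops; the first untrusted one is the client.
    """
    networks = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip):
        return ip is not None and any(ip in net for net in networks)

    if not trusted(_parse(remote_addr)):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            continue  # garbage in the header is ignored, like an absent hop
        if not trusted(ip):
            return hop
    return remote_addr  # no header, or every hop is one of our proxies


def throttled_addresses(failed_logins, trusted_proxies, limit):
    """Which addresses exceed `limit` failed logins, keyed like the throttle."""
    counts = Counter(
        resolve_client_ip(peer, xff, trusted_proxies) for peer, xff in failed_logins
    )
    return {addr for addr, n in counts.items() if n > limit}


# Constructed sample: nginx at 10.0.0.2 (hypothetical address) forwards for
# several clients; 203.0.113.9 fails five times, two others once each, and
# one host connects directly with a forged X-Forwarded-For header.
PROXY = "10.0.0.2"
FAILED_LOGINS = [(PROXY, "203.0.113.9")] * 5 + [
    (PROXY, "198.51.100.4"),
    (PROXY, "198.51.100.5"),
    ("192.0.2.77", "203.0.113.9"),
]

if __name__ == "__main__":
    # Without trusted_proxies every forwarded request is charged to the
    # proxy, which is then throttled, and with it every user behind it.
    print("trusted_proxies empty   ->", throttled_addresses(FAILED_LOGINS, [], 3))
    # With the proxy listed, only the real offender is throttled.
    print("trusted_proxies [proxy] ->", throttled_addresses(FAILED_LOGINS, ["10.0.0.0/24"], 3))
```

Run it once with an empty list and once with the proxy's subnet: in the first case the only throttled address is the proxy itself, in the second it is the single client that actually hammered the login. The direct connection with a forged header is never trusted in either case, which is why the list must stay restricted to the proxy.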
Access MySQL-Database
Write the access tokens to your users client configuration.
Login on Android App
The login on the Android App is probably case sensitive.
Nextcloud Client
Debian has a version in the repo
apt install nextcloud-desktop
There is also an AppImage (and pkg, msi, … for other platforms) that may be used when you need another version than the one in the repository.
The man-page shows the configuration directory.
When the client is not running, you may change the configuration file. This is useful if you want to disable synchronization before startup.
nextcloud.cfg
To get some log output you may start the client like this
No Reboot After Installation on Windows
The Nextcloud client schedules a reboot on upgrade, which is totally annoying.
help.nextcloud.com - Why does the Nextcloud Windows client require a restart each update?
I guess this is motivated by the alternative locking mechanisms in Windows.
But there is a workaround
Nextcloud Client Manual - No Reboot After Installation
The Nextcloud Client schedules a reboot after installation to make sure the Explorer extension is correctly (un)loaded. If you’re taking care of the reboot yourself, you can set the REBOOT property:
msiexec /i Nextcloud-x.y.z-x64.msi REBOOT=ReallySuppress
This will make msiexec exit with error ERROR_SUCCESS_REBOOT_REQUIRED (3010). If your deployment tooling interprets this as an actual error and you want to avoid that, you may want to set the DO_NOT_SCHEDULE_REBOOT instead:
msiexec /i Nextcloud-x.y.z-x64.msi DO_NOT_SCHEDULE_REBOOT="1"
NextCloud Apps
Bruteforce Settings App
Install the "Bruteforce Settings App" to configure an allowlist of IPs and subnets that are exempt from the brute-force protection. Do not use it as a substitute for trusted_proxies: exempting the reverse proxy's address would exempt every client that arrives through the proxy.
NextCloud Talk
WebRTC
WebRTC (Web Real-Time Communication)
Stun and Turn Server
Please refer to this howto matrix#TURN_Server
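The [turn] section of the signaling server's server.conf (further down) carries a secret that "must be the same as on the TURN server". That secret is not a password but the key of the TURN REST API credential scheme (draft-uberti-behave-turn-rest) which coturn implements with use-auth-secret and static-auth-secret. The script below is an added example, not code from coturn or the signaling server: it derives the time-limited username/password pair the way the signaling server hands it to browsers and checks it the way the TURN server does. The secret is the placeholder value from the sample config on this page; user name and timestamps are constructed.

```python
"""Time-limited TURN credentials from the secret shared between the
signaling server ([turn] secret) and coturn (static-auth-secret).
Added example, not coturn's or the signaling server's code."""
import base64
import hashlib
import hmac
import time

# Placeholder secret from the sample server.conf on this page.
SAMPLE_SECRET = "6d1c17a7-c736-4e22-b02c-e2955b7ecc64"


def _mac(secret, username):
    """base64(HMAC-SHA1(secret, username)), the TURN REST API password."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def turn_credentials(secret, user, ttl=86400, now=None):
    """Issuer side: username = "<expiry unix time>:<user>", password = MAC."""
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl}:{user}"
    return username, _mac(secret, username)


def verify_turn_credentials(secret, username, password, now=None):
    """TURN server side, modelled: expired names and wrong MACs are refused.

    The expiry is part of the MAC input, so it cannot be extended without
    the secret; the comparison is constant time.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if expiry <= now:
        return False
    return hmac.compare_digest(_mac(secret, username), password)


if __name__ == "__main__":
    username, password = turn_credentials(SAMPLE_SECRET, "alice", ttl=3600)
    print("username:", username)
    print("password:", password)
    print("valid now:", verify_turn_credentials(SAMPLE_SECRET, username, password))
```

Because every browser gets a credential that expires on its own, a leaked pair is useful only until the timestamp runs out, while a leaked secret lets anyone mint credentials for the relay: keep it out of world-readable config files on both hosts.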
Signaling Server
Candidates
The only supported signaling server is: Nextcloud Spreed Signaling
There are other unsupported systems in the ecosystem (just for the sake of completeness)
Deprecations
- SimpleWebRTC (frozen)
- webRTC.io (no commit since May 2013)
Nextcloud Spreed Signaling
Clone and build
Create group and user
Create config
Adjust config
uncomment listen
sessions.blockkey
sessions.hashkey
https.certificate
https.key
clients.internalsecret
backend.allowed
backend.secret
nats.url !!!
Old version of the /etc/signaling/server.conf
[http]
# IP and port to listen on for HTTP requests.
# Comment line to disable the listener.
listen = 127.0.0.1:8080

# HTTP socket read timeout in seconds.
#readtimeout = 15

# HTTP socket write timeout in seconds.
#writetimeout = 15

[https]
# IP and port to listen on for HTTPS requests.
# Comment line to disable the listener.
#listen = 127.0.0.1:8443

# HTTPS socket read timeout in seconds.
#readtimeout = 15

# HTTPS socket write timeout in seconds.
#writetimeout = 15

# Certificate / private key to use for the HTTPS server.
#certificate = /etc/nginx/ssl/server.crt
certificate = /etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem
#key = /etc/nginx/ssl/server.key
key = /etc/letsencrypt/live/coturn.rockstable.it/privkey.pem

[app]
# Set to "true" to install pprof debug handlers.
# See "https://golang.org/pkg/net/http/pprof/" for further information.
debug = false

[sessions]
# Secret value used to generate checksums of sessions. This should be a random
# string of 32 or 64 bytes.
# The value below is the upstream sample placeholder; replace it with random
# data of the right length (e.g. "openssl rand -hex 16" gives 32 characters).
hashkey = the-secret-for-session-checksums

# Optional key for encrypting data in the sessions. Must be either 16, 24 or
# 32 bytes.
# If no key is specified, data will not be encrypted (not recommended).
blockkey = -encryption-key-

[clients]
# Shared secret for connections from internal clients. This must be the same
# value as configured in the respective internal services.
internalsecret = the-shared-secret-for-internal-clients


[backend]
# Comma-separated list of hostnames that are allowed to be used as backend
# endpoints.
allowed = cloud.rockstable.it,nextcloud1.rockstable.it

# Allow any hostname as backend endpoint. This is extremely insecure and should
# only be used while running the benchmark client against the server.
allowall = false

# Shared secret for requests from and to the backend servers. This must be the
# same value as configured in the Nextcloud admin ui.
secret = the-shared-secret

# Timeout in seconds for requests to the backend.
timeout = 10

# Maximum number of concurrent backend connections per host.
#connectionsperhost = 8
connectionsperhost = 16

# If set to "true", certificate validation of backend endpoints will be skipped.
# This should only be enabled during development, e.g. to work with self-signed
# certificates.
#skipverify = false

[nats]
# Url of NATS backend to use. This can also be a list of URLs to connect to
# multiple backends. For local development, this can be set to ":loopback:"
# to process NATS messages internally instead of sending them through an
# external NATS backend.
#url = nats://localhost:4222
url = :loopback:

[mcu]
# The type of the MCU to use. Currently only "janus" is supported.
type = janus

# The URL to the websocket endpoint of the MCU server. Leave empty to disable
# MCU functionality.
url =

# The maximum bitrate per publishing stream (in bits per second).
# Defaults to 1 mbit/sec.
#maxstreambitrate = 1048576

# The maximum bitrate per screensharing stream (in bits per second).
# Default is 2 mbit/sec.
#maxscreenbitrate = 2097152

[turn]
# API key that the MCU will need to send when requesting TURN credentials.
#apikey = the-api-key-for-the-rest-service

# The shared secret to use for generating TURN credentials. This must be the
# same as on the TURN server.
#secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64

# A comma-separated list of TURN servers to use. Leave empty to disable the
# TURN REST API.
#servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp

[geoip]
# License key to use when downloading the MaxMind GeoIP database. You can
# register an account at "https://www.maxmind.com/en/geolite2/signup" for
# free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
# information.
# Leave empty to disable GeoIP lookups.
#license =
Newer versions use a different backend configuration. Instead of a list of allowed hostnames sharing one common secret, each Nextcloud backend gets its own section with its own URL and secret, and is enabled individually through the backends list. Newer version of the /etc/signaling/server.conf
[http]
# IP and port to listen on for HTTP requests.
# Comment line to disable the listener.
listen = 127.0.0.1:8080

# HTTP socket read timeout in seconds.
#readtimeout = 15

# HTTP socket write timeout in seconds.
#writetimeout = 15

[https]
# IP and port to listen on for HTTPS requests.
# Comment line to disable the listener.
#listen = 127.0.0.1:8443

# HTTPS socket read timeout in seconds.
#readtimeout = 15

# HTTPS socket write timeout in seconds.
#writetimeout = 15

# Certificate / private key to use for the HTTPS server.
#certificate = /etc/nginx/ssl/server.crt
certificate = /etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem
#key = /etc/nginx/ssl/server.key
key = /etc/letsencrypt/live/coturn.rockstable.it/privkey.pem


[app]
# Set to "true" to install pprof debug handlers.
# See "https://golang.org/pkg/net/http/pprof/" for further information.
#debug = false
#debug = true

[sessions]
# Secret value used to generate checksums of sessions. This should be a random
# string of 32 or 64 bytes.
# The value below is the upstream sample placeholder; replace it with random
# data of the right length (e.g. "openssl rand -hex 16" gives 32 characters).
hashkey = the-secret-for-session-checksums

# Optional key for encrypting data in the sessions. Must be either 16, 24 or
# 32 bytes.
# If no key is specified, data will not be encrypted (not recommended).
blockkey = -encryption-key-

[clients]
# Shared secret for connections from internal clients. This must be the same
# value as configured in the respective internal services.
internalsecret = the-shared-secret-for-internal-clients

[backend]
# Comma-separated list of backend ids from which clients are allowed to connect
# from. Each backend will have isolated rooms, i.e. clients connecting to room
# "abc12345" on backend 1 will be in a different room than clients connected to
# a room with the same name on backend 2. Also sessions connected from different
# backends will not be able to communicate with each other.
#backends = backend-id, another-backend
backends = rockstable_nextcloud1, rockstable_cloud

### OLD STYLE
# Comma-separated list of hostnames that are allowed to be used as backend
# endpoints.
#allowed = cloud.rockstable.it,nextcloud1.rockstable.it

# Allow any hostname as backend endpoint. This is extremely insecure and should
# only be used while running the benchmark client against the server.
allowall = false

# Common shared secret for requests from and to the backend servers if
# "allowall" is enabled. This must be the same value as configured in the
# Nextcloud admin ui.
#secret = the-shared-secret

# Timeout in seconds for requests to the backend.
timeout = 10

# Maximum number of concurrent backend connections per host.
#connectionsperhost = 8
connectionsperhost = 16

# If set to "true", certificate validation of backend endpoints will be skipped.
# This should only be enabled during development, e.g. to work with self-signed
# certificates.
#skipverify = false

# Backend configurations as defined in the "[backend]" section above. The
# section names must match the ids used in "backends" above.
[rockstable_nextcloud1]
# URL of the Nextcloud instance
url = https://nextcloud1.rockstable.it/

# Shared secret for requests from and to the backend servers. This must be the
# same value as configured in the Nextcloud admin ui.
secret = the-shared-secret

[rockstable_cloud]
# URL of the Nextcloud instance
url = https://cloud.rockstable.it/

# Shared secret for requests from and to the backend servers. This must be the
# same value as configured in the Nextcloud admin ui.
secret = the-shared-secret

[nats]
# Url of NATS backend to use. This can also be a list of URLs to connect to
# multiple backends. For local development, this can be set to ":loopback:"
# to process NATS messages internally instead of sending them through an
# external NATS backend.
#url = nats://localhost:4222
url = :loopback:

[mcu]
# The type of the MCU to use. Currently only "janus" and "proxy" are supported.
# Leave empty to disable MCU functionality.
#type = janus
type =

# The URL to the websocket endpoint of the MCU server. Leave empty to disable
# MCU functionality.
# For type "janus": the URL to the websocket endpoint of the MCU server.
# For type "proxy": a space-separated list of proxy URLs to connect to.
url =

# The maximum bitrate per publishing stream (in bits per second).
# Defaults to 1 mbit/sec.
#maxstreambitrate = 1048576

# For type "janus": the maximum bitrate per screensharing stream (in bits per
# second).
# Default is 2 mbit/sec.
#maxscreenbitrate = 2097152

# For type "proxy": timeout in seconds for requests to the proxy server.
#proxytimeout = 2

# For type "proxy": type of URL configuration for proxy servers.
# Defaults to "static".
#
# Possible values:
# - static: A space-separated list of proxy URLs is given in the "url" option.
# - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
#urltype = static

# For type "proxy": the id of the token to use when connecting to proxy servers.
#token_id = server1

# For type "proxy": the private key for the configured token id to use when
# connecting to proxy servers.
#token_key = privkey.pem

# For url type "etcd": Comma-separated list of static etcd endpoints to
# connect to.
#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379

# For url type "etcd": Options to perform endpoint discovery through DNS SRV.
# Only used if no endpoints are configured manually.
#discoverysrv = example.com
#discoveryservice = foo

# For url type "etcd": Path to private key, client certificate and CA
# certificate if TLS authentication should be used.
#clientkey = /path/to/etcd-client.key
#clientcert = /path/to/etcd-client.crt
#cacert = /path/to/etcd-ca.crt

# For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
# watched and assumed to contain a JSON document. The entry "address" from this
# document will be used as proxy URL, other contents in the document will be
# ignored.
#
# Example:
# "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
# "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
#keyprefix = /signaling/proxy/server

[turn]
# API key that the MCU will need to send when requesting TURN credentials.
#apikey = the-api-key-for-the-rest-service

# The shared secret to use for generating TURN credentials. This must be the
# same as on the TURN server.
#secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64

# A comma-separated list of TURN servers to use. Leave empty to disable the
# TURN REST API.
#servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
#servers = turn:178.63.149.236:5349?transport=udp,turn:178.63.149.236:5349?transport=tcp

[geoip]
# License key to use when downloading the MaxMind GeoIP database. You can
# register an account at "https://www.maxmind.com/en/geolite2/signup" for
# free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
# information.
# Leave empty to disable GeoIP lookups.
#license =
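The points from the "Adjust config" list above (listen, sessions.blockkey, sessions.hashkey, clients.internalsecret, backend secrets) can be checked offline before the service is started. The script below is an added example and not part of the nextcloud-spreed-signaling project: it parses a server.conf with Python's configparser and flags placeholder secrets, wrong key lengths, allowall, skipverify, pprof debug handlers and listeners that are reachable beyond loopback. Note that the upstream placeholders ("the-secret-for-session-checksums" is 32 bytes, "-encryption-key-" is 16) already satisfy the documented length rules, so a length check alone does not catch them. The two embedded configs are constructed from the sections on this page; the hex keys in the hardened one are made up.

```python
"""Offline sanity check of a nextcloud-spreed-signaling server.conf.
Added example, not part of the signaling project."""
import configparser
import secrets

# Placeholder values shipped in the upstream sample config.
PLACEHOLDERS = {
    "the-secret-for-session-checksums",
    "-encryption-key-",
    "the-shared-secret-for-internal-clients",
    "the-shared-secret",
    "the-api-key-for-the-rest-service",
}
SECRET_KEYS = {"hashkey", "blockkey", "internalsecret", "secret", "apikey"}
LOOPBACK_PREFIXES = ("127.", "[::1]", "localhost")


def truthy(value):
    return value.strip().lower() in {"1", "true", "yes", "on"}


def check_signaling_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cfg.read_string(text)

    def get(section, key):
        return cfg.get(section, key, fallback="").strip()

    problems = []
    hashkey = get("sessions", "hashkey")
    if len(hashkey.encode()) not in (32, 64):
        problems.append("sessions.hashkey must be a 32 or 64 byte string")
    blockkey = get("sessions", "blockkey")
    if not blockkey:
        problems.append("sessions.blockkey unset: session data is stored unencrypted")
    elif len(blockkey.encode()) not in (16, 24, 32):
        problems.append("sessions.blockkey must be 16, 24 or 32 bytes")

    # Placeholders pass the length rules, so look for them by value.
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if key in SECRET_KEYS and value.strip() in PLACEHOLDERS:
                problems.append(f"{section}.{key} still holds the upstream sample placeholder")

    if truthy(get("backend", "allowall")):
        problems.append("backend.allowall=true accepts any host as backend")
    if truthy(get("backend", "skipverify")):
        problems.append("backend.skipverify=true disables TLS verification towards Nextcloud")
    if truthy(get("app", "debug")):
        problems.append("app.debug=true exposes the pprof handlers")
    for section in ("http", "https"):
        listen = get(section, "listen")
        if listen and not listen.startswith(LOOPBACK_PREFIXES):
            problems.append(f"{section}.listen={listen} is reachable beyond loopback; keep it behind the reverse proxy")

    # New-style backends: every id needs its own section with https url and secret.
    for backend_id in (b.strip() for b in get("backend", "backends").split(",") if b.strip()):
        if not cfg.has_section(backend_id):
            problems.append(f"backend '{backend_id}' is listed but has no [{backend_id}] section")
            continue
        if not get(backend_id, "url").startswith("https://"):
            problems.append(f"[{backend_id}] url is not https://")
        if not get(backend_id, "secret"):
            problems.append(f"[{backend_id}] has no secret")
    return problems


def new_secrets():
    """Fresh values that satisfy the length rules, ready to paste into server.conf."""
    return {
        "hashkey": secrets.token_hex(32),       # 64 ASCII bytes
        "blockkey": secrets.token_hex(16),      # 32 ASCII bytes
        "internalsecret": secrets.token_hex(32),
    }


# Constructed from the new-style config on this page, placeholders left in.
SAMPLE_CONF = """
[http]
listen = 127.0.0.1:8080

[app]
debug = false

[sessions]
hashkey = the-secret-for-session-checksums
blockkey = -encryption-key-

[clients]
internalsecret = the-shared-secret-for-internal-clients

[backend]
backends = rockstable_nextcloud1
allowall = false
timeout = 10

[rockstable_nextcloud1]
url = https://nextcloud1.rockstable.it/
secret = the-shared-secret

[nats]
url = :loopback:
"""

# Same layout with made-up random values of the documented lengths.
HARDENED_CONF = (
    SAMPLE_CONF
    .replace("the-secret-for-session-checksums", "7c1e0b6d9a4f2e8c5b3d1a9f6e0c4b2d8a7e5f3c1b9d0e6a4c2f8b7d5e3a1c9f")
    .replace("-encryption-key-", "3e8d1c7b5a9f0e2d4c6b8a1f3e5d7c9b")
    .replace("the-shared-secret-for-internal-clients", "K7v2mQ9xLp4sRt8wZc1nBf6hJd3gYe5u")
    .replace("the-shared-secret", "Ns4qWm8zXr2vPk6tLj9hGf3dCb7yUa1e")
)

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_signaling_config(conf) or "ok")
    print(new_secrets())
```

Point it at the real file with check_signaling_config(open("/etc/signaling/server.conf").read()). The listener check is deliberately strict: the signaling server on this page sits behind nginx, so anything other than a loopback address on http.listen or https.listen means the unauthenticated WebSocket endpoint is exposed twice.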
Create, enable and start systemd service
Install nginx-light as reverse proxy
Configure reverse proxy /etc/nginx/sites-available/signaling
# proxy_pass below refers to an upstream named "signaling"; it needs a matching
# upstream block (not shown on this page) pointing at the http.listen address
# from server.conf.
server {
    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate /etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/coturn.rockstable.it/privkey.pem;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }

    location /standalone-signaling/ {
        proxy_pass http://signaling/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /standalone-signaling/spreed {
        proxy_pass http://signaling/spreed;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Trouble Shooting Nextcloud Talk
Follow the log
Internal server error after upgrade
Nextcloud shows an HTTP 500 page and the log states
SQLSTATE[42P01]: Undefined table: 7 ERROR: relation "oc_talk_participants" does not exist
The database schema migration, specifically from table oc_talk_participants to oc_talk_attendees, did not go through with Talk v10.0.6. It is fixed in v10.1.3, which cannot be obtained the usual way through the web interface; you need to download and install the app manually.
Fix it by upgrading the Talk app manually.
Nextcloud is installed in /var/www/html in this case (docker).
Repair Nextcloud
snap run nextcloud.occ maintenance:repair --include-expensive
Default phone region
If you get the message that no default phone region has been set, add the ISO 3166-1 alpha-2 country code of your region (e.g. DE) as default_phone_region to your configuration.
/var/snap/nextcloud/current/nextcloud/config/config.php
A restart/reload should not be necessary.
Collabora Online
About
- Collabora Online is a powerful online office suite, which you can integrate into your own infrastructure. We take digital sovereignty seriously and provide you with all the tools to keep your data secure, without compromising on features.
Links
Web-interface
Find the web interface at
https://your-office-domain.example.com/browser/dist/admin/admin.html
Installation and Configuration
- Setup DNS names: label office.rockstable.it with CNAME cloud.rockstable.it
- Request certificate with LetsEncrypt on reverse proxy
- Install docker
- Pull collabora/CODE:
docker pull collabora/code:latest
- Start collabora/CODE (the run command is shown in the update section below). Publish the port as 127.0.0.1:9980:9980 if only a reverse proxy on the same host should reach it; omit the 127.0.0.1 if you don't want to bind it to the loopback interface.
  - CODE 6 (deprecated)
  - CODE 7+
- Setup reverse proxy
CODE 6.4 (deprecated)
/etc/nginx/sites-available/proxy_office_6
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##


upstream office1.1a.rockstable.it {
    server office1.1a.rockstable.it:9980;
}

## Redirects all HTTP traffic to the HTTPS host
server {
    ## Either remove "default_server" from the listen line below,
    ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
    ## to be served if you visit any address that your server responds to, eg.
    ## the ip address of the server (http://x.x.x.x/)
    listen 0.0.0.0:80;
    listen [::]:80;
    server_name office.rockstable.it; ## Replace this with something like gitlab.example.com
    server_tokens off; ## Don't show the nginx version number, a security best practice
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$server_name$request_uri;
    access_log /var/log/nginx/proxy_office_access.log;
    error_log /var/log/nginx/proxy_office_error.log;
}


# HTTPS host
server {
    listen 443 http2 ssl;
    #listen [::]:443 ipv6only=on http2 ssl;

    server_name office.rockstable.it;
    server_tokens off; ## Don't show the nginx version number, a security best practice

    ## Strong SSL Security
    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
    # "ssl on" is deprecated since nginx 1.15.0 (removed in 1.25.1); the "ssl"
    # parameter on the listen line above is sufficient.
    ssl on;
    ssl_certificate /etc/letsencrypt/live/office.rockstable.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.rockstable.it/privkey.pem;
    #ssl_trusted_certificate /etc/ssl/CAcert/certs/.pem;

    # Backwards compatible ciphers to retain compatibility with Java IDEs
    # (GitLab template). DES-CBC3-SHA (3DES) and the non-ECDHE AES suites have
    # no forward secrecy; drop them unless a legacy client actually needs them.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
    ## Replace with your ssl_trusted_certificate. For more info see:
    ## - https://medium.com/devops-programming/4445f4862461
    ## - https://www.ruby-forum.com/topic/4419319
    ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
    # resolver_timeout 5s;

    ## [Optional] Generate a stronger DHE parameter:
    ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ##
    ssl_dhparam /etc/ssl/private/dhparam.pem;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    ## Individual nginx logs for this GitLab vhost
    access_log /var/log/nginx/proxy_office_access.log;
    error_log /var/log/nginx/proxy_office_error.log;

    #proxy_set_header Host $host;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;

    #
    # With proxy_ssl_verify left off, the certificate of the CODE backend is
    # not checked; enable the three lines below if the backend is on another host.
    #proxy_ssl_certificate /etc/nginx/client.pem;
    #proxy_ssl_certificate_key /etc/nginx/client.key;
    #proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
    #proxy_ssl_verify on;
    #proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;
    proxy_ssl_protocols TLSv1.3 TLSv1.2;
    proxy_ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    client_max_body_size 0;
    #gzip off;

    ## Some requests take more than 30 seconds.
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;

    # nginx documents proxy_http_version 1.1 as required for WebSocket upgrades.
    #proxy_http_version 1.1;

    # static files
    location ^~ /loleaflet {
        proxy_pass https://office1.1a.rockstable.it;
    }

    # WOPI discovery URL
    location ^~ /hosting {
        proxy_pass https://office1.1a.rockstable.it;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://office1.1a.rockstable.it;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://office1.1a.rockstable.it;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://office1.1a.rockstable.it;
        proxy_read_timeout 36000s;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://office1.1a.rockstable.it;
    }
}
CODE 7.0+ (21.11)
/etc/nginx/sites-available/proxy_office_7
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##


upstream office1.1a.rockstable.it {
    server office1.1a.rockstable.it:9980;
}

## Redirects all HTTP traffic to the HTTPS host
server {
    ## Either remove "default_server" from the listen line below,
    ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
    ## to be served if you visit any address that your server responds to, eg.
    ## the ip address of the server (http://x.x.x.x/)
    listen 0.0.0.0:80;
    listen [::]:80;
    server_name office.rockstable.it;
    server_tokens off; ## Don't show the nginx version number, a security best practice
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$server_name$request_uri;
    access_log /var/log/nginx/proxy_office_access.log;
    error_log /var/log/nginx/proxy_office_error.log;
}


# HTTPS host
server {
    listen 443 http2 ssl;
    #listen [::]:443 ipv6only=on http2 ssl;

    server_name office.rockstable.it;
    server_tokens off; ## Don't show the nginx version number, a security best practice

    ## Strong SSL Security
    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/

    ssl_certificate /etc/letsencrypt/live/office.rockstable.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.rockstable.it/privkey.pem;
    #ssl_trusted_certificate /etc/ssl/CAcert/certs/.pem;

    # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
    # (list taken from the GitLab template). DES-CBC3-SHA (3DES) and the non-ECDHE
    # AES suites have no forward secrecy; drop them unless a legacy client needs them.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
    ## Replace with your ssl_trusted_certificate. For more info see:
    ## - https://medium.com/devops-programming/4445f4862461
    ## - https://www.ruby-forum.com/topic/4419319
    ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
    # resolver_timeout 5s;

    ## [Optional] Generate a stronger DHE parameter:
    ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ##
    ssl_dhparam /etc/ssl/private/dhparam.pem;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    ## Individual nginx logs for this GitLab vhost
    access_log /var/log/nginx/proxy_office_access.log;
    error_log /var/log/nginx/proxy_office_error.log;

    #proxy_set_header Host $host;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;

    #
    # With proxy_ssl_verify left off, the certificate of the CODE backend is
    # not checked; enable the three lines below if the backend is on another host.
    #proxy_ssl_certificate /etc/nginx/client.pem;
    #proxy_ssl_certificate_key /etc/nginx/client.key;
    #proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
    #proxy_ssl_verify on;
    #proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;
    proxy_ssl_protocols TLSv1.3 TLSv1.2;
    proxy_ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    client_max_body_size 0;
    #gzip off;

    ## Some requests take more than 30 seconds.
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;

    # nginx documents proxy_http_version 1.1 as required for WebSocket upgrades.
    #proxy_http_version 1.1;

    # static files
    location ^~ /browser {
        proxy_pass https://office1.1a.rockstable.it;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://office1.1a.rockstable.it;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://office1.1a.rockstable.it;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/cool/(.*)/ws$ {
        proxy_pass https://office1.1a.rockstable.it;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/(c|l)ool {
        proxy_pass https://office1.1a.rockstable.it;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /cool/adminws {
        proxy_pass https://office1.1a.rockstable.it;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}
Download and configure CollaboraOnline App in NextCloud
- Done
Update Collabora Online
- Load updated image
1 docker pull collabora/code:latest
- Identify and stop old container
- (optionally) Save username and password
/etc/default/collabora_code
- Set correct permissions
- Start new container
#docker network create \
#  --subnet 172.27.0.0/24 \
#  --gateway 172.27.0.1 \
#  --opt com.docker.network.bridge.name=br-collabora \
#  collabora
source /etc/default/collabora_code
#read -r ADMIN_USERNAME
#read -r ADMIN_PASSWORD
docker run -t -d \
  --name collabora \
  -p 9980:9980 \
  -e "aliasgroup1=https://cloud\\.rockstable\\.it" \
  -e "username=$ADMIN_USERNAME" \
  -e "password=$ADMIN_PASSWORD" \
  --restart always \
  collabora/code
  ### Attach to previously created network,
  ### instead of default bridge
  #--network collabora \
  ### Starts the container with rights required
  ### for faster jail creation via bind mount.
  #--privileged \
- Delete old containers
Make sure the admin panel is password protected:
https://office.rockstable.it/browser/dist/admin/admin.html
Have fun!
Trouble Shooting
Cannot sync due to invalid modification time
In German:
"Synchronisierung wegen ungültiger Änderungszeit nicht möglich"
For usage with the nextcloud "snap"
data_dir="/var/snap/nextcloud/common/nextcloud/data"
db_type="mysql"
db_host="localhost"
db_user="root"
# The database password is read from stdin; -s keeps it out of the terminal echo.
read -r -s db_pwd
db_name="nextcloud"
#action="${7:-list}"
#scan_action="${8:-noscan}"
#use_birthday="${9:-dont_use_birthday}"
#verbose="${10:-noverbose}"

# Usage: ./solvable_files.sh <data_dir> \
# <mysql|pgsql> <db_host> <db_user> <db_pwd> <db_name> \
# <fix,list> <scan,noscan> <use_birthday,dont_use_birthday>

### LIST FILES WITH INVALID TIME
./solvable_files.sh \
  "$data_dir" \
  "$db_type" "$db_host" \
  "$db_user" "$db_pwd" \
  "$db_name" \
  list

### FIX FILES WITH INVALID TIME (TODAY)
./solvable_files.sh \
  "$data_dir" \
  "$db_type" "$db_host" \
  "$db_user" "$db_pwd" \
  "$db_name" \
  fix
### TRIGGER A SCAN OF THE FIXED FILES
### NOTE: according to the usage line above, scan/noscan is the 8th
### argument (after fix/list); here "scan" is passed in the 7th position.
./solvable_files.sh \
  "$data_dir" \
  "$db_type" "$db_host" \
  "$db_user" "$db_pwd" \
  "$db_name" \
  scan

### THE SCAN DID NOT WORK OUT IN MY CASE
### SO I TRIGGERED THE SCAN WITH
snap run nextcloud.occ files:scan --all
Problem fixed.
nextcloud desktop client hangs
Disable upload bandwidth limit.
[Bug]: setting speed limit causes client hang. #5242
Nextcloud emails are not sent
Nextcloud emails sent during polls never arrive.
The following error is shown in
/var/log/mail.log
Workaround
Nextcloud is configured to relay emails via localhost:25, so the unencrypted hop stays on the loopback interface and this introduces no security issue.
Disable opportunistic TLS in
/etc/postfix/main.cf
Reload postfix
postfix reload
Try again - works.
I haven't figured out the Nextcloud bug, yet.
Failed to connect to localhost port 8080
The nextcloud heartbeat fails.
The error can be triggered by clicking on Administration > Overview, which starts a selftest.
ConnectException cURL error 7: Failed to connect to localhost port 8080: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://localhost:8080/index.php/heartbeat
Workaround
Use the firewall to mangle the heartbeat packets.
Watch out - Firewalling ahead
Don't lock yourself out.
Install nftables
apt install nftables
The idea is to match the heartbeat packets as tightly as possible:
21:37:37.925151 IP 127.0.0.1.52378 > 127.0.0.1.8080: Flags [S], seq 4012198676, win 65495, options [mss 65495,sackOK,TS val 396720046 ecr 0,nop,wscale 7], length 0
21:37:37.925158 IP 127.0.0.1.8080 > 127.0.0.1.52378: Flags [R.], seq 0, ack 4012198677, win 0, length 0
21:37:38.312336 IP 127.0.0.1.52382 > 127.0.0.1.8080: Flags [S], seq 1736532941, win 65495, options [mss 65495,sackOK,TS val 396720433 ecr 0,nop,wscale 7], length 0
21:37:38.312344 IP 127.0.0.1.8080 > 127.0.0.1.52382: Flags [R.], seq 0, ack 1736532942, win 0, length 0
21:37:39.273218 IP 127.0.0.1.33410 > 127.0.0.1.8080: Flags [S], seq 176669381, win 65495, options [mss 65495,sackOK,TS val 396721394 ecr 0,nop,wscale 7], length 0
21:37:39.273225 IP 127.0.0.1.8080 > 127.0.0.1.33410: Flags [R.], seq 0, ack 176669382, win 0, length 0
21:37:39.289932 IP 127.0.0.1.33412 > 127.0.0.1.8080: Flags [S], seq 3599050308, win 65495, options [mss 65495,sackOK,TS val 396721411 ecr 0,nop,wscale 7], length 0
21:37:39.289937 IP 127.0.0.1.8080 > 127.0.0.1.33412: Flags [R.], seq 0, ack 3599050309, win 0, length 0
…
- From and to localhost
- dport 8080
- SYN -> RST+ACK
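As an added example (not part of the original page), a small Python parser that checks a tcpdump capture like the one above for exactly this signature, a SYN to 127.0.0.1:8080 answered with RST+ACK, so the failure can be confirmed before the firewall workaround and its absence verified afterwards. The sample lines are constructed, modelled on the capture shown.

```python
import re

# Constructed sample in tcpdump's default output format, modelled on the
# capture above: every SYN to 127.0.0.1:8080 is answered with RST+ACK.
SAMPLE_REFUSED = """\
21:37:37.925151 IP 127.0.0.1.52378 > 127.0.0.1.8080: Flags [S], seq 4012198676, win 65495, length 0
21:37:37.925158 IP 127.0.0.1.8080 > 127.0.0.1.52378: Flags [R.], seq 0, ack 4012198677, win 0, length 0
21:37:38.312336 IP 127.0.0.1.52382 > 127.0.0.1.8080: Flags [S], seq 1736532941, win 65495, length 0
21:37:38.312344 IP 127.0.0.1.8080 > 127.0.0.1.52382: Flags [R.], seq 0, ack 1736532942, win 0, length 0
"""

# Constructed sample of a healthy heartbeat: SYN, SYN-ACK, ACK.
SAMPLE_OK = """\
21:40:01.000001 IP 127.0.0.1.40000 > 127.0.0.1.8080: Flags [S], seq 1, win 65495, length 0
21:40:01.000002 IP 127.0.0.1.8080 > 127.0.0.1.40000: Flags [S.], seq 2, ack 2, win 65483, length 0
21:40:01.000003 IP 127.0.0.1.40000 > 127.0.0.1.8080: Flags [.], ack 3, win 512, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Split one tcpdump TCP/IPv4 line into addresses, ports and flags; None otherwise."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def refused_connections(capture, host="127.0.0.1", port=8080):
    """Client ports whose SYN to host:port was answered with RST (connection refused),
    in order of appearance. A SYN answered with SYN-ACK counts as a healthy connection."""
    state = {}  # client port -> "syn" | "open" | "refused"
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        # client -> server: a bare SYN (no ACK bit, so not a SYN-ACK) opens an attempt
        if p["dst"] == host and p["dport"] == port and p["flags"] == "S":
            state.setdefault(p["sport"], "syn")
        # server -> client: RST means refused, SYN-ACK means the port is listening
        elif p["src"] == host and p["sport"] == port and p["dport"] in state:
            if "R" in p["flags"]:
                state[p["dport"]] = "refused"
            elif p["flags"] == "S.":
                state[p["dport"]] = "open"
    return [cport for cport, s in state.items() if s == "refused"]
```

Feed it the output of `tcpdump -ni lo tcp port 8080`; an empty result after applying the nftables rules below means the heartbeat is no longer refused.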
Packets originating on the same host are not routed, and thus are not subject to the chains of type nat, which alone offer the NAT statements dnat, redirect, snat and masquerade. As a workaround the idea is to
- alter the inbound (on lo) packets' destination port from 8080 to 80 and
- alter the outbound packets' source port from 80 to 8080
/etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

#### IFACES
define IF_1A = { "enp1s0" }
define IF_LO = { "lo" }

#### HOSTS
define LOCALHOST_V4 = 127.0.0.1

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        tcp dport { 22 } accept
        ip protocol icmp accept
        ### SET LOCAL REQUESTS ON DPORT 8080 TO 80
        iifname $IF_LO meta nfproto ipv4 ip daddr $LOCALHOST_V4 ip saddr $LOCALHOST_V4 tcp dport 8080 tcp dport set 80 comment "Redirect NC heartbeat request"
        iifname $IF_LO log prefix "nftables ip filter input " accept;
        iifname $IF_1A ct state established,related accept
        ct state vmap { new: continue, established: accept, related: accept, invalid: drop }
        tcp dport { 80, 443 } accept comment "Allow access to nginx reverse-proxy"
        tcp dport { 9980 } accept comment "Allow docker container"
        log prefix "nftables ip filter input drop: " flags all counter packets 0 bytes 0
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        #log prefix "nftables ip filter forward drop: " flags all counter packets 0 bytes 0
    }

    chain output {
        type filter hook output priority filter; policy accept;
        ### RESET LOCAL RESPONSES FROM SPORT 80 TO 8080
        meta nfproto ipv4 ip daddr $LOCALHOST_V4 ip saddr $LOCALHOST_V4 tcp sport 80 tcp sport set 8080 comment "Redirect NC heartbeat response"
        #log prefix "nftables ip filter output accept: " flags all counter packets 0 bytes 0
    }
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        ### REDIRECT REMOTE REQUESTS ON DPORT 8080 TO 80
        #meta nfproto ipv4 tcp dport 8080 redirect to :80
        #meta nfproto ipv4 tcp th tcp dport 8080 dnat to $LOCALHOST_V4:80
        #log prefix "nftables ip nat PREROUTING final " flags all counter packets 0 bytes 0
    }
}
Yeah, it could be written with more basic chains, but I think you get the point. Actually not an entirely bad firewall script for a stand-alone Nextcloud instance.
Check and apply the configuration
These commands may be useful (e.g. in tmux when testing)
Finally enable the nftables service on boot.
Browser freezes and stalls
Close the browser tab showing the Nextcloud administration log page.
Import and sync contacts and calendars to your mobile
DAVx5
On Android install DAVx⁵ from F-Droid.
If you just click on the link, the appointments will be imported into an existing calendar and no synchronization will happen.
With public links
Open DAVx5
- Add a new account
- Choose "Extended Login"
- Paste the public link into the URL field
- Leave Username/Password and client certificate unchecked
- Within the new account select CalDAV and the calendar to be imported.
With a nextcloud account
Open DAVx5
- Add a new account
- Choose "Login with URL and Username"
- Paste the base link into the URL field
- Enter Username and Password
- Within the new account select CalDAV and the calendar to be imported.
Using Google
The Google Calendar app has no button "Add a new calendar". But the web version has an integrated CalDAV client, which can import and sync the calendar with its source and publish it via the Google services to your smartphone.
Well, then we could also have used a native Google Calendar, right? Privacy aspects are not honored anymore.