Nextcloud, NGINX 1.15.9, OpenSSL 1.1.1 and TLS 1.3


This guide builds on the initial Nextcloud installation guide. Following it you harden your Nextcloud server (AMD64/ARM64) further by building NGINX 1.15.9 against OpenSSL 1.1.1 and adding TLS 1.3 to your SSL configuration, as simply as follows:


Preparation

sudo -s
cd /usr/local/src
wget http://nginx.org/keys/nginx_signing.key && apt-key add nginx_signing.key
vi /etc/apt/sources.list

The signing key is fetched over plain HTTP, so before you trust it compare the downloaded key's fingerprint with the one published at https://nginx.org/en/linux_packages.html. Then add the following two rows (the deb-src row is what makes apt source nginx work later on):

UBUNTU:
deb http://nginx.org/packages/mainline/ubuntu/ bionic nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ bionic nginx

DEBIAN:
deb http://nginx.org/packages/mainline/debian/ stretch nginx
deb-src http://nginx.org/packages/mainline/debian/ stretch nginx


OpenSSL

Then update the package lists, fetch the NGINX source package and clone the OpenSSL source:

apt update
mkdir /usr/local/src/nginx && cd /usr/local/src/nginx/
apt install dpkg-dev -y && apt source nginx
cd /usr/local/src && apt install git -y
git clone https://github.com/openssl/openssl.git
cd openssl && git branch -a

git checkout OpenSSL_1_1_1-stable

This checks out the head of the 1.1.1 maintenance branch rather than a numbered release, so note the commit you build from. If you want a build that corresponds to a published release, check out the matching release tag instead of the branch.


NGINX

Now prepare your NGINX package. Open the rules file

vi /usr/local/src/nginx/nginx-1.15.9/debian/rules

a) add the following option to both ./configure invocations (the rules file builds a debug and a normal binary, so the option is needed twice). Type the two leading hyphens literally: a copied en or em dash makes ./configure abort with "invalid option".

--with-openssl=/usr/local/src/openssl

b) change

dh_shlibdeps -a

to

dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info

so that dpkg-shlibdeps does not fail when it finds no dependency information for a linked shared library.

To keep compiler warnings from aborting the build, comment out the -Werror line in the gcc settings:

vi /usr/local/src/nginx/nginx-1.15.9/auto/cc/gcc
#CFLAGS="$CFLAGS -Werror"
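The three edits above, as a scripted version that can be repeated for every new NGINX release. This is an added example and not part of the original guide or of the nginx.org packaging; it assumes that each ./configure line in debian/rules contains --with-http_ssl_module exactly once (one for the debug build, one for the normal build), that dh_shlibdeps -a stands on its own line, that auto/cc/gcc still carries the unmodified -Werror line, and that the OpenSSL tree lives in /usr/local/src/openssl.

```shell
#!/bin/sh
# Added example, not from the original guide: applies the debian/rules and
# auto/cc/gcc edits with sed instead of vi. Assumptions (see lead-in): two
# ./configure lines each carrying --with-http_ssl_module once, dh_shlibdeps -a
# on its own line, and OpenSSL checked out in /usr/local/src/openssl.
set -u

OPENSSL_SRC=/usr/local/src/openssl

# Edit a file in place without relying on GNU sed's -i option.
_sed_inplace() {
    script=$1; file=$2
    sed "$script" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# a) add --with-openssl to both ./configure lines, b) relax dh_shlibdeps.
# Idempotent: running it a second time changes nothing.
patch_rules() {
    rules=$1
    if ! grep -q -- "--with-openssl=$OPENSSL_SRC" "$rules"; then
        _sed_inplace "s|--with-http_ssl_module|--with-http_ssl_module --with-openssl=$OPENSSL_SRC|g" "$rules"
    fi
    _sed_inplace 's|^\([[:space:]]*dh_shlibdeps -a\)[[:space:]]*$|\1 --dpkg-shlibdeps-params=--ignore-missing-info|' "$rules"
}

# Comment out the -Werror line so a compiler warning does not abort the build.
disable_werror() {
    _sed_inplace 's|^CFLAGS="\$CFLAGS -Werror"|#&|' "$1"
}

# Sanity check before dpkg-buildpackage: the guide expects the option exactly
# twice (once per ./configure line). Prints the count.
count_with_openssl() {
    grep -c -- "--with-openssl=$OPENSSL_SRC" "$1"
}

# Typical use on the unpacked source tree (uncomment on a real system):
# patch_rules /usr/local/src/nginx/nginx-1.15.9/debian/rules
# disable_werror /usr/local/src/nginx/nginx-1.15.9/auto/cc/gcc
# count_with_openssl /usr/local/src/nginx/nginx-1.15.9/debian/rules   # expect 2
```

Run count_with_openssl before you start the build: a result other than 2 means the rules file does not look like the one this guide assumes, and you should inspect the ./configure lines by hand.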

Change your directory back and start compiling NGINX:

cd /usr/local/src/nginx/nginx-1.15.9/
apt build-dep nginx -y && dpkg-buildpackage -b

The following final message can be ignored. It only means that the .buildinfo file could not be GPG-signed with the packager's key; the .deb files are complete (alternatively, pass -us -uc to dpkg-buildpackage to skip signing):

"dpkg-buildpackage: error: failed to sign .buildinfo file"

Remove any existing NGINX installation:

apt remove nginx nginx-common nginx-full -y --allow-change-held-packages
cd /usr/local/src/nginx/

Install the newly built NGINX:

dpkg -i nginx_1.15.9*.deb

If the service is masked, unmask it:

systemctl unmask nginx

Start NGINX

service nginx restart

and prevent NGINX from being replaced by the repository package on the next upgrade:

apt-mark hold nginx

Keep in mind what the hold implies: OpenSSL is compiled into this binary, so neither an apt upgrade of libssl nor of the nginx package reaches it. When NGINX or OpenSSL publish a security fix, repeat this guide with the new sources and reinstall the package.

Issue

nginx -V

and you will find information about your new NGINX. Check that it reports "built with OpenSSL 1.1.1" and that the configure arguments contain --with-openssl=/usr/local/src/openssl; otherwise the old binary or the distribution's OpenSSL library is still in use.


TLS 1.3

Now open your Nextcloud ssl.conf and extend it for TLS 1.3:

vi /etc/nginx/ssl.conf

Change ssl_protocols to

ssl_protocols TLSv1.2 TLSv1.3;

This is the change that actually switches TLS 1.3 on. With OpenSSL 1.1.1 the three TLS 1.3 cipher suites (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256) are enabled by default and are configured through a separate OpenSSL API that ssl_ciphers does not reach; NGINX 1.15.9 has no directive for it. You can still prefix "TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:" to your current ciphers. OpenSSL accepts the line because it silently ignores names it does not know, but these entries change nothing; the TLS 1.2 suites that follow them remain your effective cipher list:

ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:...

More secure but less compatible (the 128-bit suite name omitted):

ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:...

Because the TLS 1.3 names are not evaluated, both lines behave identically for TLS 1.3 clients; the "more secure but less compatible" trade-off only applies to what you keep in the TLS 1.2 part of the list after the ellipsis.

Restart your NGINX

service nginx restart

and test your Nextcloud server for TLS 1.3, for example in Firefox ≥ 63.0 or Chrome ≥ 70, which show the negotiated protocol version in the page information.
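A set of checks for the build and configuration steps above, offline where possible. This is an added example and not part of the original guide: it assumes that the output of nginx -V and the contents of ssl.conf are passed in as text, that the OpenSSL source lives in /usr/local/src/openssl, and that the live probe is run with an OpenSSL 1.1.1 s_client, since older clients cannot request TLS 1.3.

```shell
#!/bin/sh
# Added example, not from the original guide: verifies that the new binary and
# the ssl.conf really give you TLS 1.3. Assumptions (see lead-in): nginx -V output
# and ssl.conf contents are passed as text; OpenSSL source in /usr/local/src/openssl;
# the live probe needs an OpenSSL 1.1.1 s_client and network access.
set -u

# 1) The binary must report OpenSSL 1.1.1 and the --with-openssl source path;
#    anything else means the distribution package or the old libssl is in use.
check_nginx_build() {
    printf '%s\n' "$1" | grep -q 'built with OpenSSL 1\.1\.1' || return 1
    printf '%s\n' "$1" | grep -q -- '--with-openssl=/usr/local/src/openssl' || return 1
}

# 2) ssl_protocols must list TLSv1.3 and must not re-enable SSLv3, TLSv1 or TLSv1.1.
#    Comments are stripped first so a commented-out line does not count.
check_ssl_protocols() {
    line=$(printf '%s\n' "$1" | sed 's/#.*//' | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -q 'TLSv1\.3' || return 1
    if printf '%s\n' "$line" | grep -Eq 'SSLv3|TLSv1[[:space:];]|TLSv1\.1[[:space:];]'; then
        return 1
    fi
}

# 3) TLS 1.3 suite names inside ssl_ciphers are ignored by OpenSSL 1.1.1 (they are
#    set through a separate API that nginx 1.15.9 does not expose). Returns 0 when
#    such a name is present so the caller can print a hint.
tls13_names_in_ssl_ciphers() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' \
        | grep -Eq 'TLS[-_](AES|CHACHA20)[-_]'
}

# 4) Live handshake, TLS 1.3 only (needs network; not exercised offline).
#    A server without TLS 1.3 fails the handshake and nothing is printed.
probe_tls13() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -tls1_3 </dev/null 2>/dev/null \
        | grep -E '^ *(Protocol|Cipher) *:'
}

# Typical use on the server (uncomment on a real system):
# check_nginx_build "$(nginx -V 2>&1)" || echo "nginx is not built against OpenSSL 1.1.1"
# conf=$(cat /etc/nginx/ssl.conf)
# check_ssl_protocols "$conf" || echo "ssl_protocols does not enable TLSv1.3"
# tls13_names_in_ssl_ciphers "$conf" && echo "hint: TLS 1.3 names in ssl_ciphers have no effect"
# probe_tls13 cloud.example.com        # expect "Protocol  : TLSv1.3"
```

nginx -V prints to stderr, hence the 2>&1. If the browser still shows TLS 1.2 although the handshake probe succeeds, the browser is talking to a different vhost or host than you think; if the probe fails as well, the first two checks tell you whether the binary or the configuration is at fault.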


Enjoy your personal data in your secured and hardened Nextcloud-Server!

Don't forget to back up your Nextcloud

Find more instructions here: Nextcloud Backup and Restore



Carsten Rieger

Carsten Rieger is a senior system engineer working full-time and also as an IT freelancer. He has been working with Linux environments for more than 13 years, is an open source enthusiast and highly motivated in Linux installation and troubleshooting. He works mostly with Debian/Ubuntu Linux, the Nginx and Apache web servers, MariaDB/MySQL/PostgreSQL, PHP, cloud infrastructure (e.g. Nextcloud) and other open source projects (e.g. Roundcube), and has done voluntary work for the Dr. Michael & Angela Jacobi Stiftung for more than 7 years.

49 Responses

  1. Aleksandr says:

    Hello Carsten,

    first of all: many thanks for your tutorials, I find them very helpful!

    And now my question: how do I get key exchange group p-521?
    Following this guide exactly, I only get p-256.

    Thanks in advance!

    • What is the domain? Was dhparam.pem generated (openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096) and enabled in the web server?

      • Aleksandr says:

        in /etc/nginx/ssl.conf the default is:
        ssl_ecdh_curve prime256v1:secp384r1:secp521r1;

        and if I use only secp521r1:
        ssl_ecdh_curve secp521r1;
        then I get key exchange group p-521

        dhparam.pem was generated and enabled
        $ ls /etc/ssl/certs | grep dhparam.pem
        dhparam.pem

  2. Isaac says:

    Hi Carsten,

    Sometime ago you made a guide wherein OpenSSL can be used directly by the apps? Can you bring that back please?

    Thanks very much again.

  3. Markus says:

    Hello Carsten,

    during the OpenSSL installation I somehow always fail at the step "Install the new built NGINX". Do you have an explanation why nginx_1.15.8*.deb is not there (see below)?

    root@server:/usr/local/src/nginx# dpkg -i nginx_1.15.8*.deb
    dpkg: error: cannot access archive 'nginx_1.15.8*.deb': No such file or directory
    root@server:/usr/local/src/nginx#

    Best regards
    Markus

    • What does this give you: ls -lsa /usr/local/src/nginx/ ?

      • Markus says:

        Hi Carsten,

        here is the result from both of my systems (Nextcloud 15 installation guide):

        ### Start fresh installation ###
        total 1132
        4 drwxr-xr-x 3 root root 4096 Jan 19 21:59 .
        4 drwxr-xr-x 4 root root 4096 Jan 19 21:59 ..
        4 drwxr-xr-x 10 root root 4096 Jan 19 22:06 nginx-1.15.8
        112 -rw-r--r-- 1 root root 113468 Dec 25 15:36 nginx_1.15.8-1~bionic.debian.tar.xz
        4 -rw-r--r-- 1 root root 1510 Dec 25 15:36 nginx_1.15.8-1~bionic.dsc
        1004 -rw-r--r-- 1 root root 1027862 Dec 25 15:36 nginx_1.15.8.orig.tar.gz
        #### End fresh installation ###

        ### Start running system ###
        total 1132
        4 drwxr-xr-x 3 root root 4096 Jan 20 11:45 .
        4 drwxr-xr-x 5 root root 4096 Jan 20 11:46 ..
        4 drwxr-xr-x 10 root root 4096 Jan 20 11:51 nginx-1.15.8
        112 -rw-r--r-- 1 root root 113468 Dec 25 16:36 nginx_1.15.8-1~bionic.debian.tar.xz
        4 -rw-r--r-- 1 root root 1510 Dec 25 16:36 nginx_1.15.8-1~bionic.dsc
        1004 -rw-r--r-- 1 root root 1027862 Dec 25 16:36 nginx_1.15.8.orig.tar.gz
        ### End running system ###

        Have a nice Sunday
        Markus

        • No *.deb was produced, so something goes wrong while compiling?!
          Did...
          cd /usr/local/src/nginx/nginx-1.15.8/
          apt build-dep nginx -y && dpkg-buildpackage -b

          ...run through?

          • Markus says:

            Hmm, could it be that the problem already lies earlier? After mkdir /usr/local/src/nginx && cd /usr/local/src/nginx/ and apt install dpkg-dev -y && apt source nginx I get:

            dpkg-source: info: extracting nginx in nginx-1.15.8
            dpkg-source: info: unpacking nginx_1.15.8.orig.tar.gz
            dpkg-source: info: unpacking nginx_1.15.8-1~bionic.debian.tar.xz
            W: Download is performed unsandboxed as root as file 'nginx_1.15.8-1~bionic.dsc' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

            cd /usr/local/src/nginx/nginx-1.15.8/ and apt build-dep nginx -y && dpkg-buildpackage -b did run through, but the output included, among other things:
            ./configure: error: invalid option "—with-openssl=/usr/local/src/openssl"
            debian/rules:45: recipe for target 'config.status.nginx_debug' failed
            make: *** [config.status.nginx_debug] Error 1
            dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
            root@server:/usr/local/src/nginx/nginx-1.15.8#

            • Is openssl present at all?

              • Markus says:

                With openssl version -a I got the following:

                OpenSSL 1.1.0g 2 Nov 2017
                built on: reproducible build, date unspecified
                platform: debian-amd64
                compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-1.1\""
                OPENSSLDIR: "/usr/lib/ssl"
                ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"

  4. miklor says:

    Hi Carsten and thank you for this awesome guide 😀
    I have some issues with fail2ban, which does not detect failed logins..

    The day before the release of Nextcloud 15 I followed your guide with Nextcloud 14 and I got everything working as it should. I tested fail2ban with wrong username and password 3 times in a row and got banned for 10 hours. So version 14 and fail2ban was a success.
    I have now tried with Nextcloud 15 and also tried to do a reinstall 4 times, but fail2ban does not react on “brute-force” attempts.

    The output from: fail2ban-regex /var/nc_data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf looks correct and it seems like the regex is working.

    Use failregex filter file : nextcloud, basedir: /etc/fail2ban
    Use log file : /var/nc_data/nextcloud.log
    Use encoding : UTF-8

    Results
    =======

    Failregex: 6 total
    |- #) [# of hits] regular expression
    | 2) [6] ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' (Remote IP: '<HOST>')".*}$
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    | [10] Year-Month-Day[T ]24hour:Minute:Second(?:.Microseconds)?(?:Zone offset)?
    `-

    Lines: 10 lines, 0 ignored, 6 matched, 4 missed
    [processed in 0.02 sec]

    When I test fail2ban on SSH, it works fine. In /var/log/fail2ban.log I can see the SSH attempts, but none from Nextcloud.
    Am I missing something or doing something wrong or has anyone had a similar experience?

    • Please find all configurations here and, if you are interested, just download them: fail2ban

      • miklor says:

        My fail2ban config is exactly as in your guide. I have followed your guide with debian/nginx step by step 4 times, and am not able to get fail2ban working as it should. Now I can figure out why it is not working 🙁

        • What was written to the fail2ban log? Did you change the Nextcloud logpath without having changed the fail2ban-config as well?

          • miklor says:

            #/var/log/fail2ban.log
            2018-12-16 20:50:31,313 fail2ban.server [23264]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
            2018-12-16 20:50:31,314 fail2ban.database [23264]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
            2018-12-16 20:50:31,318 fail2ban.jail [23264]: INFO Creating new jail 'sshd'
            2018-12-16 20:50:31,345 fail2ban.jail [23264]: INFO Jail 'sshd' uses pyinotify {}
            2018-12-16 20:50:31,381 fail2ban.jail [23264]: INFO Initiated 'pyinotify' backend
            2018-12-16 20:50:31,384 fail2ban.filter [23264]: INFO Added logfile = /var/log/auth.log
            2018-12-16 20:50:31,387 fail2ban.filter [23264]: INFO Set maxRetry = 5
            2018-12-16 20:50:31,388 fail2ban.filter [23264]: INFO Set findtime = 600
            2018-12-16 20:50:31,388 fail2ban.actions [23264]: INFO Set banTime = 600
            2018-12-16 20:50:31,389 fail2ban.filter [23264]: INFO Set jail log file encoding to UTF-8
            2018-12-16 20:50:31,390 fail2ban.filter [23264]: INFO Set maxlines = 10
            2018-12-16 20:50:31,588 fail2ban.server [23264]: INFO Jail sshd is not a JournalFilter instance
            2018-12-16 20:50:31,601 fail2ban.jail [23264]: INFO Creating new jail 'nginx-http-auth'
            2018-12-16 20:50:31,602 fail2ban.jail [23264]: INFO Jail 'nginx-http-auth' uses pyinotify {}
            2018-12-16 20:50:31,610 fail2ban.jail [23264]: INFO Initiated 'pyinotify' backend
            2018-12-16 20:50:31,613 fail2ban.filter [23264]: INFO Added logfile = /var/log/nginx/nextcloud.error.log
            2018-12-16 20:50:31,615 fail2ban.filter [23264]: INFO Added logfile = /var/log/nginx/le.error.log
            2018-12-16 20:50:31,617 fail2ban.filter [23264]: INFO Added logfile = /var/log/nginx/error.log
            2018-12-16 20:50:31,619 fail2ban.filter [23264]: INFO Set maxRetry = 5
            2018-12-16 20:50:31,620 fail2ban.filter [23264]: INFO Set findtime = 600
            2018-12-16 20:50:31,620 fail2ban.actions [23264]: INFO Set banTime = 600
            2018-12-16 20:50:31,621 fail2ban.filter [23264]: INFO Set jail log file encoding to UTF-8
            2018-12-16 20:50:31,638 fail2ban.jail [23264]: INFO Creating new jail 'nextcloud'
            2018-12-16 20:50:31,638 fail2ban.jail [23264]: INFO Jail 'nextcloud' uses pyinotify {}
            2018-12-16 20:50:31,646 fail2ban.jail [23264]: INFO Initiated 'pyinotify' backend
            2018-12-16 20:50:31,651 fail2ban.filter [23264]: INFO Added logfile = /var/nc_data/nextcloud.log
            2018-12-16 20:50:31,656 fail2ban.filter [23264]: INFO Set maxRetry = 3
            2018-12-16 20:50:31,656 fail2ban.filter [23264]: INFO Set findtime = 36000
            2018-12-16 20:50:31,657 fail2ban.actions [23264]: INFO Set banTime = 36000
            2018-12-16 20:50:31,657 fail2ban.filter [23264]: INFO Set jail log file encoding to UTF-8
            2018-12-16 20:50:31,682 fail2ban.jail [23264]: INFO Jail 'sshd' started
            2018-12-16 20:50:31,691 fail2ban.jail [23264]: INFO Jail 'nginx-http-auth' started
            2018-12-16 20:50:31,697 fail2ban.jail [23264]: INFO Jail 'nextcloud' started
            2018-12-16 21:01:48,467 fail2ban.filter [23264]: INFO [sshd] Found XX.XX.XX.XX
            2018-12-16 21:01:50,258 fail2ban.filter [23264]: INFO [sshd] Found XX.XX.XX.XX
            2018-12-16 21:01:53,022 fail2ban.filter [23264]: INFO [sshd] Found XX.XX.XX.XX

            I have not changed any logpath. I have just followed your guide step by step 🙂
            If I make a failed SSH login, it is getting logged, but it is not getting logged when I do a failed login from the Nextcloud GUI.

          • miklor says:

            #/var/nc_data/nextcloud.log
            {"reqId":"0A5254idApaYYGaGaegV","level":2,"time":"2018-12-14T23:04:43+01:00","remoteAddr":"XX.XX.XX.XX","user":"--","app":"core","method":"POST","url":"/login?user=test","message":"Login failed: 'test' (Remote IP: 'XX.XX.XX.XX')","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15","version":"15.0.0.10"}
            {"reqId":"SLMey8juLRar08s7oRQY","level":2,"time":"2018-12-14T23:04:51+01:00","remoteAddr":"XX.XX.XX.XX","user":"--","app":"core","method":"POST","url":"/login?user=test","message":"Login failed: 'test' (Remote IP: 'XX.XX.XX.XX')","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15","version":"15.0.0.10"}
            {"reqId":"IpHDxvSO4q1xE5i1FvzM","level":2,"time":"2018-12-14T23:04:58+01:00","remoteAddr":"XX.XX.XX.XX","user":"--","app":"core","method":"POST","url":"/login?user=test","message":"Login failed: 'test' (Remote IP: 'XX.XX.XX.XX')","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15","version":"15.0.0.10"}

            As you can see, it is getting logged when I test with a wrong username/password

          • miklor says:

            XXX@nextcloud:~# ls -lsa /var/nc_data/nextcloud.log
            7 -rw-r----- 1 www-data www-data 18799 Dec 16 20:51 /var/nc_data/nextcloud.log
            XXX@nextcloud:~# cat /var/nc_data/nextcloud.log | grep -ic “login failed”
            21

          • miklor says:

            XXX@nextcloud:~# fail2ban-regex /var/nc_data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf

            Running tests
            =============

            Use failregex filter file : nextcloud, basedir: /etc/fail2ban
            Use log file : /var/nc_data/nextcloud.log
            Use encoding : UTF-8

            Results
            =======

            Failregex: 21 total
            |- #) [# of hits] regular expression
            | 2) [21] ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' (Remote IP: '<HOST>')".*}$
            `-

            Ignoreregex: 0 total

            Date template hits:
            |- [# of hits] date format
            | [25] Year-Month-Day[T ]24hour:Minute:Second(?:.Microseconds)?(?:Zone offset)?
            `-

            Lines: 25 lines, 0 ignored, 21 matched, 4 missed
            [processed in 0.03 sec]

            |- Missed line(s):
            | {"reqId":"b503CkToRMo9PG7i0plr","level":3,"time":"2018-12-14T22:37:46+01:00","remoteAddr":"XX.XX.XX.XX","user":"admin","app":"core","method":"GET","url":"/core/preview?fileId=8&c=8ceecb9b66a521a519828fb5e2fd1a67&x=500&y=500&forceIcon=0","message":{"Exception":"ImagickException","Message":"FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -dFirstPage=1 -dLastPage=1 '-sOutputFile=/tmp/magick-3131KB9dTwSzvuY1%d' '-f/tmp/magick-3131o3GaWYlh5l2M' '-f/tmp/magick-3131s_pUZu4SDE7x'' (-1) @ error/delegate.c/ExternalDelegateCommand/462","Code":415,"Trace":[{"file":"/var/www/nextcloud/lib/private/Preview/Bitmap.php","line":87,"function":"readimage","class":"Imagick","type":"->","args":["/upload_tmp/oc_tmp_TiIiDR-.pdf[0]"]},{"file":"/var/www/nextcloud/lib/private/Preview/Bitmap.php","line":50,"function":"getResizedPreview","class":"OC\Preview\Bitmap","type":"->","args":["/upload_tmp/oc_tmp_TiIiDR-.pdf",1024,768]},{"file":"/var/www/nextcloud/lib/private/Preview/GeneratorHelper.php","line":59,"function":"getThumbnail","class":"OC\Preview\Bitmap","type":"->","args":["Nextcloud Manual.pdf",1024,768,false,{"__class__":"OC\Files\View"}]},{"file":"/var/www/nextcloud/lib/private/Preview/Generator.php","line":194,"function":"getThumbnail","class":"OC\Preview\GeneratorHelper","type":"->","args":[{"__class__":"OC\Preview\PDF"},{"__class__":"OC\Files\Node\File"},1024,768]},{"file":"/var/www/nextcloud/lib/private/Preview/Generator.php","line":118,"function":"getMaxPreview","class":"OC\Preview\Generator","type":"->","args":[{"__class__":"OC\Files\SimpleFS\SimpleFolder"},{"__class__":"OC\Files\Node\File"},"application/pdf"]},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":205,"function":"getPreview","class":"OC\Preview\Generator","type":"->","args":[{"__class__":"OC\Files\Node\File"},500,500,true,"fill","application/pdf"]},{"file":"/var/www/nextcloud/core/Controller/PreviewController.php","line":175,"function":"getPreview","class":"OC\PreviewManager","type":"->","args":[{"__class__":"OC\Files\Node\File"},500,500,true,"fill"]},{"file":"/var/www/nextcloud/core/Controller/PreviewController.php","line":147,"function":"fetchPreview","class":"OC\Core\Controller\PreviewController","type":"->","args":[{"__class__":"OC\Files\Node\File"},500,500,false,false,"fill"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":166,"function":"getPreviewByFileId","class":"OC\Core\Controller\PreviewController","type":"->","args":[8,500,500,false,false,"fill"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":99,"function":"executeController","class":"OC\AppFramework\Http\Dispatcher","type":"->","args":[{"__class__":"OC\Core\Controller\PreviewController"},"getPreviewByFileId"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":118,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->","args":[{"__class__":"OC\Core\Controller\PreviewController"},"getPreviewByFileId"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php","line":47,"function":"main","class":"OC\AppFramework\App","type":"::","args":["OC\Core\Controller\PreviewController","getPreviewByFileId",{"__class__":"OC\AppFramework\DependencyInjection\DIContainer"},{"_route":"core.Preview.getPreviewByFileId"}]},{"function":"__invoke","class":"OC\AppFramework\Routing\RouteActionHandler","type":"->","args":[{"_route":"core.Preview.getPreviewByFileId"}]},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\AppFramework\Routing\RouteActionHandler"},{"_route":"core.Preview.getPreviewByFileId"}]},{"file":"/var/www/nextcloud/lib/base.php","line":987,"function":"match","class":"OC\Route\Router","type":"->","args":["/core/preview"]},{"file":"/var/www/nextcloud/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/nextcloud/lib/private/Preview/Bitmap.php","Line":87,"CustomMessage":"File: /admin/files/Nextcloud Manual.pdf Imagick says:"},"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15","version":"15.0.0.10"}
            | {"reqId":"vUu1UW7lUl9qFdczsFkU","level":3,"time":"2018-12-14T22:37:46+01:00","remoteAddr":"XX.XX.XX.XX","user":"admin","app":"PHP","method":"GET","url":"/core/preview?fileId=9&c=22f517c4cc29990260b49895c3b4f160&x=500&y=500&forceIcon=0","message":"unlink(/upload_tmp/oc_tmp_mht14R): No such file or directory at /var/www/nextcloud/lib/private/Preview/Movie.php#111","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15","version":"15.0.0.10"}
            | {"reqId":"UZwF3lvyN8zxrzffjYN2","level":3,"time":"2018-12-14T22:39:23+01:00","remoteAddr":"XX.XX.XX.XX","user":"admin","app":"core","method":"GET","url":"/core/preview?fileId=8&c=8ceecb9b66a521a519828fb5e2fd1a67&x=500&y=500&forceIcon=0","message":{"Exception":"ImagickException","Message":"FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -dFirstPage=1 -dLastPage=1 '-sOutputFile=/tmp/magick-3130-hFGBWUpyVkX%d' '-f/tmp/magick-3130Skv28AsgUD28' '-f/tmp/magick-3130WWxhcZCQAwKk'' (-1) @ error/delegate.c/ExternalDelegateCommand/462","Code":415,"Trace":[{"file":"/var/www/nextcloud/lib/private/Preview/Bitmap.php","line":87,"function":"readimage","class":"Imagick","type":"->","args":["/upload_tmp/oc_tmp_aDSDhV-.pdf[0]"]},{"file":"/var/www/nextcloud/lib/private/Preview/Bitmap.php","line":50,"function":"getResizedPreview","class":"OC\Preview\Bitmap","type":"->","args":["/upload_tmp/oc_tmp_aDSDhV-.pdf",1024,768]},{"file":"/var/www/nextcloud/lib/private/Preview/GeneratorHelper.php","line":59,"function":"getThumbnail","class":"OC\Preview\Bitmap","type":"->","args":["Nextcloud Manual.pdf",1024,768,false,{"__class__":"OC\Files\View"}]},{"file":"/var/www/nextcloud/lib/private/Preview/Generator.php","line":194,"function":"getThumbnail","class":"OC\Preview\GeneratorHelper","type":"->","args":[{"__class__":"OC\Preview\PDF"},{"__class__":"OC\Files\Node\File"},1024,768]},{"file":"/var/www/nextcloud/lib/private/Preview/Generator.php","line":118,"function":"getMaxPreview","class":"OC\Preview\Generator","type":"->","args":[{"__class__":"OC\Files\SimpleFS\SimpleFolder"},{"__class__":"OC\Files\Node\File"},"application/pdf"]},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":205,"function":"getPreview","class":"OC\Preview\Generator","type":"->","args":[{"__class__":"OC\Files\Node\File"},500,500,true,"fill","application/pdf"]},{"file":"/var/www/nextcloud/core/Controller/PreviewController.php","line":175,"function":"getPreview","class":"OC\PreviewManager","type":"->","args":[{"__class__":"OC\Files\Node\File"},500,500,true,"fill"]},{"file":"/var/www/nextcloud/core/Controller/PreviewController.php","line":147,"function":"fetchPreview","class":"OC\Core\Controller\PreviewController","type":"->","args":[{"__class__":"OC\Files\Node\File"},500,500,false,false,"fill"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":166,"function":"getPreviewByFileId","class":"OC\Core\Controller\PreviewController","type":"->","args":[8,500,500,false,false,"fill"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":99,"function":"executeController","class":"OC\AppFramework\Http\Dispatcher","type":"->","args":[{"__class__":"OC\Core\Controller\PreviewController"},"getPreviewByFileId"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":118,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->","args":[{"__class__":"OC\Core\Controller\PreviewController"},"getPreviewByFileId"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php","line":47,"function":"main","class":"OC\AppFramework\App","type":"::","args":["OC\Core\Controller\PreviewController","getPreviewByFileId",{"__class__":"OC\AppFramework\DependencyInjection\DIContainer"},{"_route":"core.Preview.getPreviewByFileId"}]},{"function":"__invoke","class":"OC\AppFramework\Routing\RouteActionHandler","type":"->","args":[{"_route":"core.Preview.getPreviewByFileId"}]},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\AppFramework\Routing\RouteActionHandler"},{"_route":"core.Preview.getPreviewByFileId"}]},{"file":"/var/www/nextcloud/lib/base.php","line":987,"function":"match","class":"OC\Route\Router","type":"->","args":["/core/preview"]},{"file":"/var/www/nextcloud/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/nextcloud/lib/private/Preview/Bitmap.php","Line":87,"CustomMessage":"File: /admin/files/Nextcloud Manual.pdf Imagick says:"},"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15","version":"15.0.0.10"}
            | {"reqId":"Q2PPySPvaTz5eHbvX4Wv","level":3,"time":"2018-12-14T23:01:25+01:00","remoteAddr":"XX.XX.XX.XX","user":"admin","app":"PHP","method":"POST","url":"/apps/theming/ajax/updateStylesheet","message":"unlink(/var/nc_data/appdata_oc98imndxn69/css/theming/ca9f-ae11-theming.css): No such file or directory at /var/www/nextcloud/lib/private/Files/Storage/Local.php#227","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15","version":"15.0.0.10"}
            `-

          • miklor says:

            I guess that fail2ban should be able to ban an IP for a given time as the config says?
            [nextcloud]
            backend = auto
            enabled = true
            port = 80,443
            protocol = tcp
            filter = nextcloud
            maxretry = 3
            bantime = 36000
            findtime = 36000
            logpath = /var/nc_data/nextcloud.log

            [nginx-http-auth]
            enabled = true

            I know it is strange and that everything looks good and the output from fail2ban-regex seems right. I can only conclude that no IP is getting banned if someone tries to bruteforce the login. 🙁

          • miklor says:

            Okay, thank you for taking time to walk through this. I really appreciate it!

  5. Dirk says:

    Hello Carsten,
    first of all: thank you very much for your tutorials, I find them very helpful!

    I have tried to solve my problem for many hours: I'm trying to set up TLS 1.3 with nginx on Debian. I followed your tutorial and set up everything correctly (built nginx with openssl 1.1.1b-dev, set TLSv1.3 and the ciphers (just like you) in my nginx vhost and restarted nginx), but Firefox 63 and Chrome 71 still display TLSv1.2 and not TLSv1.3; running the openssl command with tls_1_3 also gives me an error, and ssllabs also only says YES for TLSv1.2...
    It’s quite annoying…

    Do you know what the problem might be?

    Thanks for your help!
    Dirk

    • Please post your output: nginx -V

      • Dirk says:

        Here it is:

        nginx version: nginx/1.15.7
        built by gcc 8.2.0 (Debian 8.2.0-9)
        built with OpenSSL 1.1.1b-dev xx XXX xxxx
        TLS SNI support enabled
        configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/usr/local/src/nginx/nginx-1.15.7=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --with-openssl=/usr/local/src/openssl --with-openssl-opt=enable-tls1_3

        • The last statement (--with-openssl-opt=enable-tls1_3) points to differences from my instructions. Please double-check your nginx rules file.

          • Dirk says:

            I compiled it using your statements first and it also didn't work, then I found this "enable-tls_1_3" and compiled nginx with that, but no luck. I also amended the nginx-options-ssl file in /etc/letsencrypt...

            Is it necessary to reissue the ssl certificate my for domain?

            • No, it isn't necessary. Find the diffs between your rules file and mine and follow this guide again step by step; that will solve your issue.
              What errors are thrown while compiling NGINX as I described?

        • Dirk says:

          I recompiled nginx strictly following your tutorial. This is my output of nginx -V now:

          nginx version: nginx/1.15.7
          built by gcc 8.2.0 (Debian 8.2.0-9)
          built with OpenSSL 1.1.1b-dev xx XXX xxxx
          TLS SNI support enabled
          configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/usr/local/src/nginx/nginx-1.15.7=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --with-openssl=/usr/local/src/openssl

          This is the error output after compiling nginx:

          dpkg-genchanges: info: binary-only upload (no source code included)
          dpkg-source --after-build .
          dpkg-buildpackage: info: binary-only upload (no source included)
          signfile nginx_1.15.7-1~stretch_amd64.buildinfo
          gpg: skipped "Konstantin Pavlov ": No secret key
          gpg: dpkg-sign.hMnxXkSw/nginx_1.15.7-1~stretch_amd64.buildinfo: clear-sign failed: No secret key

          dpkg-buildpackage: error: failed to sign .buildinfo file

          Nothing out of the ordinary, right?

          But after restarting nginx, chrome says for my nextcloud still:

          Connection – secure (strong TLS 1.2)
          The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with X25519 (a strong key exchange), and AES_256_GCM (a strong cipher).

          It really doesn’t make any sense…

          • Please send me your URL – I will double-check this. Did you amend your ssl.conf as well?

            • Thank you for your URL: you forgot to add the new ciphers as mentioned, "TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:", to your current ciphers.

          • Dirk says:

            … I did that but still no luck. I tried to put the SSL settings (cipher, TLSv1.3, …) everywhere: in /etc/letsencrypt/options-ssl-nginx.conf, in /etc/nginx/nginx.conf and in my vhost in /etc/nginx/sites-enabled/

            And it still does not work… It’s crazy. Do you have any hint?
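
The symptom Dirk describes above (the browser still reporting TLS 1.2 after the rebuild) can be reproduced and checked from the command line. The following Go program is an added example, not code from this guide or from any of the commenters: NegotiatedVersion connects to a host:port offering TLS 1.2 and TLS 1.3, as a current browser does, and reports which version the server chose; ProbeLocal runs the same check against a constructed loopback server capped at TLS 1.2 or TLS 1.3, so the "still TLS 1.2" result can be seen offline without touching a real host. The self-signed localhost certificate and the host:port argument are assumptions of the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// NegotiatedVersion performs one handshake against addr ("host:port"),
// offering TLS 1.2 and TLS 1.3 as a browser does, and returns the version the
// server chose. insecure skips certificate verification; it is only used for
// the constructed loopback server below, never for a real check.
func NegotiatedVersion(addr string, insecure bool) (string, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS13, InsecureSkipVerify: insecure}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if conn.ConnectionState().Version == tls.VersionTLS13 {
		return "TLS 1.3", nil
	}
	return "TLS 1.2", nil // MinVersion above rules out anything older
}

// selfSignedCert creates a throwaway certificate for the loopback server (assumption of the example).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer listens on a random loopback port capped at maxVersion and completes
// handshakes in the background. A cap of TLS 1.2 stands in for a server whose
// configuration does not yet enable TLSv1.3.
func startServer(maxVersion uint16) (net.Listener, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, MaxVersion: maxVersion}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

// ProbeLocal reproduces the "still TLS 1.2" symptom offline against a loopback server.
func ProbeLocal(allowTLS13 bool) (string, error) {
	maxVersion := uint16(tls.VersionTLS12)
	if allowTLS13 {
		maxVersion = tls.VersionTLS13
	}
	ln, err := startServer(maxVersion)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	return NegotiatedVersion(ln.Addr().String(), true)
}

func main() {
	for _, tls13 := range []bool{false, true} {
		v, err := ProbeLocal(tls13)
		fmt.Println("loopback server, TLS 1.3 enabled:", tls13, "-> negotiated", v, err)
	}
	if len(os.Args) > 1 { // e.g. cloud.example.com:443 (placeholder), verified normally
		v, err := NegotiatedVersion(os.Args[1], false)
		fmt.Println(os.Args[1], "-> negotiated", v, err)
	}
}
```

Run it as `go run probe.go your.host:443` (placeholder host) after a rebuild: a result of "TLS 1.2" from a server built against OpenSSL 1.1.1 means the version cap is in the loaded configuration, not in the binary; `nginx -T` prints the configuration nginx actually loaded, including any included snippet whose `ssl_protocols` line still stops at TLSv1.2.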

  6. isaac says:

    hello Carsten,

    How do we upgrade nginx with this guide? The nginx version is now 1.15.6; previously I built it with 1.15.5.

    Thanks very much

  7. Alex says:

    I like your posts! Your help is very much appreciated! All the best to you.

    THANKS! THANKS! THANKS! THANKS!

  8. Lars van Ravenzwaaij says:

    Hi Carsten,
    First, many thanks for all of your helpful guides on setting up Nextcloud!
    This guide for implementing OpenSSL 1.1.1 is based on your Ubuntu setup. Can it also be used on your Debian setup?

    Thanks

    Lars

  9. isaac says:

    Hi Carsten,

    I tried to compile nginx 1.15.5 with OpenSSL 1.1.1 but added the nginx cache purge module to it, based on your previous guide
    … it compiled successfully. Any reason why you did not include it anymore in the new tutorial?

    Problem is, upon testing with SSL Labs, I get an orange warning that the HTTP server test failed due to HTTP forwarding – too many redirections!
    Does the nginx cache purge module have anything to do with this?

    thanks very much

    • From time to time I have seen it on different systems as well. It is related to Nextcloud's database. Please double-check it in a very simple way:
      move your current config.php
      mv /var/www/nextcloud/config.php /var/www/nextcloud/config.php.bak
      then re-run the check. The warnings will disappear. Don’t forget to copy the config back:
      cp /var/www/nextcloud/config.php.bak /var/www/nextcloud/config.php
      If your Nextcloud DB is still empty/not productive you may also create an empty new Nextcloud DB and re-run the check successfully.
      Regarding the ngx_cache_purge module – I do not maintain the previous guide any longer … but feel free to compile nginx containing this module!

  10. isaac says:

    Hi Carsten,
    Thank you for this wonderful guide. Using TLS 1.3 and OpenSSL 1.1.1 seems to reduce the score we get with SSL Labs. It weakens the key exchange and cipher strength
    score to only 90%. I just thought you should know; the problem seems to be related to this: https://github.com/ssllabs/ssllabs-scan/issues/636

    thanks again
