Nextcloud, NGINX 1.17.2, OpenSSL 1.1.1 and TLS 1.3


This guide is based on the initial Nextcloud installation guide. By following it you will harden your Nextcloud server (AMD64/ARM64) further, using NGINX 1.17.2 and OpenSSL 1.1.1x to add TLS 1.3 encryption to your SSL configuration:


sudo -s
cd /usr/local/src
wget && apt-key add nginx_signing.key
vi /etc/apt/sources.list

Add the following two rows:

deb bionic nginx
deb-src bionic nginx

deb stretch nginx
deb-src stretch nginx


Then update your system repositories and go ahead with the OpenSSL configuration:

apt update
mkdir /usr/local/src/nginx && cd /usr/local/src/nginx/
apt install dpkg-dev -y && apt source nginx
cd /usr/local/src && apt install git -y
git clone
cd openssl && git branch -a

git checkout OpenSSL_1_1_1-stable


Now prepare your NGINX binaries. Open the rules file

vi /usr/local/src/nginx/nginx-1.17.2/debian/rules

a) add the following statement two times


b) change

dh_shlibdeps -a

to

dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info

To prevent further warnings, edit the gcc file:

vi /usr/local/src/nginx/nginx-1.17.2/auto/cc/gcc

Change your directory back and start compiling NGINX:

cd /usr/local/src/nginx/nginx-1.17.2/
apt build-dep nginx -y && dpkg-buildpackage -b

The following error can be ignored:

“dpkg-buildpackage: error: failed to sign .buildinfo file”

Remove any existing NGINX installations/instances:

apt remove nginx nginx-common nginx-full -y --allow-change-held-packages
cd /usr/local/src/nginx/

Install the newly built NGINX:

dpkg -i nginx_1.17.2*.deb

If the service is masked, unmask it:

systemctl unmask nginx


service nginx restart

and prevent NGINX from being updated automatically:

apt-mark hold nginx


nginx -V

and you will find information about your new NGINX

TLS 1.3

Now open your Nextcloud ssl.conf and extend its configuration for TLS 1.3:

vi /etc/nginx/ssl.conf

Change the ssl_protocols to

ssl_protocols TLSv1.3 TLSv1.2;

and amend your current ciphers and curve:

ssl_ecdh_curve X448:secp521r1:secp384r1:prime256v1;

Restart your NGINX

service nginx restart

and test your Nextcloud server for TLS 1.3 in Firefox ≥ v. 63.0.
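A server-side check to complement the browser test, as an added example that is not part of the original guide: it parses `nginx -V` output for the OpenSSL version actually in use and verifies that ssl.conf enables TLSv1.3 without anything older than TLSv1.2. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the NGINX build and the ssl.conf edited above.
# Live host: nginx -V 2>&1 | nginx_has_tls13_openssl
#            protocols_ok < /etc/nginx/ssl.conf

# Succeeds if `nginx -V` output on stdin shows OpenSSL 1.1.1 or newer in use.
# nginx appends "(running with OpenSSL Y)" when the loaded library differs
# from the one it was built with; the loaded one decides TLS 1.3 support.
nginx_has_tls13_openssl() {
    local line v
    line=$(grep -m1 'built with OpenSSL') || return 1
    case "$line" in
        *"running with OpenSSL "*) v=${line##*"running with OpenSSL "} ;;
        *) v=${line##*"built with OpenSSL "} ;;
    esac
    v=${v%%[ )]*}
    case "$v" in 1.1.1*|3.*) return 0 ;; *) return 1 ;; esac
}

# Prints every protocol named by ssl_protocols in the config text on stdin.
enabled_protocols() {
    sed -e 's/#.*//' | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' |
        sed -E 's/^[[:space:]]*ssl_protocols[[:space:]]+//; s/;.*//' |
        tr -s ' \t' '\n'
}

# Succeeds only if TLSv1.3 is enabled and nothing older than TLSv1.2 is.
protocols_ok() {
    local protos p has13=1
    protos=$(enabled_protocols)
    [ -n "$protos" ] || return 1
    for p in $protos; do
        case "$p" in
            TLSv1.3) has13=0 ;;
            TLSv1.2) ;;
            *) return 1 ;;
        esac
    done
    return "$has13"
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_GOOD_BUILD='nginx version: nginx/1.17.2
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled'
SAMPLE_STALE_RUNTIME='nginx version: nginx/1.17.2
built with OpenSSL 1.1.1c  28 May 2019 (running with OpenSSL 1.1.0l  10 Sep 2019)'
SAMPLE_CONF='# ssl_protocols TLSv1 TLSv1.1;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ecdh_curve X448:secp521r1:secp384r1:prime256v1;'
```

Both checks return a non-zero exit status on failure, so they can gate a deployment script or a monitoring probe.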

Enjoy your personal data in your secured and hardened Nextcloud-Server!

Don’t forget to back up your Nextcloud.

Find more instructions here: Nextcloud Backup and Restore

Carsten Rieger


Carsten Rieger is a full-time senior system engineer who also works as an IT freelancer. He has worked with Linux environments for more than 15 years, is an Open Source enthusiast and is highly motivated by Linux installation and troubleshooting. He mostly works with Debian/Ubuntu Linux, Nginx and Apache web servers, MariaDB/MySQL/PostgreSQL, PHP, cloud infrastructure (e.g. Nextcloud) and other open source projects (e.g. Roundcube), and has done voluntary work for the Dr. Michael & Angela Jacobi Stiftung for more than 7 years.