Nextcloud, NGINX, OpenSSL 1.1.1 and TLS 1.3


This guide is based on the initial Nextcloud installation guide. By following it you will harden your Nextcloud server (AMD64/ARM64) even further using NGINX 1.17 and OpenSSL 1.1.1, adding TLS 1.3 encryption to your SSL configuration in these simple steps:


Preparation

sudo -s
cd /usr/local/src
wget http://nginx.org/keys/nginx_signing.key && apt-key add nginx_signing.key
vi /etc/apt/sources.list

Add the following two rows:

UBUNTU:
deb http://nginx.org/packages/mainline/ubuntu/ bionic nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ bionic nginx

DEBIAN:
deb http://nginx.org/packages/mainline/debian/ stretch nginx
deb-src http://nginx.org/packages/mainline/debian/ stretch nginx


OpenSSL

Then update your package lists and fetch the OpenSSL sources:

apt update
mkdir /usr/local/src/nginx && cd /usr/local/src/nginx/
apt install dpkg-dev -y && apt source nginx
cd /usr/local/src && apt install git -y
git clone https://github.com/openssl/openssl.git
cd openssl && git branch -a

git checkout OpenSSL_1_1_1-stable


NGINX

Now prepare your NGINX binaries. Open the rules file

vi /usr/local/src/nginx/nginx-1.17.0/debian/rules

a) add the following configure option to both configure calls:

--with-openssl=/usr/local/src/openssl

b) change

dh_shlibdeps -a

to

dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info

To stop compiler warnings from being treated as errors, comment out the -Werror line in the gcc settings file:

vi /usr/local/src/nginx/nginx-1.17.0/auto/cc/gcc
#CFLAGS="$CFLAGS -Werror"

Change your directory back and start compiling NGINX:

cd /usr/local/src/nginx/nginx-1.17.0/
apt build-dep nginx -y && dpkg-buildpackage -b

The following error can be ignored:

“dpkg-buildpackage: error: failed to sign .buildinfo file”

Remove any existing NGINX installations/instances:

apt remove nginx nginx-common nginx-full -y --allow-change-held-packages
cd /usr/local/src/nginx/

Install the newly built NGINX:

dpkg -i nginx_1.17.0*.deb

If the service is masked, unmask it:

systemctl unmask nginx

Start NGINX

service nginx restart

and prevent NGINX from being updated automatically:

apt-mark hold nginx

Issue

nginx -V

and you will see the build information of your new NGINX, including the OpenSSL version it was built with.


TLS 1.3

Now open your Nextcloud ssl.conf and enhance this configuration for TLS 1.3 purposes:

vi /etc/nginx/ssl.conf

Change the ssl_protocols to

ssl_protocols TLSv1.3 TLSv1.2;

and amend your current ciphers and curves. Note that with OpenSSL 1.1.1 the TLS 1.3 ciphersuites are enabled by default and are not selected through ssl_ciphers; names OpenSSL does not recognise in this list are silently ignored, so the configuration still loads:

ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve X448:secp521r1:secp384r1:prime256v1;

Restart your NGINX

service nginx restart

and test your Nextcloud server for TLS 1.3 in Firefox ≥ 63.0.
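Besides the browser test, the negotiated protocol can be verified from any client with the openssl CLI. The script below is an added example and not part of the original guide; it assumes openssl 1.1.1 or newer on the client and takes the server name as its argument (cloud.example.com is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the original guide. Checks from a client machine that
# the server negotiates TLS 1.3 and 1.2 but no longer completes a TLS 1.0/1.1
# handshake. Assumes the openssl CLI (1.1.1+) and a host name argument, e.g. the
# placeholder cloud.example.com.

# Reduce s_client output to "PROTOCOL CIPHER", e.g. "TLSv1.3 TLS_AES_256_GCM_SHA384"
# from the line "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384". A failed handshake
# prints "New, (NONE), Cipher is (NONE)" instead, which yields "none".
negotiated_from_output() {
    line=$(printf '%s\n' "$1" \
        | sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    printf '%s\n' "${line:-none}"
}

# Expected outcome for the protocol forced by an s_client flag: 1.3 and 1.2 must
# connect, 1.0 and 1.1 must not.
judge_probe() {
    proto="${2%% *}"
    case "$1" in
        -tls1_3)       [ "$proto" = "TLSv1.3" ] ;;
        -tls1_2)       [ "$proto" = "TLSv1.2" ] ;;
        -tls1|-tls1_1) [ "$proto" = "none" ] ;;
        *)             return 2 ;;
    esac
}

# One live probe. A client whose own openssl.cnf refuses TLS 1.0/1.1 also yields
# "none", so a PASS for those flags only shows that no legacy handshake completed.
probe() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null 2>&1) || true
    result=$(negotiated_from_output "$out")
    if judge_probe "$2" "$result"; then echo "PASS $2 -> $result"
    else echo "FAIL $2 -> $result"; return 1; fi
}

check_host() {
    rc=0
    for flag in -tls1_3 -tls1_2 -tls1_1 -tls1; do probe "$1" "$flag" || rc=1; done
    return $rc
}

if [ -n "$1" ]; then check_host "$1"; fi
```

Run it as `sh check_tls.sh cloud.example.com`; a non-zero exit status means at least one probe did not behave as expected.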


Enjoy your personal data in your secured and hardened Nextcloud-Server!

Don’t forget to back up your Nextcloud.

Find more instructions here: Nextcloud Backup and Restore



Carsten Rieger

Carsten Rieger is a full-time senior system engineer who also works as an IT freelancer. He has been working with Linux environments for more than 13 years, is an Open Source enthusiast and is highly motivated in Linux installation and troubleshooting. He mostly works with Debian/Ubuntu Linux, the Nginx and Apache web servers, MariaDB/MySQL/PostgreSQL, PHP, cloud infrastructure (e.g. Nextcloud) and other open source projects (e.g. Roundcube), and has done voluntary work for the Dr. Michael & Angela Jacobi Stiftung for more than 7 years.