…update history

May 16th, 2019: NGINX, Debian, Ubuntu
– Nextcloud 16.0.1 and better compatibility using "ssl_ecdh_curve X448:secp521r1:secp384r1:prime256v1;" in /etc/nginx/ssl.conf

May 13th, 2019: NGINX, Debian, Ubuntu
– enhanced the msmtp configuration (logrotate and php)

May 10th, 2019: NGINX, Debian, Ubuntu
– switched from postfix to msmtp

May 03rd, 2019: Apache2, NGINX, Debian, Ubuntu
– New cipher (ssl_ecdh_curve X448:secp521r1:secp384r1)
– uncaught ImagickException, fixed by re-enabling PDF read/write in the ImageMagick policy: sed -i "s/rights\=\"none\" pattern\=\"PDF\"/rights\=\"read\|write\" pattern\=\"PDF\"/" /etc/ImageMagick-6/policy.xml

April 28th, 2019: NGINX, Debian, Ubuntu
– Nextcloud 16 and Pre-defined DHE group (https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096)

April 13th, 2019: NGINX, Debian, Ubuntu
– set resolver to (link), thx to Dmitriy

April 11th, 2019: NGINX, Debian, Ubuntu
– check if file exists before moving it (default.conf)

March 18th, 2019: NGINX, Debian, Ubuntu
– acme is used to request and renew SSL certificates from Let’s Encrypt

March 17th, 2019: NGINX, Debian, Ubuntu
– TLS 1.3 by default

March 08th, 2019: NGINX
– changes to ssl.conf

February 27th, 2019: NGINX
– added *.sh to the Nextcloud optimization chapter

February 26th, 2019: NGINX
– updated to NGINX 1.15.9

February 14th, 2019: NGINX
– added to the geoip section

February 01st, 2019: NGINX
– added geoip to nginx to protect your server by verifying the origin IP

January 31st, 2019:
– mount additional storage to your Nextcloud using the external storage app

January 30th, 2019:
– removed /upload_tmp from PHP to prevent Nextcloud errors

January 25th, 2019:
– removed duplicate entry from my.cnf and sorted alphabetically

January 21st, 2019:
– added logwatch
– DEBIAN: added backports for certbot (Certbot / Let’s Encrypt: February 13th, 2019 is the end of life for all TLS-SNI-01 validation support)

January, 17th, 2019: NGINX, APACHE2, GITHUB
– made changes to the header feature policy in the header.conf

January, 11th, 2019: NGINX
– updated nextcloud.conf (woff2?) required from Nextcloud 15.0.1

January, 08th, 2019: NGINX
– updated to PHP 7.3
– smaller amendments to my.cnf (innodb_buffer_pool_size=1024M and innodb_io_capacity=4000)

December 21st, 2018: NGINX
– monitor your server using netdata
– mount additional storage to your Nextcloud server
– install postfix and configure system notification mails
– a second factor for ssh (2fa)

December 15th, 2018: APACHE2
– updated headers for Nextcloud 15

December, 12th 2018: NGINX
– amendment for the new SOCIAL app in the nextcloud.conf for Nextcloud 15

December, 10th 2018: NGINX, APACHE2
– updated to Nextcloud 15

October, 25th 2018: NGINX
– added the ssl early data directive to both ssl.conf and proxy.conf

October, 17th 2018:
– added a downloadable file for Nextcloud’s fail2ban configuration

October, 10th 2018: NGINX
– made smaller amendments to the my.cnf regarding mysql logging

October, 7th 2018: NGINX
– more secure using a new header statement: add_header Feature-Policy "geolocation 'self'";
find out more about Feature-Policy

October, 05th 2018: NGINX
– cosmetic updates (version series) only

September, 21st 2018: NGINX
– amendments to nginx.conf: resolver valid=30s; resolver_timeout 5s;

September, 15th 2018: Apache2
– added security headers to <IfModule mod_headers.c>

September, 14th 2018: NGINX
– Disable auth.bruteforce.protection

September, 11th 2018: NGINX
– smaller amendments to external links (Nextcloud 14)
– declared two mountpoints as optional only:
sed -i '$atmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777 0 0' /etc/fstab
sed -i '$atmpfs /var/tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777 0 0' /etc/fstab

September, 06th 2018: NGINX
– Nextcloud 14 released

July, 31st 2018: NGINX
– added two occ statements for database optimizations

July, 27th 2018: NGINX
– changes to the header.conf (add_header Referrer-Policy "no-referrer" always;)

July, 20th 2018: NGINX
– new MariaDB version (10.3.8) and MariaDB configuration

July, 19th 2018: NGINX
– minor amendments to the spamhaus-script

July, 10th 2018: NGINX
– added chapter 6.1 (thx to @ank0m): harden your Nextcloud using the spamhaus project

July, 8th 2018: NGINX
– MariaDB changes: transaction_isolation = READ-COMMITTED, binlog_format = ROW

June, 21st 2018: NGINX
– made changes to the renewal procedure regarding certbot

June, 14th 2018: NGINX
– made changes to the ssl.conf and to the procedure to obtain SSL certificates from Let’s Encrypt

June, 13th 2018: NGINX
– updated the nginx.conf and added a “server security verification”

June, 10th 2018: NGINX
– updated the ssl.conf: changed the ssl_cipher and ssl_ecdh_curve to become more compatible and gain 100% at Qualys SSL Labs

June, 6th 2018: NGINX
– updated to NGINX 1.15

June, 3rd 2018: NGINX
– amendments to fail2ban (added [nginx-http-auth])

May, 27th 2018: NGINX
– changed the NGINX repository from xenial to bionic

May, 17th 2018: NGINX
– amendment to the renewal cronjob

May, 3rd 2018: NGINX
– added an optimize.sh to run a second Nextcloud cron

April, 30th 2018: NGINX
– Nextcloud silent installation
– modifications to the config.php

April, 17th, 2018: NGINX
– updated to nginx 1.14 stable

April, 10th 2018: NGINX
– added two statements regarding php sessionclean:
sed -i "s/09,39.*/# &/" /etc/cron.d/php
(crontab -l ; echo "09,39 * * * * /usr/lib/php/sessionclean 2>&1") | crontab -u root -

April, 6th 2018: NGINX
– amended a fail2ban regex regarding trusted domain errors

March 27th, 2018: NGINX
– ERROR FOUND regarding the APC changes from March, 26th, 2018:
please create a new directory /usr/local/tmp/apc, change the setting in the php.ini from /tmp/apc to /usr/local/tmp/apc and add the new directory to your /etc/fstab

March 26th, 2018: NGINX
– created /tmp/apc and made further PHP performance tweaks regarding APCu Object Cache (thx to markus-blog.de)

March 25th, 2018: NGINX
– added vhost files including netdata (Nextcloud 13 advanced guide only!)
– hint for Android users to decrease cipher strength and elliptic curve if they run into trouble with e.g. CalDAV/CardDAV

March 23rd, 2018: NGINX
– made changes to the config.php: 'oc' to 'oc_'
– added an egrep statement for the origin params to be pasted into the new config.php

March 21st, 2018: NGINX
– added 'share_folder' => '/Shares', to the newly ordered config.php

March 18th, 2018: NGINX
– Nextcloud download now points to the latest release

March 14th, 2018: NGINX
– made changes to the /etc/fstab

March 13th, 2018: NGINX
– security enhancements to redis and Nextcloud’s config.php

March 11th, 2018: NGINX
– added a second Nextcloud cronjob to “cleanup” app-data

March 09th, 2018: NGINX
– added a second nextcloud.conf to run Nextcloud in a subdir of your webserver

Feb. 28th, 2018: NGINX
– mysql_secure_installation – added a description
– optimization.conf: added "fastcgi_read_timeout 3600;"

Feb. 26th, 2018: NGINX
– amendments to the nextcloud.conf ("proxy_set_header Host $host;" and "location ~ \.(?:css|js|woff|svg|gif|png|html|ttf|ico|jpg|jpeg)$")

Enjoy your personal data in your secured and hardened Nextcloud-Server!

Don’t forget to back up your Nextcloud

Find more instructions here: Nextcloud backup and restore

Carsten Rieger