Nextcloud 17 on FreeBSD 12

Additional configuration

Memory caching

Setting up memory caching can improve performance. A few options are available: APCu, Redis, and Memcached. At minimum, you’ll want APCu, though using it in conjunction with Redis can offer some benefits, such as transactional file locking. Let’s go with both:

pkg install -y php73-pecl-APCu php73-pecl-redis redis
sysrc redis_enable="YES"
service redis start

Make sure to restart PHP-FPM to integrate the new extensions. Redis needs some extra configuration to work with Nextcloud. Open /usr/local/etc/redis.conf and change the following settings to make Redis listen on a Unix socket instead of a TCP port for better security:

port 0
unixsocket /tmp/redis.sock
unixsocketperm 777

Note that unixsocketperm 777 lets every local account on the host connect to the socket; if only the web server user (www) needs access, a tighter mode with matching group ownership works as well. Restart Redis with service redis restart to apply the changes. Now enable the memcache in Nextcloud. Edit /usr/local/www/apache24/data/nextcloud/config/config.php and add these settings:

'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'filelocking.enabled' => true,
'memcache.locking' => '\OC\Memcache\Redis',
'redis' =>
array (
  'host' => '/tmp/redis.sock',
  'port' => 0,
),

To verify the memcache is working, visit https://www.yourdomain.com/nextcloud/index.php/settings/admin/overview and check that there’s no message about memory caching under the security and setup warnings header.

Pretty URLs

Having index.php in the URL is a bit ugly, but with the magic of rewrite rules and Nextcloud’s bundled .htaccess files, that can be easily fixed. This isn’t much different from the official instructions except that the web server user on FreeBSD is www, not www-data.

Edit /usr/local/www/apache24/data/nextcloud/config/config.php to modify or add these options:

'overwrite.cli.url' => 'https://www.yourdomain.com/nextcloud',
'htaccess.RewriteBase' => '/nextcloud',

This also requires the mod_rewrite Apache module to be enabled. In /usr/local/etc/apache24/httpd.conf, uncomment the following line and restart the web server:

LoadModule rewrite_module libexec/apache24/mod_rewrite.so

Finally, in the Nextcloud root (/usr/local/www/apache24/data/nextcloud/), run this command to apply the changes:

su -m www -c "php occ maintenance:update:htaccess"

HTTPS

With Let’s Encrypt, adding a valid SSL certificate to a website is a breeze. We’ll use the EFF’s Certbot to get things set up, but first we need to enable SSL support in our web server. Edit /usr/local/etc/apache24/httpd.conf to uncomment or add these lines:

LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so

Make sure mod_rewrite is enabled, too, as it’s necessary for the Certbot HTTP challenge to work. Restart the web server to enable the modules.

Installing a certificate with certbot

Now that SSL support is enabled, install and run Certbot:

pkg install -y py36-certbot-apache
certbot --apache -d yourdomain.com -d www.yourdomain.com

It’s highly recommended that you enable redirects for non-HTTPS requests. You can check the configuration of your site with the Qualys SSL Server Test. Your server should receive an A with the above configuration. To automatically renew the certs, run sysrc weekly_certbot_enable="YES".

Additional web server settings

Nextcloud recommends enabling HTTP Strict Transport Security (HSTS), which can be achieved by adding the following inside the VirtualHost section of /usr/local/etc/apache24/Includes/nextcloud-le-ssl.conf (created by Certbot when it installed our certificate):

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000"
</IfModule>

Alternatively, you can run certbot enhance --hsts to have Certbot apply the configuration for you.

HTTP/2 is another good option for speeding up your server. It can be enabled by uncommenting the LoadModule http2_module libexec/apache24/mod_http2.so line in the Apache HTTP Server configuration. Then, in the SSL Virtual Host configuration file, add Protocols h2 http/1.1 under the VirtualHost section.

You can verify that these settings have taken effect by checking the response headers with curl:

$ curl -I --http2 https://www.yourdomain.com
HTTP/2 200
date: Tue, 15 Oct 2019 20:42:31 GMT
server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1a-freebsd
strict-transport-security: max-age=15552000
last-modified: Tue, 15 Oct 2019 17:40:44 GMT
etag: "2d-594f67be48e83"
accept-ranges: bytes
content-length: 45
content-type: text/html
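The curl output above can be checked automatically, which is handy after a certificate renewal or an Apache upgrade. The script below is an added example, not part of the original post: check_headers reads raw response headers and reports whether HTTP/2 was negotiated and whether HSTS is set with a max-age of at least 15552000 seconds (the value configured above); the two header samples are constructed, modelled on the curl output.

```shell
#!/bin/sh
# Added example: verify HTTP/2 + HSTS in a site's response headers.

HSTS_MIN_AGE=15552000   # 180 days, the max-age set in the Apache config above

# check_headers: read raw response headers on stdin, print what is missing,
# return 0 when everything is in place and 1 otherwise.
check_headers() {
    hdrs=$(tr -d '\r')          # curl emits CRLF line endings
    status=0

    # Status line: the server should have negotiated HTTP/2.
    proto=$(printf '%s\n' "$hdrs" | sed -n '1s|^\(HTTP/[0-9.]*\).*|\1|p')
    if [ "$proto" != "HTTP/2" ]; then
        echo "HTTP/2 not negotiated (got '${proto:-none}')"
        status=1
    fi

    # HSTS: header names are case-insensitive, so match on a lowercased copy.
    hsts=$(printf '%s\n' "$hdrs" | tr 'A-Z' 'a-z' \
           | sed -n 's/^strict-transport-security: *//p')
    if [ -z "$hsts" ]; then
        echo "Strict-Transport-Security header missing"
        status=1
    else
        max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        if [ -z "$max_age" ] || [ "$max_age" -lt "$HSTS_MIN_AGE" ]; then
            echo "HSTS max-age too low: '${max_age:-none}' (want >= $HSTS_MIN_AGE)"
            status=1
        fi
    fi
    return $status
}

# check_site: fetch the headers of a live site and run the same checks.
check_site() {
    curl -sI --http2 "$1" | check_headers
}

# Constructed sample: the hardened server, modelled on the curl output above.
GOOD_HEADERS='HTTP/2 200
server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1a-freebsd
strict-transport-security: max-age=15552000
content-type: text/html'

# Constructed sample: the same server before HTTP/2 and HSTS were enabled.
BAD_HEADERS='HTTP/1.1 200 OK
server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1a-freebsd
content-type: text/html'

printf '%s\n' "$GOOD_HEADERS" | check_headers && echo "hardened config: OK"
printf '%s\n' "$BAD_HEADERS"  | check_headers || echo "baseline config: FAIL"
```

Run check_site https://www.yourdomain.com against the live server once the certificate and modules are in place.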
