Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi
-
This Guide assumes that you are starting from CentOS 7 R1611 Minimal.
Install CentOS 7 and then either log in as root, su to root, or prepend everything here with sudo. Your choice.
```
#Update centos
yum update -y
#install helper packages
yum install -y wget nano yum-utils
#install EPEL
yum install -y epel-release
#install Remi
yum install -y http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
#enable PHP 7.1 by editing the repo file and changing enabled=0 to 1
yum-config-manager --enable remi-php71
```
Now install all of the packages that will be needed by NextCloud
```
#Install all required and optional packages
yum -y install httpd mariadb mariadb-server php php-gd php-pdo php-pear php-mbstring php-xml php-pear-Net-Curl php-mcrypt php-intl php-ldap php-smbclient php-imap php-mysql php-pear-MDB2 php-pear-MDB2-Driver-mysqli php-pecl-zip bzip2 policycoreutils-python redis php-pecl-redis
```
Install NextCloud 11.0.2. Update the `wget` and `tar` command to reflect the current version at the time of your installation.
```
#Create the root directory to extract nextcloud to
mkdir -p /var/www/html/nextcloud
#Get NextCloud
wget https://download.nextcloud.com/server/releases/nextcloud-11.0.2.tar.bz2
#Extract NextCloud
tar xvf nextcloud-11.0.2.tar.bz2 -C /var/www/html
#Create directories not created by extract
mkdir -p /var/www/html/nextcloud/data
#get the nextcloud apache config file
# the current file is currently broken for this guide, use the original commit version below.
#wget -O /etc/httpd/conf.d/nextcloud.conf https://raw.githubusercontent.com/nextcloud/server-packages/master/centos/nextcloud.conf
wget -O /etc/httpd/conf.d/nextcloud.conf https://raw.githubusercontent.com/nextcloud/server-packages/18f3837752589739b53bc62705c45a54faddbb4a/centos/nextcloud.conf
```
Now set up proper ownership and permissions to the files.
```
#default everything to root:apache
chown -R root:apache /var/www/html/nextcloud/.
#set default directory and file permissions
find /var/www/html/nextcloud -type d -exec chmod 0750 {} \;
find /var/www/html/nextcloud -type f -exec chmod 0640 {} \;
#change ownership of folders and files
chmod 0755 /var/www/html/nextcloud
chmod 0755 /var/www/html/nextcloud/occ
chown apache:apache /var/www/html/nextcloud/occ
chmod 0644 /var/www/html/nextcloud/.htaccess
chown apache:apache /var/www/html/nextcloud/.htaccess
find /var/www/html/nextcloud/apps -exec chmod 0750 {} \;
chown -R apache:apache /var/www/html/nextcloud/apps
find /var/www/html/nextcloud/updater -exec chmod 0750 {} \;
chown -R apache:apache /var/www/html/nextcloud/updater
find /var/www/html/nextcloud/data -exec chmod 0755 {} \;
chown -R apache:apache /var/www/html/nextcloud/data
find /var/www/html/nextcloud/config -exec chmod 0755 {} \;
chown -R apache:apache /var/www/html/nextcloud/config
```
Open the firewall and start the database services.
```
#open the firewall for http
firewall-cmd --zone=public --add-port=http/tcp --permanent
firewall-cmd --reload
#start the mariadb and set to start on boot
systemctl start mariadb
systemctl enable mariadb
#start redis (used for memcache)
systemctl start redis
systemctl enable redis
```
Create the NextCloud database and then secure the mariadb install.
Change `ncuser`, `ncuserpassword`, and `somesecurepassword` to something private.
```
#Create a database for nextcloud and a user to access it.
mysql -e "CREATE DATABASE nextcloud;"
mysql -e "CREATE USER 'ncuser'@'localhost' IDENTIFIED BY 'ncuserpassword';"
mysql -e "GRANT ALL ON nextcloud.* TO 'ncuser'@'localhost';"
mysql -e "FLUSH PRIVILEGES;"
#Secure mariadb. These commands do what mysql_secure_installation does interactively
mysql -e "UPDATE mysql.user SET Password=PASSWORD('somesecurepassword') WHERE User='root';"
mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
mysql -e "DELETE FROM mysql.user WHERE User='';"
mysql -e "DROP DATABASE test;"
mysql -e "FLUSH PRIVILEGES;"
```
Tell SELinux that we want to send email and that the `data`, `config`, and `apps` folders need to be writable by the webserver.
```
#tell SELinux to allow apache to send smtp and network connect
setsebool -P httpd_can_sendmail 1
setsebool -P httpd_can_network_connect 1
#change SELinux permissions for directories that need apache write access.
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
restorecon -R /var/www/html/nextcloud/config
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
restorecon -R /var/www/html/nextcloud/apps
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data(/.*)?'
restorecon -R /var/www/html/nextcloud/data
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/updater(/.*)?'
restorecon -R /var/www/html/nextcloud/updater
```
Restart the webserver
```
#Restart Apache and enable for reboot.
systemctl restart httpd
systemctl enable httpd
```
Creating a DNS entry is optional, but when the NextCloud first run wizard happens in the browser, it sets the config.php to trust the URL in the browser. If you do not have DNS setup yet, you will have to go back and add this to your config.php later anyway.
```
#create a DNS entry for your server and go to it in your browser to complete the setup
http://nextcloud.domain.com/nextcloud
```
On the web GUI, enter your desired admin username and password.
Then click the Storage & database dropdown.
Leave the data folder alone unless you know that you changed it when going through the above instructions.
Change the database to MySQL/MariaDB
Then fill it out with the information you used above.
Click the Finish setup button
You will be automatically logged in and greeted with this.
Go back to your SSH session and update the NextCloud config.php file to tell it to use redis for the memory cache and file locking.
```
#add a line to nextcloud config.php to enable memory cache
nano /var/www/html/nextcloud/config/config.php
'memcache.locking' => '\OC\Memcache\Redis',
'memcache.local' => '\OC\Memcache\Redis',
'redis' => array(
  'host' => 'localhost',
  'port' => 6379,
),
```
Restart the webserver
```
systemctl restart httpd
```
You now have a fully configured basic install.
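An added example, not part of the original post: a POSIX shell check for the ownership and permissions step earlier in this post. It flags anything under the install root whose mode is looser than the guide's chmod commands produce; the function names are made up for this example, ownership is not checked, and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example (not from the guide): flag entries whose mode is looser than
# what the guide's chmod commands produce. Ownership is not checked.

# Succeeds when "other" permission bits are expected on this path (given
# relative to the install root), per the guide's 0755/0644 exceptions.
other_bits_allowed() {
    case $1 in
        ""|/occ|/.htaccess|/data|/data/*|/config|/config/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<octal mode> <path>" for each deviation under the install root $1.
audit_modes() {
    root=${1%/}
    # Symlinks always report 777, so skip them (e.g. a symlinked data directory).
    # Assumes GNU stat and no newlines in file names.
    find "$root" ! -type l -exec stat -c '%a %n' {} + |
    while read -r mode path; do
        rel=${path#"$root"}
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$mode $path"    # group- or world-writable
        elif [ $(( 0$mode & 007 )) -ne 0 ] && ! other_bits_allowed "$rel"; then
            echo "$mode $path"    # open to "other" outside the exceptions
        fi
    done
}

# Run against a real install when a path is given on the command line.
if [ -n "${1:-}" ]; then
    audit_modes "$1"
fi
```

No output means every mode is at least as tight as the guide's; a `777` line is what a blanket `chmod 0777` during troubleshooting leaves behind.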
-
Now you have a nice working basic install, but the URL (`http://nextcloud.domain.com/nextcloud`) is nasty.
Who always wants to see `/nextcloud` in the URL all the time?
Also once signed in, you will always see `/index.php/` in the URL.
This is simple to resolve.
First update the webserver config and config.php to not use the /nextcloud folder
```
#remove need to use /nextcloud in URL by changing the document root in apache. This also adds the benefit of giving you a valid page if someone goes to the raw IP.
nano /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
#to
DocumentRoot "/var/www/html/nextcloud"
#update nextcloud config.php to remove /nextcloud
nano /var/www/html/nextcloud/config/config.php
'overwrite.cli.url' => 'http://nextcloud.domain.com',
```
Now update the config.php and have it update the .htaccess file to hide the index.php from the URL.
```
# add this line to the nextcloud config.php to remove the index.php in all the URLS
'htaccess.RewriteBase' => '/',
#then run this to apply it to the .htaccess file
cd /var/www/html/nextcloud && sudo -u apache php occ maintenance:update:htaccess
#restart apache
systemctl restart httpd
```
Now you can go to your URL without the /nextcloud and links will not have the /index.php/ in them.
```
#now go to your URL without the /nextcloud
http://nextcloud.domain.com
```
-
So you now have a nice pretty private file sync install, except it is not using SSL!
That is not secure!
Well, the Let's Encrypt project fixes that for us.
Note: If you are running behind a proxy on another local host, there is no need to setup SSL as your proxy should handle the SSL termination.
I need to clean this up to use some `sed` commands to simplify but did not have time to test that.
```
#install certbot with the apache plugin for SSL
yum -y install mod_ssl python-certbot-apache
#restart apache
systemctl restart httpd
#open the firewall for https
firewall-cmd --zone=public --add-port=https/tcp --permanent
#reload the firewall
firewall-cmd --reload
```
Now you can run certbot
```
#run certbot to get your SSL certificate, you will get a warning that it could not update a vhost file. That is because there is not one named to match the domain. That is beyond the scope of this guide.
certbot --apache certonly --email [email protected] --domain nextcloud.domain.com --agree-tos --non-interactive
```
Now update apache to look for the cert files.
```
#update ssl.conf
nano /etc/httpd/conf.d/ssl.conf
#replace
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/nextcloud.domain.com/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.domain.com/privkey.pem
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/letsencrypt/live/nextcloud.domain.com/chain.pem
#restart apache
systemctl restart httpd
```
Remove the ability to use http by removing the allow in the firewall.
```
#remove the allow for http
firewall-cmd --zone=public --remove-port=80/tcp --permanent
#reload the firewall
firewall-cmd --reload
#navigate to your site via SSL
https://nextcloud.domain.com
```
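The `ssl.conf` edit above done with `sed`, as an added example that is not from the original post. The function name `set_le_certs` and the sample file are constructed for illustration, and the directives are assumed to start at column 0 as in the lines shown above.

```sh
#!/bin/sh
# Added example, not from the guide: rewrite the three certificate directives
# in ssl.conf with sed instead of editing by hand.

# Usage: set_le_certs <path to ssl.conf> <domain>
set_le_certs() {
    conf=$1
    live=/etc/letsencrypt/live/$2
    # Keep the first original for rollback; do not clobber it on a re-run.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp) || return 1
    # '#\{0,1\}' also matches a chain directive that is commented out.
    sed -e "s|^SSLCertificateFile .*|SSLCertificateFile $live/cert.pem|" \
        -e "s|^SSLCertificateKeyFile .*|SSLCertificateKeyFile $live/privkey.pem|" \
        -e "s|^#\{0,1\}SSLCertificateChainFile .*|SSLCertificateChainFile $live/chain.pem|" \
        "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"    # write through so mode and SELinux label stay
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    # Refuse to report success unless every directive ended up in the file.
    for want in "SSLCertificateFile $live/cert.pem" \
                "SSLCertificateKeyFile $live/privkey.pem" \
                "SSLCertificateChainFile $live/chain.pem"; do
        grep -qxF "$want" "$conf" || { echo "missing: $want" >&2; return 1; }
    done
}

# Constructed sample input: a cut-down ssl.conf, edited in a temp directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</VirtualHost>
EOF
set_le_certs "$demo_dir/ssl.conf" nextcloud.domain.com &&
    grep '^SSLCertificate' "$demo_dir/ssl.conf"
```

On the real file, run `apachectl configtest` after the edit and before `systemctl restart httpd`.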
-
If you are running your Nextcloud instance behind a reverse proxy that handles the SSL, then your links may all be going out as `http` instead of `https`.
This is because Nextcloud tries to figure this out on its own and it only sees the `http` connection hitting it. You can override this default behavior by updating the Nextcloud config.php to contain the following line.
```
'overwriteprotocol' => 'https',
```
-
@JaredBusch I'll be texting in a few hours
-
If I have time today, I will do this again and get some screenshots of the browser wizard filled out with the examples as listed above.
-
@JaredBusch I am thinking about scripting it out, unless you already have started on it?
-
@aaronstuder said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:
@JaredBusch I am thinking about scripting it out, unless you already have started on it?
There is no point in something like that. If you want an invisible install, use the official appliance.
https://nextcloud.com/install/#instructions-server
https://www.techandme.se/nextcloud-vm/
Guides like this are for education as well as to provide clear instructions for a manual setup.
Once I spend a few minutes figuring out the proper `sed` statements, this entire thing can be concatenated into a one liner with `;` separators. That is not the point.
-
@JaredBusch said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:
There is no point in something like that. If you want an invisible install, use the official appliance.
I could, but I trust you, and I have no idea what is in the official appliance
Also it runs on Ubuntu, and I like Cent OS since I am studying for my RHCSA.
-
@aaronstuder said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:
@JaredBusch I am thinking about scripting it out, unless you already have started on it?
Going to Ansible or something like that is like a scripted install, but more automated and, if created idempotently, can be used to enforce consistency down the road. If you were to take the time to script the install here, it's worth considering moving to that approach. No need for an infrastructure to do that, you can just store an Ansible playbook on GIT or similar (there is free hosting out there for that) then just pull it from there.
-
@aaronstuder said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:
@JaredBusch I'll be texting in a few hours
Hopefully not while driving
-
@scottalanmiller hey it was 4AM lol
-
@aaronstuder said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:
@scottalanmiller hey it was 4AM lol
Way too late to be texting then
-
Hi,
I did the above steps starting from Centos 7 1611 minimal updated.
Got the above results ...
I tried disabling selinux
Changing permissions to 0777 on /var/www/html/nextcloud
disabling the firewalld
same results
I made sure that I am doing everything as above
Thank you for your hard work, and guide. I prefer using it cause you are using PHP7 unlike the rest.
-
Do a netstat -tulpn to see what it is listening for.
-
@msff-amman-Itofficer also double check the firewall
-
@msff-amman-Itofficer at what point in the guide are you?
-
@aaronstuder said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:
@msff-amman-Itofficer also double check the firewall
The forbidden error means that the firewall is open.
-
The default log file is `nextcloud.log` located in `/var/www/html/nextcloud/data`.
```
tail /var/www/html/nextcloud/data/nextcloud.log
```
-
Here is what my system looks like:
```
ls -lZ /var/www/html
drwxr-xr-x. root apache unconfined_u:object_r:httpd_sys_content_t:s0 nextcloud
```
```
ls -lZ /var/www/html/nextcloud/
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 3rdparty
drwxr-x---. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 apps
drwxr-x---. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 assets
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 AUTHORS
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 config
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 console.php
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 core
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 cron.php
lrwxrwxrwx. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 data -> /home/nc_data
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 db_structure.xml
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 etc
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 index.php
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 l10n
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 lib
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 occ
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 ocs
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 ocs-provider
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 public.php
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 remote.php
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 resources
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 robots.txt
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 settings
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 status.php
drwxr-x---. root apache unconfined_u:object_r:httpd_sys_content_t:s0 themes
drwxr-x---. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 updater
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 version.php
```
Since I made a symlink to my data directory I had to deviate a bit from the guide personally.
```
ls -lZ /home/
drwxrwx---. root apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 nc_data
```
```
ls -lZ /home/nc_data/
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 appdata_ocuy4ccap2ee
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 files_external
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 index.html
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 jbusch
-rw-r-----. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 nextcloud.log
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 themedinstancelogo
```