Nextcloud 16 or Nextcloud 17 and ISPConfig 3 PHP NGINX directives

Ignis.Dev image
Nextcloud 16 or Nextcloud 17 and ISPConfig 3 PHP NGINX directives 5 min read Alina
Tech

Are you managing your websites using ISPConfig 3, but having problems with proper working of opensource self hosted cloud Nextcloud 16 or Nextcloud 17? Would you like to know how PHP NGINX correct settings look like? Check instructions below.

4385
27/08/2019 17:41

Setting cloud Nextcloud 16 or Nextcloud 17 on your own server is simple, however in combination with ISPConfig 3 there may occur some problems or issues with Nextcloud 16 or Nextcloud 17 functions like unable to upload files or errors while uploading files through Nextcloud Android app.

In this Article:

  1. First steps in ISPConfig 3 panel
  2. Tricky part - edit domain NGINX vhost file

Error example shown in error logs:

[error] 29691#29691: *211 access forbidden by rule, client: XXX.XXX.XXX.XX, server: ncloud.yourdomain.com, request: "MOVE /remote.php/dav/uploads/user/74a00956189887e59756e4e9f26d760c/.file HTTP/1.1", host: "ncloud.yourdomain.com"

Error 403 example visible in access logs:

XXX.XXX.XXX.XX - user [19/Aug/2019:09:37:39 +0100] "MOVE /remote.php/dav/uploads/user/d196927a4d5b73313ca673277031bad9/.file HTTP/1.1" 403 169 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.7.2"

All users want to avoid this, to fully enjoy self hosted cloud Nextcloud 16 or Nextcloud 17. Just a few lines of directives added in appropriate places in the ISPConfig 3 panel should do the trick, check this out.

Tutorial - Nextcloud 16.x and Nextcloud 17.x PHP NGINX directives working with ISPConfig 3

1.

First steps in ISPConfig 3 panel

If you don't have it done already, under ISPConfig 3 panel create website (Sites tab -> Website -> Add new website), for example ncloud.yourdomain.com
Generate Let's encrypt SSL certificate (Let's Encrypt SSL checkbox under Domain tab should be checked)
Place this Custom php.ini settings (Options tab):

memory_limit = 512M
upload_max_filesize = 512M
post_max_size = 512M
always_populate_raw_post_data = -1
max_execution_time = 3600

Place Nginx directives (Options tab):

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
}
location ~ \.php$ {
	try_files /b615814d8f2c19dbcb25b1fbae07ce38.htm @php2;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

location = /.well-known/carddav {
	return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
	return 301 $scheme://$host:$server_port/remote.php/dav;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

error_page 403 {DOCROOT}core/templates/403.php;
error_page 404 {DOCROOT}core/templates/404.php;

location / {
	rewrite ^ /index.php;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
	deny all;
}
location ~ ^/(?:\.(?!file$)|autotest|occ|issue|indie|db_|console) {
	deny all;
}

location @php2 {
	fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
	try_files $fastcgi_script_name =404;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $fastcgi_path_info;
	fastcgi_param HTTPS $https;
	{FASTCGIPASS}
	fastcgi_intercept_errors on;
	fastcgi_index index.php;
	fastcgi_buffers 64 64K;
	fastcgi_buffer_size 256k;
	fastcgi_param modHeadersAvailable true;
	fastcgi_read_timeout 7200; 
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+)\.php(?:$|/) {
	fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
	try_files $fastcgi_script_name =404;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $fastcgi_path_info;
	fastcgi_param HTTPS on;
	# Avoid sending the security headers twice
	fastcgi_param modHeadersAvailable true;
	# Enable pretty urls
	fastcgi_param front_controller_active true;
	#fastcgi_pass php-handler;
	{FASTCGIPASS}
	fastcgi_intercept_errors on;
	fastcgi_request_buffering off;
}

location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
	try_files $uri/ =404;
	index index.php;
}

# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
	try_files $uri /index.php$request_uri;
	add_header Cache-Control "public, max-age=15778463";
	# Add headers to serve security related headers (It is intended to
	# have those duplicated to the ones above)
	# Before enabling Strict-Transport-Security headers please read into
	# this topic first.
	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
	#
	# WARNING: Only add the preload option once you read about
	# the consequences in https://hstspreload.org/. This option
	# will add the domain to a hardcoded list that is shipped
	# in all major browsers and getting removed from this list
	# could take several months.
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	add_header X-Download-Options noopen;
	add_header X-Permitted-Cross-Domain-Policies none;
	add_header Referrer-Policy no-referrer;

	# Optional: Don't log access to assets
	access_log off;
}

location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
	try_files $uri /index.php$request_uri;
	# Optional: Don't log access to other assets
	access_log off;
}

Save settings and wait until ISPConfig 3 process them!

2.

Tricky part - edit domain NGINX vhost file

Here's the tricky part, as there's no out of the box workaround, you must manually edit vhost file.

Login as root using your favourite SSH client (for example PuTTy) and edit your domain nginx vhost file:

nano /etc/nginx/sites-available/ncloud.yourdomain.com.vhost

comment this part of file by adding "#" at the beginning of each line, so they look like this:

#location ~ /\. {
# deny all;
#}

Note: if you manually change vhost NGINX config file, after each domain modification through ISPConfig 3 panel, under which Nextcloud 16 or Nextcloud 17 is installed, you'll have to comment mentioned above lines again. Don't forget about it!

Restart nginx:

service nginx restart
Do you want to install NextCloud 16 or Nextcloud 17 on your own server?
Contact us!
Cart
0
No products in cart
We use cookies to improve your experience and for marketing purposes. By continuing to use our website, you accept our use of cookies. You can manage your cookie settings in your browser.
Ignisdev Ltd 2025 TOS | Privacy policy