How to install Nextcloud on FreeNAS in an iocage jail with hardened security

I’ve recently been through the process of standing up my own personal cloud server, and found that there were a few points of difficulty not directly covered in existing guides on the topic (such as improving security/hardening the server), and a number of the guides on the topic suggested implementing bad practices, such as the use of mod_php (I’ll be using php-fpm!). My aim here is to be as explicit as possible about the process I followed so that even a relatively new beginner is able to follow it. A lot of this is adapted from dureal99d’s post on the same topic, who did a great job at explaining the process, however it discussed the installation of Nextcloud 13, and the certificate installation process was unsuccessful for me so my thought is to share my learnings to save the next person the trouble. The target audience for this guide is the person with very little exposure to the command line in either Linux or FreeBSD. With this in mind, my aim is to be as complete as possible with the information I provide, and also to provide some context about why certain tasks are being undertaken rather than just direction on which commands to run. A disclaimer to this is that I am by no means an expert, and am still learning, so if you spot any errors or have any suggestions please leave a comment below!

One thing I’ve noticed a lot of people get hung up on is dataset structure, so to be explicit, I’ll describe my configuration. I have two data pools (Storage > Pools). One, titled “vault”, is my primary storage pool, comprised of 6x4TB WD Red drives. The second, “jailhouse”, is a 500GB Samsung SSD, and is the pool I store all of my jails on so that they benefit from the faster IO operations an SSD affords. The final dataset structure I have is as follows:

├── vault
│   └── cloud
└── jailhouse
    ├── apps
    │   ├── nextcloud
    │   │   ├── config
    │   │   ├── themes
    │   │   └── db
    └── iocage
        ├── ...
        ├── jails
        │   └── nextcloud
        └── ...

According to the Nextcloud Documentation, there are four things required to restore a Nextcloud installation:

  1. The configuration directory
  2. The data directory
  3. The database
  4. The theme directory

Therefore, it makes sense to make this data independent of the jail (more on this later). This means that if for whatever reason your Nextcloud jail has been broken or deleted, you should be able to restore back to your previous configuration with minimal hassle. Note that this doesn’t serve as a backup for the purposes of upgrading, however it will afford you some ability to nuke the jail without risking the loss of data. In the above structure, the ‘cloud’ directory represents the data directory; this is where all of your files will be stored. It’s important that this is on your primary storage pool so that it can grow in size as required. I’ve stored the remaining data in their own datasets on my jailhouse pool. To organise this, I’ve created an ‘apps’ dataset which holds a dataset for each jail I create. As can be seen, there is a dataset named ‘nextcloud’, which then contains ‘config’, ‘themes’ and ‘db’ datasets for the required information.

The remaining dataset is the ‘iocage’ dataset. This is created automatically when you create a jail, so you don’t need to worry about doing anything here, however it is important to note that this is where the local storage for your iocage jails is held. Specifically, in jails > jailname, or in this case jails > nextcloud. A number of other datasets are created within the iocage dataset, however these aren’t particularly relevant to this guide, so if you see them and wonder if they’re supposed to be there; don’t stress, they are.

I’m sure many of you will have organised your datasets differently – that’s fine; this has worked well for me, feel free to adopt it, or don’t; it will be the context in which I explain this guide though. For those of you who do want to adopt it, and are confused about how to go about it, I’ll explain it below.

Create Your Datasets

Storage Dataset

On the left navigation bar, select Storage > Pools

Expand your primary storage pool. In the rightmost column of the resulting table, locate the three dots on the row of your primary storage dataset (vault in my case).

Select “Add Dataset”. Populate the form with the following:

Name: cloud
Compression level: lz4
Enable atime: Off 

Note that the atime value is set to off, which is different from the default. From the FreeNAS User Guide, disabling atime prevents the production of log traffic while files are being read, and results in significant performance gains, which is desirable for our data folder.

Leave the rest of the values as default and press “Save”. This creates the dataset /vault/cloud

Application Dataset

If you don’t already have a folder for your application data, go ahead and create that now. If you don’t have a dedicated pool for your jails or an SSD, it’s not crucial, so just put this on whatever pool is most appropriate for you. My recommendation would be to maintain the data structure listed earlier however, so have an entirely separate dataset earmarked for this purpose.

Select “Add Dataset”. Populate the form with the following:

Name: apps
Compression level: lz4
Enable atime: On 

Note that here, atime is set to the default value of ‘on’. It is enabled here because application data is considered less critical as lower performance here won’t impact the usability experience materially.

Leave the rest of the values as default and press “Save”. In my case, I’ve placed this on the jailhouse pool and this creates the dataset /jailhouse/apps

Nextcloud Application Data Dataset

As described previously, select the “apps” dataset and select “Add Dataset”

Populate the form with the following:

Name: nextcloud
Compression Level: lz4
Enable atime: On

Leave the rest of the values as default and press “Save”. This creates the dataset /jailhouse/apps/nextcloud

Nextcloud Database Dataset

Select the “apps/nextcloud” dataset and select “Add Dataset”

Populate the form with the following:

Name: db
Compression Level: lz4
Enable atime: Off

Again, note that in this case atime is off. Leave the rest of the values as default and press “Save”. The database will see steady read and write operations, so performance is a factor here. This creates the dataset /jailhouse/apps/nextcloud/db, and will be used to store the nextcloud database

Nextcloud Configuration Dataset

Select the “apps/nextcloud” dataset and select “Add Dataset”

Populate the form with the following:

Name: config
Compression Level: lz4
Enable atime: On

Leave the rest of the values as default and press “Save”. This creates the dataset /jailhouse/apps/nextcloud/config, and will store configuration settings for Nextcloud

Nextcloud Themes Dataset

Select the “apps/nextcloud” dataset and select “Add Dataset”

Populate the form with the following:

Name: themes
Compression Level: lz4
Enable atime: On

Leave the rest of the values as default and press “Save”. This creates the dataset /jailhouse/apps/nextcloud/themes

Create users and set permissions

Navigate to Accounts > Users, and press the big “+” to add a user:

Populate the resulting form as follows:

Username: mysql
Full Name: MySQL User
User ID: 88
New Primary Group: Checked
Enable Password login: No

Now press Save. Navigate back to your “apps” dataset: Storage > Pools, and expand jailhouse > apps > nextcloud. To edit the permissions, select the three dots in the rightmost column corresponding to each dataset, and select “Edit Permissions”.

Now, for each dataset we want to make the following changes:

db dataset:

User: mysql
Group: mysql

config dataset: Note that the ‘www’ user and group should already exist, there is no need to create them.

User: www
Group: www

themes dataset:

User: www
Group: www

Create an iocage jail:

Now it’s time to create the jail. This can be done with the web UI, however I prefer to use the command line interface, and so the rest of these instructions will be presented there. First, you’ll need to SSH into your FreeNAS host. Instructions on how to configure SSH are available here. The gist of this is that you’ll need to enable the SSH service in the FreeNAS UI and configure the public/private key pair for your user, and then make a connection. From a unix terminal (macOS, Linux), this will look like the following, assuming a FreeNAS host local IP of 192.168.0.9:

$ ssh root@192.168.0.9

If you’re using Windows, you’ll need to use PuTTY or Cygwin. Refer to the guide linked above for more detail. Once you have established an SSH connection, you’ll need to use the iocage command to create the jail as follows:

$ iocage create -n nextcloud -r 11.3-RELEASE ip4_addr="vnet0|192.168.0.10/24" defaultrouter="192.168.0.1" vnet="on" allow_raw_sockets="1" boot="on"

To provide some insight as to what this is doing: the -n flag allows the specification of the jail name, in this case “nextcloud”. The -r flag specifies the release of FreeBSD to be installed in the jail. Note that this version must be the same or lower than your version of FreeNAS. For example, if your FreeNAS version is 11.1, then you would need to pass 11.1-RELEASE as a parameter instead of 11.3-RELEASE; using 11.3-RELEASE would break the jail due to differences in the respective kernels. ip4_addr is the networking specification – in this case the IP/Mask for the jail (192.168.0.10/24), and the interface to use, vnet0. Set this IP value to something convenient to you on the subnet you wish it to be on – the selection is arbitrary, though if you’re new to this, it is advisable for simplicity that you choose an IP on the same subnet as your router. To illustrate this, if your router is 192.168.0.1, then choose an IP of the form 192.168.0.x, where x is a number between 0 and 254. The defaultrouter parameter specifies the router for your network; typically this will be 192.168.0.1 by default, but if it’s something else put that here. vnet="on" enables the vnet interface, which is required as we previously specified vnet0 as the interface. allow_raw_sockets="1" enables raw sockets, which enables the use of functions such as ping and traceroute within the jail, and enables interaction with various network subsystems. boot="on" enables the jail to be auto-started at boot time. More detail on all of the parameters that can be used to configure a jail on creation can be found in the man page for iocage. If the jail doesn’t start automatically after issuing this command, start it manually:

$ iocage start nextcloud

Add storage to the iocage jail

As I mentioned previously, it’s possible to mount a device from one file system into another. This is done by creating an entry in the file system table (fstab) of the receiving file system. More information about fstab is available here. In our case, this enables data edited inside the jail to be stored outside the jail, so that if the jail needs to be destroyed or rebuilt, we still have the configuration data we need to get it back to the previous state with minimal effort. This is achieved using the iocage fstab command.

The goal is to mount the datasets you created earlier into the jail, which can be achieved as follows:

$ iocage exec nextcloud mkdir -p /mnt/data
$ iocage exec nextcloud mkdir -p /var/db/mysql
$ iocage exec nextcloud mkdir -p /usr/local/www/nextcloud/config
$ iocage exec nextcloud mkdir -p /usr/local/www/nextcloud/themes
$ iocage fstab -a nextcloud /mnt/vault/cloud /mnt/data nullfs rw 0 0
$ iocage fstab -a nextcloud /mnt/jailhouse/apps/nextcloud/db /var/db/mysql nullfs rw 0 0
$ iocage fstab -a nextcloud /mnt/jailhouse/apps/nextcloud/config /usr/local/www/nextcloud/config nullfs rw 0 0
$ iocage fstab -a nextcloud /mnt/jailhouse/apps/nextcloud/themes /usr/local/www/nextcloud/themes nullfs rw 0 0

The format these take is:

$ iocage fstab -a jailname source_location destination_location nullfs (rw/ro) 0 0

where source_location is the dataset location on your FreeNAS host, and destination_location is the mount location within the jail. rw/ro refers to the permissions the jail has for the mounted dataset; rw is read/write and ro is read only. Choose ro if the jail needs to read the data but shouldn’t be able to alter it. Obviously, in the case of Nextcloud, we want to give all of these mounts read/write access. The -a flag is to add an item to the jail’s fstab file. The -e flag can be used to edit an entry once made:

$ iocage fstab -e nextcloud

This will open the fstab file in vi (if you just ran it to try it out, type :q! and press Enter to quit without saving). If you’re not familiar with vi, or prefer not to use it (the commands take some getting used to), this can be changed by setting the EDITOR environment variable with the setenv command:

$ setenv EDITOR /usr/local/bin/nano

This will change the default editor to use the text editor nano for this session. Other alternatives include ee, emacs, vim. Choose one based on your own preferences and what you have installed. I will be using nano for this guide as it’s relatively intuitive to understand.
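To keep the rw/ro choice described above reviewable over time, here is an added example (not part of the original guide) that audits a list of mounts and flags any writable mount you did not explicitly expect. It assumes one mount per line in the "source destination nullfs rw/ro 0 0" form shown above, with destinations compared exactly as written; the sample file is constructed from the four mounts in this guide.

```shell
#!/bin/sh
# Added example: review jail mounts so that read/write access stays limited
# to the destinations you expect. Sample input below is constructed.

# audit_fstab FSTAB ALLOWED_RW_DEST...
# Prints one line per mount. Returns 1 if any mount is not nullfs, or is
# writable and its destination is not in the allow-list given as arguments.
audit_fstab() {
    fstab=$1; shift
    awk -v allowed=" $* " '
        { sub(/#.*/, "") }                 # strip trailing comments
        NF < 4 { next }                    # skip blank or short lines
        {
            mode = "rw"                    # a mount is writable unless "ro" is set
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") mode = "ro"
            verdict = "ok"
            if ($3 != "nullfs")
                verdict = "REVIEW(type)"
            else if (mode == "rw" && index(allowed, " " $2 " ") == 0)
                verdict = "REVIEW(rw)"
            if (verdict != "ok") bad = 1
            printf "%-12s %-2s %s <- %s\n", verdict, mode, $2, $1
        }
        END { exit bad }' "$fstab"
}

# Destinations this guide mounts read/write.
EXPECTED_RW="/mnt/data /var/db/mysql /usr/local/www/nextcloud/config /usr/local/www/nextcloud/themes"

# --- demo on a constructed sample -------------------------------------------
fstab_demo=$(mktemp -d)
trap 'rm -rf "$fstab_demo"' EXIT
cat > "$fstab_demo/fstab" <<'EOF'
/mnt/vault/cloud /mnt/data nullfs rw 0 0 # constructed sample entry
/mnt/jailhouse/apps/nextcloud/db /var/db/mysql nullfs rw 0 0
/mnt/jailhouse/apps/nextcloud/config /usr/local/www/nextcloud/config nullfs rw 0 0
/mnt/jailhouse/apps/nextcloud/themes /usr/local/www/nextcloud/themes nullfs rw 0 0
EOF

# $EXPECTED_RW is intentionally unquoted so each path becomes one argument.
audit_fstab "$fstab_demo/fstab" $EXPECTED_RW || echo "unexpected mounts found"
```

Any line marked REVIEW(rw) is a mount that should either be added to the allow-list deliberately or changed to ro.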

Set primary cache in FreeNAS UserSpace Shell

$ zfs set primarycache=metadata jailhouse/apps/nextcloud/db

This setting provides some optimisations specific to database storage, and should only be applied to your database directory. Since MariaDB has its own internal cache, it would be a waste of memory to cache the same thing in ZFS as well.

Further reading on the impact of tweaking this setting can be found on PatPro[1][2]. TLDR; Only ever set this to ‘metadata’ for database applications, and ‘all’ for everything else, otherwise you’ll have significant performance degradation.

Okay, now on to configuring the jail!

Jail Setup

Confirm that the jail has been set up and is running by running:

$ iocage list

iocage list will present a table that looks like the following:

+-----+--------------+-------+--------------+----------------+
| JID |     NAME     | STATE |   RELEASE    |      IP4       |
+=====+==============+=======+==============+================+
| 1   | nextcloud    | up    | 11.3-RELEASE | 192.168.0.10   |
+-----+--------------+-------+--------------+----------------+

We can now use the name field to enter the jail using the following command:

$ iocage console nextcloud

This will spawn the default shell (in my case it was csh), and you should be presented with something similar to the following:

root@freenas:~ $ iocage console nextcloud
FreeBSD 11.3-RELEASE-p7 (FreeNAS.amd64) #0 r325575+ca0f1a6ba25(HEAD): Tue Apr 21 20:46:20 UTC 2020

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@nextcloud:~ $

Okay, so what we’re going to do here is set up what’s known as a FAMP stack. This is a derivation of the LAMP stack, which is a popular web server environment configuration. LAMP is an acronym for Linux Apache MySQL PHP. In this case, we’re obviously not using Linux, so this becomes the FAMP stack; FreeBSD, Apache, MySQL and PHP.

Install required packages

Now that the pkg repository has been updated, we can go ahead and install the necessary packages. The packages we will install are as follows:

  • nano: a text editor
  • wget: a download client
  • ca_root_nss: The Mozilla bundle of root certificates to enable https connections to be verified
  • Apache 2.4: the web server to make your Nextcloud instance visible in the web UI
  • MariaDB: The mysql database package
  • Nextcloud: the cloud application! (installed manually later in this guide)
  • Redis: caching package (installed in its own step later in this guide)

You can install these by running the following commands:

$ pkg update
$ pkg install nano
$ pkg install wget ca_root_nss
$ pkg install apache24
$ sysrc apache24_enable=yes
$ service apache24 start
$ pkg install mariadb104-server
$ sysrc mysql_enable=yes

Set up MySQL (MariaDB)

Before continuing, we’ll need to modify the MySQL configuration to create a socket in the right location. Open /usr/local/etc/mysql/my.cnf as follows:

$ nano /usr/local/etc/mysql/my.cnf

Now find the line that shows:

socket  = /var/run/mysql/mysql.sock

Modify it to match the following:

socket  = /tmp/mysql.sock

Now save and exit (Ctrl + X). Now start the MySQL service and go through the set up process:

$ service mysql-server start
$ mysql_secure_installation --socket=/tmp/mysql.sock

NOTE: If you get the following error at this point:

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

Follow this procedure:

  1. Press Ctrl + C to stop the script
  2. Enter the following command to stop the mysql server

$ /usr/local/etc/rc.d/mysql-server stop

  3. Then enter the following command:

$ mysqld_safe --skip-grant-tables &
$ /usr/local/etc/rc.d/mysql-server start

  4. Once again stop the script by pressing Ctrl + C
  5. Re-run the wizard script

$ mysql_secure_installation

This should resolve this issue. Provide the following answers to the prompts:

Enter current password for root (enter for none):

Press enter as there is no password

Switch to unix_socket authentication [Y/n] y
Set root password? [Y/n] y
New password: 

Enter a new password of your choice (don’t forget it!)

Re-enter new password: 

Re-enter the password

Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

MariaDB is now configured. At this stage, the installer should have created a user named ‘mysql’, and a group named ‘mysql’ within the jail, with UID=88 and GID=88 respectively. You’ll recall earlier in the guide, we created a mysql user and group with these UID and GID. It is imperative that the UID and GID of the user and group created earlier on the FreeNAS host, and the user and group created during the mysql installation within the jail match. If they don’t, you will run into permission issues, so go ahead and change the ID of the user and group on the FreeNAS host if this is the case for you.
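The UID/GID match described above can be checked rather than assumed. The following is an added example (not part of the original guide) that compares numeric IDs between two passwd files and checks the numeric owner of a dataset directory. The passwd contents are constructed samples, and the jail passwd path in the comment assumes iocage keeps the jail's root filesystem under jails/nextcloud/root.

```shell
#!/bin/sh
# Added example: ZFS stores ownership as numbers, and the jail resolves those
# numbers against its own /etc/passwd, so only the numeric IDs matter.

# id_of PASSWD_FILE NAME -> prints "uid:gid"; non-zero exit if NAME is absent
id_of() {
    awk -F: -v n="$2" '$1 == n { print $3 ":" $4; found = 1; exit }
                       END { exit !found }' "$1"
}

# owner_of PATH -> prints the numeric "uid:gid" owner of PATH
owner_of() {
    ls -ldn "$1" | awk '{ print $3 ":" $4 }'
}

# ids_match HOST_PASSWD JAIL_PASSWD NAME -> 0 same, 1 mismatch, 2 missing
ids_match() {
    host_id=$(id_of "$1" "$3") || { echo "$3: not defined on host"; return 2; }
    jail_id=$(id_of "$2" "$3") || { echo "$3: not defined in jail"; return 2; }
    if [ "$host_id" != "$jail_id" ]; then
        echo "$3: MISMATCH host=$host_id jail=$jail_id"
        return 1
    fi
    echo "$3: ok ($host_id)"
}

# dataset_owned_by DIR JAIL_PASSWD NAME -> 0 if DIR is owned by NAME's uid:gid
dataset_owned_by() {
    want=$(id_of "$2" "$3") || return 2
    [ "$(owner_of "$1")" = "$want" ]
}

# --- demo on constructed passwd files ---------------------------------------
# Real use (paths are assumptions about your layout):
#   ids_match /etc/passwd /mnt/jailhouse/iocage/jails/nextcloud/root/etc/passwd mysql
#   dataset_owned_by /mnt/jailhouse/apps/nextcloud/db <jail passwd> mysql
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/host_passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL User:/nonexistent:/usr/sbin/nologin
EOF

# Jail where the package created mysql with the expected IDs.
cp "$demo_dir/host_passwd" "$demo_dir/jail_ok"

# Jail where mysql ended up with different IDs (the failure case).
cat > "$demo_dir/jail_bad" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
mysql:*:1001:1001:MySQL User:/nonexistent:/usr/sbin/nologin
EOF

for acct in mysql www; do
    ids_match "$demo_dir/host_passwd" "$demo_dir/jail_ok"  "$acct" || true
    ids_match "$demo_dir/host_passwd" "$demo_dir/jail_bad" "$acct" || true
done
```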

Installing Nextcloud

Now, it’s time to install Nextcloud. Previous iterations of this guide made use of FreeBSD’s package manager pkg to do this. The motivation behind this was to make it easy to upgrade. Unfortunately, this was not my experience, predominantly because:

  • Using the web updater caused a disconnect between the pkg version and the actual version of Nextcloud
  • Running the upgrade process failed consistently
  • The pkg distribution of Nextcloud didn’t maintain stable streams of major Nextcloud versions. To illustrate this, Nextcloud presently maintains versions 17, 18 and 19. nextcloud-php74 only provides an option to install Nextcloud 19, so as soon as another major version is released, you would be forced to upgrade. This presents difficulties in upgrading to the latest version if you had fallen behind. Since Nextcloud doesn’t allow upgrading across multiple major versions, being able to install or upgrade to releases in each of the currently supported major versions is important.

With this in mind, the method I’m now proposing is a manual installation. This will ideally allow the web updater to be used effectively, and in the event that the web updater doesn’t work, Nextcloud maintains a large archive of versions to allow you to choose specifically what you want to install or use to upgrade.

The first step is to download the latest Nextcloud release and its associated hash into the /tmp directory:

root@nextcloud:~ $ cd /tmp
root@nextcloud:/tmp $ wget https://download.nextcloud.com/server/releases/latest.tar.bz2
root@nextcloud:/tmp $ wget https://download.nextcloud.com/server/releases/latest.tar.bz2.sha512

If you’re new to *nix type systems, these file extensions may look strange to you. .tar.bz2 files are known as compressed tarballs. The .tar component of the file extension indicates an uncompressed archive, and the .bz2 portion indicates that it has been compressed using the bzip2 algorithm. In short, they’re compressed archives (similar to zip), however on *nix systems they maintain file system parameters such as names, timestamps, ownership and access permissions. Now, confirm that the file you downloaded hasn’t been corrupted or tampered with by comparing it against the hash:

root@nextcloud:/tmp $ shasum -a 512 -c latest.tar.bz2.sha512
latest.tar.bz2: OK

If the result you get is OK, then you can move on. Otherwise, attempt to re-download the latest Nextcloud release. Now, uncompress the archive to /usr/local/www/nextcloud as follows:

root@nextcloud:/tmp $ tar -xf latest.tar.bz2 -C /usr/local/www

Unfortunately the archive was not created with the user ownership we need for this directory, so let’s go ahead and change the owner to the www user:

root@nextcloud:/tmp $ chown -R www:www /usr/local/www/nextcloud
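The verify-then-extract sequence above can be turned into a gate that refuses to unpack on a bad digest or on unexpected paths inside the archive. This is an added example, not part of the original guide; file names and contents are constructed, and it uses a plain .tar so it runs without bzip2. Keep in mind that a digest downloaded from the same host as the archive detects corruption in transit, not a compromise of that host.

```shell
#!/bin/sh
# Added example: only extract a release archive after its SHA-512 digest and
# its member paths have been checked. All sample files are constructed.

# sha512_of FILE -> hex digest, using whichever tool this system provides
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{ print $1 }'
    else
        sha512 -q "$1"                      # FreeBSD base utility
    fi
}

# verify_release ARCHIVE SUMFILE -> 0 match, 1 mismatch, 2 no digest listed
verify_release() {
    name=$(basename "$1")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
               if (f == n) { print tolower($1); exit } }' "$2" 2>/dev/null) || want=""
    if [ -z "$want" ]; then
        echo "no digest listed for $name" >&2
        return 2
    fi
    got=$(sha512_of "$1")
    if [ "$got" != "$want" ]; then
        echo "$name: SHA-512 mismatch, not extracting" >&2
        return 1
    fi
}

# members_ok ARCHIVE TOPDIR -> 0 only if every member lives under TOPDIR/
# (rejects absolute paths, ".." components and an unreadable/empty archive)
members_ok() {
    tar -tf "$1" 2>/dev/null | awk -v top="$2" '
        /^\// || /(^|\/)\.\.(\/|$)/              { bad = 1 }
        $0 != top && index($0, top "/") != 1     { bad = 1 }
        END { exit (bad || NR == 0) }'
}

# unpack_verified ARCHIVE SUMFILE DEST TOPDIR
unpack_verified() {
    verify_release "$1" "$2" || return $?
    members_ok "$1" "$4" || { echo "unexpected paths in archive" >&2; return 3; }
    tar -xf "$1" -C "$3"
}

# build_sample DIR -> creates DIR/sample.tar, its .sha512 file and DIR/www
build_sample() {
    mkdir -p "$1/src/nextcloud" "$1/www"
    echo '<?php // constructed placeholder file' > "$1/src/nextcloud/index.php"
    tar -cf "$1/sample.tar" -C "$1/src" nextcloud
    echo "$(sha512_of "$1/sample.tar")  sample.tar" > "$1/sample.tar.sha512"
}

# --- demo --------------------------------------------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_sample "$work"

unpack_verified "$work/sample.tar" "$work/sample.tar.sha512" "$work/www" nextcloud \
    && echo "digest ok, extracted to $work/www/nextcloud"

printf 'x' >> "$work/sample.tar"            # simulate corruption or tampering
unpack_verified "$work/sample.tar" "$work/sample.tar.sha512" "$work/www" nextcloud \
    || echo "refused to extract (exit $?)"
```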

Installing PHP

The following command installs PHP 7.4 and the packages that Nextcloud requires to run:

$ pkg install php74 php74-bz2 php74-ctype php74-curl php74-dom php74-exif php74-fileinfo php74-filter php74-gd php74-iconv php74-intl php74-json php74-ldap php74-mbstring php74-opcache php74-openssl php74-pdo php74-pdo_mysql php74-pecl-APCu php74-pecl-imagick php74-pecl-redis php74-posix php74-session php74-simplexml php74-xml php74-xmlreader php74-xmlwriter php74-xsl php74-zip php74-zlib php74-bcmath php74-gmp

To use a newer version of PHP, these packages will need to be replaced with the appropriate version. An example might be that when PHP 7.5 is released and you want to upgrade, you would remove php74-bz2 and install php75-bz2.

Installing Redis

Now install Redis as follows:

$ pkg install redis
$ sysrc redis_enable=yes
$ service redis start

The function of the previous commands should have been relatively self explanatory. To provide a little more detail, “pkg update” downloads the latest list of packages in the repository, “pkg install” installs a package, “sysrc” adds an item to rc.conf, which in this case ensures that these services start on boot, and “service start” starts a given service.

Now that we have everything we need installed, let’s get configuring!

Configure MySQL

Login to MySQL to create Nextcloud Database and User

$ mysql -u root -p

Enter the password you made for root during the MariaDB 10.1 Setup. Then enter each of the following commands one by one:

CREATE DATABASE nextcloud;
CREATE USER 'nextcloud_admin'@'localhost' IDENTIFIED BY 'your-password-here';
GRANT ALL ON nextcloud.* TO 'nextcloud_admin'@'localhost';
FLUSH PRIVILEGES;
exit

Where ‘your-password-here’ is the password you just used to log in to mysql. It’s important that you include the semi-colon ‘;’ at the end of each statement. If you don’t it won’t know when to terminate each command.

Configure Apache for PHP with php-fpm

Many other guides on this and similar topics suggest the use of mod_php to configure Apache to handle php files, however Apache recommends the use of proxy_fcgi and php-fpm above all other recipes. This is due to its ability to enable diagnosis of php problems more quickly, and significantly reduce the memory footprint of the httpd server as it can facilitate more scalable threaded MPMs such as event or worker. This is in contrast to mod_php, which poses some difficulty in maintaining a thread-safe php library. If this is not done, child processes are prone to memory leaks which are likely to consume large amounts of RAM and deplete the available system resources. Additionally, mod_php has certain vulnerabilities that allow uninitialised memory to be turned into executable code. This vulnerability is mitigated by using FastCGI and php-fpm.

php-fpm should have been installed along with PHP, so let’s go ahead and add it to the startup script (rc.conf) and start the php-fpm service:

$ sysrc php_fpm_enable=yes
$ service php-fpm start

Now let’s enable the proxy_fcgi modules. Open the Apache config file:

$ nano /usr/local/etc/apache24/httpd.conf

Search (Ctrl + W) for and uncomment the following lines (remove the leading ‘#’) to enable fastCGI and mod_rewrite:

LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so

Save and quit

Ctrl + X
y
enter

Now reload Apache gracefully:

$ apachectl graceful

This ensures that whenever a php file is loaded, Apache will use the php installation to parse the contents (with the appropriate VirtualHost entry, discussed later). Without this, the php file will download without loading – not very useful. For more information and different configuration options available for php-fpm, see the Apache documentation.

Create a test Virtual Host File

The virtual host file handles the site specific configuration. This will be discussed in more detail later for the Nextcloud specific configuration. For now, let’s just create a test vhost configuration so we can test our php configuration. Create a new vhost file:

$ nano /usr/local/etc/apache24/Includes/test.conf

Copy and paste the following

<VirtualHost *:80>
    DocumentRoot "/usr/local/www/apache24/data"
    ServerName 192.168.0.10
    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/usr/local/www/apache24/data/$1
    DirectoryIndex /index.php index.php
</VirtualHost>

Change the ServerName directive to match the IP you chose for this jail, then Save and Exit (Ctrl + X).

Configure php.ini

$ cd /usr/local/etc

Create php.ini by copying the php.ini-production file (a template with production appropriate security configuration) to a new file named php.ini:

$ cp php.ini-production php.ini

Now, edit php.ini:

$ nano /usr/local/etc/php.ini

Use the search command in nano (Ctrl + W) to uncomment and make sure the following parameters have these values. Comments can be removed by deleting the “;” at the beginning of the line:

cgi.fix_pathinfo=1
date.timezone=Country/City

SEE: http://php.net/manual/en/timezones.php for the timezone relevant to you. An example would be Australia/Sydney

post_max_size = 1999M
upload_max_filesize = 1999M
memory_limit = 512M

Uncomment and update the following values as well, which provide the php configuration for caching data:

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Save and Exit:

Ctrl + X
Y
ENTER

Restart Apache and php-fpm

$ service php-fpm restart
$ service apache24 restart

Test the php configuration

Navigate to /usr/local/www/apache24/data:

$ cd /usr/local/www/apache24/data
$ nano info.php

Paste the following into info.php

<?php
phpinfo(); //display all info
?>

This is a simple function that will display all php info for testing purposes. Save and exit:

Ctrl + X
Y
ENTER

Now, open a browser and navigate to http://JAIL_IP/info.php, where JAIL_IP is the IP you gave to this jail when you created it using iocage create, for example http://192.168.0.10/info.php. You should see a page displaying information about your PHP installation. If this works, congratulations! If it doesn’t, go back over the previous steps and try to work out where you’ve gone wrong.

Nextcloud configuration

Configure Apache for Nextcloud

Nextcloud will have been installed to /usr/local/www/nextcloud, which is not the default web root for apache (place where apache looks for index.php). This will need to be changed to the Nextcloud directory so that the Nextcloud web UI can be loaded. You can do this by editing apache’s configuration file:

$ nano /usr/local/etc/apache24/httpd.conf

Change the following two lines

DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">

To

DocumentRoot "/usr/local/www/nextcloud"
<Directory "/usr/local/www/nextcloud">

Now enable the .htaccess file within this block. The changes you’ve just made should yield a block that looks as follows:

DocumentRoot "/usr/local/www/nextcloud"
<Directory "/usr/local/www/nextcloud">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

To enable the .htaccess file to be used for configuration, change the AllowOverride value to ‘all’:

AllowOverride all

Save and Exit (Ctrl + X).

Permissions

Ensure the installation folder and data folders have the correct permissions so that you can read and write configuration settings, files, and perform updates.

chown -R www:www /usr/local/www/nextcloud /mnt/data

This command changes the ownership recursively of the specified folder (folder and all sub folders) to user “www” and group “www”. The arguments are:

chown -R user:group /path/to/directory

Create a VirtualHost definition for Nextcloud

A Virtual Host (or vhost) definition determines how a server processes an incoming request. This is where a range of configuration options for a site can be set, depending on both the IP and port which a request comes through on. A Virtual Host definition begins with the <VirtualHost> directive, which takes both an IP and a port as a parameter. As an example, the following definition processes requests for IP 192.168.0.10 on port 80:

<VirtualHost 192.168.0.10:80>

For our purposes, we will use a wildcard (*) for the IP, which means that our vhost definition will be evaluated for all IPs, but we will specify port 80 specifically, which is the port used for HTTP traffic. There are two types of vhost matching, IP-based matching and Name-based matching. Because we’re accepting all IP addresses in this configuration, we’re relying on the ServerName field for Name-based matching.

For these examples, I’m going to use mydomain.com, and the subdomain cloud.mydomain.com. If for example you’re using a DDNS (more on this later), you might replace all instances of cloud.mydomain.com with something like cloud.no-IP.org. Navigate to the apache Includes directory:

cd /usr/local/etc/apache24/Includes

First, let’s remove the configuration file we created earlier; we won’t need it anymore.

$ rm /usr/local/etc/apache24/Includes/test.conf

Now, create the new site configuration file:

$ nano cloud.mydomain.com.conf

Add the following content to the file:

<VirtualHost *:80>
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName cloud.mydomain.com
    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    DirectoryIndex /index.php index.php
</VirtualHost>

Remember to replace cloud.mydomain.com with the domain relevant to you. Save and Exit (Ctrl + X). Now, let’s discuss what’s going on here. The first line, DocumentRoot, defines the “root”, or top level directory from which to serve content. This means that using the URL http://cloud.mydomain.com will direct a user to files contained within this path; in this case /usr/local/www/nextcloud. Additionally, subdirectories within the DocumentRoot directive will be accessible as a path specification to the URL. As an example, let’s assume there is a directory /usr/local/www/nextcloud/data, containing a file test.php. This would be accessible from http://cloud.mydomain.com/data/test.php. It’s important that the DocumentRoot points to the top level of the Nextcloud installation, as this is where index.php lies, which will present the Nextcloud user interface.

The ServerName is relatively self descriptive – this is the domain name of your server. It’s important to note that this name must have a valid DNS entry. This means that either this server is available on the Internet, and can be navigated to, OR there is a host entry in your router’s DNS Resolver to direct queries to this URL to your web server IP. Alternatively, if this server is only going to be available on your local network, you can replace this with your server’s local IP, i.e.:

ServerName 192.168.0.10

To be clear here:

  1. If your domain is available on the internet, cloud.mydomain.com must resolve to a public IP
  2. If your domain is only available locally, cloud.mydomain.com must resolve to a local IP
  3. OR, it must be a local IP.

The next directive, <FilesMatch>, matches all files whose names end in .php and assigns the fastCGI proxy module we set up earlier as the handler. This allows us to use php files, and serve php content using php-fpm.

More reading on Virtual Host definitions is available in the Apache documentation [3] [4] [5].

Test your configuration

Restart Apache:

$ service apache24 restart

Now, navigate to http://JAIL_IP/, i.e. http://192.168.0.10/ again to confirm you can see the setup screen for Nextcloud. If you can, well done! We’re most of the way there.

Web Configuration

Set up your admin account with a username and password you choose, then populate the fields as follows:

Data folder = /mnt/data
Database user = nextcloud_admin
Database password = MADEUP_PASSWORD_FROM_BEFORE
Database name = nextcloud
Database host = localhost:/tmp/mysql.sock

Add external domain as a trusted domain

In the terminal, navigate to the Nextcloud config file:

$ nano /usr/local/www/nextcloud/config/config.php

This should look similar to the following:

<?php
$CONFIG = array (
  'instanceid' => 'ocp08umeaycm',
  'passwordsalt' => 'OReCjQueLIb0X7mwn33XiklPPPdE/4',
  'secret' => 'RlWiGbC46jxnfK00Mrjp5NHlYySls8YkaGyJKngG3IkNyJ3K',
  'trusted_domains' =>
  array (
    0 => '192.168.0.10',
  ),
  'datadirectory' => '/mnt/data',
  'dbtype' => 'mysql',
  'version' => '19.0.0.12',
  'overwrite.cli.url' => 'http://192.168.0.10',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud_admin',
  'dbpassword' => 'Default123!',
  'installed' => true,
  'updater.release.channel' => 'stable',
);

Add your domain name to the trusted domains array. You can do this either manually, or with the command below, replacing the domain with whatever is appropriate for you:

root@nextcloud:~ $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value="cloud.mydomain.com"'

The result of this looks like the following:

<?php
$CONFIG = array (
  'instanceid' => 'ocp08umeaycm',
  'passwordsalt' => 'OReCjQueLIb0X7mwn33XiklPPPdE/4',
  'secret' => 'RlWiGbC46jxnfK00Mrjp5NHlYySls8YkaGyJKngG3IkNyJ3K',
  'trusted_domains' =>
  array (
    0 => '192.168.0.10',
    1 => 'cloud.mydomain.com',
  ),
  'datadirectory' => '/mnt/data',
  'dbtype' => 'mysql',
  'version' => '19.0.0.12',
  'overwrite.cli.url' => 'http://192.168.0.10',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud_admin',
  'dbpassword' => 'Default123!',
  'installed' => true,
  'updater.release.channel' => 'stable',
);

The line of interest here is within the trusted_domains array:

1 => 'cloud.mydomain.com',

Fix the annoying Apache errors

To get rid of the following error message when starting and stopping the Apache server:

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Stopping apache24.
Waiting for PIDS: 80591.
Performing sanity check on apache24 configuration:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Starting apache24.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

do the following:

Open the Apache configuration file:

$ nano /usr/local/etc/apache24/httpd.conf

Search for the phrase “ServerName”, and enter your jail’s IP and port 80 such that it appears as follows:

ServerName JAIL_IP:80

i.e.

ServerName 192.168.0.10:80

Uncomment this line, and the message should no longer appear. To test this, restart Apache:

$ service apache24 restart

This should produce a clean restart message:

Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 12933.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.

Configure Cron jobs:

Cron is one of the most useful utilities in FreeBSD. It’s a utility that runs in the background and regularly checks “/etc/crontab” for tasks to execute and searches “/var/cron/tabs” for custom crontab files. These files are used to schedule tasks which cron runs at the specified times. Each entry in a crontab defines a task to run, and is known as a cron job. There are two types of configuration files, the system crontab, and the user crontab.

A crontab can be edited with the command

$ crontab -u <user> -e

In this case, we will configure the crontab of the “www” user, and add an entry to run the nextcloud cron script. Before we do this, let’s change the environment editor to nano.

$ setenv EDITOR nano
$ crontab -u www -e

Add the following (assuming it’s blank, if not just add the job). The crontab header describes what each field in the cronjob represents, and is courtesy of squarism.

# minute (0-59),
# |     hour (0-23),
# |     |       day of the month (1-31),
# |     |       |       month of the year (1-12),
# |     |       |       |       day of the week (0-6 with 0=Sunday).
# |     |       |       |       |       commands
  */15      *       *       *       *       /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php

Save and Exit (Ctrl + X), and the www crontab should be configured.

Caching and Redis

Redis is an in-memory data structure store, used as a database, cache and message broker. This will provide performance improvements in terms of accessing your data. To find out more, read the Redis Documentation. Let’s update redis.conf so that Redis runs on a unix socket. Execute the following command:

$ nano /usr/local/etc/redis.conf

Inside this file, find the “port” value and change it from its default value to 0. This will stop Redis from listening on a TCP port so we can configure it to listen on a unix socket.

port 0

Additionally, uncomment the following by removing the “#” in front of each statement and changing the values as appropriate:

unixsocket /var/run/redis/redis.sock
unixsocketperm 770

And then confirm that the following statement is uncommented (No leading ‘#’):

bind 127.0.0.1

This ensures that Redis can only operate on the local interface, as a security precaution. Save and Exit (Ctrl + X).

Now, restart the service

$ service redis restart

Now, confirm that the Redis socket has been created by running the following command:

$ ls -al /var/run/redis

You should see redis.sock in the output as follows:

srwxrwx---  1   redis   redis   0   MMM     D   HH:MM   redis.sock

If you run into troubles here, please consult the Nextcloud documentation and the Redis Documentation on configuring Redis.

Now, install the following packages:

$ pkg install php74-pecl-redis
$ pkg install php74-pecl-APCu

These packages are extensions providing an API to allow php to communicate with the Redis database, and also for user caching using APC. Note that the versions of these packages need to match the PHP version you have installed. Let’s adjust the Redis and caching configuration using the following commands. Note that these are order specific:

$ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/var/run/redis/redis.sock"'
$ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer'
$ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu"'
$ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'

These commands switch user to the user “www”, where the su flag -m leaves the environment unmodified. The -c flag specifies a command to be run within the new user shell. In this case, it runs the program “occ”, and passes some configuration options as a parameter. See the su man page for more information.

Now, add the www user to the redis group to allow it to access the redis socket:

$ pw usermod www -G redis

Restart the Apache service:

$ service apache24 restart

At this stage, your Nextcloud server should be ready to go for local network use. However, there may be some security warnings present in the Administration panel. Some common advisories include:

The database is missing some indexes. Due to the fact that adding indexes on big tables could take some time they were not added automatically. By running “occ db:add-missing-indices” those missing indexes could be added manually while the instance keeps running. Once the indexes are added queries to those tables are usually much faster.

This can be rectified by executing:

$ su -m www -c 'php /usr/local/www/nextcloud/occ db:add-missing-indices'

Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running ‘occ db:convert-filecache-bigint’ those pending changes could be applied manually. This operation needs to be made while the instance is offline.

This can be rectified by executing:

$ su -m www -c 'php /usr/local/www/nextcloud/occ db:convert-filecache-bigint'

Beyond this, there are a range of security considerations that will be dealt with in the remainder of the guide. These are very important, especially if you intend to open the server to the web.

Security

Given that your new private cloud is likely to house a lot of your sensitive data, security is a paramount consideration, especially if you’re planning on making it visible to the internet. Here I will discuss a number of security considerations.

Nextcloud recommends a number of steps be taken to harden your server:

  1. Give PHP read access to /dev/urandom
  2. Enable hardening modules
  3. Place data directory outside of the web root
  4. Disable preview image generation
  5. Use HTTPS
  6. Redirect all unencrypted traffic to HTTPS
  7. Enable HTTP Strict Transport Security (HSTS)
  8. Use proper SSL configuration
  9. Use a dedicated domain for Nextcloud
  10. Ensure that your Nextcloud instance is installed in a DMZ
  11. Serve security related headers by the Web server

There are a number of useful sites to help you test the security of your nextcloud instance, here are a few:

  • Nextcloud’s own security scanner
  • SSL Labs
  • Mozilla Observatory

Make sure you evaluate the security of your site with at least one of these tools after making the changes below; you don’t want all of your data to be vulnerable. nachoparker of Own Your Bits does an excellent breakdown of the results you’re likely to see from these platforms, and offers methods to rectify some of the common issues.

I’ll now discuss each of the above hardening tips and how this has/can be implemented in FreeNAS.

Give PHP read access to /dev/urandom

This should be available by default, but to confirm, enter the following command:

$ ls -l /dev/urandom

This should return the following

lrwxr-xr-x  1 root  wheel  6 Nov 25 10:43 /dev/urandom -> random

The part of interest here is “lrwxr-xr-x”. Ignoring the leftmost “l”, this is a representation of the file’s permissions, in three groups of “rwx”; one each for the owning user, the owning group, and other. In this case, the owning user is root, and the owning group is wheel. Since the Nextcloud user, “www”, falls into neither of these, it is part of the “other” set of permissions. This means we’re most interested in the rightmost three characters. In this case, these are “r-x”. This means that any user has permission to read from and execute this file, but not to write to it. Since “www” can read, this requirement is satisfied.

If this is not the case, however, run the following command:

$ chmod o+r /dev/urandom

chmod changes a file’s mode. The arguments passed here are o for other users and +r to add read.

If you want more detail on how permissions in unix, or more specifically FreeBSD work, here is some background reading.

Enable hardening modules

Mandatory Access Control (MAC)

The Nextcloud documentation recommends the use of hardening modules such as SELinux. SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls. FreeBSD is obviously not Linux, and so does not include the SELinux modules. However, it does have its own system called Mandatory Access Control. This allows an administrator to ensure that a user will not be permitted to change security attributes at will. All user utilities, programs and scripts are required to work within the constraints of the access rules provided by the selected security policy modules. The Nextcloud Documentation provides some configuration advice for SELinux, namely:

  • Enable updates via the web interface (don’t do this for FreeBSD)
  • Disallow write access to the whole web directory
  • Allow access to a remote database
  • Allow access to LDAP server
  • Allow access to remote network
  • Allow access to network memcache
  • Allow access to SMTP/sendmail

At the time of writing, I’m not certain how to reliably implement this with MAC in FreeBSD, so it is considered beyond the scope of this guide. This may form the content of a future blog post on the topic.

Enable Common Technical Controls

There are a number of system hardening modules that FreeBSD offers at install time. Unfortunately, since this is a jail, we were not presented with these options. The options are as follows:

  1. Hide processes running as other users
  2. Hide processes running as other groups
  3. Disable reading kernel message buffer for unprivileged users
  4. Disable process debugging facilities for unprivileged users
  5. Randomize the PID of newly created processes
  6. Insert stack guard page ahead of growable segments
  7. Clean the /tmp filesystem on startup
  8. Disable opening syslogd network socket (disables remote logging)
  9. Disable SendMail service

Andrew Volpe of BSD Adventures suggests that these should all be enabled unless there is a good reason not to. An example of a good reason is that if you have a remote logging server, you would want to disable option 8 (so that opening syslogd network sockets is enabled). We will configure these as follows. First, open the kernel parameter configuration file:

$ nano /etc/sysctl.conf

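Paste the following values into the file. Values in sysctl.conf are read literally and are not passed through a shell, so kern.randompid must be given an actual number, not a command substitution such as $(jot -r 1 9999). Run jot -r 1 9999 in the terminal and use the number it prints in place of 4721, which is only an example value:

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=4721
security.bsd.stack_guard_page=1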

This enables options 1-6. To enable options 7-9, run the following commands:

$ sysrc clear_tmp_enable=YES
$ sysrc sendmail_enable="NONE"
$ sysrc sendmail_submit_enable="NO"
$ sysrc sendmail_outbound_enable="NO"
$ sysrc sendmail_msp_queue_enable="NO"
$ sysrc syslogd_flags="-c -ss"

It’s important to note that the majority of these should have these values set already by default, but this ensures that these settings will have the values we want. Additionally, Nextcloud does not require SendMail to be enabled to send mail; it has its own libraries for this.
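Because sysctl.conf entries are read as literal name=value pairs, the file pasted earlier in this section can be audited to confirm that each of the six settings is present with a usable value. The following is an added example, not part of the original guide; audit_sysctl_conf, demo_sysctl_audit and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf against the six hardening values above.
# audit_sysctl_conf is a hypothetical helper, not a FreeBSD tool.

# usage: audit_sysctl_conf <file>
# Prints one line per problem and returns 1; prints nothing and returns 0
# when every setting is present with a literal, expected value.
audit_sysctl_conf() {
    awk '
    BEGIN {
        bad = 0
        # settings to verify, in report order
        names = "security.bsd.see_other_uids security.bsd.see_other_gids"
        names = names " security.bsd.unprivileged_read_msgbuf"
        names = names " security.bsd.unprivileged_proc_debug"
        names = names " security.bsd.stack_guard_page kern.randompid"
        n = split(names, key, " ")
        for (i = 1; i <= n; i++) want[key[i]] = "0"
        want["security.bsd.stack_guard_page"] = "1"
        want["kern.randompid"] = "nonzero"   # any non-zero number enables it
    }
    {
        sub(/#.*/, "")                       # strip comments
        gsub(/^[ \t]+|[ \t]+$/, "")          # trim surrounding blanks
        eq = index($0, "=")
        if (eq == 0) next                    # blank or not an assignment
        name = substr($0, 1, eq - 1)
        value = substr($0, eq + 1)
        gsub(/[ \t]+$/, "", name)
        gsub(/^[ \t]+/, "", value)
        seen[name] = value                   # a later assignment overrides
        where[name] = NR
    }
    END {
        for (i = 1; i <= n; i++) {
            k = key[i]
            if (!(k in seen)) {
                printf "%s: not set\n", k; bad = 1
            } else if (seen[k] !~ /^[0-9]+$/) {
                # e.g. shell syntax that was never evaluated
                printf "%s: line %d: \"%s\" is not a literal number\n", k, where[k], seen[k]; bad = 1
            } else if (want[k] == "nonzero" && seen[k] + 0 == 0) {
                printf "%s: line %d: 0 leaves PID randomisation off\n", k, where[k]; bad = 1
            } else if (want[k] != "nonzero" && seen[k] + 0 != want[k] + 0) {
                printf "%s: line %d: is %s, expected %s\n", k, where[k], seen[k], want[k]; bad = 1
            }
        }
        exit bad
    }' "$1"
}

# Constructed sample: one flag left permissive and kern.randompid written as
# a command substitution, which sysctl.conf never evaluates.
demo_sysctl_audit() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/sysctl-demo.XXXXXX") || return 2
    cat > "$tmp" <<'EOF'
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=1   # constructed mistake
kern.randompid=$(jot -r 1 9999)
security.bsd.stack_guard_page=1
EOF
    rc=0
    audit_sysctl_conf "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

demo_sysctl_audit || echo "audit found problems (expected for this sample)"
```

On the jail itself this would be run as audit_sysctl_conf /etc/sysctl.conf; it only reads the file and does not change any kernel state.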

Tamper Detection

Andrew Volpe of BSD Adventures also suggests the use of a tamper detection package to keep track of any changes made to configuration files in the event an unauthorised user gains access and tries to change your server configuration, or even just when a valid user makes changes. This can be achieved with the AIDE package:

$ pkg install aide

Then, once installed, the configuration options can be customised using /usr/local/etc/aide.conf. The default options should do a reasonable job of securing the jail. If you want to make modifications beyond the default, you can learn how to customise the configuration using the official AIDE documentation. Now, to finish the installation/configuration, navigate to the aide database directory and run the following commands:

$ cd /var/db/aide
$ aide --init
$ mv databases/aide.db.new databases/aide.db

To compare the database to the current configuration files, run the following command

$ aide

This will give you an output identifying any differences. If you run this immediately after installing, you should get a statement to the following effect:

AIDE found NO differences between database and filesystem. Looks okay!!

Unfortunately, to reset the recorded differences, you need to create a new database and replace aide.db with it. To simplify this process, it can be automated! To implement this, we’ll need to create a script to create the new database, archive the old database, and replace it with the new one. We can then have the script email you the change log, so you can be notified if someone has tampered with files. The mailing portion is optional, however there would be nothing to stop a malicious actor from altering the aide database if your only copy is stored locally within the jail, so this is recommended. Let’s create this script, courtesy of Bob Aiello:

$ mkdir -p /scripts/aide
$ nano /scripts/aide/chkaide.sh

Paste the following:

#! /bin/sh
#chkaide.sh - Bob Aiello, modified for FreeBSD by Samuel Dowling
# Date stamp used in the report name and in the archived database name
MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
UPDATE_NAME="aide_update.txt"
# Build the report: a header, the check output without lines containing
# "failed", then the last 20 lines of the check output
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/local/bin/aide --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/usr/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
# Email the report
/usr/bin/mail -s"$MYFILENAME `date`" john.smith75@gmail.com < /tmp/$MYFILENAME
# Write a new database for the current state, archive the old database,
# and put the new one in its place
/usr/local/bin/aide --update >> /tmp/$UPDATE_NAME
mv /var/db/aide/databases/aide.db /var/db/aide/databases/archive/aide-$MYDATE.db
mv /var/db/aide/databases/aide.db.new /var/db/aide/databases/aide.db

Change the email john.smith75@gmail.com to the recipient email you would like these change logs sent to. Save and Exit (Ctrl + X). We need to create a directory for the archived logs, and change the permissions so that the script can be executed by the root user:

$ mkdir /var/db/aide/databases/archive
$ chmod 700 /scripts/aide/chkaide.sh
$ chown root:wheel /scripts/aide/chkaide.sh

This script essentially creates a text file containing the output of the aide --check command, and emails the contents to you. It then updates the database so that each email will only contain the changes since the last time you received an email. Now let’s create a cron job so that this can be run:

$ crontab -e 

Add the following entry:

06 01 * * * /scripts/aide/chkaide.sh

This will set the chkaide script to run at 1:06 AM every day. Now, this won’t work just yet. First we need to ensure a Mail Transfer Agent (MTA) is installed. If you already have one installed, you can skip this step.

Installing a Mail Transfer Agent

One option for an MTA would be to use FreeBSD’s default, SendMail. However, due to security concerns associated with SendMail, we will be using Postfix instead. You’re welcome to use another MTA such as Exim if you would prefer, however Postfix is what this guide will cover.

First, install postfix

$ pkg install postfix-sasl

During the installation, you’ll be prompted with the following:

Would you like to activate Postfix in /usr/local/etc/mail/mailer.conf [n]? y

Make sure you provide ‘y’ as the answer. Now, to make postfix the default mail client, make sure that sendmail has been disabled:

$ sysrc sendmail_enable="NONE"
$ sysrc sendmail_submit_enable="NO"
$ sysrc sendmail_outbound_enable="NO"
$ sysrc sendmail_msp_queue_enable="NO"

This should be the case from an earlier step, but confirm that these are the values. Add postfix to the startup sequence:

$ sysrc postfix_enable="YES"

Stop the sendmail service:

$ service sendmail stop

If it isn’t started, you may get a response similar to the following:

Cannot 'stop' sendmail. Set sendmail_enable to YES in /etc/rc.conf or use 'onestop' instead of 'stop'.
Cannot 'stop' sendmail_msp_queue. Set sendmail_msp_queue_enable to YES in /etc/rc.conf or use 'onestop' instead of 'stop'.

If you do, this means it’s already stopped, and you can move on. Start the postfix service:

$ service postfix start

Some extra configuration is needed as Sendmail is so ubiquitous that some software assumes it is already installed and configured. Check /etc/periodic.conf and make sure that these values are set to NO. If this file does not exist, create it with these entries:

$ nano /etc/periodic.conf
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

Save and Exit (Ctrl + X). FreeBSD uses /etc/mail/mailer.conf to map the expected Sendmail binaries to the location of the new binaries, and so we need to update this file to point to the right location. Note that this likely isn’t a necessary step if you deviated from the guide and installed postfix using ports, as this file is updated during the installation process. If you installed using pkg however (as this guide suggested), open the mailer configuration file:

$ nano /etc/mail/mailer.conf

Comment out the current entries, and paste the new binary locations below it. The file should end up looking like this:

# $FreeBSD: releng/11.2/etc/mail/mailer.conf 327765 2018-01-10 09:06:07Z delphij $
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
#sendmail       /usr/libexec/sendmail/sendmail
#mailq          /usr/libexec/sendmail/sendmail
#newaliases     /usr/libexec/sendmail/sendmail
#hoststat       /usr/libexec/sendmail/sendmail
#purgestat      /usr/libexec/sendmail/sendmail

#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail        /usr/local/sbin/sendmail
send-mail       /usr/local/sbin/sendmail
mailq           /usr/local/sbin/sendmail
newaliases      /usr/local/sbin/sendmail

Save and exit (Ctrl + X). Navigate to the postfix directory /usr/local/etc/postfix:

$ cd /usr/local/etc/postfix

Open the configuration file for editing:

$ nano main.cf

Search for the following phrase:

#alias_maps = hash:/etc/aliases

Uncomment this line by removing the ‘#’ at the beginning. Now scroll to the end of the file (shortcut: Ctrl+_ , then Ctrl + V), and paste the following configuration parameters as suggested by Marin Nikolov:

# Manual configuration for Gmail

## SASL Options
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd

## TLS Options
smtp_use_tls = yes
smtp_tls_security_level = encrypt
tls_random_source = dev:/dev/urandom
 
## Relay host
relayhost = [smtp.gmail.com]:587

Save and Exit (Ctrl + X). Note that the email address I’m configuring this email to be sent from will be gmail. If you prefer a different provider, your relayhost and port will change (587 is for TLS, 465 is for SSL), and you’ll have to use values appropriate for you. Now, set the appropriate permissions for the postfix directory:

$ postfix -c /usr/local/etc/postfix set-permissions

Create the alias maps:

$ newaliases
$ postalias /etc/aliases

Now we need to configure the gmail authentication settings. Create a new file for these settings:

$ nano /usr/local/etc/postfix/sasl_passwd

Add the following line:

smtp.gmail.com    <username>:<password>

Replace <username> with your gmail email, i.e. user@gmail.com, and <password> with the password for the account. Save and Exit (Ctrl + X). Now hash the file so postfix can use it:

$ postmap /usr/local/etc/postfix/sasl_passwd

Secure the file so that only the root user can read or edit it:

$ chmod 0600 /usr/local/etc/postfix/sasl_passwd
$ chown root:wheel /usr/local/etc/postfix/sasl_passwd
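postmap writes its lookup table to sasl_passwd.db, which holds the same credentials, and the chmod above does not touch that file. The check below is an added example, not part of the original guide, that confirms both files are private to their owner; check_private_file, check_sasl_creds and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the Postfix SASL credential files are owner-only.
# check_private_file and check_sasl_creds are hypothetical helper names.

# usage: check_private_file <path>
# Succeeds only if <path> is a regular file with no group/other permissions.
check_private_file() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # ls -ld prints a mode such as "-rw-r--r--"; characters 5-10 are the
    # group and other triplets. Any ACL marker ("+" or ".") is in column 11.
    mode=$(ls -ld -- "$path" | cut -c1-10)
    case $mode in
        -???------) echo "OK       $mode $path"; return 0 ;;
        *)          echo "EXPOSED  $mode $path"; return 1 ;;
    esac
}

# usage: check_sasl_creds <path-to-sasl_passwd>
# Checks the plaintext map and the .db table that postmap builds from it.
check_sasl_creds() {
    base=$1
    result=0
    check_private_file "$base" || result=1
    check_private_file "$base.db" || result=1
    return $result
}

# Constructed demo in a scratch directory: both files are created with a
# typical umask, then only the plaintext file is tightened.
demo_sasl_check() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/sasl-demo.XXXXXX") || return 2
    (
        umask 022
        echo "smtp.example.invalid user@example.invalid:constructed" > "$dir/sasl_passwd"
        echo "constructed stand-in for the postmap output" > "$dir/sasl_passwd.db"
    )
    chmod 0600 "$dir/sasl_passwd"
    demo_rc=0
    check_sasl_creds "$dir/sasl_passwd" || demo_rc=$?
    rm -rf "$dir"
    return $demo_rc
}

demo_sasl_check || echo "credential files need attention (expected for this sample)"
```

On the jail this would be run as check_sasl_creds /usr/local/etc/postfix/sasl_passwd; an EXPOSED line for the .db file is fixed with the same chmod 0600 used above.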

And finally, you’ll need to enable “Less Secure Apps” in the Gmail application. Refer to the google documentation on allowing less secure apps to achieve this. Now all that’s left to do is confirm that everything works. Send a test email:

$ echo "Test Email Contents" | mail -s "Postfix Test Email" recipient_user@domain.com

Replace recipient_user@domain.com with the email address to receive the test email, and confirm that the email was received. It may also be worth inspecting the logs to ensure that no errors are present:

$ nano /var/log/maillog

Scroll to the end (Ctrl+_ , Ctrl + V) to view the most recent logs. If the test email doesn’t work, this is your first stop to debugging any errors you may have. Unfortunately due to the large variety of error messages, I can’t address them all and you’ll have to debug this yourself. For more information on mail functions, see the mail(1) man page.

Now, confirm that the aide script works by running it:

$ /bin/sh /scripts/aide/chkaide.sh

If you receive an email with the output, you know it’s working!
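The last two lines of chkaide.sh move aide.db into the archive before anything confirms that aide --update produced aide.db.new, so a failed update leaves the jail with no baseline for the next check. The function below is an added example, not part of Bob Aiello's script or the original guide, that rotates only when a non-empty new database exists; rotate_aide_db, demo_rotation and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: rotate an AIDE database only when a fresh one exists.
# rotate_aide_db is a hypothetical helper; the layout mirrors the guide
# (<dir>/aide.db, <dir>/aide.db.new, <dir>/archive/).
#
# aide --update exits non-zero whenever it finds new, removed or changed
# files, so its exit status alone cannot be used to gate the rotation.

# usage: rotate_aide_db <database-dir> <date-stamp>
# Returns 0 after a successful rotation, 1 if nothing was rotated.
rotate_aide_db() {
    db_dir=$1
    stamp=$2
    new_db="$db_dir/aide.db.new"
    cur_db="$db_dir/aide.db"
    archive="$db_dir/archive"

    # -s: exists and is not empty. Without a usable new database the
    # current baseline must stay where it is.
    if [ ! -s "$new_db" ]; then
        echo "rotate_aide_db: $new_db missing or empty, keeping baseline" >&2
        return 1
    fi

    mkdir -p "$archive" || return 1
    chmod 700 "$archive" || return 1

    # Never overwrite an archived baseline (e.g. two runs on the same day).
    dest="$archive/aide-$stamp.db"
    n=1
    while [ -e "$dest" ]; do
        dest="$archive/aide-$stamp.$n.db"
        n=$((n + 1))
    done

    if [ -e "$cur_db" ]; then
        mv "$cur_db" "$dest" || return 1
    fi
    # If promoting the new database fails, restore the old baseline.
    if ! mv "$new_db" "$cur_db"; then
        [ -e "$dest" ] && mv "$dest" "$cur_db"
        return 1
    fi
    return 0
}

# Constructed demo in a scratch directory; no real AIDE database is touched.
demo_rotation() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/aide-demo.XXXXXX") || return 2
    echo "baseline" > "$dir/aide.db"
    first=0
    rotate_aide_db "$dir" 2020-06-01 2>/dev/null || first=$?   # no aide.db.new yet
    echo "updated" > "$dir/aide.db.new"
    second=0
    rotate_aide_db "$dir" 2020-06-01 || second=$?
    echo "first=$first second=$second current=$(cat "$dir/aide.db")"
    rm -rf "$dir"
}

demo_rotation
```

In chkaide.sh the two mv lines would be replaced by a call such as rotate_aide_db /var/db/aide/databases "$MYDATE", placed after the aide --update line.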

Postfix hardening

To further improve the security of your postfix configuration, Linux Audit suggests the following changes:

$ postconf -e disable_vrfy_command=yes
$ postconf -e inet_interfaces=loopback-only
$ postconf -e mynetworks="127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
$ postconf -e smtpd_helo_required=yes

disable_vrfy_command prevents others from being able to verify whether an email is a valid email on the system. Setting inet_interfaces to loopback-only means that postfix will only listen on the local interface, which is what we want because we are only interested in sending outgoing emails. Changing the mynetworks value to the network address of the local network prevents spammers from leveraging an open relay system in your client. The last configuration setting configures the smtpd daemon to require a “HELO” command, which will prevent communication with other mail servers that have either been improperly configured, or are spammers.

Place data directory outside of the web root

In our case, the web root is:

/usr/local/www/nextcloud

Our data directory is:

/mnt/data

Since data is not within the webroot hierarchy, this requirement is already satisfied.

Disable preview image generation

For high security deployments, Nextcloud recommends the disabling of preview generation for common file types. You’ll need to determine your own security requirements to determine whether this is worth enabling for you. Essentially, the risk is that in order to display thumbnails, a directory of these thumbnails needs to be maintained. Typically, these thumbnails don’t have the same permission settings as the files themselves, so it may be possible for a user to determine the contents of a file without having permission to access the file itself.

If this is something that you think might provide benefit to you, you can disable preview image generation as follows. First, open the Nextcloud config file:

$ nano /usr/local/www/nextcloud/config/config.php

Navigate to the end of the file, and right before the

);

statement, add the following:

'enable_previews' => false,

so the end of the config file should be similar to the following:

    ...
    'theme' => '',
    'loglevel' => 2,
    'enable_previews' => false,
);

Preview image generation can be re-enabled by changing the value of ‘enable_previews’ to ‘true’.

SSL/TLS

Due to the interrelated nature of items 5-8, they will all be dealt with in this section, where we will discuss the configuration of HTTPS/SSL/TLS for your domain. Note that if you only plan on using this locally (not remotely, over the internet), it is still good practice to use SSL, however it is less necessary as your threat profile is diminished. Configuring TLS for local use if you don’t have a domain name is a different process, where you will have to self sign a certificate, and so it won’t be addressed here. This part assumes that you have a public domain pointing at your web server (i.e. you can access cloud.example.com from the internet). This is critical, as certbot will not be able to issue a certificate if your domain is only available on your LAN. Some Dynamic DNS providers will give you a free subdomain; scroll down to the section dealing with DDNS for more information before undertaking this step, if that’s something you’re interested in.

The first step in configuring HTTPS is to set up a jail to run a reverse proxy. Follow the guide that I wrote on the subject, and when you get to the necessary step, populate /usr/local/etc/nginx/vdomains/cloud.example.com.conf in the reverse proxy jail with the following server block:

server {
        listen 443 ssl http2;

        server_name cloud.example.com;
        access_log /var/log/nginx/cloud.access.log;
        error_log /var/log/nginx/cloud.error.log;

        include snippets/example.com.cert.conf;
        include snippets/ssl-params-intermediate.conf;

        location / {
                include snippets/proxy-params.conf;
                proxy_pass http://192.168.0.10;
        }
        location /.well-known/carddav {
                return 301 $scheme://$host/remote.php/dav;
        }
        location /.well-known/caldav {
                return 301 $scheme://$host/remote.php/dav;
        }
}

Replace the server_name directive and proxy_pass address as appropriate for your Nextcloud server. This will forward all requests to your Nextcloud server. Importantly, this configuration also includes overrides for service discovery of the CalDAV and CardDAV services as suggested by the Nextcloud documentation.

When you’ve completed this, you’ll need to set the reverse proxy as a trusted proxy so that your Nextcloud instance can be accessed by it. Execute the following command, replacing the IP value with the IP of your reverse proxy jail:

root@nextcloud:~ $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set trusted_proxies 0 --value="192.168.0.11"'

Now, if you want to force the server to only use HTTPS (and I recommend that you do), run the following command:

root@nextcloud:~ $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set overwriteprotocol --value="https"'

Note that this means that your Nextcloud instance won’t be available at the jail’s IP anymore, so if you need that feature, don’t set the overwriteprotocol field.

If you don’t want to configure a reverse proxy to enable HTTPS, a previous version of this guide addresses how to do that. Note however, that this is no longer maintained as it is no longer the recommended process.

Use a dedicated domain for Nextcloud

Using a dedicated domain, such as cloud.domain.com instead of domain.com/nextcloud, offers a number of benefits associated with the Same-Origin Policy. Primarily, it prevents clients from reading responses from different domains, which is important in preventing malicious code in other tabs you may have open from executing on your Nextcloud instance. Hendrik Brummermann illustrated this with a good example in his Stack Overflow answer:

Assume you are logged into Facebook and visit a malicious website in another browser tab. Without the same origin policy JavaScript on that website could do anything to your Facebook account that you are allowed to do. For example read private messages, post status updates, analyse the HTML DOM-tree after you entered your password before submitting the form.

It’s obvious that giving any other tab you have open permission to act as your user is undesirable.

Ensure that your Nextcloud instance is installed in a DMZ

A DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes external facing services to an untrusted network such as the internet. The purpose of this is to add an additional layer of security to a LAN. This is achieved by placing a firewall between the LAN and the DMZ, limiting the exposure to the LAN if the DMZ is compromised. See here for more detail. One possible configuration for this is depicted below:

In essence, this is a process that doesn’t provide any additional security to your Nextcloud instance directly. In general, it would, however, provide a second line of defence to prevent access to the rest of your LAN if the Nextcloud instance is compromised. In the case of running Nextcloud in a FreeNAS jail, the efficacy of this is in question. According to iXsystems, the entire LAN accessible to the FreeNAS host would be routable by a compromised jail, making this segregation of jail from host an exercise in futility.

For these reasons, and due to the uncertainty around the benefit this would actually have to our configuration, we will skip the implementation of a DMZ.

Nextcloud has been kind enough to ensure a range of basic security headers as part of the default environment, including:

  • X-Content-Type-Options: nosniff – Prevents browsers from interpreting text files as JavaScript
  • X-XSS-Protection: 1; mode=block – Instructs browsers to enable their browser side Cross-Site-Scripting filter
  • X-Robots-Tag: none – Instructs search machines not to index these pages
  • X-Frame-Options: SAMEORIGIN – Prevents Nextcloud from being embedded within an iframe from a different domain
  • Referrer-Policy: no-referrer – Instructs browser not to send referrer information along with requests to any origin

For optimal security, these can be served by the web server to enforce them on response. To do this, open the apache configuration file:

$ nano /usr/local/etc/apache24/httpd.conf

Now, ensure that the following two lines are uncommented (remove the ‘#’ from the beginning of the line as necessary):

LoadModule env_module libexec/apache24/mod_env.so
LoadModule headers_module libexec/apache24/mod_headers.so

Save and Exit (Ctrl + W). Restart the web server to implement these changes:

$ service apache24 restart
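
To confirm that all five headers actually reach the client after the restart, the following added example (not part of the original guide or of Nextcloud) audits a saved response. The function names, the temporary file path and the sample response are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a saved HTTP response for the five security headers
# listed above. Capture the headers first, for example (the hostname is the
# guide's placeholder):
#   curl -sI https://cloud.example.com/login > /tmp/headers.txt

# audit_headers FILE
# Prints one finding per line and nothing when all five headers are correct:
#   MISSING <name>     header absent from the response
#   DUPLICATE <name>   header sent more than once (e.g. added by two layers)
#   MISMATCH <name>    header present with an unexpected value
audit_headers() {
    tr -d '\r' < "$1" | awk '
    BEGIN {
        # Expected name=value pairs, in the order the guide lists them.
        spec = "X-Content-Type-Options=nosniff"
        spec = spec ",X-XSS-Protection=1; mode=block"
        spec = spec ",X-Robots-Tag=none"
        spec = spec ",X-Frame-Options=SAMEORIGIN"
        spec = spec ",Referrer-Policy=no-referrer"
        n = split(spec, rows, ",")
        for (i = 1; i <= n; i++) {
            eq = index(rows[i], "=")          # first "=" only: values may contain "="
            name[i] = substr(rows[i], 1, eq - 1)
            want[tolower(name[i])] = substr(rows[i], eq + 1)
        }
    }
    {
        colon = index($0, ":")
        if (colon == 0) next                  # status line or blank line
        key = tolower(substr($0, 1, colon - 1))   # header names are case-insensitive
        if (!(key in want)) next
        val = substr($0, colon + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)      # trim surrounding whitespace
        seen[key]++
        got[key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            key = tolower(name[i])
            if (!(key in seen)) {
                print "MISSING " name[i]
            } else if (seen[key] > 1) {
                print "DUPLICATE " name[i]
            } else if (tolower(got[key]) != tolower(want[key])) {
                print "MISMATCH " name[i] ": got \"" got[key] "\""
            }
        }
    }'
}

# Constructed sample response: lowercase names as delivered over HTTP/2,
# X-Robots-Tag with a different value, X-Frame-Options sent twice and
# Referrer-Policy absent.
sample_response() {
    printf '%s\r\n' \
        'HTTP/2 200' \
        'content-type: text/html; charset=UTF-8' \
        'x-content-type-options: nosniff' \
        'x-xss-protection: 1; mode=block' \
        'x-robots-tag: noindex' \
        'x-frame-options: SAMEORIGIN' \
        'x-frame-options: SAMEORIGIN'
}

demo_audit() {
    hdr_file=$(mktemp /tmp/headers.XXXXXXXX)
    sample_response > "$hdr_file"
    audit_headers "$hdr_file"
    rm -f "$hdr_file"
}

demo_audit
```

A DUPLICATE finding usually means two layers (for example the reverse proxy and Apache) are both adding the same header, so only one of them should be left to set it.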

It is important to note that at the time of writing and in the current configuration, Nextcloud will fail the Content Security Policy tests on the security testing websites listed earlier. This is due to the fact that it allows ‘unsafe-eval’. Currently, there is not a fix to this that won’t break your Nextcloud server. However, a fix to this has been implemented in Nextcloud 15, so there’s nothing that needs to be done here.

Configure DDNS updates:

Now, if you’re self hosting, and you have a residential internet plan with your ISP, your IP address is likely not static. If it is static, you can disregard this. What this means is that your ISP may periodically change your public IP. This can be problematic if you’re hosting a web server, as the DNS servers will not update as your IP changes, breaking the link to your web server. To address this, there are two alternatives. The first is to use a Dynamic DNS (DDNS) service and use either the FreeNAS DDNS service or your router to keep it updated; the second is to update the DNS servers directly. Free examples of DDNS providers include No-IP, Free DNS and Easy DNS, which may also provide you with a domain – I know that No-IP does. In lieu of buying a domain name, the domain provided by the DDNS provider will be sufficient, and this applies to the entirety of the previous instructions that have dealt with domain names. If you already own a domain name that you want to use, you just need to add a CNAME record for the DDNS domain to the DNS record for your domain. As an example, if your DDNS domain is cloud.no-IP.org, you would add a record pointing from cloud.mydomain.com to cloud.no-IP.org. Since this is very specific to each user’s configuration, registrar etc., I won’t address any more here.

However, I use Route 53, so I’ll discuss how to manually update the IP in your A record for your cloud domain using Route 53 and the AWS command line interface (CLI) tools. For this, you will need your Hosted Zone ID and the Record Set name. Will Warren provides a great guide and bash script that you can use to achieve this.

First, create a new directory called scripts, and a subdirectory for update-route53 in your root directory, i.e.:

$ mkdir -p /scripts/update-route53

The -p flag allows you to create both of these directories at once. Now, create the script:

$ nano /scripts/update-route53/update-route53.sh

Copy the following shell script, courtesy of Will Warren, into the file:

#!/usr/local/bin/bash

# (optional) You might need to set your PATH variable at the top here
# depending on how you run this script
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Hosted Zone ID e.g. BJBK35SKMM9OE
ZONEID="enter zone id here"

# The CNAME you want to update e.g. hello.example.com
RECORDSET="enter cname here"

# More advanced options below
# The Time-To-Live of this recordset
TTL=300
# Change this if you want
COMMENT="Auto updating @ `date`"
# Change to AAAA if using an IPv6 address
TYPE="A"

# Get the external IP address from OpenDNS (more reliable than other providers)
IP=`dig +short myip.opendns.com @resolver1.opendns.com`

# Handle for current date
DATE=`date '+%Y-%m-%d %H:%M:%S'`

function valid_ip()
{
    local  ip=$1
    local  stat=1

    # The dots are escaped so that only a literal '.' separates the octets
    if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        OIFS=$IFS
        IFS='.'
        ip=($ip)
        IFS=$OIFS
        [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
            && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
        stat=$?
    fi
    return $stat
}

# Get current dir
# (from http://stackoverflow.com/a/246128/920350)
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
LOGFILE="/var/log/update-route53.log"
IPFILE="$DIR/update-route53.ip"

if ! valid_ip $IP; then
    echo "$DATE     Invalid IP address: $IP" >> "$LOGFILE"
    exit 1
fi

# Check if the IP has changed
if [ ! -f "$IPFILE" ]
    then
    touch "$IPFILE"
fi

if grep -Fxq "$IP" "$IPFILE"; then
    # code if found
    echo "$DATE     IP is still $IP. Exiting" >> "$LOGFILE"
    exit 0
else
    echo "$DATE     IP has changed to $IP" >> "$LOGFILE"
    # Fill a temp file with valid JSON
    TMPFILE=$(mktemp /tmp/temporary-file.XXXXXXXX)
    cat > ${TMPFILE} << EOF
    {
      "Comment":"$COMMENT",
      "Changes":[
        {
          "Action":"UPSERT",
          "ResourceRecordSet":{
            "ResourceRecords":[
              {
                "Value":"$IP"
              }
            ],
            "Name":"$RECORDSET",
            "Type":"$TYPE",
            "TTL":$TTL
          }
        }
      ]
    }
EOF

    # Update the Hosted Zone record
    aws route53 change-resource-record-sets \
        --hosted-zone-id "$ZONEID" \
        --change-batch file://"$TMPFILE" >> "$LOGFILE"
    echo "" >> "$LOGFILE"

    # Clean up
    rm "$TMPFILE"
fi

# All Done - cache the IP address for next time
echo "$IP" > "$IPFILE"

Replace the ZONEID and RECORDSET values with values relevant to your AWS Hosted Zone. This script essentially uses the “dig” command to identify your current IP address, and updates the record set for your domain with the IP address it returns. For this to work, there are a few requirements. First, you need dig installed. FreeBSD does not ship with dig, so you’ll need to install it using the following command:

$ pkg install bind-tools

Secondly, if, like me you route all of your WAN traffic over a VPN, you’ll need to make sure this jail does not route over the VPN. If you don’t, the script will pull the VPN IP and not your WAN IP, which will not direct to your server (unless your VPN provider supports port forwarding; mine doesn’t). Now, you need to add this script as a cron job so it runs every 30 minutes.

$ crontab -e

Add the following line:

*/30 * * * * /scripts/update-route53/update-route53.sh

You will be able to view all of the changes to your IP in the log file that is created by this script at /var/log/update-route53.log.

How much does it cost?

There are a range of free DDNS providers, and so this may be the cheapest option for you if you don’t already have a Route53 Hosted Zone. The Amazon Route 53 Pricing Page indicates that a new hosted zone will cost you $0.50/month. I already have a Route53 hosted zone associated with my domain, so this was no additional cost to me and makes things simpler by not introducing additional services.

AND THAT’S IT! YOU’RE DONE! If everything works correctly, give yourself a pat on the back because this was a pretty involved process. If you’ve noticed any errors with this guide, or if you think certain steps could be improved with more clarity, or you just have some feedback, please leave a comment to let me know.

Upgrading

Nextcloud recommends that you update your server regularly, for all minor and major releases. This will reduce the pain of upgrading later, as major releases cannot be skipped. There are two ways to upgrade based on the installation procedure we’ve followed:

  1. Web Updater
  2. Manually

Please refer to these links for up-to-date information on how to go through the process. Bear in mind that the majority of the commands listed in these guides are for Linux, and so will vary somewhat from what’s required in FreeBSD. If you go back through this guide, you should find exemplars of how these commands should be used to adapt them appropriately. One example of a difference is their usage of the www-data user; in FreeBSD this is the www user.

Using the web updater is a trivial process and so it is left as an exercise for the user. I will however, demonstrate an example of upgrading manually from 18.0.6 to 19.0.0. This is a major version upgrade, at the most recent minor version for version 18. This is the only condition from which you should attempt a major version upgrade. Additionally, it’s very important to make sure all of the apps you have installed are compatible with the version you’re aiming to upgrade to. This has been a cause of many failed upgrades for me in the past.

  1. First, enter maintenance mode
root@nextcloud:~ $ su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:mode --on'
  2. Back up your existing Nextcloud Server database, data directory and config.php file.
root@nextcloud:~ $ cd /tmp
root@nextcloud:/tmp $ rsync -Aahx --info=progress2 /mnt/data/ nextcloud-databkp_`date +"%Y%m%d"`/
root@nextcloud:/tmp $ rsync -Aahx --info=progress2 /usr/local/www/nextcloud/ nextcloud-dirbkp_`date +"%Y%m%d"`/
root@nextcloud:/tmp $ mysqldump --single-transaction -u root -p nextcloud > nextcloud-sqlbkp_`date +"%Y%m%d"`.bak

This will make copies of /mnt/data, /usr/local/www/nextcloud, and the MySQL database.

  3. Download and unpack the desired Nextcloud Server release from https://download.nextcloud.com/server/releases/ into /tmp
root@nextcloud:/tmp $ wget https://download.nextcloud.com/server/releases/nextcloud-19.0.0.tar.bz2
root@nextcloud:/tmp $ wget https://download.nextcloud.com/server/releases/nextcloud-19.0.0.tar.bz2.sha512
root@nextcloud:/tmp $ shasum -a 512 -c nextcloud-19.0.0.tar.bz2.sha512
nextcloud-19.0.0.tar.bz2: OK
  4. Stop your web server
root@nextcloud:/tmp $ service apache24 stop
  5. If you are running a cron job for Nextcloud’s housekeeping, disable it by commenting out the entry in the crontab file
root@nextcloud:/tmp $ crontab -u www -e

Modify the following entry by prepending a #:

#  */15          *               *               *               *               /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php
  6. Rename your current Nextcloud directory:
root@nextcloud:/tmp $ mv /usr/local/www/nextcloud /usr/local/www/nextcloud-old
  7. Unpack the new archive to the original location of the old server so that there once again exists /usr/local/www/nextcloud:
root@nextcloud:/tmp $ tar -xf nextcloud-19.0.0.tar.bz2 -C /usr/local/www
  8. Copy your config.php file into the new Nextcloud installation
root@nextcloud:/usr/local/www/nextcloud $ cp /usr/local/www/nextcloud-old/config/config.php /usr/local/www/nextcloud/config/config.php
  9. If you are using 3rd party applications, they may not always be available in the upgraded Nextcloud instance. To check this, compare the list of apps in /usr/local/www/nextcloud/apps with those in /usr/local/www/nextcloud-old/apps, and copy any not present in /usr/local/www/nextcloud/apps from /usr/local/www/nextcloud-old/apps to /usr/local/www/nextcloud/apps.

  10. If you’re using any 3rd party themes, make sure to copy them from /usr/local/www/nextcloud-old/themes to /usr/local/www/nextcloud/themes.

  11. Update the file ownership and file permissions of your /usr/local/www/nextcloud directory:

root@nextcloud:/tmp $ chown -R www:www /usr/local/www/nextcloud
root@nextcloud:/tmp $ find /usr/local/www/nextcloud -type d -exec chmod 750 {} \;
root@nextcloud:/tmp $ find /usr/local/www/nextcloud -type f -exec chmod 640 {} \;
  12. Restart the web server
root@nextcloud:/tmp $ service apache24 start
  13. Launch the upgrade from the command line using the occ tool. Note that this must be executed from within the Nextcloud installation directory:
root@nextcloud:/tmp $ cd /usr/local/www/nextcloud
root@nextcloud:/usr/local/www/nextcloud $ su -m www -c 'php occ upgrade'
  14. Re-enable the cron job that was previously disabled
root@nextcloud:/usr/local/www/nextcloud $ crontab -u www -e

Modify the entry by removing the # so that it looks as follows:

  */15          *               *               *               *               /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php
  15. Finally, turn maintenance mode off
root@nextcloud:/usr/local/www/nextcloud $ su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:mode --off'
  16. Now, log in to the Administration dashboard and verify the new version number. At this point, you may have additional warnings such as:

Last background job execution ran 1 hour ago. Something seems wrong.

This can be ignored. This will be rectified within 15 minutes when the next cron job is executed.

The database is missing some indexes. Due to the fact that adding indexes on big tables could take some time they were not added automatically. By running “occ db:add-missing-indices” those missing indexes could be added manually while the instance keeps running. Once the indexes are added queries to those tables are usually much faster.

As before, execute:

root@nextcloud:/usr/local/www/nextcloud $ su -m www -c 'php /usr/local/www/nextcloud/occ db:add-missing-indices'

The database is missing some optional columns. Due to the fact that adding columns on big tables could take some time they were not added automatically when they can be optional. By running “occ db:add-missing-columns” those missing columns could be added manually while the instance keeps running. Once the columns are added some features might improve responsiveness or usability.

As discussed previously, execute:

root@nextcloud:/usr/local/www/nextcloud $ su -m www -c 'php /usr/local/www/nextcloud/occ db:add-missing-columns'

It’s possible that other warnings will appear. Follow the instructions provided in the warning using the syntax we have used for the occ command previously to rectify them. Additionally, if things go wrong, refer to the Nextcloud documentation on restoring from backup to restore the files we backed up earlier. Otherwise, refer to the Nextcloud documentation describing the manual upgrade process for additional information.
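
For the third-party apps step of the manual upgrade above, this added example (not part of the original guide or of Nextcloud) lists the apps that exist only in the old installation and checks the version range each one declares in appinfo/info.xml against the target major version. The function names and the demo tree are constructed for illustration, and it assumes the `<nextcloud min-version="…" max-version="…"/>` element of each manifest sits on a single line.

```sh
#!/bin/sh
# Added example: decide which third-party apps to copy from nextcloud-old/apps
# into the freshly unpacked nextcloud/apps.
#
# Usage with the guide's paths and target version:
#   plan_app_copy /usr/local/www/nextcloud-old /usr/local/www/nextcloud 19

# nc_attr NAME FILE
# Value of attribute NAME on the <nextcloud .../> element of an info.xml.
nc_attr() {
    sed -n 's/.*<nextcloud[^>]*[[:space:]]'"$1"'="\([^"]*\)".*/\1/p' "$2" | head -n 1
}

# app_status APP_DIR TARGET_MAJOR
# Prints whether the app declares support for the target major version.
app_status() {
    info=$1/appinfo/info.xml
    if [ ! -f "$info" ]; then
        echo "unknown (no appinfo/info.xml)"
        return
    fi
    min=$(nc_attr min-version "$info"); min=${min%%.*}   # keep the major part
    max=$(nc_attr max-version "$info"); max=${max%%.*}
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "unknown (no version range declared)"
    elif [ "$2" -ge "$min" ] && [ "$2" -le "$max" ]; then
        echo "compatible (supports $min-$max)"
    else
        echo "incompatible (supports $min-$max)"
    fi
}

# plan_app_copy OLD_ROOT NEW_ROOT TARGET_MAJOR
# One line per app that is in OLD_ROOT/apps but not in NEW_ROOT/apps.
plan_app_copy() {
    for dir in "$1"/apps/*/; do
        [ -d "$dir" ] || continue            # empty apps directory: glob unexpanded
        app=$(basename "$dir")
        [ -e "$2/apps/$app" ] && continue    # already shipped with the new release
        printf '%s: %s\n' "$app" "$(app_status "${dir%/}" "$3")"
    done
}

# write_info APP_DIR MIN MAX: constructed manifest for the demo below.
write_info() {
    mkdir -p "$1/appinfo"
    cat > "$1/appinfo/info.xml" <<EOF
<info>
  <id>$(basename "$1")</id>
  <dependencies>
    <nextcloud min-version="$2" max-version="$3"/>
  </dependencies>
</info>
EOF
}

# Constructed demo tree: one bundled app present in both installations and
# three apps present only in the old one.
demo_plan() {
    root=$(mktemp -d /tmp/nc-upgrade-demo.XXXXXXXX)
    old=$root/nextcloud-old
    new=$root/nextcloud
    write_info "$old/apps/files" 18 18
    write_info "$new/apps/files" 19 19
    write_info "$old/apps/notes" 17 19
    write_info "$old/apps/legacyapp" 15 17
    mkdir -p "$old/apps/nometa"
    plan_app_copy "$old" "$new" 19
    rm -rf "$root"
}

demo_plan
```

Copy only the apps reported as compatible, for example with cp -Rp, before running the ownership and permission commands in the following step.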

Debugging

During this process, you may run into errors that I have not addressed. My suggestion is that your first port of call should be the logs. Here are the locations of some log files.

  1. Nextcloud logs
/var/log/nextcloud/nextcloud.log
  2. Apache logs
/var/log/httpd-error.log

These are the two most likely places an error will be logged. PHP errors will be logged in the Apache error log by default. The level of log detail for PHP can be configured in /usr/local/etc/php.ini. The level of log detail for Apache can be configured in /usr/local/etc/apache24/httpd.conf.

Use these logs to identify what the problem with your configuration is. Then, use some keywords from the error to search Google and see if anybody else has found a solution to the problem. If you can’t find a solution, or you’re having trouble interpreting the solutions provided, make reference to the “Support” section at the end of this article and ask for help in one of the suggested locations.

From my experience, most of the errors I ran into were with configuring Redis. This manifested as an “Internal Server Error 500” in both instances. In the first instance, Redis was not running and I had not realised. You can check the status of a service using the following command:

$ service <service> status

This will tell you if it is running or not.

Support

There are a number of places you can seek help regarding any issues you might be having with Nextcloud on FreeNAS:

  1. Nextcloud Forums
  2. FreeNAS Forums
  3. Reddit
    1. r/nextcloud
    2. r/freenas
  4. Freenode IRC – server: irc.freenode.net, and the following channels
    • #nextcloud
    • #freenas
    • #freebsd
    • ##letsencrypt

I’ve found IRC to be a better platform for issues that need to be discussed in some detail, however the communities on the forums and also reddit are typically larger.

This guide is also hosted on GitHub. If you find any bugs or have any suggestions, please feel free to raise an issue, or submit your own pull request!


739 thoughts on “How to install Nextcloud on FreeNAS in an iocage jail with hardened security”

    1. Unfortunately the overwhelming amount of documentation for Nextcloud is for Apache. I’ll consider this as the topic of a future blog post, however these are the broad strokes of what you’ll need to look for in the mean time:

      • Configure php-fpm for nginx
      • Configure nginx to forward port 80 traffic to port 443 for SSL
      • Configure nginx SSL:
        ** Use a modern SSL Protocol, i.e. TLS v1.2
        ** Use a modern SSL CipherSuite
        ** Configure stock .htaccess options in nginx, such as headers to be passed.

      The last part of this is the most verbose, but Nextcloud do provide some documentation to help configure the configuration files

    2. Thanks for the very detailed guide Samuel! I probably spent a good week reading through it again and again before embarking on setting up Nextcloud 21.

      One question I have is that although I followed your steps to set up a ‘jailhouse’ dataset and the sub-directories, it appears that nextcloud jail was installed in the existing iocage that houses my UniFi and Plex jails. I really like your strategy for separating the stored data (nextcloud files, plex media, etc.) and the databases separately. Is there a way to migrate iocage and all of the jails to the SSD?

  1. Many thanks for the tutorial. I managed it until the security section where it reads:
    “At this stage, your nextcloud server should be ready to go for local network use. There are, however, a range of security considerations that will be dealt with in the remainder of the guide. These are very important, especially if you intend to open the server to the web.”

    However by trying to access my local nextcloud-ip I constantly get the following error message in Firefox (Chrome ditto):
    “The page isn’t redirecting properly
    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”

    Where could I look for help? An internet search was not successful.

    1. Hi there! At the bottom of the article I list a number of places for support. This isn’t an error I’ve come across, and without more information it will be difficult to help you debug. As a first step, my suggestion would be to go back through the previous steps to make sure everything is configured as it should be. You mention you run into issues at the “Security” section – did you have any issues configuring NC through the web ui? Or have you not been able to navigate to the nextcloud web ui at all? If not, were you able to see the php test page earlier in the steps? How have you configured the ServerName? Are the php-fpm and apache services running? (service apache24 status, service php-fpm status). Try to locate the specific location in the guide where things stop working. As a second step, if double checking your configuration doesn’t yield a solution, I’d suggest asking in the #nextcloud or #freenas IRC channels; you’ll be able to engage in a dialog with someone to help work through your specific problem. This is where I’ve found the most helpful support in solving problems 🙂

  2. I had the same issue as Astmohn. At the “Web Configuration” section I’m able to get to the NextCloud admin page for the initial setup, put in the correct data and click Finish Setup. However this eventually results in the redirection error Astmohn mentions and any further access to the NextCloud URL gets the same.

    My searches turned up configuration issues that were not present in my http.conf (i.e. your instructions properly set the values that all my research states are the source of this problem). Eventually I grew tired of trying to fix it and destroyed the jail to some day try again from a fresh start.

    I have no doubt that the problem is related to some small issue with the apache configuration but I don’t have much experience with apache or web apps in general. The things that stuck out in my mind:

    You mention you changed the pkg repo to latest branch (though you state it’s optional) and say that you did so to fix a bug. However you never elaborate on what bug you were resolving in this fashion. I suspect this may be part of the problem and intend to change to the latest branch with my next test to see if that’s the case. Would have been nice for at least some elaboration on the bug you are referring to so your readers could make a more informed decision on this step.
    Domain name vs. IP. This one annoys me greatly with NextCloud because they seem to assume you are going to have a legitimate domain name and access your NC server from outside your network. I use a non-real domain name for my home network (lastname.home) to prevent any possible domain collisions and honestly as long as it resolves internally (which it does) then it shouldn’t matter. However NC config seems to dislike the use of a raw IP (I use a fixed IP for all my always-on services) and I wonder if it’s getting hung up on my non-standard domain name.

    Interestingly when I access the NC web interface using the IP it displayed an initial page but then redirects and immediately dies with the redirect error again.

    I’ll be giving your instructions another go here in the future with the latest pkg repo and see if that makes a difference.

    1. Hmm, interesting! Given two of you have had the same issue, I’m going to give the installation another go myself to make sure the instructions are correct. It’s unlikely to be the issue I referenced; that was related to fresh installations of Nextcloud 14.0.1 not including the appropriate configuration for the ‘apps’ field in the config.php file, which was rectified in 14.0.1_1 iirc. Switching to the “latest” branch allowed me to pull 14.0.1_1 instead of 14.0.1. Since we’re on 14.0.4 now, this shouldn’t be a consideration. However, you make a good point so I’ll revise the post to include some discussion of this for troubleshooting purposes.

      With regards to the domain name and IP, you’re exactly right and I do provide this clarification in the article. You can enter any domain for these settings, including the local IP of the jail, provided that your DNS Server can resolve the jail IP. To use your example, lastname.home should work perfectly well if you have a DNS Resolver entry redirecting lastname.home to your jail IP, i.e. 192.168.0.10. In pfSense this can be configured in Services > DNS Resolver > Host Overrides > Add. If you do intend to access it this way, you would need to add lastname.home to your trusted domains as discussed in the article.

      1. Just got bit with the redirect bug too. Chrome, Firefox, Safari

        Did the step WEB CONFIGURATION then clicked finished setup and boom. Redirect hell

        1. When I nano /usr/local/www/nextcloud/config/config.php
          It is way different than yours

          <?php
          $CONFIG = array (
          'instanceid' => 'redacted',
          'passwordsalt' => 'redacted',
          'secret' => 'redacted/',
          'trusted_domains' =>
          array (
          0 => 'redacted',
          ),
          'datadirectory' => '/mnt/data',
          'dbtype' => 'mysql',
          'version' => '15.0.0.10',
          'overwrite.cli.url' => 'redacted',
          'dbname' => 'nextcloud',
          'dbhost' => 'localhost:/tmp/mysql.sock',
          'dbport' => '',
          'dbtableprefix' => 'oc_',
          'mysql.utf8mb4' => true,
          'dbuser' => 'nextcloud_admin',
          'dbpassword' => 'redacted',
          'installed' => true,
          );

          1. Huh. That’s interesting. I’m guessing since you’re using Nextcloud 15.0.0, you’re on the quarterly branch (latest is at 15.0.5), which means that the issues I discuss above with respect to 14.0.1 aren’t fixed by a version upgrade. This must mean that it’s more specific to brnrd’s release than Nextcloud. To fix it, you have two options.

            1. Start the installation again (nuke the jail and remake it), but this time switch to the latest branch (can confirm this has worked for me many times), OR
            2. You could try to repair this installation by adding the following to your config.php file:
              'apps_paths' =>
              array (
                0 =>
                array (
                  'path' => '/usr/local/www/nextcloud/apps',
                  'url' => '/apps',
                  'writable' => true,
                ),
                1 =>
                array (
                  'path' => '/usr/local/www/nextcloud/apps-pkg',
                  'url' => '/apps-pkg',
                  'writable' => false,
                ),
              ),
            

            This should go BELOW

            <?php
             $CONFIG = array (
            

            and ABOVE

            'instanceid' => 'redacted',
            

            Once you’ve done this, restart Apache and see if this fixes it (service apache24 restart). If it doesn’t, I’m not sure what the fix is. You could try debugging this yourself (a good place to start would be looking at the revisions to 14.0.1) or asking in the #freebsd (for freebsd pkg’s) or #httpd (for apache server) IRC channels. I’d suggest it might just be simpler to install from the latest branch though, rather than quarterly.

          2. Scratch what I’ve said; It’s not caused by the quarterly branch package. I’ve just been through a fresh install and I haven’t been able to reproduce your issues. I tested with both nextcloud-php71 and nextcloud-php72, both of which worked fine using the steps I’ve provided. Which nextcloud distribution did you install? Did you skip any steps? Also, where are your redirects trying to redirect to? In Firefox right click > Inspect element > Network tab. With this new window open, navigate to your nextcloud jail ip, and observe the file path in the “File” column

          3. Which nextcloud distribution did you install?
            — nextcloud-php72

            Did you skip any steps?
            — No but did have to use mkdir to make the fstab section to work. On a fresh install mnt/data, …/mysql, config, themes, are not created.

            I am going to start over, take everything I learned and try again this afternoon.

            Freenas version FreeNAS-11.2-U2.1

          4. Fresh Start with php 71 same redirect issue after finish setup.

            Redirect file:
            /index.php/apps/files

          5. Yet again I was missing stuff in the config so I did the ” You could try to repair this installation by adding the following to your config.php file:”
            Which fixed the redirect but gave me this error
            Internal Server Error

            The server was unable to complete your request.

            If this happens again, please send the technical details below to the server administrator.

            More details can be found in the server log.Internal Server Error

            The server was unable to complete your request.

            If this happens again, please send the technical details below to the server administrator.

            More details can be found in the server log.

            httpd-error.log
            [Thu Mar 21 12:55:44.801257 2019] [mpm_prefork:notice] [pid 73653] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operations
            [Thu Mar 21 12:55:44.802019 2019] [core:notice] [pid 73653] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
            [Thu Mar 21 13:15:56.199095 2019] [mpm_prefork:notice] [pid 73653] AH00171: Graceful restart requested, doing restart
            AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
            [Thu Mar 21 13:15:56.207272 2019] [mpm_prefork:notice] [pid 73653] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operations
            [Thu Mar 21 13:15:56.207293 2019] [core:notice] [pid 73653] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
            [Thu Mar 21 13:27:24.130109 2019] [mpm_prefork:notice] [pid 73653] AH00169: caught SIGTERM, shutting down
            [Thu Mar 21 13:27:24.254491 2019] [mpm_prefork:notice] [pid 80260] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operations
            [Thu Mar 21 13:27:24.254944 2019] [core:notice] [pid 80260] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
            [Thu Mar 21 13:35:23.695450 2019] [mpm_prefork:notice] [pid 80260] AH00169: caught SIGTERM, shutting down
            [Thu Mar 21 13:35:23.838368 2019] [mpm_prefork:notice] [pid 82076] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operations
            [Thu Mar 21 13:35:23.838802 2019] [core:notice] [pid 82076] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’

          6. The apache log doesn’t show anything of much use. Can you look at the contents of the nextcloud log to see if there’s anything there? it’s at /var/log/nextcloud/nextcloud.log. Also, when posting code, it formats much more nicely if you begin and end it with a triple back tick; ```

          7. /var/log/nextcloud/nextcloud.log.

            No log found in that location

            Should service httpd be running?
            service httpd status
            —httpd does not exist in /etc/rc.d or the local startup
            directories (/usr/local/etc/rc.d), or is not executable

          8. The httpd service is apache24. Try locating the nextcloud log: locate nextcloud.log; this should return the path where this file exists. If it doesn’t exist it will return blank to a new line.

    2. Okay, so I just went through the guide again and surprisingly, it looks like 14.0.1 is still the current version in the quarterly branch so you were right, this was the issue. Switching to the latest branch resolves what you were experiencing. Incidentally, the latest branch is 15.0.0, and so I have made a couple of minor adjustments to ensure compatibility. I’ve tested the guide for 15.0.0, and everything seems to be working as expected. Pay special attention when it comes to configuring the nextcloud config.php file for use with Redis/APCu; this has been the main cause of the issues I’ve run into so far.

      1. I also have the ‘Internal Server Error’ issue. Followed steps exactly as above (save that I have found I need to ensure FreeBSD 12.2 is installed on the jail, as 11.3 appears not to work). Everything works fine up until your instruction to install php74-pecl-redis and php74-pecl-APCu (response is latest package already installed) and then after following the su -m www steps, I get “Internal Server Error
        The server was unable to complete your request.”. Am now stuck… any help would be really appreciated.

  3. First of all I would like to say thank you for creating this detailed guide!
    I’m very new to all this stuff, especially with all the commands. So please help!!
    My question is: in the add storage to iocage jail section, what should I be entering for this specific command line (assuming I adopted the structure you used when creating all the datasets)?
    iocage fstab -a jailname source_location destination_location nullfs (rw/ro) 0 0
    Would it be something like this:
    iocage fstab -a nextcloud mnt/vault/cloud mnt/jailhouse/apps/nextcloud nullfs (rw/ro) 0 0

    Also, is there any way that I could contact you directly, because I know for sure I will be needing a lot of help in the future. Thank you so much!!!

    1. Hi there! If you’ve adopted the directory structure I use, I provide the exact commands you need to use immediately before the command you’ve just provided me. The commands you need to use are:

      $ iocage fstab -a nextcloud /mnt/vault/cloud /mnt/data nullfs rw 0 0
      $ iocage fstab -a nextcloud /mnt/jailhouse/apps/nextcloud/db /var/db/mysql nullfs rw 0 0
      $ iocage fstab -a nextcloud /mnt/jailhouse/apps/nextcloud/config /usr/local/www/nextcloud/config nullfs rw 0 0
      $ iocage fstab -a nextcloud /mnt/jailhouse/apps/nextcloud/themes /usr/local/www/nextcloud/themes nullfs rw 0 0

      With regards to what you’ve proposed: iocage fstab -a nextcloud mnt/vault/cloud mnt/jailhouse/apps/nextcloud nullfs (rw/ro) 0 0

      You’re almost there, but not quite. With this, you’ve specified:
      – source_location: mnt/vault/cloud
      – destination_location: mnt/jailhouse/apps/nextcloud

      The source location is good, that’s what you would want to specify, but the destination location is wrong. This is because inside the jail, there is no directory /mnt/jailhouse/apps/nextcloud (this is the path on your FreeNAS host! Outside the jail!)

      What we want to do is specify a location within the jail, to make the content inside /mnt/vault/cloud available. In the commands I’ve provided above, this location within the jail would be /mnt/data (this will automatically be created). Hope this helps!

      With regards to direct contact, either here or the corresponding FreeNAS forum post are the best places to contact me for support for this guide. The benefit of using the FreeNAS Forums is that other people also might be able to provide support where I’m slow to reply.

      Hope this helps!

      1. “I’ve provided above, this location within the jail would be /mnt/data (this will automatically be created”

        I have had mostly success starting this guide but I have noticed the /mnt/data on my system was not automatically created. I was wondering how do I create it?

        1. It’s created within your jail environment if you’ve used the fstab entries that I’ve specified. If you’re not within the jail, you won’t see it at /mnt/data. From the host, it would be located at /mnt/iocage/jails/nextcloud/root/mnt/data/

          1. When I run the fstab I get this message “Destination: /mnt/jailhouse/iocage/jails/nextcloud/root/mnt/data does not exist!”

          2. Okay, time to start troubleshooting then. This shouldn’t happen. I suppose an easy fix to that immediate problem would be to create the directory from your host by executing mkdir /mnt/jailhouse/iocage/jails/nextcloud/root/mnt/data, or just mkdir /mnt/data from within the jail. This might fix the issue; if it doesn’t it indicates that something bigger is going on with your fstab entries. Run iocage list to make sure that nextcloud shows up, and that its status is online.

            Following this, it would be prudent to confirm that your fstab entry is actually correct. Run iocage fstab -l nextcloud from your freenas host, and paste the output here. It should look like the following:

            root@freenas:~ # iocage fstab -l nextcloud
            +-------+--------------------------------------------------------------------------------------------------------------------+
            | INDEX |                                                    FSTAB ENTRY                                                     |
            +=======+====================================================================================================================+
            | 0     | /mnt/vault/cloud /mnt/iocage/jails/nextcloud/root/mnt/data nullfs rw 0 0                                           |
            +-------+--------------------------------------------------------------------------------------------------------------------+
            | 1     | /mnt/jailhouse/apps/nextcloud/db /mnt/iocage/jails/nextcloud/root/var/db/mysql nullfs rw 0 0                       |
            +-------+--------------------------------------------------------------------------------------------------------------------+
            | 2     | /mnt/jailhouse/apps/nextcloud/config /mnt/iocage/jails/nextcloud/root/usr/local/www/nextcloud/config nullfs rw 0 0 |
            +-------+--------------------------------------------------------------------------------------------------------------------+
            | 3     | /mnt/jailhouse/apps/nextcloud/themes /mnt/iocage/jails/nextcloud/root/usr/local/www/nextcloud/themes nullfs rw 0 0 |
            +-------+--------------------------------------------------------------------------------------------------------------------+
            
            
          3. The mkdir worked and allowed me to finish my fstab
            Thanks !

            +-------+------------------------------------------------------------------------------------------------------------------------------+
            | INDEX |                                                         FSTAB ENTRY                                                          |
            +=======+==============================================================================================================================+
            | 0     | /mnt/jailhouse/apps/nextcloud/db /mnt/jailhouse/iocage/jails/nextcloud/root/var/db/mysql nullfs rw 0 0                       |
            +-------+------------------------------------------------------------------------------------------------------------------------------+
            | 1     | /mnt/jailhouse/apps/nextcloud/config /mnt/jailhouse/iocage/jails/nextcloud/root/usr/local/www/nextcloud/config nullfs rw 0 0 |
            +-------+------------------------------------------------------------------------------------------------------------------------------+
            | 2     | /mnt/jailhouse/apps/nextcloud/themes /mnt/jailhouse/iocage/jails/nextcloud/root/usr/local/www/nextcloud/themes nullfs rw 0 0 |
            +-------+------------------------------------------------------------------------------------------------------------------------------+
            | 3     | /mnt/digital-documents/cloud /mnt/jailhouse/iocage/jails/nextcloud/root/mnt/data nullfs rw 0 0                               |
            +-------+------------------------------------------------------------------------------------------------------------------------------+

  4. Hi,
    I recently upgraded my FreeNAS to 11.2, which broke my Nextcloud so that SMB external storages no longer seem to work. If I follow this guide, will that installation include SMB support?
    If not, do you know of a way to get it working?

    1. Hi Andreas, Unfortunately not. All of my storage is local to my FreeNAS host, so this wasn’t something I had to explore. Having said that, it appears that this is additional configuration after the setup process, not something that needs to be established during the traditional setup procedure. My advice would be to refer to the documentation regarding the configuration; after a brief look, it seems to be relatively descriptive. You can view the documentation here: SMB/CIFS, Configuring External Storage. Good luck!

  5. Thanks for your reply. I just installed NC 15 following your guide. That worked very well, thank you so very much for a well written guide. It’s now among my bookmarks 🙂
    I am having one problem left to solve, and I thought I’d ask you if maybe you have seen it before or can understand what is happening.

    It’s the configuration of postfix. I can’t get it to work. I’ve been over the steps a dozen times, and I can’t find anything wrong.

    I’m trying to send an email from nc@domain.com to user@domain.com using tls and port 587. The only place I’ve entered the sender email address is as username in /usr/local/etc/postfix/sasl_passwd.

    When sending the test email I get this error:
    Username nc@domain.comand sender root@nextcloud.localdomain doesnt match (in reply to MAIL FROM command)).
    Why is it using root@nextcloud.localdomain as sender? Am I supposed to change the sender address somewhere other than /usr/local/etc/postfix/sasl_passwd?

  6. Never mind. It worked once I set everything up in Settings in the GUI. I was so focused on the terminal it didn’t appear to me until now.
    Thanks again!

  7. THIS is brilliant!
    This is the best guide I have seen on iocage/nextcloud.
    Not only does it work flawlessly (I installed nextcloud 15 using PHP7.2) but the security bit is invaluable.

    Thanks a lot for this!

  8. Hi again.
    I have a new question. Why is it necessary to do upgrades via console instead of the web based one? What will break if I use the web based one instead?
    I never updated pkg to the latest branch, if that matters…

    1. Hi Andreas,

      It’s more a semantic thing than anything else. If you install with the package manager, you should keep it maintained with the package manager. I have experimented with web updates, and the minor update I tested on appeared to work, but the package manager went out of sync and didn’t receive any new information about the update. You’re welcome to try, but be aware you may run into issues down the road. That’s not to say that upgrading via the console is a walk in the park either; I seem to run into issues every time I do that as well. It doesn’t seem to be a polished process in either case. An alternative to what I’ve presented in this guide is to not use FreeBSD ports, or the package manager pkg, and just download Nextcloud from their website directly. I would imagine that you would use the web updater to stay up to date this way, but it wasn’t the path I took so I can’t provide any specific advice.

      Not switching to the latest branch shouldn’t impact you at all (i.e. staying on quarterly, provided you’re not running 14.0.1 as discussed in the guide) except to say that obviously you’re not going to receive updates as quickly. Quarterly in fact. If you want to switch to the latest branch you can follow the instructions I provide at any stage and then run the upgrade commands. At the moment the pkg repo is at 15.0.0, and I’m expecting 15.0.1 or 15.0.2 in the next few days.

      Cheers.

  9. This has got to be one of the most comprehensive install guides that I have read. Will definitely be giving it a go over the weekend. Thank you for sharing….

  10. I rarely comment on blogs but I wanted to say that I really appreciate the effort and detail you put into this guide! It fit my exact scenario and allowed me to quickly rebuild my Nextcloud instance better than it was before! I especially appreciate the explanations as to why the commands are being run. A very helpful guide!!

  11. This install guide is by far the best I was able to find to install Nextcloud on FreeNAS in a jail.
    There are only two errors/information messages I cannot fix.
    Nextcloud complains that the webserver is not configured correctly to be able to resolve “/.well-known/caldav” and “/.well-known/carddav”.
    I know the document root is not the apache default.
    The documentation I followed is this https://docs.nextcloud.com/server/15/admin_manual/issues/general_troubleshooting.html#service-discovery
    I tried to patch the .htaccess in the nextcloud directory as described but this did not work.

    It would be great if you could help me, and maybe it is worth extending the guide on this point.

    Many thanks especially for this very helpful guide

    1. Hi Michael, from memory the CalDAV and CardDAV settings to suppress the warnings you’re getting are indeed contained within the .htaccess file that ships with Nextcloud by default. If my recollection is correct, then this means that something you’ve done is interfering with this. In my guide, I specify setting the AllowOverride directive to ‘all’, i.e. “AllowOverride all”, which should allow apache to use the .htaccess file – did you do this? If not, do this and see if that resolves your issue. If it doesn’t, then, did you use a virtual host entry from another site? Some of the examples I’ve seen have “AllowOverride None” in them, which will override the change in httpd.conf. Also, have you made sure that all of the paths are correct and pointing to the Nextcloud webroot (/usr/local/www/nextcloud)? As far as the guide goes, I’ve confirmed that the steps work to enable the .htaccess file a number of times, so I’d suggest you go back through the steps to make sure you haven’t missed anything.

      Cheers

      1. Hi, I’ve been following this manual and issues:

        Your web server is not properly set up to resolve “/.well-known/caldav”.
        Your web server is not properly set up to resolve “/.well-known/carddav”.

        were solved by uncommenting:

        LoadModule rewrite_module libexec/apache24/mod_rewrite.so

        from:

        /usr/local/etc/apache24/httpd.conf

        This item is explained in section “SSL” from this manual.

        Because, without this, the rewrites that .htaccess nextcloud provides, won’t work – at least, in my case.

        P.s: Samuel.Downling, to gain a better understanding of this, is it possible for you to test it with ” LoadModule rewrite_module libexec/apache24/mod_rewrite.so” commented to confirm this error? And, if it’s confirmed, I suggest that you update the section “Configure Apache for Nextcloud” with a remark to uncomment this rewrite_module. Thanks.

        1. Hi Enioh,

          Everything in the guide worked as written for me with no errors as of Nextcloud 15.0.1. I haven’t updated to the latest version yet, so it’s possible that there are differences between my guide and what’s required by the newer versions. I’m hoping to get a chance to sit down and upgrade in the next few weeks, so if I run into the same issues I’ll be sure to update the guide 🙂

          Cheers,

          Sam
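Both causes raised in this thread for the “/.well-known/caldav” warnings, a commented-out rewrite_module line and an AllowOverride None that wins over the AllowOverride all in httpd.conf, can be checked from the configuration files directly. This is an added example, not part of the original comments or the guide; check_htaccess_prereqs and the constructed config files are assumptions, and the merge logic is a simplification of Apache's.

```shell
#!/bin/sh
# Added example (not from the guide): report why Nextcloud's shipped .htaccess
# rewrites would be ignored for a webroot. Approximates Apache's merge order:
# the longest matching <Directory> wins, and later files override earlier ones.

# Usage: check_htaccess_prereqs WEBROOT CONF_FILE...
# Prints one line per finding; returns 0 only when nothing was found.
check_htaccess_prereqs() {
    webroot=${1%/}
    shift
    awk -v webroot="$webroot" '
        function covers(d) {
            return d == "" || d == webroot || index(webroot, d "/") == 1
        }
        BEGIN { best = -1 }
        { sub(/^[ \t]+/, "") }               # ignore indentation
        /^#/ || NF == 0 { next }             # commented-out lines do not count
        { key = tolower($1) }
        key == "loadmodule" && $2 == "rewrite_module" { rewrite = 1 }
        key == "<directory" {
            dir = $2; gsub(/[">]/, "", dir); sub(/\/$/, "", dir); indir = 1
        }
        key == "</directory>" { indir = 0 }
        key == "allowoverride" && indir && covers(dir) && length(dir) >= best {
            best = length(dir); value = tolower($2); where = FILENAME ":" FNR
        }
        END {
            if (!rewrite) {
                n++; print "rewrite_module is not loaded (LoadModule line missing or commented out)"
            }
            if (best < 0) {
                n++; print "no AllowOverride applies to " webroot " (Apache 2.4 default is None)"
            } else if (value == "none") {
                n++; print where ": AllowOverride None applies to " webroot
            }
            exit (n > 0)
        }
    ' "$@"
}

# Constructed sample input: httpd.conf allows overrides, but the module line is
# still commented out and a copied virtual host sets AllowOverride None.
demo() {
    t=$(mktemp -d) || return 1
    cat > "$t/httpd.conf" <<'EOF'
#LoadModule rewrite_module libexec/apache24/mod_rewrite.so
<Directory />
    AllowOverride none
</Directory>
<Directory "/usr/local/www/nextcloud">
    AllowOverride all
</Directory>
EOF
    cat > "$t/vhost.conf" <<'EOF'
<VirtualHost *:443>
    <Directory "/usr/local/www/nextcloud">
        AllowOverride None
    </Directory>
</VirtualHost>
EOF
    rc=0
    check_htaccess_prereqs /usr/local/www/nextcloud "$t/httpd.conf" "$t/vhost.conf" || rc=$?
    rm -rf "$t"
    return "$rc"
}

demo || echo "findings reported above"
```

Pass the files in the order Apache reads them (httpd.conf first, then any included virtual host files) so that a later AllowOverride for the same directory takes precedence in the report.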

  12. Awesome guide, thanks. I’ve configured postfix per your instructions and rechecked it, however I’m getting the following errors when running # echo "Test Email Contents" | mail -s "Postfix Test Email" johndoe@gmail.com

    Do you have any idea if I’m missing something?

    Jan 29 17:51:22 nextcloud postfix/pickup[34700]: 6BB70221A3: uid=0 from=
    Jan 29 17:51:22 nextcloud postfix/cleanup[39094]: 6BB70221A3: message-id=20190130016722.6BB70221A3@nextcloud.localdomain
    Jan 29 17:51:22 nextcloud postfix/qmgr[34701]: 6BB70221A3: from=root@nextcloud.localdomain, size=362, nrcpt=1 (queue active)
    Jan 29 17:51:22 nextcloud postfix/smtp[39096]: 6BB70221A3: SASL authentication failed; server smtp.gmail.com[74.125.20.109] said: 535-5.7.8 Username and Password not accepted. Le$
    Jan 29 17:51:23 nextcloud postfix/smtp[39096]: 6BB70221A3: to=johndoe@gmail.com, relay=smtp.gmail.com[74.125.20.108]:587, delay=0.86, delays=0.06/0.02/0.78/0, dsn$

    It looks like it’s trying to send from root@nextcloud.localdomain instead of the user name in /usr/local/etc/postfix/sasl_passwd

    What am I missing?

    1. Hi Edmond, reading through the log snippet you’ve posted, it says “SASL authentication failed; server smtp.gmail.com[74.125.20.109] said: 535-5.7.8 Username and Password not accepted”. It seems like you’re getting a response from the gmail smtp server telling you that you’ve put in an incorrect username and password. No need to worry about the root@nextcloud.localdomain, this is just your local user and jail host name. If you enter in a valid username/password combination you should be good to go. Cheers.

      1. Hello Samuel! This is an amazing tutorial. I too am having the same issue with the SASL authentication failed. I’ve double checked the username and password. All are good. I’ve tried it with using less secure apps and with an app specific password. Still no luck. How can I troubleshoot?

        1. Hi Phil, honestly I’ve never run into this issue before so I’m not able to provide you with a solution unfortunately. It doesn’t seem to be specific to Nextcloud or FreeBSD, but perhaps it is specific to postfix and gmail. This thread seems to indicate that the log may provide you with a link that provides more detail about the problem with the authentication (I can see that this is present in Edmond’s log snippet, but is truncated by the text editor – see the Username and Password not accepted. Le$; here $ means that there’s more to the line). Unfortunately it seems that you’ve tried the solutions presented in the linked thread, but my suggestion would be to have a look through /var/log/maillog to see what errors postfix is giving you, and explore solutions to those errors individually. If you can find the Learn more at 530 5.5.1 https://support.google.com/mail/?p=WantAuthError statement, perhaps it would be worth going to this link and seeing what description it gives you of the error messages. At the end of the article, I provide a few places that you can go for more detailed support. As an example, the #postfix IRC channel has a population of 317 at the time of writing; here would be a good place to start asking questions. IRC is where I go for support with issues like these; the people there are typically very knowledgeable, and some are willing to help work through a problem.

          Edit: Have you made sure to re-run $ postmap /usr/local/etc/postfix/sasl_passwd after changing your credentials? It’s critical that you do this; it re-creates sasl_passwd.db, which is how the credentials are read by postfix.

          1. Thanks Samuel. Still working on the email piece, but I have everything else working. Fantastic guide! I can’t thank you enough for all of the effort you put into this.

    2. I ran into this problem as well, as a result of typing in the wrong user. I had to edit
      smtp.gmail.com user@gmail.com:password112

      and then rerun this
      postmap /usr/local/etc/postfix/sasl_passwd

  13. I ran through this tutorial using NextCloud 15 on FreeNAS 11.2-RELEASE-U1. The only things I deviate from were I created the jail using the gui in FreeNAS, I created the storage locations manually via the zfs command, and I used DHCP for the jail IP because I use DHCP reservations on my network instead of static IPs. For DNS, I used ddns.net with a CNAME from my own domain. The letsencrypt test command works if your server is accessible over HTTP first by its DNS name before you try to get the certificate.

    Thanks for a great howto.

    1. Nice one! I’m glad you could deviate from what I presented, adjust it for your needs and get it working. Cheers 🙂

  14. Thank you very much for this. I went through multiple tutorials and this has been the most educational and least frustrating. You explained everything very clearly.

    Cheers Mate

  15. Excellent post! I used this to migrate my Nextcloud from a Raspberry Pi to a FreeNAS jail.

    Just one question. I found periodic.conf in /etc/defaults/
    Should I modify the one in there?

    1. Hi Andrew, no you don’t want to modify /etc/defaults/periodic.conf. This is the system default as per hier(7) and isn’t intended to be modified. You just want to create a new one in /etc/, i.e. /etc/periodic.conf. Hope this helps.

  16. Been working great. This machine is just a practice run for me to learn on. I don’t have a UPS for this machine. I had a brief power failure. Freenas boots ok, nextcloud wont start up. What steps do i need to take to troubleshoot? This is the error message that popped up when I tried to start nextcloud from the jails interface in Freenas:

    Error: concurrent.futures.process._RemoteTraceback:
    “””
    Traceback (most recent call last):
    File “/usr/local/lib/python3.6/concurrent/futures/process.py”, line 175, in _process_worker
    r = call_item.fn(*call_item.args, **call_item.kwargs)
    File “/usr/local/lib/python3.6/site-packages/middlewared/worker.py”, line 128, in main_worker
    res = loop.run_until_complete(coro)
    File “/usr/local/lib/python3.6/asyncio/base_events.py”, line 468, in run_until_complete
    return future.result()
    File “/usr/local/lib/python3.6/site-packages/middlewared/worker.py”, line 88, in _run
    return await self._call(f'{service_name}.{method}’, serviceobj, methodobj, params=args, job=job)
    File “/usr/local/lib/python3.6/site-packages/middlewared/worker.py”, line 81, in _call
    return methodobj(*params)
    File “/usr/local/lib/python3.6/site-packages/middlewared/worker.py”, line 81, in _call
    return methodobj(*params)
    File “/usr/local/lib/python3.6/site-packages/middlewared/schema.py”, line 668, in nf
    return f(*args, **kwargs)
    File “/usr/local/lib/python3.6/site-packages/middlewared/plugins/jail.py”, line 542, in start
    iocage.start()
    File “/usr/local/lib/python3.6/site-packages/iocage_lib/iocage.py”, line 1654, in start
    callback=self.callback
    File “/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_start.py”, line 66, in __init__
    self.__start_jail__()
    File “/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_start.py”, line 391, in __start_jail__
    silent=self.silent)
    File “/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_common.py”, line 81, in logit
    _callback(content, exception)
    File “/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_common.py”, line 64, in callback
    raise callback_exception(message)
    RuntimeError: mount_nullfs: /mnt/vault: No such file or directory
    jail: /sbin/mount -t nullfs -o rw /mnt/vault/cloud /mnt/Vault/iocage/jails/nextcloud/root/mnt/data: failed

    “””

    The above exception was the direct cause of the following exception:

    Traceback (most recent call last):
    File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 161, in call_method
    result = await self.middleware.call_method(self, message)
    File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 1109, in call_method
    return await self._call(message[‘method’], serviceobj, methodobj, params, app=app, io_thread=False)
    File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 1046, in _call
    return await self._call_worker(serviceobj, name, *args)
    File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 1073, in _call_worker
    job,
    File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 1004, in run_in_proc
    return await self.run_in_executor(self.__procpool, method, *args, **kwargs)
    File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 989, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
    RuntimeError: mount_nullfs: /mnt/vault: No such file or directory
    jail: /sbin/mount -t nullfs -o rw /mnt/vault/cloud /mnt/Vault/iocage/jails/nextcloud/root/mnt/data: failed

    1. Hi Phil,

      Looking at the Tracebacks you’ve provided it looks like fstab can’t find the datasets you’ve specified, so when it tries to mount your host dataset into the jail it’s throwing an error. Specifically, the cause of your issue is the line
      RuntimeError: mount_nullfs: /mnt/vault: No such file or directory.
      I’ve noticed that the last line in each traceback;
      jail: /sbin/mount -t nullfs -o rw /mnt/vault/cloud /mnt/Vault/iocage/jails/nextcloud/root/mnt/data: failed
      has two different dataset names. For the first path specification you’ve used /mnt/vault, and the second you’ve used /mnt/Vault. Is it possible you forgot to capitalise the “V” in “Vault” for the first path in your fstab entry for this mount? You can edit this by running the following commands from your FreeNAS host’s shell:
      $ setenv EDITOR nano
      $ iocage fstab -e nextcloud
      Then make the appropriate changes. My guess (you might have to adapt this for your actual circumstances) is that the entry should look like this:
      /mnt/Vault/cloud /mnt/Vault/iocage/jails/nextcloud/root/mnt/data nullfs rw 0 0
      Hope this helps!

      1. Hello Samuel!
        Thank you for responding and helping. I admit I am a newbie here. I understand very little. I made the changes you mentioned. You are correct. The one mistake I did make is using the capital V when I created the pool. I did make those changes. It looks like I have a deadlock error. What might cause that?

        Error: concurrent.futures.process._RemoteTraceback:
        “””
        Traceback (most recent call last):
        File “/usr/local/lib/python3.6/concurrent/futures/process.py”, line 175, in _process_worker
        r = call_item.fn(*call_item.args, **call_item.kwargs)
        File “/usr/local/lib/python3.6/site-packages/middlewared/worker.py”, line 128, in main_worker
        res = loop.run_until_complete(coro)
        File “/usr/local/lib/python3.6/asyncio/base_events.py”, line 468, in run_until_complete
        return future.result()
        File “/usr/local/lib/python3.6/site-packages/middlewared/worker.py”, line 88, in _run
        return await self._call(f'{service_name}.{method}’, serviceobj, methodobj, params=args, job=job)
        File “/usr/local/lib/python3.6/site-packages/middlewared/worker.py”, line 81, in _call
        return methodobj(*params)
        File “/usr/local/lib/python3.6/site-packages/middlewared/worker.py”, line 81, in _call
        return methodobj(*params)
        File “/usr/local/lib/python3.6/site-packages/middlewared/schema.py”, line 668, in nf
        return f(*args, **kwargs)
        File “/usr/local/lib/python3.6/site-packages/middlewared/plugins/jail.py”, line 542, in start
        iocage.start()
        File “/usr/local/lib/python3.6/site-packages/iocage_lib/iocage.py”, line 1654, in start
        callback=self.callback
        File “/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_start.py”, line 66, in __init__
        self.__start_jail__()
        File “/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_start.py”, line 391, in __start_jail__
        silent=self.silent)
        File “/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_common.py”, line 81, in logit
        _callback(content, exception)
        File “/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_common.py”, line 64, in callback
        raise callback_exception(message)
        RuntimeError: mount_nullfs: /mnt/Vault/iocage/jails/nextcloud/root/mnt/data: Resource deadlock avoided
        jail: /sbin/mount -t nullfs -o rw /mnt/Vault/cloud /mnt/Vault/iocage/jails/nextcloud/root/mnt/data: failed

        “””

        The above exception was the direct cause of the following exception:

        Traceback (most recent call last):
        File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 161, in call_method
        result = await self.middleware.call_method(self, message)
        File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 1109, in call_method
        return await self._call(message[‘method’], serviceobj, methodobj, params, app=app, io_thread=False)
        File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 1046, in _call
        return await self._call_worker(serviceobj, name, *args)
        File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 1073, in _call_worker
        job,
        File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 1004, in run_in_proc
        return await self.run_in_executor(self.__procpool, method, *args, **kwargs)
        File “/usr/local/lib/python3.6/site-packages/middlewared/main.py”, line 989, in run_in_executor
        return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
        RuntimeError: mount_nullfs: /mnt/Vault/iocage/jails/nextcloud/root/mnt/data: Resource deadlock avoided
        jail: /sbin/mount -t nullfs -o rw /mnt/Vault/cloud /mnt/Vault/iocage/jails/nextcloud/root/mnt/data: failed

        1. Phil, this is difficult for me to debug because I don’t have all the details about your system that I would require to help. On the face of it, this error is caused by “nullfs avoiding a deadlock of the system by doing a duplicate mount”. One possible cause for this would be trying to mount the same directory twice; did you replace the existing fstab entry with what I suggested, or just add it to what was already there?

          In tackling these problems in the future, often the easiest way is just to google the error message you’re getting. In this case the error you’re interested in is indicated by the line beginning with RuntimeError. Simply analysing this line and googling “Resource deadlock avoided FreeNAS” provided a number of links that indicated what the problem may be. That’s all I’m doing! Also, as I’ve mentioned in the blog post, the #freenas IRC channel is immensely helpful for these kinds of questions – people are able to help debug in real time, and are much more knowledgeable than I am 🙂

          I suspect that this is an issue with the fstab file, and its entries. If worst comes to worst, you could just delete the contents of this file (using iocage fstab -e nextcloud as discussed before), and go over the section of the guide addressing the construction of these mounts again, paying special attention to the differences in naming conventions between your configuration and mine. You may also need to reboot your system to free any locked resources, or manually unmount the rogue entry. I would suggest a reboot is the simpler way to go though.

          1. Hello Samuel! Thank you for all of the help. I ended up doing a clean install of FreeNas and ran through your tutorial again. All is well! Scored well on the test sites. Amazing tutorial! Thank you!
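The fstab mistakes worked through in this thread (a relative or host-side destination, /mnt/vault versus /mnt/Vault, a missing destination directory, the same destination mounted twice) can be caught on the host before the jail is started. The script below is an added example, not part of the original comments or of iocage; check_jail_fstab, case_hint and the throwaway directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not iocage code): lint raw jail fstab lines of the form
# "src dst nullfs rw 0 0" on the host before starting the jail.

# Print a sibling that differs only by letter case from the first missing
# component of path $1 (the /mnt/vault vs /mnt/Vault mix-up); fail if none.
case_hint() {
    cur="" rest=${1#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        if [ ! -e "$cur/$part" ]; then
            want=$(printf '%s' "$part" | tr '[:upper:]' '[:lower:]')
            for cand in "$cur"/*; do
                have=$(printf '%s' "${cand##*/}" | tr '[:upper:]' '[:lower:]')
                if [ "$have" = "$want" ]; then printf '%s\n' "$cand"; return 0; fi
            done
            return 1
        fi
        cur="$cur/$part"
    done
    return 1
}

# Record one finding against the entry currently being checked.
bad() { found=$((found + 1)); echo "entry $idx: $1"; }

# Lint fstab file $2 against jail root $1. Entries are numbered from 0 like
# the INDEX column of `iocage fstab -l`. Returns 0 only if nothing was found.
check_jail_fstab() {
    jail_root=${1%/} idx=-1 found=0 seen=""
    while read -r src dst fstype opts _rest || [ -n "$src" ]; do
        case $src in ''|'#'*) continue ;; esac
        idx=$((idx + 1))
        case $src in
            /*) if [ ! -d "$src" ]; then
                    if hint=$(case_hint "$src"); then
                        bad "source $src not found, but $hint exists (letter case?)"
                    else
                        bad "source $src is not an existing directory on the host"
                    fi
                fi ;;
            *)  bad "source $src is not an absolute host path" ;;
        esac
        case $dst in
            */../*|*/..) bad "destination $dst contains '..'" ;;
            "$jail_root"/*)
                if [ ! -d "$dst" ]; then
                    bad "destination $dst does not exist (mkdir it first)"
                fi ;;
            *)  bad "destination $dst is not under jail root $jail_root" ;;
        esac
        if printf '%s\n' "$seen" | grep -Fxq -e "$dst"; then
            bad "destination $dst already used by an earlier entry"
        fi
        seen="$seen
$dst"
        if [ "$fstype" != nullfs ]; then bad "type '$fstype' is not nullfs"; fi
        case $opts in rw|ro) ;; *) bad "options '$opts' must be rw or ro" ;; esac
    done < "$2"
    [ "$found" -eq 0 ]
}

# Constructed demo: a throwaway tree that mimics the layouts from the thread.
demo() {
    t=$(mktemp -d) || return 1
    root="$t/mnt/Vault/iocage/jails/nextcloud/root"
    mkdir -p "$t/mnt/Vault/cloud" "$t/mnt/Vault/apps/db" "$root/var/db/mysql"
    cat > "$t/fstab" <<EOF
$t/mnt/vault/cloud $root/mnt/data nullfs rw 0 0
$t/mnt/Vault/apps/db $root/var/db/mysql nullfs rw 0 0
$t/mnt/Vault/cloud $root/var/db/mysql nullfs (rw/ro) 0 0
mnt/Vault/cloud $t/mnt/Vault/apps/db nullfs rw 0 0
EOF
    rc=0
    check_jail_fstab "$root" "$t/fstab" || rc=$?
    rm -rf "$t"
    return "$rc"
}

demo || echo "findings reported above"
```

On a real host the input would be the jail's fstab file itself (the raw lines, not the table drawn by `iocage fstab -l`), with the jail root taken from the destination column of that listing.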

  17. Hi Samuel,

    Fantastic guide and very nice work! I installed on my freenas machine in a jail without problem and got A+ security rating from the nextcloud scan.

    I’m wondering if you have any tips or recommendation on how I can use a reverse proxy jail to put nextcloud behind one. I’m asking mainly about changing my current configuration of the nextcloud jail so it works with a reverse proxy.

    1. Hi Magnus, Unfortunately, I’ve never set up a reverse proxy jail so no advice to give. I did find this thread on the FreeNAS forums that might be helpful though 🙂 Hope it helps, good luck! Cheers

  18. Hi Samuel. Just a quick question. I’d like to reboot my server, any potential issues I need to look out for while I do this?

    1. Nope! It’s probably a good idea to reboot to identify any misconfigurations you may have (if you have them) anyway 🙂

  19. Hi Samuel

    Great guide by the way. It must have taken forever to write it up. I’m not sure I would have had the patience, however thanks.

    That said I’d like to touch on a few points since it took me about 2 whole days to set some things up that are a little different than yours. I’m on FreeNAS 11.2

    I installed nextcloud-php72 and can say that everything is working. I didn’t try nextcloud-php73
    I really enjoyed the way you described your dataset layout. In your guide when you mounted the respective directories in the jail, I just wanted to let you know this can be done also within the FreeNAS GUI. I’m not much of a GUI guy however when directories are manually mounted on the command line, they never show within the FreeNAS GUI. It’s helpful months later to go back to the GUI and see what directories are mounted since I usually forget the command line statements. I’m specifically referring to the iocage fstab portion of the guide
    Mysql — arg!!! How many times can I say I messed this portion up after forgetting the passwords. Not to fear however, this process can totally be undone. This isn’t the only command so I would suggest the user may want to google however
    mysql -e "drop database nextcloud" -p
    will drop the entire database table for nextcloud. The following statement will also drop the nextcloud_admin user from the database
    DROP USER 'nextcloud_admin'@'localhost'
    If you totally forget the root password to the mysql database (yep, did that too), it can be reset as well. I’d refer to the bottom section of this link or google the process. There are a lot of tutorials:
    https://dev.mysql.com/doc/refman/8.0/en/resetting-permissions.html
    redis — Yikes – Major stumbling block here. I had to chown a few of the files and change attributes. I picked this up through tail -f /var/log/nextcloud
    chown redis:wheel /tmp/redis.sock
    chmod 777 /tmp/redis.sock
    chown redis:wheel /usr/local/etc/redis.conf
    chmod 777 /usr/local/etc/redis.conf
    sudo service redis restart
    — Side note to all users. Watching log files is unfortunately a necessary evil when installing these things because things break. What I like to do is pop open at least 2 terminal windows and either use ssh or the jail exec (Jail#) bash to log in to the jail. Within one terminal window you can enter the commands as set in this guide. Within either the 1 or 2 additional terminal windows I use the command tail -f which puts the realtime output onto the screen. It’s really helpful.
    Note on my directory structure. The guide is written so the principal domain name is linked to nextcloud. In my particular installation, I didn’t want my website to be served like this. Using the domain name mydomain.com as an example, I wanted http://www.mydomain.com and mydomain.com to be linked to the “main” website, and nextcloud.mydomain.com to actually be linked to the nextcloud installation. It took me a while to figure this one out, however it’s totally possible to do this.
    Within /usr/local/www there is a nextcloud directory which will serve as the DocumentRoot for nextcloud.mydomain.com
    Also within /usr/local/www I created a subdirectory called main which will serve as the DocumentRoot for http://www.mydomain.com (and mydomain.com).
    Within the /usr/local/etc/apache24/Includes directory, I needed to actually create two files nextcloud.mydomain.com.conf and mydomain.com.conf. I pretty much followed all of your statements but had to make the following changes to get things to work:
    Within the mydomain.com.conf – change it to something like this (assuming SSL is installed):

    ServerName www.mydomain.com
    ServerAlias mydomain.com

    DocumentRoot "/usr/local/www/main"

    Redirect permanent / https://www.mydomain.com/

    ServerAdmin @.com
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    DocumentRoot /usr/local/www/main #<—-Notice the directory — this can be changed to the directory or directory mount that holds the main website files
    …… <—————————- This means include all the other stuff after these statements

    Within the nextcloud.mydomain.com.conf file I did something like:

    ServerName nextcloud.mydomain.com

    DocumentRoot "/usr/local/www/nextcloud"

    Redirect permanent / https://nextcloud.mydomain.com/

    ServerAdmin @.com
    ServerName nextcloud.mydomain.com
    DocumentRoot /usr/local/www/nextcloud #<—–Notice the directory for this subdomain
    …….. <——-Put all other config statements here

    I wanted to touch on the LetsEncrypt section. Another very painful step. I wasn’t using Amazon or any DNS resolver so this section wasn’t working for me. Some tips however. Personally I bought a domain name and have it registered with noip.com. I have the following domains — http://www.mydomain.com, mydomain.com and nextcloud.mydomain.com. They all resolve however to the same IP address since I’m running a home server on FreeNAS. I’m using the FreeNAS DynamicDNS client to update these domains. I had a previous old webserver which I set up LetsEncrypt certs and I copied the entire directory to /usr/local/etc/letsencrypt. Just to be sure that within this directory there are subdirectories called accounts, archive, csr, keys, live, renewal, renewal-hooks. Whether you are copying the certs or creating them from scratch you need to also however create a couple of subdirectories for either the activation or renewal process to work. (This is probably why you mentioned the process didn’t work for you).

    Within /usr/local/www/main (If you have this directory structure you have to do this):
    mkdir -p /usr/local/www/main/.well-known
    mkdir -p /usr/local/www/main/.well-known/acme-challenge
    chown -R www:www /usr/local/www/main

    Within /usr/local/www/nextcloud:
    mkdir -p /usr/local/www/nextcloud/.well-known
    mkdir -p /usr/local/www/nextcloud/.well-known/acme-challenge
    chown -R www:www /usr/local/www/nextcloud
    After making these directory structures, you can then either create or renew the letsencrypt certificates.
    Admittedly this isn’t the only way to do this, however what I wanted was for my http://www.mydomain.com and mydomain.com certs to be associated with mydomain.com (which the DocumentRoot for this domain is /usr/local/www/main) and the nextcloud.mydomain.com to be associated with nextcloud.mydomain.com (which the DocumentRoot for this domain is /usr/local/www/nextcloud). What is needed however is for the .well-known/acme-challenge directory structure to be in place for whatever domains and webroots you are associating with your certificates or the process will fail.
    After I copied my letsencrypt directory to the new server, I needed to forward ports 80 and 443 to the router to point at the machine and then reran something similar to the following to allow the certs to be setup for my particular structures:
    certbot certonly --cert-name mydomain.com -d mydomain.com,www.mydomain.com,nextcloud.mydomain.com

    I also tested the security of my ssl setup at https://www.ssllabs.com/ssltes. Based on your settings and the link for the Mozilla site I received A+. Thanks for your tips

  20. Thank you very much for this guide, in particular for stating the reasoning for your configuration steps in detail.
    However, I’m currently quite doubtful which approach I should take for installing Nextcloud on FreeNAS 11.2 for a small private family cloud (eg. syncing contacts, backing up images from the smartphone and so on). Although I have some experience on Linux systems I’m rather new to FreeNAS/BSD. And it seems to me that at the moment the FreeNAS community is missing a real roadmap for Nextcloud. There is the Nextcloud plugin, the danb35 installation script, your excellent guide and the idea of using a Docker VM with a Nextcloud template. All very confusing. Do you know anything about the status of the plugin? Does it include any of your security considerations? Have you ever considered to get involved in the maintenance of the plugin?

    1. Hi Markus,

      As far as installation alternatives you’ve essentially hit the nail on the head; these are the options you have. This isn’t specific to Nextcloud though; you have these options for most programs that you would install on FreeNAS. It comes down to what you’re looking to get out of it I guess; manual installation using the method I’ve presented gives you some confidence about what you’re installing and you’ll know exactly what security precautions have been taken – you can then add or remove from this as you see appropriate for your use case. You’ve correctly identified that this is somewhat less obvious in the case of the plugin. I’ve never used the plugin, so I can’t really comment on its current status, but I know that it has previously been subject to a poor maintenance schedule, and has fallen behind the release schedule by quite a margin. By all accounts this isn’t presently the case, but it’s something to consider. If you’re not interested in having the manual control and understanding provided by configuring everything yourself, danb35’s script is a good solution. At least with this script you’ll have much broader support and an ability to fix any configuration issues in a more traditional way (it’s just a FreeBSD jail; you can find support for this in the freebsd community); problems with the plugin can be difficult to identify and fix (at least for me), and are less straightforward to rectify if you’re relying on the plugin maintainer to make changes.

      Plugin maintenance is something I’ve not had any exposure to, so it’s not something I’m presently considering. I am considering adding some of the security configurations to danb35’s script, but I have a lot of other things on my plate to keep me busy at this stage 🙂 Hope this helps.

      1. Hi Samuel,
        Guess what: I followed your guide and it works perfectly. I’m on FreeNAS 11.2 and tried to always use the latest packages: mariadb10.3, php7.3, nextcloud 15 and everything runs fine. I only had problems to get py36-certbot running probably because I just don’t get it how python 3.6 is activated. Nonetheless py27-certbot works.
        Thank you very much, Markus

  21. Hi Sam, one other question I have. You stated, “The second, “jailhouse”, is a 500GB Samsung SSD, and is the pool I store all of my jails on so that they benefit from the faster IO operations an SSD affords.” But later you say, “The remaining dataset is the ‘iocage’ dataset. This is created automatically when you create a jail, so you don’t need to worry about doing anything here, however it is important to note that this is where the local storage for your iocage jails is held.” So I’m a little confused about your configuration. Do you actually store the jails in the “jailhouse” pool or the “iocage” dataset? Thanks!

    1. Hi Andrew, In my configuration the iocage dataset is stored under the jailhouse root dataset of the jailhouse pool. The jailhouse pool is associated with the SSD. Each pool will have a root level dataset associated with it with the same name. You might have to specify the jail root to be the jailhouse pool. Does this clear things up? I’ve realised the directory structure in the post is a bit misleading so I’ve fixed that up. Cheers

  22. I may have missed something, but under the “…” menu for the nextcloud datasets that I’ve created, I do not have “Edit Permissions”. The available choices are, from top to bottom: “Add Dataset”, “Add Zvol”, “Edit Options”, “Delete Dataset”, and “Create Snapshot.” Any ideas?

    1. I’ve answered my own question. If you create the nextcloud datasets within the “iocage” dataset, as I mistakenly did, then apparently there is no “Edit Permissions” option. So, I will delete and recreate these sets outside of “iocage”. I am, however, confused: why wouldn’t we want to create the jail first, then use the directory structure that exists within the jail?

      1. Hi Oscar, as I discuss (perhaps later) in the guide, the reason we use a directory structure outside of the jail is so that the data we’re storing is independent of the jail. If you used the jail directory structure all your data would be erased every time you nuked the jail. This way, if you have to upgrade your jail, or misconfigure it irreparably, it’s trivial to create a new jail and be back up and running relatively quickly. Note that the jail directory structure is deleted when a jail is deleted. Of course, you’re welcome to forge your own path as well; this was just how I preferred to set it up.

  23. Based on recent nextcloud updates, I think you should add also this command to the guide:
    su -m www -c 'php /usr/local/www/nextcloud/occ db:convert-filecache-bigint'

    The settings page of nextcloud requested it.

    Thanks for the guide!

        1. I don’t think it’s that straightforward. I had to do the same conversion upgrading from 14.0.3 to 15.0.1. I’ll have to do some testing to see when it’s required.

      1. At the end. Once you’ve got everything else set up and working, if you navigate to Settings > Overview in the web browser and see an error message indicating that this command needs to be run (The error message literally has the command you need to run in it), then you’ll need to run this command to upgrade your database schema.

          1. Yes, just as he has it. It runs a command as the www user. The quotes allow you to be explicit about what command to run as www, namely everything contained by the quotes.

  24. Many thanks for this really great guide!
    I just recently did an upgrade from Freenas 11.0 to 11.2 which sort of broke all of my warden jails so I decided not to maintain these soon to be obsolete ones anymore and jump the iocage train instead.
    This made me switch some of the apps I used to newer/better alternatives (eg. Transmission>qBittorrent) and also set up a Nextcloud from scratch as I want to know what’s happening under the hood especially when things are facing the interwebs.
    Your guide really helped me a lot – mainly the security hardening part which I found very comprehensive and straightforward.
    Can’t see any donation option on your site so as a thank you I’ll post some info on problems I had to deal with during the process and which I think someone may find useful.

    Nextcloud installation breaks after a HTTP 504 “Gateway Timeout” error.

    – Uninstall the nextcloud pkg and remove its configuration
    – In MariaDB execute:
    DROP USER 'nextcloud_admin'@'localhost';
    DROP DATABASE nextcloud;
    Then start again from setting up the DB and installing Nextcloud

    Postfix configuration

    – Do not use google aliases like username+alias@gmail.com to log in to gmail account
    – Try to send a test email and look closely at postfix log, If everything is fine with the configuration it should eventually say that you need to issue an application specific password for Nextcloud’s Postfix in your Google Account’s “Security” tab.
    – Update the sasl_passwd file to include google app specific password and re-run postmap /usr/local/etc/postfix/sasl_passwd

    (This one is network setup specific for those who are on the routers without reverse NAT)
    After setting up the SSL certificate and forcing HTTPS connection you will lose the possibility to connect to Nextcloud locally via its IP address as when trying to connect you will be redirected to Nextcloud’s HTTPS domain name and the connection will eventually fail.

    – Add another port (eg. 7777) to /usr/local/etc/apache24/httpd.conf on which you will connect to Nextcloud via local IP (eg. 192.168.0.7):

    Listen 80
    Listen 443
    Listen 7777
    ….

    Add a vhost declaration to your domain config in /usr/local/etc/apache24/Includes/your_domain.conf:

    ServerName 192.168.0.7
    DocumentRoot "/usr/local/www/nextcloud"

    SetHandler "proxy:fcgi://127.0.0.1:9000/"

    DirectoryIndex /index.php index.php

    Now you should be able to connect both locally using 192.168.0.7:7777 as well as from the web using Nextcloud’s domain name.

    Bigint conversion the proper way (using occ maintenance mode):
    su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ maintenance:mode --on'
    su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ db:convert-filecache-bigint'
    su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ maintenance:mode --off'
    Watch closely for typos and if you happen to set up Nextcloud using Freenas jails shell and you want to copy some of the code from this guide to text files on Nextcloud storage using Windows PC and then “cat >>” this code to your config files – remember to clean the text files from Windows specific hidden characters.

    – show hidden chars:
    cat -e /mnt/data/admin/files/file.txt
    – install converter:
    pkg install unix2dos
    – remove hidden chars:
    dos2unix /mnt/data/admin/files/file.txt

    In my case everything else went smooth (even the cert issuing part) on Nextcloud 15 / php 7.2.15 / openssl 1.0.2o / apache 2.4.38 / python 2.7.15
    Thanks again Samuel for your work!

  25. Great guide, I actually had it up and running for a short bit, but when I get to CACHING AND REDIS now the site just comes up with

    Internal Server Error

    The server encountered an internal error and was unable to complete your request.
    Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
    More details can be found in the webserver log.

    I’ve looked into the logs and there wasn’t anything in it.

    Apache error

    [proxy_fcgi:error] [pid 54466] [client 192.168.10.254:8673] AH01071: Got error ‘PHP message: PHP Parse error: syntax error, unexpected ‘array’ (T_ARRAY), expecting ‘)’ in /usr/local/www/nextcloud/config/config.php on line 12\n’
    [Tue Mar 05 20:13:30.992060 2019] [proxy_fcgi:error] [pid 54468] [client 192.168.10.254:8675] AH01071: Got error ‘PHP message: PHP Parse error: syntax error, unexpected ‘array’ (T_ARRAY), expecting ‘)’ in /usr/local/www/nextcloud/config/config.php on line 12\n’
    [Tue Mar 05 20:13:31.759532 2019] [proxy_fcgi:error] [pid 54469] [client 192.168.10.254:8676] AH01071: Got error ‘PHP message: PHP Parse error: syntax error, unexpected ‘array’ (T_ARRAY), expecting ‘)’ in /usr/local/www/nextcloud/config/config.php on line 12\n’

    I’m not 100% sure where I went wrong. After the initial configuration and install it was all working. I’m sure I stuffed something up somewhere. I installed PHP72 on the box. It left me scratching my head; any pointers would be appreciated. Thanks again.

    1. It looks like your config.php file is messed up. Probably missing a semicolon or parentheses. Did you try looking at the file closely?

  26. Hey Kevdog,
    You were totally right my friend, I missed the ‘domain.com’, after 1 =>. I’m such an idiot, I was in there like 10 times too and just didn’t notice. Thanks a lot everyone, up and running, onto securing it now. Thanks again.

  27. Fantastic, detailed walkthrough article. It is hard to find how-to articles that go into the how’s and why’s of what given settings are. I’m sure it took you a lot of extra time to include the extra detail, but not only do I now have Nextcloud migrated from being hosted on a Raspberry Pi to my FreeNAS box I understand more of the inner workings as well. A+, thank you very much

  28. I’m sorry to ask a silly question but I get as far as inputting the following code:

    su -m www -c ‘php /usr/local/www/nextcloud/occ config:system:set redis host –value=”/tmp/redis.sock”‘

    but it gives me the error:

    Could not open input file: /usr/local/www/nextcloud/occ

    If I try to move forward with the next step it keeps giving me this error.

    If it helps to solve this, I think a part of my problem is that I input the following 2 lines first but forgot to change it to php72.

    $ pkg install php71-pecl-redis
    $ pkg install php71-pecl-APCu

    I went back and changed it to php72 and re-input the 2 lines but I think the damage has been done. Can anyone help me with this?

    1. A couple of things to check:
      1. Are you copying the command directly from the post? You should. In what you’ve posted here, you just have -value, it should be --value
      2. Do you actually have Nextcloud installed? Navigate to /usr/local/www/nextcloud to see if the program occ is actually present, i.e:

      $ cd /usr/local/www/nextcloud
      $ ls -l

      Try to find occ in the resulting list. If nextcloud isn’t installed, nothing will appear at this point. It’s possible that by uninstalling php71-pecl-redis and php71-pecl-APCu, necessary packages to nextcloud were also removed, or nextcloud was removed. It might be worth just starting over again to avoid some of these debugging headaches.

      Cheers.

      1. Thank you for the info Samuel. I copied the command directly from the post but if it needs the -- I will insert it when I try it again. Also, when I paste the commands you gave me it does not show the occ, so it looks like I have to start over on this =(. Thank you for all your help, you are awesome!

  29. root@bgnas:~ # iocage list
    +-----+-----------+-------+--------------+------------+
    | JID | NAME      | STATE | RELEASE      | IP4        |
    +=====+===========+=======+==============+============+
    | 2   | nextcloud | up    | 11.1-RELEASE | 10.0.0.230 |
    +-----+-----------+-------+--------------+------------+
    root@bgnas:~ # jexec 2 tcsh
    root@nextcloud:/ # ee /etc/pkg/FreeBSD.conf
    ^[ (escape) menu ^y search prompt ^k delete line ^p prev li ^g prev page
    ^o ascii code ^x search ^l undelete line ^n next li ^v next page
    ^u end of file ^a begin of line ^w delete word ^b back 1 char ^z next word
    ^t top of text ^e end of line ^r restore word ^f forward char
    ^c command ^d delete ESC-Enter: exit
    =====line 11 col 48 lines f ===========================

    $FreeBSD: releng/11.1/etc/pkg/FreeBSD.conf 320745 2017-07-06 17:22:33Z gjb $

    #

    To disable this repository, instead of modifying or removing this file,

    create a /usr/local/etc/pkg/repos/FreeBSD.conf file:

    #

    mkdir -p /usr/local/etc/pkg/repos

    echo “FreeBSD: { enabled: no }” > /usr/local/etc/pkg/repos/FreeBSD.conf

    #

    FreeBSD: {
    url: “pkg+http://pkg.FreeBSD.org/${ABI}/latest”,
    mirror_type: “srv”,
    signature_type: “fingerprints”,
    fingerprints: “/usr/share/keys/pkg”,
    enabled: yes
    }

    “/etc/pkg/FreeBSD.conf” 16 lines, 503 characters
    root@nextcloud:/ # pkg update
    The package management tool is not yet installed on your system.
    Do you want to fetch and install it now? [y/N]: y
    Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest, please wait…
    pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest/Latest/pkg.txz: No address record
    A pre-built version of pkg could not be found for your system.
    Consider changing PACKAGESITE or installing it from ports: ‘ports-mgmt/pkg’.
    root@nextcloud:/ # pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest/Latest/pkg.txz: No address record
    pkg:: Too many arguments.
    root@nextcloud:/ # A pre-built version of pkg could not be found for your system.
    A: Command not found.
    root@nextcloud:/ # Consider changing PACKAGESITE or installing it from ports: ‘ports-mgmt/pkg’.
    root@nextcloud:/ # pkg install nano
    The package management tool is not yet installed on your system.
    Do you want to fetch and install it now? [y/N]: y
    Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest, please wait…
    ^C
    root@nextcloud:/ # ping pkg.FreeBSD.org
    ping: cannot resolve pkg.FreeBSD.org: Host name lookup failure
    root@nextcloud:/ # vi /etc/resolv.conf

    Generated by resolvconf

    search com
    nameserver 10.0.0.201
    nameserver 10.0.0.202
    nameserver 8.8.8.8

    :q
    root@nextcloud:/ # ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
    epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8
    ether 02:ff:60:ba:b5:82
    hwaddr 02:05:a0:00:06:0b
    inet 10.0.0.230 netmask 0xff000000 broadcast 10.255.255.255
    nd6 options=1
    media: Ethernet 10Gbase-T (10Gbase-T )
    status: active
    groups: epair

    Dear,
    I am new to this iocage configuration but I am stuck here while following your method. I feel I am not able to connect to the internet or the FreeBSD package repository. Something went wrong while creating the VNET.
    Please guide. Now I have to install all of the
    following
    $ pkg update
    $ pkg install nano
    $ pkg install apache24
    $ sysrc apache24_enable=yes
    $ service apache24 start

    $ pkg install mariadb102-server
    $ sysrc mysql_enable=yes
    $ service mysql-server start
    $ mysql_secure_installation

    1. Hi Naufal,

      This isn’t something I can effectively help you debug in this forum. It looks like your analysis of this is right; it looks like your jail doesn’t have internet connectivity. Some steps you can take are to try to ping your name servers, i.e. ping 8.8.8.8 to see if you get a response, and then see if you can contact the freebsd servers: nslookup freebsd.org, and if neither of those work, see if you can ping your Freenas host or router, ping 192.168.0.2 (replace with freenas ip), ping 192.168.0.1 (replace with router ip). It might be worth executing ifconfig on your freenas host to see if the jail vnet interface is present in bridge0 along with your network interface. In my case, my network interface is igb0, yours might be different. If it’s not there, you’ll need to add your network interface to the bridge so your jails have internet access. This is all speculation on my part though, if you want to resolve this I’d really recommend visiting the freenas forums or the #freenas IRC channel.

      Good luck!

  30. Hey Samuel

    I know about the upgrade options however I’m pretty much trying to stick to the freebsd of pkg update cycle and not upgrade through nextcloud itself. I recently saw some of my packages for nextcloud were pushed and installed through pkg. I’m now presented with this option through nextcloud — https://imagebin.ca/v/4amQEKNji7Vj

    Is there anything specific I need to do at this point like put occ in maintenance mode or anything prior to proceeding? I’m asking because upgrades have screwed my prior install before in the distant past.

    1. Kevdog,

      My experience with the upgrade procedure is that it hasn’t been smooth, and I think you might have to accept some risk in breaking your installation (hence the advice to back everything up before attempting in the image you linked). Putting your installation in maintenance mode does seem prudent, especially if you have other users using your cloud service. The problems I’ve had in the past have been related to app configuration not updating properly; I’m not sure if this was an issue with the freebsd pkg or Nextcloud itself, though. I wish I had better advice for you, but it’s not a process I’ve had a significant amount of experience with yet 🙂 Good luck!

  31. Question since I can’t seem to find an answer. I upgraded nextcloud and now I’m getting within the apps section – says no apps found for your version. https://pasteboard.co/I6xj80H.png

    I’m not sure what to do. I restarted the apache24, redis, and php-fpm services.

    Personal rant — nextcloud updating sucks!! The system seems very easy to break. Nextcloud is not very robust.

    1. I feel you dude. I had issues when I last upgraded to 15.0.0. As far as apps go, prior to updating there is a check done to make sure there is a compatible app version for the proposed upgrade:

      This indicates that all of the apps that I have installed are compatible with 15.0.5, but you probably have a more expansive set of apps installed, which is where the problems are arising. Nextcloud’s robustness seems to be its primary disadvantage. It was something that I hadn’t really considered too closely when writing this guide, and so it may in fact be better to install it directly from nextcloud’s distribution rather than from pkg. You could then just use the web updater, which seems like it may provide a better upgrade experience (I have limited experience with this though, and I have heard that it has been not-so-great in the past; it seems like these issues may have been fixed but I’m really not sure).

      Regardless, to help solve your current problem, you can go through the problem app’s configuration xml in /usr/local/www/nextcloud/apps-pkg/<name of app here>/appinfo/info.xml. Have a poke around and see if you can identify what’s wrong there. What fixed an issue in the past for me was that this file had a max-version="14" property, which caused errors upgrading to 15. Changing it allowed me to start nextcloud up and get everything working, but it triggered integrity check warnings, as the hashes of these files no longer matched the files because I edited it. I never worked out a solution to this, but I suspect it would have involved installing each app again from source so that the hashes matched what was listed and the integrity checks passed.

      Moving forward though, I strongly suggest checking out the #nextcloud IRC channel on freenode. There are a number of very knowledgeable and helpful users you can have a real time dialogue with about problems there; this is usually my first stop for support when things go wrong that I don’t know anything about.

  32. Hi Team, after getting everything working, I did a restart on my Freenas server and now the nextcloud iocage will not start. Any ideas why?

    root@freenas:~ # iocage list
    +-----+-----------+-------+--------------+-----------+
    | JID | NAME      | STATE | RELEASE      | IP4       |
    +=====+===========+=======+==============+===========+
    | -   | nextcloud | down  | 11.1-RELEASE | 10.0.0.15 |
    +-----+-----------+-------+--------------+-----------+
    root@freenas:~ # iocage start nextcloud
    * Starting nextcloud
    + Start FAILED
    mount_nullfs: /mnt/cloud: No such file or directory
    jail: /sbin/mount -t nullfs -o rw /mnt/cloud /mnt/iocage/jails/nextcloud/root/mnt/data: failed

    root@freenas:~ #

    1. Hi David,

      Head to your terminal and type

      root@freenas:~ # ls /mnt/cloud
      

      I think you’ll find that you don’t have a dataset named this. In the guide I provide, it’s /mnt/vault/cloud, where vault is the name of the pool that the cloud dataset lives on. You can edit the fstab for nextcloud by running:

      
      root@freenas:~ # setenv EDITOR nano
      root@freenas:~ # iocage fstab -e nextcloud
      

      Make the necessary changes, try to restart the jail:

      
      root@freenas:~ # iocage start nextcloud
      

      Then restart your NAS to make sure that these changes will persist moving forward.
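Both mount failures discussed in this thread, an fstab entry added next to an existing one for the same mount point (the “Resource deadlock avoided” case) and a source path missing its pool name (/mnt/cloud instead of /mnt/vault/cloud), can be caught before running iocage start. The script below is an added example, not part of the guide or of any comment; it assumes the jail fstab uses the standard fstab(5) columns, and the function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a jail fstab made of nullfs mounts.
# Assumed line format (standard fstab(5) columns):
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# check_jail_fstab FILE
# Prints one finding per line. Returns 0 when the file is clean,
# 1 when at least one problem was found, 2 when FILE is unreadable.
check_jail_fstab() {
    fstab_file=$1
    problems=0
    lineno=0
    seen_targets=""

    if [ ! -r "$fstab_file" ]; then
        echo "UNREADABLE $fstab_file"
        return 2
    fi

    # "|| [ -n "$src" ]" keeps a final line that lacks a trailing newline.
    while read -r src target fstype _rest || [ -n "$src" ]; do
        lineno=$((lineno + 1))
        case "$src" in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        if [ -z "$target" ] || [ -z "$fstype" ]; then
            echo "MALFORMED line $lineno"
            problems=$((problems + 1))
            continue
        fi
        [ "$fstype" = "nullfs" ] || continue

        # Source must exist on the host (catches a missing pool name).
        if [ ! -d "$src" ]; then
            echo "MISSING_SOURCE line $lineno: $src"
            problems=$((problems + 1))
        fi

        # Each mount point may appear only once (catches an entry that was
        # added alongside an older one instead of replacing it).
        if printf '%s' "$seen_targets" | grep -Fxq -- "$target"; then
            echo "DUPLICATE_TARGET line $lineno: $target"
            problems=$((problems + 1))
        else
            seen_targets="${seen_targets}${target}
"
        fi
    done < "$fstab_file"

    [ "$problems" -eq 0 ]
}

# Builds a throwaway directory tree and a constructed fstab, then checks it.
# Line 3 of the sample omits the pool name and reuses the mount point of line 2.
run_constructed_sample() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/vault/cloud" "$d/jailhouse/apps/nextcloud/config"
    {
        echo "# constructed sample entries"
        echo "$d/vault/cloud $d/jail/root/mnt/data nullfs rw 0 0"
        echo "$d/cloud $d/jail/root/mnt/data nullfs rw 0 0"
        echo "$d/jailhouse/apps/nextcloud/config $d/jail/root/usr/local/www/nextcloud/config nullfs rw 0 0"
    } > "$d/fstab"
    status=0
    check_jail_fstab "$d/fstab" || status=$?
    rm -rf "$d"
    return "$status"
}

# Stand-alone run: show the findings for the constructed sample.
# For a real jail, call check_jail_fstab with the path to that jail's fstab.
run_constructed_sample || true
```
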

        1. So after I updated the fstab I was able to start up the Jail again and it looked like I was able to access nextcloud but after I restarted my freenas server the jail still comes up and it’s running but I can no longer access my nextcloud. I have tried restarting my Jail and restarting freenas but with no luck.
          I’m stuck in the troubleshooting process and I can use some guidance on this.

          Here is what I have to help with this. Please let me know what other info I can provide you.

          root@freenas:~ # iocage list
          +-----+-----------+-------+--------------+-----------+
          | JID | NAME      | STATE | RELEASE      | IP4       |
          +=====+===========+=======+==============+===========+
          | 4   | nextcloud | up    | 11.1-RELEASE | 10.0.0.15 |
          +-----+-----------+-------+--------------+-----------+

          root@nextcloud:/ # service -e
          /etc/rc.d/cleanvar
          /etc/rc.d/netif
          /etc/rc.d/newsyslog
          /etc/rc.d/syslogd
          /etc/rc.d/virecover
          /etc/rc.d/motd
          /usr/local/etc/rc.d/redis
          /usr/local/etc/rc.d/postfix
          /usr/local/etc/rc.d/php-fpm
          /usr/local/etc/rc.d/mysql-server
          /usr/local/etc/rc.d/apache24
          /etc/rc.d/cron

          root@nextcloud:/ # /var/log/nextcloud/nextcloud.log
          /var/log/nextcloud/nextcloud.log: Permission denied.

          root@nextcloud:/ # /var/log/httpd-error.log
          /var/log/httpd-error.log: Permission denied.

          1. Hi David, can you be more explicit about what you mean by “can no longer access my nextcloud”? What’s the nature of your inability to access; authentication? Can’t get to the web UI? You can’t see any files? What are the symptoms?

            Looking through the logs is what you want to do, so good start there. The problem is you’ve just specified a directory without an application, which is why you’re getting Permission denied. Change your commands to:

            root@nextcloud:/ # nano /var/log/nextcloud/nextcloud.log
            root@nextcloud:/ # nano /var/log/httpd-error.log
            
  33. Sorry for not being specific. I’m not able to access the web UI either by the HTTPS site or by typing in the Jail IP address.

    Thank you for clarifying nano. I was able to pull up both logs but the first one, “nextcloud.log”, was blank. However, this is what the “httpd-error.log” is showing:

    [Sat Mar 23 11:20:15.625039 2019] [mpm_prefork:notice] [pid 57360] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operati$
    [Sat Mar 23 11:20:15.625240 2019] [core:notice] [pid 57360] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sat Mar 23 11:32:49.986022 2019] [mpm_prefork:notice] [pid 57360] AH00171: Graceful restart requested, doing restart
    AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive gl$
    [Sat Mar 23 11:32:49.988657 2019] [mpm_prefork:notice] [pid 57360] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operati$
    [Sat Mar 23 11:32:49.988664 2019] [core:notice] [pid 57360] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sat Mar 23 11:40:21.506731 2019] [mpm_prefork:notice] [pid 57360] AH00169: caught SIGTERM, shutting down
    [Sat Mar 23 11:40:21.568723 2019] [mpm_prefork:notice] [pid 58895] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operati$
    [Sat Mar 23 11:40:21.568923 2019] [core:notice] [pid 58895] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sat Mar 23 11:40:59.954695 2019] [proxy_fcgi:error] [pid 58896] [client 10.0.0.12:63840] AH01071: Got error ‘Primary script unknown\n’
    [Sat Mar 23 11:41:11.834753 2019] [proxy_fcgi:error] [pid 58897] [client 10.0.0.12:63839] AH01071: Got error ‘Primary script unknown\n’
    [Sat Mar 23 11:46:16.582755 2019] [proxy_fcgi:error] [pid 58920] [client 185.235.245.21:33644] AH01071: Got error ‘Primary script unknown$
    [Sat Mar 23 11:54:12.727978 2019] [proxy_fcgi:error] [pid 58921] [client 213.81.189.88:39175] AH01071: Got error ‘Primary script unknown\$
    [Sat Mar 23 11:56:20.608675 2019] [mpm_prefork:notice] [pid 58895] AH00169: caught SIGTERM, shutting down
    [Sat Mar 23 11:56:20.670193 2019] [mpm_prefork:notice] [pid 60338] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operati$
    [Sat Mar 23 11:56:20.670376 2019] [core:notice] [pid 60338] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sat Mar 23 12:02:33.831677 2019] [mpm_prefork:notice] [pid 60338] AH00169: caught SIGTERM, shutting down
    [Sat Mar 23 12:02:33.892662 2019] [mpm_prefork:notice] [pid 60731] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operati$
    [Sat Mar 23 12:02:33.892865 2019] [core:notice] [pid 60731] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sat Mar 23 12:10:06.097636 2019] [mpm_prefork:notice] [pid 60731] AH00169: caught SIGTERM, shutting down
    [Sat Mar 23 12:10:06.157707 2019] [mpm_prefork:notice] [pid 60949] AH00163: Apache/2.4.38 (FreeBSD) configured — resuming normal operati$
    [Sat Mar 23 12:10:06.157909 2019] [core:notice] [pid 60949] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sat Mar 23 13:50:12.089278 2019] [mpm_prefork:notice] [pid 60949] AH00169: caught SIGTERM, shutting down
    [Sat Mar 23 13:50:12.156588 2019] [ssl:warn] [pid 65295] AH01882: Init: this version of mod_ssl was compiled against a newer library (Ope$
    [Sat Mar 23 13:50:12.165242 2019] [ssl:warn] [pid 65296] AH01882: Init: this version of mod_ssl was compiled against a newer library (Ope$
    [Sat Mar 23 13:50:12.165294 2019] [ssl:warn] [pid 65296] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
    [Sat Mar 23 13:50:12.167213 2019] [mpm_prefork:notice] [pid 65296] AH00163: Apache/2.4.38 (FreeBSD) OpenSSL/1.0.2k-freebsd configured — $
    [Sat Mar 23 13:50:12.167237 2019] [core:notice] [pid 65296] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sat Mar 23 13:53:19.511197 2019] [mpm_prefork:notice] [pid 65296] AH00169: caught SIGTERM, shutting down
    [Sat Mar 23 13:53:19.579399 2019] [ssl:warn] [pid 65389] AH01882: Init: this version of mod_ssl was compiled against a newer library (Ope$
    [Sat Mar 23 13:53:19.588815 2019] [ssl:warn] [pid 65390] AH01882: Init: this version of mod_ssl was compiled against a newer library (Ope$
    [Sat Mar 23 13:53:19.590617 2019] [mpm_prefork:notice] [pid 65390] AH00163: Apache/2.4.38 (FreeBSD) OpenSSL/1.0.2k-freebsd configured — $
    [Sat Mar 23 13:53:19.590639 2019] [core:notice] [pid 65390] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sat Mar 23 13:58:59.548214 2019] [mpm_prefork:notice] [pid 65390] AH00169: caught SIGTERM, shutting down
    [Sun Mar 24 12:07:24.685236 2019] [ssl:warn] [pid 53014] AH01882: Init: this version of mod_ssl was compiled against a newer library (Ope$
    [Sun Mar 24 12:07:24.699021 2019] [ssl:warn] [pid 53015] AH01882: Init: this version of mod_ssl was compiled against a newer library (Ope$
    [Sun Mar 24 12:07:24.700922 2019] [mpm_prefork:notice] [pid 53015] AH00163: Apache/2.4.38 (FreeBSD) OpenSSL/1.0.2k-freebsd configured — $
    [Sun Mar 24 12:07:24.700953 2019] [core:notice] [pid 53015] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sun Mar 24 12:11:26.157426 2019] [mpm_prefork:notice] [pid 53015] AH00169: caught SIGTERM, shutting down
    [Sun Mar 24 12:13:24.488585 2019] [ssl:warn] [pid 3395] AH01882: Init: this version of mod_ssl was compiled against a newer library (Open$
    [Sun Mar 24 12:13:24.498179 2019] [ssl:warn] [pid 3396] AH01882: Init: this version of mod_ssl was compiled against a newer library (Open$
    [Sun Mar 24 12:13:24.499759 2019] [mpm_prefork:notice] [pid 3396] AH00163: Apache/2.4.38 (FreeBSD) OpenSSL/1.0.2k-freebsd configured — r$
    [Sun Mar 24 12:13:24.499796 2019] [core:notice] [pid 3396] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’
    [Sun Mar 24 12:22:26.381658 2019] [mpm_prefork:notice] [pid 3396] AH00169: caught SIGTERM, shutting down
    [Sun Mar 24 12:22:31.549252 2019] [ssl:warn] [pid 9808] AH01882: Init: this version of mod_ssl was compiled against a newer library (Open$
    [Sun Mar 24 12:22:31.558508 2019] [ssl:warn] [pid 9809] AH01882: Init: this version of mod_ssl was compiled against a newer library (Open$
    [Sun Mar 24 12:22:31.560092 2019] [mpm_prefork:notice] [pid 9809] AH00163: Apache/2.4.38 (FreeBSD) OpenSSL/1.0.2k-freebsd configured — r$
    [Sun Mar 24 12:22:31.560133 2019] [core:notice] [pid 9809] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’

    1. What’s the error message you get when you go to the browser? Internal Server error? Too many redirects? Could not find the web page? Nothing much in the logs is standing out to me – SIGTERM indicates that apache is crashing/restarting but the last log is March 24; 2 days ago. You could try increasing the log verbosity to see if anything extra falls out.

      My suggestion would be to visit the #nextcloud channel in IRC though, some of those guys are likely to be better positioned to help, I can’t see much going on at this point. Can you ping your jail ip from outside? Can you ping your router from the jail? Can you ping google?

      1. March 24 was the last day it worked for me. The error I get when I try to pull up the web page with the IP or the HTTPS is:

        This site can’t be reached 10.0.0.15 took too long to respond.
        Try:

        Checking the connection
        Checking the proxy and the firewall
        Running Windows Network Diagnostics
        ERR_CONNECTION_TIMED_OUT

        When I try to ping the IP address it says the following, which is pretty confusing. It’s like it can ping it, but it pulls a different IP address. Here is what the ping shows:

        C:\Users\David>ping 10.0.0.15

        Pinging 10.0.0.15 with 32 bytes of data:
        Reply from 10.0.0.12: Destination host unreachable.
        Reply from 10.0.0.12: Destination host unreachable.
        Reply from 10.0.0.12: Destination host unreachable.
        Reply from 10.0.0.12: Destination host unreachable.

        Ping statistics for 10.0.0.15:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

        How would I go about increasing the log verbosity to see if anything extra falls out?

        1. This looks like it’s a problem with the networking for the jail, not something specific to nextcloud. Try pinging your router and computer from inside the jail to confirm. I’m guessing that 10.0.0.12 is your router? I think this message means that there’s no route from your router to the jail – strange. I’m not sure how to fix this to be honest; the Freenas forums or #freenas on IRC are your best bets.

          Not that you’ll need it now, but iirc the log verbosity can be changed in php.ini for php related error messages, and httpd.conf for apache related messages.

          1. That is so strange. You are right, I’m not able to ping out of the Jail. I will need to figure this one out. Thank you so much again for your help.

  34. Hey, I have tried to follow your instructions to the point and sadly I ran into any number of issues
    1. Order of creating virtual folders + won’t work at the early stage you suggested since nextcloud doesn’t exist yet
    2. Ran into the same issues of not being able to connect to the nextcloud interface once entering the initial details
    (browser throws unreachable… same as others brought forward)
    (Somehow I managed to find a workaround, but forgot what I did atm 🙁 )
    3. Biggest headache I had was when installing php71-pecl-redis & php71-pecl-APCu
    Installing these packages blew away my entire nextcloud installation *i.e. nextcloud itself
    Only thing remaining was the config and .htaccess
    * I think I understand what’s happening, but a bit of warning would have been nice.
    – what happened: 1. I initially opted for php72 and without really thinking I applied 71, with the result that the entire nextcloud blew away.
    I managed to recover by taking a copy of the config and .htaccess and then reinstalling nextcloud as per your earlier instruction. – That brought nc back but with lost *in particular .htaccess
    So reapplied my backup and everything was back.

    Now stuck on the email sendout using chkaide.sh. It won’t work under nc, but does work under root.
    Nothing mentioned who/what should run this so wonder if it’s meant to be a scheduled job under nc or under root?
    The test echo "Test Email Contents" | mail -s "Postfix Test Email" xxx@domain.com doesn’t send out anything under nc *log keeps complaining about “Domain of sender address root@nextcloud.localdomain does not exist”
    Doing the same thing ssh into root and it works, but the shell script still won’t work under root

    Still trying to work out bigint issues and “/.well-known/caldav” reported in nc – struggling with that
    Doco points to oc command and that throws “not found”

    1. Hi Martin,

      Everything is to be run as root. When you log in via jexec <JID> tcsh, you’re automatically logged in as the root user, so I’m not sure what you’re doing but you should follow the guide exactly to make sure it works. With regards to the chkaide.sh script, what is the error you get? What do you mean when you say it “won’t work”?

      As far as the big int issues, you run the command as specified in the error message, or more verbosely:

      su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:mode --on'
      su -m www -c 'php /usr/local/www/nextcloud/occ db:convert-filecache-bigint'
      su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:mode --off'
      

      The caldav issue is due to apache not using the .htaccess file provided by nextcloud; go back to the section in the guide addressing enabling .htaccess and make sure all the settings are as specified.

      Also, if the occ executable isn’t in your nextcloud directory, i.e. at /usr/local/www/nextcloud/occ, then it sounds like your installation may be broken. If this is the case, I’d suggest starting again.
      Cheers.

      1. Thanks for the bigint update; will try that later

        As for the mail sendout…
        1. followed all your instructions within the jail jexec where folder and script got created – Just assumed that would be 100% tied to nextcloud without risking interfering with existing stuff
        So effectively the script and location is within the nc container
        When I tried to run the echo test and script this is thrown
        Mar 26 13:13:05 nextcloud postfix/postfix-script[94794]: starting the Postfix mail system
        Mar 26 13:13:05 nextcloud postfix/master[94796]: daemon started — version 3.3.3, configuration /usr/local/etc/postfix
        Mar 26 13:17:12 nextcloud postfix/pickup[94797]: 9CBF325B35: uid=0 from=
        Mar 26 13:17:12 nextcloud postfix/cleanup[95248]: 9CBF325B35: message-id=20190326051712.9CBF325B35@nextcloud.localdomain
        Mar 26 13:17:12 nextcloud postfix/qmgr[94798]: 9CBF325B35: from=root@nextcloud.localdomain, size=46479, nrcpt=1 (queue active)
        Mar 26 13:17:12 nextcloud postfix/smtp[95250]: warning: database /usr/local/etc/postfix/sasl_passwd.db is older than source file /usr/local/etc/postfix/sasl_passwd
        Mar 26 13:17:12 nextcloud postfix/smtp[95250]: 9CBF325B35: to=redacted, relay=smtp.iinet.net.au[203.0.178.192]:587, delay=0.17, delays=0.03/0.03/0.09/0.02, dsn=5.0.0, status=bounced (host smtp.iinet.net.au[203.0.178.192] said: 553 #5.1.8 Domain of sender address root@nextcloud.localdomain does not exist (in reply to MAIL FROM command))
        Mar 26 13:17:12 nextcloud postfix/cleanup[95248]: C7F1425B37: message-id=20190326051712.C7F1425B37@nextcloud.localdomain
        Mar 26 13:17:12 nextcloud postfix/bounce[95252]: 9CBF325B35: sender non-delivery notification: C7F1425B37
        Mar 26 13:17:12 nextcloud postfix/qmgr[94798]: C7F1425B37: from=<>, size=48651, nrcpt=1 (queue active)
        Mar 26 13:17:12 nextcloud postfix/qmgr[94798]: 9CBF325B35: removed

        I tried to run it as root outside the jail and the echo command worked fine, but the script obviously required me to qualify inside the nc container – but if, like you suggested this should reside at a root level, then I guess it makes sense – script and folder creations should in effect be /scripts/aide/ vs /mnt/JailSSD/iocage/jails/nextcloud/root/scripts/aide/
        Does the same apply for aide installation or… ? Installed aide within the nc jail

      2. Just posted a reply to this but now it’s gone???
        Anyways…
        Thanks for the hints on sorting the db issues.
        As for the error thrown when running the script, this is what is thrown back when issuing the echo and running the script within the nc container

        It works on a root level, but the script won’t resolve anything
        cloud postfix/postfix-script[94794]: starting the Postfix mail system
        Mar 26 13:13:05 nextcloud postfix/master[94796]: daemon started — version 3.3.3, configuration /usr/local/etc/postfix
        Mar 26 13:17:12 nextcloud postfix/pickup[94797]: 9CBF325B35: uid=0 from=
        Mar 26 13:17:12 nextcloud postfix/cleanup[95248]: 9CBF325B35: message-id=20190326051712.9CBF325B35@nextcloud.localdomain
        Mar 26 13:17:12 nextcloud postfix/qmgr[94798]: 9CBF325B35: from=root@nextcloud.localdomain, size=46479, nrcpt=1 (queue active)
        Mar 26 13:17:12 nextcloud postfix/smtp[95250]: warning: database /usr/local/etc/postfix/sasl_passwd.db is older than source file /usr/local/etc/postfix/sasl_passwd
        Mar 26 13:17:12 nextcloud postfix/smtp[95250]: 9CBF325B35: to=<[edited]@[edited].com>, relay=smtp.[edited][x.x.x.x]:587, delay=0.17, delays=0.03/0.03/0.09/0.02, dsn=5.0.0, status=bounced (host smtp.[edited].[edited][xxx.x.x.xxx] said: 553 #5.1.8 Domain of sender address root@nextcloud.localdomain does not exist (in reply to MAIL FROM command))
        Mar 26 13:17:12 nextcloud postfix/cleanup[95248]: C7F1425B37: message-id=20190326051712.C7F1425B37@nextcloud.localdomain
        Mar 26 13:17:12 nextcloud postfix/bounce[95252]: 9CBF325B35: sender non-delivery notification: C7F1425B37
        Mar 26 13:17:12 nextcloud postfix/qmgr[94798]: C7F1425B37: from=<>, size=48651, nrcpt=1 (queue active)
        Mar 26 13:17:12 nextcloud postfix/qmgr[94798]: 9CBF325B35: removed

        As per most recent reply, tried to move the script out of the nc container into root level (same directory structure) but that throws this…
        root@freenas[/scripts/aide]# /bin/sh /scripts/aide/chkaide.sh
        /scripts/aide/chkaide.sh: /usr/local/bin/aide: not found
        /scripts/aide/chkaide.sh: /usr/local/bin/aide: not found
        mv: rename /var/db/aide/databases/aide.db to /var/db/aide/databases/archive/aide-2019-03-26.db: No such file or directory
        mv: rename /var/db/aide/databases/aide.db.new to /var/db/aide/databases/aide.db: No such file or directory
        root@freenas[/scripts/aide]#

        1. Okay, to clarify, everything I describe runs as root within the nextcloud jail. aide is installed within the jail, checkaide.sh is at /scripts/aide within the jail (so absolute path is /mnt/JailSSD/iocage/jails/nextcloud/root/scripts/aide/ – but you should not be using this; at no point do I indicate that you should leave the jail). The postfix configuration is undertaken within the nextcloud jail. The issue you’re getting at the end there is that aide is not installed on the freenas host; which makes sense because that’s not where it should be installed.

          Did you configure postfix to use a gmail account?

          1. Installing inside the nc container (jail) is exactly what I did, but like I said the “echo…” test and script throw errors in the log pointing to “root@nextcloud.localdomain does not exist”
            The script runs, but won’t send out the email.

            qmail or not…? No, I did not use qmail – thought I would be able to use my own private mail and provider (which still works performing the “echo…” test outside the jail (root), but again throws the “root@nextcloud.localdomain does not exist ” when running it inside the nc jail.

          2. You probably can use another email provider, but there is likely different configuration required to what I’ve presented. It looks like FreeNAS uses sendmail, so if you set your email up through the GUI it either uses that or their own implementation, which is also possible, and neither of these are postfix like I use in my guide. My advice would be to set up a gmail account specifically for server based notifications, and use that. Or don’t, but I’m afraid I don’t know enough about configuring MTA’s to help you get that working sorry.

            If you do want to go down the rabbit hole and work out how to configure this for your provider, this is where I would start.

            Good luck!
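The bounce in the Postfix log quoted in this thread (553 #5.1.8, sender domain does not exist) can be pulled out of a maillog mechanically; the following is an added example, not part of the guide or of any commenter's post. The function names, the example.com and example.net addresses and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise Postfix bounces from a maillog read on stdin.
# Output, one line per bounced message:
#   QUEUE_ID|ENVELOPE_SENDER|DSN|FLAG|REASON
# FLAG is "local-sender-domain" when the sender's domain has no dot or ends
# in .localdomain/.local, i.e. a name a remote relay cannot resolve.
bounce_report() {
    awk '
    # qmgr line: remember the envelope sender for this queue ID
    $5 ~ /^postfix\/qmgr\[/ && $7 ~ /^from=</ {
        qid = $6; sub(/:$/, "", qid)
        s = $7; sub(/^from=</, "", s); sub(/>,?$/, "", s)
        sender[qid] = s
    }
    # smtp line: the relay refused the message
    $5 ~ /^postfix\/smtp\[/ && /status=bounced/ {
        qid = $6; sub(/:$/, "", qid)
        dsn = "?"
        if (match($0, /dsn=[0-9.]+/))
            dsn = substr($0, RSTART + 4, RLENGTH - 4)
        reason = ""
        if (match($0, /status=bounced \(.*\)$/))
            reason = substr($0, RSTART + 16, RLENGTH - 17)
        s = (qid in sender) ? sender[qid] : "unknown"
        dom = s; sub(/^.*@/, "", dom)
        flag = "-"
        if (s != "" && s != "unknown" &&
            (dom !~ /\./ || dom ~ /\.(localdomain|local)$/))
            flag = "local-sender-domain"
        print qid "|" s "|" dsn "|" flag "|" reason
    }'
}

# Constructed sample lines in the same format as the log quoted in the thread.
sample_maillog() {
    cat <<'EOF'
Mar 26 13:17:12 nextcloud postfix/pickup[94797]: 9CBF325B35: uid=0 from=<root>
Mar 26 13:17:12 nextcloud postfix/qmgr[94798]: 9CBF325B35: from=<root@nextcloud.localdomain>, size=46479, nrcpt=1 (queue active)
Mar 26 13:17:12 nextcloud postfix/smtp[95250]: 9CBF325B35: to=<admin@example.com>, relay=smtp.example.net[192.0.2.25]:587, delay=0.17, delays=0.03/0.03/0.09/0.02, dsn=5.0.0, status=bounced (host smtp.example.net[192.0.2.25] said: 553 #5.1.8 Domain of sender address root@nextcloud.localdomain does not exist (in reply to MAIL FROM command))
Mar 26 13:17:12 nextcloud postfix/qmgr[94798]: C7F1425B37: from=<>, size=48651, nrcpt=1 (queue active)
Mar 26 13:17:12 nextcloud postfix/qmgr[94798]: 9CBF325B35: removed
EOF
}

sample_maillog | bounce_report
```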

  35. Just moved the script out of the nc container same directory structure, but @ root level
    output:
    root@freenas[/scripts/aide]# /bin/sh /scripts/aide/chkaide.sh
    /scripts/aide/chkaide.sh: /usr/local/bin/aide: not found
    /scripts/aide/chkaide.sh: /usr/local/bin/aide: not found
    mv: rename /var/db/aide/databases/aide.db to /var/db/aide/databases/archive/aide-2019-03-26.db: No such file or directory
    mv: rename /var/db/aide/databases/aide.db.new to /var/db/aide/databases/aide.db: No such file or directory
    root@freenas[/scripts/aide]#

    BTW, sent some stuff across in my previous reply pointing out my email to the world – any way to edit posts or…?

    1. Reinstalled everything and keep running into issues with mariadb – service refuses to start up now.
      Blown away the jail to start from scratch, but issue persists.
      Right now I decided to blow the jail away and apply my most recent config that doesn’t include nextcloud – started the installation process and same issue
      Just refuses to start and I’m buggered if I can figure out why.
      maria error log shows…
      2019-03-27 17:22:14 0 [Note] InnoDB: The first innodb_system data file ‘ibdata1’ did not exist. A new tablespace will be created!
      2019-03-27 17:22:14 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
      2019-03-27 17:22:14 0 [Note] InnoDB: Uses event mutexes
      2019-03-27 17:22:14 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2019-03-27 17:22:14 0 [Note] InnoDB: Number of pools: 1
      2019-03-27 17:22:14 0 [Note] InnoDB: Using generic crc32 instructions
      2019-03-27 17:22:14 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
      2019-03-27 17:22:14 0 [Note] InnoDB: Completed initialization of buffer pool
      2019-03-27 17:22:14 0 [Note] InnoDB: Setting file ‘./ibdata1’ size to 12 MB. Physically writing the file full; Please wait …
      2019-03-27 17:22:14 0 [Note] InnoDB: File ‘./ibdata1’ size is now 12 MB.
      2019-03-27 17:22:14 0 [Note] InnoDB: Setting log file ./ib_logfile101 size to 50331648 bytes
      2019-03-27 17:22:14 0 [Note] InnoDB: Setting log file ./ib_logfile1 size to 50331648 bytes
      2019-03-27 17:22:14 0 [Note] InnoDB: Renaming log file ./ib_logfile101 to ./ib_logfile0
      2019-03-27 17:22:14 0 [Note] InnoDB: New log files created, LSN=45786
      2019-03-27 17:22:14 0 [Note] InnoDB: Doublewrite buffer not found: creating new
      2019-03-27 17:22:14 0 [Note] InnoDB: Doublewrite buffer created
      2019-03-27 17:22:14 0 [Note] InnoDB: 128 out of 128 rollback segments are active.
      2019-03-27 17:22:14 0 [Note] InnoDB: Creating foreign key constraint system tables.
      2019-03-27 17:22:14 0 [Note] InnoDB: Creating tablespace and datafile system tables.
      2019-03-27 17:22:14 0 [Note] InnoDB: Creating sys_virtual system tables.
      2019-03-27 17:22:14 0 [Note] InnoDB: Creating shared tablespace for temporary tables
      2019-03-27 17:22:14 0 [Note] InnoDB: Setting file ‘./ibtmp1’ size to 12 MB. Physically writing the file full; Please wait …
      2019-03-27 17:22:14 0 [Note] InnoDB: File ‘./ibtmp1’ size is now 12 MB.
      2019-03-27 17:22:14 0 [Note] InnoDB: Waiting for purge to start
      2019-03-27 17:22:14 0 [Note] InnoDB: 10.3.13 started; log sequence number 0; transaction id 7
      2019-03-27 17:22:14 0 [Note] Plugin ‘FEEDBACK’ is disabled.
      2019-03-27 17:22:14 0 [ERROR] Could not open mysql.plugin table. Some plugins may be not loaded
      2019-03-27 17:22:14 0 [ERROR] Can’t open and lock privilege tables: Table ‘mysql.servers’ doesn’t exist
      2019-03-27 17:22:14 0 [Note] Server socket created on IP: ‘::’.
      2019-03-27 17:22:14 0 [ERROR] Fatal error: Can’t open and lock privilege tables: Table ‘mysql.user’ doesn’t exist

      Any assistance sorting this would be highly appreciated – it’s driving me nuts atm – failing this I will blow the entire nas away and start again – something I don’t want 🙁

      1. Are you deleting your datasets and re-creating them when starting again? If not, your db files will be persistent and are probably interfering with the set up of the new database. Until you have something worth restoring, it’s probably best to nuke the datasets you mount into the jail with fstab to get a clean start. I.e: /mnt/vault/cloud, /mnt/jailhouse/apps/nextcloud/db, /mnt/jailhouse/apps/nextcloud/config, /mnt/jailhouse/apps/nextcloud/themes. After you do have something worth restoring, you would have to go through the restoration process: https://docs.nextcloud.com/server/14/admin_manual/maintenance/restore.html

        1. hm, yes, I’ve nuked everything except the directories vault/ (keeping predefined cloud)* jailhouse/apps/nextcloud/* (keeping existing directories *config, themes & db)
          All directories 100% cleaned up – yet service refuses to start
          Tried this like 5 times now, and finally resorted to reverting to a clean config – but same issue persists
          No idea what’s going on here – In effect there’s nothing left tied to nextcloud jail (starting to think there’s something outside affecting this now *but no idea why and have followed these instructions to the letter (over and over again 🙁 )

          1. I’m confused, are you saying you have or haven’t deleted the db dataset? If you haven’t, you should.

          2. Just decided to take you up on the idea of nuking everything *including the apps/config, db and themes.
            No issues deleting the config and themes pool – BUT the db throws “ERROR deleting dataset”
            hm… something is hogging this directory causing issues *like initial post describing my issues starting mariadb
            This error using the web interface doesn’t give me anything but the “Error deleting dataset”
            Moving up one level trying to do the same with the nextcloud pool results in the same error
            Owner of the apps/nextcloud is root
            weirdly enough the owner of the db was “user” = tried to change that to root, but still can’t delete either pool

  36. I have * and I did!!!! I left the folders though – now managed to delete the entire apps/nextcloud structure and will try to re-create everything from scratch again – hopefully it sorts itself

    1. Once I removed the pools and started again it seems to work *as far as starting the maria service * – trust the rest would work out

      A bit weird that pools empty ones would cause issues, but who knows …. I sure tell tale of something driving someone up the wall throwing things – weird

      1. As mentioned earlier, they weren’t empty. They contain the files necessary to restore an existing nextcloud installation. Deleting them meant you could start fresh.

      2. Ok, Finally back on track – experienced the same issue with redirect issue once entered the cloud initial setup
        Work around was to: su -m www -c “php /usr/local/www/nextcloud/occ app:enable twofactor_backupcodes”
        That fixed the issue and I could proceed with setting things up inside nc

        Another really weird issue I came across is the fstab frequently dropping all its definitions
        * Actually what happens is that the fstab gets corrupted where previous definitions end up in a long string that won’t be recognized by the system start
        Common thing seems to be when you add nested folders and/or decide to edit a mount point – Had this happening like 10 times now where I had to re-create most mount points.
        Usually one or two defs still linger where the rest end up in a loooooong string inside the fstab
        * possible a bug
        Simple test:
        1. create a folder inside the jail and create a mount point using iocage
        2a. add another nested folder and point that to a different location and add the mount point
        *Disaster!!!!
        1. create a folder inside the jail and create a mount point using iocage
        2. enter the web interface for the jail and bring up the mount points – then edit one of them by renaming the jail folder
        * Disaster!!!!
        Results in fstab entries being screwed up

  37. @Martin
    I’m glad you got the nextcloud issue resolved. Just a few things — the directory structure under /usr/local/www/nextcloud should always be www:www. Sometimes if you edit files as a different user, your editor will save the file under a different user — for example su will save the files as root:root or root:wheel. You need to make sure, if you’re having issues, that the file permissions and ownerships are correct.

    In terms of the mount point disaster, I can’t say for certain what your issue is. I can only offer something else you may want to try. I created all my datasets within the FreeNAS gui itself, and not on the command line. By creating all the mount points within the FreeNAS gui and then sharing the selected datasets with the jail as configured through the gui, I never actually had to edit any fstab files. In my limited experience, jails can be kind of tricky to use. Although the iocage fstab commands should always technically “work”, if things are done manually on the command line, they don’t always show up within the FreeNAS gui. I’ve found by mounting most of the datasets using the FreeNAS gui, the mountpoints seem more robust. I have no explanation why using the GUI is more robust since behind the scenes I believe it is using the same fstab commands, other than it just seems to be more reliable in my experience.

    If you are having issues with fstab mount points becoming corrupted, why don’t you try sharing the dataset (or mountpoint) using the GUI rather than using the iocage fstab commands. After you try this, I’m OK if you tell me my idea is full of s**t.

    1. It’s actually the gui that is corrupting the fstab – NOT the iocage command itself.

      Still have some issues to sass out though.
      Like putting nc in maintenance mode.
      When I run the command: su -m www -c ‘php /usr/local/www/nextcloud/occ maintenance:mode –on’
      It throws back an error: Too many arguments, expected arguments “command”.

      I also struggle with how I could mount pools that in effect should be owned by individual users *accessible from both local file systems and nextcloud.
      Adding a mount point and then map it to a group tied to a user makes it visible to user logged on to nc. But its only READ ONLY access.
      The other way around would be to copy old shared content across to the users container inside nc i.e vault/cloud//files/
      That would make the content fully accessible by the user logged on to nc.
      Problem with this approach is that any content created from within nc ends up with www:www (owner/group) that prevent the user from modifying any of the files from outside nc
      I would also need to create a SMB share to the folder structure vault/cloud//files/
      But permission would be a major issue
      In effect I want a private user shares to be fully manageable by set users from within nc and outside where content created from with nc should have the user and owner (not www:www as it is now)

      1. Ok, think I worked the shares out – simply need to enforce the ownership as part of the SMB share creation under the aux (force user = www) – Then I can set the ownership to the user in question with a group of www as part of the pool creation – works! – happy with that – Now both the user using the nc cloud app as well as user switching to their smb share over the local network can work freely with what’s there

        My next challenge is to secure the nc and change it to use https (not familiar with apache when it comes to this – quite simple setting it up on lighttpd that I used in the past – but now there’s new challenges with different ways of doing things – never ends does it 😉 )

  38. yea – all hm most actually good
    One small issue that screws with my head

    When logging on using my public ip i.e https://xxx.xxx.xxx.xxx:port and I want to recover a lost password, no email is sent through to the user.
    Doing the same via my local ip works perfectly

    Sending a test email as admin from the public gateway works as well

    What is going on with that????

    User has valid email registered and nothing ends up in a spam folder *don’t think the email is being sent at all
    Checked the nc logs and nothing indicating any errors or issues

    suggestions…?

    Sort of become an important feature for users to recover/reset lost passwords using the public gateway

    1. Sorry mate, looks like you’ve hit a point beyond my expertise. I’d recommend heading over to the Nextcloud forums or #nextcloud in IRC.

  39. I have only had to run this installation once and everything works like a charm. It is the best instruction I have read so far in the internet. On everything. Hands down.

    Only thing missing is that I now get two notifications:

    This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them.
    imagick

    Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running ‘occ db:convert-filecache-bigint’ those pending changes could be applied manually. This operation needs to be made while the instance is offline. For further details read the documentation page about this.
    filecache.mtime
    filecache.storage_mtime

    If these could be fixed…I’ll get a whole keg not just a beer 🙂

    1. Hi Alpha, to resolve the bigint conversion issue, execute the following commands:

      su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:mode --on'
      su -m www -c 'php /usr/local/www/nextcloud/occ db:convert-filecache-bigint'
      su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:mode --off'
      

      To resolve the imagick issue, I’m pretty sure you just install the imagick php package for the php version you chose, i.e. pkg install php72-pecl-imagick, changing php72 for whatever is relevant for you (make sure you’re inside the jail). I’m pretty sure this was the solution when I resolved it for myself; these are things on my backlog to add to the guide when I get time, but I’ve been pretty swamped recently so I just haven’t had a chance.

    2. Hi together, regarding the imagick issue I suggest to wait for another nextcloud update. Imagick has some security issues and the developers want to remove the hint in the Info page of NC. ->Google

  40. Good evening !

    Thank you for your post, it’s actually very helpful, can’t find better.

    Everything is very well explicated…but…yes there is a but (unfortunately just for me I guess).

    I tried to find a solution by myself but I can’t find anything on the Web, hope you could help me.

    So, I followed all your instructions and I cannot reach my NextCloud page by HTTPS on my domain. Everything worked fine in local at the beginning but I can’t even connect to my page locally.

    Here is my httpd-error.log :

    It seems that my problem is linked to my SSL, I can’t figure how. Let’s Encrypt seems working perfectly.

    Hope someone could help me, thank you !

    P.S : Sorry for my poor english. Be french and be stuck on this problem for hours don’t help for this 😀

    1. Hi Maxime, I’m not sure what’s causing your problem unfortunately, nothing really stands out in your logs aside from perhaps:

      [Sat Mar 30 23:47:41.194563 2019] [ssl:debug] [pid 91553] ssl_engine_io.c(1370): (70007)The timeout specified has expired: [client 81.49.167.221:57862] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
      

      or perhaps

      [Sat Mar 30 23:43:01.791683 2019] [ssl:debug] [pid 91550] ssl_engine_init.c(1748): AH10083: Init: (subdomain.mydomain.com:443) mod_md support is unavailable.
      [Sat Mar 30 23:43:01.791848 2019] [ssl:debug] [pid 91550] 
      

      I’ve never run into either of these issues though so I’m not going to be much help. I’d advise heading over to the #httpd channel on IRC; they’ll be able to help you work through it.

      Cheers

      1. Good morning !

        I found the solution during this week. It’s not linked to NextCloud at all, it was hairpinning.

        If you meet the same problem as me, try to connect to your subdomain.domain.com from Tor or your cellphone in 4G. If it’s working on it but not on your local network, you have a hairpin problem.

        To solve this, I had to change my router, hope you will not have to do this.

        Thank you very much for your help anyway
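A stalled TLS handshake of the kind reported in this thread appears in the Apache error log as an AH01964 "connection established" line followed, for the same client address and port, by AH02007 once the read timeout expires. The script below is an added example, not part of the original comments: it pairs those two events and reports how long each connection waited. The sample lines, client addresses and hostname are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache 2.4 error-log format. Client addresses come from
# documentation ranges and cloud.example.com is a placeholder hostname.
SAMPLE_LOG = """\
[Sat Mar 30 23:43:01.815777 2019] [mpm_prefork:notice] [pid 91551] AH00163: Apache/2.4.38 (FreeBSD) configured -- resuming normal operations
[Sat Mar 30 23:43:06.560526 2019] [ssl:info] [pid 91552] [client 203.0.113.7:57804] AH01964: Connection to child 0 established (server cloud.example.com:443)
[Sat Mar 30 23:43:06.596909 2019] [ssl:info] [pid 91553] [client 203.0.113.7:57805] AH01964: Connection to child 1 established (server cloud.example.com:443)
[Sat Mar 30 23:43:25.501091 2019] [ssl:info] [pid 91554] [client 203.0.113.7:57806] AH01964: Connection to child 2 established (server cloud.example.com:443)
[Sat Mar 30 23:43:30.000000 2019] [ssl:info] [pid 91555] [client 198.51.100.20:40112] AH01964: Connection to child 3 established (server cloud.example.com:443)
[Sat Mar 30 23:44:06.587670 2019] [ssl:debug] [pid 91552] ssl_engine_io.c(1370): (70007)The timeout specified has expired: [client 203.0.113.7:57804] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Sat Mar 30 23:44:06.587740 2019] [ssl:info] [pid 91552] [client 203.0.113.7:57804] AH01998: Connection closed to child 0 with abortive shutdown (server cloud.example.com:443)
[Sat Mar 30 23:44:06.694884 2019] [ssl:debug] [pid 91553] ssl_engine_io.c(1370): (70007)The timeout specified has expired: [client 203.0.113.7:57805] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Sat Mar 30 23:44:25.509141 2019] [ssl:debug] [pid 91554] ssl_engine_io.c(1370): (70007)The timeout specified has expired: [client 203.0.113.7:57806] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
"""

ESTABLISHED = "AH01964"        # connection handed to mod_ssl
HANDSHAKE_TIMEOUT = "AH02007"  # handshake read gave up

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid \d+\] (?P<rest>.*)$")
CLIENT_RE = re.compile(r"\[client (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\]")
CODE_RE = re.compile(r"\bAH\d{5}\b")
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def parse_events(text):
    """Yield (timestamp, ip, port, AH code) for every line that names a client."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client = CLIENT_RE.search(m.group("rest"))
        code = CODE_RE.search(m.group("rest"))
        if client and code:
            yield (
                datetime.strptime(m.group("ts"), TS_FORMAT),
                client.group("ip"),
                int(client.group("port")),
                code.group(0),
            )


def summarise(text):
    """Per client IP: connections established, handshakes timed out, seconds waited."""
    started = {}  # (ip, port) -> time the connection was established
    summary = defaultdict(lambda: {"established": 0, "timed_out": 0, "waits": []})
    for ts, ip, port, code in parse_events(text):
        key = (ip, port)
        if code == ESTABLISHED:
            started[key] = ts
            summary[ip]["established"] += 1
        elif code == HANDSHAKE_TIMEOUT and key in started:
            waited = (ts - started.pop(key)).total_seconds()
            summary[ip]["timed_out"] += 1
            summary[ip]["waits"].append(round(waited, 3))
    return dict(summary)


def stalled_clients(summary):
    """Clients for which every established connection ended in a handshake timeout."""
    return sorted(
        ip for ip, s in summary.items()
        if s["established"] and s["timed_out"] == s["established"]
    )


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for ip, stats in result.items():
        print(ip, stats)
    print("every handshake stalled for:", stalled_clients(result))
```

A client that appears in `stalled_clients` reached the listening socket but never finished a handshake, which points at the network path between that client and the jail rather than at the certificate or the Nextcloud configuration.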

  41. Any ideas on what’s causing this error?

    mount_nullfs: /mnt/jailhouse: No such file or directory
    jail: /sbin/mount -t nullfs -o rw /mnt/jailhouse/apps/nextcloud/db /mnt/BigDrive1/iocage/jails/nextcloud/root/var/db/mysql: failed

    1. Sure, it doesn’t look like you have a dataset named jailhouse; did you set up your directory structure the same way I described? It looks like you need to replace the instances of jailhouse with BigDrive1

      1. I see the mistake now. I changed jailhouse to BigDrive1 all the way through but I made the mistake of doing the first mount point like the example, so I had 5 mount points instead of 4. Everything was working until I installed the last freenas update then it broke. Now I can’t delete the mount point using the GUI. The error I get is “name ‘collections’ is not defined”. It looks like I’m stuck until the next update comes out.

        https://www.ixsystems.com/community/threads/nameerror-name-collections-is-not-defined-after-update.74058/

  42. Good afternoon,

    I can use some help with my current problem with this install. I have everything working great and all is well except when I try to upload a file that is 35 gigabytes to nextcloud. I have tried uploading via a WebDAV mapped drive and the web interface but it keeps telling me that the file is too large. The steps I took to resolve this is to update the $ nano /usr/local/etc/php.ini and change the size values below to 50G

    post_max_size = 50G
    upload_max_filesize = 50G

    Then I restart Apache and php-fpm

    $ service php-fpm restart
    $ service apache24 restart

    But it still will not take the 35 gb file. Any advice on this would be greatly appreciated.

    Thank you.

    1. David, I suspect that because we enabled the use of .htaccess files, the default values in the nextcloud .htaccess is overriding what’s in php.ini. Try opening /usr/local/www/nextcloud/.htaccess and adjust the same parameters you need to here, reload the server and see if there are any changes. I also remember reading somewhere that changes may take up to 5 mins to propagate.

      Cheers

      1. Thank you Samuel for info on the .htaccess file. I did the changes you suggested, reset the server and waited 10 min but it still is not letting me upload large files. Can you take a look at the file below and see if there is anything else I can change on it that would possibly make this work? Does it have anything to do with the Memory_limit 512M?

        Let browsers cache WOFF files for a week

        Header set Cache-Control "max-age=604800"

        php_value upload_max_filesize 50G
        php_value post_max_size 50G
        php_value memory_limit 512M
        php_value mbstring.func_overload 0
        php_value always_populate_raw_post_data -1
        php_value default_charset 'UTF-8'
        php_value output_buffering 0

        SetEnv htaccessWorking true

        php_value upload_max_filesize 50G
        php_value post_max_size 50G
        php_value memory_limit 512M
        php_value mbstring.func_overload 0
        php_value default_charset 'UTF-8'
        php_value output_buffering 0

        SetEnv htaccessWorking true

  43. Hello Samuel,
    This is by far the best Guide to install Nextcloud on freenas.

    Actually everything worked very well until the end.

    But after the login on the GUI I get a forwarding error.

    The GUI redirects me to http://www.mydomain.com/Apps/files/ and I get the error message of the redirection error.

    What could be the reason?

    Thomas

    1. Thomas, can you post the contents of your config.php file? I suspect it’s missing the appropriate apps-pkg redirects. Explicitly, make sure it contains this at the top:

       'apps_paths' =>
        array (
          0 =>
          array (
            'path' => '/usr/local/www/nextcloud/apps',
            'url' => '/apps',
            'writable' => true,
          ),
          1 =>
          array (
            'path' => '/usr/local/www/nextcloud/apps-pkg',
            'url' => '/apps-pkg',
            'writable' => false,
          ),
        ),
      

      This should go BELOW

      <?php
       $CONFIG = array (
      

      and ABOVE

      'instanceid' => 'redacted',
      

      Also, can you share the details of your installation method? I.e., did you install from the quarterly or latest branch? Did you install nextcloud-php71, nextcloud-php72, or nextcloud-php73? Any other information that would describe some of the choices you made when installing would also be appreciated.

      Cheers

      1. Hi Samuel,
        at first, thanks for your help.
        I’ve installed nextcloud-php71-

        I forgot to paste the following part in config.php.
        'apps_paths' =>
        array (
        0 =>
        array (
        'path' => '/usr/local/www/nextcloud/apps',
        'url' => '/apps',
        'writable' => true,
        ),
        1 =>
        array (
        'path' => '/usr/local/www/nextcloud/apps-pkg',
        'url' => '/apps-pkg',
        'writable' => false,
        ),

        After I’ve added this I get an “Internal Server Error” Message from my Nextcloud GUI.
        No Login possible anymore.

        Here is my config.php:
        I’ve removed the passwords and domain.

        <?php
        $CONFIG = array (
        'apps_paths' =>
        array (
        0 =>
        array (
        'path' => '/usr/local/www/nextcloud/apps',
        'url' => '/apps',
        'writable' => true,
        ),
        1 =>
        array (
        'path' => '/usr/local/www/nextcloud/apps-pkg',
        'url' => '/apps-pkg',
        'writable' => false,
        ),
        ),
        'logfile' => '/var/log/nextcloud/nextcloud.log',
        'memcache.local' => '\OC\Memcache\APCu',
        'instanceid' => 'oc7a4ybhff7f',
        'passwordsalt' => 'xxx',
        'secret' => 'xxx',
        'trusted_domains' =>
        array (
        0 => '192.168.1.10',
        1 => 'mydomain.com',
        ),
        'datadirectory' => '/mnt/data',
        'dbtype' => 'mysql',
        'version' => '15.0.5.3',
        'overwrite.cli.url' => 'http://192.168.1.10',
        'dbname' => 'nextcloud',
        'dbhost' => 'localhost:/tmp/mysql.sock',
        'dbport' => '',
        'dbtableprefix' => 'oc_',
        'mysql.utf8mb4' => true,
        'dbuser' => 'nextcloud_admin',
        'dbpassword' => 'xxx',
        'installed' => true,
        'redis' =>
        array (
        'host' => '/tmp/redis.sock',
        'port' => 0,
        ),
        'memcache.local' => '\OC\Memcache\APCu',
        'memcache.locking' => '\OC\Memcache\Redis',
        'enable_previews' => false,
        );

        1. Thomas,

          That’s progress. I’d suggest looking in the nextcloud log to see if anything stands out. Everything in your config.php file looks okay, though you might have some luck changing the instances of APCu to Redis. The log should indicate if there are any errors with caching though.

          Cheers

        2. Hi Thomas,
          Did you ever get this redirecting error figured out? My situation is similar to yours and Garrett’s. I’m trying to install nextcloud 17.0 using nextcloud-php72 on FreeNAS 11.2. I had a completely working installation but then I realized my fstab wasn’t correctly configured (like Garrett’s problem earlier) so I uninstalled apache24 and nextcloud so I could re-install them in the correct location. Everything was going OK and I was able to get through the web configuration again but I haven’t been able to get to the login screen. I added the apps_paths redirects in my config.php file as Samuel suggested but I still get an internal server error. If I don’t include that app_paths section then I can’t load the login page due to redirect errors (e.g., http://www.mydomain.com/Apps/files/).

          1. I think I figured it out, at least for my particular situation. When I specified a static jail IP I had an endless redirect problem. When I specified DHCP for the nextcloud jail and gave it a static IP in pfSense, then it worked.

            Thanks, Samuel, for the excellent tutorial!

            PS- this might save someone some time too someday. When I followed the fstab steps ($ iocage fstab -a nextcloud /mnt/vault/cloud /mnt/data nullfs rw 0 0) I used tab to auto-complete the source directories. That left a trailing backslash on the source directory (e.g., “/mnt/vault/cloud/”) which seemed to cause issues like what Garrett described around 21 March 2019. When I rebuilt the mounting table without those unintentional trailing slashes then everything worked as expected.
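The fstab mistakes reported in this thread (a source path on a pool that does not exist, an extra entry for a destination that is already mounted, and a trailing slash left by tab completion) can be caught before the jail is restarted. The linter below is an added example, not part of the original guide or comments: `lint_fstab`, the sample entries and the set of "existing" directories are hypothetical, and it assumes the six-field layout written by `iocage fstab -a`.

```python
import os

# Constructed jail fstab: source, destination, type, options, dump, pass.
# Pool and jail names follow the examples used in this thread.
SAMPLE_FSTAB = """\
/mnt/vault/cloud/ /mnt/BigDrive1/iocage/jails/nextcloud/root/mnt/data nullfs rw 0 0
/mnt/jailhouse/apps/nextcloud/db /mnt/BigDrive1/iocage/jails/nextcloud/root/var/db/mysql nullfs rw 0 0
/mnt/BigDrive1/apps/nextcloud/config /mnt/BigDrive1/iocage/jails/nextcloud/root/usr/local/www/nextcloud/config nullfs rw 0 0 # Added by iocage
/mnt/BigDrive1/apps/nextcloud/config /mnt/BigDrive1/iocage/jails/nextcloud/root/usr/local/www/nextcloud/config nullfs rw 0 0
"""

# Directories treated as present when linting the sample (constructed).
SAMPLE_EXISTING = {
    "/mnt/vault/cloud",
    "/mnt/BigDrive1/apps/nextcloud/config",
}


def _normalise(path):
    """Drop trailing slashes but keep a bare '/' intact."""
    return path.rstrip("/") or "/"


def lint_fstab(text, exists=os.path.isdir):
    """Return (line_number, issue, detail) tuples for a jail fstab.

    `exists` decides whether a source directory is present; it defaults to a
    real filesystem check and can be replaced for offline testing.
    """
    findings = []
    seen_destinations = {}  # normalised destination -> first line that used it
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6:
            findings.append((lineno, "malformed", f"expected 6 fields, got {len(fields)}"))
            continue
        source, destination = fields[0], fields[1]

        # Tab completion in the shell appends '/', which ends up in the entry.
        if len(source) > 1 and source.endswith("/"):
            findings.append((lineno, "trailing-slash", source))

        # A source that is missing makes mount_nullfs fail when the jail starts.
        if not exists(_normalise(source)):
            findings.append((lineno, "missing-source", source))

        # Two entries for one destination stack mounts on top of each other.
        key = _normalise(destination)
        if key in seen_destinations:
            findings.append(
                (lineno, "duplicate-destination", f"already used on line {seen_destinations[key]}")
            )
        else:
            seen_destinations[key] = lineno
    return findings


if __name__ == "__main__":
    for lineno, issue, detail in lint_fstab(SAMPLE_FSTAB, exists=SAMPLE_EXISTING.__contains__):
        print(f"line {lineno}: {issue}: {detail}")
```

On a real system, call `lint_fstab(open(path).read())` with the path of the jail's fstab file so that the default `os.path.isdir` check runs against the host's datasets.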

  44. Hello,

    Many thanks for this tuto that was very helpful!!
    I’ve just got one question/problem: with certbot, it appears that if you do a permanent redirect with the http (:80) on the VirtualHost to HTTPS, certbot cannot renew the certificate (“failed authorization procedure” error). Is there a way to let the certificate renew without having to deactivate SSL temporarily?

    Thanks again!

    1. Not to my (limited) knowledge Adrien. This sounds like a good question for the ##letsencrypt IRC channel though. As mentioned in the blog, I renew via DNS so this isn’t a problem that I’ve had to tackle.

  45. Hi, Samuel!

    EXCELLENT guide – I found it incredibly helpful!

    I’m running into just one small issue that I cannot figure out, despite a couple of hours of trial-and-error and experimenting.

    Here’s a quick rundown of my setup:
    NextCloud 15
    Running on FreeBSD 11.2-RELEASE-p9
    Duck DNS DynDNS Service with Port Forwarding Working

    I have two Apache rules in a configuration file:

    ServerName DuckDNS_address
    Redirect permanent / https://DuckDNS_address
    and

    ServerAdmin me@here.com
    ServerName server_name

    SetHandler “proxy:fcgi://127.0.0.1:9000/”

    DirectoryIndex /index.php index.php
    DocumentRoot “/usr/local/www/nextcloud”
    SSLCertificateFile correct_path
    SSLCertificateKeyFile correct_path
    SSLEngine on

    Header always set Strict-Transport-Security “max-age=15552000; >

    When I first start apache, and I use either http://DuckDNS_address or https://DuckDNS_address, it works (always directing to https://DuckDNS_address) from either within my network or from outside of it. However, after about 20 seconds, the UI will no longer resolve from within my network, but it continues to work fine from outside my network.

    If I add an additional directive in the CONF file, matching the local IP address of the NextCloud instance (and port 80), I can get it to work internally. However, this causes a problem with mobile devices: I either have to use the local address (and not have the instance work outside my network) or the DuckDNS address (and not have the instance work while I’m connected to my local network).

    I can reliably reproduce this behavior, but cannot for the life of me figure out what might be failing. I’d be grateful for any help or guidance!

    1. It seems like the issue is that you can only have one specification of server address for your server. The way I dealt with this was to, instead of using the IP address of the external server, use the DNS name, i.e. cloud.ddns.net (or whatever it is). This should resolve correctly when you’re outside of your home network. To make it accessible from within your home network as well, add a DNS Resolver entry to your router (assuming you use pfSense!) such that any internal DNS query to cloud.ddns.net returns your server’s internal address, i.e. 192.168.0.10. This just means that your router intercepts your DNS request and provides you with the preferred internal IP rather than the external IP.

      Hope this helps.

      Cheers.

  46. Hi Samuel,

    Thank you for putting in the effort to write this excellent guide. I got everything installed and configured but once I got to the Nextcloud setup screen on my browser, entered all the credentials and tried to ‘Finish Setup’ I received a ‘Can’t create or write into the data directory /mnt/data’ error. I triple checked the entire setup and can’t find my mistake. I entered the ‘chown -R www:www /usr/local/www/nextcloud /mnt/data’ command to set permissions but I wonder if maybe there is another directory that needs permissions?

    I’d be very grateful for any insights you could provide.

    1. Hi Parrish, you can list the permissions associated with all directories in mnt by passing the -l flag to ls, i.e: ls -l /mnt/. This should show you all of the rwx permissions for each directory inside /mnt. Ideally, you want /mnt/data to have at least rwx------ permissions (first three listed is owner, second three is group, third three is other), or some variation thereof where either the www user OR the www group has write permission, so rwxrwxr-- or something similar. It’s hard for me to explain how the permissions work in this format, so it might be easier if you just read the documentation on FreeBSD permissions. If the www user doesn’t have rw permissions on the folder, you can use the chmod command to edit these. For your data directory I’d suggest 770 (rwxrwx---) would probably be appropriate (this means that anyone in the www user or group is able to read, write or execute, but users outside of this group can’t read, write or execute anything), so you can execute chmod -R 770 /mnt/data, and this will apply these permissions recursively to all files in the /mnt/data directory.

      This shouldn’t have been required if you followed the way I set the datasets up, but if you had existing datasets you wanted to use then it’s possible you may not have had the correct permissions already on the dataset. If this doesn’t solve your issue, I’d suggest heading to the #freenas, #freebsd or #nextcloud channels in IRC for support, as it won’t be easy for me to help troubleshoot in this format.

      Cheers.
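
The owner/group/other rule explained in the reply above, as an added example that is not part of the original comment thread: it decides from an `ls -ld` mode string whether a user such as www may write to a directory, and flags any access granted to "other". The function names are illustrative, only classic mode bits are evaluated (no ACLs, no root bypass), and the user's groups are passed in by the caller, for instance from `id -Gn www`.

```shell
#!/bin/sh
# Added example: evaluate directory mode bits the way the kernel picks a
# triad: owner first, then group, then other. The first match is the only
# one that applies, even if a later triad would be more permissive.

# triad_for MODE OWNER GROUP USER "USER_GROUPS"
# MODE is the 10-character string printed by ls -l, e.g. drwxrwx---.
# Prints the three permission characters that apply to USER.
triad_for() {
    t_mode=$1; t_owner=$2; t_group=$3; t_user=$4; t_groups=$5
    if [ "$t_user" = "$t_owner" ]; then
        printf '%s\n' "$t_mode" | cut -c2-4      # owner triad
        return
    fi
    for t_g in $t_groups; do
        if [ "$t_g" = "$t_group" ]; then
            printf '%s\n' "$t_mode" | cut -c5-7  # group triad
            return
        fi
    done
    printf '%s\n' "$t_mode" | cut -c8-10         # other triad
}

# can_write MODE OWNER GROUP USER "USER_GROUPS"
# Creating files in a directory needs both write and search (x) permission.
can_write() {
    case $(triad_for "$@") in
        ?w[xst]) return 0 ;;
    esac
    return 1
}

# world_access MODE
# Succeeds when the "other" triad grants anything at all.
world_access() {
    w_other=$(printf '%s\n' "$1" | cut -c8-10)
    [ "$w_other" != "---" ]
}

# audit_dir PATH USER "USER_GROUPS"
# Reads the real mode, owner and group with ls -ld and reports on them.
# Returns 0 when USER can write and nobody outside owner/group has access.
# Typical call inside the jail: audit_dir /mnt/data www "$(id -Gn www)"
audit_dir() {
    a_path=$1; a_user=$2; a_groups=$3
    a_line=$(ls -ld "$a_path") || return 2
    # substr drops a trailing "+" or "." that some systems append for ACLs.
    a_mode=$(printf '%s\n' "$a_line" | awk '{print substr($1, 1, 10)}')
    a_owner=$(printf '%s\n' "$a_line" | awk '{print $3}')
    a_group=$(printf '%s\n' "$a_line" | awk '{print $4}')
    a_status=0
    if ! can_write "$a_mode" "$a_owner" "$a_group" "$a_user" "$a_groups"; then
        echo "FAIL $a_path ($a_mode $a_owner:$a_group): $a_user cannot write"
        a_status=1
    fi
    if world_access "$a_mode"; then
        echo "WARN $a_path ($a_mode): open to users outside $a_owner:$a_group"
        a_status=1
    fi
    if [ "$a_status" -eq 0 ]; then
        echo "OK   $a_path ($a_mode $a_owner:$a_group)"
    fi
    return "$a_status"
}

# Constructed sample data: "MODE OWNER GROUP" as ls -ld would show them,
# checked for user www whose only group is www.
for sample in "drwxrwx--- www www" "drwxr-xr-x root wheel" "drwxrwxr-- www www"; do
    set -- $sample
    if can_write "$1" "$2" "$3" www "www"; then
        verdict="www can write"
    else
        verdict="www cannot write"
    fi
    if world_access "$1"; then
        verdict="$verdict, open to others"
    fi
    echo "$1 $2:$3 -> $verdict"
done
```
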

  47. Hello Samuell,

    I am following your guide and until now it is working like a charm! I am at the point of configuring the 15Min Cron Job for the www user. You are describing the configuration directly in the shell. Would there be any differences planning the same Cron Job through the FreeNAS-GUI, or even just ticking the dialog-box in the Preferences of the Nextcloud-GUI?

    Many regards

    Costis

    1. Hi Costis, I’m not sure! I’ve never set it using either of these methods, but I’d be keen to hear what you find out if you give it a go 🙂 Let me know!

      Cheers

      1. Hi Samuel,

        I tried both methods, through the FreeNAS GUI and through Shell (as you describe on this page). In the first case I kept getting the warning from nextcloud that no cronjob was recorded for over 24 hours. With the shell configuration there are no warnings anymore.

        Meanwhile Nextcloud is configured and running with letsencrypt certificate according to your guide (I could skip the Route 53 part), although at the beginning I lost access to nextcloud over the local IP and “cloud.mydomain.com”. It worked after changing port forwarding in the router from 80->80 which, as you said was needed for certbot, to 80->443 for SSL. This I don’t understand completely. I thought the following lines in the cloud.medomain.com.config file should take care of that(?) Am I doing something wrong?

        DocumentRoot “/usr/local/www/nextcloud”
        ServerName cloud.mydomain.com
        Redirect permanent / https://cloud.mydomain.com/

        …(rest configuration)…

        Many Greetings

        1. Hi Costis,

          Perhaps I’m not understanding you properly – I don’t talk about a GUI configuration at all, but I’m glad it’s working after configuring it using the shell. With regards to the port forwarding, what I advocate is WAN:80 -> LAN:80 and WAN:443 -> LAN:443, not WAN:80 -> LAN:443. You’re correct, the redirect in the vhost is sufficient to direct the user to an SSL socket, but when your router receives a request for the site over port 443, you need to make sure that the request is directed to the correct host, over port 443 as well.

          Hope this helps.

          Cheers

  48. When I execute the command…

    certbot certonly --webroot -w /usr/local/www/nextcloud -d cloud.mydomain.com

    …I receive the error…

    certbot: Command not found.

    I am attempting this on Freenas 11.2 with your instructions amended only to use PHP 7.2 instead of 7.1 from the guide. I have removed the certbot package and reinstalled, as well as restarted the entire jail, but I receive the same error when I execute above command. Any help/ideas?

    1. Hi Tony,

      This means that Certbot isn’t installed. Try running the installation command again: pkg install py27-certbot. Pay special attention to any messages you’re given during the installation process. I just spun up a new jail and confirmed that the package isn’t broken or anything, so all you should have to do is install it and the certbot command should be available.

      If this still doesn’t work, run ls -l /usr/local/bin/*certbot*. This should list all installed programs containing ‘certbot’ in the name. Doing this on my system shows:

      lrwxr-xr-x  1 root  wheel   11 Apr  3 10:31 /usr/local/bin/certbot -> certbot-2.7
      -rwxr-xr-x  1 root  wheel  393 Apr  3 10:31 /usr/local/bin/certbot-2.7
      

      This means that what pkg install py27-certbot is actually installing is certbot-2.7. It then creates a symbolic link to certbot. Perhaps this symbolic link creation is failing in your installation, so you might be able to try replacing certbot with certbot-2.7, i.e. certbot-2.7 certonly ....

      Hope this helps.

      Cheers.

      1. Thanks so much. That was exactly the problem.

        BTW, I was able to use an A name on Cloudflare for DynDNS with the script found here…

        https://github.com/jonegerton/cloudflare-ddns/blob/master/cf-ddns.sh

        …with the thing to note about the script being that the cfhost entry has to be in the subdomain.domain.com format and not just the entry name. Then add it to crontab with the line…

        */5 * * * * bash {set file location here}/cf-ddns.sh >/dev/null 2>&1

        …to update every 5 minutes. If there’s no change in public IP (it’s cached), no requests are sent.

        Also, I was finally able to get certbot and LetsEncrypt to succeed by manually creating the <.well-known> folder in the webroot (…/www/nextcloud/.well-known) and manually setting the ownership to www:www

        Thanks for the help and I hope this extra info helps someone else, if you want to add it to the guide.

      2. Yea certbot is now installed on freebsd versions as certbot-2.7. I suppose there is a certbot-3.5 but I haven’t checked (2.7 refers to python version (2.7 or 3.5 respectively)). I had to create a symbolic link since at least with my install certbot was not linked to certbot-2.7. The question was answered above so I guess I’m late to the game.

        1. Strange that you had to do this manually – as I said, I spun up a new jail to test installation of the certbot package and the symbolic link was created automatically. To anybody struggling with this, you can create the symbolic link for python 2.7 with the following command (replace 2.7 with 3.x as required):

          ln -s /usr/local/bin/certbot-2.7 /usr/local/bin/certbot
          
  49. Hello, I followed your steps with php7.2 and it worked perfectly. Now I have 2 questions, if you are able to help me with them.
    1. When I open the jail I get “you have mail”. How can I view that mail?
    2. I only have 1 jail in DMZ that I’m able to push publicly. How can I have other virtual hosts? I downloaded wordpress in /www/wp and created wp.domain.com.conf with the same code you have for nextcloud but changed the directory, but I got “You don’t have permission to access / on this server.”

    1. Hi Sulayman,

      1. type mail at the terminal prompt within the jail
      2. My setup doesn’t tell you to put your jail in a DMZ, and in fact suggests that this may be a futile effort to begin with. If you want to use multiple web servers within the same jail, there are a number of ways to achieve this. First is by name or port virtual host entries. Refer to the documentation on how to achieve this. The second (perhaps better?) way to do this would be to set up a reverse proxy. Have a read of the documentation and see how you go. I’ve never done either though, so I’m not an expert on this. I run all of my web servers in separate jails, and my only publicly facing one is nextcloud.
  50. Hey everyone, I’ve got all the way to the last part of the install (go to the local IP to continue the setup of nextcloud) but get this. Not sure where I have gone wrong.
    <?php
    /**
    *
    * Your webserver seems to be not configured to use PHP or PHP is not installed.
    * Please contact your administrator or follow our documentation:
    * https://docs.nextcloud.com/server/13/admin_manual/installation/source_installation.html
    *
    * @copyright Copyright (c) 2016, ownCloud, Inc.
    *
    * @author Georg Ehrke oc.list@georgehrke.com
    * @author Joas Schilling coding@schilljs.com
    * @author Jörn Friedrich Dreyer jfd@butonic.de
    * @author Lukas Reschke lukas@statuscode.ch
    * @author Morris Jobke hey@morrisjobke.de
    * @author Robin Appelman robin@icewind.nl
    * @author Sergio Bertolín sbertolin@solidgear.es
    * @author Thomas Müller thomas.mueller@tmit.eu
    * @author Vincent Petry pvince81@owncloud.com
    *
    * @license AGPL-3.0
    *
    * This code is free software: you can redistribute it and/or modify
    * it under the terms of the GNU Affero General Public License, version 3,
    * as published by the Free Software Foundation.
    *
    * This program is distributed in the hope that it will be useful,
    * but WITHOUT ANY WARRANTY; without even the implied warranty of
    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    * GNU Affero General Public License for more details.
    *
    * You should have received a copy of the GNU Affero General Public License, version 3,
    * along with this program. If not, see http://www.gnu.org/licenses/
    *
    */

    require_once __DIR__ . '/lib/versioncheck.php';

    try {

        require_once __DIR__ . '/lib/base.php';

        OC::handleRequest();

    } catch(\OC\ServiceUnavailableException $ex) {
        \OC::$server->getLogger()->logException($ex, array('app' => 'index'));

        //show the user a detailed error page
        OC_Template::printExceptionErrorPage($ex, 503);

    } catch (\OC\HintException $ex) {
        try {
            OC_Template::printErrorPage($ex->getMessage(), $ex->getHint(), 503);
        } catch (Exception $ex2) {
            try {
                \OC::$server->getLogger()->logException($ex, array('app' => 'index'));
                \OC::$server->getLogger()->logException($ex2, array('app' => 'index'));
            } catch (Throwable $e) {
                // no way to log it properly – but to avoid a white page of death we try harder and ignore this one here
            }

            //show the user a detailed error page
            OC_Template::printExceptionErrorPage($ex, 500);
        }

    } catch (\OC\User\LoginException $ex) {
        OC_Template::printErrorPage($ex->getMessage(), $ex->getMessage(), 403);
    } catch (Exception $ex) {
        \OC::$server->getLogger()->logException($ex, array('app' => 'index'));

        //show the user a detailed error page
        OC_Template::printExceptionErrorPage($ex, 500);

    } catch (Error $ex) {
        try {
            \OC::$server->getLogger()->logException($ex, array('app' => 'index'));
        } catch (Error $e) {
            http_response_code(500);
            header('Content-Type: text/plain; charset=utf-8');
            print("Internal Server Error\n\n");
            print("The server encountered an internal error and was unable to complete your request.\n");
            print("Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.\n");
            print("More details can be found in the webserver log.\n");

            throw $ex;
        }
        OC_Template::printExceptionErrorPage($ex, 500);

    }
    Should I just delete the jail and start again? I’ve retraced my steps, everything is running, and I can get the php info up. It has left me scratching my head a bit.

    1. Hi Mike, I’ve never seen this error before unfortunately. I’d recommend starting again, and if it persists, seek help in #nextcloud or #php channels on IRC. This isn’t an easy forum to help you debug the issues you’re having. One thing you could check is the apache error log, and make sure the config.php file for nextcloud matches what I’ve detailed.

      Cheers.

  51. Has anyone had problems upgrading to Version 16 of nextcloud? I see it’s available, but I am a bit reluctant to take the plunge…

    1. I haven’t yet, but it’s probably prudent to wait until 16.0.1 is released; .0 versions are risky because the bugs haven’t been discovered and patched yet. Also, I haven’t had great experiences upgrading nextcloud. My last upgrade broke a couple of apps, and getting it working again resulted in an integrity error because the app hashes didn’t match. Proceed with caution!

  52. Hi Martinus,

    I installed Version 16 fresh (no upgrade) with Samuel’s guide for 14/15 without problems.

  53. Hello Samuel. This has been working great for months. I moved into a new house over the weekend and now have a new internet provider. I have my DNS updated to my new external ip.

    My question is how do i go about updating my nextcloud internal ip? Do I use the FreeNas Gui or do I need to SSH?

    1. Hi Phil,

      I’m not sure what you mean by updating the ‘nextcloud internal IP’; Are you talking about the LAN IP of your FreeNAS host or your jail? The jail should have a static IP as per the first steps in the guide when we created it, specifically this command:

      iocage create -n nextcloud -r 11.2-RELEASE ip4_addr="vnet0|192.168.0.10/24" defaultrouter="192.168.0.1" vnet="on" allow_raw_sockets="1" boot="on"
      

      This would have set the jail to have the IP 192.168.0.10. If you’re talking about your FreeNAS host, then you may need to make a static DHCP entry in your router.

      Cheers,

      Sam

      1. Sam,
        Yes, correct. I didn’t explain it well. I’m talking about the LAN IP of the nextcloud jail itself. I used the command you listed above when I first set everything up so it worked well, but I moved into a new house with a different internet provider so my LAN IP number format changed from 10.0.0.x (Comcast) to 192.168.1.x (WOW). So I wanted to change my Jail IP from the 10.0.0.x format to the 192.168.1.x format if possible.

        Hopefully that makes sense.

        1. Phil, as per the iocage documentation, the command you need is:

          root@freenas:~ # iocage set ip4_addr="vnet0|192.168.1.10/24" nextcloud
          

          Replace the IP with the IP you wish the jail to have. Also note that this is issued from the FreeNAS host, not inside the jail. I’ve never used this before though, so I hope it works 🙂

  54. Hi Samuel,

    An awesome guide. I’m grateful. I’m going through it, and got to the point where I found an issue, not with your instructions, but my setup. The /vault/cloud/ share I want to be able to use with NextCloud sits on a FreeNAS server and it’s mirrored (read only) from a DROBO NAS via Resilio Sync. The files are owned by the rslsync user and group (rslsync:rslsync) which presents a problem, because if I change user and group ownership to www, as your guide suggests, it would effectively break write access to Resilio Sync replication. I haven’t spent too long thinking about a workaround, and I was curious as to your approach to such a problem. Regards, Angelo C.

    1. Angelo, it should be fine if you just add the www user to your rslsync group and give the group the same permissions as the user (774 or something). I wouldn’t advise keeping the permissions as read only though, this will probably present issues or significantly diminish the functionality you get out of nextcloud.

      Another alternative if you need rslsync to have read only privileges, would be to make www the owning user and group, and just let rslsync be a member of the other group, and give it read only privileges (i.e. www:www 774).

  55. Hi Samuel

    I got two things:
    1. the title UPGRADING is spelled wrong 🙂
    2. How can I remove this message:
    The database is missing some indexes. Due to the fact that adding indexes on big tables could take some time they were not added automatically. By running “occ db:add-missing-indices” those missing indexes could be added manually while the instance keeps running. Once the indexes are added queries to those tables are usually much faster.
    Missing index “twofactor_providers_uid” in table “oc_twofactor_providers”.
    Missing index “version” in table “oc_whats_new”.
    Missing index “cards_abid” in table “oc_cards”.
    Missing index “cards_prop_abid” in table “oc_cards_properties”.

    Thanks for your help!

    1. Hi Richard,

      Thanks for noticing. I’ve updated it accordingly. With respect to the error message you’re getting, you just need to run the command it’s telling you to run as the php user. Namely:

      su -m www -c 'php /usr/local/www/nextcloud/occ db:add-missing-indices'
      

      Cheers.

  56. This is a great tutorial and I have it all working well on my localhost.

    However, I do not understand enough to work out the following
    To be clear here:

    “If your domain is available on the internet, cloud.mydomain.com must resolve to a public IP
    If your domain is only available locally, cloud.mydomain.com must resolve to a local IP
    OR, it must be a local IP.”

    My question is this – where could I find the needed guidance to set up an external domain “example.net” and point it to my nextcloud server. Obviously I want to set up SSL and whatever reverse DNS to accomplish this – but I seem to be missing this piece of the puzzle.

    It’s probably obvious, but any help is appreciated.

    1. Hi Nic,

      To set up an external domain, you’ll first need to buy the domain name. You can do this through any domain registrar, but if you’re interested in following my guide specifically, it might be worth buying it through AWS. Then, you need to configure that domain name to point at your public IP address. With Amazon Web Services, this can be achieved by placing your public IP in an A record for the domain using Route 53. When configuring DDNS in the guide, I do talk about this briefly.

      Alternatively, you could use a service such as DynDNS or NoIP which will provide you with a free subdomain (example: nic.noip.com), which you can use to point at your public IP. As discussed in the guide, it’s important that you configure Dynamic DNS, as most ISPs only provide residential users with a temporary, dynamic IP address. A Dynamic DNS (DDNS) service changes the IP address to which it points when the ISP allocates you a new public IP address.

      Hope this helps.

      1. Samuel,

        Thanks very much. I will try that route.

        The specific area of the guide that I believe this is very relevant to is the section on Virtualhost and the section on Adding external domain to NC.

        If you could let me know which config(s) have data in them relating to those two sections I think I would be able to figure the rest out. Will be using the Amazon solution you go over, have an external domain….

        Nic

        1. If you’re using AWS and Route 53, everything you need should be in the DDNS section. Otherwise, you can look for guides on setting up FreeNAS’s DDNS service to update an external DDNS service.
          Cheers

          1. One little bug:

            I cannot get the update-route53.sh to run – I get
            update-route53.sh: 27: Syntax error: “(” unexpected
            and I cannot figure what I did wrong.
            Rebuilt the root crontab and the other two cron tasks – certbot and checkaide are running fine.
            Any suggestions?
            Everything else is running flawlessly.

          2. Hi Nic, what’s the crontab command that you’re using, and where are you reading this error? Note that this script needs to be executed with bash, but it looks like you’re trying to execute it with /bin/sh. A couple of things to check:
            1. Make sure the shebang is present at the top of update-route53.sh file, i.e. the very first line is:

            #!/usr/local/bin/bash
            
            2. Second, make sure that bash is present in /usr/local/bin/bash, i.e.
            ls /usr/local/bin/bash
            

            If it’s not present (I think it should be by default, I don’t remember having to install it and I tested this guide multiple times just following the instructions here), but if it’s not, you can install it with

            pkg install bash
            

            Then, to test it’s working you can execute the following commands:

            cd /scripts/update-route53
            ./update-route53.sh
            

            or, more explicitly:

            /usr/local/bin/bash /scripts/update-route53/update-route53.sh
            

            Hope this helps.

            Cheers,

            Sam

        2. Samuel,

          Once again, many thanks.

          I installed BASH, it was indeed missing, don’t know why…

          In any case – it looks like all is working, except, I can’t inspect my crontabs – when I look for crontab as root it shows up as empty. I’m sure there is a simple reason for this.

          Appreciate your patient advice.

          1. When you say you can’t inspect your crontab, what do you mean? How are you trying to inspect it? crontab -e should display the crontab as currently installed for the user you’re logged in as (root in this case)

          2. Samuel,

            Thanks – not sure what I did, but yes opening the Tab as root I repasted the three cron tasks and they all seem to be working fine now. In short, everything is working now!

  57. Hey, I had a power cut recently, and my install of nextcloud 15 is stuck in maintenance mode. nothing I have tried has fixed my issue.
    When I go to the web ui I get a page stating that the server was unable to complete my request and that more details can be found in the log. I’m not sure where to find the log.

    When I connect via the android app I get a notification at the top stating that the server is in maintenance mode.

    1. Hi Daniel, you can turn maintenance mode off by executing the following from the jail shell (provided you installed using my guide, otherwise fix the path to occ as appropriate):

      su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:mode --off'
      

      It’s a bit strange that it doesn’t tell you it’s in maintenance mode from the web ui though, so it would definitely be worth checking out the logs to see what’s going on. I have a list of the log locations at the end of the post, under ‘Support’.
      Cheers.

      1. Thanks for the reply Samuel, but that command didn’t seem to work. ended up throwing an error

        root@nextcloud:/ # su -m www -c ‘php /usr/local/www/nextcloud/occ maintenance:mode -off’
        An unhandled exception has been thrown:
        RedisException: Connection refused in /usr/local/www/nextcloud/lib/private/RedisFactory.php:84
        Stack trace:
        #0 /usr/local/www/nextcloud/lib/private/RedisFactory.php(84): Redis->connect(‘127.0.0.1’, 6379, 0)
        #1 /usr/local/www/nextcloud/lib/private/RedisFactory.php(100): OC\RedisFactory->create()
        #2 /usr/local/www/nextcloud/lib/private/Memcache/Redis.php(42): OC\RedisFactory->getInstance()
        #3 /usr/local/www/nextcloud/lib/private/Memcache/Factory.php(136): OC\Memcache\Redis->__construct(‘327952c145e682d…’)
        #4 /usr/local/www/nextcloud/lib/private/Server.php(861): OC\Memcache\Factory->createLocking(‘lock’)
        #5 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(118): OC\Server->OC{closure}(Object(OC\Server))
        #6 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(117): Pimple\Container->offsetGet(‘OCP\Lock\ILocki…’)
        #7 /usr/local/www/nextcloud/lib/private/ServerContainer.php(132): OC\AppFramework\Utility\SimpleContainer->query(‘OCP\Lock\ILocki…’)
        #8 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(165): OC\ServerContainer->query(‘OCP\Lock\ILocki…’)
        #9 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(114): OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility{closure}(Object(OC\Server))
        #10 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(117): Pimple\Container->offsetGet(‘LockingProvider’)
        #11 /usr/local/www/nextcloud/lib/private/ServerContainer.php(132): OC\AppFramework\Utility\SimpleContainer->query(‘LockingProvider’)
        #12 /usr/local/www/nextcloud/lib/private/Server.php(1804): OC\ServerContainer->query(‘LockingProvider’)
        #13 /usr/local/www/nextcloud/lib/private/Files/View.php(116): OC\Server->getLockingProvider()
        #14 /usr/local/www/nextcloud/lib/private/Server.php(221): OC\Files\View->__construct()
        #15 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(118): OC\Server->OC{closure}(Object(OC\Server))
        #16 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(117): Pimple\Container->offsetGet(‘OCP\Encryption\…’)
        #17 /usr/local/www/nextcloud/lib/private/ServerContainer.php(132): OC\AppFramework\Utility\SimpleContainer->query(‘OCP\Encryption\…’)
        #18 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(165): OC\ServerContainer->query(‘OCP\Encryption\…’)
        #19 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(114): OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility{closure}(Object(OC\Server))
        #20 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(117): Pimple\Container->offsetGet(‘EncryptionManag…’)
        #21 /usr/local/www/nextcloud/lib/private/ServerContainer.php(132): OC\AppFramework\Utility\SimpleContainer->query(‘EncryptionManag…’)
        #22 /usr/local/www/nextcloud/lib/private/Server.php(1277): OC\ServerContainer->query(‘EncryptionManag…’)
        #23 /usr/local/www/nextcloud/lib/base.php(845): OC\Server->getEncryptionManager()
        #24 /usr/local/www/nextcloud/lib/base.php(730): OC::registerEncryptionWrapper()
        #25 /usr/local/www/nextcloud/lib/base.php(1068): OC::init()
        #26 /usr/local/www/nextcloud/console.php(46): require_once(‘/usr/local/www/…’)
        #27 /usr/local/www/nextcloud/occ(11): require_once(‘/usr/local/www/…’)

        1. Hi Daniel, I’ve never seen this issue before so I’m not sure how much help I can be. A brief look into the issue indicates that it’s a socket issue with redis (used for caching your files for quick access). My suggestion would be to go back over the Redis section of the guide and make sure that all of your configuration files match what I’ve specified. I don’t think it’s likely, but perhaps it’s possible that your configuration was lost with the power outage? I’m not sure.

          As I said before though, check out the logs – that will likely tell you what’s going wrong specifically. Also, I recommend checking out the #freenas and #nextcloud channels on free node IRC for interactive help in debugging this. That’s where I go for help 🙂

          Cheers

  58. Hi all,
    I’ve tried to renew the certificate of the certbot.
    Unfortunately I get an error and don’t know how to fix it.
    I’m not familiar with it.
    But I think there is a problem with some config, because certbot tries to fetch something on this domain: cloud.mydomain.com
    My own domain is xxx.de.
    Maybe someone can help me.

    Thanks in advance.

    Regards,
    Thomas

    root@nextcloud:/ # certbot renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    Processing /usr/local/etc/letsencrypt/renewal/xxx.de.conf

    Cert is due for renewal, auto-renewing…
    Plugins selected: Authenticator webroot, Installer None
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for xxx.de
    Waiting for verification…
    Cleaning up challenges
    Attempting to renew cert (xxx.de) from /usr/local/etc/letsencrypt/renewal/xxx.de.conf produced an unexpected error: Failed authorization procedure. xxx.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://cloud.mydomain.com/.well-known/acme-challenge/xyz: dns :: DNS problem: NXDOMAIN looking up A for cloud.mydomain.com. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
    /usr/local/etc/letsencrypt/live/xxx.de/fullchain.pem (failure)

    All renewal attempts failed. The following certs could not be renewed:
    /usr/local/etc/letsencrypt/live/xxx.de/fullchain.pem (failure)

    1 renew failure(s), 0 parse failure(s)

    IMPORTANT NOTES:
    – The following errors were reported by the server:

    Domain: xxx.de
    Type: connection
    Detail: Fetching
    https://cloud.mydomain.com/.well-known/acme-challenge/xyz
    dns :: DNS problem: NXDOMAIN looking up A for cloud.mydomain.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

    1. Thomas, it sounds like when you ran through the guide you missed an instance of cloud.mydomain.com when replacing it with your own domain name. I’m not sure where this is located, but as a blunt tool, you could find it by running the following command from the nextcloud jail shell:

      root@nextcloud:/ # grep -rnw '/' -e 'cloud.mydomain.com'
      

      This might take a few minutes to run, but at the end it will show you all the files in which this phrase appears. Once it’s finished, just replace cloud.mydomain.com in these files with your domain name, and try to renew the certificate again. See how you go, hope it helps.

      1. Hi Samuel,
        unfortunately the grep does not work.

        root@nextcloud:/ # grep -rnw '/' -e 'cloud.mydomain.com'
        grep: /tmp/mysql.sock: Operation not supported

        1. Hi Thomas,

          I’m not sure why you’re getting this; I don’t get the same behaviour on mine. Regardless, you could try narrowing your search path to /etc or /usr, i.e.:

          grep -rnw '/etc' -e 'cloud.mydomain.com'
          

          The aim here is to find instances of ‘cloud.mydomain.com’ so that you can replace them with your .de domain.

          1. Hi Samuel,
            I’ve found the failure in /usr/local/etc/apache24/Includes/xxx.conf

            Thanks a lot for your help!

            Thomas

  59. Hi Samuel

    thanks for keeping up at responding, I really appreciate it. I followed your tutorial but something that I seem not to get is the email section. Every time I log into Nextcloud via SSH I get this:

    root@freenas[~]# jexec 5 tcsh
    You have mail.

    But where is the mail and how can I read it?

    Cheers

    1. Hi Richard,
      You can view the mail by executing the mail(1) command from the Nextcloud shell:

      mail
      

      Then select the message number to view the mail (See linked docs above for more detail). You’ll get mail here for things like security run outputs, and any errors that have been identified with the cron jobs you’ve set up.

      Cheers.

        1. No, the only mail being sent is what we specify above, ie the nightly aide summaries. A lot of what will be contained in the local mailbox will be system notifications. Have a look to confirm.

  60. Hi Samuel,

    Excellent Guide. Thank you for the wonderful work. Just have a small query :

    I was reading in the nextcloud doc that we can map nextcloud data directory to local drive in windows. I used the following command but it fails.
    net use Z: \192.168.1.99\nextcloud\remote.php\dav\files\USERNAME

    But it fails to map.
    When I use
    net use Z: \192.168.1.99\nextcloud\

    It gives me the prompt to enter username and password but just fails after that.
    I am able to access through browser.
    Also I am planning to buy a smart TV. Can I play movies stored in nextcloud data directory in the TV. What settings I need to do in nextcloud. What link should I use in the smart Tv to access it.

    Regards,
    Ashima

    1. Hi Ashima, this is well beyond the scope of my guide. I don’t use windows or a smart tv, so I’m not able to provide any advice on how to achieve what you’re asking. I don’t keep any media in Nextcloud; I have additional, separate datasets for my media. I then host a PLEX server in a separate jail and use the client applications to view the content. I find this a much cleaner solution than what you’re proposing, so it might be worth looking into. The FreeNAS forums provide a lot of discussion on configuring plex, so head over there and check it out.

      An SMB share might provide the functionality you’re after RE: mapping drives, but I only access it through the Nextcloud client, and from macOS no less, so I’m not sure how to help you with windows.

      Cheers

  61. Hi,
    Thanks for your job, it’s very interesting. I have a question. Why is your Apps dataset on your SSD and not in your vault? Your SSD is a SPOC. If your SSD crashes, you will need to recreate all of your nextcloud’s database, or do you have a backup script to avoid it?

    1. No, you’re right. This is a weakness of my current design. My intention has been to mirror the SSD for some redundancy, but I haven’t gotten around to it yet. A backup script is probably a prudent idea while I sort myself out 🙂

      Cheers.

  62. Hello Samuel! I really do appreciate this guide and all of your help over the last few months! Something new has popped up. I’m hoping you can help.
    Each night at 1:05 I receive my Aide email with the database changes. Normally there are little to no changes, but over the last 4 weeks or so I’m seeing these added entries regarding Let’s Encrypt:

    f++++++++++++: /usr/local/etc/letsencrypt/csr/0030_csr-certbot.pem
    f++++++++++++: /usr/local/etc/letsencrypt/csr/0031_csr-certbot.pem
    f++++++++++++: /usr/local/etc/letsencrypt/keys/0030_key-certbot.pem
    f++++++++++++: /usr/local/etc/letsencrypt/keys/0031_key-certbot.pem

    Each day the number sequence goes up. My Let’s Encrypt cert isn’t due to expire until 7/11. I’m not sure if it’s tied to that or not. Any ideas what might be going on here? As always thanks for the help!

    1. Hi Phil,

      I’m not sure about this specifically; it might be worth going to ##letsencrypt on IRC to work out what’s going on if you think this warrants the effort. I don’t see messages like this at the same frequency that you do, though a quick inspection indicates that there are 17 such certificate signing requests in the folder you indicated on my machine. Bear in mind that the cronjob we added will attempt to renew your certificate twice a day, so perhaps there’s something about your site configuration that lets it generate CSRs on a daily basis? I’m really not sure. This is a LetsEncrypt issue though, so definitely check out IRC or their forums if you want to dig into it further.

  63. Hello Samuel. Another question. How do I go about backing up this installation? You mention
    The config folder
    The data folder
    The theme folder
    The database

    How do I restore these items? Thank you sir!

      1. Thanks Samuel. So from the documentation, I’m looking at the following command:

        mysqldump --single-transaction -h [server] -u [username] -p[password] [db_name] > nextcloud-sqlbkp_`date +"%Y%m%d"`.bak

        A few noob questions:
        1. Based on your guide, is the server name Nextcloud?
        2. Is the db-name MariaDB?
        3. How do I specify where this backup is saved?

        Thanks Samuel

        1. Phil,

          1. Host name is ‘localhost’
          2. Username is ‘nextcloud_admin’
          3. Password is as specified by you
          4. db_name is ‘nextcloud’

          This is all detailed under the ‘Configure MySQL’ heading for reference. The way this has been configured (in the guide I provide at least) has been to store the database information in the following dataset:
          /mnt/jailhouse/apps/nextcloud/db
          This is external to your nextcloud jail, so it serves as the database backup. Without having looked at this procedure in detail, I would imagine that all that’s required would be to import this database dataset into a fresh mysql (MariaDB in this case) installation. It looks like the command you’re looking to run is designed to back up the current database; I’m not sure that’s required. Having said that, happy to be wrong. Like I said, I haven’t looked at it in any great detail.

          Hope this helps.

          Cheers

          1. Samuel,
            Thank you for your help. I really appreciate it. All is updated to 16.0.3 and working well.

  64. I can’t get past this here

    root@VolTank1[~]# iocage fstab -a nextcloud /mnt/VolTank1/cloud /mnt/data nullfs rw 0 0
    Destination: /mnt/VolTank1/iocage/jails/nextcloud/root/mnt/data does not exist or is not a directory.
    root@VolTank1[~]#

    1. gio, to run this command you might need to stop the jail if it’s running. Otherwise you could try creating the directory manually, though you shouldn’t need to:

      mkdir /mnt/VolTank1/iocage/jails/nextcloud/root/mnt/data
      
  65. Hi Samuel, I have been running nextcloud for 3 months and I love it. Your tutorial and help has been amazing and I cannot praise you and your site enough. I wanted to ask your advice on upgrading. I see that under “Version” it is now prompting me to upgrade to Nextcloud 16.0.2 under the stable channel. If I click the “Open Updater” button, will it work with this install/do you foresee any issues with doing this, or should I leave well enough alone and just keep it at 15.0.5?

    1. Hi David,

      I’ve had problems upgrading in the past, and one downside of the methodology that I’ve presented is that using the web updater puts the FreeBSD package and installed version out of sync. Because of this, I’d recommend using pkg upgrade to upgrade your nextcloud package, and then following the printed instructions to upgrade the installation using occ. As mentioned, I’ve had issues with this before though and the upgrade process doesn’t seem especially stable, so I can’t provide any further advice. I’m still on 15.0.1.

      Cheers.

  66. Hi Samuel

    When trying to log in via the browser I am getting a warning and am being told that it is an unsecure connection:

    NET::ERR_CERT_COMMON_NAME_INVALID
    Subject: worldwidehustle.dynu.com

    Issuer: Let’s Encrypt Authority X3

    Expires on: 28.06.2019

    Current date: 11.07.2019

    PEM encoded chain:

    Then it follows some garble 🙂 Why isn’t the certificate renewed, any idea?

    Cheers

    1. Richard,

      You can confirm whether certbot has successfully renewed your certificate by running the following command:

      openssl x509 -enddate -noout -in /usr/local/etc/letsencrypt/live/cloud.mydomain.com/fullchain.pem
      

      If the date printed is a date in the past, then certbot is having an issue renewing your certificate. You can try to renew manually by executing:

      certbot renew
      

      If the date is a date in the future, then you likely just need to restart Apache:

      service apache24 restart
      

      Hope this helps. Cheers

      1. Hi Samuel

        “certbot renew” didn’t work and I got the following error:

        root@nextcloud:/ # certbot renew
        Saving debug log to /var/log/letsencrypt/letsencrypt.log

        Processing /usr/local/etc/letsencrypt/renewal/worldwidehustle.dynu.com.conf

        Cert is due for renewal, auto-renewing…
        Plugins selected: Authenticator webroot, Installer None
        Renewing an existing certificate
        Performing the following challenges:
        http-01 challenge for worldwidehustle.dynu.com
        Waiting for verification…
        Cleaning up challenges
        Attempting to renew cert (worldwidehustle.dynu.com) from /usr/local/etc/letsencrypt/renewal/worldwidehustle.dynu.com.conf produced an unexpected error: Failed authorization procedure. worldwidehustle.dynu.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://worldwidehustle.dynu.com.well-known/acme-challenge/ECJJhrZguVc0b8IhUmWlieuGtLAIFlYgilHhTA1S3TY: Invalid host in redirect target “worldwidehustle.dynu.com.well-known”. Check webserver config for missing ‘/’ in redirect target.. Skipping.
        All renewal attempts failed. The following certs could not be renewed:
        /usr/local/etc/letsencrypt/live/worldwidehustle.dynu.com/fullchain.pem (failure)

        All renewal attempts failed. The following certs could not be renewed:
        /usr/local/etc/letsencrypt/live/worldwidehustle.dynu.com/fullchain.pem (failure)

        1 renew failure(s), 0 parse failure(s)

        IMPORTANT NOTES:
        – The following errors were reported by the server:

        Domain: worldwidehustle.dynu.com
        Type: connection
        Detail: Fetching
        https://worldwidehustle.dynu.com.well-known/acme-challenge/ECJJhrZguVc0b8IhUmWlieuGtLAIFlYgilHhTA1S3TY:
        Invalid host in redirect target
        “worldwidehustle.dynu.com.well-known”. Check webserver config for
        missing ‘/’ in redirect target.

        To fix these errors, please make sure that your domain name was
        entered correctly and the DNS A/AAAA record(s) for that domain
        contain(s) the right IP address. Additionally, please check that
        your computer has a publicly routable IP address and that no
        firewalls are preventing the server from communicating with the
        client. If you’re using the webroot plugin, you should also verify
        that you are serving files from the webroot path you provided.

        I am using a DynDNS service dynu.com.

        Hope this helps to figure out what’s wrong. I also would like to send you some beer for all your help 😉

        1. Richard, it looks like you’re using a http challenge. As I mention in the blog post, I struggled to get this to work and found it easier to use a DNS challenge instead. I believe http challenge makes a request to port 80 to find the challenge key, but in the configuration I’ve specified HTTP requests are forwarded to HTTPS; you may need to play around with this. Also, try the suggested fixes in the error message as appropriate.

          For more specific help, I’d recommend checking out ##letsencrypt on IRC. It’s an unofficial support channel, and is relatively slow, but the folks there seem pretty knowledgeable. I don’t share the same configuration as you unfortunately, so I’m not sure I can be too much help.
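Both renewal failures in the comments above (a leftover cloud.mydomain.com in an Apache include, and certbot's "missing '/' in redirect target") come from the web server configuration, so they can be checked before running certbot renew. The sh functions below are an added example, not part of the guide or of certbot; they only look at mod_alias Redirect directives, and the function names, the sample tree and cloud.example.org are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint config files for two causes of http-01 renewal failure.

PLACEHOLDER='cloud.mydomain.com'   # the guide's example host name

# List regular files under the given directories that still contain the
# placeholder. find -type f skips sockets such as /tmp/mysql.sock (the cause
# of "Operation not supported"), and grep -F matches the dots literally.
find_placeholder() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -exec grep -lF -- "$PLACEHOLDER" {} + 2>/dev/null || true
    done
}

# Print "file:line: directive" for each Redirect whose target is a bare
# scheme://host with no trailing slash. Apache appends the rest of the request
# path to the target, so "Redirect permanent / https://host" turns
# /.well-known/acme-challenge/x into https://host.well-known/acme-challenge/x.
find_bad_redirects() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.conf' -exec awk '
            tolower($1) == "redirect" {
                target = $NF
                gsub(/"/, "", target)              # allow a quoted target
                if (target ~ "^https?://[^/]+$") {
                    line = $0
                    sub(/^[ \t]+/, "", line)
                    printf "%s:%d: %s\n", FILENAME, FNR, line
                }
            }' {} + || true
    done
}

# Constructed sample tree: one include with both problems, one corrected
# include, and a FIFO standing in for a non-regular file like mysql.sock.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/apache24/Includes"
    mkfifo "$root/mysql.sock" 2>/dev/null || true
    cat > "$root/apache24/Includes/leftover.conf" <<'EOF'
<VirtualHost *:80>
    ServerName cloud.mydomain.com
    Redirect permanent / https://cloud.example.org
</VirtualHost>
EOF
    cat > "$root/apache24/Includes/fixed.conf" <<'EOF'
<VirtualHost *:80>
    ServerName cloud.example.org
    Redirect permanent / "https://cloud.example.org/"
</VirtualHost>
EOF
    printf '%s\n' "$root"
}

# Demo on the constructed tree; inside the jail, pass /usr/local/etc instead.
sample=$(make_sample_tree)
find_placeholder "$sample"
find_bad_redirects "$sample"
rm -rf "$sample"
```

A Redirect that the second function reports is fixed by ending the target with a slash, as in fixed.conf above.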

    1. Hi Richard,

      This command needs to be executed from the nextcloud web root, where the occ program is located:

      /usr/local/www/nextcloud/occ
      

      The command you probably want to run is as the www user though (this can be run from any directory as the path to occ is absolute):

      su -m www -c 'php /usr/local/www/nextcloud/occ config:app:set previewgenerator squareSizes --value="32 256"'
      

      Cheers

  67. A brilliant article Samuel thank you. I’ve had success all the way through except for scheduling the automatic renewal of certbot with “0 0,12 * * * /usr/local/bin/python3.6 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot renew --quiet”.
    I’ve modified the script due to using nextcloud with php 3.6 however in using the code I get a Pattern not found message. Any idea?

    1. James, I assume you mean python 3.6 not php 3.6, and this is probably why it’s not working. Have you got python3.6 installed? Otherwise, I’d suggest that your modifications aren’t python3.6 compliant. This cronjob just runs the renewal script at some random time after the 0th and 12th hours of a day. You could just exclude python completely and change it to the following:

      0 0,12 * * * /usr/local/bin/certbot renew --quiet
      

      Or, use it as I’ve listed in the guide.

      Cheers.

  68. Hey Samuel. I’ve tried your guide and was able to get it working locally. But now I wanted to make it online and configure it so that friends and family can access it from outside of my local network too. I have read on some stuff about route 53 and I’m planning on buying a domain and configure the DNS there too. Is there anything that I need to configure after buying the domain name on route 53. I have no idea about hosted zone and how to map my ip address to the domain name that I’m about to purchase. Anything I can read up more on to get a better understand. Thank you!

  69. is it possible or does it make sense to have it like this:

    physical router 192.168.3.1
    physical hyperv host 192.168.3.2 (server 2019 datacenter)
    freenas 192.168.3.3 (VM, LSI passthrough, handling all storage stuff)
    virtual firewall (pfsense) 192.168.3.5 -> DMZ -> reverse proxy VM (192.168.178.*) -> VMs webserves 1-X- & iocage of Freenas VM)
    ?
    I used to have a separate machine to manage my domains and to do https2 (reverse proxy).

    I might need to attach 2 virtual LAN adapters then to the FreeNAS VM so the iocage gets its own (which is connected to the private DMZ LAN)

    Suggestions?

    1. Hi Krautmaster, I’ve never been through the process of configuring collabora unfortunately, so I’m not able to provide any specific advice. I’d recommend checking out the FreeNAS forums though; I’ve seen the topic mentioned a number of times there.

      Cheers.

  70. THANK YOU!!!
    I have been beating my head against the wall to get Nextcloud working and this awesome set of instructions got me there and even got my https and SSL working.

    I’ve tried the plugin and the semi-automated script from github. I think the script was too automated so when it went wrong because of my setup, I couldn’t figure out where.

    BTW, I installed Nextcloud 16.0.3 and php 7.3 using these instructions. Apache 2.4.39. Worked like a champ.

    1. I did hit one snag. It was running great, but then I restarted the jail, and I got the dreaded Nextcloud screen saying an error occurred, and the NextCloud server logs were filled with Redis connection refused errors.
      The first workaround I found was I could ssh into the jail and run:
      redis-server
      as root, and that got NextCloud working again (until the next time the jail was restarted). This was sub-optimal, because I did not want Redis running with root privileges, not to mention having to ssh in whenever the jail got re-started. For the record, I do not recommend anyone do this, except to see if you have the same symptoms as I did, and it is NOT a permanent fix (read on for the actual fix).
      What I did eventually find in the iX community forums (thanks to dureal99d) was that the newer version of Nextcloud does not need the line:
      'memcache.locking' => '\OC\Memcache\Redis',
      in the config file for redis to work.
      So I commented it out, and voilà, Nextcloud is working again, even after I re-booted the server completely just to make sure.
      Again, many thanks to Samuel.Dowling for this incredibly detailed guide!
      I would suggest that for NextCloud 16 at least that users DO NOT RUN this command listed in the guide:
      su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'
      Not sure if the line is needed for NextCloud15.
      Also, to get certbot to work, I had to install a different version than what the guide states (following the directions on certbot.org for FreeBSD):
      pkg install py36-certbot
      Using the version in the guide gave me errors (sorry don’t remember the specific errors now).

  71. Hi Samuel

    For some reason, I messed up my installation and cannot access the GUI anymore, neither via web nor via app. However, the instance is running, I can access it via SSH. How would I get the accessibility back? Could I just re-install following your guide but leave out the db , config and themes part?

    Thanks in advance for your help!

    1. Hi Richard,

      I’m not sure what could be causing this. It sounds like something has changed about the web server configuration, or the web server is no longer running. It seems like the installation process still works for 16.0.3, so you could always nuke the jail and start again from scratch, but if you do this, you’ll need to replace the database setup with the database import process detailed in the Nextcloud documentation. When I get some free time, I’ll probably update this guide with some more explicit instructions to do this, but for now the documentation is your primary guide. There are also some previous comments on this article that talk about some of the details.

      As far as debugging the issues go, this is difficult for me to replicate because I’m still on 15.x, and haven’t had time to go through the update process, so I’m not sure how much help I can provide you. The first thing that I would do is restart the web server to make sure that it’s running:
      service apache24 restart

      Then, if this doesn’t work, as I’ve suggested in my guide, you should inspect the logs:
      /var/log/httpd-error.log
      /var/log/nextcloud/nextcloud.log
      The relevant entries are likely at the end of the apache log, given that you’re having problems with the web server. Read what it says, and google the error message – this will likely give you some clues about changes that you can make to fix the error you’re getting. If you still don’t find anything from here, I’d check out the IRC channels #httpd and ##nextcloud and ask for help there – the support will be interactive which I’ve found useful in getting quick results. Honestly, I recommend going through the debugging procedure instead of just re-installing if you have the time; it’s what will help you learn more about how everything works, which was the intention of this guide to begin with.

      Hope this helps.

      Cheers

      1. Hi Samuel

        I tried the apache command and get the following:

        root@nextcloud:/ # service apache24 restart
        Performing sanity check on apache24 configuration:
        AH00526: Syntax error on line 14 of /usr/local/etc/apache24/Includes/worldwidehustle.dynu.com.conf:
        SSLCertificateFile: file ‘/usr/local/etc/letsencrypt/live/worldwidehustle.dynu.com/fullchain.pem’ does not exist or is empty

        Maybe just fixing this would bring back the GUI?

        Cheers
        Richard

        1. Running /var/log/httpd-error.log gives:

          [Wed Aug 07 00:00:54.295318 2019] [ssl:error] [pid 65702] AH01936: stapling_check_response: response times invalid
          [Wed Aug 07 00:00:54.453769 2019] [ssl:error] [pid 65702] AH01943: stapling_renew_response: error in retrieved response!
          [Wed Aug 07 00:12:54.342972 2019] [ssl:error] [pid 34745] AH01936: stapling_check_response: response times invalid
          [Wed Aug 07 00:12:54.388235 2019] [ssl:error] [pid 34745] AH01943: stapling_renew_response: error in retrieved response!
          [Wed Aug 07 00:24:54.336571 2019] [ssl:error] [pid 74051] AH01936: stapling_check_response: response times invalid
          [Wed Aug 07 00:24:54.395297 2019] [ssl:error] [pid 74051] AH01943: stapling_renew_response: error in retrieved response!
          [Wed Aug 07 00:25:12.715832 2019] [mpm_prefork:notice] [pid 1426] AH00169: caught SIGTERM, shutting down

          August is about when it stopped working.

          Running /var/log/nextcloud/nextcloud.log gives

          {“reqId”:”vB6m9JkB9QgevE0Zzzui”,”level”:1,”time”:”2019-08-02T23:20:40+00:00″,”remoteAddr”:””,”user”:”–“,”app”:”updater”,”method”:””,”url”:”–“,”message”:”\OC\Repair::step: Repair step: Cleanup cypress files from viewer app”,”userAgen$
          {“reqId”:”vB6m9JkB9QgevE0Zzzui”,”level”:1,”time”:”2019-08-02T23:20:52+00:00″,”remoteAddr”:””,”user”:”–“,”app”:”updater”,”method”:””,”url”:”–“,”message”:”\OC\Updater::startCheckCodeIntegrity: Starting code integrity check…”,”userAg$
          {“reqId”:”vB6m9JkB9QgevE0Zzzui”,”level”:1,”time”:”2019-08-02T23:20:57+00:00″,”remoteAddr”:””,”user”:”–“,”app”:”updater”,”method”:””,”url”:”–“,”message”:”\OC\Updater::finishedCheckCodeIntegrity: Finished code integrity check”,”userAg$
          {“reqId”:”vB6m9JkB9QgevE0Zzzui”,”level”:1,”time”:”2019-08-02T23:20:57+00:00″,”remoteAddr”:””,”user”:”–“,”app”:”updater”,”method”:””,”url”:”–“,”message”:”\OC\Updater::updateEnd: Update successful”,”userAgent”:”–“,”version”:”16.0.3.0$
          {“reqId”:”vB6m9JkB9QgevE0Zzzui”,”level”:1,”time”:”2019-08-02T23:20:57+00:00″,”remoteAddr”:””,”user”:”–“,”app”:”updater”,”method”:””,”url”:”–“,”message”:”\OC\Updater::maintenanceDisabled: Turned off maintenance mode”,”userAgent”:”–“$
          {“reqId”:”vB6m9JkB9QgevE0Zzzui”,”level”:1,”time”:”2019-08-02T23:20:57+00:00″,”remoteAddr”:””,”user”:”–“,”app”:”updater”,”method”:””,”url”:”–“,”message”:”\OC\Updater::resetLogLevel: Reset log level to Warning(2)”,”userAgent”:”–“,”ve$
          {“reqId”:”8Knq6SgkCO4RZwtB05uy”,”level”:3,”time”:”2019-08-04T09:59:19+00:00″,”remoteAddr”:”31.165.6.111″,”user”:”achmetinternet”,”app”:”no app in context”,”method”:”PUT”,”url”:”\/remote.php\/dav\/uploads\/achmetinternet\/64a35f1e2f351c3$
          $/lib\/Connector\/Sabre\/Directory.php”,”line”:156,”function”:”put”,”class”:”OCA\DAV\Connector\Sabre\File”,”type”:”->”,”args”:[null]},{“file”:”\/usr\/local\/www\/nextcloud\/apps-pkg\/dav\/lib\/Upload\/UploadFolder.php”,”line”:45,”fu$

        2. This is your problem. The apache server is not running because it can’t find your https certificate file. Go through the certbot process again and see if that helps.

    2. If you are running the NextCloud 16 try editing your config file:
      nano /usr/local/www/apache24/data/nextcloud/config/config.php
      Then search for this line:
      'memcache.locking' => '\OC\Memcache\Redis',

      Place a # in front of the line to comment it out, and save the file. Then try your site again (if that doesn’t work stop and re-start the jail).

  72. Let’s get to the bottom of this though. Anyone have a clue? Sam, what about you? Richard, did you ever manage to get it fixed?

  73. This tutorial worked very well for me! So thank you very much!!

    Now, what if I add files to the nextcloud data via FileZilla or SMB. How do I make Nextcloud scan for new files without corrupting existing data?

    1. Hi Bernhard, Nextcloud isn’t designed to be used this way. You should only make changes to the Nextcloud dataset using the directories synced with your client. I also don’t see any advantage in using an smb or scp protocol to access the files; presumably you could just make the changes locally (in the synced directories) and you’d see them propagate to the server. Having said this, I haven’t tried to use it that way; you could always give it a try and if it breaks your system, just nuke everything and set it up again 🙂

      FWIW – I have datasets that I use as mounted drives that are separate from my Nextcloud folders. For me, Nextcloud handles all the personal files that I’m likely to need on a day to day basis and can be duplicated on my laptop and desktop hard drives. This enables me to work on and add files that I need access to across machines seamlessly, with varying levels of internet connectivity. I use other mounted datasets for things like storing music, movies/videos and large raw photo libraries – things that I don’t want replicated on my computer drives.

      Cheers.

  74. Samuel, several months in and everything is still working great. However – I just upgraded my network, with a pfSense box as router, and I cannot get my Nextcloud installation to show up. I have checked my A record with Route 53, I can get into the Nextcloud install via SSH locally and I can ping it on the network – and I have tried to set up a NAT rule to access the Nextcloud install from the NET, but it’s not working quite yet. I am sure this a pfSense newbie error – but do you have any suggestions?

    1. Hi Nic, you’re right this sounds like a NAT issue. You’ll want the following port forward rules:
      Rule 1:
      – Interface: WAN
      – Protocol: TCP/UDP
      – Source Address: *
      – Source Ports: *
      – Dest Address: WAN address
      – Dest Ports: 443
      – NAT IP: (Note: Probably worth setting up an alias for this so it’s more readable and adding that here instead)

      Rule 2 is identical to rule 1 except for port 80 instead of 443. This will also change if you have other services that you make public; in that case you would set these up to forward to your reverse proxy which would direct traffic internally. Hope this helps.

      1. Thanks Samuel – I tried that and no joy yet. What seems to be happening is a larger problem with my Freenas box seeing the WAN at all. I can ping my pfSense router, but I cannot ping out to the NET. Anyway this is beyond your guide, I know. But if you know of any posts regarding getting freenas and pfSense to play nice I’d appreciate it.

        1. You’re right, a bit off topic for this post but I’ll give you somewhere to start. I’m by no means a pfSense expert, but this could be caused by a number of things. You could look for more information by doing the following:
          1. SSH into your pfSense box, can you ping out from there?
          2. Check your NAT/Outbound mappings: Do you have a mapping for the subnet that your Freenas box is on?
          3. Filter your firewall logs by your freenas IP; is it being blocked from getting out? If so, which rule is preventing it?
          4. Is DNS configured correctly on your freenas box? On your pfsense router?

          If you’re stuck, it’s probably worth asking in #pfsense on IRC.

          Hope this helps!

          Cheers.

  75. I followed your post to install Nextcloud in a FreeNAS Jail (16.0.4)
    https://www.samueldowling.com/2018/12/08/install-nextcloud-on-freenas-iocage-jail-with-hardened-security/

    Things were all good until I attempted to upload any large file to the server in an iOS client.
    I kept getting this error:

    Upload file 408

    Nextcloud version (16.0.4):
    Operating system and version (jail FreeBSD 11.2-STABLE):
    Apache (2.4.25):
    PHP version (7.3.6):

    Possible solution after much digging

    Added this code to my httpd.conf file.

    <IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
    </IfModule>

    See:
    https://serverfault.com/questions/500467/apache2-proxy-timeout

    Steps to replicate it:

    iOS App: uploading any file that takes more than ~30 seconds to upload will generate the error.
    Upload failed repeatedly.

    The relevant output of Nextcloud log in /var/log/nextcloud/nextcloud.log:

    [webdav] Fatal: Sabre\DAV\Exception\BadRequest: expected filesize 473556426 got 90472448 at <<closure>>

    0. /usr/local/www/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php line 156
    OCA\DAV\Connector\Sabre\File->put(null)
    1. /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 1096
    OCA\DAV\Connector\Sabre\Directory->createFile("Video-2019.07.11--16.59.11--3557.mp4", null)
    2. /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php line 525
    Sabre\DAV\Server->createFile("Photos/2019/07/ ... 4", null, null)
    3. <<closure>>
    Sabre\DAV\CorePlugin->httpPut(Sabre\HTTP\Reque ... "}, Sabre\HTTP\Response {})
    4. /usr/local/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php line 105
    undefinedundefinedcall_user_func_array([Sabre\DAV\CorePlugin {},"httpPut"], [Sabre\HTTP\Requ ... }])
    5. /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 479
    Sabre\Event\EventEmitter->emit("method:PUT", [Sabre\HTTP\Requ ... }])
    6. /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 254
    Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Reque ... "}, Sabre\HTTP\Response {})
    7. /usr/local/www/nextcloud/apps/dav/appinfo/v1/webdav.php line 80
    Sabre\DAV\Server->exec()
    8. /usr/local/www/nextcloud/remote.php line 163
    require_once("/usr/local/www/ ... p")

    PUT /remote.php/webdav/Photos/2019/07/Video-2019.07.11--16.59.11--3557.mp4
    from 192.x.x.x by fred at 2019-08-31T04:43:28+00:00

    The relevant output of the Apache log in /var/log/httpd_error.log:

    (70007)The timeout specified has expired: [client 192.x.x.xxx] nnnnn: Error dispatching request to nnnn
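
The comment above turns on how `MinRate` extends a `RequestReadTimeout` stage. The following is an added example (not from the comment, the guide or Apache's source) that models the documented mod_reqtimeout semantics and compares the posted directive with a fixed `body=20`, which is assumed here purely for contrast. The function names are hypothetical, and the 3 MB/s throughput is an assumption derived from the 90472448 bytes the log shows arriving before the ~30 second failure.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class StageLimit:
    initial: float            # seconds allowed before any extension (0 = no limit)
    maximum: Optional[float]  # ceiling for the extended timeout, None = no ceiling
    min_rate: Optional[int]   # bytes/second; None = the timeout is never extended


# Documented forms: type=timeout | type=timeout,MinRate=rate | type=timeout-max,MinRate=rate
_STAGE = re.compile(
    r"(handshake|header|body)=(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?", re.IGNORECASE
)


def parse_request_read_timeout(args: str) -> Dict[str, StageLimit]:
    """Parse the arguments of a RequestReadTimeout directive into per-stage limits."""
    limits: Dict[str, StageLimit] = {}
    for token in args.split():
        m = _STAGE.fullmatch(token)
        if m is None:
            raise ValueError(f"unrecognised token: {token!r}")
        stage, initial, maximum, rate = m.groups()
        if maximum is not None and rate is None:
            raise ValueError("a timeout range is only documented together with MinRate")
        if rate is not None and int(rate) == 0:
            raise ValueError("MinRate must be greater than 0")
        limits[stage.lower()] = StageLimit(
            float(initial),
            float(maximum) if maximum is not None else None,
            int(rate) if rate is not None else None,
        )
    return limits


def read_outcome(limit: StageLimit, total_bytes: int,
                 bytes_per_second: float) -> Tuple[str, float]:
    """Model a client sending total_bytes at a constant rate.

    Every min_rate bytes received buys one extra second, so after t seconds the
    deadline is initial + (rate * t) / min_rate, capped at maximum.
    Returns ("complete", seconds) or ("timeout", seconds).
    """
    if bytes_per_second <= 0:
        raise ValueError("bytes_per_second must be positive")
    finish = total_bytes / bytes_per_second
    cutoff = math.inf
    if limit.initial > 0:
        if limit.min_rate is None:
            cutoff = limit.initial          # fixed window, never extended
        elif bytes_per_second < limit.min_rate:
            # The client falls behind: solve t = initial + rate * t / min_rate for t.
            cutoff = limit.initial / (1 - bytes_per_second / limit.min_rate)
        if limit.maximum is not None:
            cutoff = min(cutoff, limit.maximum)
    if finish <= cutoff:
        return ("complete", finish)
    return ("timeout", cutoff)


if __name__ == "__main__":
    upload = 473556426   # expected file size from the Nextcloud log above
    rate = 3_000_000     # assumed throughput, see the lead-in
    posted = parse_request_read_timeout(
        "header=20-40,MinRate=500 body=20,MinRate=500")
    fixed = parse_request_read_timeout("body=20")
    print("body=20             :", read_outcome(fixed["body"], upload, rate))
    print("body=20,MinRate=500 :", read_outcome(posted["body"], upload, rate))
    # A trickling client (constructed, 100 B/s) is still cut off under MinRate=500.
    print("slow client         :", read_outcome(posted["body"], 1_000_000, 100))
```

The MinRate form lets a large upload from a healthy client finish while a client that trickles data below the minimum rate is still disconnected, which is the slow-request protection the module exists for.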

  76. First, thanks so much for these guides, they’re so helpful. I managed to get the install up and running, but after this part it falls apart:
    Now, install the following packages:

    $ pkg install php71-pecl-redis
    $ pkg install php71-pecl-APCu

    These packages are extensions providing an API to allow php to communicate with the Redis database, and also for user caching using APC. Note that if you installed nextcloud-php72, the packages you install here will need to be modified for the correct php version, i.e. php72-pecl-redis. Let’s adjust the Redis and caching configuration using the following commands. Note that these are order specific:

    root@nextcloud:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu"'

    That’s the error I get
    Could not open input file: /usr/local/www/nextcloud/occ

    1. Hi gioriv, try navigating to

      /usr/local/www/nextcloud
      

      and see if the occ command is available. If you run into issues navigating here, it looks like you may have uninstalled nextcloud inadvertently. This seems to have happened to others when uninstalling any of the php packages.

      1. Ok, sorry, but I’m not sure how to run that command. I went inside the jail’s folder files and there is a file there called occ with these arguments:
        #!/usr/bin/env php
        <?php
        /**
        * Copyright (c) 2013 Thomas Müller thomas.mueller@tmit.eu
        * This file is licensed under the Affero General Public License version 3 or
        * later.
        * See the COPYING-README file.
        */

        //$argv = $_SERVER['argv'];
        require_once __DIR__ . '/console.php';

        I also re-installed everything and now I get this:

        root@nextcloud:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'
        An unhandled exception has been thrown:
        ParseError: syntax error, unexpected ‘datadirectory’ (T_STRING), expecting ‘)’ in /usr/local/www/nextcloud/config/config.php:28
        Stack trace:
        #0 /usr/local/www/nextcloud/lib/private/Config.php(63): OC\Config->readData()
        #1 /usr/local/www/nextcloud/lib/base.php(140): OC\Config->__construct(‘/usr/local/www/…’)
        #2 /usr/local/www/nextcloud/lib/base.php(577): OC::initPaths()
        #3 /usr/local/www/nextcloud/lib/base.php(1056): OC::init()
        #4 /usr/local/www/nextcloud/console.php(46): require_once(‘/usr/local/www/…’)
        #5 /usr/local/www/nextcloud/occ(11): require_once(‘/usr/local/www/…’)

        1. Ok, never mind, I found what I did wrong: I actually forgot to put ' at the end in the array

          1 => ‘0cloud.mydoain.com’,

          I was able to get through that part successfully now. What I previously did wrong was that I used php72 but used php71 on these:
          $ pkg install php71-pecl-redis
          $ pkg install php71-pecl-APCu
          Which apparently misconfigured everything. Thanks again!

          I’m going to start with the security part now. Wish me good luck!

  77. Hi Samuel!

    Thank you so much for your work, I have learned a lot of things 😉

    I tried to upgrade my Nextcloud from 16.0.4 to 17.0. I followed your step-by-step instructions to do it, but when it finished my login page was fine, yet when I log in to my account the home page is a raw version of the home page without graphic elements.

    When I run “cat /var/log/nextcloud/nextcloud.log” I can’t see clearly what information is in it, maybe user-agent information.
    When I run “cat /var/log/httpd-error.log” the last message it shows is:

    [Mon Oct 07 14:20:20.946704 2019] [authz_core:error] [pid 84891] [client IPXX.XX.XX.XX:XXXXX] AH01630: client denied by server configuration: /usr/local/www/nextcloud/config

    and this message has no link with my problem, because when I refresh the Nextcloud page it doesn’t generate a new warning message.

    Do you have an idea how to resolve this problem?
    Thank you.

    1. No idea how to resolve it?

      How can I properly install Nextcloud again, please?
      I’m sorry but I need Nextcloud to work.

      1. The Brave (Chromium) console shows a lot of JS errors:

        cloud.DOMAIN.fr/:1 Refused to apply style from 'https://cloud.DOMAIN.fr/index.php/apps/files/' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
        
        (truncated for privacy/brevity by samuel.dowling)
        
        1. Tris, this is probably what’s causing your issue. Your browser has strict MIME checking enabled and the style sheets in apps/files have the mime type ‘text/html’. You might need to look at changing the MIME type to something supported for stylesheets or relaxing your browser preferences for MIME types

      2. Hi Tris, I’m sorry I don’t think I’ll be much help; I’m still on 15.0.1! I haven’t been through the upgrade process, so I’m not familiar with any of the corresponding issues. Have you tried installing from scratch rather than upgrading? Alternatively, I’d suggest checking out the #nextcloud channel on freenode, you’ll probably be able to get more specific support there

        1. I have found a solution, very dirty, but everything works now.

          In config.php I replaced these lines:
          'path' => '/usr/local/www/nextcloud/apps',
          'url' => '/apps',

          with these:
          'path' => '/usr/local/www/nextcloud/apps/files',
          'url' => '/apps/files',

          I think something did not work properly when upgrading and some elements were not installed.
          When I changed the lines and refreshed the Nextcloud page, I think Nextcloud did not like this situation and proposed that I upgrade Nextcloud to NC 17 again, without addons.
          I tried returning to the normal path; Nextcloud asked me to upgrade again, but at the end of the upgrade I got a technical error message.
          I’ll leave this dirty config, or maybe try to create /usr/local/www/nextcloud/apps2 and delete /usr/local/www/nextcloud/apps to recreate the apps folder with the above manipulation.

          1. Good to hear you found a solution. I’ve had issues upgrading in the past as well; the next time I do it I think I’m going to try to identify a smooth way and update the blog post appropriately

          2. Hi Samuel,
            Sorry for not replying to you, I had a lot of work after my Nextcloud issue.

            When I had this issue I was reading the Nextcloud forum and I saw at that time an important piece of bug information. They said they had found an installation issue when upgrading Nextcloud through the WebUI if admins had installed the “Foldergoup” plug-in.
            After the install, Nextcloud users do not get the maintenance page in the browser; the solution they gave consists of using your command line in ssh: su -m www -c "php ./occ upgrade".
            Maybe one smooth way to upgrade Nextcloud well could be to find a way to disable all plug-ins by command line or in the WebUI, and after the upgrade is done, activate the plug-ins one by one and refresh the Nextcloud browser page between each plug-in activation.

            After finding my solution, I had a new strange issue: on my Nextcloud user account (not my admin account) the configuration button is broken; when I click on it, it brings me back to the home page. The admin account doesn’t have this issue.
            I haven’t got time at the moment to investigate and find the solution, maybe next weekend. If I don’t find a smooth solution, maybe I’ll re-create a new user account and see if that resolves this problem, and find another solution to migrate my documents to the new account easily.
            If you already know what the problem can be I’m interested to know; if not, I’ll come back when I start to investigate.

            Thanks.

          3. Hi,
            I tried to resolve my settings pages not showing: I created a new user and I have the same problem.
            On the admin account side, the log section doesn’t show any alert about settings on my new account, only errors about a folder for the new user without a reason:
            “[workflow_pdf_converter] Fatal: could not convert /Tris2/files/Photos/Coast.jpg, reason: []
            at 2019-11-19T15:30:55+01:00”
            “[workflow_pdf_converter] Fatal: could not convert /Tris2/files/Photos, reason: []
            at 2019-11-19T15:30:55+01:00”

            I think it’s a permission problem. I recall I can get the settings page in my admin account but not for regular users.
            At this point, if you are like me and have no idea where the problem is, can you tell me what the process is to rebuild Nextcloud and keep my user accounts and files? Do I need to delete my Nextcloud jail, recreate one and enter my database info and the folder where my files are stored?

  78. Can you tell me whether, on your side, your mime.types file in apache24 has this line or a different one:
    nano /usr/local/etc/apache24/mime.types
    text/html html htm

  79. Is it possible to get a certificate signing request made with this install to use a purchased SSL certificate?

    1. You don’t need a certificate signing request with a purchased SSL certificate… it’s already signed. With your purchased key you should have a few files: your private key, domain cert, possibly an intermediate cert, possibly a certificate authority cert or something called a fullchain file. In production you really only need the private key file, sometimes called privkey.pem, and the fullchain.pem file. The fullchain.pem file contains information about who signed your domain certificate. You can purchase an SSL certificate for your domain or obtain one free from a certificate authority such as Let’s Encrypt.

  80. Hi Samuel,

    I thank you for the work you have done doing this guide. I feel my written English is translated by google translate. Following the steps I stay in the mysql installation. All the while he shows me access denied and it took me two days to find out what’s going on. Erase the jail, I create the jail and I give myself a head on it. Would you be so kind as to give some light to this mistake?

    service mysql-server start
    Starting mysql.
    su: /bin/csh: Permission denied
    /usr/local/etc/rc.d/mysql-server: WARNING: failed to start mysql

    Thanks

    1. I don’t know why, when you create a clean jail and start the mysql-server service, you don’t have permission in the /bin folder. You make a chmod 777 0 765 /bin on that folder and the service starts without any problem. Samuel has done a good job for those of us who are novices in FreeNAS.
      Thanks

  81. Hello, thank you for the amazing guide! But atm I’m stuck at one part: right after you delete the test config file for the IP stuff, you go to the jail’s IP and get Nextcloud open; well, for me it does open a web page, but it’s blank and it only says:
    Index of /
    config/
    themes/
    I also looked at this folder
    DocumentRoot “/usr/local/www/nextcloud”

    since it was mentioned in the guide to change it to this, but when I go into this folder I only see 2 empty folders:
    config
    themes
    Then I also looked in my extra dataset which contains the db, themes and config folder where themes and config are both empty
    Thanks for helping!

    1. Hi, it looks like you may have missed the nextcloud installation command. A few steps prior to testing the config, you should have executed pkg install nextcloud-php73 (or your desired php version). I can’t think of another reason why /usr/local/www/nextcloud would be empty. Or perhaps you removed some other packages that inadvertently removed nextcloud?

  82. Hello, just want to see if you can help me with this error I get after I updated. I’m using nextcloud-php73

    Error: 1
    Set log level to debug
    Turned on maintenance mode
    Updating database schema
    Updated database
    UnexpectedValueException: The files of the app “viewer” were not correctly replaced before running the update
    Update failed
    Maintenance mode is kept active
    Reset log level

    Error: 2
    Starting php_fpm.
    /usr/local/sbin/php-fpm: Undefined symbol “setproctitle_fast@FBSD_1.5”
    [08-Nov-2019 22:19:26] ERROR: no data have been read from pipe
    /usr/local/etc/rc.d/php-fpm: WARNING: failed to start php_fpm
    root@nextcloud:~ # nano /usr/local/sbin/php-fpm

  83. Ok, so I deleted everything to see if a fresh install would fix my problem after updating. The answer is no; here are all the unusual warning and error messages I get. I did not see these messages when I first installed Nextcloud, everything was running perfectly fine. I’m thinking it has to do with Nextcloud 17 being the only option on the nextcloud-php pkg, or maybe FreeNAS not being up to date with the iocage kernel, as it shows:

    WARNING: FreeBSD 11.2-RELEASE HAS PASSED ITS END-OF-LIFE DATE.
    Any security issues discovered after Wed Oct 30 20:00:00 EDT 2019
    will not have been corrected.
    Installing updates… done.
    Default configuration missing, creating one
    nextcloud successfully created!
    * Starting nextcloud
    + Started OK
    + Configuring VNET OK
    + Starting services OK

    Newer FreeBSD version for package pkg:
    To ignore this error set IGNORE_OSVERSION=yes
    – package: 1103000
    – running kernel: 1102000
    Ignore the mismatch and continue? [Y/n]:

    Newer FreeBSD version for package floatator:
    To ignore this error set IGNORE_OSVERSION=yes
    – package: 1103000
    – running kernel: 1102000

    After MariaDB install:
    Switch to unix_socket authentication

    root@nextcloud:~ # sysrc php_fpm_enable=yes
    php_fpm_enable: -> yes
    root@nextcloud:~ # service php-fpm start
    Performing sanity check on php-fpm configuration:
    [09-Nov-2019 10:58:18] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

    Starting php_fpm.
    /usr/local/sbin/php-fpm: Undefined symbol “setproctitle_fast@FBSD_1.5”
    [09-Nov-2019 10:58:18] ERROR: no data have been read from pipe
    /usr/local/etc/rc.d/php-fpm: WARNING: failed to start php_fpm
    root@nextcloud:~ #

    1. Gioriv,
      Did you manage to resolve the error message for Undefined symbol “setproctitle_fast@FBSD_1.5”
      [09-Nov-2019 10:58:18] ERROR: no data have been read from pipe
      /usr/local/etc/rc.d/php-fpm: WARNING: failed to start php_fpm.
      I’ve upgraded to nextcloud 17 and was working fine, suddenly it has stopped with the same error.

      1. No, not yet, and there is nothing on the forums regarding this issue. It started to happen as soon as I updated. It never started php again. I did about 3 different new installs and no luck. I also installed beta FreeNAS 11.3 to see and nada…

    2. Hi gioriv, unfortunately I’ve never run into this issue and I haven’t been able to uncover anything in some brief research. I’d recommend asking in the #freenas, #freebsd and/or #nextcloud channels on IRC for support to see if anyone there has any ideas.

      Would be interested to hear how you go.

      Cheers

        1. Ok so, I found the problem and half of a solution.

          Let’s start from the beginning: my Nextcloud was running perfectly fine. On the Nextcloud GUI it offered me the update for Nextcloud. I didn’t do it that way. Instead I ssh’d into the jail and ran a pkg update. Somehow that caused the problem of my Nextcloud failure. That’s when I got this:
          Set log level to debug
          Turned on maintenance mode
          Updating database schema
          Updated database
          UnexpectedValueException: The files of the app “viewer” were not correctly replaced before running the update
          Update failed
          Maintenance mode is kept active
          Reset log level

          Error: 2
          Starting php_fpm.
          /usr/local/sbin/php-fpm: Undefined symbol “setproctitle_fast@FBSD_1.5”
          [08-Nov-2019 22:19:26] ERROR: no data have been read from pipe
          /usr/local/etc/rc.d/php-fpm: WARNING: failed to start php_fpm
          root@nextcloud:~ # nano /usr/local/sbin/php-fpm

          After that I did a pkg search nextcloud and instead of giving me:
          nextcloud-php71-16.0.4
          nextcloud-php72-16.0.4
          nextcloud-php73-16.0.4
          it was showing:
          nextcloud-php71-17.0.1
          nextcloud-php72-17.0.1
          nextcloud-php73-17.0.1

          I did the update but it failed and gave me this.
          When I performed a pkg update it started to give me this:
          root@nextcloud:~ # sysrc php_fpm_enable=yes
          php_fpm_enable: -> yes
          root@nextcloud:~ # service php-fpm start
          Performing sanity check on php-fpm configuration:
          [09-Nov-2019 10:58:18] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

          Starting php_fpm.
          /usr/local/sbin/php-fpm: Undefined symbol “setproctitle_fast@FBSD_1.5”
          [09-Nov-2019 10:58:18] ERROR: no data have been read from pipe
          /usr/local/etc/rc.d/php-fpm: WARNING: failed to start php_fpm

          After many attempts I did a fresh install and it gave me this error:
          Newer FreeBSD version for package floatator:
          To ignore this error set IGNORE_OSVERSION=yes
          – package: 1103000
          – running kernel: 1102000
          Which basically is a version mismatch. I searched for ways to install package: 1103000 but no luck.

          I then installed the FreeNAS 11.3 beta and instead of creating the jail with:
          iocage create -n nextcloud -r 11.3-RELEASE….

          I did iocage create -n nextcloud -r 11.2-RELEASE, using 11.2 instead of 11.3, and the error persisted, obviously…
          So then I realized it, installed the FreeNAS 11.3 beta again and created a new jail, this time using:
          iocage create -n nextcloud -r 11.3-RELEASE……

          The installation ran smoothly, php-fpm started successfully, and also instead of:

          nextcloud-php71-17.0.1
          nextcloud-php72-17.0.1
          nextcloud-php73-17.0.1

          on pkg search nextcloud I got this:
          nextcloud-php71-16.0.4
          nextcloud-php72-16.0.4
          nextcloud-php73-16.0.4
          as it is supposed to.

          Well, according to the iXsystems forum, iocage can still be updated without updating FreeBSD; I was not able to do that. So the only solution is to run the FreeNAS 11.3 beta, and I don’t think anyone would want to run a FreeNAS production BOX on BETA….

          If anyone finds a different solution PLEASE SHARE!!! Otherwise we would have to wait for the FreeNAS 11.3 stable update or install Nextcloud elsewhere.

    3. Hi Gioriv,
      Out of a guess I installed nextcloud-php7.2 over the top of the current 7.3 build and everything is now working again. I have no idea if this was a bad move, however I can see my data again.

        1. No I’m still having the same issue on my end.

          Starting php_fpm.
          /usr/local/sbin/php-fpm: Undefined symbol “setproctitle_fast@FBSD_1.5”
          [12-Nov-2019 21:01:25] ERROR: no data have been read from pipe
          /usr/local/etc/rc.d/php-fpm: WARNING: failed to start php_fpm

          1. Just did the same as James (installed nextcloud-php72 after error came up with php73). No error anymore.

  84. Thank you for your perfect instructions! A while ago I used them to set up my Nextcloud installation.
    At the moment I use PHP 7.2 but as the first plugin needs php 7.3 in the next release I am wondering what the best way would be to upgrade to php 7.3?

    1. Unfortunately this isn’t a process I’ve been through, so I can’t really advise. Honestly though, the easiest route may be to just nuke the jail and set it up again, installing it with nextcloud-php73, and then importing your database. The alternative seems like it would probably require you to sift through the dependencies, and may require a reinstallation of nextcloud such that it uses php73 anyway. This was part of the reason I set it up this way – it should be easy to tear down and set the jail back up again without worrying about losing data.

      Hope this helps.

      Cheers.

  85. Hello got it working so far got SSL setup but still got small problem:
    -when I enter my domain to go to the nextcloud ui it loads slowly about 30s to load it all or could that be because it is one of the first times?
    -when I try to send a mail with the whole log it just keeps loading in my ssh (I mean with this command /bin/sh /scripts/aide/chkaide.sh the test mail is working with no problems)
    -when I upload a file it says ‘Redis server went away” and I did a service redis start and this was the output:”redis already running? (pid=62004).”
    I also checked what the nextcloud Security & setup warnings is outputting and it gives me this:
    This server has no working Internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. Establish a connection from this server to the Internet to enjoy all features.
    This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them.
    imagick
    Also is there any way how I can support you for your work you put into this?

    1. I got the imagick message fixed but didn’t do anything about the other problems. I did pkg install php72-pecl-imagick. I’ll keep looking to fix the other problems.

  86. I got the redis problem fixed: I forgot to change the value in the file from 700 to 777. The internet speed problem also seems to be gone, but I still can’t get postfix working; I’m letting it do its job and it has already been frozen for about 20 minutes.

    1. Good to see you were able to resolve most of your issues. Is anything printed to the console when you run the script? Have you made sure that you copied it correctly? Are there any files named Aide-2019-11-xx.txt in /tmp? if so, what do they contain?

      1. Thanks for helping. I’ve got it fixed. I think I forgot a . in my e-mail address in my script, since I always use my numpad and it doesn’t work in nano. I recreated the script, reinstalled aide and recreated the files, and that did the job. Also, maybe put in your guide, where you create the SSL config through Mozilla, how you can check your versions of Apache and OpenSSL, and that you have to put your document root and all that stuff in the script; it would make it easier for newbies like me, since it wasn’t easy to get it working. Still, great and best guide I’ve seen about such complicated projects. Is there also a way I can donate to you for the work you’ve put into this?

  87. Hello Samuel, ok, so I finally got it back working “temporarily”. It happens that FreeNAS is behind on the FreeBSD iocage update…

    So my fix was to use this:
    url: "pkg+http://pkg.FreeBSD.org/${ABI}/release_3"

    Instead of:
    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" OR url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly"

    That would match the kernel version.

    So now my problem is this one: after trying to set the cron job I get this error…
    crontab: installing new crontab
    “/tmp/crontab.HMtjsA2svv”:7: bad minute
    crontab: errors in crontab file, can’t install
    Do you want to retry the same edit?

    1. Hi gioriv, that makes sense. I should have thought of that; it tends to be the common solution when there’s a new major release and FreeNAS lags behind FreeBSD somewhat. Good to see you’ve sorted it out though! I’m still running NC 15.x, and won’t be in a position to upgrade to test for at least a few weeks. The error message you’re getting though indicates that something is wrong with the syntax, specifically in the “minute” entry of the cron job. Perhaps check to make sure you haven’t missed anything. To reiterate, it should look like this:

      # minute (0-59),
      # |     hour (0-23),
      # |     |       day of the month (1-31),
      # |     |       |       month of the year (1-12),
      # |     |       |       |       day of the week (0-6 with 0=Sunday).
      # |     |       |       |       |       commands
      */15    *       *       *       *       /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php
      
    2. Hi,

      I also suffered this php-fpm issue (no data have been read from pipe), but going to release_3 did not solve it. My issue appeared after a power outage, not immediately after upgrading (though upgrade I did, but a while ago). Luckily, FreeNAS 11.3 stable was released in the meantime, so I upgraded. After that, the issue with php-fpm went away.

      I’m running NC 17.02 on php73 with mariaDB.

      Many thanks to the author and all the contributors.

    3. This issue has come up again. I’m on FreeNas 11-3 U5 and the jail is 11.3-RELEASE-p14. pkg bootstrap complains about kernel versions. The fix for me was to use
      url: "pkg+http://pkg.FreeBSD.org/${ABI}/release_4"

      Note _4 instead of _3, this go around.

  88. Thanks so much, I really appreciate you sharing with us and sticking with so many people at the same time, guiding them. It must take a lot of time.

    I actually had a type format error, which I was able to solve. Thanks!
    This line instead of look like this:
    */15 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php
    It was:
    */15 * * * *
    /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php

    Also I’ve tried to update Nextcloud to 17 and it is actually running fine; it seems like the problem is with the latest iocage kernel update that FreeNAS is using. Let’s see how long it lasts me, lol! At least now I know how to troubleshoot that part.

    The only thing it never works for me is the email part, for some reason it never worked. I had to use the default Nextcloud.

    Once again Thanks!
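
The wrapped cron entry described in the two comments above can be caught before `crontab` rejects the file. The following is an added example (not from the guide or the commenters): a small Python linter with hypothetical function names that checks the five time fields of each entry against the ranges in the guide's header comment. It handles numeric fields only (`*`, values, ranges, lists and `/step`), not month or weekday names, and the sample crontabs are constructed.

```python
import re

# (name, low, high) for the five time fields, in crontab order.
# 7 is accepted for day of week because Vixie-style cron also treats it as Sunday.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day of month", 1, 31),
          ("month", 1, 12), ("day of week", 0, 7)]

# One comma-separated element: "*", "N" or "N-M", optionally followed by "/step".
_PART = re.compile(r"(\*|(\d+)(?:-(\d+))?)(?:/(\d+))?")


def field_ok(text, low, high):
    """Return True if a numeric time field is well formed and within range."""
    for part in text.split(","):
        m = _PART.fullmatch(part)
        if m is None:
            return False
        _, start, end, step = m.groups()
        if step is not None and int(step) == 0:
            return False
        if start is not None:
            first = int(start)
            last = int(end) if end is not None else first
            if not (low <= first <= last <= high):
                return False
    return True


def lint_crontab(text):
    """Return a list of (line_number, problem) tuples for a crontab's text."""
    problems = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"[A-Za-z_][A-Za-z0-9_]*\s*=", line):
            continue  # environment setting such as MAILTO=...
        if line.startswith("@"):  # shortcut such as @daily still needs a command
            if len(line.split(None, 1)) < 2:
                problems.append((number, "missing command"))
            continue
        parts = line.split(None, 5)
        for index, (name, low, high) in enumerate(FIELDS):
            if index >= len(parts) or not field_ok(parts[index], low, high):
                problems.append((number, "bad " + name))
                break
        else:
            if len(parts) < 6:
                problems.append((number, "missing command"))
    return problems


# Constructed samples: the entry from the guide, and the same entry wrapped onto
# two lines as described in the comment above.
GOOD = "*/15 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php\n"
WRAPPED = ("# constructed sample\n"
           "*/15 * * * *\n"
           "/usr/local/bin/php -f /usr/local/www/nextcloud/cron.php\n")

if __name__ == "__main__":
    print(lint_crontab(GOOD))
    print(lint_crontab(WRAPPED))
```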

  89. Hi all,
    I’ve a new problem and can’t find a solution.
    I’ve rebooted my FreeNAS.
    After that, I can’t connect to my Nextcloud.
    In http-error.log I can find the following error:
    [proxy_fcgi:error] [pid 4659] [client XXX.XXX.XXX.XXX:58937] AH01071: Got error ‘PHP message: PHP Fatal error: Class ‘PDO’ not found in /usr/local/www/nextclo/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/DriverManager.php on line 181\n’

    Maybe someone got a clue how to fix this problem?

    Thanks in advance.
    Thomas

  90. Have had success with this guide and have had Nextcloud running stably for several months.
    Recently upgraded to NC 17.0 with no issues – updated through CLI of Freenas, not through the app itself as you suggested.
    Also, did install php72-pecl-imagick as the app said it was missing for some reason.
    Thanks again for the guide and continued support.

  91. Hi,

    Once upon a time I followed this guide, and the setup has worked great ever since. It’s now running NC 17 and PHP 7.1. As the PHP version will be EOL soon, I am trying to make a plan to upgrade. I can’t find a decent guide on doing this. You’ve probably done this a few times, so would you happen to have any instruction and/or information on upgrading? And which version to choose?

  92. First of all, Thank you! I followed this pretty much to the letter and I now have Nextcloud 17.01 running on ssl with all the hardening. Tried it in the past and I kept messing up. I tried with php73 and it failed but 72 was fine.

    Some things I did a bit differently, I used the following different packages:

    pkg install vim-tiny (because it is what I was raised on linux editor wise)
    pkg install mariadb104-server
    pkg install nextcloud-php72

    The rest of it was as according to the guide and I have no errors, no log files bloating with hidden errors and https://scan.nextcloud.com/ reports an A+

    Certbot worked without a hitch too and I have a domain name pointing to my static IP which made things easier.

    I consider myself a very average Linux/BSD user so for this to go without a hitch is a credit to the guide. The only suggestion I would have is to update the section on Redis where you say “You have to do this in this order or the First Order will hunt you down” or something similar. I had to read that a few times to be sure and then it was a bit fingers crossed.

  93. This guide is AMAZING! I used it before and since I had my files and database in a separate folder from my jail. I was using the PHP71, and its EOL. So I just deleted the jail and followed the instructions installing all of the php-73. After I inputted all the commands all the users and information was exactly how it was before. The users never even noticed downtime!

  94. This worked like a charm, thanks so much for the very detailed article and step-by-step instructions. I also really appreciated the explanations at each step as to what was happening and what each command did. Thanks for all the time you’ve put into this!

    I got everything up and running and the web interface was working great. Then I installed the Nextcloud Desktop app and started uploading things to an account and the app keeps giving me 504 Gateway Timeout errors. While I’m uploading the web interface is likewise unreachable and gives a Gateway Timeout error.

    In the “nextcloud.log” file I see a couple of things that stand out:

    {“reqId”:”MYyrDbFGWyNgJuou2RQc”,”level”:4,”time”:”2020-01-04T14:11:29+00:00″,”remoteAddr”:”192.168.0.31″,”user”:”atiumDave”,”app”:”webdav”,”method”:”PUT”,”url”:”\/remote.php\/dav\/files\/atiumDave\/01_Projects\/Aedis%20Archi
    tects_09\/1809.72%20-%20Brownell%20MS%20Modernization\/07_Engineering\/03_Ltg\/Inc%201%20-%20T24\/2016-NRCC-LTO-03-E-OutdoorLightingPowerAllowance.pdf”,”message”:{“Exception”:”Sabre\DAV\Exception\BadRequest”,”Message”:”Ex
    pected filesize of 1322336 bytes but read (from Nextcloud client) and wrote (to Nextcloud storage) 122880 bytes. Could either be a network problem on the sending side or a problem writing to the storage on the server side.”,
    “Code”:0,”Trace”:[{“file”:”\/usr\/local\/www\/nextcloud\/apps-pkg\/dav\/lib\/Connector\/Sabre\/Directory.php”,”line”:156,”function”:”put”,”class”:”OCA\DAV\Connector\Sabre\File”,”type”:”->”,”args”:[null]},{“file”:”\/usr\/
    local\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php”,”line”:1096,”function”:”createFile”,”class”:”OCA\DAV\Connector\Sabre\Directory”,”type”:”->”,”args”:[“2016-NRCC-LTO-03-E-OutdoorLightingPowerAllowance.pdf
    “,null]},{“file”:”\/usr\/local\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/CorePlugin.php”,”line”:525,”function”:”createFile”,”class”:”Sabre\DAV\Server”,”type”:”->”,”args”:[“files\/atiumDave\/01_Projects\/Aedis Archit
    ects_09\/1809.72 – Brownell MS Modernization\/07_Engineering\/03_Ltg\/Inc 1 – T24\/2016-NRCC-LTO-03-E-OutdoorLightingPowerAllowance.pdf”,null,null]},{“function”:”httpPut”,”class”:”Sabre\DAV\CorePlugin”,”type”:”->”,”args”:[
    {“absoluteUrl”:”http:\/\/192.168.0.208\/remote.php\/dav\/files\/atiumDave\/01_Projects\/Aedis%20Architects_09\/1809.72%20-%20Brownell%20MS%20Modernization\/07_Engineering\/03_Ltg\/Inc%201%20-%20T24\/2016-NRCC-LTO-03-E-Outdoo
    rLightingPowerAllowance.pdf”,”class“:”Sabre\HTTP\Request”},{“class“:”Sabre\HTTP\Response”}]},{“file”:”\/usr\/local\/www\/nextcloud\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php”,”line”:105,”function”:”call_
    user_func_array”,”args”:[[{“class“:”Sabre\DAV\CorePlugin”},”httpPut”],[{“absoluteUrl”:”http:\/\/192.168.0.208\/remote.php\/dav\/files\/atiumDave\/01_Projects\/Aedis%20Architects_09\/1809.72%20-%20Brownell%20MS%20Modern
    ization\/07_Engineering\/03_Ltg\/Inc%201%20-%20T24\/2016-NRCC-LTO-03-E-OutdoorLightingPowerAllowance.pdf”,”class“:”Sabre\HTTP\Request”},{“class“:”Sabre\HTTP\Response”}]]},{“file”:”\/usr\/local\/www\/nextcloud\/3r
    dparty\/sabre\/dav\/lib\/DAV\/Server.php”,”line”:479,”function”:”emit”,”class”:”Sabre\Event\EventEmitter”,”type”:”->”,”args”:[“method:PUT”,[{“absoluteUrl”:”http:\/\/192.168.0.208\/remote.php\/dav\/files\/atiumDave\/01_Proj
    ects\/Aedis%20Architects_09\/1809.72%20-%20Brownell%20MS%20Modernization\/07_Engineering\/03_Ltg\/Inc%201%20-%20T24\/2016-NRCC-LTO-03-E-OutdoorLightingPowerAllowance.pdf”,”class“:”Sabre\HTTP\Request”},{“class“:”Sab
    re\HTTP\Response”}]]},{“file”:”\/usr\/local\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php”,”line”:254,”function”:”invokeMethod”,”class”:”Sabre\DAV\Server”,”type”:”->”,”args”:[{“absoluteUrl”:”http:\/\/192.16
    8.0.208\/remote.php\/dav\/files\/atiumDave\/01_Projects\/Aedis%20Architects_09\/1809.72%20-%20Brownell%20MS%20Modernization\/07_Engineering\/03_Ltg\/Inc%201%20-%20T24\/2016-NRCC-LTO-03-E-OutdoorLightingPowerAllowance.pdf”,”_
    _class__”:”Sabre\HTTP\Request”},{“class“:”Sabre\HTTP\Response”}]},{“file”:”\/usr\/local\/www\/nextcloud\/apps-pkg\/dav\/lib\/Server.php”,”line”:317,”function”:”exec”,”class”:”Sabre\DAV\Server”,”type”:”->”,”args”:[]
    },{“file”:”\/usr\/local\/www\/nextcloud\/apps-pkg\/dav\/appinfo\/v2\/remote.php”,”line”:35,”function”:”exec”,”class”:”OCA\DAV\Server”,”type”:”->”,”args”:[]},{“file”:”\/usr\/local\/www\/nextcloud\/remote.php”,”line”:163,”ar
    gs”:[“\/usr\/local\/www\/nextcloud\/apps-pkg\/dav\/appinfo\/v2\/remote.php”],”function”:”require_once”}],”File”:”\/usr\/local\/www\/nextcloud\/apps-pkg\/dav\/lib\/Connector\/Sabre\/File.php”,”Line”:228,”CustomMessage”:”–“},
    “userAgent”:”Mozilla\/5.0 (Windows) mirall\/2.6.2stable-Win64 (build 20191224) (Nextcloud)”,”version”:”17.0.2.1″}

    Which seems to imply that it’s expecting a certain file size but uploading a different file size, which seems to be problematic.

    And this one:

    {“reqId”:”v0aDNbKIbqXjJ46x2CXw”,”level”:3,”time”:”2020-01-04T04:11:50+00:00″,”remoteAddr”:”192.168.0.31″,”user”:”mainoAdmin”,”app”:”index”,”method”:”GET”,”url”:”\/index.php\/apps\/theming\/img\/core\/filetypes\/video.svg?v=0
    “,”message”:{“Exception”:”OCP\Files\NotPermittedException”,”Message”:”Could not create folder”,”Code”:0,”Trace”:[{“file”:”\/usr\/local\/www\/nextcloud\/lib\/private\/Files\/AppData\/AppData.php”,”line”:155,”function”:”newF
    older”,”class”:”OC\Files\Node\Folder”,”type”:”->”,”args”:[“0”]},{“file”:”\/usr\/local\/www\/nextcloud\/apps-pkg\/theming\/lib\/ImageManager.php”,”line”:155,”function”:”newFolder”,”class”:”OC\Files\AppData\AppData”,”typ
    e”:”->”,”args”:[“0”]},{“file”:”\/usr\/local\/www\/nextcloud\/apps-pkg\/theming\/lib\/ImageManager.php”,”line”:170,”function”:”getCacheFolder”,”class”:”OCA\Theming\ImageManager”,”type”:”->”,”args”:[]},{“file”:”\/usr\/local\
    /www\/nextcloud\/apps-pkg\/theming\/lib\/Controller\/IconController.php”,”line”:87,”function”:”getCachedImage”,”class”:”OCA\Theming\ImageManager”,”type”:”->”,”args”:[“icon-core-filetypes_video.svg”]},{“file”:”\/usr\/local\
    /www\/nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php”,”line”:170,”function”:”getThemedIcon”,”class”:”OCA\Theming\Controller\IconController”,”type”:”->”,”args”:[“core”,”filetypes\/video.svg”]},{“file”:”\/usr\/
    local\/www\/nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php”,”line”:99,”function”:”executeController”,”class”:”OC\AppFramework\Http\Dispatcher”,”type”:”->”,”args”:[{“class“:”OCA\Theming\Controller\IconC
    ontroller”},”getThemedIcon”]},{“file”:”\/usr\/local\/www\/nextcloud\/lib\/private\/AppFramework\/App.php”,”line”:126,”function”:”dispatch”,”class”:”OC\AppFramework\Http\Dispatcher”,”type”:”->”,”args”:[{“class“:”OCA\T
    heming\Controller\IconController”},”getThemedIcon”]},{“file”:”\/usr\/local\/www\/nextcloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php”,”line”:47,”function”:”main”,”class”:”OC\AppFramework\App”,”type”:”:
    :”,”args”:[“OCA\Theming\Controller\IconController”,”getThemedIcon”,{“class“:”OC\AppFramework\DependencyInjection\DIContainer”},{“app”:”core”,”image”:”filetypes\/video.svg”,”_route”:”theming.Icon.getThemedIcon”}]},{
    “function”:”invoke”,”class”:”OC\AppFramework\Routing\RouteActionHandler”,”type”:”->”,”args”:[{“app”:”core”,”image”:”filetypes\/video.svg”,”_route”:”theming.Icon.getThemedIcon”}]},{“file”:”\/usr\/local\/www\/nextcloud\/l
    ib\/private\/Route\/Router.php”,”line”:297,”function”:”call_user_func”,”args”:[{“__class
    “:”OC\AppFramework\Routing\RouteActionHandler”},{“app”:”core”,”image”:”filetypes\/video.svg”,”_route”:”theming.Icon.getThemedIcon”}
    ]},{“file”:”\/usr\/local\/www\/nextcloud\/lib\/base.php”,”line”:997,”function”:”match”,”class”:”OC\Route\Router”,”type”:”->”,”args”:[“\/apps\/theming\/img\/core\/filetypes\/video.svg”]},{“file”:”\/usr\/local\/www\/nextclou
    d\/index.php”,”line”:42,”function”:”handleRequest”,”class”:”OC”,”type”:”::”,”args”:[]}],”File”:”\/usr\/local\/www\/nextcloud\/lib\/private\/Files\/Node\/Folder.php”,”Line”:162,”CustomMessage”:”–“},”userAgent”:”Mozilla\/5.0
    (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.88 Safari\/537.36″,”version”:”17.0.2.1″}

    Which seems like it’s having trouble creating a folder. I’ve checked all the permissions and the config, themes, and data folder are all under the www user and group. The /var/db/mysql folder is under the mysql user and group. Any suggestions folks might have to solve this would be greatly appreciated.

    Thanks!

    1. Both of these errors look like they’re being caused by permissions issues. I’m not sure what to say but triple check the permissions? Make sure your /mnt/data directory is owned by the www user, which can be achieved using the following command:

      chown -R www:www /usr/local/www/nextcloud /mnt/data
      

      /mnt/data is the jail’s internal mount for the host’s /mnt/cloud directory; the permissions need to match both sides for it to work correctly.

  95. Samuel,

    Everything has been running smoothly with my Nextcloud configuration.

    However with the latest upgrade to 17.02 I am getting an alert saying :

    “Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running ‘occ db:convert-filecache-bigint’ those pending changes could be applied manually. This operation needs to be made while the instance is offline. For further details read the documentation page about this.”

    Do you happen to know how to run this within Freenas?

    Any advice appreciated

    1. Hi Nic, yep, from the shell in your jail just run the command they tell you to! As follows:

      su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:mode --on'
      su -m www -c 'php /usr/local/www/nextcloud/occ db:convert-filecache-bigint'
      su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:mode --off'
      

      It looks a bit different here because you need to run the command as the www user, and specify the full path to the occ program because it isn’t locatable in the environment PATH variable. The other two commands just put your server into and out of maintenance mode. Hope this helps.

  96. My Nextcloud jail is working fine. The certificate renewal with the “certbot renew” command is also working fine, so I tried with the “crontab -e” command to add the suggested cronjob, at which point the command window only shows:
    ~
    ~
    ~
    ~
    ~
    and I am not able to edit anything. Do you have any suggestions how to get past the problem?

    1. Yep, switch your default editor to nano as it indicates earlier in the guide:

      setenv EDITOR /usr/local/bin/nano
      

      Then try to open your crontab.

      1. the cronjob worked. The certificate now expires sometime in April 2020. However, today while accessing Nextcloud, I got the warning that the certificate expired on 23.01.2019 HH:MM. The new certificate was loaded only after I restarted the jail. Is it possible to incorporate a restart/onerestart command for the jail in the certificate renewal cronjob?

          1. Thanks a lot. So adding the line
            --deploy-hook "service apache24 restart"
            after the rest of the cron should do the job?
            I’ve done the changes. Now I’ll wait till the next renewal.

    1. Hi,
      I don’t get this error so I suspect it’s something specific to your configuration. See this thread/comment for more details: https://help.nextcloud.com/t/security—host-prefix-cookie-setting/9740/6. With that said, these are the proxy settings I use for my reverse proxy without issue:

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_set_header X-Forwarded-Ssl on;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_http_version 1.1;
      

      Hope this helps!

  97. Excellent – Thanks a lot and great job with your tutorial. For me it worked like a charm with the following:
    FreeNAS 11.2
    Nextcloud 18
    PHP 72

  98. Hello,
    great guide, I am missing installation and configuration of TURN server for Nextcloud Talk app,
    but I manage it by myself, so video calls over internet are working fine.
    (freenas 11.3 + Nextcloud 18)

    1. What was the process you used to install the TURN server. Did you use the existing nextcloud jail or did you create a new one?

      1. Can you explain how you did it? Did you use the same jail or make a new one? Which packages did you use?

  99. Slightly off topic, but how do I get my pfsense to see my nextcloud. It seems like it’s not seeing it because it’s a vnet? It’s set up with 192.168.1.10 per the tutorial

    1. It won’t show up as a DHCP lease because it’s not requesting one, it sets its IP manually. I’d just add a static mapping for it in pfSense.

  100. @Nic Greene
    If Samuel can’t help you with that topic, I can. I’d ask however you just re-post your question in the FreeNas Forums under the Networking section. I can help you there. Please post your network config for your jail. And the IP addresses associated with your network.

  101. Awesome guide. Thanks so much for the effort and detail you’ve put into this.

    Having weird issues getting google to authenticate the log email. On a previous install it worked fine. Using the same exact email accounts, I keep getting authentication error on mail log(I’m 100% certain the gmail/password info is correct).

    So I accidentally removed the /var/log/maillog/ and now when I attempt to send a test email, there is no log to review. Any idea how to fix either of these problems?

    1. Not having experienced either of these issues, there’s a couple of things you could try:
      1. Recreating /var/log/maillog:

      touch /var/log/maillog
      
      2. Enabling and re-enabling ‘less secure apps’ in your gmail settings

      See how you go with those.

  102. @Soygen
    Here is an example of how I configured my postfix:
    Take out some of the comments depending on what you want for port
    Also smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt <— This is what it is for linux, please look up above what it is for FreeBSD. I can’t recall off top of my head

    tls_preempt_cipherlist = no

    # SASL Option

    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous

    # Global Client TLS Options

    tls_random_source = dev:/dev/urandom
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_use_tls = yes

    # SMTP Parameters – (Modern) – Valid for Gmail

    #smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
    #smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2

    # SMTP Parameters – (Medium) – Valid for Mailgun and Gmail

    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

    # TLS Option (Port 587)

    #smtp_tls_security_level = encrypt
    #Gmail SMTP
    #relayhost = [smtp.gmail.com]:587
    #smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd_GMAIL_587

    # End TLS Options (Port 587)

    # TLS Option (Port 465)

    #smtp_tls_security_level = encrypt
    #smtp_tls_wrappermode = yes
    #Gmail SMTP
    #relayhost = [smtp.gmail.com]:465
    #smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd_GMAIL_465

    # End TLS Option (Port 465)

  103. Hello Samuel – And massive thank you again for the tutorial.
    I got everything to run and was setting up the “Hardening” steps, until SSL decided to make my life complicated !…
    I didn’t go for the option to setup a Reverse proxy (well I tried, but given up) so I kept following the steps in this page of your tutorial.
    I managed to get Certbot to issue the certificate just fine, so skipped the steps with AWS.
    Note: I access my server publicly via a No-IP redirect to my router, then a port forwarding to my NextCloud jail.

    When I reach the step where I need to restart Apache, it fails. In httpd-error log, I can see the following:
    “init this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2s-freebsd 28 May 2019, version currently loaded is OpenSSL 1.0.2o-freebsd 27 Mar 2018) – may result in undefined or erroneous behavior
    “[ssl:emerg] [pid 51540] AH02231: No SSL protocols available [hint: SSLProtocol]”
    “[ssl:emerg] [pid 51540] AH02312: Fatal error initialising mod_ssl, exiting.”

    The content of my site conf is:

    ServerName cartan.hopto.org
    Redirect permanent / https://cartan.hopto.org

    ServerAdmin *********
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName cartan.hopto.org

    SetHandler "proxy:fcgi://127.0.0.1:9000/"

    DirectoryIndex /index.php index.php
    SSLCertificateFile /usr/local/etc/letsencrypt/live/cartan.hopto.org/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/cartan.hopto.org/privkey.pem
    SSLEngine on

    # modern configuration from ssl-config.mozilla.org
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLUseStapling On
    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=155520000; includeSubDomains"
    </IfModule>

    I’ve tried to see if a package upgrade would fix the issue, but nothing seems related to SSL. I looked for this error on internet and it always relate to a config issue rather than a real version mismatch.
    Would you have any idea what I missed?

    Thanks for any assistance,
    Tanguy

    1. Sorry, some bit did not display properly when copying the content of my site conf file. I do have :
      “” and “” for the first 2 lines, and then:
      “” and closing is for the rest.

    2. It looks like you’re running quite an old version of OpenSSL, and perhaps your modern configuration’s selection of protocols isn’t supported by that version of OpenSSL. From the looks of it, it only supports TLSv1.3? You could try going back to the intermediate configuration. Alternatively, you could try to upgrade openssl. I’m not 100% clear on the process to do this. It looks like openssl is installed by default and not managed by pkg. As a test I installed it using:

      pkg install openssl
      

      and this indeed installed v1.1.1d, which is more than recent enough for the error message you’re getting. However, it installed it to /usr/local/bin, which is preceded in the PATH environment variable by /usr/bin, meaning it finds the default installation, /usr/bin/openssl (the old version) before it finds the new one. I haven’t tested any of this with apache, and I’m not sure how to change the PATH to persist the new version being identified before the old version for the www user, given it doesn’t have a login shell. That said, I’m sure it just requires more research. It might mean that openssl needs to be built with ports to override the default, I’m not sure. The easy solution is probably just to roll back your SSL configuration to intermediate until you update your jail (I’m assuming you’re running something reasonably old). Anyway, I hope this helps!
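
Added example (not part of the original comments, and not mod_ssl's own code): a simplified model of how the SSLProtocol line from the site conf above resolves against the OpenSSL version the error log reports as loaded, showing why the "modern" line leaves nothing enabled on 1.0.2o. The version-to-protocol table, the function names and the intermediate-style line are assumptions made for illustration.

```shell
#!/bin/sh
# Simplified model (assumption): protocol versions each OpenSSL release line
# can negotiate. TLSv1.3 first appears with OpenSSL 1.1.1.
openssl_protocols() {
    case "$1" in
        1.0.1*|1.0.2*) echo "SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
        1.1.0*)        echo "TLSv1 TLSv1.1 TLSv1.2" ;;
        1.1.1*|3.*)    echo "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
        *)             return 1 ;;
    esac
}

# without <word> <list...>: print the list with every copy of <word> removed.
without() {
    drop=$1
    shift
    out=""
    for w in "$@"; do
        [ "$w" = "$drop" ] || out="$out $w"
    done
    echo $out
}

# resolve_sslprotocol <openssl-version> <SSLProtocol tokens...>
# Prints the protocols left enabled. Returns 1 when none remain (the
# situation behind "AH02231: No SSL protocols available"), 2 when the
# OpenSSL version is not in the table above.
resolve_sslprotocol() {
    supported=$(openssl_protocols "$1") || return 2
    shift
    enabled=""
    for tok in "$@"; do
        case "$tok" in
            -*) action=remove; name=${tok#-} ;;
            +*) action=add;    name=${tok#+} ;;
            *)  action=set;    name=$tok ;;   # a bare name replaces the set
        esac
        # "all" stands for everything the loaded library offers.
        if [ "$name" = "all" ]; then names=$supported; else names=$name; fi
        if [ "$action" = set ]; then enabled=""; fi
        for n in $names; do
            enabled=$(without "$n" $enabled)
            [ "$action" = remove ] || enabled="$enabled $n"
        done
    done
    # Keep only what the loaded library can actually speak. (Simplification:
    # names the library does not know are dropped silently here.)
    result=""
    for p in $enabled; do
        case " $supported " in
            *" $p "*) result="$result $p" ;;
        esac
    done
    result=${result# }
    echo "$result"
    [ -n "$result" ]
}

# Constructed inputs: the two OpenSSL versions named in the thread, and the
# commenter's "modern" line beside an assumed intermediate-style line.
for ver in 1.0.2o 1.1.1d; do
    for line in "all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2" "all -SSLv3 -TLSv1 -TLSv1.1"; do
        if left=$(resolve_sslprotocol "$ver" $line); then
            echo "OpenSSL $ver | SSLProtocol $line | enabled: $left"
        else
            echo "OpenSSL $ver | SSLProtocol $line | nothing enabled, httpd refuses to start"
        fi
    done
done
```

On the jail itself, `openssl version` shows only the binary found first in PATH; the version mod_ssl actually loaded is the one printed in httpd-error.log.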

  104. AAAArrrgh ! Ok, I think you understand that the instructions “Virtualhost *:80 ” and “VirtualHost *:443” are not displayed using this comment box I’m writing in….

  105. Hi Sam. I have everything installed and running great (including the reverse proxy and certbot). Only a minor issue left. Most icons are not displaying in NextCloud (ie: they are showing like broken image links). If I go to the image URL directly, it loads, so it’s clearly accessible on my server. Any idea what would cause nextcloud to block these and how I can have them show up?

    Some example URLs:

    http://cloud.example.com/index.php/apps/theming/img/core/filetypes/image.svg?v=0
    http://cloud.example.com/core/img/actions/mail.svg

    Thanks in advance for your help.

    1. Hi Soygen, off the top of my head you might want to check to see if you’ve disabled image previews. Open /usr/local/www/nextcloud/config/config.php and make sure you have the following line:

      ...
          'enable_previews' => true,
      );
      
      1. Thanks. That fixed the previews for images in the actual file folders, but for sections of the UI(like “Activity” for instance), it still shows broken image links. Will keep digging.

  106. Dear Sam
    First of all many thanks for this really great and detailed tutorial.
    It took me several starts to complete my set up as I would like to have; but now I am happy with my installation, nevertheless there are still some items to be solved, but it works so far and I have to do some more detailed finishing.
    So now I have installed based on FreeNAS 11.3 Release:
    Apache 2.4.41
    MariaDB 10.3.22
    PHP 7.2.28
    Nextcloud 18.0.1

    Some tasks I did slightly different than you proposed in your tutorial:

    Create users and set permissions:
    According to my understanding, based on the FreeNAS documentation, all users, not members of FreeNAS itself , should become ID’s greater than 1000.
    So I defined my mysql user and group with an ID of 1000.
    Consequently the user and group in the jail got the same ID’s.
    When you do this prior you install MariaDB, MariaDB will use the existing user and group named mysql.

    Add storage to the iocage jail:
    I performed this task via GUI because for me the relation between the paths in and out of the jail is easier to read and understand.

    Change pkg repo to latest branch
    When you open the file FreeBSD.conf, you should notice the advice;
    To disable this repository, instead of modifying or removing this file, create a /usr/local/etc/pkg/repos/FreeBSD.conf file.
    I followed this advice.

    Install required packages
    When I installed MariaDB102 I got a notice:
    This port is deprecated; you may wish to reconsider installing it:
    Port will be removed when 10.5 is added, please switch to a newer version.
    It is scheduled to be removed on or after 2020-07-01.
    I decided to delete this pkg and install MariaDB 103 instead.

    Web Configuration
    After configuring Nextcloud itself I add the APP “External storage support” and got the info in Nextcloud that access via smb is not installed or not working.
    I installed the pkg php72-pecl-smbclient and access to data stored outside of the jail is working.

    So far so good, but I am not really sure if I did everything correct with redis.
    The service is running, but during performing the section “Caching and Redis” I got some output I am not able to assign that correct:
    After the command:

    su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'

    I got the following output:

    The process control (PCNTL) extensions are required in case you want to interrupt long running commands – see http://php.net/manual/en/book.pcntl.php
    System config value redis => host set to string /tmp/redis.sock
    root@nextcloud:~ # su -m www -c ‘php /usr/local/www/nextcloud/occ config:system:set redis port –value=0 –type=integer’su -m www -c ‘php /usr/local/www/nextcloud/occ config:system:set memcache.local –value=”\OC\Memcache\APCu”‘
    The process control (PCNTL) extensions are required in case you want to interrupt long running commands – see http://php.net/manual/en/book.pcntl.php

    In SetConfig.php line 167:

    Invalid type

    config:system:set [–output [OUTPUT]] [–type TYPE] [–value VALUE] [–update-only] [–] …

    Feedback, if possible, on this would be highly appreciated.

    Once again many thanks for the time you spend to write down this tutorial, I was able to learn a huge amount on knowledge on jails FreeBSD and FreeNAS.

    All the best and many thanks in advance for your support from Austria.
    Bernhard

    1. Hi Bernhard,

      I wrote this guide some time ago, and it looks like you’ve made some sensible changes. With respect to Redis, it appears that the error you’re getting is actually due to the occ command, not redis. This GitHub issue seems to indicate that it’s not actually an issue, but you might want to do some further research on your own in this area; I’ve never had the issue before. Glad you got everything working otherwise 🙂

      Cheers

      1. Dear Sam

        Many thanks for your reply.
        I assumed an answer like this, because my installation was stable in the meantime without any other error message.
        I will invest some more time to research on this issue.
        To be honest I did not cover all of your guide, especially the hardening of security is an open task to be covered.
        My server is actually running only locally in my home network.
        I do not have an active home page and it is not on my focus to implement such a homepage.
        My intention is to make connection to the internet via port forwarding to a DynDNS Server.
        If there has somebody covered this task already it would be great to get advice to do the required steps.

        Cheers

  107. Best recipe I’ve ever seen! More than that: For me as FreeNAS beginner a helpful hands-on tutorial. Just finished the installation with minor changes (names, php- and mariadb-versions, …) successfully. Much better than any script that leaves you helpless in case that anything doesn’t work as expected.
    Thank you very much! Unfortunately I didn’t find a donation button.

  108. Samuel, thank you for the work you put into that.

    I had one issue with using the Nextcloud jail behind an nginx reverse proxy, though. I could log into Nextcloud when using the jail IP, but it did not work when using the (public) domain and thus going through the proxy. The solution for this is actually pretty simple – you need to add a 'trusted_proxies' => ['192.168.0.5'] line to config/config.php (the IP address must be replaced by the IP of the reverse proxy, of course). That solved it for me up to now (though I still have to fix the .well-known stuff in the reverse proxy).

    For reference, I used nextcloud 18.0.1

    Cheers,
    Marco

  109. One other thing which may help some people (at least it helped with my installation): when checking your installation using scan.nextcloud.com, you will presumably see a problem with __Host-prefix in the “Hardening” section of the results. For me, it helped to set session.cookie_secure = 1 in the php.ini (this setting was commented out in the installed version of that file). Now I get an “A+” rating from the scanner.

    Used php-74 (that means, pkg install nextcloud-php74 from the latest repo).

    Cheers, Marco

    1. I used php-72. Is there any good reason to try to update to php-74 by now? If so, how would I do that?

      1. Hi Bernhard, at this stage there’s no particular reason to upgrade to php 7.4. PHP 7.2 won’t be marked End of Life (EOL) until 30/11/2020, at which point it will stop getting security updates. As far as upgrading goes, I’m not sure there’s presently a good way. You could try just updating each of the php packages to 7.4 individually, but I’m not sure if this would work. I haven’t tried, so I’m not sure. The obvious, though inconvenient, upgrade solution is to tear your jail down and build it again. This is a struggle I’ve had with Nextcloud, though, I haven’t researched it recently – perhaps the upgrade process is smoother in newer versions. Hope this helps.

        1. My fresh install was with nextcloud-php74 and I can’t remember any serious problems, I just had to replace 71 with 74.

        2. Dear Sam, Marco and Bernhard
          I have done some research regarding update of the jail and would share it with you for discussion.
          An upgrade or update should be done only by using the host system, in this case FreeBSD 11.3-RELEASE-p7 (in my case).
          According to Sam I would like to say: It is not a good idea to do updating or upgrading manually.
          I started with Nextcloud 18.0.1 by installing nextcloud-php72.
          In the meantime Nextcloud is available in version 18.0.3.
          I proceed the following steps, via FreeNAS GUI:
          – In section Jails, I stopped the jail nextcloud and started the update
          – In the shell of the jail nextcloud I entered: pkg upgrade
          – Back in FreeNAS GUI I restarted the jail nextcloud

          Now when you access your nextcloud server nextcloud will start update to version 18.0.3, and after that, your server is up to date.

          I assume doing these steps in regular intervals, with EOL of php72, the next update or upgrade will change that files to the next valid version automatically.

          Hope this helps.

          #Sam: Only as a note: There seem to be two participants with the name Bernhard in your system.

          Cheers, Bernhard from Austria

          1. Hi Bernhard, updating manually or automatically isn’t the issue when updating nextcloud. The issue is that it bundles the nextcloud package with php – you’ll have noticed this with the naming convention nextcloud-php72, nextcloud-php73, nextcloud-php74. My read on what this does is that it installs nextcloud as a package, and all of the required php7x packages along side it. The problem with this is, that a simple pkg upgrade is not going to be useful for upgrading php from 7.2 to 7.3, to 7.4 etc. If you install nextcloud-php72 and then run pkg upgrade, you will indeed get the latest version of nextcloud, an upgrade from 18.0.1 to 18.0.3 in your case. You will also get the latest packages for PHP 7.2. It won’t upgrade you to the latest version of php. This is why I have some uncertainty about best practice here – it might be best to just manage your php packages separately, and use the binary distributable from nextcloud directly rather than installing the pkg. This is an idea I’m thinking about experimenting with going forward.

            With that said, what you’ve done is fine, provided you remember to run the occ command to make the nextcloud application aware of the changes that were made – occ upgrade from memory.

            Also note that you’ve done two things – you’ve upgraded the jail, and nextcloud. These steps can be separated from each other, and it might be desirable to do so depending on current compatibilities between kernel versions, jail distributions, and nextcloud. For example, if you’re running FreeNAS 11.3, you don’t want to upgrade your jail to FreeBSD 12.0-RELEASE. These have incompatible kernels, and would cause your jail to become nonfunctional.

  110. Help! I got the message that MariaDB is going to get removed, and removed the package after I stopped it, installed version 10.4, restarted the service and tried to run mysql_upgrade, and despite being logged in as root it tells me “access denied for user ‘root’@’localhost’ (using password: NO) FATAL ERROR: upgrade failed”. Did we not install mariadb as root? Can anyone help?

    1. Ok, so the password I set started with a character that needed the -p flag to be put in ‘quotationmarks’… ahh, the details…

  111. Very nice guide, due to some newer packages I run into some small problems (certbot vs. certbot-2.7 etc.), but now everything is up and running.
    But the http and nextcloud logs keep growing and growing, is there any chance to configure a kind of rollover for this?

    1. Hi Michael, I’m honestly not sure! Not that I’m aware of, though you could do your research for both Nextcloud and apache individually. I’d be curious to hear what you find 🙂

      Cheers,

      Sam

  112. @BERNHARD

    I’m aware of the upcoming EOL for php7.2. I don’t think however the jail will automatically update to 7.3 when 7.2 has reached its EOL. Working with FreeNAS jails is always a challenge. They sometimes have a different version of software than the FreeNAS parent and can become “out of sync”. FreeNAS 11.1 changed some of these issues however didn’t totally rectify the problem. I was told over on the FreeNAS forums, jails weren’t specifically to be used if you wanted to run something “permanently”. I’m not sure if the commentator was having a bad day but I never really found more explanation to this comment when I asked further f/u questions. I’m betting a complete teardown of the jail would be needed with reinstallation of packages within a new jail. Another option I’m considering would be to virtualize “Nextcloud” and then mount the needed datasets inside of the virtualized “Nextcloud” so I can still take advantage of Freenas ZFS snapshotting abilities. To my knowledge FreeNAS and docker don’t mix well so I’m kind of stuck for the moment with my virtualized “Nextcloud” plans. I believe some time in the near future FreeNAS is going to make an announcement about their distribution that will include a linux variant. I believe this would include a variant built with OpenZFS. That would make virtualizing “Nextcloud” much easier while still maintaining the abilities of ZFS snapshots on the host.

    1. Kev, the virtualisation that you’re talking about in this post is exactly what I do in my guide. A jail is a container that shares the kernel of the host; it is virtualisation. Similarly, the way in which I configure datasets at the beginning of the guide is exactly what you’re talking about wrt mounting datasets. The fstab configuration steps describe the process of mounting these datasets on the host into the jail, so depending on how you configure snapshots on your dataset, you can already take advantage of FreeNAS’s snapshotting abilities. This also allows you to destroy the jail and maintain all of your Nextcloud data; it just needs to be reimported when you reinstall nextcloud and its dependencies. The desirable aspect of docker is its portability, not its virtualisation. You can update the image and be confident things will work. The process that we have here at the moment would be exactly the same as docker if you couldn’t just pull a new image from docker hub, and were forced to update everything inside the docker container manually.

      The challenge with tearing down and building up a nextcloud instance to my understanding is mostly just reimporting the database into a fresh installation of MariaDB, which is probably independent of any virtualisation, just an artefact of mariadb’s usability for importing existing databases.

      Hope this makes things clearer.

      1. Hi Sam and Kev
        Thanks for your reply, maybe I do not know the complete context, because I am still a novice in administrating FreeNAS and jails within.
        Only to make my way of thinking clear:
        According FreeNAS documentation chapter 15: “By default, jails run the FreeBSD operating system. These jails are independent instances of FreeBSD. …The jail installs FreeBSD software management utilities so FreeBSD packages or ports can be installed from the jail command line. This allows for FreeBSD ports to be compiled and FreeBSD packages to be installed from the command line of the jail.”
        If I am not mistaken, the installed FreeBSD release has the same benefits as a completely full FreeBSD installation regarding maintaining the packages and ports.
        So far so good.
        If you are doing now an update for a certain jail, as I have done from the FreeNAS GUI, you will not change the FreeBSD release, but you will get the actual patches as described in chapter 15.3.1 of the FreeNAS documentation.
        At this stage the documentation of FreeNAS ends, a further support, will supply the documentation of FreeBSD, in the valid release.
        According to that documentation, chapter 23.2.3.2, packages can be updated by using “pkg upgrade”.
        I have currently installed 11.3-RELEASE-p7 for my Nextcloud jail and I assume along with this release php72 will remain the valid version.
        As soon as FreeNAS will use the release 11.4 or even 12, the jail release can be upgraded as well and the php packages will be, due to maintaining of the ports, upgraded to the valid version as well.
        This is how I read the documentation and I hope I am not wrong.
        Interested to keep on learning.

          1. As I wrote, I am a novice in the world of FreeNAS and FreeBSD, and interested to learn.
            Especially from users like you, with knowledge far ahead from mine.
            So I am comparing documentation and actions , as described in your guideline, and try to understand how the system can be administrated.

            When you look at the man page of pkg-upgrade you will find following within the section description:
            .. pkg upgrade compares the versions of all or specific packages installed on the system to what is available in the configured package repositories. Any out of date packages are added to a work list for processing.

            So my understanding in this case:
            As long as you do “pkg upgrade” (without any optional argument) nextcloud-php72 will be at a certain time out of date and should be replaced by the version defined from the maintainer of the repository.

            So let’s keep an eye on this topic and wait what will happen.
            Happy Easter!

          2. I’m running an out of date version currently; when running pkg upgrade -n, it indicates that nextcloud is staged to be removed because it’s no longer a tracked version, and nothing is staged to replace it. So it looks like when the php version becomes EOL the entire package just gets dropped.

  113. Sam, I am running a more or less up to date system with Nextcloud 18.0.3 based on version of php72.
    My last pkg upgrade (without any optional parameter) I did in the last week.
    I run today pkg upgrade -F and got the following output:

    root@nextcloud:~ # pkg upgrade -F
    Updating FreeBSD repository catalogue…
    FreeBSD repository is up to date.
    All repositories are up to date.
    Checking for upgrades (2 candidates): 100%
    Processing candidates (2 candidates): 100%
    The following 2 package(s) will be affected (of 0 checked):

    Installed packages to be UPGRADED:
    ca_root_nss: 3.51 -> 3.51.1
    fontconfig: 2.13.92,1 -> 2.13.92_1,1

    Number of packages to be upgraded: 2

    671 KiB to be downloaded.

    Proceed with this action? [y/N]: n

    So I stopped to do an upgrade because it is actually not essential to my system.

    The last paragraph of Description in the man page of pkg-upgrade:
    Finally, the work list is executed in dependency order. Package reinstall or update jobs are processed by removing the currently installed package and immediately installing the replacement. New dependencies are processed as installation jobs as part of the work list.

    So based on this, the output of “pkg upgrade -F” in your case would be interesting.

  114. Another question.
    I need everything in ENABLE SSL CACHING but there is nothing in /var/log/apache, even after some days of usage.
    Is this OK?

  115. Hello Samuel,

    Today I moved my Nextcloud Jail on a new pool, after backing up a working image of my actual setup (Nextcloud 16.0.0 php 7.3.4). I cleared the old iocage, created the iocage on the new pool with jail Release 11.2 as the Nextcloud jail. After reimporting the jail, everything was working fine.

    I wanted to update Nextcloud from within the shell, as in your tutorial, with “pkg upgrade Nextcloud-php73” ignoring the fact that Nextcloud is already in Release 18.0. Bad idea. The upgrade broke up and my installation stuck in maintenance mode…

    No panic. I killed the jail. I killed the iocage and set it up again. I moved my image in the new iocage and imported it again. I even restarted FreeNAS…. Nextcloud was still in maintenance mode although I used a jail image that wasn’t touched by the upgrade attempt! I found finally how to change the maintenance mode from true to false in php.config and everything is running again. Here are my questions:

    How could the “untouched” image of the jail after reimporting on a new iocage be stuck in maintenance mode?? I was pretty sure I was safe with my backup.
    Now after “pkg update” and “pkg search Nextcloud” I only get “nextcloud-php73-16.0.4” as the newest version, no php74 or 17/18 anymore. And after trying to upgrade to 16.0.4 from 16.0.0 I get the error: “pkg: http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest/All/nextcloud-php73-16.0.4.txz: Not Found”. Any ideas what might be going wrong?

    Greetings,

    Costis

    1. I suspect the reason it was in maintenance mode is that any changes to your nextcloud configuration are propagated outside of the jail. This is a design feature of the setup I’ve presented. Specifically, the fstab section where you mount the folder /mnt/jailhouse/apps/nextcloud/config into your nextcloud jail, at /usr/local/www/nextcloud/config. As for upgrading, I don’t currently have a good solution for you. This is something I’m planning to explore in the near future when my study load subsides a bit. As for the error message you’re getting, you’re getting it because the package doesn’t exist. You can confirm this by navigating to http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ and searching for nextcloud-php73-16.0.4.txz – it’s not there. The current version is nextcloud-php74-18.0.3.txz. I suspect that this means that your pkg update command isn’t working properly. I’m not sure why this might be, but hopefully this gives you a starting point for future research 🙂

      HTH.

  116. For future reference,

    I followed all the steps above in FreeNAS 11.3, with nextcloud-7.2. Once everything is set up, I could not log in using the webapp. This gives a 401 error when trying to grant access.

    The apache server configuration was missing mod_rewrite in order to pass the authentication through for the webdav basic auth, as per link: https://help.nextcloud.com/t/client-login-fails-with-401/29378/7

    steps required:
    nano /usr/local/etc/apache24/httpd.conf
    find rewrite_module and uncomment the line: LoadModule rewrite_module libexec/apache24/mod_rewrite.so

    return to modify your virtual host file
    cd /usr/local/etc/apache24/Includes
    Add the following lines into the virtual hosts, it should look something like this (note, I’ve changed my php-fpm to use a socket):

    <VirtualHost *:80>
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName IP
    <FilesMatch \.php$>
    SetHandler "proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/"
    </FilesMatch>
    DirectoryIndex /index.php index.php

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    </VirtualHost>

    Boom, the web-app should work and you’ll be able to log in from the application. From reading over the comment thread, the basic authentication is not being passed through, leading to a 401 error.

    Hope this helps someone. I spent a good 3-4 hours searching on the nextcloud help, and ending up with many threads which did not have a solution. It may be worth updating the guide above as well.

    Cheers!

    1. Thanks Stephen, I’ve added this to the list of issues with the guide, and if I can replicate it I’ll update it with your changes soon 🙂 Cheers

  117. I know the guide mentions apache as the web server for apache. I’m just going to post this as reference here since I went ahead and just switched my webserver to nginx rather than apache. I did this since all my reverse proxies were running nginx so it was just much easier for me to maintain nginx rather than nginx apache. Most of this was taken directly from the nextcloud documentation with a few changes to accommodate what @samuel_dowling had implemented above. This should avoid having to look for certain apache modules (which is both a strength and weakness of apache).

    upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php/php7.2-fpm.sock;
    }

    server {
    listen 80;
    listen [::]:80;
    server_name cloud.example.com;
    # enforce https
    return 301 https://$server_name:443$request_uri;
    }

    server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.example.com;

    access_log /var/log/nginx/cloud.example.com.access.log main buffer=32k;
    error_log /var/log/nginx/cloud.example.com.error.log;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant

    include snippets/cloud.example.com.cert.conf;
    include snippets/ssl-params.conf;
    include snippets/nextcloud-headers.conf;

    # Path to the root of your installation
    root /usr/local/www/nextcloud;

    location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
    return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
    return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location ~ \.php$ {

    fastcgi_pass 127.0.0.1:9000;

    fastcgi_index index.php;

    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    include fastcgi_params;

    }

    location / {
    rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
    deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    # Enable pretty urls
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
    try_files $uri/ =404;
    index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
    try_files $uri /index.php$request_uri;
    add_header Cache-Control "public, max-age=15778463";

    include snippets/nextcloud-headers.conf;

    # Optional: Don't log access to assets
    access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
    try_files $uri /index.php$request_uri;
    # Optional: Don't log access to other assets
    access_log off;
    }

    }
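
Added example, not part of the comment above or of the Nextcloud documentation: a small Python model of how nginx picks a location (exact match, then longest prefix, then regex blocks in file order with the first match winning), run over the location patterns from the config above. It shows that the generic PHP block, because it is listed before the `deny all` blocks, is selected first for paths such as /config/config.php; the labels, the probe URIs and the hardened variant (the same list without the generic block) are assumptions made for illustration.

```python
import re

# Location blocks from the server block in the comment above, in file order.
# Tuples are (modifier, pattern, label); the labels are made up for this example.
LOCATIONS = [
    ("=", "/robots.txt", "static"),
    ("=", "/.well-known/carddav", "redirect"),
    ("=", "/.well-known/caldav", "redirect"),
    ("~", r"\.php$", "php-generic"),  # generic PHP block (dot escaped)
    ("", "/", "rewrite-to-index"),
    ("~", r"^\/(?:build|tests|config|lib|3rdparty|templates|data)\/", "deny"),
    ("~", r"^\/(?:\.|autotest|occ|issue|indie|db_|console)", "deny"),
    ("~", r"^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]"
          r"|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/)", "php-entrypoint"),
    ("~", r"^\/(?:updater|oc[ms]-provider)(?:$|\/)", "updater-index"),
    ("~", r"\.(?:css|js|woff2?|svg|gif|map)$", "static-asset"),
    ("~", r"\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$", "static-asset"),
]

# Assumed hardened variant: same blocks, generic PHP block removed, so only the
# whitelisted entry points are handed to php-fpm.
HARDENED = [loc for loc in LOCATIONS if loc[2] != "php-generic"]

# Constructed probe URIs (not taken from any log).
PROBES = [
    "/index.php",
    "/remote.php/dav",
    "/config/config.php",
    "/lib/base.php",
    "/3rdparty/autoload.php",
    "/core/css/server.css",
]


def select_location(uri, locations):
    """Return the label of the location block nginx would use for `uri`."""
    best_prefix = None  # (pattern length, modifier, label)
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label  # exact match ends the search immediately
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > best_prefix[0]:
                best_prefix = (len(pat), mod, label)
    # A longest prefix marked ^~ suppresses the regex pass.
    if best_prefix and best_prefix[1] == "^~":
        return best_prefix[2]
    # Regex locations are tried in file order; the first match wins.
    for mod, pat, label in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return label
    return best_prefix[2] if best_prefix else None


def shadowed_denies(locations, uris):
    """List (uri, chosen_label) where a deny regex matches but is not chosen."""
    findings = []
    for uri in uris:
        wants_deny = any(
            mod in ("~", "~*") and label == "deny" and re.search(pat, uri)
            for mod, pat, label in locations
        )
        chosen = select_location(uri, locations)
        if wants_deny and chosen != "deny":
            findings.append((uri, chosen))
    return findings


if __name__ == "__main__":
    for name, locs in (("as posted", LOCATIONS), ("hardened", HARDENED)):
        print(f"== {name} ==")
        for uri in PROBES:
            print(f"{uri:28} -> {select_location(uri, locs)}")
        print("deny rules bypassed:", shadowed_denies(locs, PROBES))
```

The same ordering also means plain /index.php is served by the generic block, which does not set the `HTTPS`, `modHeadersAvailable` or `front_controller_active` parameters that the entry-point block sets.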

  118. Hi – I’d finally like to add the concern over the upcoming EOL of php7.2. This issue was bothering me since I really wanted to avoid tearing down and rebuilding the jail.

    I’d like to document the process I’ve used to upgrade in place php72 to php74. For reference my FreeNAS installation runs 11.3-U2-1. My iocage jails had been updated to an 11.3 base. The pkg repo was updated to the latest release and not the quarterly release (this step was documented above)

    Preparation

    – Make sure you create a snapshot of the iocage nextcloud jail and a snapshot of the datasets used by nextcloud (ie jailhouse tree) in case something goes wrong
    – Additionally save a copy of /usr/local/www/nextcloud/config/config.php in case something goes wrong
    – Put nextcloud in maintenance mode: sudo -u www php occ maintenance:mode --on

    Pkg Install

    – sudo pkg install nextcloud-php74-18.0.3
    You’ll be presented with a list of all the conflicting files between 7.2 and 7.4. Make a note of what php files are not included in the 7.4 list that are included in the 7.2 list. You’ll need to manually install these.

    I let the installation complete
    I then had to manually install the following files (this was based on the step above):
    sudo pkg install php74-pcntl php74-pecl-imagick php74-pecl-redis php74-phar php74-tokenizer

    The only package that didn’t have a match was php72_wddx. There was no corresponding php74 version

    Change ownership of the /usr/local/www/nextcloud directory
    sudo chown -R www:www /usr/local/www/nextcloud
    Take nextcloud out of maintenance mode
    sudo -u www php occ maintenance:mode --off
    Potential problems – Complete step only if this problem occurs to you
    Prior to upgrading I was running nextcloud php72-18.0.4.2 and this process installed php74-18.0.3.0. On accessing either nextcloud through the browser or through a sudo -u www php occ status — I was receiving error: Downgrading is not supported and is likely to cause unpredictable issues (The installation downgraded my 18.0.4.2 version to 18.0.3.0)

    For a workaround —
    As root – edit /usr/local/etc/nextcloud/config/config.php and look for version line — change the line to look like the following:
    'version' => '18.0.3.0',

    Perform a manual upgrade on command line:
    sudo -u www php occ upgrade

    The above command should restore to the latest nextcloud version.

    Verify php7.4 is now being used (Optional)

    – At command line: php --version
    — From browser – create an info.php file and place it inside your nextcloud root directory (/usr/local/www/nextcloud)
    The contents of info.php are:

    Browse to your nextcloud domain -> For example nextcloud.example.com/info.php. This should display the php version as well.

    Hopefully that will help some people along the way.

    1. Kev, thanks a lot for this. I was talking about this issue with the folks in #freebsd a few days ago and this was the suggested fix; I thought there had to be a better way to upgrade than tearing a jail down and rebuilding, so thanks for going through the effort to test this method. I’ll add this to the list of issues and update the guide to include your suggestions soon 🙂

  119. You can remove the packages manually if you want but during the installation of the 7.4 packages the package manager will list the 7.2 packages as being in conflict with the new 7.4 requested packages. It will prompt you if you want to proceed and remove the older packages or cancel the process. I just told the package manager to proceed. Just be aware however that for me at least I still had to install some 7.4 packages manually. So be sure to make a list of all the 7.2 packages you have currently installed and also keep a list of the corresponding 7.4 packages to make sure you’ve replaced all the old packages with newer corresponding versions. I believe I touched upon this step in the instructions above.

    1. Worked great! Updated from 7.2 to 7.4. I did have to manually install the php74-gmp and php74-pecl-redis packages. There were two packages that didn’t have a 7.4 match: php72-hash and php72-wddx. Everything else installed just fine. info.php shows me using 7.4.5. Thanks for the help!

  120. Hi Samuel,

    Last year I was able to install successfully NC following your steps. It worked fine, but the hardware and resources were substandard, so decided to upgrade my FreeNAS server.

    In my second attempt to building Nextcloud following your guide, including storage pool configuration, right after completing the Web Configuration, instead of the NC GUI, I keep getting:

    Internal Server Error

    The server encountered an internal error and was unable to complete your request.
    Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.

    More details can be found in the webserver log.

    Users have reported getting this error after in-place upgrades, or after component updates. In most cases it’d appear related to memcache settings. My system has the following installed:

    Nextcloud 11.3rP8
    Apache Server version: Apache/2.4.43 (FreeBSD)
    MariaDB Server version: 10.4.12-MariaDB FreeBSD Ports
    nextcloud-php72
    redis: 5.0.9

    I’ve tried suggestions found online to no avail. Have been stuck debating whether to scrap the install altogether, or to try again using older releases, as they seemed to work fine in the past. Will keep investigating and will update this thread if successful.

    Thanks again for a magnificent guide!

    Angelo C.

  121. This is an update from the previous comment by Angelo C.

    After enabling debugging on the Nextcloud log, here’s a more detailed error (still researching)

    Internal Server Error

    The server was unable to complete your request.
    If this happens again, please send the technical details below to the server administrator.
    More details can be found in the server log.
    Technical details

    Remote Address: 10.0.1.101
    Request ID: WOKWUNeg7z4bxh3WsMO1
    Type: OCP\Files\NotFoundException
    Code: 0
    Message:
    File: /usr/local/www/nextcloud/lib/private/legacy/helper.php
    Line: 488

    Trace

    #0 /usr/local/www/nextcloud/apps-pkg/files/lib/Controller/ViewController.php(138): OC_Helper::getStorageInfo(‘/’, false)
    #1 /usr/local/www/nextcloud/apps-pkg/files/lib/Controller/ViewController.php(186): OCA\Files\Controller\ViewController->getStorageInfo()
    #2 /usr/local/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php(170): OCA\Files\Controller\ViewController->index(”, ”, NULL, false)
    #3 /usr/local/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php(99): OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\Files\Controller\ViewController), ‘index’)
    #4 /usr/local/www/nextcloud/lib/private/AppFramework/App.php(125): OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\Files\Controller\ViewController), ‘index’)
    #5 /usr/local/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php(47): OC\AppFramework\App::main(‘OCA\Files\Contr…’, ‘index’, Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
    #6 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
    #7 /usr/local/www/nextcloud/lib/private/Route/Router.php(299): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
    #8 /usr/local/www/nextcloud/lib/base.php(1008): OC\Route\Router->match(‘/apps/files/’)
    #9 /usr/local/www/nextcloud/index.php(38): OC::handleRequest()
    #10 {main}

    1. The issue you’re having, just reading those logs, is that /usr/local/www/nextcloud/lib/private/legacy/helper.php doesn’t exist. I’m not sure why this would be the case, I haven’t experienced this issue at all. One question I do have, is why are you installing Nextcloud 11.3? This is a version that was out of date when I wrote the guide a few years ago; I believe the current version available on fresh ports is 18.0.4_1; perhaps it would be worth installing that? Actually, perhaps this was just you misreading the versions – 11.3-p8 looks like the freebsd release, not a nextcloud version.

      I’m hoping to revise this guide to be more current in the next few weeks; hopefully I’ll uncover any issues in the process and update the guide accordingly. With respect to your specific problem and steps that may help you resolve it – dig around in the nextcloud folder and see if anything else is missing, and google around to see if anybody else has had similar problems. Perhaps try installing nextcloud in a completely fresh jail and see if that file exists when you do. If it doesn’t, you could try installing an older version. A discussion on how to do this can be found here.

      Cheers

  122. Hi Samuel, good to hear back.

    I did misstate Nextcloud’s version. I probably got FreeBSD’s jail tabled as NC. I’m running 18.0.3.0:

    root@nextcloud:/usr/local/www/nextcloud # cat version.php
    <?php
    $OC_Version = array(18,0,3,0);

    The helper.php file the error references, does indeed exist, and in the expected location:

    root@nextcloud:/usr/local/www/nextcloud # ls -al /usr/local/www/nextcloud/lib/private/legacy/helper.php
    -rw-r--r-- 1 www www 17405 Mar 11 10:52 /usr/local/www/nextcloud/lib/private/legacy/helper.php

    I tried adding and subtracting privs to no avail.

    I’m curious, are the files in the data directory, in this case /mnt/data/, supposed to have no privileges at all?

    At the moment, /mnt/data contents are not available to anyone:

    root@nextcloud:/usr/local/www/nextcloud # ls -al /mnt/data
    total 60
    drwxrwx---+ 5 www www 8 May 16 17:39 .
    drwxr-xr-x 3 root wheel 3 Apr 25 14:47 ..
    ---------- 1 www www 542 May 11 10:12 .htaccess
    ---------- 1 www www 0 May 11 10:12 .ocdata
    d---------+ 3 www www 3 May 16 17:21 appdata_oczgys0fbsko
    d---------+ 2 www www 2 May 16 15:52 files_external
    ---------- 1 www www 0 May 11 10:12 index.html
    d---------+ 2 www www 2 May 11 10:12 ncadmin

    Will try a fresh install of 18.0.4_1, before investing much more time + effort in Mr. Bizarro’s Cloud.

    Regards,

    AC

    1. No, these permissions are incorrect. This is what I have:

      root@nextcloud:~ # ls -al /mnt/data
      total 113
      drwxr-xr-x   2 www   www        2 Feb  6 23:10 __groupfolders
      drwxrwx---  10 www   www       17 Feb  6 23:10 .
      drwxr-xr-x   3 root  wheel      3 Nov  2  2018 ..
      -rwxrwx---   1 www   www      324 Dec 28  2018 .htaccess
      -rwxrwx---   1 www   www        0 Dec 28  2018 .ocdata
      drwxrwx---  10 www   www       10 Nov  2  2018 appdata_oc0ydnchlafa
      drwxrwx---   6 www   www        6 Nov  2  2018 appdata_ocgep044ojhd
      -rw-r--r--   1 www   www        0 Dec 28  2018 audit.log
      drwxr-xr-x   7 www   www        7 Mar 17  2019 user1
      drwxr-xr-x   7 www   www        7 Nov  5  2018 user2
      drwxrwx---   2 www   www        3 Dec 28  2018 files_external
      -rwxrwx---   1 www   www        0 Dec 28  2018 index.html
      drwxrwx---   3 www   www        3 Nov  2  2018 nc_admin
      -rwxrwx---   1 www   www     6273 Nov  2  2018 nextcloud.log
      drwxr-xr-x   4 www   www        5 Nov 24  2018 updater-oc0ydnchlafa
      -rw-r--r--   1 www   www    20273 Jan 22 08:39 updater.log
      

      I’m not sure what would lead to the permissions you’ve detailed though. Try looking at the permissions of the dataset outside the nextcloud jail. If you followed my dataset setup, this would be /mnt/vault/cloud on the FreeNAS host. FWIW the permissions I have appear exactly the same here.

      1. Angelo,
        I was having the same issue and have been battling it for some time and I found that if in FreeNAS you have an ACL then it was causing my issues. I stripped the ACL of /mnt/vault/cloud and then CHMOD 770 and that seems to have fixed the issues for me.

        1. Hey Chad, thank you for replying. You were correct, as soon as I deleted ACL settings, it stopped with the error described above. Another one came up!

          Your data directory is invalid
          Ensure there is a file called “.ocdata” in the root of the data directory.

          An .ocdata file is present, but obviously is NOT valid. So the saga continues, will probably start fresh with a new Jail and new datasets. Thanks again,

          Angelo C.

  123. Hey Samuel,
    First of all, like many others have said, you’ve made an awesome walk through here, I wish all walk throughs were this thorough and explanatory. Sadly I’ve run into an unusual problem that google isn’t helping with. I’m a novice when it comes to web server configs but fairly competent when it comes to using and configuring unix systems.

    The issue I’m having is when I get to the “Web Configuration” part of your walk through, I go to the jail IP in a web browser and it displays the entire index.php file as plain text. I have gone step by step and verified I did all the steps correctly. The only thing I did differently was installing nextcloud-php74 instead of php71. I had no issues running the php test file making me think the issue is on the nextcloud side of things. Please let me know the next troubleshooting step as I’m about out of ideas.

    Thank you!

    Josh

    1. Hey Josh,

      Really strange issue! It’s weird that it loads the php test page but not the file; this would seem to indicate that the web server is handling php files correctly, but obviously it’s not in the case of the nextcloud index. Have you confirmed that the php-fpm service is running?

      service php-fpm status

      Other things you could try are checking the apache log or nextcloud log for any errors:

      less /var/log/httpd-error.log
      less /var/log/nextcloud/nextcloud.log

      Or perhaps try installing nextcloud with php73 or php72 to rule language version incompatibilities with the configuration out? Hope this helps.
      Cheers

      1. Samuel,

        I appreciate your quick reply, it really says something that you’re still replying to comments on a year and a half old post.

        Per your recommendations, php-fpm was running and I didn’t see anything significant in either of the logs. I decided to burn down the jail and start over. The previous time I had installed mariadb102, this time I decided to install the latest, mariadb104, instantly I was having problems getting mysql set up. After some troubleshooting and trying to figure out what was going on, I realized that all of my previous mysql configs were still there, then went back and looked at all the commands I had run and noticed that mysql was installed on one of the initial mounts we set up (lol), I ran ‘rm -rf *’ from that directory then burned down the jail again and started over. This time I was able to get a fully fresh install of everything and got all the way to the same point as last time, web configuration. This time I got a 403 forbidden error on the web page, I ran chmod +x .htaccess, didn’t seem to fix the problem, then remembered noticing something as I was installing nextcloud-php74:

        /!\ The FreeBSD package REQUIRES the apps_paths configuration as /!\
        /!\ seen in config/config.sample.php to function /!\

        Please note that everything has been installed in /usr/local/www/nextcloud.

        You will probably want to add an alias to your httpd.conf file,
        something like this:

        Alias /nextcloud /usr/local/www/nextcloud
        AcceptPathInfo On
        <Directory /usr/local/www/nextcloud>
        AllowOverride All
        Require all granted
        </Directory>

        And restart Apache. Nextcloud will start the bundled installer on first
        access. Once the bundled installer finishes, further configuration can
        be done via ‘Settings’, ‘Administration’. Additional configuration
        options are available in

        /usr/local/www/nextcloud/config/config.php

        You can find annotated configuration options in config.documented.php
        in the same directory. Nextcloud’s configuration documentation is at

        https://docs.nextcloud.com/server/18/admin_manual/configuration_server

        The caching options require additional Nextcloud configuration.

        I added that alias to the bottom of the httpd.conf file and boom, it started working! I went through the rest of the walk through no problem and am now troubleshooting some weirdness with your reverse-proxy set up you suggested. I’m not exactly sure what went wrong last time, the issues I ran into each time were completely different. I can say the previous time I had decided to use my own handle in setting up the nextcloud_admin account in mysql, and I had installed mariadb102. I don’t think either of those would cause the page to display as plain text, if anything they would have caused issues trying to set it up in the web config. ¯_(ツ)_/¯

        These are some of the best walk-throughs I’ve ever been through, please keep making them. My purpose of setting all this up is for the learning experience and I’m learning so much more by using your walk-throughs!

        Thanks again

        Josh

  124. Very nice guide, I did almost the same on a debian based system and was wondering what are the differences on FreeBSD. I’m looking forward to see the updated version of this. I was also thinking to move my debian installation on a virtual machine on the FreeNAS installation, but I don’t know if that will work well. What do you guys think?

    1. Hi Stefan,
      If you’re thinking about a move to FreeNAS, I’d suggest running nextcloud in a jail as described here. Jails are FreeBSD’s containerisation system, not too dissimilar to docker or LXC containers in linux (obviously there are differences, though). This means that all of the resources of the host are shared natively with the container, which eliminates the need to provision resources specifically. If you were to use a VM you would have to assign some number of vCPU’s and RAM to the VM, which would tie those resources up. Additionally, you won’t have to install an entire operating system to run a program, so you minimise the bloat associated with that. Not every application will be able to run in a jail, but when they can I’d suggest it’s probably best to use them 🙂

      Hope this helps. Cheers.

  125. Hey,
    this is a great tutorial, thanks for that.
    But I have one problem. I would like to connect my Windows 10 machine via WebDAV.
    Nextcloud supports this natively like Windows 10. But the connection is refused when trying to connect to it.
    My Nextcloud instance is reachable via web browser locally and worldwide.
    Can you help?

    Greetings
    Johannes

    1. I am actually in the same boat. Installed Nextcloud as per the tutorial, AMAZING work btw, very helpful. However I can’t get my Windows 10 box to connect to the WebDAV configuration. Keeps asking which certificate to use, but I have my certs through LetsEncrypt.

  126. After some package upgrades and a restart my nextcloud does not start anymore, database and php-fpm logs seem to be OK, but

    root@nextcloud:/usr/local/www/nextcloud # su -m www -c "php ./occ"
    An unhandled exception has been thrown:
    Doctrine\DBAL\DBALException: Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [2002] No such file or directory in /usr/local/www/nextcloud/lib/private/DB/Connection.php:68
    Stack trace:
    #0 /usr/local/www/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php(420): OC\DB\Connection->connect()
    #1 /usr/local/www/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php(380): Doctrine\DBAL\Connection->getDatabasePlatformVersion()
    #2 /usr/local/www/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php(324): Doctrine\DBAL\Connection->detectDatabasePlatform()
    #3 /usr/local/www/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php(683): Doctrine\DBAL\Connection->getDatabasePlatform()
    #4 /usr/local/www/nextcloud/lib/private/DB/Connection.php(155): Doctrine\DBAL\Connection->setTransactionIsolation()
    #5 /usr/local/www/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/DriverManager.php(195): OC\DB\Connection->__construct()
    #6 /usr/local/www/nextcloud/lib/private/DB/ConnectionFactory.php(157): Doctrine\DBAL\DriverManager::getConnection()
    #7 /usr/local/www/nextcloud/lib/private/Server.php(749): OC\DB\ConnectionFactory->getConnection()
    #8 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(118): OC\Server->OC{closure}()
    #9 /usr/local/www/nextcloud/lib/private/ServerContainer.php(125): Pimple\Container->offsetGet()
    #10 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(162): OC\ServerContainer->query()
    #11 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(114): OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility{closure}()
    #12 /usr/local/www/nextcloud/lib/private/ServerContainer.php(125): Pimple\Container->offsetGet()
    #13 /usr/local/www/nextcloud/lib/private/Server.php(1666): OC\ServerContainer->query()
    #14 /usr/local/www/nextcloud/lib/private/Server.php(422): OC\Server->getDatabaseConnection()
    #15 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(118): OC\Server->OC{closure}()
    #16 /usr/local/www/nextcloud/lib/private/ServerContainer.php(125): Pimple\Container->offsetGet()
    #17 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(70): OC\ServerContainer->query()
    #18 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(100): OC\AppFramework\Utility\SimpleContainer->buildClass()
    #19 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(115): OC\AppFramework\Utility\SimpleContainer->resolve()
    #20 /usr/local/www/nextcloud/lib/private/ServerContainer.php(150): OC\AppFramework\Utility\SimpleContainer->query()
    #21 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(70): OC\ServerContainer->query()
    #22 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(100): OC\AppFramework\Utility\SimpleContainer->buildClass()
    #23 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(115): OC\AppFramework\Utility\SimpleContainer->resolve()
    #24 /usr/local/www/nextcloud/lib/private/ServerContainer.php(150): OC\AppFramework\Utility\SimpleContainer->query()
    #25 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(162): OC\ServerContainer->query()
    #26 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(114): OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility{closure}()
    #27 /usr/local/www/nextcloud/lib/private/ServerContainer.php(125): Pimple\Container->offsetGet()
    #28 /usr/local/www/nextcloud/lib/private/Server.php(434): OC\ServerContainer->query()
    #29 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(118): OC\Server->OC{closure}()
    #30 /usr/local/www/nextcloud/lib/private/ServerContainer.php(125): Pimple\Container->offsetGet()
    #31 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(162): OC\ServerContainer->query()
    #32 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(114): OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility{closure}()
    #33 /usr/local/www/nextcloud/lib/private/ServerContainer.php(125): Pimple\Container->offsetGet()
    #34 /usr/local/www/nextcloud/lib/private/Server.php(1542): OC\ServerContainer->query()
    #35 /usr/local/www/nextcloud/lib/private/Server.php(802): OC\Server->getUserSession()
    #36 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(118): OC\Server->OC{closure}()
    #37 /usr/local/www/nextcloud/lib/private/ServerContainer.php(125): Pimple\Container->offsetGet()
    #38 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(162): OC\ServerContainer->query()
    #39 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(114): OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility{closure}()
    #40 /usr/local/www/nextcloud/lib/private/ServerContainer.php(125): Pimple\Container->offsetGet()
    #41 /usr/local/www/nextcloud/lib/private/Server.php(1837): OC\ServerContainer->query()
    #42 /usr/local/www/nextcloud/lib/private/legacy/app.php(347): OC\Server->getAppManager()
    #43 /usr/local/www/nextcloud/lib/private/legacy/app.php(114): OC_App::getEnabledApps()
    #44 /usr/local/www/nextcloud/lib/base.php(645): OC_App::loadApps()
    #45 /usr/local/www/nextcloud/lib/base.php(1089): OC::init()
    #46 /usr/local/www/nextcloud/console.php(48): require_once(‘/usr/local/www/…’)
    #47 /usr/local/www/nextcloud/occ(11): require_once(‘/usr/local/www/…’)

    Any idea where to start checking?

    1. MICHAEL ILLGNER
      I had this happen to me also when I upgraded mariadb. I searched and tried to figure out how to get it fixed, however I was unable to figure it out.
      What I did was just use FreeNAS snapshots and rolled it back to get everything to where it was and working for the time being.
      If you or anyone else knows what is causing this I would also like to know, as I am a little cautious about doing any more upgrades.
      Chad.

      1. I upgraded mariadb a few days ago which led to a non-functional nextcloud server… took me some days to figure that out. Check your my.cnf file; after the update, that file had a path like /var/run/mysql/mysql.sock for the socket. Since the mariadb server could not create that socket due to permissions of /var/run, the database was not there anymore. I changed the path in my.cnf to /tmp/mysql.sock and voilà, everything works again.

        hope that helps!

        1. I could solve the problem now. The first problem was that mariadb didn’t start; after a complete restart of the Nextcloud jail, mariadb was running again. I think this was related to the changed socket path described by Marco. But I did not find any hints related to this in the logs.
          The other problem was that in the nextcloud config.php the changed socket path has to be configured as well.
          Now everything is running fine again, I even managed to upgrade to Nextcloud 19

  127. Guys,
    finally I was able to give this a try, I had success till the setup screen of nextcloud where we put a user, a data folder etc.
    After populating the info, which by the way is as in the guide, I get an internal server error like this:

    Internal Server Error

    The server encountered an internal error and was unable to complete your request.
    Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
    More details can be found in the server log.
    In nextcloud.log I get a message like this:

    {“reqId”:”BkHMptdWyx7Xdg4oICdN”,”level”:3,”time”:”2020-06-15T06:50:37+00:00″,”remoteAddr”:”192.168.120.1″,”user”:”–“,”app”:”core”,”method”:”GET”,”url”:”/index.php/login”,”message”:{“Exception”:”RuntimeException”,”Message”:”Could not get appdata folder for js”,”Code”:0,”Trace”:[{“file”:”/usr/local/www/nextcloud/lib/private/Files/AppData/AppData.php”,”line”:157,”function”:”getAppDataFolder”,”class”:”OC\Files\AppData\AppData”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/lib/private/Template/JSCombiner.php”,”line”:100,”function”:”newFolder”,”class”:”OC\Files\AppData\AppData”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/lib/private/Template/JSResourceLocator.php”,”line”:116,”function”:”process”,”class”:”OC\Template\JSCombiner”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/lib/private/Template/JSResourceLocator.php”,”line”:72,”function”:”cacheAndAppendCombineJsonIfExist”,”class”:”OC\Template\JSResourceLocator”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/lib/private/Template/ResourceLocator.php”,”line”:79,”function”:”doFind”,”class”:”OC\Template\JSResourceLocator”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/lib/private/TemplateLayout.php”,”line”:344,”function”:”find”,”class”:”OC\Template\ResourceLocator”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/lib/private/TemplateLayout.php”,”line”:173,”function”:”findJavascriptFiles”,”class”:”OC\TemplateLayout”,”type”:”::”},{“file”:”/usr/local/www/nextcloud/lib/private/legacy/OC_Template.php”,”line”:185,”function”:”__construct”,”class”:”OC\TemplateLayout”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/lib/private/Template/Base.php”,”line”:132,”function”:”fetchPage”,”class”:”OC_Template”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/lib/private/legacy/OC_Template.php”,”line”:334,”function”:”printPage”,”class”:”OC\Template\Base”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/index.php”,”line”:63,”function”:”printExceptionErrorPage”,”class”:”OC_Template”,”type”:”::”}],”File”:”/usr/local/www/nextcloud/lib/private/Files/
AppData/AppData.php”,”Line”:118,”CustomMessage”:”–“},”userAgent”:”Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0″,”version”:”19.0.0.12″}

    In apache’s http-access.log I get this:
    [15/Jun/2020:08:51:26 +0200] “GET /index.php/login HTTP/1.1” 500 289

    Now in the nextcloud.log this line brings my attention:
    Could not get appdata folder for js…

    Does anyone have an idea what could be wrong?

    P.S. During installation of php, mariadb and apache I chose the latest versions available.

  128. FreeBSD jail upgrade to nextcloud-php74-19.0.0. Now the web interface is destroyed and can’t be used.
    What can I do now to repair the web interface?

    1. You’ll need to be more specific about what you’ve done. How did you upgrade? What version did you upgrade from?

      1. pkg upgrade
        Nextcloud 18.0.0.4 PHP74 –> Nextcloud 19.0.0.0 PHP74
        su -m www -c "php ./occ upgrade"

        Nextcloud is running without errors, only the web interface is not fully loaded and can’t be used.

        1. I had the same problems and I had to disable some of the Nextcloud apps which are not ready for Nextcloud 19, especially the Office stuff and everything related to text search. If you need these apps, you could roll back to the correct zfs snapshot and wait until these apps are ready for Nextcloud 19.

  129. Really nice guide… good work. Since you are a pfSense user I was wondering if you had considered putting your NextCloud behind HAProxy (which has a pfSense plug-in). I am trying to set something like this up, but am not comfortable with my setup being wide open on the internet. AFAIK, HAProxy can be set up to use client side TLS certs which should be very effective at keeping the system secure. Unless you need to have a wide audience for your NextCloud, HAProxy should be very effective at keeping your attack surface to almost zero (Only authorized certificate holders, or a targeted attack after stealing a user’s cert – and then if the network is configured well, the attacker still needs to break into NextCloud, and break out of the jail. )

    1. Hi Barry,

      HAProxy didn’t make it in to my consideration at all. It’s probably just as valid an option, I’m sure it would work fine. My primary motivation to setting this up using nginx was to learn about it as it’s one of the more frequently used web servers (pfSense uses it!), and a common recommendation for reverse proxies. A few things though if I may:

      1. Certificates do nothing to keep the system secure. These certificates are used to provide authenticity (confirm the server is who it says it is) and a public encryption key to encrypt communication with the server. So, they don’t keep the system secure, but they keep any communication that you have with the system secure.
      2. I’m not aware of anything unique to HAProxy that minimises your attack surface. As you mentioned, it’s able to use HTTPS, which is great for encrypting your traffic, but there’s no unique benefit here – all web servers are capable of utilising certificates to serve traffic over HTTPS. This is what I’ve done with nginx, using LetsEncrypt to issue a certificate.
      3. Certificates are issued to domains, and are stored on the server. Users aren’t in possession of these certificates, and so there’s nothing to steal. Even if it was stolen, the certificate is made available to anybody who requests it anyway. It contains a public key, and is necessary for the client to encrypt their traffic in a way that can be decrypted by the server. The private key is the sensitive information in all of this, and this is stored on the server. If an attacker was to obtain access and was able to utilise or substitute the private key with their own, you would probably have bigger problems than worrying about secure communication; they would already have all of your data.

      With all of that said, if you don’t want to open your server to the internet, you’re still able to enable HTTPS to encrypt your traffic. There are a couple of options:

      1. If you own a domain, you can do a DNS challenge and obtain a certificate exactly as I outline in my nginx reverse proxy guide. This requires no access to the actual web server as it would query the DNS server directly, and is the most desirable option, as the certificate is signed by LetsEncrypt as the Certificate Authority.
      2. You can self sign a certificate with OpenSSL (this means that no third party is verifying that your server is who it says it is, which is probably fine for internal use). Digital ocean seem to have a good guide on how to do this on ubuntu, otherwise you can refer to the FreeBSD documentation on OpenSSL for information more specific to FreeBSD/FreeNAS.

      If you don’t feel comfortable using the command line, you can create a certificate using pfSense, which I’m sure you could then use with HAProxy.

      Hope this helps.

      Cheers,

      Sam

    2. Hi Barry

      Barry, it’s definitely possible to use HAProxy on pfSense in lieu of using nginx. If you create the SSL certs with pfSense, they will be available to the HAProxy implementation within pfSense. I tried exactly what you wanted to do several months ago and I was able to make it work — kind of. HAProxy is a reverse proxy similar to nginx, Caddy, traefik, etc. The only special situation in your case is that HAProxy is part of the pfSense package (not meaning to disparage Squid since that’s also a proxy you could use which is also contained within the pfSense installation). My only issue was I found the configuration of HAProxy to be very convoluted and resources lacking. I’m sure I could have tried and tried to make it work, however as a beginner there just weren’t as many resources on the internet (site documentation, reddit, HAProxy forums) to help me with my configuration as there were with Nginx. I could get a basic HAProxy to work, however when it came to configuring it to work with Nextcloud for example — I couldn’t get that to work. In addition the HAProxy versions (there are two – regular and developmental packages) are many versions behind the current release version of HAProxy. Some of the solutions I found referenced commands available in more modern versions, and since I couldn’t force pfSense to install newer release versions I was kind of stuck.

      Nginx might be slightly complicated (meaning Caddy in some respects might actually be easier to use and configure since it automatically obtains and renews Let’s Encrypt certs and the syntax is much less verbose), however there are a lot of resources and people willing to help you to make your configuration work. Yes, it’s disadvantageous that you’ll probably need to run nginx within a VM or other such apparatus separate from pfSense; technically you should run public-facing servers on their own network, separate from your LAN VMs, as a matter of practical security. (You could do this with VLANs if you have the hardware, or use VPSs if not wanting to host the VMs.) Both these methods are like running the servers in a DMZ (demilitarized zone). In addition, if you really wanted to get complex, you could configure your sites to use SSL client certs (these are definitely different from server certs) and/or use some type of front end that provides two-factor authentication (something like Authelia or the equivalent). Some services like Bitwarden and Nextcloud have 2FA built into them — it just depends what services you are running.

      HAProxy really is no more or less secure than running a reverse proxy behind pfSense. HAProxy runs on top of FreeBSD so any vulnerabilities within the host OS are potential attack vectors. With appropriate Firewall rules I believe you could setup a VM/Nginx installation behind pfSense which would be equivalently secure.

  130. Hi Samuel
    As Kevdog says client certificates are different than server certificates and they do verify identity. Keys provide a sort of automated 2FA.

    I use identity certificates with my remote access VPN. Two, in fact… there is a general TLS key, and without presenting that key on the initial connect attempt, there is no reply and login can’t proceed. For a UDP VPN, it looks like a stealth (nonexistent) port, for TLS it looks like a closed port. If that key is presented, then a second, personal key (unique to the user) is required, which will then give you the right to use your password and complete login.

    What @Jimp from Netgate said on the VPN hangout was NOT to use public certificates for a private system. Certificates signed with your own signing key guarantee that an attacker can not create a valid certificate unless they can steal your private key/certificate. There are also ways of getting your IP address without a domain. No domain is one less pointer for attackers to find you.

    Hi Kevdog
    As you said, there are equally secure ways of doing it on the back end, and you have inspired me to give it a second look. HAProxy did look very convenient since I would like to have a bunch of web services all sharing one public IP, but without a battery-sucking VPN on my mobile device. VPN is also a great idea as well. Thanks.

  131. Hey Samuel, big thx for the detailed tutorial for getting nextcloud set up on freenas.

    My nextcloud shows no issues, everything fine, but I can’t sync files either on web or client (Android/Desktop).

    I got following errors:
    nextcloud 413 request entity too large
    Error transferring https://mydomain.com/remote.php/dav/files

    Do you have an idea?

    Thx for your time and your help!!

    1. Alex, this sounds like it could be a problem with either your Nextcloud jail or your reverse proxy jail (assuming you set it up this way). I suspect that it’s reverse proxy though. Add the following line to /usr/local/etc/nginx/nginx.conf in your reverse proxy jail:

      client_max_body_size 20G;
      

      This will set the maximum size of a request to 20GB. If this doesn’t work, search back through the guide for the post_max_size and upload_max_filesize directives, and set them to 20G, or a value more appropriate for you. It should be in /usr/local/etc/php.ini in your Nextcloud jail:

      post_max_size = 20G
      upload_max_filesize = 20G
      

      Hope this helps.

  132. Hi Alex, if you are using nginx as web server (or as a reverse proxy), be sure to set the client_max_body_size parameter in the configuration file, for instance to allow uploads of files sized 1GB max:

    client_max_body_size 1000M;

    HTH
    Marco
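
The replies in comments 131 and 132 name three separate limits that all apply to one upload: nginx's client_max_body_size and PHP's post_max_size and upload_max_filesize. The following added example (not from the guide or from either commenter) converts each to bytes and reports which one is the smallest, since that is the limit a client actually hits. The function names and the two constructed sample files are assumptions, and the nginx parser only handles a single-line directive with no trailing comment.

```shell
#!/bin/sh
# Added example: find the smallest of the three upload limits named in the
# replies above. Sample files are constructed; point it at the real files in
# the reverse-proxy and Nextcloud jails.

# Convert "20G", "1000M", "512k" or a bare byte count to bytes.
# nginx documents k/m/g and PHP K/M/G, so the suffix is matched in either case.
# A non-numeric value counts as 0, which nginx treats as "no limit".
to_bytes() {
    echo "$1" | awk '{
        n = $1 + 0                      # leading number, suffix ignored
        u = toupper(substr($1, length($1)))
        if (u == "K") n *= 1024
        else if (u == "M") n *= 1024 * 1024
        else if (u == "G") n *= 1024 * 1024 * 1024
        printf "%.0f\n", n
    }'
}

# Print the value of a "client_max_body_size <size>;" directive in file $1.
nginx_body_limit() {
    awk '$1 == "client_max_body_size" { v = $2; sub(/;.*/, "", v); out = v }
         END { if (out != "") print out }' "$1"
}

# Print the value of key $2 ("key = value") in the php.ini-style file $1.
php_ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }             # php.ini comment lines
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k == key) { v = substr($0, n + 1); gsub(/[ \t\r]/, "", v); out = v }
        }
        END { if (out != "") print out }' "$1"
}

# Print "<bytes> <setting>" for the smallest limit. nginx.conf is $1, php.ini $2.
# A missing directive is reported as 0 so that it surfaces for manual review.
effective_upload_limit() {
    {
        echo "$(to_bytes "$(nginx_body_limit "$1")") client_max_body_size"
        echo "$(to_bytes "$(php_ini_value "$2" post_max_size)") post_max_size"
        echo "$(to_bytes "$(php_ini_value "$2" upload_max_filesize)") upload_max_filesize"
    } | sort -n | head -n 1
}

# Constructed sample files: the proxy allows 20G but PHP is still at a low value.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nginx.conf" <<'EOF'
http {
    client_max_body_size 20G;
}
EOF
cat > "$demo_dir/php.ini" <<'EOF'
; constructed sample
post_max_size = 20G
upload_max_filesize = 512M
EOF

effective_upload_limit "$demo_dir/nginx.conf" "$demo_dir/php.ini"
rm -rf "$demo_dir"
```

An attempt to upload more than the reported value fails at that layer; when nginx is the smallest limit, the failure is the 413 response quoted in comment 131.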

  133. Hi all,

    I just installed the Nextcloud client (Windows, V2.6.4) on another Win10 system. After installation, I had no explorer integration and no sync icons showing up, but the client itself was working fine (that means, syncing worked).

    Remedy for this problem was pretty easy after half an hour of cursing 🙂 Install the latest MSVC redistributable (can be downloaded from Microsoft). Be sure to have the version for MSVC2015/2017/2019 if you use the latest NC client. Then, open a command window on the machine (be sure to “run as administrator”), change to c:\program files\nextcloud\shellext (adjust to your installation directory) and then register the OCContextMenu.dll and OCOverlays.dll files (by calling regsvr32 ). This should give you the context menu in file explorer as well as the sync icons.

    This is not directly related to the contents of Samuel’s blog here, but maybe it helps someone after having finished the NC installation.

    Cheers,
    Marco

  134. So I received a phone call from my ISP today asking questions about emails they received *some 6K emails over a short time :blush:
    Looking in the logs I found repeated messages in my mail log pointing to successfully sent emails, but where the recipient is www@iinet.net.au *just happened to be a valid email with my ISP.
    The www user seems to be tied to the cron job running as www scheduled every 15 minutes

    crontab -u www -e

    # minute (0-59),
    # | hour (0-23),
    # | | day of the month (1-31),
    # | | | month of the year (1-12),
    # | | | | day of the week (0-6 with 0=Sunday).
    # | | | | | commands
    */15 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php

    The mail log shows this…

    Jul 2 17:50:00 nextcloud postfix/pickup[32599]: B35FC1CAD8: uid=80 from=
    Jul 2 17:50:00 nextcloud postfix/cleanup[33792]: B35FC1CAD8: message-id=20200702095000.B35FC1CAD8@nextcloud.localdomain
    Jul 2 17:50:00 nextcloud postfix/qmgr[32600]: B35FC1CAD8: from=www@iinet.net.au, size=748, nrcpt=1 (queue active)
    Jul 2 17:50:01 nextcloud postfix/smtp[33794]: B35FC1CAD8: to=www@iinet.net.au, orig_to=, relay=smtp.iinet.net.au[203.0.178.192]:587, delay=1, delays=0.66/0.01/0.18/0.19, dsn=2.0.0, status=sent (250 ok: Message 304972311 accepted)
    Jul 2 17:50:01 nextcloud postfix/qmgr[32600]: B35FC1CAD8: removed

    As you see there’s an attempt to send an email out to www@iinet.net.au that never reaches me.
    I don’t understand why this is happening since the cron job is simply intended to refresh data – not actually send out an email.

    postfix has been configured as this… *but I still don’t understand why an email is sent as part of the cron job?

    # SENDING MAIL
    #
    # The myorigin parameter specifies the domain that locally-posted
    # mail appears to come from. The default is to append $myhostname,
    # which is fine for small sites. If you run a domain with multiple
    # machines, you should (1) change this to $mydomain and (2) set up
    # a domain-wide alias database that aliases each user to
    # user@that.users.mailhost.
    #
    # For the sake of consistency between sender and recipient addresses,
    # myorigin also specifies the default domain name that is appended
    # to recipient addresses that have no @domain part.
    #
    #myorigin = $myhostname
    #myorigin = $mydomain
    myorigin = iinet.net.au

    I suspect that the owner *that should be www, owner of the cron task, ends up being the recipient when postfix builds its email, and I have no idea how I can change this

    Using FreeNAS 11.3-STABLE
    nextcloud installed in its own jail.
    Installed nextcloud: 19.0.0.12 (php73 version)

    1. Hi Martin, some quick research indicated that if a MTA has been configured, cron will send an email to the user informing them of any errors in the output of a Cron Job. I think you should be able to rectify this by diverting any errors (output to stderr) to /dev/null from the command executed in the Cron Job. You can achieve this by modifying the Cron Job entry to be as follows:

      */5 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php 2>/dev/null
      

      I haven’t tested this, but see how it goes 🙂

      Edit: you could also try adding MAILTO="" to the beginning of the www user’s crontab. This should stop the cron daemon from sending email. Read here for more info
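
The log in comment 134 has a recognisable shape: the message is handed to Postfix locally, the original recipient is a bare user name, and the rewritten address is then delivered through an outside relay. The following is an added example, not from the thread or the guide, that counts such deliveries per final recipient. The function names are assumptions, and the sample log is constructed (modelled on the quoted lines, with the angle brackets Postfix writes around addresses, made-up queue IDs and two made-up control messages).

```shell
#!/bin/sh
# Added example: find mail that was addressed to a bare local user
# (orig_to has no @domain) but left the machine through postfix/smtp.

# Constructed sample log; only the first two deliveries match the pattern.
sample_maillog() {
    cat <<'EOF'
Jul  2 17:50:00 nextcloud postfix/pickup[32599]: B35FC1CAD8: uid=80 from=<www>
Jul  2 17:50:01 nextcloud postfix/smtp[33794]: B35FC1CAD8: to=<www@iinet.net.au>, orig_to=<www>, relay=smtp.iinet.net.au[203.0.178.192]:587, delay=1, delays=0.66/0.01/0.18/0.19, dsn=2.0.0, status=sent (250 ok: Message 304972311 accepted)
Jul  2 18:05:00 nextcloud postfix/pickup[32599]: C46AD2DBE9: uid=80 from=<www>
Jul  2 18:05:01 nextcloud postfix/smtp[33801]: C46AD2DBE9: to=<www@iinet.net.au>, orig_to=<www>, relay=smtp.iinet.net.au[203.0.178.192]:587, delay=1, delays=0.6/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 ok: Message 304972399 accepted)
Jul  2 18:06:10 nextcloud postfix/smtp[33805]: D57BE3ECF0: to=<admin@example.org>, relay=smtp.iinet.net.au[203.0.178.192]:587, delay=1, delays=0.5/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 ok: Message 304972401 accepted)
Jul  2 18:07:00 nextcloud postfix/local[33810]: E68CF4FD01: to=<root@nextcloud.localdomain>, orig_to=<root>, relay=local, delay=0.1, delays=0.05/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
EOF
}

# Print "<count> <final recipient>" for every recipient that received mail
# whose original address was a bare local user name. Log file path is $1.
leaked_local_mail() {
    awk '
        $5 ~ /^postfix\/smtp\[/ && /status=sent/ {
            to = ""; orig = ""
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^to=</)      to = $i
                if ($i ~ /^orig_to=</) orig = $i
            }
            gsub(/^to=<|>,?$/, "", to)          # strip to=< and >,
            gsub(/^orig_to=<|>,?$/, "", orig)   # strip orig_to=< and >,
            # Bare local name rewritten to a remote address and relayed out.
            if (orig != "" && orig !~ /@/ && to ~ /@/) count[to]++
        }
        END { for (r in count) print count[r], r }
    ' "$1" | sort -rn
}

log=$(mktemp)
sample_maillog > "$log"
leaked_local_mail "$log"
rm -f "$log"
```

Any output at all means locally generated mail, such as cron output, is being qualified with myorigin and relayed off the machine. On FreeBSD the mail log is normally /var/log/maillog.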

  135. Hi Samuel!

    Thank you for this great guide, I setup and have been running this for quite a while now, it’s been pretty rock solid. However, I ran into an issue once before and was unable to solve it, going back to an earlier snapshot solved the issue, but I ran into another issue today while upgrading the packages in the jail, running into this error: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247717 and then trying to rollback to earlier jail snapshots and am still having a problem.

    I’m running into an “internal server error” that appears as far as I can tell, to be somewhere with php-fpm/redis but I’m unable to figure it out as they’re mostly foreign to me. I’ve verified that apache can serve files (I can pull .html files just fine, and disabling the handler for the proxy serves raw text php), but as soon as the proxy is in the mix again, I am unable to get anything other than the error. https://i.imgur.com/v5622SA.png

    I verified my redis settings were set to socket (somehow it got changed to a port number, maybe a package upgrade?) and that it was running with a redis.sock, php-fpm’s log, nextcloud’s log, nor apache’s error log seem to show anything. When I stop php-fpm, apache’s error log shows that there was a connection failure, and the only logs in php-fpm are from startup saying that the config test was successful and it’s running and ready to handle connections.

    I’m at a loss of what to look at/try to fix next. Any input/insight you may have would be great.

    If you’re also on IRC or something else that would help the convo, I’m glad to touch base there.

    Thank you!

  136. I just want to follow-up on my last comment. After going through everything I could think of, I found that somehow the mysql sock location didn’t match what nextcloud was using.

    Nextcloud said:
    'dbhost' => 'localhost:/tmp/mysql.sock'

    Updating to the following solved this issue:
    'dbhost' => 'localhost:/var/run/mysql/mysql.sock'

    1. Hi Michael, glad you solved the issue. The guide has probably undergone revision since you last read it, and dealing with this is actually one of the steps 🙂 If you upgraded your MariaDB installation, it’s likely it installed a configuration file in /usr/local/etc/mysql/my.cnf, which specifies the startup of the mysql socket at /var/run/mysql/mysql.sock. In my guide, I advise changing this back to /tmp/mysql.sock because it seems like some of the mysql binaries don’t use this file to look for the socket (i.e., mysql_secure_installation still tries to look at /tmp/mysql.sock regardless of the contents of my.cnf). There might be a proper solution to this, but the easiest way around it for me was to just change the value in my.cnf. Bear this in mind if you upgrade and need to set things up again!

      Cheers

      1. Thanks for the reply! I’ve been looking at it again a bit as I figured out this issue, cleaning up/changing some of the redis/etc settings to match what you currently have. I could probably do with trying to setup another jail, but I think this is alright, I’ll work on modifying as needed.
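
The failure described in comment 126 and again in comment 136 is a disagreement between two files: the socket path MariaDB is configured with in my.cnf and the socket path in Nextcloud's 'dbhost' setting. The following is an added example, not part of the guide or of any comment, that compares the two. The function names, the default of reading the [client-server] section and the constructed sample files are assumptions; pass the section your own my.cnf uses.

```shell
#!/bin/sh
# Added example: compare the MariaDB socket path in my.cnf with the socket
# Nextcloud connects to via 'dbhost' in config.php.

# Print the socket path set in section $2 of the my.cnf-style file $1.
mycnf_socket() {
    awk -v want="[$2]" '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/   { sec = $0; gsub(/[ \t\r]/, "", sec); next }
        sec == want {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); gsub(/[ \t]/, "", key)
            if (key == "socket") {
                val = substr($0, n + 1)
                gsub(/^[ \t]+/, "", val); gsub(/[ \t\r]+$/, "", val)
                found = val                          # last assignment wins
            }
        }
        END { if (found != "") print found }
    ' "$1"
}

# Print the socket part of 'dbhost' => 'host:/path/to.sock' in config.php $1.
# Prints nothing when dbhost carries no socket path (for example host:port).
nc_dbhost_socket() {
    sed -n "s|^[[:space:]]*'dbhost'[[:space:]]*=>[[:space:]]*'[^:']*:\(/[^']*\)'.*|\1|p" "$1"
}

# Usage: check_sockets my.cnf config.php [section]
# Returns 0 when both paths agree, 1 on mismatch, 2 when either is missing.
check_sockets() {
    cs_section=${3:-client-server}
    cs_db=$(mycnf_socket "$1" "$cs_section")
    cs_nc=$(nc_dbhost_socket "$2")
    if [ -z "$cs_db" ] || [ -z "$cs_nc" ]; then
        echo "UNKNOWN: my.cnf [$cs_section] socket='$cs_db', config.php socket='$cs_nc'"
        return 2
    fi
    if [ "$cs_db" != "$cs_nc" ]; then
        echo "MISMATCH: my.cnf [$cs_section] uses $cs_db, config.php uses $cs_nc"
        return 1
    fi
    echo "OK: both use $cs_db"
    # Informational only: the path may agree and still not be a live socket.
    [ -S "$cs_db" ] || echo "NOTE: $cs_db is not a socket on this machine"
    return 0
}

# Constructed sample files reproducing the state after a package upgrade.
demo_dir=$(mktemp -d)
cat > "$demo_dir/my.cnf" <<'EOF'
# constructed sample
[client-server]
port   = 3306
socket = /var/run/mysql/mysql.sock
EOF
cat > "$demo_dir/config.php" <<'EOF'
<?php
$CONFIG = array (
  'dbtype' => 'mysql',
  'dbhost' => 'localhost:/tmp/mysql.sock',
);
EOF

check_sockets "$demo_dir/my.cnf" "$demo_dir/config.php" || echo "exit status $?"
rm -rf "$demo_dir"
```

Inside the jail the two arguments would be /usr/local/etc/mysql/my.cnf and /usr/local/www/nextcloud/config/config.php, run before and after a pkg upgrade.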

  137. My nextcloud is working fine, but I sometimes get a Bad request 400 error on MOVE because of wrong characters.
    Do you have an idea how to fix it?

    1. Hi Alex, not really enough information here to make any kind of assessment. Does the nextcloud log hint at anything?

  138. Thank you for this very detailed guide. If you want to run Nextcloud for an extended period of time, you need to get your hands dirty eventually, so a detailed guide like this is essential!
    I installed Nextcloud a long time ago by running danb35’s script but after a while I noticed some packages were out of date even though I regularly upgrade them all. I’m talking about the php and mariadb series: php72 is no longer recommended now and my mariadb 10.3 packages are no longer the most bleeding edge.
    Can you please add instructions on how to migrate between minor versions of said software? (See https://www.php.net/manual/en/migration73.php and https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/)
    Or at least mention the fact that just running pkg update && pkg upgrade is not enough to keep your Nextcloud service up to date.
    To go from php72 to php74, I ran pkg info | grep php to get a list of all php packages installed in the jail, then pkg deleted them one by one and pkg installed php74 counterparts one by one, but some of them have changed their name slightly, so it’s a manual process that you might want to mention. Now I’m looking into mariadb. Please note that I’m no web developer so I don’t really know exactly what I’m doing. I’m learning as I go.

  139. Hi Samuel
    Thanks for putting this guide together. I am a complete noob to Freenas but we all have to start somewhere! I am having trouble with setting up MariaDB. I have modified the line in the /usr/local/etc/mysql/my.cnf file to
    socket = /tmp/mysql.sock
    However I am still getting the following error
    ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/var/run/mysql/mysql.sock
    I have checked that the mysql.sock file is located as /tmp/mysql.sock any idea of what I can try next?
    Regards
    Paul

    1. Hi Paul, can you post detailed steps to reproduce either here or in a github issue? It’s hard for me to tell if you’re just entering a command incorrectly, another command needs to be added or if something else is going on without knowing exactly what you’re doing 🙂

      Cheers

        1. Paul, as mentioned on the GitHub issue, the solution is to execute mysql_secure_installation --socket=/tmp/mysql.sock. I’ve added more detail in the GitHub issue, and the guide has been updated. Thanks for pointing this out; the issue was due to an update to the MariaDB package.

          Cheers.

      1. Well, looks like game over for me. I got stuck at the ERROR2002 too, did what you updated (mysql_secure_installation), but still get the error. What a shame, because the Truenas Nextcloud plugin is total garbage.
        I’ve checked the permissions and they look ok to me.

        1. Hi Xaver, can you provide more information about how you’re attempting to install? Is it a new installation or a migration? Which command provides this output for you (exactly)? Is the mysql service running (service mysql-server status)? Is the socket created in /tmp/mysql.sock?

    2. One thing to try before you go too far is to restart the jail and/or the whole freenas server and recheck. I ran into a similar issue and you must restart for it to recognize the changes made.
      Chad.

  140. Hi Sam. I’m stuck with an error installing mysql.

    Enter current password for root (enter for none):
    ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/var/run/mysql/mysql.sock’ (2)

    I followed every step and am stuck with this error.

    Thanks

  141. Hello Samuel
    I am not exactly an expert on FreeNAS but I am running mine since a while without any problems with a couple jails for Plex, Subsonic, Tautulli and others. I was searching for some guidance to enable a cloud-like and just found your post. Thanks for taking time to put this together.
    Well, I read it entirely to understand the end-to-end process and copied most commands to a text file so I could make the changes to match my Pool naming convention. Everything went well until I entered the Jail to start doing the updates.
    root@nextcloud:/ # pkg update
    Updating FreeBSD repository catalogue…
    [nextcloud] Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
    [nextcloud] Fetching packagesite.txz: 100% 6 MiB 3.3MB/s 00:02
    Processing entries: 100%
    FreeBSD repository update completed. 32045 packages processed.
    All repositories are up to date.
    root@nextcloud:/ # pkg install wget ca_root_nss
    Updating FreeBSD repository catalogue…
    FreeBSD repository is up to date.
    All repositories are up to date.
    Updating database digests format: 100%
    The following 6 package(s) will be affected (of 0 checked):

    New packages to be INSTALLED:
    ca_root_nss: 3.54
    gettext-runtime: 0.20.2
    indexinfo: 0.3.1
    libidn2: 2.3.0_1
    libunistring: 0.9.10_1
    wget: 1.20.3

    Number of packages to be installed: 6

    The process will require 8 MiB more space.
    2 MiB to be downloaded.

    Proceed with this action? [y/N]: y
    [nextcloud] [1/6] Fetching wget-1.20.3.txz: 100% 654 KiB 669.9kB/s 00:01
    [nextcloud] [2/6] Fetching ca_root_nss-3.54.txz: 100% 285 KiB 291.5kB/s 00:01
    [nextcloud] [3/6] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.8kB/s 00:01
    [nextcloud] [4/6] Fetching libidn2-2.3.0_1.txz: 100% 110 KiB 112.7kB/s 00:01
    [nextcloud] [5/6] Fetching libunistring-0.9.10_1.txz: 100% 519 KiB 531.1kB/s 00:01
    [nextcloud] [6/6] Fetching gettext-runtime-0.20.2.txz: 100% 162 KiB 166.0kB/s 00:01
    Checking integrity… done (0 conflicting)
    [nextcloud] [1/6] Installing indexinfo-0.3.1…
    [nextcloud] [1/6] Extracting indexinfo-0.3.1: 100%
    [nextcloud] [2/6] Installing libunistring-0.9.10_1…
    [nextcloud] [2/6] Extracting libunistring-0.9.10_1: 100%
    [nextcloud] [3/6] Installing libidn2-2.3.0_1…
    [nextcloud] [3/6] Extracting libidn2-2.3.0_1: 100%
    [nextcloud] [4/6] Installing gettext-runtime-0.20.2…
    [nextcloud] [4/6] Extracting gettext-runtime-0.20.2: 100%
    [nextcloud] [5/6] Installing wget-1.20.3…
    [nextcloud] [5/6] Extracting wget-1.20.3: 100%
    [nextcloud] [6/6] Installing ca_root_nss-3.54…

    [nextcloud] [6/6] Extracting ca_root_nss-3.54: 100%

    Message from ca_root_nss-3.54:


    FreeBSD does not, and can not warrant that the certification authorities
    whose certificates are included in this package have in any way been
    audited for trustworthiness or RFC 3647 compliance.

    Assessment and verification of trust is the complete responsibility of the
    system administrator.

    This package installs symlinks to support root certificates discovery by
    default for software that uses OpenSSL.

    This enables SSL Certificate Verification by client software without manual
    intervention.

    If you prefer to do this manually, replace the following symlinks with
    either an empty file or your site-local certificate bundle.

    /etc/ssl/cert.pem
    /usr/local/etc/ssl/cert.pem
    /usr/local/openssl/cert.pem
    root@nextcloud:/ # pkg install apache24
    Updating FreeBSD repository catalogue…
    pkg: http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/meta.txz: No address record
    repository FreeBSD has no meta file, using default settings
    pkg: http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/packagesite.txz: No address record
    Unable to update repository FreeBSD
    Error updating repositories!

    So I did some research for a while and have found some threads on solutions but the one listed here did not work https://www.ixsystems.com/community/threads/new-in-freenas-unable-to-do-pkg-update.49672/ and this suggested solution is being a debate that is not recommended https://www.justinsilver.com/random/fix-pkg-on-freenas-11-2/

    My current system details
    Version: FreeNAS-11.3-U4
    Jail: 11.3-RELEASE-p11
    Intel(R) Atom(TM) CPU C2750 @ 2.40GHz

    I am wondering if I have missed something. I haven’t gone through the whole comments section though. I am going bottom up and decided to write you as this might be something I just missed.

    Thank you
    Marcelo

    1. Hi Marcelo, this isn’t an issue I’ve run in to. It’s especially strange because it works the first time, and then not the second time. I found this thread discussing the issue, indicating that it could be an issue with resolv.conf inside the jail – perhaps try the suggestions there and see if it works for you? Another thing to try could be going to that site to see if you can download the packagesite.txz file. It looks like a connectivity issue. Can you ping your router? Can you ping google? Can you resolve pkg.freebsd.org? Try:

      host pkg.freebsd.org
      

      Sorry I couldn’t help more! This is really a question for the FreeNAS forums

      1. That is fine Samuel.
        Yes, I have my resolv.conf properly and from inside the jail I can ping external websites without any problem. I will follow the mentioned thread and see what I can find. If I manage to get this solved, I will put the solution here.

        Thanks,

        1. Hello Samuel
          As promised, I managed to get around the problem with the pkg. I followed these instructions https://www.justinsilver.com/random/fix-pkg-on-freenas-11-2/ and I managed to go all the way through the install until the next cloud configuration.
          During the nextcloud admin account creation, I got the message that it could not connect to the database despite the fact I was sure I have the correct password (set previously). In fact going back to terminal I am able to login to MySql as root.
          Well, anyway because I have been messing up with the jail configuration I thought on the easy way and the reason for having jails per application right? I just deleted the entire jail and started from scratch.
          First Surprise: Even creating everything from scratch, when I reach the moment to create the database and user, I got an error telling the database and user already exist! They are not supposed to be wiped out when the jail is destroyed? Well, anyway, I checked and the database and user were there and the password worked good and I proceed.

          Second Surprise: Everything on Apache was working until Apache configuration for nextcloud was concluded. When I tried to access, I got this error

          Internal Server Error
          The server encountered an internal error and was unable to complete your request.
          Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report. More details can be found in the server log.

          root@nextcloud:/var/log # cat httpd-error.log
          [Tue Jul 28 13:05:32.184640 2020] [mpm_prefork:notice] [pid 29560] AH00163: Apache/2.4.43 (FreeBSD) configured -- resuming normal operations
          [Tue Jul 28 13:05:32.185391 2020] [core:notice] [pid 29560] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
          [Tue Jul 28 13:36:17.464577 2020] [mpm_prefork:notice] [pid 29560] AH00171: Graceful restart requested, doing restart
          AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
          [Tue Jul 28 13:36:17.474243 2020] [mpm_prefork:notice] [pid 29560] AH00163: Apache/2.4.43 (FreeBSD) configured -- resuming normal operations
          [Tue Jul 28 13:36:17.474273 2020] [core:notice] [pid 29560] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
          [Tue Jul 28 13:42:17.085472 2020] [mpm_prefork:notice] [pid 29560] AH00169: caught SIGTERM, shutting down
          [Tue Jul 28 13:42:17.313229 2020] [mpm_prefork:notice] [pid 31847] AH00163: Apache/2.4.43 (FreeBSD) configured -- resuming normal operations
          [Tue Jul 28 13:42:17.314220 2020] [core:notice] [pid 31847] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
          [Tue Jul 28 14:44:09.802701 2020] [mpm_prefork:notice] [pid 31847] AH00169: caught SIGTERM, shutting down
          [Tue Jul 28 14:44:10.026335 2020] [mpm_prefork:notice] [pid 33345] AH00163: Apache/2.4.43 (FreeBSD) configured -- resuming normal operations
          [Tue Jul 28 14:44:10.027080 2020] [core:notice] [pid 33345] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

          From the log, seems to me that the HTTPD file got something wrong and I have double checked and it is exactly as my very first attempt that worked.
          Any advice?
          Thanks

  142. Wow! Thanks so much for updating these instructions! I was able to update my previous install (that used the original instructions) using this set to get up to date to php 7.4 and FreeNAS 11.3.

    I did have to deviate in one respect. I had to use mariadb103-server rather than mariadb104-server, as the my sql service would fail. I also upgraded my jail to 11.3 from root system using the iocage upgrade command.

  143. Hi Samuel,
    Have been using the nextcloud for about 6 months and have noticed the Jail pool was getting full. When I looked I have found it looks like I have the users data duplicated at both the data pool and the jail pool. Created a folder in nextcloud and it appeared in both locations.
    This is my fstab
    root@freenas[~]# iocage fstab -l nextcloud
    +-------+------------------------------------------------------------------------------------------------------------------------------+
    | INDEX | FSTAB ENTRY |
    +=======+==============================================================================================================================+
    | 0 | /mnt/vault/cloud /mnt/jailhouse/iocage/jails/nextcloud/root/mnt/data nullfs rw 0 0 |
    +-------+------------------------------------------------------------------------------------------------------------------------------+
    | 1 | /mnt/jailhouse/apps/nextcloud/db /mnt/jailhouse/iocage/jails/nextcloud/root/var/db/mysql nullfs rw 0 0 |
    +-------+------------------------------------------------------------------------------------------------------------------------------+
    | 2 | /mnt/jailhouse/apps/nextcloud/config /mnt/jailhouse/iocage/jails/nextcloud/root/usr/local/www/nextcloud/config nullfs rw 0 0 |
    +-------+------------------------------------------------------------------------------------------------------------------------------+
    | 3 | /mnt/jailhouse/apps/nextcloud/themes /mnt/jailhouse/iocage/jails/nextcloud/root/usr/local/www/nextcloud/themes nullfs rw 0 0 |
    +-------+------------------------------------------------------------------------------------------------------------------------------+

    and this is my permissions
    root@nextcloud:/ # ls -al /mnt/data
    total 34
    drwxrwx--- 8 www www 11 May 6 19:38 .
    drwxr-xr-x 3 root wheel 3 May 3 23:19 ..
    -rw-r--r-- 1 www www 542 Jul 27 20:49 .htaccess
    -rw-r--r-- 1 www www 0 Jul 27 20:49 .ocdata
    drwxr-xr-x 7 www www 7 Jun 10 20:57 adamvnz
    drwxr-xr-x 11 www www 11 May 5 20:15 appdata_ocg56ilv8jba
    drwxr-xr-x 6 www www 6 May 6 19:40 ben
    drwxr-xr-x 5 www www 5 May 6 19:37 denplus
    drwxr-xr-x 2 www www 3 Jul 22 22:11 files_external
    -rw-r--r-- 1 www www 0 Jul 27 20:49 index.html
    drwxr-xr-x 5 www www 5 May 4 20:13 ncadmin

    Nextcloud is version 19.0.1
    Any ideas?
    I only have two jails running in the 500GB ssd pool and its now 92% full.
    Hope to hear from you soon and thanks for your great tutorial.

  144. Hey Samuel,

    thx a lot. My nextcloud is working like a charm.
    I sometimes get error504 on the app, but I know how to fix that.

    Can you please do a Collabora Tutorial? I think a lot people who are working
    with your tutorial, would appreciate that.

    Best regards,
    Alex

  145. Hi Sam

    Fantastic guide both nextcloud installation and reverse proxy.
    My nextcloud is up and running.

    I run Nextcloud Security Scan and got an “A” rating.
    It failed ” __Host-Prefix ”
    How can I fix this to get an “A+” rating?

    Thanks

  146. Reply to myself:
    Just tried it. I had to fix some permissions prior to update, once I did that update through the web interface went smoothly.

  147. This was a great guide! Very well thought out and despite the few errors I encountered, I was able to work out the errors from my own mistakes or modifications that were not part of the original guide. Also, I followed the reverse proxy guide which was great however I opted to use acme.sh since it supports FreeDNS which I already had configured for DDNS and various domains. That being said, I would like to thank you for putting this all together in such a comprehensive manner!

  148. Hi!
    I’m comparing your instructions with my Nextcloud installation that I did a long time ago by blindly running a script I found on the FreeNAS forum.
    I just noticed that my redis.sock file has 777 permissions instead of the 770 suggested by you.
    Also, user www doesn’t belong to the redis group, most likely because there was no need, due to the liberal permissions of redis.sock.
    Should I be worried?
    Should I set unixsocketperm 770 in /usr/local/etc/redis.conf and add user www to the redis group?
    Thanks.

    1. Hi,

      This was the configuration I had originally, and it does pose a security vulnerability. Whether you should be worried depends on how likely you are to be targeted I guess, but it’s always better to proactively improve your security posture. If you’re referring to danb35’s script, I actually fixed this security vulnerability in this pull request.

      Part of the challenge is that when the socket is set up to run in /tmp, it inherits the ownership redis:wheel, and that doesn’t seem to be easily changeable. To “restrict” the permissions in this case, you would need to add the www user to the wheel group – which poses its own security concerns. The solution to this is to move the socket to /var/run/redis, where it will inherit redis:redis ownership, where there is no danger in adding the www user to the redis group. You can either adapt the process I’ve laid out to fix the issue, or have a look at the commit on the pull request and you should see just the relevant changes.

      Hope this helps.

      1. Hi,

        I just tried to do the same (move the socket to /var/run/redis and add user www to the redis group). Worked – but suddenly, I could not create any new files or directories in the file view; Nextcloud suddenly was “write-only”.
        Problem was that on my system, /var/run/redis had 755 permissions (since I never changed them, this must have been an installation default). Changing them to 775 fixed the problem. I assume that your /var/run/redis directory already had 775 permissions then?

        Cheers,
        Marco

        1. Hi Marco,

          In the “Caching and Redis” section, I specify changing unixsocketperm to 770 in /usr/local/etc/redis.conf, which should give the socket 770 permissions.

          Cheers.

          1. Hi Samuel,

            yes, the socket has 770 permissions – but the directory /var/run/redis had 755 permissions which led to the problem that NC could not generate new files in the database (since ‘www’ is in group ‘redis’ and the group access for ‘redis’ was r-x only). I had to change the permissions of the /var/run/redis directory; the socket permissions are fine…

          2. Hi Marco,

            This isn’t how it works afaik. File permissions take precedence over directory permissions. Since you’re not creating new files in the /var/run/redis directory, it shouldn’t matter that you don’t have write access to it. You have write access to the redis.sock file, which is all that should be required. I’m not sure why changing this would have solved your issue; I’m currently running my server with the default 755 permissions on /var/run/redis without any problems.

      2. Right you are: it was an old version of danb35’s script! Thank you for helping him and the community in general!
        I did everything you suggested and everything worked out fine, but then I read this page https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html#small-private-home-server that recommends using only APCu for small/home deployments like mine because “APCu is faster at local caching than Redis”.
        My knowledge of memory caches is so poor that I wouldn’t know who to trust, but I ended up disabling redis completely in config.php and everything seems to be working just fine. If I had unlimited time and knew how, I’d love to test the performance of Nextcloud with and without APCu/redis, but as it is I’m content with what I’ve accomplished so far.
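The permission question in this thread, worked through as an added example (not code from the guide, from danb35's script, or from any commenter): on FreeBSD, connecting to a Unix socket needs search permission on the containing directory and write permission on the socket file, so the sketch below evaluates both for the layouts mentioned (777 in /tmp, 770 in /tmp, 770 in /var/run/redis). The numeric uids/gids, the `Node` type and all function names are constructed for illustration.

```python
import os
import stat
from dataclasses import dataclass

# Constructed sample ids (assumptions, not read from a real system).
ROOT, WHEEL, WWW, REDIS, OTHER = 0, 0, 80, 535, 1001


@dataclass(frozen=True)
class Node:
    """Owner, group and permission bits of one filesystem object."""
    uid: int
    gid: int
    mode: int  # e.g. 0o770


def stat_node(path):
    """Build a Node from a real path, e.g. stat_node('/var/run/redis')."""
    st = os.stat(path)
    return Node(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def class_bits(node, uid, gids):
    """Return the rwx triplet that applies to the caller.

    Exactly one class is consulted: owner if the uid matches, otherwise
    group if one of the caller's groups matches, otherwise other.
    """
    if uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in gids:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def can_connect(directory, sock, uid, gids):
    """connect() needs x on the directory and w on the socket file."""
    if uid == 0:  # root bypasses the permission check
        return True
    search = class_bits(directory, uid, gids) & 0o1
    write = class_bits(sock, uid, gids) & 0o2
    return bool(search and write)


def world_connectable(directory, sock):
    """True if a user who is neither owner nor group member can connect."""
    return bool(directory.mode & 0o1 and sock.mode & 0o2)


def audit(directory, sock, service_uid, service_gids):
    """Return a list of findings for one directory/socket layout."""
    findings = []
    if world_connectable(directory, sock):
        findings.append("socket is reachable by every local user")
    if not can_connect(directory, sock, service_uid, service_gids):
        findings.append("service account cannot connect")
    return findings


def scenarios():
    """Evaluate the layouts discussed in the thread for the www user."""
    tmp = Node(ROOT, WHEEL, 0o1777)          # /tmp
    run_redis = Node(REDIS, REDIS, 0o755)    # /var/run/redis
    return {
        # unixsocketperm 777 in /tmp: works for www, and for everyone else
        "tmp_777": audit(tmp, Node(REDIS, WHEEL, 0o777), WWW, {WWW}),
        # unixsocketperm 770 in /tmp: group is wheel, so www is locked out
        "tmp_770": audit(tmp, Node(REDIS, WHEEL, 0o770), WWW, {WWW}),
        # 770 in /var/run/redis with www added to the redis group
        "var_run_redis_770": audit(
            run_redis, Node(REDIS, REDIS, 0o770), WWW, {WWW, REDIS}
        ),
    }


if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(name, "->", findings or "ok")
```

Inside the jail, `stat_node()` can replace the constructed `Node` values to check the live directory and socket.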

  149. Hi, all.

    Thanks for all the hard work, Samuel. This is the best post on installing nextcloud in freenas bar none.

    My certbot renewal has stopped working throwing an error “AttributeError: ‘module’ object has no attribute ‘Locale'”.

    This appears to be a python exception however has not occurred before. I have recently upgraded to nextcloud version 19.0.3 as it became available in pkg. Other packages have been upgraded including python as they become available.

    Not sure if anyone’s come across this issue before – a search turned up nothing and I couldn’t see anything in the forum here. Wondering if this is a bug or that it’s time to upgrade python? Any thoughts?

    Thanks,
    Sven

    I’m still running php72.

    Locale is set as follows (default I expect):
    LANG=en_US.UTF-8
    LC_CTYPE="en_US.UTF-8"
    LC_COLLATE="en_US.UTF-8"
    LC_TIME="en_US.UTF-8"
    LC_NUMERIC="en_US.UTF-8"
    LC_MONETARY="en_US.UTF-8"
    LC_MESSAGES="en_US.UTF-8"
    LC_ALL=

    Full error received is:
    root@nextcloud:/ # certbot-2.7 renew --dry-run
    Traceback (most recent call last):
      File "/usr/local/bin/certbot-2.7", line 11, in <module>
        load_entry_point('certbot==1.7.0', 'console_scripts', 'certbot')()
      File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 489, in load_entry_point
        return get_distribution(dist).load_entry_point(group, name)
      File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2852, in load_entry_point
        return ep.load()
      File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2443, in load
        return self.resolve()
      File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2449, in resolve
        module = __import__(self.module_name, fromlist=['__name__'], level=0)
      File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
        from certbot._internal import main as internal_main
      File "/usr/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 21, in <module>
        from certbot._internal import cert_manager
      File "/usr/local/lib/python2.7/site-packages/certbot/_internal/cert_manager.py", line 16, in <module>
        from certbot._internal import storage
      File "/usr/local/lib/python2.7/site-packages/certbot/_internal/storage.py", line 79, in <module>
        def add_time_interval(base_time, interval, textparser=parsedatetime.Calendar()):
      File "/usr/local/lib/python2.7/site-packages/parsedatetime/__init__.py", line 270, in __init__
        self.ptc = Constants()
      File "/usr/local/lib/python2.7/site-packages/parsedatetime/__init__.py", line 2381, in __init__
        self.locale = get_icu(self.localeID)
      File "/usr/local/lib/python2.7/site-packages/parsedatetime/pdt_locales/icu.py", line 56, in get_icu
        result['icu'] = icu = pyicu.Locale(locale)
    AttributeError: 'module' object has no attribute 'Locale'

  150. Thanks for the quick response, Samuel!

    I’ll try and confirm upgrading python as per your reverse proxy tutorial. I’m also going to take the plunge and recreate the jail with php 74 considering versions of nextcloud greater than 19 will no longer support php72.

    Thanks again.
    Sven

  151. I’ve been running the update-route53.sh script for some time now successfully for many months now, but it looks like since 8/1 I’m getting the following message: Invalid IP address: ;; connection timed out; no servers could be reached.

    Not sure why. My IP and Zone ID have not changed.
    Any ideas ?

    1. Hi Phil, the offending command is probably this one:

      dig +short myip.opendns.com @resolver1.opendns.com
      

      Try running that in isolation and see what it returns. It may be that your computer just can’t reach OpenDNS.com for whatever reason.

      Cheers

  152. Hello Samuel. Question about the new upgrade procedure. I’m currently using the FreeBSD pkg manager to handle updates based on your earlier guide. As you mention in your explanation, I only have the option from upgrading from 19.0.3 to 20.0.0. I don’t want to make the jump to version 20 just yet. Version 19.0.4 is not available. Is upgrading manually with your new procedure possible, or will it cause issues?

    Thanks in advance, and as always, I appreciate your help!

    1. @ Phil
      I remain with the previous version from Samuel with the pkg manager for my nextcloud jail as well.
      The reason is because I am actually not such skilled to follow the new “manual way” Sam is proposing, I feel more comfortable with the old way.
      On my server are running:
      FreeNAS 11.3-U5; within jails
      11.3-RELEASE-p14 and
      Nextcloud 19.0.3

      I would like to tell you my approach to updates as far as I have good experiences since today.
      So I assume you are using FreeNAS Jails along with nextcloud.
      As far as I have learned in the meantime there are at least two steps to perform to manage updates.

      You have to keep your jails, as mentioned by Kevdoc, up to date. That means you have to select within the GUI of FreeNAS for the relevant Jail, in my case it is nextcloud, the option UPDATE. This option will check the pkg’s of the FreeBSD version you have installed in your jail and update them.
      The actual version from FreeNAS is now 11.3 and my jails are running 11.3-RELEASE-p14.
      You are using the pkg manager within your jail to keep the pkg’s up to date, so you should not use any other procedure to update your pkg’s because I believe some dependencies may get lost. The way I am using is: Via GUI from FreeNAS press the option Shell and enter “pkg upgrade -F” with this command you can evaluate if there is a new version of the installed pkg’s before you execute. When a new version is available enter “pkg upgrade” and you will do the update.

      Kevdog is correct when he is saying freebsd pkg is lagging behind nextcloud releases. That means you will see a new available version of nextcloud within your nextcloud screen but the pkg for freebsd will not be shown when you type “pkg upgrade -F” in the FreeNAS GUI.
      But my experiences with the “old” version: You can work fine without any restrictions as well until the FreeBSD team has done their job and then start the update.

    2. Hi Phil, upgrading manually is possible. You’ll have to remove the current installation as installed with pkg, and then download and install your desired version. If you broadly follow what’s in the “Upgrading” section, that should get you most of the way there – you may need to make sure you’re installing all of the required packages etc after you have removed the pkg installation. I didn’t rebuild my jail from scratch when I transitioned to a manual installation, so it certainly is possible.

      @Kev: I deliberately moved away from the pkg system to avoid adding complexity. In this case, where multiple trains are supported by Nextcloud, the pkg system doesn’t seem to handle it all that well, and it appears much simpler to just manually install and maintain the software 🙂

      Cheers

      1. Thank you Samuel. That makes sense. I may give that a shot, or maybe start a new jail just to see how it works compared to what I’m doing now.

      2. Hello Samuel, I’m going to go ahead and attempt to update manually. I’m going to keep my current jail. As you suggested, I need to remove my current pkg installation. That would be uninstalling the nextcloud-php74 package correct? Do I need to put Nextcloud into maintenance mode before i do this, or is it a moot point since I’m uninstalling and then reinstalling?

        My plan is to follow your upgrade suggestions:
        1. Turn on Maintenance mode. Make copies of the /mnt/data, /usr/local/www/nextcloud, and the MySQL database by using the rsync and mysqldump commands.
        2. Stop Apache, and the cron job.
        3. Rename my current directory nextcloud-old
        4. Uninstall the nextcloud-php74 module and then install nextcloud 19.0.4 using the commands you’ve outlined in this guide.
        5. Check for and install any missing packages and copy over any 3rd party apps.
        6. Would I then perform the su -m www -c “php ./occ upgrade” command or is it not needed?
        7. Turn on cron job and apache.
        8. Turn off Maintenance mode.

        Any insights you can offer based on your experience when you updated your jail? As always, Thank you!

  153. @Phil — Hey I’m aware there are a few different ways to upgrade nextcloud. Just a couple things to be aware of:
    1. Make sure your jails are up to date. I’d point you to the link on the freenas forums how to do this, however for some reason ixsystems is down. I believe 11.4 is the base of the jails right now if using freenas
    2. Usually the nextcloud packages within freebsd/jails lag behind the official nextcloud release by a few months. I kind of got tired of waiting for freebsd to upgrade their packages. (I see on reviewing the guide Samuel has actually modified his guide and no longer really mentions the pkg system for installing nextcloud — I swear that was in there before!! :)). I manually locked the nextcloud packages within pkg to prevent pkg from trying to upgrade nextcloud
    3. I then proceeded with the upgrade using the web online updater although occasionally I’ve used the occ method. You can upgrade anytime you like manually using either system. I’m currently on 19.04. I’m just curious why this isn’t available for you??

    1. Thanks for replying Kevdog. Unfortunately, as I understand it, once a new major version for Nextcloud is available, that’s what is available in the freebsd pkg manager.

  154. @phil…I’m just a little confused what you want to do…I’m aware you want to upgrade…but from what version to what version? Are you trying to upgrade the base jail? Or the freenas version? Or the associated php version?

    1. Sorry for the confusion Kevdog. I’m wanting to upgrade my nextcloud version from 19.0.3 to 19.0.4. Up to this point I’ve used the pkg manager to do this (Samuel’s old method of upgrading). It works fine, but I would like more control when updating. For instance right now nextcloud-php74 19.0.4 is not available using the pkg manager. It jumped from nextcloud-php74 19.0.3 to 20.0.0. I’d like to wait a bit before upgrading to version 20.

      Samuel’s new upgrade procedure walks us through this by downloading a version from the Nextcloud website. My concern is if I simply download and install nextcloud ver 19.0.4 from nextcloud’s website it will cause issues or conflicts with my pkg installation. Perhaps I’m wrong? I’m certainly a novice here.

      I’m using php74 and my jails are up to date. I’m using Truenas Core 12.0-RC1.

  155. @Phil — I’ll just let you know what I did since I used this guide well over a year ago to install nextcloud from the pkg archives. I think your backup strategy is sound (since it totally protects your system), however I guess I was a little bit careless since I didn’t really do any type of backup. Within the pkg manager I put the nextcloud package on hold (so it wasn’t automatically upgraded or searched for when doing pkg updates). I then just used the Nextcloud GUI to update my system. I pretty much do this every time. I believe there was some incident in the distant past where I did have to do a manual upgrade b/c of a package conflict (put in maintenance mode, occ update, etc), and that strategy works as well. In my experience, it’s not going to create a problem unless for example let’s say you were on 19.03 and somehow you updated to 20.0 and then along the line you “upgraded” to 19.04. I know that scenario is stupid and seems impossible but I’ve read about people trying to update from multiple sources and the sources weren’t in sync. I’m currently on 19.04 upgraded via the GUI. It shouldn’t cause pkg problems — but put package on hold — syntax is pkg lock . https://forums.freebsd.org/threads/exclude-packages-from-pkg-upgrade.45590/ and https://www.freebsd.org/cgi/man.cgi?query=pkg-lock&sektion=8&manpath=freebsd-release-ports.

    BTW — I haven’t upgraded from FreeNAS to TrueNAS yet. I always get paranoid about major upgrades with jails breaking, etc. I heard the VLAN stuff is a little screwed up in RC1, so I’m probably going to wait a while for the bugs to get worked before doing a major upgrade. I’ve also had problems with certain jails not surviving a major upgrade in the past (which sucks). I’m honestly following the TrueNAS SCALE project which will be TrueNAS but only run on a Linux kernel rather than FreeBSD kernel. You should be able to run Docker natively on a Linux Kernel which in my opinion is a perfect option for something like Nextcloud. The application will totally be separate than the data, and upgrades will simply be upgrading to the latest docker Nextcloud image — no more worrying about dependencies, php versions, package manager dependencies, etc.

    1. Thanks for all of the info Kevdog! Great stuff. I’ll give it a shot.
      I’ve been fortunate that I haven’t had any issues with Truenas. Truenas Scale looks like a great project as well. I have a number of services that I run on my Debian machine.

  156. Hi,

    awesome tutorial, thanks a lot for it. I set it up on TrueNAS-12.0 final and at the first moment it looked like everything works well. There is only one thing – I experience some issues with playing mp4 files. Sometimes they’re loading infinitely or I get “Error loading xxxyyyzzz.mp4”. Sometimes I press reload and the same file loads immediately. Also some moments later the same file doesn’t work again.

    Nextcloud: 20.0.1 (manual)
    Jail: 12.1-RELEASE-p10
    PKG:
    * aide
    * apache24
    * ca_root_nss
    * mariadb105-client
    * mariadb105-server
    * php74
    * php74-bcmath
    * php74-bz2
    * php74-ctype
    * php74-curl
    * php74-dom
    * php74-exif
    * php74-fileinfo
    * php74-filter
    * php74-gd
    * php74-gmp
    * php74-iconv
    * php74-intl
    * php74-json
    * php74-ldap
    * php74-mbstring
    * php74-opcache
    * php74-openssl
    * php74-pdo
    * php74-pdo_mysql
    * php74-pecl-APCu
    * php74-pecl-imagick
    * php74-pecl-redis
    * php74-posix
    * php74-session
    * php74-simplexml
    * php74-xml
    * php74-xmlreader
    * php74-xmlwriter
    * php74-xsl
    * php74-zip
    * php74-zlib
    * pkg
    * postfix-sasl
    * redis
    * wget

    Any ideas?

    1. Hey, unfortunately not. I don’t use my web client or nextcloud for media. A better place to ask would probably be the nextcloud forums, the nextcloud GitHub page, or the Freenas forums. Some resources that might direct your research:

      Sorry I couldn’t be more help. For what it’s worth, I just tried doing this with my server – firefox was being temperamental, but I was able to use safari without issue. I get similar sort of behaviour with youtube though, so I’m not convinced the issues I had with Firefox were unique to nextcloud.

      Cheers.

      1. Hi,
        Many thanks for your reply. Sadly, I missed the notification about it. I’ll let you know in case I find a solution.

        Best,
        Arne

      2. Hey,

        just want to give some feedback. Finally it was the problem of my HAProxy module in my opnsense firewall. I extended the log files and figured out that there was sometimes no traffic reaching the nextcloud jail. As soon as I removed it and replaced it with your described way (using an extra jail for the proxy) everything works fine now.

        Thanks again for that awesome tutorial.
        Best,
        Arne

  157. Hello,

    in the old version, there was a part on how to install letsencrypt, get a certificate and configure the web server to use https in the nextcloud jail. I have only the nextcloud jail accessible to the internet, so I don’t want to install a new reverse proxy jail just for this one jail. Can you add this section back to this “How-to”?

    Thank you!

  158. Samuel,

    Thanks again for your guide. I’ve been running into a situation where my NC will go into maintenance mode and looking in the log I get: General error: 1712 Index oc_filecache is corrupted

    I haven’t found a terminated fix for this. Any ideas?

    Nic

    1. Hi Nic,

      I’ve never had this issue before, but generally just searching the error message on google will give you some good results to guide your research. Here are some relevant threads to read through:
      https://help.nextcloud.com/t/server-unavailable-oc-filecache-is-corrupted/92621
      https://help.nextcloud.com/t/corrupt-db-tables/77784
      https://help.nextcloud.com/t/db-index-corrupted/41459
      https://help.nextcloud.com/t/solved-corrupted-oc-filecache/30100 (this one looks the most promising)

      Hope this helps.

  159. Hello,
    as I am using Talk, I need a turnserver. The coturn package requires mysql57-client-5.7.32, so I used mysql57-server-5.7.32 for the nextcloud db instead of mariadb; all is working OK. Is there any special advantage to using mariadb over mysql?

    B.

    p.s.: here is the turnserver config which works OK behind my NAT network:
    root@nextcloud:/ # cat /usr/local/etc/turnserver.conf
    listening-port=3478
    fingerprint
    use-auth-secret
    static-auth-secret=
    realm=
    total-quota=100
    bps-capacity=0
    stale-nonce
    no-multicast-peers
    no-tls
    no-dtls
    no-stun
    no-cli

  160. Hi Samuel

    First, I want to echo all the comments thanking you for this guide. I’m glad for the explanations of why to use certain commands and what they do. I don’t understand them all but every time I read the guide or try something, it becomes a little clearer. There may be hope for me yet! 🙂

    I have a question regarding the creation of the iocage jail. You mention that you have 2 pools with one running on an SSD and reserved for jails. I am trying to do the same thing, but when I run the “iocage create -n nextcloud -r 11.3-RELEASE ip4_addr="vnet0|192.168.x.xx/24" defaultrouter="192.168.0.1" vnet="on" allow_raw_sockets="1" boot="on"” command, it always installs the jail on my main pool. I assume there is some command to run to select the specific pool you want to use, but can’t find it in your document. I’ve tried the “iocage activate ” command but not sure if this is the correct approach.

    Is this the right way or should I be doing something different?

    Thanks

    1. Hi Doug,

      You’re right I don’t think this is covered in the guide. Go to the FreeNAS/TrueNAS web Gui and navigate to the “Jails” tab on the left hand navigation menu. To the right of the screen, to the right of the “Add” button is a cog icon for settings management. If you click this, it will let you select which pool to use for your jails.

      Cheers,

      Sam

      1. Thanks for the tip. I’ll try that next time.

        I have another issue I’m hoping I can get guidance on. Like others here, I’m getting an “Internal Server Error” when trying to access the Nextcloud desktop. However in my case it seems to occur at a different point. I’ve nuked the jail and reprocessed all the steps a number of times, but keep getting the error at the same point.

        It occurs during the Caching and Redis set of steps. In order to isolate the exact point of the error, I refreshed the login page as well as logged in and out after processing each command.

        When processing these 4 commands:

        $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/var/run/redis/redis.sock"'
        $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer'
        $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu"'
        $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'

        After each of the first three lines, I was able to get the login page as well as login and out of the app. When I entered the 4th command, refreshing the login page returned the “Internal Server Error”.

        I looked for the nextcloud.log file and found 2 occurrences. One is in /mnt/NASData/cloud/nextcloud.log and the other in /mnt/NASData/iocage/jails/nextcloud/root/usr/local/www/nextcloud/data/nextcloud.log. The time stamp on the latter file is about 10 minutes before I got the error. The other file has a more recent time stamp and has this info.

        {"reqId":"M8tbScBgo5l61sO4eHtR","level":3,"time":"2020-11-16T13:20:24+00:00","remoteAddr":"192.168.50.61","user":"--","app":"no app in context","method":"GET","url":"/index.php/csrftoken","message":{"Exception":"OCP\\AppFramework\\QueryException","Message":"Could not resolve OCA\\Files_Versions\\Versions\\IVersionManager! Class can not be instantiated","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":126,"function":"resolve","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":455,"function":"query","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":427,"function":"queryNoFallback","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":56,"function":"query","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->"},{"file":"/usr/local/www/nextcloud/apps/files_versions/lib/AppInfo/Application.php","line":119,"function":"get","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/usr/local/www/nextcloud/apps/files_versions/lib/AppInfo/Application.php","line":106,"function":"loadBackend","class":"OCA\\Files_Versions\\AppInfo\\Application","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":68,"function":"registerVersionBackends","class":"OCA\\Files_Versions\\AppInfo\\Application","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":52,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->"},{"file":"/usr/local/www/nextcloud/apps/files_versions/lib/AppInfo/Application.php","line"
:91,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":168,"function":"boot","class":"OCA\\Files_Versions\\AppInfo\\Application","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/legacy/OC_App.php","line":191,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/legacy/OC_App.php","line":131,"function":"loadApp","class":"OC_App","type":"::"},{"file":"/usr/local/www/nextcloud/apps/dav/lib/AppInfo/Application.php","line":113,"function":"loadApps","class":"OC_App","type":"::"},{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":168,"function":"boot","class":"OCA\\DAV\\AppInfo\\Application","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/legacy/OC_App.php","line":191,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/legacy/OC_App.php","line":131,"function":"loadApp","class":"OC_App","type":"::"},{"file":"/usr/local/www/nextcloud/lib/private/legacy/OC_Util.php","line":201,"function":"loadApps","class":"OC_App","type":"::"},{"file":"/usr/local/www/nextcloud/lib/private/Files/Filesystem.php","line":267,"function":"setupFS","class":"OC_Util","type":"::"},{"file":"/usr/local/www/nextcloud/lib/private/Server.php","line":377,"function":"getMountManager","class":"OC\\Files\\Filesystem","type":"::"},{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":155,"function":"OC\\{closure}","class":"OC\\Server","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php","line":118,"function":"OC\\AppFramework\\Utility\\{closure}","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":["*** sensitive 
parameters replaced ***"]},{"file":"/usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":122,"function":"offsetGet","class":"Pimple\\Container","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/ServerContainer.php","line":156,"function":"query","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/Server.php","line":407,"function":"query","class":"OC\\ServerContainer","type":"->"},{"function":"OC\\{closure}","class":"OC\\Server","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/local/www/nextcloud/lib/private/Files/Node/LazyFolder.php","line":63,"function":"call_user_func"},{"file":"/usr/local/www/nextcloud/lib/private/Files/Node/LazyFolder.php","line":143,"function":"__call","class":"OC\\Files\\Node\\LazyFolder","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/Files/AppData/AppData.php","line":142,"function":"get","class":"OC\\Files\\Node\\LazyFolder","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/Template/JSCombiner.php","line":97,"function":"getFolder","class":"OC\\Files\\AppData\\AppData","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/Template/JSResourceLocator.php","line":116,"function":"process","class":"OC\\Template\\JSCombiner","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/Template/JSResourceLocator.php","line":72,"function":"cacheAndAppendCombineJsonIfExist","class":"OC\\Template\\JSResourceLocator","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/Template/ResourceLocator.php","line":79,"function":"doFind","class":"OC\\Template\\JSResourceLocator","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/TemplateLayout.php","line":364,"function":"find","class":"OC\\Template\\ResourceLocator","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/TemplateLayout.php","line":194,"function":"findJavascriptFiles","class":"OC\\TemplateLayout","type":"::"},{"file":"/usr/local/www
/nextcloud/lib/private/legacy/OC_Template.php","line":183,"function":"__construct","class":"OC\\TemplateLayout","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/Template/Base.php","line":132,"function":"fetchPage","class":"OC_Template","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/legacy/OC_Template.php","line":332,"function":"printPage","class":"OC\\Template\\Base","type":"->"},{"file":"/usr/local/www/nextcloud/index.php","line":63,"function":"printExceptionErrorPage","class":"OC_Template","type":"::"}],"File":"/usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","Line":111,"CustomMessage":"Could not boot files_versionsCould not resolve OCA\\Files_Versions\\Versions\\IVersionManager! Class can not be instantiated"},"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36","version":"20.0.1.1"}

        The content of httpd-error.log is

        [Sun Nov 15 20:20:27.985109 2020] [proxy_fcgi:error] [pid 30997] (70007)The timeout specified has expired: [client 192.168.50.61:50017] AH01075: Error dispatching request to : (polling)
        [Sun Nov 15 20:27:55.555297 2020] [mpm_prefork:notice] [pid 30992] AH00169: caught SIGTERM, shutting down
        [Sun Nov 15 20:27:55.612009 2020] [mpm_prefork:notice] [pid 31256] AH00163: Apache/2.4.46 (FreeBSD) configured -- resuming normal operations
        [Sun Nov 15 20:27:55.612190 2020] [core:notice] [pid 31256] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

        Do you have any ideas on what is causing this and how to get around it?

        Doug

        1. As a followup, I commented out the line that the 4th command above ($ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"') added to the nextcloud config.php file and I no longer get the internal server error message.

          So in my case that error is definitely linked to this line ('memcache.locking' => '\OC\Memcache\Redis',) in the nextcloud/config/config.php file.

          1. Hi Doug, one thing you could check is if the redis service is actually running. Otherwise I’m not sure why this might be occurring – it works for me with the stated configuration, but I’m still running 19.0.1. I’ll add this as something to take note of for future versions of the guide.
            Cheers.

          2. Did you manage to resolve this – I just saw this comment and this is exactly my issue. I commented out the offending line in config.php and the Nextcloud console now loads up again. Any further thoughts on this?

          3. Ben F
            December 13, 2020 at 1:35 am

            Did you manage to resolve this – I just saw this comment and this is exactly my issue. I commented out the offending line in config.php and the Nextcloud console now loads up again. Any further thoughts on this?

            I did resolve but I don’t know what I did!

            I left the line commented and completed the rest of the setup. At some point after it was done and I was able to access the app, I went back and removed the comment. And now was able to access without getting the message.

            I suspect that some later instruction “fixes” the issue but I don’t know which one. Either that, or as the old adage says “Time heals all wounds” 🙂

            I should add that I didn’t implement the reverse proxy portion of these instructions. When I got to that point, I followed instead the link to the previous guide which uses SSL directly. I did change a few things from that set, mostly to use newer versions of software (for example, py37-certbot). Also, I’m using NOIP as my ddns service so skipped all the AWS related stuff.

            At some point, I’m going to build a new Nextcloud instance and try the reverse proxy. I’ll see if the issue still occurs, and if so, at what point it fixes itself.

            Doug

          4. I got the same problem. If I just do this like you, problem not solved.

            I changed 2 lines in /usr/local/www/nextcloud/config/config.php:

            'memcache.local' => '\OC\Memcache\APCu',

            'memcache.locking' => '\OC\Memcache\Redis',

            TO:

            'memcache.local' => '\OC\Memcache\APCu',

            'memcache.locking' => '\OC\Memcache\Redis',

            and all worked, seems no problems until now.

          5. I got the same problem. If I just do this like you, problem not solved.

            I changed 2 lines in /usr/local/www/nextcloud/config/config.php:

            'memcache.local' => '\\OC\\Memcache\\APCu',

            'memcache.locking' => '\\OC\\Memcache\\Redis',

            TO:

            'memcache.local' => '\OC\Memcache\APCu',

            'memcache.locking' => '\OC\Memcache\Redis',

            and all worked, seems no problems until now.

  161. Hello again,

    It’s been a while since I posted anything here, but I got some really good help in the past, and I thought I’d try it again.
    My NC server, created using this guide, has been running great for years. A couple of weeks ago, I upgraded my FreeNAS to TrueNAS 12.0 Core, and also upgraded my Nextcloud jail to 11.4. At first, everything worked fine. But since Wednesday, I have an Internal Server Error immediately after logging in to the NC web.

    I found this error message in the log: MySQL server has gone away at /usr/local/www/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOStatement.php#117

    However, I don’t know how to fix it. Any guidance would be greatly appreciated.
    Thanks!

  162. Thanks for this detailed howto.

    I would have a question regarding the upgrade part: why choose rsync data backup instead of a zfs dataset snapshot*?
    I mean you dedicated a dataset for data earlier that you nullfs-mounted, so a dataset snapshot seems quicker and more space efficient. Am I wrong?

    [*] For the MySQL DB zfs snapshot backup approach, only cold backups are recommended; otherwise, mysqldump/xtrabackup options are far better for hot backups.

    1. Hey, using the zfs snapshot is probably just as valid. Backup however you want to. I have snapshotting tasks on the datasets set to occur every couple of weeks, it just seemed easier to me to have a temporary local copy that I can work with for the upgrading process, rather than rolling a snapshot back. As far as the database goes, it was much more straightforward to export the db and then import it again. I don’t claim that this is the only way to do any of this, just that it’s a way, and it’s a way that I can tell you works and works well 🙂

  163. Dear Samuel and community, Thank you for this amazing how-to!!
    I have used the earlier version of the guide to set up my nextcloud years ago and it ran perfectly. Now I set up a new jail (primarily to update php and apply all the new tweaks you describe) and used the reverse proxy server together with Route53 to handle the certificates. Getting the wildcard certificate worked and inside my network everything also works perfectly. If I connect from the Internet using my router’s IP address, it works as well (with a certificate warning of course). For some reason my domain is not resolved and redirected to my router’s IP address. The script you suggested works without error, the current IP address is correctly logged into the file. My domain is managed through another website, so I inserted the nameservers of my hosted Route53 zone into the configuration. Do I need to change additional settings in the AWS console except for the hosted zones? I am sure I am just missing one small step, but I cannot figure out which one it is. Maybe anyone can help. Since I don’t see any error messages, I am not sure what kind of logfile would be useful here, maybe my mistake is apparent to one of you from my description. Thank you : -)

    1. Hi Florian, I’m not really clear what issue it is you’re having. It sounds like you’re trying to access nextcloud remotely and you’re unsuccessful. Your route53 hosted zone should contain an A record to direct requests to cloud.example.com to your public IP. This domain should match the wildcard you’ve been issued. This will mean that when a user requests https://cloud.example.com, your AWS hosted zone should resolve this to mean <your public ip>:443, and forward the request to that IP with the ‘Host’ header set to Host: cloud.example.com. Your router should be configured to forward all traffic on port 443 to your reverse proxy, so your reverse proxy will receive this request. It will inspect the value of the Host header, and match it with the server directive specified in your vdomains/cloud.example.com.conf file. This will then proxy_pass to your nextcloud server, which will issue a response to the request. Hopefully this will help you identify where in your chain things aren’t happening for you 🙂

      Hope this helps.

      Cheers.

  164. You can set an app password under security at accounts.google.com. I just tested and it works. So no need to enable less secure access or turn off 2-step verification.

    1. Thanks for letting me know Chris, this would be a good improvement to include in the next version. I’ve raised a GitHub issue to track this so I can investigate when I get some time. Cheers

  165. Hello, thanks for updating this guide, I have the same problem as Doug has, when I do the commands of the “CACHING AND REDIS” part my nc gets bricked and shows an internal error on the page.
    Cheers
    YaMoef

      1. Hi, after finishing my NextCloud setup yesterday, I came up against an error today: when uploading large files to NextCloud, I was getting “413 request entity too large”. I managed to solve it by including “client_max_body_size 10240M;” in the reverse proxy file of NextCloud. I’m not sure though if it was a mistake that I’ve made while configuring the reverse proxy/NextCloud.

        1. I did the same. If you search the comments you’ll see that it’s come up and that Samuel addressed it there. So nothing you did was wrong.

        2. Hi YaMoef, as Chris mentioned this has been addressed in the comments, but I also have an outstanding GitHub issue to add this to the guide. Glad you solved the issue though.

    1. Hi Jason, do those paths exist? you can check using ls:

      ls -al <insert path here>
      

      If you get a return, the path exists. This should point you in the right direction (if the path doesn’t exist, you’ll need to make sure the datasets/paths exist. Refer to the mkdir commands immediately prior to the fstab commands in the guide).

      1. um… next problem. my mariadb password contains “;”, which mariadb now thinks indicates the end of a command when used in the cli.

        e.g.
        $ mysql -u root -p
        ERROR 1049 (42000): Unknown database ‘
        command not found

        I’m surprised mariadb allowed such a password. I’d call that a bug.

        I’m not stuck yet, but can you tell me how to change the root pw?

        1. okay, another issue. part of what I just typed out above is missing b/c i use the “greater than” and “less than” to indicate a description. e.g. “less than” my password “greater than”. apparently your website deletes anything in those brackets.

  166. Issue about comments on the website

    Samuel, I follow this blog pretty closely and receive email notifications when someone posts. I received an email today dated 12-23-2020 about a Redis caching issue. When I go to your blog however the last comment I see at the end of the site is dated 12-5-2020. I tried on a few different browsers to make sure it wasn’t a caching issue but it doesn’t seem like that is the problem. Any idea why the blog for me hasn’t shown comments for a while?

    1. Hey Kev, it’s a limitation of the way WordPress handles comments by default. As Doug mentioned, it’s ordered by the date the comment thread started, i.e. the date of the first comment in a thread. The notification you got was a reply to a thread so the reply will be further up. I’m working on a new site that has comment filters that will hopefully make it easier to navigate, but yeah for now your best bet is probably to ctrl+f for the username or date.

  167. Hi Samuel,

    Thanks so much for the super detailed guide, as it helped me move out of my plugin installation of Nextcloud! Instructions were super clear and I loved how you included additional explanation each segment!

    Happy holidays!

  168. Hi Samuel,
    I’ve followed your guide and been happily running Nextcloud on my home server for quite a while now.

    I’ve been facing an issue though, the file upload and download speed is low, 130mbit roughly.
    I have a gigabit internet connection (which turns into 800/800 mbit roughly). Both my server and my laptop are connected through cable.

    I’ve been playing with enabling Sendfile (and disable MMAP), but it doesn’t seem to make a difference. Any chance you have a lead on what’s going on?

    My home server (home as in: it is located in my home) is a dual for 16 cores/32 threads. I set cpuset=all on my jail and I noticed that when I’m downloading a 1GB file from NextCloud, apache24 uses 13% of the CPU (which seems excessive!). I also have 32 GB available and the system load is essentially 0% the entire time. All this to say, I doubt this is a hardware problem. When downloading the same file through SFTP, I get ~800 mbit in download speed, while I understand it’s a different protocol, there is something that could be done for sure to improve nextcloud upload/download speed.

    I’ll post also on the nextcloud forums and reddit, I’d love to see what they say.

    1. Francesco, are you doing this from inside or outside of your home network? If outside, one thing to look at might be your router – is it able to handle the traffic? You could try and do an iperf test with server/client either side of it. Otherwise, a quick search yielded a possible solution in disabling http2:

      https://help.nextcloud.com/t/slow-upload-speed-i-need-advice/60909/15

      So try just removing that instruction from the Nginx vdomain server block. Report back if this solves your issue, I’d be very interested to know the answer!

      Cheers,

      Sam

  169. Mr. Dowling-
    I’m really stuck. Is there any chance you can help me?
    I’m to the point where it says:

    “At this stage, your Nextcloud server should be ready to go for local network use. However, there may be some security warnings present in the Administration panel. Some common advisories include:”

    When I go to the local IP (192.168.50.70) Here’s what NextCloud says:
    “Internal Server Error
    The server was unable to complete your request.

    If this happens again, please send the technical details below to the server administrator.

    More details can be found in the server log.

    Technical details
    Remote Address: 192.168.50.214

    Request ID: 5I3RsM4e0bg1b5Ivuc2K”

    One clue might be that “remote access” is 192.168.50.214.
    I have no idea what the 214 is. local IP for NextCloud is 192.168.50.70.

    Any ideas what I can do to fix this? thank you.

    1. Hi Jason,

      Could you run two commands for me?

      $ ls -al /tmp/redis.sock
      
      $ ls -al /var/run/redis/redis.sock
      

      Can you tell me which one, if either, returns a value?

      Cheers,

      Sam

      1. Sure. The first one comes back as “no such file or directory”.
        The second one comes back as:
        srwxrwx--- 1 redis redis 0 Dec 16 02:32 /var/run/redis/redis.sock

        1. Is the following present in /usr/local/www/nextcloud/config/config.php?

          'redis' =>
            array (
              'host' => '/var/run/redis/redis.sock',
              'port' => 0,
            ),
            'memcache.local' => '\\OC\\Memcache\\APCu',
            'memcache.locking' => '\\OC\\Memcache\\Redis',
          
          1. That’s really strange. Can you have a look in /usr/local/www/nextcloud/data/nextcloud.log and see if anything stands out to you?
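
Added example (not part of the original comments or the guide): the listing posted above shows the Redis socket as `srwxrwx---` owned by `redis:redis`, so only the owner and members of the `redis` group may connect to it. The function below works out, from one `ls -l` line and the output of `id -Gn`, whether a given account can connect; `socket_access` and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `ls -l` and `id -Gn` output whether a user may
# connect to a Unix-domain socket. connect() needs write permission on the
# socket node, and only the first matching class (owner, group, other) counts.

# socket_access LS_LINE USER USER_GROUPS
#   LS_LINE      one line of `ls -l` output for the socket
#   USER         account the PHP workers run as (www in this thread)
#   USER_GROUPS  space-separated group names, as printed by `id -Gn USER`
# Prints "<class>:<yes|no>"; returns 0 if connecting is permitted,
# 1 if it is not, 2 if the path is not a socket.
socket_access() {
    sa_line=${1:-} sa_user=${2:-} sa_groups=${3:-}

    set -f                      # no globbing while splitting the ls line
    set -- $sa_line
    set +f
    sa_mode=${1:-} sa_owner=${3:-} sa_group=${4:-}

    # A socket's mode string starts with "s" followed by nine permission chars.
    case $sa_mode in
        s?????????*) ;;
        *) echo "notsocket:no"; return 2 ;;
    esac

    # Characters 3, 6 and 9 of the mode string are the owner, group and
    # other write bits.
    if [ "$sa_user" = "$sa_owner" ]; then
        sa_class=owner sa_bit=$(printf '%s' "$sa_mode" | cut -c3)
    else
        sa_class=other sa_bit=$(printf '%s' "$sa_mode" | cut -c9)
        for sa_g in $sa_groups; do
            if [ "$sa_g" = "$sa_group" ]; then
                sa_class=group sa_bit=$(printf '%s' "$sa_mode" | cut -c6)
                break
            fi
        done
    fi

    if [ "$sa_bit" = "w" ]; then
        echo "$sa_class:yes"
        return 0
    fi
    echo "$sa_class:no"
    return 1
}

# Constructed demo input, modelled on the listing posted in the thread.
demo_line='srwxrwx--- 1 redis redis 0 Dec 16 02:32 /var/run/redis/redis.sock'
socket_access "$demo_line" www "www" || true        # www outside the redis group
socket_access "$demo_line" www "www redis" || true  # www inside the redis group

# On a live jail the same check would be:
#   socket_access "$(ls -l /var/run/redis/redis.sock)" www "$(id -Gn www)"
```

Group membership is read when a process starts, so after changing the groups of `www` the PHP workers have to be restarted before the result changes for them.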

  170. Jason, I had a very similar problem, no idea if the reason is the same, but if you search in the comments you will see a discussion I had. In short, it was the line 'su -m www -c…. memcache.locking --value="\OC\Memcache\Redis"' which broke my install. If that one line was skipped over everything worked fine (but do not know what other consequences there may be in skipping that line). Where I am up to is the reverse proxy to enable HTTPS which has completely gone over my head, so at present using it for local network only until I sort out this issue. Good luck!

    1. Dear Sam,

      Thank you so much for this guide – been poring over it for two weeks now – it’s really my first introduction to *nix systems so I am learning entirely from the ground up. – it’s a great way to learn and the explanations along the way were really helpful.

      Just FYI, as stated above when following your guide step-by-step on a brand new install of TrueNAS core (as many must be), all works fine (save I worked out I need to install FreeBSD 12.2 on the jail as 11.3 causes problems later on down the line) up until “memcache.locking --value="\OC\Memcache\Redis"” which broke the install and gave the Internal Server Error – I see other users have picked this up (‘eg TheMadScientist’). I skipped this line and all seemed to work well.

      Anyway, as others reported – after setting up and configuring my users, uploading files, out of curiosity (after snapshotting admin>config just in case) I tried again to amend config.php to include the memcache-locking Redis config. This time all worked and no problems. I’m obviously pleased it works, but thought the info would be useful for you if and when you update your guide. I don’t know nearly enough to know why it didn’t work before but does now, but thought the update would be useful for you.

      Not yet tried to configure SSL. That seems more difficult again…

      Thanks for the effort on this, I’ve really enjoyed working on this project (particularly during lockdown!)

      Thanks, Ben

      1. =========================================

        Just FYI, as stated above when following your guide step-by-step on a brand new install of TrueNAS core (as many must be), all works fine (save I worked out I need to install FreeBSD 12.2 on the jail as 11.3 causes problems later on down the line) up until “memcache.locking --value="\OC\Memcache\Redis"” which broke the install and gave the Internal Server Error – I see other users have picked this up (‘eg TheMadScientist’). I skipped this line and all seemed to work well.

        I got the same problem. If I just do this like you, problem not solved.

        I changed 2 lines in /usr/local/www/nextcloud/config/config.php:

        'memcache.local' => '\OC\Memcache\APCu',

        'memcache.locking' => '\OC\Memcache\Redis',

        TO:

        'memcache.local' => '\OC\Memcache\APCu',

        'memcache.locking' => '\OC\Memcache\Redis',

        and all worked, seems no problems until now.

      2. correction

        I got the same problem. If I just do this like you, problem not solved.

        I changed 2 lines in /usr/local/www/nextcloud/config/config.php:

        'memcache.local' => '\\OC\\Memcache\\APCu',

        'memcache.locking' => '\\OC\\Memcache\\Redis',

        TO:

        'memcache.local' => '\OC\Memcache\APCu',

        'memcache.locking' => '\OC\Memcache\Redis',

        and all worked, seems no problems until now.

  171. I think I got this copied right. Kinda hard since one line won’t fit on a screen.

    {"reqId":"fxIWXqexzfkDiUf9bi8A","level":2,"time":"2020-12-16T06:58:43+00:00","remoteAddr":"192.168.50.207","user":"--","app":"no app in context","method":"GET","url":"/","message":"Could not detect any host in http:///data/htaccesstest.txt","userAgent":"Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)","version":""}

    1. another thing: 192.168.50.214 is the computer I’m trying to use to access nextcloud.
      Also, I’m not using mozilla… I’m using chrome.
      I’ve tried restarting apache24 and redis,

  172. Mr. Dowling-
    I just got to the part about SSL. So I have to decide if I want my Nextcloud to be accessible over the internet.

    I am very concerned about my home network getting hacked, but I do also want remote access to NextCloud.

    I have a Linode vps that my friend set up for me. I was wondering if it’s possible, and if it’s beneficial to do the following:

    Set up something where my domain name points to my vps, and the vps authenticates connections with 2FA, then connects to my LAN at home on the backend. And my LAN only accepts connections from my Linode IP address. So the VPS acts as a gate keeper for NextCloud. No one can access my LAN from any other IP address.

    Someone told me I could do that with Nginx, but I don’t know anything about it.

    Would that provide any benefit over just letting anyone connect directly to my LAN? and is it something a novice could do?

    If that’s not an option for a novice, is there any way to set up 2FA in NextCloud?

    1. Dr. Downling-
      LOL I see your guide walks through setting up nginx on the home network.
      I’m still curious to know if there are benefits to setting up the reverse proxy outside the home network. In the meantime though, I’m going to continue to follow your guide. I really appreciate the time you put into this project, especially the explanations along the way.

  173. There is definitely two factor with nextcloud. You could also put an authentication gateway in front of your nextcloud. I’ve used a project known as authelia and it works well and I need to sign in with a duo push… Google authenticator is also supported. You could look into using client ssl certs, however that’s kind of a pain if using mobile devices. You could also look into putting your nextcloud behind a VPN, which is what I do. I use openvpn and it works well on phone, tablet and computer. WireGuard is another choice, although the project isn’t as mature. You could also incorporate fail2ban. There are a lot of ways to tackle your issue, just beware of running a public facing server. I don’t know what benefit running your connection through a reverse proxy located on a cloud vpn would give you, unless you are doing some type of user, ip, domain filtering at the level of the reverse proxy.

  174. Mr. Dowling-
    I finally have everything up and running. I followed your guide, including running nextcloud through nginx.

    Can you tell me if nextcloud’s brute force protection, and optional geo based ip blocking still work, given that nginx is handling the requests from outside the network? I’m guessing nextcloud needs to know the public IP making the request for either of these to function properly. I have 2FA on, but it would still be nice to use these additional protections.

    Thanks,
    Jason

    1. About geo based IP blocking, you can implement it in nginx reverse proxy by adding directives such as:
      allow 192.168.0.1/24; # whatever your LAN is
      allow 15.16.17.18; # Your workplace IP
      allow 64.41.200.0/24; # ssllabs.com
      deny all;

  175. Hey Sam,

    Thanks for the incredible Nextcloud tutorial. I struggled upgrading my older jail from the GUI and decided to just do a fresh jail. Everything was going well, as I was able to do the web configuration and see all my previous users and file structure. Great success! I continued on with your guide, adding Redis, at which point I got an Internal Server Error. Turns out redis wasn’t running, so restarted it and seemed like everything was back to normal. However, I wasn’t able to see any of my files, just the web interface. A pop-up in the corner said Connection to server lost, and the Security & setup warnings had Your web server is not yet properly set up to allow file synchronization, because the WebDAV interface seems to be broken.. Looking at the Logging through the nextcloud GUI, it shows a RedisException: No such file or directory. I’ve confirmed that I have a file at /var/run/redis/redis.sock and not at /tmp/redis.sock.

    Any ideas?

    Thanks!

  176. Awesome guide! Agree that setting this up is such an involved process which took me a couple of weeks but I have learnt so much!!! thank you Sam… you are the best 😉

  177. Great write up. I’ve got Nextcloud up and running on my Freenas box. Just after doing this, I noticed my Emby plugin (media server), which is in a jail, was corrupted, so I removed it. Now when I try to install it, I am not able to, as I get an error “emby_jail has a missing configuration, please check that the dataset is mounted”. I’ve tried to install another plug-in and also get told the dataset isn’t mounted. I’m not familiar enough with the iocage commands you’ve used (and some of the others) to recognise where I might have damaged something. (I have two drives fitted but not mounted which may have had jails on them in a previous configuration)?

    1. Andy your last thought sounds like it matches the symptoms. Have you set your default jail dataset to be the one that’s not currently mounted? If so, it may be trying to create a dataset on an old pool. Regardless, this doesn’t sound related to the nextcloud guide – these instructions just create a new jail, and the changes are mostly localised to that jail. I’d recommend asking a question on the truenas forums if changing your default jail pool doesn’t solve your issues.

  178. Hi Samuel

    I used both this guide and your reverse proxy guide to help install Nextcloud in my Truenas box. It took awhile but I’ve had both running with seemingly no issues for a couple of months now. I also used them as a template to install additional jails.
    I recently decided to install the Nextcloud app on my cell phone and tablet in order to take advantage of the auto-upload feature and upload my photos and videos as they occur. And ran smack into the “Request Entity too large” issue. It would upload smaller files with no issues, but any large file got hung up.
    After some research, I found that there are settings both in Nextcloud / Apache as well as Nginx for the reverse proxy that must be changed. I am including them here in case somebody else is running into the same issue. You might also want to touch on this when you update your document.

    Changes in Nextcloud are:
    Update the php.ini file (/usr/local/etc/php.ini)
    Change the post_max_size and upload_max_filesize settings from 1999M as outlined in your document to 16G. 16G might be a bit high, but I found most of my images were greater than 2G. This size will also allow me to save bigger videos and such.

    Update .user.ini (/usr/local/www/nextcloud/.user.ini)
    Add the same lines to that file

    Changes in Nginx reverse proxy jail
    According to what I’ve read online, it seems that Nginx has a default max size of 1G, so any higher limit has to be explicitly stated.

    Update Nginx.conf (/usr/local/etc/nginx/nginx.conf)
    Update the http { } section to add the following line
    client_max_body_size 16400M;

    The new http section looks like
    http {
        client_max_body_size 16400M;
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        # Redirect all HTTP traffic to HTTPS
        server {
            listen 80 default_server;
            listen [::]:80 default_server;

            return 301 https://$host$request_uri;
        }

        # Import server blocks for all subdomains
        include "vdomains/*.conf";

    }

    Once I made these changes and restarted the respective services, all my cell phones and tablets synced and uploaded all the files to Nextcloud with no issues.

    Once again, thanks for all the work you put into creating these how-to’s. They were immensely helpful .

    Doug

    1. I’ve done some additional tests and it looks like it’s not necessary to update the .user.ini file. Updating the Nextcloud php.ini and the nginx nginx.conf file still allows large files to be uploaded.

      Doug

  179. Thank you for this in depth writeup. Together with this and your tutorial on setting up a reverse proxy I was able to successfully install Nextcloud on my FreeNAS system and get everything up and running.

    I have run into one issue with certificates though:
    My certificate is for my DDNS domain, so for mydomain.duckdns.org. This is the domain I have used in all the configs as well and I can reach my Nextcloud without issue and the certificate is valid. I even got an A+ on SSLLabs, so I’m happy 😉

    I have now set up a CNAME record for my personal domain (cloud.mydomain.com to mydomain.duckdns.org). The redirect works fine, but I get an “This connection is not private” error, as the certificate is for the duckdns domain and not for my personal domain.

    I am confused what to do here – should I instead have used my personal domain in all the settings? Or do I simply need to add another certbot for my personal domain (which already has a let’s encrypt certificate through my webhoster)?

    Thank you for your help!

  180. Hey Samuel,

    everything is working so far, but I got freezes when uploading big files in gui.
    I got stuck at processing. Filelimit and timeouts are increased.
    After reloading the page, everything seems to be uploaded.

    Nothing special in nextcloud.log

    Do you have an idea?

  181. I noticed that for the nextcloud install you show the install of version 11.3. Will these instructions still function for Truenas with FreeBSD 12.2-release to install NextCloud 21, and mysql 8.0?

    1. I haven’t tested it but the process is pretty generic and I doubt there are any substantial differences between an 11.3 iocage jail and a 12.2 iocage jail. Sometimes there are idiosyncratic differences in configuration for application version upgrades, so MySQL is probably the likely candidate for any differences. Note that I use mariadb. Hope this helps, cheers.

  182. Any experience with upgrading to Nextcloud 21? I’ve heard a lot of problems on other platforms. I’ve yet to make the jump.

  183. Hello everyone!
    Performed a small pkg update/upgrade tonight (like most Fridays). I can’t remember exactly what packages were updated, but nothing I haven’t seen before. Anyway it seemed minor.
    I can’t find my nextcloud log. I don’t have a /var/log/nextcloud directory for some reason. Hoping someone can help.

    There’s a mention here which is interesting from my httpd-error.log: Uncaught Error: Class ‘OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin’ not found in /usr/local/www/nextcloud/remote.php:61\nStack trace:\n#0 /usr/local/www/nextcloud/remote.php(169): handleException()\n#1 {main}\n thrown in /usr/local/www/nextcloud/remote.php on line 61′

    In looking at the remote.php file line 61 states:
    $server->addPlugin(new ExceptionLoggerPlugin(‘webdav’, \OC::$server->getLogger()));

    Here are some logs:
    Nginx error log:
    2021/03/05 17:17:34 [error] 4773#100864: *434 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: 192.168.150.1, server: cloud.mydomain.com, request: “GET /status.php HTTP/1.1”, upstream: “http://192.168.150.23:80/status.php”, host: “cloud.mydomain.com”

    httpd-error.log:
    [Fri Mar 05 17:46:16.251016 2021] [mpm_prefork:notice] [pid 6011] AH00169: caught SIGTERM, shutting down
    [Fri Mar 05 17:46:16.341116 2021] [mpm_prefork:notice] [pid 6794] AH00163: Apache/2.4.46 (FreeBSD) configured — resuming normal operations
    [Fri Mar 05 17:46:16.341507 2021] [core:notice] [pid 6794] AH00094: Command line: ‘/usr/local/sbin/httpd -D NOHTTPACCEPT’

    [Fri Mar 05 18:52:13.144605 2021] [proxy_fcgi:error] [pid 6797] [client 192.168.150.15:15879] AH01071: Got error ‘PHP message: PHP Fatal error: Uncaught Error: Class ‘OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin’ not found in /usr/local/www/nextcloud/remote.php:61\nStack trace:\n#0 /usr/local/www/nextcloud/remote.php(169): handleException()\n#1 {main}\n thrown in /usr/local/www/nextcloud/remote.php on line 61′

    This is what happens when I try to run an occ command:
    An unhandled exception has been thrown:
    Doctrine\DBAL\DBALException: Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [2002] No such file or directory in /usr/local/www/nextcloud/lib/private/DB/Connection.php:72
    Stack trace:
    #0 /usr/local/www/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php(1449): OC\DB\Connection->connect()
    #1 /usr/local/www/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php(892): Doctrine\DBAL\Connection->getWrappedConnection()
    #2 /usr/local/www/nextcloud/lib/private/DB/Connection.php(202): Doctrine\DBAL\Connection->executeQuery()
    #3 /usr/local/www/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Query/QueryBuilder.php(206): OC\DB\Connection->executeQuery()
    #4 /usr/local/www/nextcloud/lib/private/DB/QueryBuilder/QueryBuilder.php(217): Doctrine\DBAL\Query\QueryBuilder->execute()
    #5 /usr/local/www/nextcloud/lib/private/AppConfig.php(345): OC\DB\QueryBuilder\QueryBuilder->execute()
    #6 /usr/local/www/nextcloud/lib/private/AppConfig.php(110): OC\AppConfig->loadConfigValues()
    #7 /usr/local/www/nextcloud/lib/private/AppConfig.php(301): OC\AppConfig->getApps()
    #8 /usr/local/www/nextcloud/lib/private/legacy/OC_App.php(949): OC\AppConfig->getValues()
    #9 /usr/local/www/nextcloud/lib/private/Server.php(668): OC_App::getAppVersions()
    #10 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(155): OC\Server->OC{closure}()
    #11 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(118): OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility{closure}()
    #12 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(122): Pimple\Container->offsetGet()
    #13 /usr/local/www/nextcloud/lib/private/ServerContainer.php(156): OC\AppFramework\Utility\SimpleContainer->query()
    #14 /usr/local/www/nextcloud/lib/private/Server.php(1677): OC\ServerContainer->query()
    #15 /usr/local/www/nextcloud/lib/private/Server.php(1017): OC\Server->getMemCacheFactory()
    #16 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(155): OC\Server->OC{closure}()
    #17 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(118): OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility{closure}()
    #18 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(122): Pimple\Container->offsetGet()
    #19 /usr/local/www/nextcloud/lib/private/ServerContainer.php(156): OC\AppFramework\Utility\SimpleContainer->query()
    #20 /usr/local/www/nextcloud/lib/private/Server.php(1977): OC\ServerContainer->query()
    #21 /usr/local/www/nextcloud/lib/private/Files/View.php(118): OC\Server->getLockingProvider()
    #22 /usr/local/www/nextcloud/lib/private/Server.php(395): OC\Files\View->__construct()
    #23 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(155): OC\Server->OC{closure}()
    #24 /usr/local/www/nextcloud/3rdparty/pimple/pimple/src/Pimple/Container.php(118): OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility{closure}()
    #25 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(122): Pimple\Container->offsetGet()
    #26 /usr/local/www/nextcloud/lib/private/ServerContainer.php(156): OC\AppFramework\Utility\SimpleContainer->query()
    #27 /usr/local/www/nextcloud/lib/private/Server.php(1324): OC\ServerContainer->query()
    #28 /usr/local/www/nextcloud/lib/base.php(595): OC\Server->boot()
    #29 /usr/local/www/nextcloud/lib/base.php(1091): OC::init()
    #30 /usr/local/www/nextcloud/console.php(49): require_once(‘/usr/local/www/…’)
    #31 /usr/local/www/nextcloud/occ(11): require_once(‘/usr/local/www/…’)
    #32 {main}root@nextcloud:/usr/local/www/nextcloud/config #

    Thanks in advance!

    1. Should have mentioned that I’m getting an internal server error. It’s been working fine for over 2 years now. No issues.

      1. It looks like my mysql.sock is no longer in /tmp. I’m not able to connect to the database. I’m not able to find it. How do I get it back?

          1. problem is that actual packages are built for 12.2, so the new database binary was not compatible with the jail anymore.
            A ‘sudo iocage upgrade -r 12.2-RELEASE nextcloud’ fixed the problem

  184. Hi @SAMUEL.DOWLING and thanks for this awesome tutorial !
    Nextcloud works perfectly and I’m now trying to integrate onlyoffice.
    My onlyoffice server is up and running but it looks like it is blocked by nextcloud.

    I can link my onlyoffice server to nextcloud but when I try to edit a document it looks like nextcloud just blocked this access to onlyoffice. Do you have any idea ? I guess it is linked to the hardened security of nextcloud.

    Thanks 🙂

    1. Hi Marwane,

      I’m not sure specifically what the issue is, but I suspect that the reverse proxy needs to forward additional endpoints to the nextcloud server when you’re trying to edit documents. I don’t use only office, so I can’t provide any specific advice, but you could start by doing some research in to reverse proxy settings for only office. If worst comes to worst, you can open up the “Inspect Element” tab, and inspect network traffic – which endpoints are requests going to, and adding these to your reverse proxy config. This is more time consuming, so prioritise finding some documented configuration if you can.

      Hope this helps.

      Cheers

  185. Hi Samuel,
    thank you for this great tutorial. I have my nextcloud up and running.
    I have a question about a particular case: I use my nextcloud, among other things, for clients to share big amounts of data with me.
    It would be great if I could simply create a share to the cloud dataset so I can manually move those files to a different dataset once I’ve received them. As it stands, I have to either download or sync them locally first and then move them back to the FreeNas system, onto their target dataset, which obviously isn’t a great way of doing it – especially with big amounts of data.

    But the only way to create a share to the cloud dataset would be to allow samba authentication for the www user, and I’m not sure I should do that? Do you have a suggestion on how I could & should handle this?

    Thanks!

    1. Oh, and another question on AIDE:
      I have set everything up as described in the tutorial, but I’m receiving an email every night saying my database has been modified. It’s usually the same entry, saying:

      AIDE found differences between database and filesystem!!

      Removed entries:

      c————: /dev/fd/5

      What does this mean?

      1. Hi Markus, it means that a file descriptor has opened or closed. Since everything on unix is represented as a file, aide is picking this up as a difference. I get the same behaviour, and I don’t think it’s anything to worry about – I’m pretty sure it’s caused by creating a temporary file containing the contents to email. I haven’t tested this, but I think you could probably add /dev/fd/5 E to /usr/local/etc/aide.conf to ignore changes to this file descriptor. I’m still confirming that this will make the appropriate change though.

    2. Hi Markus! I definitely don’t recommend creating a smb share to the cloud dataset – nextcloud assumes it has complete control over it, so I’m not sure how adaptive it will be if changes are being made (a possibility you open up by creating a share to it). If your usecase can be simplified to a workflow such as “I want all files in folder X to be moved to folder Y”, you could set this up relatively simply using rsync and a cron job. rsync is a tool that helps you synchronise the file structure of one directory with another. This is a guide that should provide you with some broad guidance on how to achieve this: https://www.howtogeek.com/135533/how-to-use-rsync-to-backup-your-data-on-linux/

      Note that it’s an example using linux, so the rsync command line options may vary (they may not, I haven’t confirmed this). I’ve noted that they also use the -delete command line option to remove files in the target folder to maintain an exact mirror of the source directory in its current state. It sounds like this might not be what you’re after, so just remove that flag if that’s the case. For more information on rsync, see man rsync.

      Hope this helps.

      Cheers.

  186. Thanks for this guide, I wished I could have finished it. But no matter how careful I follow it, I can’t get past the MariaDB initial setup and get stuck with the “ERROR 2002 (HY000): Can’t connect to local MySQL server through socket” error.
    I’m on TrueNas 12.1, maybe it’s different here as I’m almost convinced, this is a permission/ownership issue. But I don’t know, how to get to the bottom of this. So no Nextcloud for me… 😩

    1. Hi Max,

      I’ve tried to reproduce this and haven’t been able to. Is this a brand new installation or are you migrating from an old one? Have you confirmed that the socket exists at /tmp/mysql.sock? Have you confirmed that the mysql server is actually running? service mysql-server status? If it is running, what are the permissions? ls -al /tmp/mysql.sock – I wouldn’t imagine that this is a permissions issue since you’re using the root account, but stranger things have happened.

      1. In the end, as it is so often the case, the fault lay somewhere else entirely. Probably only a beginner like me makes such a stupid mistake.

        When creating the jail, I had declared a wrong FreeBSD version number and simply overridden it. As a result, nothing worked anymore, of course and I got loads of error messages. After I corrected that, everything worked pretty smoothly.

        Nextcloud 21 is up and running now, but there are still a few open issues:
        – internally via cloud.mydomain.com not reachable
        – not reachable from the outside
        – no SSL encryption
        (all issues worked perfectly on my Ubuntu installation, so they will probably work here too – eventually)

        access to my SMB share (probably via external drive)

        One more question:
        Is there an easy way to change the db password of the nextcloud_admin user?

        Thanks for all the work behind a tutorial like this!

  187. Ok, it’s me once more.

    In the meantime, I made a reinstall (again) but this time everything runs smoothly… so far. Even the remote access. I’ve got 2 questions please:

    what is the proper chmod for the redis.sock?
    After following the install, the permissions were
    srwx------ 1 redis redis 0 Mar 29 18:36 redis.sock and resulted in a server error (couldn’t reach…)
    In Samuel’s guide they are: srwxrwx--- 1 redis redis 0 MMM D HH:MM redis.sock
    After changing the permissions to chmod 777 they became srwxrwxrwx 1 redis redis 0 Mar 29 18:36 redis.sock and NC was available again. So far so good, but isn’t 777 the everything open setting and a security risk?
    What would be the proper chmod setting for the redis.sock file?

    On my Ubuntu install, it was fairly easy to install a Let’s encrypt certificate. Wouldn’t something similar be possible here too? The syntax was:

    create Let’s Encrypt SSL-Certificate

    #install certbot
    apt install certbot python3-certbot-apache

    certbot --apache -m master@domain.com -d cloud.domain.com

    Thank you

    1. Hi Max, I suggest you go over the guide again, I do have a section that deals explicitly with the redis issue. Essentially, you don’t chmod the socket because the socket is ephemeral (it will revert to default perms whenever it is recreated, i.e. when the redis service restarts). With this in mind, you set the unixsocketperm value in redis.conf to 770 so that it has 770 perms when created. You can then add the www user (user that runs nextcloud) to the redis group such that it has the required access.

      Similarly, I do address configuration of SSL certificates by setting up a reverse proxy jail. This has the benefit of being the central point of management for SSL certs for all of your services, and it uses certbot to achieve this. See the relevant section of the nextcloud guide for nextcloud specific configuration of this, and the reverse proxy guide for details on how to set everything up.

      Note that if you don’t want to set up a reverse proxy, a previous version of the guide addressed setting this up in the nextcloud jail directly. All previous versions of this guide are tagged on GitHub – you can see the relevant version here.

      Hope this helps.

      Cheers.
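
The check described in the reply above, as an added example that is not part of the original thread or the guide: it reads `unixsocketperm` from a redis.conf, classifies the resulting socket mode, and confirms that `www` is a member of the `redis` group. Function names are hypothetical, and the config and group files (including the GID) are constructed samples.

```shell
#!/bin/sh
# Added example, not the guide's code. Function names are hypothetical and the
# config and group files below are constructed samples.

# Print the last uncommented value of KEY from a redis.conf-style file.
redis_conf_value() {    # FILE KEY
    awk -v key="$2" '
        $1 ~ /^#/ { next }                  # ignore commented-out directives
        tolower($1) == key { val = $2 }     # a later directive overrides an earlier one
        END { gsub(/"/, "", val); print val }
    ' "$1"
}

# Classify an octal mode (700, 770, 777 ...) for the Redis unix socket.
socket_mode_verdict() {    # MODE
    smv_mode=$1
    case $smv_mode in
        '') echo "unset"; return 0 ;;
        *[!0-7]*) echo "invalid"; return 0 ;;
    esac
    smv_other=${smv_mode#"${smv_mode%?}"}       # last digit: everyone else
    smv_rest=${smv_mode%?}
    smv_group=${smv_rest#"${smv_rest%?}"}       # digit before it: group
    [ -n "$smv_group" ] || smv_group=0
    if [ "$smv_other" -ne 0 ]; then
        echo "world-accessible"     # any local account can reach Redis
    elif [ $(( $smv_group & 6 )) -ne 6 ]; then
        echo "group-denied"         # group members (www) cannot connect
    else
        echo "ok"                   # owner and group only
    fi
}

# Convert the mode column of `ls -l` (e.g. srwxrwx---) to octal digits.
ls_mode_to_octal() {    # MODESTRING
    lmo_bits=${1#?}                 # drop the file-type character
    lmo_out=""
    for lmo_i in 1 2 3; do          # owner, group, other
        lmo_rest=${lmo_bits#???}
        lmo_triplet=${lmo_bits%"$lmo_rest"}
        lmo_digit=0
        case $lmo_triplet in r??) lmo_digit=$(( $lmo_digit + 4 )) ;; esac
        case $lmo_triplet in ?w?) lmo_digit=$(( $lmo_digit + 2 )) ;; esac
        case $lmo_triplet in ??[xst]) lmo_digit=$(( $lmo_digit + 1 )) ;; esac
        lmo_out=$lmo_out$lmo_digit
        lmo_bits=$lmo_rest
    done
    echo "$lmo_out"
}

# Verdict for an existing socket, read from the mode column of `ls -ld`
# (the same on FreeBSD and Linux, unlike the format flags of stat).
socket_path_verdict() {    # PATH
    spv_mode=$(ls -ld "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$spv_mode" ] || { echo "missing"; return 0; }
    socket_mode_verdict "$(ls_mode_to_octal "$spv_mode")"
}

# Succeed if USER is a listed member of GROUP in a group(5)-format file.
user_in_group() {    # FILE GROUP USER
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Demo on constructed input: a 777 config beside the 770 setting from the reply.
demo=$(mktemp -d)
cat > "$demo/weak.conf" <<'EOF'
unixsocket /var/run/redis/redis.sock
unixsocketperm 777
EOF
cat > "$demo/guide.conf" <<'EOF'
# unixsocketperm 700
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
EOF
printf 'redis:*:535:www\n' > "$demo/group"
for conf in weak guide; do
    perm=$(redis_conf_value "$demo/$conf.conf" unixsocketperm)
    echo "$conf.conf: unixsocketperm=$perm -> $(socket_mode_verdict "$perm")"
done
user_in_group "$demo/group" redis www && echo "www is in the redis group"
for seen in srwx------ srwxrwx--- srwxrwxrwx; do    # modes quoted in the thread
    echo "$seen -> $(socket_mode_verdict "$(ls_mode_to_octal "$seen")")"
done
rm -rf "$demo"
```

Inside the jail, point `redis_conf_value` at the real redis.conf, `socket_path_verdict` at the socket path and `user_in_group` at `/etc/group`.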

  188. Hello, i have been running Nextcloud installed as a plugin on a FreeNAS server for quite some time now using acme certs and haproxy to access it via my own FQDN from outside which has worked really well. In this time, i have managed to fix all issues i came across, also with the help of this tutorial and the comments except for these 2:

    Your web server is not properly set up to resolve “/.well-known/caldav”.
    Your web server is not properly set up to resolve “/.well-known/carddav”.

    which didn’t bother me too much since i wasn’t using this functionality anyways.

    Recently, i did a completely new install on a new server and again, managed to get all the security and setup warnings removed except for the above and 2 new ones:

    Your web server is not properly set up to resolve “/.well-known/webfinger”.
    Your web server is not properly set up to resolve “/.well-known/nodeinfo”.

    This time, i am determined to also get this resolved. I did pay close attention during the setup and i have 2 observations:

    these notifications were not there after the initial installation. They only appeared after i added ‘overwriteprotocol’=> ‘https’, to config.php which is needed to allow the mobile app versions to connect to the server via the FQDN and after which i routed the FQDN to the internal server IP via HAproxy.
    I only get these notifications when i access nextcloud via my firefox browser or Edge (just for checking). I do not see them popping up when accessing nextcloud via Safari on my Macbook.

    I have looked at all the possible provided solutions but all seems ok. I would really appreciate if someone could point me in the right direction on where to look next.

    Many thanks, Dominique

    1. Hi Dominique, as I discuss in my guide, the caldav and carddav endpoints need to be added to your reverse proxy config. In nginx, it looks like this:

      server {
              listen 443 ssl http2;
      
              ... snip ...
      
              location /.well-known/carddav {
                      return 301 $scheme://$host/remote.php/dav;
              }
              location /.well-known/caldav {
                      return 301 $scheme://$host/remote.php/dav;
              }
      }
      

      I suspect that you also need entries for the webfinger and nodeinfo endpoints, but I’ve never seen these before so I have no idea what they refer to or what the appropriate redirection would be.

      Hopefully this helps direct your research though!

      Cheers.

      1. so since i am using the haproxy package in pfsense as my reverse proxy, i would need to look there? I fear this is a bit unexplored territory for me as i have done the complete setup via the pfsense GUI. Never had to go on shell level in pfsense.

        1. I’m not sure what interface pfsense provides for haproxy – I guess whether you’ll need to delve into the shell and haproxy config files will depend on how exhaustive the pfsense-provided GUI is. What you’ll need to do is work out how to redirect requests to those endpoints (i.e. /.well-known/carddav) using a 301 redirect to the remote.php file in your nextcloud web root, with the /dav endpoint (example, redirect to: http://192.168.0.30/remote.php/dav, where the IP is the IP of your jail – details of this will be different for your specific situation – it sounds like you’re using https for example). This problem is arising essentially because your reverse proxy doesn’t know how to route requests for these services (I think this is essentially because it assumes an apache web server is receiving the requests, which is why requests go to the /.well-known/... endpoint). Anyway, your research should probably focus on how to configure haproxy to do this. I know a number of people have attempted this on the freenas/truenas forums, so that’s probably a better place for support. It’s worth noting that you’re probably going to get advice to switch to a scripted/manual installation though – the plugin wasn’t updated very regularly last time I checked and it overly complicates the process unnecessarily.

          1. well, you did hint me in the right direction here. I never considered that haproxy had something to do with it. Some research led me to the netgate forums where it was suggested to add http-request redirect code 301 location /remote.php/dav/ if { path -m reg “^/.well-known/(cal|card)dav” } to the “advanced pass through” in the HAproxy frontend setup and that worked perfect.

            Now i still have to find out the 2 others:

            Your web server is not properly set up to resolve “/.well-known/webfinger”.
            Your web server is not properly set up to resolve “/.well-known/nodeinfo”.

            If i find it, i will post the solution here for future reference.

  189. Hey Samuel, nice guide! Thanks for your hard work. I followed the instructions and installed Nextcloud 21 together with PHP 8 (according to the nextcloud homepage, v21 works with PHP 8 now). During the setup it looked like everything worked, but unfortunately I can not login via the webinterface. Nothing happens. Without an error message I am directly redirected to the login page. Do you have any idea what the problem could be? I can’t find anything useful in the log files.
    Thank you very much in advance!

  190. Hello
    I’m confused with the crontab/cronjobs please.

    The initial 15m cronjob, as described above, is the system crontab, executed by the www user, right? Additional cronjobs will be stored in the user crontab, executed by the logged in user, in my case the root user, also right? That would mean, I leave the system crontab untouched and store all other jobs in the user crontab, by calling crontab -e?

    Does the syntax in the crontab itself goes with or without the dashed and stars? The 15m default cronjob has
    */15 * * * * /usr/local/bin/php…..
    The check aide script further below uses
    06 01 * * * /scripts….

    The script runs flaw free manually executed, but not with the cronjob. Right now, I’ve got it placed in the system crontab, right under the 15m default cronjob with the */06 */01 * * * syntax, which is probably wrong (syntax and file).

    I also wanted to add a Letsencrypt renew job by adding
    */47 */02 * * * certbot renew --quiet --post-hook 'service apache24 restart'

    Is that correct?
    Is there a log, where I could check if it works or not?

    Thank you
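
How cron reads the minute and hour fields of the schedules quoted in the comment above, as an added example that is not part of the original thread: each field is expanded into the values it matches, then the runs per day are counted. Function names are hypothetical, and the count assumes the day-of-month, month and day-of-week fields are all `*`.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.

# Read a cron number as decimal ("06" -> 6); fail on anything but digits.
cron_number() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    echo "$1" | sed 's/^0*\([0-9]\)/\1/'
}

# Expand one numeric cron field into the sorted values it matches.
# Handles *, */step, N, A-B, A-B/step and comma lists; names such as
# "mon" or "jan" are not handled.
expand_cron_field() {    # FIELD MIN MAX
    ecf_min=$2; ecf_max=$3; ecf_out=""
    ecf_ifs=$IFS; IFS=,
    set -f                      # a bare * must not glob while splitting on commas
    set -- $1
    set +f; IFS=$ecf_ifs
    [ $# -ge 1 ] || return 1
    for ecf_part in "$@"; do
        ecf_step=1; ecf_range=$ecf_part
        case $ecf_part in
            */*) ecf_step=${ecf_part#*/}; ecf_range=${ecf_part%%/*} ;;
        esac
        case $ecf_range in
            '*') ecf_lo=$ecf_min; ecf_hi=$ecf_max ;;
            *-*) ecf_lo=${ecf_range%%-*}; ecf_hi=${ecf_range#*-} ;;
            *)   ecf_lo=$ecf_range; ecf_hi=$ecf_range ;;
        esac
        # Reject a zero step, non-numeric parts and values outside MIN..MAX.
        ecf_step=$(cron_number "$ecf_step") && [ "$ecf_step" -ge 1 ] || return 1
        ecf_lo=$(cron_number "$ecf_lo") && ecf_hi=$(cron_number "$ecf_hi") || return 1
        [ "$ecf_lo" -ge "$ecf_min" ] && [ "$ecf_hi" -le "$ecf_max" ] || return 1
        ecf_v=$ecf_lo
        while [ "$ecf_v" -le "$ecf_hi" ]; do
            ecf_out="$ecf_out $ecf_v"
            ecf_v=$(( $ecf_v + $ecf_step ))
        done
    done
    printf '%s\n' $ecf_out | sort -n -u | xargs
}

# Runs per day for the MINUTE and HOUR fields, assuming the day-of-month,
# month and day-of-week fields are all "*".
runs_per_day() {    # MINUTE HOUR
    rpd_m=$(expand_cron_field "$1" 0 59) || return 1
    rpd_h=$(expand_cron_field "$2" 0 23) || return 1
    set -- $rpd_m; rpd_mc=$#
    set -- $rpd_h; rpd_hc=$#
    echo $(( $rpd_mc * $rpd_hc ))
}

# Minute and hour fields of the schedules quoted in the comment.
while read -r d_min d_hour; do
    printf '%-5s %-5s minutes=[%s] runs/day=%s\n' "$d_min" "$d_hour" \
        "$(expand_cron_field "$d_min" 0 59)" "$(runs_per_day "$d_min" "$d_hour")"
done <<'EOF'
*/15 *
06 01
*/06 */01
*/47 */02
EOF
```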

  191. I did it. And it worked before I rebooted the server.
    I also used the commands before rebooting:
    su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set trusted_proxies 0 --value="192.168.1.111"'
    root@nextcloud:~ $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set overwriteprotocol --value="https"'
    Now I have a white screen on cloud.example.com and I cannot access nextcloud IP address
    what should i do?

    1. Hi Alex, you’ve configured it to overwrite the protocol to use https. This won’t work if you don’t have a certificate, which even if you do have, won’t have for the IP address – it will be for a domain. you’ll need to access it via the domain name/host name you gave it, i.e. https://cloud.mydomain.com

        1. I’m not sure sorry – this looks like a Nextcloud error beyond my experience. Just trying to interpret the stack trace indicates that it’s failing when trying to call loadConfigValues – maybe check for syntax errors in <web root>/nextcloud/config/config.php and see if anything else stands out. Otherwise you could try going through the guide again from scratch or asking for help on the nextcloud forums.

          Sorry I couldn’t be more helpful!

          Cheers

          Sam

  192. Thank you. I didn’t find any error, but I did it again and everything works. You are the best!
    Please follow the installation guide for Bitwarden.

  193. Thanks so much for this guide. I’m really in awe of the depth and detail.

    I’ve run into an issue. The first time I tried to use wget, I get this:

    /lib/libc.so.7: version FBSD_1.6 required by /usr/local/bin/wget not found

    When I google this error, some websites suggest that I need to upgrade freebsd, but if I understood you correctly, the jail version can’t be a higher version than the host. I’m running FreeNAS-11.3-U5 and my jails are configured as 11.3-RELEASE.

    I will keep digging, but at the moment I’m not sure what to do. Thanks!

    1. Perhaps I need to upgrade to TrueNAS first and then follow this guide. It seems this is a common issue now that 11.3 is EOL

  194. Hello, it’s been a long time since I came around here. I went to update Nextcloud manually and it is giving me this error:

    root@nextcloud:/usr/local/www/nextcloud # chown -R www:www /usr/local/www/nextcloud
    root@nextcloud:/usr/local/www/nextcloud # find /usr/local/www/nextcloud -type d -exec chmod 750 {} \;
    root@nextcloud:/usr/local/www/nextcloud # find /usr/local/www/nextcloud -type f -exec chmod 640 {} \;
    root@nextcloud:/usr/local/www/nextcloud # cd
    root@nextcloud:~ # /usr/local/www/nextcloud $ su -m www -c 'php occ upgrade'
    /usr/local/www/nextcloud: Permission denied.

  195. Hello

    Has somebody upgraded from PHP 7.4 to 8.0 yet and would like to share his “how-to” and his/her experience? Since I’ve never done that before, I’d rather ask for anything to think of, than ruin a nicely running system. Also, does it make sense to upgrade or isn’t there any benefit?

    I was thinking of

    backup php.ini
    then uninstall/remove all 7.4 php packages
    install all 8.0 packages
    restore/paste php.ini
    restart php-fpm
    pray that everything works

    This seems almost too easy. Would there be more to it?

    Thank you

  196. Hello together,

    I have installed the new Nextcloud version 21.0.1 with this tutorial.
    But I have problems with redis.
    When I register redis in the config.php I can’t get access to the nextcloud.
    What’s the problem with redis?
    I installed php74

  197. Hi again,

    When I ignore the “su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'” for the config.php then nextcloud runs

  198. Hello
    I’m also trying to install coturn, but don’t really know how.

    I could install in the same jail as nextcloud, but then it will probably mess up db, since I have maria-db installed.
    Installing it in an own jail requires an own ssl-certificate – I think.

    So not quite sure what to do. Most how-to’s are for Linux. Would be fantastic, if it would be part of this guide.

  199. Hi all,

    Thanks Samuel!

    I have installed the Nextcloud on TrueNAS step-by-step with this guide.

    As I just want to use it locally and I don’t have a domain name, I want to create a self-signed certificate with OpenSSL and use it in Nextcloud.

    I already generated the key, but I don’t know how to configure NGINX in order to get it to work.

    Does anyone know how to configure it? Thanks!

  200. Hi All,

    I got the issues:
    Your web server is not properly set up to resolve “/.well-known/caldav”.
    Your web server is not properly set up to resolve “/.well-known/carddav”.

    This problem was solved by editing “cloud.example.com.conf” in the Nginx reverse proxy.
    I changed both lines from
    return 301 $scheme://$host/remote.php/dav;
    to
    return 301 $scheme://$server_name/remote.php/dav;

    I don’t know why “$host” does not work for me, but after changing to “$server_name” it seems ok now.

  201. Turning public access on and off.

    Hi Samuel, thanks for sharing your expertise with everyone who is interested.

    One suggestion or question. If I decide for any reason I want to turn off public access and have Nextcloud continue to work by point to 192.168.x.x local IP.
    Is there a set of steps I can do? Basically to revert back to every step before the SSL/TLS section.

    My thinking is:
    1. Turn off “ReverseProxy” jail
    2. Turn off port forwarding on 443 and 80.
    3… what do I need to do for nextcloud only visit local IP?

    Missing something or any steps not necessary?

    1. Hi Peter,

      The reverse proxy is designed to serve more services than just nextcloud, so doing this would disable all of those if you also have others. The more robust method is covered in the reverse proxy guide. Namely, pay attention to the creation of snippets/internal-access-rules.conf. This file can be included in your location block to deny requests from outside your local network.

      Cheers.

      1. Thanks, mate. By the way, I think I found out a way to do host override on a regular router for someone who doesn’t have Pfsense yet. I will leave a reply in your other blog post to help others.
        Best,

  202. Turn myself in for the universe of pros for help and pointers.
    I have been working on this for a while. Just did a two days marathon and now kind of stuck.

    Issue: not able to access outside my network. Behind the router, everything works fine with a domain via https://cloud.domain.com

    Repo: use cellphone data and chrome to hit https://cloud.domain.com
    Result: Error 522. Cloudflare page reporting “connection timed out.” Host error.

    Background:
    Followed this page and the other reverse proxy guide from the awesome author Samuel.
    1 Difference is Samuel used aws route53, and I am using cloudflare. Both have certbot plugin for generating certificate. Fact that I am able to run locally means my cert is ok.. I think..
    2 difference no DDNS configuration yet. I will do this later. My ISP does change my IP, but it is not an issue now. Rather have end-to-end working.

    Cloudflare DNS setting:
    Type A record with hostname point to content (my real IP issued by ISP). TTL set to Auto and Proxy status is “proxied”. (Cloudflare is masking my real IP)

    I debugged the following:

    in reverse proxy jail: /var/log/nginx/cloud.error.log showed no error

    /var/log/nginx/cloud.access.log nothing suspicious

    in nextcloud jail:/var/log/httpd-error.log

    AH01797: client denied by server configuration: /usr/local/www/nextcloud/config
    but time doesn’t match

    In Cloudflare I changed DNS status setting from “proxied” to DNS only. Still the same. Do I need to wait for changes to propagate?

    I think something wrong on the router side?
    As it points out here?
    https://community.cloudflare.com/t/community-tip-fixing-error-522-connection-timed-out/42325

    But I can’t find obvious settings on Asus router to allow this.

    When behind the router, dig cloud.domain.com gives me reverse-proxy’s jail ip. Means the host-resolver(dnsmasq) worked.
    When outside home network, dig cloud.domain.com gives cloudflare masked IP(Cloudflare-proxied) or my WAN-IP(Cloudflare-DNSonly). Neither works anyway.

    Can anyone shine some light here? Like what log to look for or enable, what keyword to search in google?

    I feel like we are at the last mile here. This is the furthest I got in all my attempts.

    1. Hey Peter, sounds like you’re making progress. If dig is returning the correct IPs that you expect to see, then it sounds like DNS resolution isn’t the issue. It does take time for changes to propagate to other DNS servers though. To rule out any DNS funky business, you could modify the hosts file on your client computer when connected to an external network, i.e., edit /etc/hosts (on macOS/linux), and add the following entry to the bottom:

      <Your WAN IP> cloud.example.com
      

      This will mean that your computer won’t try to resolve this with cloudflare, and instead will try to hit your WAN IP directly. Note that in this example, cloud.example.com must match the server_name directive value in your nginx config. If this works, it’s a problem with your cloudflare set up and I can’t help you. It sounds like it’s resolving the correct IP addresses though so hopefully this doesn’t work and we can rule cloudflare out as a problem.

      Connection timed out indicates that the request is getting lost somewhere – are you correctly port forwarding 80 and 443 from your WAN IP -> reverse proxy? This seems to be the likely candidate if DNS proves not to be the issue. This won’t be a certificate error – in the case of an invalid certificate you would get very specific error messages. Also note that if you still have include snippets/internal-access-rules.conf embedded in your vdomain config then you’ll get 403 Unauthorized responses when trying to access the service externally.

      HTH.

      Cheers.

      1. I run my nextcloud behind Cloudflare via a proxy setting so I can tell you the process works. It sounds like you may be having a DNS issue or proxy issue or firewall issue or reverse proxy or router port forwarding issue. In my opinion you want to kind of dumb down your setup. Try just setting up a webserver to serve a static page (like remove nextcloud from the equation).

        Use dig to confirm DNS is set up and confirm IP addresses are OK. Try accessing your WAN IP directly via IP address (to remove the Cloudflare reverse proxy from the equation) and see if you’re forwarded to your web page. (Browser might complain about HTTPS issues but just continue.) Accessing your WAN IP directly via IP address takes CF out of the equation.

        Test your connection to your webpage from inside and outside your LAN. If your router has the ability to access logs that might also be helpful. You want to determine if your stumbling block is your router, your reverse proxy, or your webserver. You’re correct in looking at the timestamps for new entries.

        1. I got it working. yay. Boost so much of my confidence in this sort of thing.
          It was port forwarding value had a typo.

          Editing host value on the client machine, or directly hitting WAN IP both I rule Cloudflare out I think. I went with the browser directly hitting the IP addr.

          I think the request goes through this flow for the next person trying to debug this.

          1. DNS server --> 2. Firewall on router or your local environment --> 3. Port forwarding --> 4. Reverse proxy --> 5. Webserver (next cloud)

          To rule out 1. edit the host file on the machine or hit WAN IP directly
          to rule out 2. if you are using Cloudflare check out this link: https://community.cloudflare.com/t/community-tip-fixing-error-522-connection-timed-out/42325

          to rule out 3. double-check port forwarding value? If you are able to see the webpage via direct hitting WAN IP, port forwarding probably works. For me, directly hitting WAN IP can’t send my request from the router to reverse proxy. Basically, 2 is not getting to 4 from the above flow.

          To rule out 4, double-check Samuel’s awesome blog on the reverse proxy.
          To rule out 5, as Kev said, serve a simple static page. On this blog page, there is a step after you set up Apache. The Apache status page. That can be the “simple static page”.

          I can go ahead and enjoy the next cloud I build and move on to the next project. :thumbs-up;

  204. Thanks for the very detailed guide Samuel! I probably spent a good week reading through it again and again before embarking on setting up Nextcloud 21.

    One question I have is that although I followed your steps to set up a ‘jailhouse’ dataset and the sub-directories, it appears that nextcloud jail was installed in the existing iocage that houses my UniFi and Plex jails. I really like your strategy for separating the stored data (nextcloud files, plex media, etc.) and the databases separately. Is there a way to migrate iocage and all of the jails to the SSD? Right now, though I followed your instructions, my directory structure looks like this:

    SOURCE:
    /mnt/jailhouse/apps/nextcloud/config
    DESTINATION:
    /mnt/DATAVAULT/iocage/jails/nextcloud/root/usr/local/www/nextcloud/config

    SOURCE:
    /mnt/jailhouse/apps/nextcloud/db
    DESTINATION:
    /mnt/DATAVAULT/iocage/jails/nextcloud/root/var/db/mysql

    SOURCE:
    /mnt/jailhouse/apps/nextcloud/themes
    DESTINATION:
    /mnt/DATAVAULT/iocage/jails/nextcloud/root/usr/local/www/nextcloud/themes

    SOURCE:
    /mnt/DATAVAULT/cloud
    DESTINATION:
    /mnt/DATAVAULT/iocage/jails/nextcloud/root/mnt/data

    Could I be running into this issue because I already had UniFi and Plex jails installed in the traditional IOCAGE location?

  205. Hi, I tried to follow your steps but got in trouble right at the beginning of installing the database.
    I got the following error after entering the command “service mysql-server start”:
    Installing MariaDB/MySQL system tables in ‘/var/db/mysql’ …
    ld-elf.so.1: /usr/local/libexec/mysqld: Undefined symbol “memalign@FBSD_1.6”

    Running in a 12.2 jail with mariadb104 like you described below…

    1. Try using the more recent version mariadb105-server. All the commands should still work the same way. You can uninstall mariadb104 with “pkg delete mariadb104-server && pkg autodelete”

      1. I tried yesterday mariadb102, without success. But after upgrading the jail on 12.2 it worked fine… kind of magic for me…

        Now I’m struggling with the configuration of redis. After adding the lines in nextcloud config.php I get an error on loading the site. Your described commands lead to these lines in the config file:
        'redis' =>
        array (
          'host' => '/var/run/redis/redis.sock',
          'port' => 0,
        ),
        'memcache.local' => '\OC\Memcache\APCu',
        'memcache.locking' => '\OC\Memcache\Redis',

        Is that all right? The redis service is started without errors.

        1. For some reason I used double back slashes like this ‘\OC\Memcache\Redis’ and ‘\OC\Memcache\APCu’
          I don’t know why.
          Make sure you give the redis group permission to the service by editing the line ‘unixsocketperm 770’ in /usr/local/etc/redis.conf and you add the user www to redis group with “pw usermod www -G redis”

          1. Oh, the double back slashes are removed by the blog’s website. You probably did it correctly.

  206. Tried to update from 21.0.2 to 21.0.3 using the manual method (like I always do). I get the following error when I run the command: su -m www -c 'php occ upgrade'

    An unhandled exception has been thrown:
    OC\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)

    I restored back to 21.0.2 for now. Has anyone seen this error? I currently have php74-pecl-APCu-5.1.20 installed.

    1. Ugh… yes. I just nuked the jail and planned to try again in the morning when I saw your post. I updated to TrueNAS and installed 12.2-RELEASE in the jail and was getting that error installing latest Nextcloud. Thanks for the tip regarding 21.0.2 as previously working. I’ll try to install that version instead.

    2. I had this same issue and after some research I found that you can append --define apc.enable_cli=1 to the cron job and that corrected the issue for me. I know you can also apply this in the php.ini file however I wasn’t able to find apcu in there. I had tried to just not use APCu and use Redis instead for local caching but that resulted in an internal server error. I am not sure if what I did is good for a long term fix however all is now working properly. So to clarify, your current cron job will look like */15 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php
      Mine now looks like this */15 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php --define apc.enable_cli=1

  207. I’ve got a cron problem updating to Nextcloud version 21.0.3

    For me the solution was apc.enable_cli = 1 in php.ini
    editing with
    nano /usr/local/etc/php.ini
    service php-fpm restart
    service apache24 restart

    1. I used the apc.enable_cli=1 in php.ini to fix it like Othergo did. The latest Nextcloud Admin document has a note about doing this or the cron fix like Chad did.

  208. I updated with pkg update and upgrade my jail this afternoon. Mariadb 10.4.17 to 19 I think

    Anyhow, my database does not start any more.
    Any ideas? I posted lots of screenshots and stuff here. No sockx and not even finding a log why it doesn’t start.
    service mysql-server start
    -> fine
    service mysql-server status
    not running.
    https://www.computerbase.de/forum/threads/mariadb-startet-nach-update-nicht.2030752/post-25800436

    You could also respond here if you have an idea. I’ve already tried for 10h to sort this out

  209. Hi, thanks for this brilliant tuto !
    I managed to get my nextcloud up and running behind reverse-proxy, but at a point I lost connectivity for accessing from the LAN. Reverse-proxy ip is redirecting me to the global url and nextcloud local ip is not reachable.
    Any chances to achieve this goal ?

    1. Yep you’ll need to make sure there’s a host override for the server url to your reverse proxy ip in your local DNS – should be able to do this on your router or hosts file

  210. If anyone has a problem accessing cardDAV or calDAV after updating to NC22:
    nano /usr/local/etc/apache24/httpd.conf
    in the section add:
    CGIPassAuth on
    Cheers

  211. php8 does not work yet, can’t finish the setup. internal server error.
    solution: pkg delete php80
    install php74
    restart jail
    works as a charm.

      1. How did you install php8? Did you do a full install of Nextcloud with that version, or did you upgrade to php8 later? If upgrade, what steps did you follow?

        Thanks

        1. I replaced all of the commands for PHP74 with php8 and installed from scratch. I don’t recall the actual command…I think I saved it in a word doc. I’ll try and dig it up.

          1. Ok, no need to dig it up. I have the commands as well.

            I was more interested in knowing if I could just install the php8 without having to reinstall the complete Nextcloud instance.

            Thanks for the info!

          2. I would like to see that. I tried to do it before but there was something which failed. Don’t remember what it was, I think a module was missing.

  212. Guys,
    anyone having issues with cron execution after 21.0.3 update? It looks like after the update the nextcloud setting page is saying that the cron is not running. If I run it manually in the console I have no errors but the webpage is still reporting an error. Before with the old versions I have never seen this error. Did someone have an issue like that?
    Versions:
    Nextcloud: 21.0.3
    PHP: 7.4.0.21
    Apache: Apache/2.4.48
    Redis: 6.0.14

      1. My Cron job:
        */5 * * * * php -f /usr/local/www/nextcloud/cron.php --define apc.enable_cli=1

        It apparently has issues running with APC and redis.

        This solves it for me, running 22.0 with php7.4
        I don’t recall the source of this solution.

        1. thanks, I applied this solution but I modified my php.ini, found it in the comments of the blog
          It seems that it resolved the solution but the weird thing is that sometimes cron fails, sometimes not after that.

          1. The only thing i can provide, because it is strange it works sometimes is to read source of my solution:
            https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html

            the other solution in there:
            APCu is disabled by default on CLI which could cause issues with nextcloud’s cron jobs. Please make sure you set the apc.enable_cli to 1 on your php.ini config file or append --define apc.enable_cli=1 to the cron job call.

            I have that cronjob, and the above in my config.php

  213. Strangely enough, this does not solve it for me. If I downgrade to 21.0.2 then cron is fine and works. I added this line to the cron job and to the php.ini config. Restarted the server and still have the annoying message about cron. Any other ideas?

    1. My setup also didn’t work by simply adding '--define apc.enable_cli=1' to the www crontab. Once in a while, it seems to process properly but I couldn’t narrow it down to a specific reason it would process properly. So, I left the www crontab default as above and looked for other solutions.

      The solution for me was to edit the apc.ini file for php that is specific for FreeBSD jail installs using the information gathered from https://help.nextcloud.com/t/where-can-i-find-apc-enable-cli/85168 I found it in ‘/usr/local/etc/php/’ and the file was called ‘ext-20-apcu.ini’. The original file only had 1 line in it ‘extension=apcu.so’. I edited the file to contain the below and then restarted the jail and NextCloud now sees the cron job running properly.

      extension=apcu.so
      apc.enabled=1
      apc.shm_size=32M
      apc.ttl=7200
      apc.enable_cli=1

      Hope this helps…

      1. Hi Andrew, I came to the same conclusion recently and edited the same file but only with:
        apc.enable_cli=1.
        My cron jobs are also running fine now. Thanks for sharing this, I also wanted to do a follow up but wanted to make sure it will last.

  214. Hi everyone,
    Any of you managed to get their nextcloud working with onlyoffice server ?
    I have an external onlyoffice server running fine. All of my other nextclouds can connect to it but with that setup I get the following error: Error while downloading the document file to be converted.

    1. I have it working but my onlyoffice is a docker container. I don’t know if this is your case or not. Maybe you can provide some more detail about your issue? What type of file and what are you doing at the moment that you see the error?

      1. Well, the error occurs when I try to setup my onlyoffice connector in nextcloud. I enter the address of my remote onlyoffice server, the passphrase and I get this error. To me it means that the connector can’t connect to the remote server but if I try to browse https://my.onlyofficeserver.fr in firefox it is working fine so that must be an internal issue or maybe something to do with reverse-proxy ?

  215. I just tried the upgrade to 22 and updated php and mysql as well, now nextcloud can’t connect to the database anymore

    {“reqId”:”68EbzR9Q8pfSgwYD5Z73″,”level”:4,”time”:”2021-08-15T08:39:18+00:00″,”remoteAddr”:”213.144.147.23″,”user”:”–“,”app”:”webdav”,”method”:”PROPFIND”,”url”:”/remote.php/dav/files/fillg1/”,”message”:”Doctrine\DBAL\Exception: Failed to connect to the database: An exception occurred in the driver: SQLSTATE[HY000] [2002] Connection refused”,”userAgent”:”Mozilla/5.0 (Macintosh) mirall/3.3.0git (build 6760) (Nextcloud, osx-20.6.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)”,”version”:”22.0.0.11″,”exception”:{“Exception”:”Sabre\DAV\Exception\ServiceUnavailable”,”Message”:”Doctrine\DBAL\Exception: Failed to connect to the database: An exception occurred in the driver: SQLSTATE[HY000] [2002] Connection refused”,”Code”:0,”Trace”:[{“file”:”/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php”,”line”:182,”function”:”check”,”class”:”OCA\DAV\Connector\Sabre\Auth”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php”,”line”:137,”function”:”check”,”class”:”Sabre\DAV\Auth\Plugin”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php”,”line”:89,”function”:”beforeMethod”,”class”:”Sabre\DAV\Auth\Plugin”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php”,”line”:456,”function”:”emit”,”class”:”Sabre\DAV\Server”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php”,”line”:253,”function”:”invokeMethod”,”class”:”Sabre\DAV\Server”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php”,”line”:321,”function”:”start”,”class”:”Sabre\DAV\Server”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/apps-pkg/dav/lib/Server.php”,”line”:332,”function”:”exec”,”class”:”Sabre\DAV\Server”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php”,”line”:35,”function”:”exec”,”class”:”OCA\DAV\Server”,”type”:”->”},{“file”:”/usr/local/www/nextcloud/remote.php”,”line”:166,”args”:[“/usr/loc
al/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php”],”function”:”require_once”}],”File”:”/usr/local/www/nextcloud/apps-pkg/dav/lib/Connector/Sabre/Auth.php”,”Line”:161,”CustomMessage”:”–“}}

    I’m able to connect with mysql cli, so the database is up.
    Any hints where to look?

    1. does the location of mysql.sock match what’s specified in nextcloud’s config.php? Given that you’re getting Connection Refused errors, you might also want to check the permissions of the socket and confirm that the www user is able to access it.

      1. I think both match
        # grep sock /usr/local/etc/mysql/my.cnf
        socket = /tmp/mysql.sock

        grep sock config.php

        'dbhost' => 'localhost:/tmp/mysql.sock',
        'host' => '/tmp/redis.sock',

        ls -al /tmp/mysql.sock

        srwxrwxrwx 1 mysql wheel 0 Aug 15 17:42 /tmp/mysql.sock
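
The socket permission checks from the two threads above (the `unixsocketperm 770` plus `pw usermod www -G redis` advice under comment 205, and the `ls -al /tmp/mysql.sock` output here), as an added example that is not part of the original comments. `socket_access` is a hypothetical helper name and the Redis `ls -l` line is constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from an `ls -l` line whether an account can connect
# to a Unix socket. socket_access is a hypothetical helper name.

# socket_access LS_LINE USER USER_GROUPS
#   LS_LINE      one line of `ls -l` output for the socket
#   USER         account that has to connect (www for the web server here)
#   USER_GROUPS  space-separated groups of USER, as printed by `id -Gn USER`
# Prints the permission class that applies to USER and whether it grants
# access: owner:yes|no, group:yes|no or other:yes|no.
# Connecting to a Unix socket needs write permission on the socket file.
# Not modelled: root's bypass, and search permission on parent directories.
socket_access() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    user=$2
    user_groups=$3
    case $mode in
        s?????????*) ;;                       # socket with 9 mode bits
        *) echo "not-a-socket"; return 1 ;;
    esac
    if [ "$user" = "$owner" ]; then
        # The owner class applies exclusively when the user owns the socket.
        class=owner
        bit=$(printf '%s' "$mode" | cut -c3)
    else
        class=other
        bit=$(printf '%s' "$mode" | cut -c9)
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then
                class=group
                bit=$(printf '%s' "$mode" | cut -c6)
                break
            fi
        done
    fi
    if [ "$bit" = w ]; then echo "$class:yes"; else echo "$class:no"; fi
}

# MySQL socket line as posted in the comment above.
MYSQL_LINE='srwxrwxrwx 1 mysql wheel 0 Aug 15 17:42 /tmp/mysql.sock'
# Constructed line: a Redis socket created with unixsocketperm 770.
REDIS_LINE='srwxrwx--- 1 redis redis 0 Aug 15 17:42 /var/run/redis/redis.sock'

echo "mysql.sock, www in (www):       $(socket_access "$MYSQL_LINE" www 'www')"
echo "redis.sock, www in (www):       $(socket_access "$REDIS_LINE" www 'www')"
echo "redis.sock, www in (www redis): $(socket_access "$REDIS_LINE" www 'www redis')"
```

A result of `other:yes` means every local account in the jail can open the socket, while `group:yes` on a 770 socket limits it to the service account and the members of its group.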

  216. Hello,

    I think I have everything working, but am having an issue with a 401 error when granting access via the iOS and Android app. No recent logs in the nextcloud.log file to give a clue.

    I have tried:
    changing 'overwrite.cli.url' => 'http://nextcloud.example.com' to https
    adding 'overwritehost' => 'nextcloud.com:443'
    adding 'overwriteprotocol' => https (This I left as it was missing)
    adding
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    To my cloud.server.com.conf virtualhost file
    My earlier issue was to be stuck on “Grant Access” indefinitely which I think overwriteprotocol fixed.

    I think these might be the most relevant files /usr/local/www/nextcloud/config/config.php:
    <?php
    $CONFIG = array (
      'instanceid' => 'ocenqcecds1o',
      'passwordsalt' => 'password',
      'secret' => 'secret',
      'trusted_domains' =>
      array (
        0 => '192.168.0.9',
        1 => 'cloud.domain.com',
      ),
      'datadirectory' => '/mnt/data',
      'dbtype' => 'mysql',
      'version' => '22.1.0.1',
      'overwrite.cli.url' => 'http://192.168.0.10',
      'overwriteprotocol' => 'https',
      'dbname' => 'nextcloud',
      'dbhost' => 'localhost:/tmp/mysql.sock',
      'dbport' => '',
      'dbtableprefix' => 'oc_',
      'mysql.utf8mb4' => true,
      'dbuser' => 'nextcloud_admin',
      'dbpassword' => 'password',
      'installed' => true,
      'redis' =>
      array (
        'host' => '/var/run/redis/redis.sock',
        'port' => 0,
      ),
      'memcache.local' => '\OC\Memcache\APCu',
      'memcache.locking' => '\OC\Memcache\Redis',
    );

    And /usr/local/etc/apache24/Includes/cloud.domain.com.conf:

    DocumentRoot “/usr/local/www/nextcloud”
    ServerName cloud.domain.com

    SetHandler “proxy:fcgi://127.0.0.1:9000/”

    DirectoryIndex /index.php index.php

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

    I am able to login via desktop and upload/download files, but I do have other issues in case they are relevant:
    Can’t upload file more than 1MB (1999M is set…)
    … actually that’s it, there were two other errors related to http.
    Much appreciate any help anyone can provide.

    1. Well, this seems to be a bit embarrassing, but restarting the server seems to have cleared the issue up. I guess I must not have restarted one of the services that got modified in the process.

  217. Just wanted to say thank you so much for this tutorial!

    I initially used the Truenas plugin but kept running into various issues and was anxious about the security.

    This tutorial was so clear and helped me understand how nextcloud is actually configured, and I am now even able to use the latest version of nextcloud and php8.0!

    Thanks again, one of the best tutorials I’ve read.

  218. Hello Samuel, and thanks for this wonderful guide. Thank you in advance for helping me on this issue.
    I am having a problem installing postfix-sasl. I am receiving the following error:

    root@cloud:/usr # pkg install postfix-sasl
    Updating FreeBSD repository catalogue…
    FreeBSD repository is up to date.
    All repositories are up to date.
    pkg: No packages available to install matching ‘postfix-sasl’ have been found in the repositories

  219. Getting error ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/tmp/mysql.sock’
    After upgrading mariadb. I know this is simple to fix, but I don’t know how….

        1. Nic, there’s a set of commands that need to be run after you upgrade Mariadb. I can’t remember what they are right now but it’s indicated in the notes that display after you upgrade the package.

          I’ll see if I made note of it somewhere, but hopefully somebody else remembers and can answer.

          Doug

          1. mariadb-upgrade -u root
            if you use a password, use -p
            if you have problems try --skip-version-check or --force

  220. I wanted to add some clarification on upgrading to php8.0

    Simple explanation:
    Yes — This upgrade works in place. It’s actually pretty easy to do. Previously I was running php7.4. I believe your Nextcloud version needs to be Nextcloud 21 or higher to do this (so don’t try if you want to run an older version of nextcloud).

    #Uninstall php7.4 (This will remove all the php7.4 dependencies as well):
    $ sudo pkg delete php74

    #Install php8.0 packages
    $ sudo pkg install php80 php80-bcmath php80-bz2 php80-ctype php80-curl php80-dom php80-exif php80-fileinfo php80-filter php80-gd php80-gmp php80-iconv php80-intl php80-extensions php80-ldap php80-mbstring php80-opcache php80-openssl php80-pcntl php80-pdo php80-pdo_mysql php80-pecl-APCu php80-pecl-imagick php80-pecl-redis php80-posix php80-session php80-simplexml php80-tokenizer php80-xml php80-xmlreader php80-xmlwriter php80-xsl php80-zip php80-zlib

    I rebooted jail at this point

    Long winded explanation.
    Reference as a Source: https://docs.nextcloud.com/server/13/admin_manual/maintenance/manual_upgrade.html

    I had followed Samuel’s old version of the guide where nextcloud was originally installed via package. If you have installed nextcloud via the old instructions or via the package manager, there is definitely going to be some extra steps, but don’t fear data is safe via the wonderful way Samuel constructed his guide.

    Stop your webserver

    $ sudo service nginx stop
    $ sudo service apache24 stop

    Move the old /usr/local/www/nextcloud to a backup directory

    $ sudo mv /usr/local/www/nextcloud /usr/local/www/nextcloud-old

    #Uninstall the previous pkg manager version of nextcloud (I’m removing php74, however cater this to your setup)
    $ sudo pkg unlock nextcloud-php74
    $ sudo pkg delete nextcloud-php74

    Download latest version of nextcloud found here: https://nextcloud.com/install/ – Example is using 22.1.1.zip

    Download and extract to a directory that is outside the /usr/local/www

    $ cd /tmp
    $ wget https://download.nextcloud.com/server/releases/latest.tar.bz2
    $ wget https://download.nextcloud.com/server/releases/latest.tar.bz2.sha512

    #Verify hash
    $ shasum -a 512 -c latest.tar.bz2.sha512

    Extract tarball to /usr/local/www/nextcloud

    $ tar -xf latest.tar.bz2 -C /usr/local/www

    Copy old /usr/local/www/nextcloud/config directory to new installation

    $ cp -R /usr/local/www/nextcloud-old/config/* /usr/local/www/nextcloud/config/

    If you are using 3rd party applications, look in your new nextcloud/apps/ directory to see if they are there. If not, copy them from your old apps/ directory to your new one. Make sure the directory permissions of your third party application directories are the same as for the other ones.

    So basically recursively copy any app directories contained within /usr/local/www/nextcloud-old/apps to /usr/local/www/nextcloud/apps

    An example of one of the many apps I needed to copy is shown below:

    $ cd /usr/local/www/nextcloud-old/apps
    $ sudo cp -R richdocumentscode /usr/local/www/nextcloud/apps/

    Change php permissions to allow running commands from command line

    $ sudo vim /usr/local/etc/php/ext-20-apcu.ini

    My ext-20-apcu.ini looks like the following:

    extension=apcu.so
    apc.enable_cli=1
    apc.shm_size=64M

    Change Nextcloud File Ownerships to www:www user

    $ cd /usr/local/www
    $ sudo chown -R www:www nextcloud
    $ sudo find nextcloud/ -type d -exec chmod 750 {} \;
    $ sudo find nextcloud/ -type f -exec chmod 640 {} \;

    #Restart web server
    $ sudo service nginx start
    $ sudo service apache24 start

    Manually upgrade any packages

    $ cd /usr/local/www/nextcloud
    $ sudo -u www php occ upgrade

    You can also upgrade this way:

    $ cd /usr/local/www/nextcloud
    $ sudo -u www php ./updater/updater.phar

    You might need to turn off maintenance mode as well at the conclusion

    $ cd /usr/local/www/nextcloud
    $ sudo -u www php occ maintenance:mode --off

    Hopefully that helps.
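The verify-then-extract part of the upgrade steps in comment 220, as an added example that is not part of the original comment: the function compares the SHA-512 itself and refuses to unpack on a mismatch, then applies the 750/640 modes from the post. The function names and the constructed sample tarball are assumptions for illustration; `chown -R www:www nextcloud` still follows as root, as in the post.

```shell
#!/bin/sh
# Added example (not from the original comment). Function names are illustrative.

# Print the SHA-512 of a file with whichever tool the system provides.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{print $1}'
    else
        sha512 -q "$1"    # FreeBSD base system
    fi
}

# verify_and_extract ARCHIVE SUMFILE WWWROOT
# Unpacks ARCHIVE to WWWROOT/nextcloud only if its SHA-512 equals the first
# field of SUMFILE. On any failure nothing is left behind in WWWROOT.
verify_and_extract() {
    archive=$1; sumfile=$2; wwwroot=$3

    if [ -e "$wwwroot/nextcloud" ]; then
        echo "$wwwroot/nextcloud exists; move the old install away first" >&2
        return 1
    fi

    # Compare the hash field directly, so the result does not depend on the
    # file name recorded inside the checksum file.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    actual=$(sha512_of "$archive")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "SHA-512 mismatch for $archive; not extracting" >&2
        return 1
    fi

    # Refuse member names that are absolute or climb out with "..".
    if tar -tf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2
        return 1
    fi

    # Unpack into a private staging directory, fix modes, then move into place.
    staging=$(mktemp -d "$wwwroot/.nc-staging.XXXXXX") || return 1
    if tar -xf "$archive" -C "$staging" && [ -d "$staging/nextcloud" ]; then
        find "$staging/nextcloud" -type d -exec chmod 750 {} +
        find "$staging/nextcloud" -type f -exec chmod 640 {} +
        mv "$staging/nextcloud" "$wwwroot/nextcloud"
        status=$?
    else
        status=1
    fi
    rm -rf "$staging"
    return "$status"
}

# Constructed sample: a tiny stand-in for latest.tar.bz2 and its .sha512 file.
make_sample_release() {
    work=$1
    mkdir -p "$work/src/nextcloud/config"
    echo '<?php /* constructed sample */' > "$work/src/nextcloud/config/config.sample.php"
    tar -cf "$work/latest.tar" -C "$work/src" nextcloud
    printf '%s  latest.tar\n' "$(sha512_of "$work/latest.tar")" > "$work/latest.tar.sha512"
}

# Run "sh thisfile demo" to see one accepted and one rejected archive.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_sample_release "$tmp" && mkdir "$tmp/www"
    verify_and_extract "$tmp/latest.tar" "$tmp/latest.tar.sha512" "$tmp/www" \
        && echo "clean archive: extracted"
    rm -rf "$tmp/www/nextcloud"
    echo tampered >> "$tmp/latest.tar"
    verify_and_extract "$tmp/latest.tar" "$tmp/latest.tar.sha512" "$tmp/www" \
        || echo "modified archive: refused"
    rm -rf "$tmp"
fi
```

A checksum fetched from the same server as the tarball detects a corrupted download, not a tampered one; Nextcloud also publishes a detached PGP signature (.asc) for each release, which is the stronger check.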

    1. Hi Kevdog.
      I was getting ready to update php7.4 to php8.0 following your instructions, and have a couple of questions.
      I compared the various php7.4 packages that were installed as per Samuel’s guide to the files you had listed in your instructions and noted some differences.
      First, the initial instructions said to install php74-json, which doesn’t have a php80 equivalent in your list. As well, your list has 3 files which did not have a php74 equivalent in the initial guide (php80-extensions, php80-pcntl, & php80-tokenizer).

      I was curious to know if those files are needed, possibly to support new functionality?

      Secondly, are the instructions following the “long winded explanation” part of the php upgrade, or is that needed only if upgrading nextcloud to version 22?

      Thanks

      Doug

    2. Thanks for your post. It helped me to upgrade my installation to PHP8 and after that I was able to upgrade my nextcloud to 22.2.2 successfully. Before, I was having issues with apache; it was always going to internal server error after installing 22.2.2 from the nextcloud GUI. I was struggling a bit as in the logs I was not able to find what the reason is exactly.

  221. I had an error after updating Mariadb – ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/tmp/mysql.sock’ (2)
    I spent a good bit of time trying to find a fix. So I decided to reinstall my Nextcloud from scratch.
    Using Samuel’s tutorial and with a clean install into a new iocage jail I am up to:
    $ mysqld_safe --skip-grant-tables &
    $ /usr/local/etc/rc.d/mysql-server start
    And I am still getting the same error. I checked if my users and groups were correct and they are…
    Scratching head… Jail is Release 12.2
    Any ideas?

    1. I didn’t think the mysql socket was by default mounted in /tmp…perhaps someone can clarify..isn’t it /var/run or something? When you install the mysql pkg I thought there was a message after the pkg installation that indicated where the default socket is located?

      1. I changed the socket to /tmp/mysql.sock
        just following Samuel’s tutorial
        then I get this:
        root@nextcloud:~ # service mysql-server start
        Starting mysql.
        root@nextcloud:~ # service mysql-server status
        mysql is not running.
        root@nextcloud:~ #

  222. I changed the socket to /tmp/mysql.sock
    just following Samuel’s tutorial
    then I get this:
    root@nextcloud:~ # service mysql-server start
    Starting mysql.
    root@nextcloud:~ # service mysql-server status
    mysql is not running.
    root@nextcloud:~ #

    I had to remove and reinstall the db pool and then this worked

    1. Nic,
      I’ve got the same issue. Can you pls describe in more detail, how you removed and reinstalled the db pool?
      Thank you
      Chris

  223. Hi everybody,
    I get the following message on the nextcloud web interface:
    “file could not be loaded, check your internet connexion”
    Apparently it is an issue with nginx reverse proxy but I am not sure where to apply a fix.
    Have any of you come across this issue? How did you fix it?

  224. Hello Samuel,

    First, as everyone else, I greatly appreciated your thorough writeup! Great to have members of the community such as yourself contributing in such a way to keep security first.

    I am hoping to pick your brain on an issue that I am having with WebDAV. I am using Windows 10 boxes, but am unable to get them to connect to my instance. The Web UI works internally and externally, and the iOS application and desktop applications work. Additionally I do have a LetsEncrypt certificate, so I am not using self signed. However when I attempt to connect a network share to the WebDAV, I get errors.

    Initially I was being prompted to select a certificate from my personal store after entering my credentials. Once I removed the stored certs, as well as on another box that was fresh, it only asks for my credentials but then gives me “The network logon failed” or “A device attached to the system is not functioning” errors.

    Can you provide some tips to look into?

    1. Thought I would leave an update. Using WinSCP I am able to connect via WebDAV just fine. So there is something with the way Windows 10 connects to the service.

          1. Did have it started and tried the keys noted in the guide but still having an issue. Seems to be directed to a Windows problem and not the install thankfully since I can connect with a client via WebDAV, and the Nextcloud desktop app works.

          2. did you try to connect with the following link
            \\yournextcloud@SSL\DavWWWRoot\remote.php\dav\files\username

  225. Hi Sam,
    I converted an old desktop to TrueNas last week and installed NextCloud plugin under the default “iocage” jail created by the TrueNas system. So the storage config is similar to what you described at the beginning of your guide. Pool->iocage (dataset)->Jails->NextCloudJail.
    The install was fine and I was able to auto upload photos and videos from my iPad to my TrueNas NextCloudJail root. The only problem is the default upload size seems to be 512M and I just can’t figure out how to get this changed. Any advice where to start? I did a “find / -name php.ini” but found nothing. After reading the admin manual from nextcloud, it seems that I need to adjust “/nextcloud/.user.ini” instead of the “php.ini”? I did that anyway but am still getting the 413 “the file is too large” error in my iOS NextCloud App log file …

  226. It may be different when using the plugin, but I believe what I did was update the php.ini file (found in /usr/local/etc) as follows:
    post_max_size = 16G
    upload_max_filesize = 16G
    memory_limit = 768M

    Note that the guide states the memory limit should be 512M. I changed it to 768 but I can’t remember the reason why. In my case at least everything works. I’m able to upload big files from any desktop plus pictures and videos from my cell phones are synced to my server without any problems.

  227. @Doug

    The steps prior to long winded explanation are just for the php 7.4 to 8.0 upgrade. In terms of the packages you listed — that’s honestly a very good question. I didn’t install the 3 you mentioned and I haven’t noticed much of a difference however I have thoroughly tested the system. When in doubt it’s always ok to install more packages. Just be sure to query the package system and remove any of the old php7.4 stuff and try to replace with 8.0 packages. Sometimes there aren’t equivalent package names so some google fu is necessary.

  228. Thanks to @KEVDOG for your upgrade tutorial.
    I followed every step. But when I try “sudo -u www php occ upgrade”, I get the following error

    ‘/usr/local/lib/php/20200930/zip.so: Undefined symbol “zip_compression_method_supported”‘

    It seems like there’s an incompatibility in the zip.so library. Any ideas?

  229. @MRE

    What php80 pkgs do you have installed? Are you sure you don’t have any other php version zip packages installed? I haven’t run across this error so I’m kind of grasping at possible problems

  230. Thanks for the incredibly quick response KEVDOG!

    Meanwhile I’ve found the following article:
    https://bugs.php.net/bug.php?id=80351

    And I don’t exactly know what I did right. But I updated the underlying freebsd version to 12.2 Release, installed “libzip” and reinstalled “php80-zip”. After that it fortunately worked!

    Thanks to all participants for the incredible work (especially to samuel!)!

  231. Many thanks for this guide.
    I am using TrueNAS-12.0-U6 and arrived at this command:
    su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'
    I got this error:
    An unhandled exception has been thrown:
    OC\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)
    After some research time this was corrected by adding
    extension = apcu.so
    apc.enable_cli = 1
    in /usr/local/etc/php/ext-20-apcu.ini
    Thank you again to all for this wonderful work.

  232. Hi Samuel,
    Hi Everyone,

    I’m following your tutorial to set a home nextcloud (many thanks for your work) .
    But following the steps, I encounter this error I can’t figure out the solution after many search on the web, I decide to post here.
    here is the message :
    root@nextcloud:~ # chown -R www:www /usr/local/www/nextcloud /mnt/data
    chown: /mnt/data/.zfs/snapshot: Operation not supported
    chown: /mnt/data/.zfs: Operation not supported

    Can anyone help, please?

    Thank you in advance.

  233. After some time I did a fresh installation of nextcloud using your guide and guess what it is still an excellent guide. Thank you very much.

    When I came into trouble configuring postfix, I did some deeper research and want to share some of my findings.

    Probably, most of the people following this guide want to setup a machine in a local home network using a DSL dialup line and use dynamic DNS to point the outside world (probably through NGINX see Samuel’s other guide) to the local nextcloud machine.

    From a security perspective we do not want to configure postfix as a fully functional mail server flooded with SPAM from the outside world. Therefore, this guide configures postfix to relay all mails send by local scripts (

    Now, one has to understand that your ISP hopefully configures his mail server as a smarthost checking whether an incoming mail comes from a user/system he is responsible for. One of the steps to take in order to get accepted by the ISP smarthost is the SASL configuration described by Samuel. However, the smarthost at your ISP also checks if the sender specified in the email corresponds to the ISP account user (or at least the domain part of the sender’s mail address has to match).

    The test mail command provided in the guide does not specify the sender address and therefore the default sender address of the current user, probably root@hostname.localdomain, is used and the ISP smarthost rejects the email.

    Fortunately, postfix can be configured to change the sender address before transferring emails to the ISP smarthost with a mechanism called “address rewriting”. However, there are many places in the path of an email through the system, where address rewriting can take place. http://www.postfix.org/ADDRESS_REWRITING_README.html gives a good overview.

    Although, on the internet one can find a lot of different suggestions how to get the sender address changed in the above described scenario, I believe the best practice according to the postfix manual should be to append
    smtp_generic_maps = hash:/usr/local/etc/postfix/generic
    to /usr/local/etc/postfix/main.cf

    In my case, the address mapping in /usr/local/etc/postfix/generic looks something like
    @hostname.localdomain @domainatmyisp.com
    By default the hostname equals the jail name. And I had to append “.localdomain” literally probably because somewhere else in the mail path postfix already appended “.localdomain”.

    After a
    postmap /usr/local/etc/postfix/generic
    and a
    service postfix restart
    your test mails should get accepted.

    Keep on the good work.
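How the `@hostname.localdomain @domainatmyisp.com` entry described in the comment above changes a sender address, as an added example that is not part of the original comment. It is a simplified model of the generic(5) lookup order written for illustration, not Postfix code: only the `user@domain` and `@domain` key forms are handled, and the jail name `nextcloud` and the `www@...` entry are assumptions.

```shell
#!/bin/sh
# Added example: simplified model of a Postfix generic(5) table lookup.
# Not Postfix code; the bare "user" key form and address extensions are
# not modelled.

# generic_rewrite SENDER MAPFILE
# Prints the sender address as the ISP smarthost would see it.
generic_rewrite() {
    awk -v addr="$1" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { map[tolower($1)] = $2 }                # lookup keys are case-folded
        END {
            key  = tolower(addr)
            at   = index(key, "@")
            user = (at > 0) ? substr(addr, 1, at - 1) : addr
            dom  = substr(key, at)               # "@domain" part of the sender

            if (key in map)
                result = map[key]                # user@domain: highest precedence
            else if (at > 0 && (dom in map))
                result = map[dom]                # @domain: lowest precedence
            else
                result = addr                    # no entry: address is unchanged

            # A result of the form "@otherdomain" keeps the original user.
            if (substr(result, 1, 1) == "@")
                result = user result
            print result
        }' "$2"
}

# Constructed sample of /usr/local/etc/postfix/generic; the jail is assumed
# to be named "nextcloud" and domainatmyisp.com is the comment's placeholder.
write_sample_generic() {
    cat > "$1" <<'EOF'
# more specific entry first only for readability; order does not matter
www@nextcloud.localdomain    nextcloud-alerts@domainatmyisp.com
@nextcloud.localdomain       @domainatmyisp.com
EOF
}

# Run "sh thisfile demo" to print the rewrites for three senders.
if [ "${1:-}" = "demo" ]; then
    map=$(mktemp) && write_sample_generic "$map"
    for sender in root@nextcloud.localdomain www@nextcloud.localdomain root@nextcloud; do
        printf '%-28s -> %s\n' "$sender" "$(generic_rewrite "$sender" "$map")"
    done
    rm -f "$map"
fi
```

The third sender shows why the key has to carry the `.localdomain` suffix the comment mentions: a sender whose domain does not match the key exactly is left unchanged. On the jail, `postmap -q "@nextcloud.localdomain" hash:/usr/local/etc/postfix/generic` queries the real table once `postmap` has rebuilt it.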

  234. Does anyone know how to enable preview generators for pdf or office files like .docx, .doc?

    Steps I’ve tried.
    Added this to my config:
    'enable_previews' => true,
    'enabledPreviewProviders' =>
    array (
    0 => 'OC\Preview\TXT',
    1 => 'OC\Preview\MarkDown',
    2 => 'OC\Preview\OpenDocument',
    3 => 'OC\Preview\PDF',
    4 => 'OC\Preview\MSOffice2003',
    5 => 'OC\Preview\MSOfficeDoc',
    6 => 'OC\Preview\Image',
    7 => 'OC\Preview\Photoshop',
    8 => 'OC\Preview\TIFF',
    9 => 'OC\Preview\SVG',
    10 => 'OC\Preview\Font',
    11 => 'OC\Preview\MP3',
    12 => 'OC\Preview\Movie',
    13 => 'OC\Preview\MKV',
    14 => 'OC\Preview\MP4',
    15 => 'OC\Preview\AVI',
    ),

    I also installed the PreviewGenerator App from Nextcloud App Store

    I’m running php8.0, so I wasn’t sure what imagemagick packages to install.

  235. After installing php74-pecl-APCu it was necessary to add a line ‘apc.enable_cli = 1’ at the end of /usr/local/etc/php.ini to get rid of this error, when running next cmd:

    root@nextcloud:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/var/run/redis/redis.sock"'
    An unhandled exception has been thrown:
    OCP\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)

  236. Hi everybody!

    First of all, many thanks for this guide! It helped me a lot installing a nice running Version of nextcloud for a long time now!

    But unfortunately I ran into huge problems now… I will try to explain it as well as I can, while my English isn’t the very best and I’m not an experienced user of freenas/nextcloud.

    I installed nextcloud 1 1/2 years ago, running it without any problems since then.
    But now, when I tried to install the app on a smartphone it told me that my server version is too old and I have to update it to log me in from the app.

    I started the update from the web UI, which was my first mistake I guess… It ended up with a failure and nextcloud is in maintenance mode now.
    To help me out, I’ve looked for this guide again to find out how to repair it and update correctly.
    So I scrolled down to the section “Upgrading” and followed the instructions.
    At step 2 “Back up your existing Nextcloud Server database, data directory and config.php file.” the next problem appears. The backup was made on my plugin SSD, which only has 128GB space – but of course the backup is much bigger than that (about 500GB) and so the SSD went out of space during the backup.

    So now I’m totally stuck at this point, really don’t know how to help me out of this…
    My server was still running at version 19.0.3 or .08, so I have missed a lot of updates.

    I would need to figure out how to clean up my SSD again and get the update running with a backup on one of the tank HDDs. There are many documents stored at the cloud only, which I don’t want to lose, and I really hope for help and that anyone knows how to work around this!

    I appreciate any help from you and trying to give you any further information you will need to help me out of this.

    Greetings

    Following my copy from attempting the backup:

    root@nextcloud:/tmp # rsync -Aahx --info=progress2 /mnt/data/ nextcloud-databkp_`date +"%Y%m%d"`/
    72.51G 68% 6.95MB/s 1:17:49 rsync: [receiver] write failed on “/tmp/nextcloud-databkp_20211216/Anja/files/Birken/Birken/VIDEO_TS/VTS_01_3.VOB”: No space left on device (28)
    rsync error: error in file IO (code 11) at receiver.c(378) [receiver=3.2.3]

    rsync: [sender] write error: Broken pipe (32)
    rsync error: error in socket IO (code 10) at io.c(823) [sender=3.2.3]
    rsync: [generator] write error: Broken pipe (32)
    root@nextcloud:/tmp # rsync -Aahx --info=progress2 /usr/local/www/nextcloud/ nextcloud-dirbkp_`date +"%Y%m%d"`/
    305.11M 51% 1.41MB/s 0:03:16 rsync: [receiver] write failed on “/tmp/nextcloud-dirbkp_20211216/apps/richdocumentscode/collabora/Collabora_Online.AppImage”: No space left on device (28)
    rsync: [sender] write error: Broken pipe (32)
    rsync error: error in socket IO (code 10) at io.c(823) [sender=3.2.3]

    root@nextcloud:/tmp # /var/log/nextcloud/nextcloud.log
    /var/log/nextcloud/nextcloud.log: command not found
    root@nextcloud:/tmp # var/log/httpd-error.log
    var/log/httpd-error.log: Permission denied

  237. Hey Samuel, the nextcloud is working so far.

    I got one error message:

    OCA\DAV\Connector\Sabre\Exception\InvalidPath: nextcloud the file name contains an invalid character nextcloud
    /usr/local/www/nextcloud/apps/dav/lib/Connector/Sabre/LockPlugin.php – line 68:

    OCA\DAV\Connector\Sabre\ObjectTree->getNodeForPath()

    /usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php – line 89:

    OCA\DAV\Connector\Sabre\LockPlugin->getLock()

    /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php – line 456:

    Sabre\DAV\Server->emit()

    /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php – line 253:

    Sabre\DAV\Server->invokeMethod()

    /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php – line 321:

    Sabre\DAV\Server->start()

    /usr/local/www/nextcloud/apps/dav/appinfo/v1/webdav.php – line 83:

    Sabre\DAV\Server->exec()

    /usr/local/www/nextcloud/remote.php – line 166:

    require_once(“/usr/local/ … p”)

    Does anyone know, what to do?

    I would appreciate a lot!

    Thanks,
    Alex

  238. Hi Sam,

    I’m just posting to let you know that your SSL cert expired. This is a great guide and a huge help for anyone trying to get Nextcloud setup in TrueNAS. In turn, I recommended the site and then found that it wouldn’t load without warnings due to the expired certificate. I figured I’d post to let you know.

    Thanks again for all the effort that went into this guide!

    1. Hey Cliff! Thanks for letting me know. For some reason the auto-renew doesn’t seem to work the way I’ve intended it to. Something to look into. Cheers.

  239. Hey Samuel,

    Thanks so much for the guide, I have learned so much over the last few months, most of which came from this post and your reverse-proxy post!

    I’m having a little trouble with the update-route53 script and was hoping you might point me in the right direction.

    I believe I have the script set up correctly, but when I run

    $ ./update-route53.sh

    I get a permission denied error. I am still new to all this so the main issue is that I am not sure what permissions exactly I need to look at (i.e. is this an AWS permission issue that I need to research, or does it have something to do with the user permissions associated with the jail?)

    I appreciate the help and thanks again for the amazing work!

    1. Easy fix, it was a simple root permission issue:

      $ chmod 700 /scripts/update-route53/update-route53.sh
      $ chown root:wheel /scripts/update-route53/update-route53.sh

      Thanks again !

  240. First, this is a very in depth guide and I appreciate it. I have searched all over about an issue I am having (so maybe I am not typing the correct thing).

    I can reach http://JAIL_IP/info.php successfully. So I perform the next steps but when I try to reach http://JAIL_IP/ after the configuration changes, I get the error that the IP refused to connect (even tried multiple browsers). Does anyone have any ideas on where I should look to fix this so I can complete the implementation?

    Thank you!
    Dianna

    1. Hi Dianna,

      It sounds like the service might not be running, or you have a firewall issue preventing your access to the jail. I’m inclined to think that it’s the first one, so make sure the service is running with service apache24 status.

      Cheers,

      Sam

  241. Hi, great guide, although I’ve become stuck where you run Apache.
    I enter “service apache24 start” and get
    “root@nextcloud:~ # service apache24 start
    Performing sanity check on apache24 configuration:
    [Sun Jan 23 08:16:33.581999 2022] [proxy_html:notice] [pid 3181] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
    AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
    Syntax OK
    Starting apache24.
    [Sun Jan 23 08:16:33.621779 2022] [proxy_html:notice] [pid 3182] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
    AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
    (48)Address already in use: AH00072: make_sock: could not bind to address [::]:80
    (48)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
    no listening sockets available, shutting down
    AH00015: Unable to open logs
    /usr/local/etc/rc.d/apache24: WARNING: failed to start apache24”

    Any ideas?

    1. Hey! So I am pretty new to this but I find helping troubleshoot issues helps me learn a lot. The:

      [Sun Jan 23 08:16:33.621779 2022] [proxy_html:notice] [pid 3182] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
      AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message

      is addressed in the guide so the main things that I would guess we need to look at are:

      (48)Address already in use: AH00072: make_sock: could not bind to address [::]:80
      (48)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
      no listening sockets available, shutting down

      I’ll admit I am not terribly familiar with the error but off the bat it looks like maybe something is not allowing apache to bind to port 80. I believe [::]:80 is IPv6 and 0.0.0.0:80 is IPv4

      I was able to find https://www.digitalocean.com/community/tutorials/apache-network-error-ah00072-make_sock-could-not-bind-to-address#troubleshooting-with-ss-and-ps-utilities

      If you take a look specifically at the “Troubleshooting with ss and ps Utilities” section, it looks like that might be able to shed some light on what is going on. That is Linux syntax so it might not all work perfectly, but you can probably work out how to pull the same information in FreeBSD

      Hopefully that might be able to give you some direction and hopefully someone more knowledgeable than myself can chime in with a more concise and concrete solution!

      1. Hi Tom, thanks for that. I hadn’t got that far along, I wanted to go through as instructed, but AH00558 is now fixed. I came across the link you mentioned but none of the commands people suggest to use seem to work, I imagine it’s the different environment. Most things point to another service using the port but I have gone into the router settings and I can’t see anything using port 80 so I’m stumped.

    2. Hi Chris,

      This looks like another service is listening on port 80 within your jail. You can try navigating to http:// in your browser to see what’s being served there, or from inside your jail you should be able to execute sockstat -4l to get a breakdown of what services are listening on what sockets.

      To bind apache (httpd) to port 80, you’d need to stop whatever service is currently listening on that port. You can normally do this with the service servicename stop command.

      HTH.

      Cheers,

      Sam

      1. Hi Sam, that sorted it, thanks. I’ve managed to move along since to restarting apache before the web interface but then I get a webpage in a basic format with just:

        Index of/
        config/
        themes

        And this error when restarting apache:
        root@nextcloud:~ # service apache24 restart
        Performing sanity check on apache24 configuration:
        [Mon Jan 24 14:35:36.089949 2022] [proxy_html:notice] [pid 60666] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
        Syntax OK
        Stopping apache24.
        Waiting for PIDS: 60619.
        Performing sanity check on apache24 configuration:
        [Mon Jan 24 14:35:36.164772 2022] [proxy_html:notice] [pid 60676] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
        Syntax OK
        Starting apache24.
        [Mon Jan 24 14:35:36.204005 2022] [proxy_html:notice] [pid 60677] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
        root@nextcloud:~ #

        Any ideas?

        Thanks Chris

        1. Sounds like you’ve accidentally deleted some files from your nextcloud web root? It would be displaying that page because it can’t find an index.html, which should be shipped with the nextcloud distribution.

  242. @Tom — I don’t use Apache so I’m not explicitly sure about that module that was mentioned, however a couple of other things you could check. I’m assuming you’re running on FreeBSD or Linux. Did you check netstat or ss against your server to make sure there wasn’t any listening service on port 80? Just want to rule out the smaller stuff. You could also do a quick nginx install and just see if that process will bind port 80 as well — just thinking of some things you could check to make sure this problem is related to Apache and not another server process.

  243. Hey Samuel,

    I’ve installed the nextcloud via your tutorial maybe around 10-15 times and I’m always ending up with the same error message:
    Sabre\DAV\Exception\BadRequest: Expected filesize of 10485760 bytes but read (from Nextcloud client) and wrote (to Nextcloud storage) 10263918 bytes. Could either be a network problem on the sending side or a problem writing to the storage on the server side.
    /usr/local/www/nextcloud/apps-pkg/dav/lib/Connector/Sabre/Directory.php – line 155:
    OCA\DAV\Connector\Sabre\File->put(null)
    /usr/local/www/nextcloud/apps-pkg/dav/lib/Upload/UploadFolder.php – line 45:
    OCA\DAV\Connector\Sabre\Directory->createFile(“10485760”, null)
    /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php – line 1098:
    OCA\DAV\Upload\UploadFolder->createFile(“10485760”, null)
    /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php – line 504:
    Sabre\DAV\Server->createFile(“uploads/nca … 0”, null, null)
    /usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php – line 89:
    Sabre\DAV\CorePlugin->httpPut(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
    /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php – line 472:
    Sabre\DAV\Server->emit(“method:PUT”, [ Sabre\HTTP … }])
    /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php – line 253:
    Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
    /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php – line 321:
    Sabre\DAV\Server->start()
    /usr/local/www/nextcloud/apps-pkg/dav/lib/Server.php – line 339:
    Sabre\DAV\Server->exec()
    /usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php – line 35:
    OCA\DAV\Server->exec()
    /usr/local/www/nextcloud/remote.php – line 166:
    require_once(“/usr/local/ … p”)

    I’ve tried also plugin installation in Truenas and docker etc. –> I’m always getting the same message.
    Also tried php7.4 vs 8 etc.

    Do you have an idea?

  244. Hello everyone,

    I’m interested in setting up the Nextcloud high performance backend. The manual instructions state the following:

    Push server

    The push server should be setup to run as a background daemon, the recommended way is by setting it up as a system service in the init system. If you’re not using systemd then any init or process management system that runs the push server binary with the described environment variables will work.

    How is this accomplished using Truenas? The instructions give examples for systemd and OpenRC. Thanks!

  245. @Phil — TrueNAS Core (FreeBSD) uses the RC init system. TrueNAS Scale (Debian Linux) uses the systemd init system. The instructions given above show how to setup the system with TrueNAS Core. Nextcloud by nature isn’t high performance — it just isn’t — anyway you slice it. It runs using a php backend which isn’t high performance. I like Nextcloud a lot however if you’re for true high performance — I’d look at a different product. Just my 2 cents.

  246. Hi Samuel,

    For the route53 script, would you happen to know if there is a way to update multiple records at once? I was thinking something like:

    RECORDSET="cloud.mydomain.com";
    "plex.mydomain.com";

    or maybe

    RECORDSET=".mydomain.com"

    which would update the CNAME record for all subdomains?

    Thanks!

    1. Hey Tom,

      There isn’t with the script as it currently stands. Feel free to modify it to your needs though. One way would be to make the RECORDSET variable an input argument, so you could run:

      ./update_route53.sh plex.mydomain.com
      ./update_route53.sh cloud.mydomain.com
      

      Alternatively you could predefine all of your desired RECORDSET values and loop over them. There are a plethora of tutorials on how to use bash for these kinds of purposes online, so I’m sure you won’t have much trouble researching it. A quick search yielded this guide though – perhaps you’ll find it helpful.

      Cheers,

      Sam
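The loop approach Sam describes, as an added example that is not part of the original script or of his reply: it assumes `update_route53.sh` has already been changed to take the record name as its first argument, and the function names `is_valid_record` and `update_records` are hypothetical. Anything that is not a plain host name, such as the `.mydomain.com` form asked about above, is rejected instead of being passed on to the updater.

```shell
#!/bin/sh
# Added example: update several Route 53 records by calling the updater once
# per name. Assumption: the updater script takes the record name as its first
# argument (the modification suggested in the reply above).

# is_valid_record NAME
# Returns 0 only for a plain fully qualified host name: letters, digits,
# hyphens and dots, no empty labels, no label starting or ending with "-".
is_valid_record() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*.-*|*-.*|*-) return 1 ;;
    esac
    # Require at least one dot so bare words are not sent to the updater.
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    # Stay within the DNS limit for a full name.
    [ "${#1}" -le 253 ]
}

# update_records UPDATER NAME...
# Runs UPDATER once per valid name and keeps going after a failure.
# The return value is the number of names that were rejected or failed.
update_records() {
    updater=$1
    shift
    failed=0
    for record in "$@"; do
        if ! is_valid_record "$record"; then
            echo "skipping invalid record name: $record" >&2
            failed=$((failed + 1))
            continue
        fi
        if ! "$updater" "$record"; then
            echo "update failed for: $record" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run only when called with an updater and at least one name, e.g.:
#   ./update_all.sh ./update_route53.sh cloud.mydomain.com plex.mydomain.com
if [ "$#" -ge 2 ]; then
    update_records "$@"
fi
```

A non-zero exit status makes a failed update visible to cron, which would otherwise leave a stale record unnoticed.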

      1. Thanks so much as always, Samuel. This is more than enough to get me where I need to be. And thanks again for this incredible guide (and the reverse proxy one.) I have always been interested in many of the things that you cover, but never knew exactly where to start. This guide specifically includes so many interesting topics and they are explained so well. The time and effort is much appreciated.

  247. I assume that most people here used Samuel’s guide to install Nextcloud and may be seeing the following message as well.

    Checking for packages with security vulnerabilities:
    db5-5.3.28_8: Tag: expiration_date Value: 2022-06-30
    db5-5.3.28_8: Tag: deprecated Value: EOLd, potential security issues, maybe use db18 instead

    Running pkg update / pkg upgrade doesn’t present an option to upgrade. Has anyone done the upgrade and how did you go about it?

    1. I’ve done some more digging and found that db5 is installed as a dependency when installing Apache24. Apache24 has a dependency on APR (Apache Portable Runtime project) which in turn needs db5. The latest version of apache24 still requires both.

      Any ideas on how to resolve this?

      1. It looks like APR has finally been updated to use DB18 instead of DB5. If you’re running package update under “latest” it should see the changes and do the updates. If you’re running quarterly, you’ll have to wait a bit longer.

        I also had to run pkg autoremove. Without that, db5 was still showing up in the security vulnerabilities list.

  248. Hi Samuel, hi all,
    I followed your instructions, Samuel, (thank you very much!) and nextcloud is available from my local network. But I don’t need and don’t want to use a reverse proxy. Can someone tell me how Samuel’s manual would have to be modified to make nextcloud available from the internet without using a reverse proxy?

  249. Hi Samuel,
    Great manual, but do you have a method for SSL implementation where we do not use a reverse proxy and we have our own SSL wildcard cert?

    Thank you.

  250. Hi Samuel,
    I may have answered my own question here, but to use SSL (that you already own) and to configure next cloud to use SSL (port 443), is it a matter of configuring the following?

    File: subdomain.domain.com.conf – located in /usr/local/etc/apache24/Includes/

    DocumentRoot "/usr/local/www/nextcloud"
    ServerName subdomain.domain.com.au.conf

    SetHandler "proxy:fcgi://127.0.0.1:9000/"

    DirectoryIndex /index.php index.php

    Is it a matter of changing and adding the following :

    DocumentRoot "/usr/local/www/nextcloud"
    ServerName subdomain.domain.com.au

    SetHandler "proxy:fcgi://127.0.0.1:9000/"

    DirectoryIndex /index.php index.php

    And then adding to the file

    SSLCertificateFile
    SSLCertificateKeyFile
    SSLCertificateChainFile

    And then restarting Apache ?

    Thanks in advance.

  251. Update to my post above – a bit clearer…….

    <VirtualHost *:80>
        DocumentRoot "/usr/local/www/nextcloud"
        ServerName subdomain.domain.com.au.conf
        <FilesMatch .php$>
            SetHandler "proxy:fcgi://127.0.0.1:9000/"
        </FilesMatch>
        DirectoryIndex /index.php index.php
    </VirtualHost>

    Is it a matter of changing and adding the following

    <VirtualHost *:443>
        DocumentRoot "/usr/local/www/nextcloud"
        ServerName subdomain.domain.com.au
        <FilesMatch .php$>
            SetHandler "proxy:fcgi://127.0.0.1:9000/"
        </FilesMatch>
        DirectoryIndex /index.php index.php
    </VirtualHost>

    And then adding to the file

    SSLCertificateFile (Certificate Location path)
    SSLCertificateKeyFile (Certificate Location path)
    SSLCertificateChainFile (Certificate Location path)

  252. Hello Community,
    the post is great, and I have used and optimized out documentation depending on my needs.
    At home, we do not need the mail functionality but I’ve used a MariaDB 10.6 in a shared mode for all Jails Apps that are running with MariaDB.

    Great Job
    Andy

  253. During an update everything appears to be working and I removed my config.php backup. By doing
    rm -r /usr/local/www/nextcloud-old/

    Now after restart, my nextcloud would give error:
    It looks like you are trying to reinstall your Nextcloud. However the file CAN_INSTALL is missing from your config directory. Please create the file CAN_INSTALL in your config folder to continue.

    I looked at cat /usr/local/www/nextcloud/config/config.php file and noticed the entire content is gone except an instanceId:
    <?php
    $CONFIG = array (
    'instanceid' => 'an id value not sure how to verify',
    );

    Am I facing data loss at this point? How can I restore my config.php file?
    Thanks a bunch.
    Peter

    1. Hi Thijsjek, it is linked to the TrueNAS file system and has regular snapshots being made. I have not attempted to restore anything from the snapshots before. Maybe now is the time to test whether my snapshots actually work or not.

      Do you have experiences or instructions on how to view snapshots and read file contents?

    2. Looks like it is linked to this file on TrueNas /mnt/tank/apps/nextcloud/config/config.php

      Maybe I can find file history somehow. Have not tried this before.

    3. Sorry to report the snapshots don’t have the /mnt/tank/apps/ directory. In the snapshots UI, it has the iocage snapshot. Must be created automatically when I upgrade the jail version.
      tank/iocage/releases/11.2-RELEASE/root for nextcloud jail.

      I cloned the snapshot and viewed the files inside. It doesn’t have that config.php file. :sad

    4. Sadly I don’t have snapshot for apps/nextcloud folder.

      It was working after upgrade and that’s why I rm all the backups.

      I should not have deleted them and just left them there.

    5. [SOLUTION] Nextcloud, when using the online updater, provides a backup of config.php by default. Thanks Nextcloud for doing this and it saved me in a big way. Location is here:

      cat /mnt/data/updater-snadfnes/backups/nextcloud-23.0.8.1-1662165509/config/config.php
      Modify the content to match your current install
      version => 'your current installed version'
      updater.secret change to 'updater.release.channel' => 'stable',

      After making the change, visiting the website will prompt you to update. Clicking on the update button will fix the system.

  254. For some reason flows do not work for me when i use this guide.
    the flow page just show “Available flows, Your flows” text, without buttons.
    tried to reinstall from php7.4 to php81 with new data dirs, no difference.
    the plugin install of truenas does have flow buttons.
    didn’t see any related errors in logs.

  255. Hello everyone,

    having been prompted by Nextcloud to upgrade my PHP installation, I am now doing my first search on the subject. It does not seem quite straight forward. I have found a nice link, which fits my case (php 7.4 to 8) and may also be useful to others.
    https://mwl.io/archives/22357
    If someone has already gone through this process, I would appreciate any insights, before making the upgrade

    1. Hey,
      I have an identical testing jail for these purposes. Php82 is not supported yet by nextcloud 25.0.3, but php81 is. Meanwhile 80 is almost eol.
      https://www.php.net/supported-versions.php
      Remove the old php version with pkg remove php74 and then:

      pkg install php81 php81-bz2 php81-ctype php81-curl php81-dom php81-exif php81-fileinfo php81-filter php81-gd php81-iconv php81-intl php81-ldap php81-mbstring php81-opcache php81-pdo php81-pdo_mysql php81-pecl-APCu php81-pecl-imagick php81-pecl-redis php81-posix php81-session php81-simplexml php81-xml php81-xmlreader php81-xmlwriter php81-xsl php81-zip php81-zlib php81-bcmath php81-gmp
      Restart jail.
      This is how I just went from php80 to php81 on the testing jail.

      1. Forgot to mention to add again at
        /usr/local/etc/php/ext-20-apcu.ini if you use cron background job.

        apc.enabled=1
        apc.shm_size=32M
        apc.ttl=7200
        apc.enable_cli=1

      2. Hey THIJS,
        As your php update path is based on the setup provided by Samuel’s wonderful guide, I just wanted to add some helpful commands in this context. I used these commands to update from php80 to php81. Afterwards I have used the normal web updater of Nextcloud to go from 25.0.2 to 25.0.3.

        With the following command I extracted a list of the installed php80 packages and replaced the version number 80 with 81:
        pkg info -x php | sed 's/\(.*\)-.*/\1/g' | sed 's/80/81/g' > php81packagelist

        Then I manually deleted the php81-openssl package from this list, because it seems to be included in php now. At least, I can not find a corresponding package on freshports anymore.

        Afterwards I did a
        pkg remove php80

        To install the php81 packages from the list I used
        cat php81packagelist | xargs -L1 -p pkg install -y

        By hitting Y I could follow the installation process for each package. After a restart of the jail the Nextcloud webinterface worked without any problems.

        Thanks to everyone on this page for all the advice and good luck to all.
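The package-list step from the comment above, as an added example (not the commenter's own commands): a function, hypothetically named `migrate_php_list`, that strips the version from each `pkg info -x php` line, rewrites only a whole `phpNN` token, and leaves out the extensions you name, as the comment did by hand for openssl. The sample input and its version numbers are constructed.

```shell
#!/bin/sh
# Added example: build the install list for a new PHP branch from the
# packages of the old one. Function names and sample data are illustrative.

# migrate_php_list OLD NEW [DROP[,DROP...]]
# Reads "name-version" lines (the format printed by `pkg info -x php`) on
# stdin and prints the matching package names for the NEW branch.
migrate_php_list() {
    awk -v from="php$1" -v to="php$2" -v drop="${3:-}" '
    BEGIN {
        # Extensions to leave out, e.g. "openssl" -> skip php81-openssl.
        n = split(drop, d, ",")
        for (i = 1; i <= n; i++) skip[to "-" d[i]] = 1
    }
    NF {
        name = $1
        # FreeBSD versions contain no hyphen, so the last "-" starts the version.
        sub(/-[^-]*$/, "", name)
        # Rewrite only a whole "phpNN" token, never digits elsewhere in the name.
        m = split(name, part, "-")
        out = ""; changed = 0
        for (i = 1; i <= m; i++) {
            if (part[i] == from) { part[i] = to; changed = 1 }
            out = out (i > 1 ? "-" : "") part[i]
        }
        # Ignore packages not tied to the old branch, dropped ones, duplicates.
        if (changed && !(out in skip) && !(out in seen)) {
            seen[out] = 1
            print out
        }
    }'
}

# Constructed sample of `pkg info -x php` output on a php80 jail.
sample_pkg_info() {
    cat <<'EOF'
php80-8.0.27
php80-bz2-8.0.27
php80-openssl-8.0.27
php80-pecl-redis-5.3.7
php80-pecl-APCu-5.1.22
php80-pecl-imagick-3.7.0_2
EOF
}

# On the jail, write the list to a file and read it before installing:
#   pkg info -x php | migrate_php_list 80 81 openssl > php81packagelist
```

Reviewing the generated list before `pkg remove` and `pkg install` keeps a mistyped branch number from removing the working PHP stack with nothing to replace it.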

    2. Dear All

      I have done a nextcloud upgrade to Nextcloud Hub 3 (25.0.2) a few days ago.

      My Installation:
      TrueNAS Core 13.0-U3.1
      Jail Nextcloud: 13.1-RELEASE-p1
      Nextcloud installed via pkg with version nextcloud-php74; actual version of nextcloud 24.0.5.

      I did upgrade by:

      Update my Jail via GUI from TrueNAS Core: 13.1-RELEASE-p1 to 13.1-RELEASE-p5 => Jail restart

      Via ssh I connected to the jail and made a search for nextcloud pkg’s.
      I selected nextcloud-php81 to install.

      All pkg related to php74 have been automatically deleted during installation of nextcloud-php81.

      Additionally I had to install:
      php81-pecl-redis
      php81-pecl-smbclient

      In the file redis.conf the line unixsocketperm was transferred incorrectly, I had to change from unixsocketperm 770 to unixsocketperm 777.

      I now restarted my Jail via GUI from TrueNAS Core and Nextcloud did the necessary upgrade.

      Nextcloud mentioned that Imagick is not working correctly.

      I had to install php81-pecl-imagick additionally, restart the jail again and all was fine.

  256. Hey Samuel,

    this tutorial helped me so much!

    I’m struggling to adapt the configuration of “mod_rate”
    maybe you can help me? I want to limit the bandwidth of the clients to 3000KiB/s

    Thanks for any hints

    Johanne

  257. Greetings Samuel,
    I have so far ventured into networking as far as I have come thanks to your guide. Thank you so much for producing such a clear and concise guide. I, unfortunately am stuck on the portion just before you navigate to the jail IP in the browser window and the nextcloud admin login is returned. I am getting the following in the httpd.log, there is not a nextcloud.log produced anywhere. Within the nextcloud jail. Any help would be appreciated.

    proxy_fcgi:error] [pid 68997] [client 192.168.1.133:55662] AH01071: Got error 'PHP message: {"reqId":"ZYjAZgxeIVSIavvBnnVB","level":3,"time":"2023-04-05T03:27:34+00:00","remoteAddr":"192.168.1.133","user":"--","app":"base","method":"GET","url":"/","message":"Failed to start session","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0","version":"","exception":{"Exception":"Exception","Message":"Failed to start session","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/lib/base.php","line":434,"function":"__construct","class":"OC\\\\Session\\\\Internal","type":"->"},{"file":"/usr/local/www/nextcloud/lib/base.php","line":676,"function":"initSession","class":"OC","type":"::"},{"file":"/usr/local/www/nextcloud/lib/base.php","line":1144,"function":"init","class":"OC","type":"::"},{"file":"/usr/local/www/nextcloud/index.php","line":34,"args":["/usr/local/www/nextcloud/lib/base.php"],"function":"require_once"}],"File":"/usr/local/www/nextcloud/lib/private/Session/Internal.php","Line":62,"CustomMessage":"--"}}'

  258. Hello Samuel
    Hope you are doing great.
    A while ago, I followed your guide and successfully installed NextCloud on my FreeNas.
    Well, some time later, some hardware failure took me to reinstall everything however one thing is not operational.
    I have 2 NAS boxes running exactly same version TrueNas CORE 13.0-U4.
    Before the failure and reinstall, I was running TrueNas 11.
    Basically I had NAS2 mounted on NAS1 using the mount command without any issues. When I recovered NAS1 and rebuilt it, I started getting “permission denied” when attempting to mount. I’ve been trying to get this working for more than 8 months now and countless entries on forums with no luck.
    I have even tried manually setting the destination as 777 and still get such “permission denied”. Logs were not very clear, just that an attempt was denied. I even tried ChatGPT with no luck on getting this mount working. By any chance can you point me to some documentation or process with which I could fix that?
    Really appreciate any guidance.

    Thank you
    Marcelo

  259. Hey Samuel and other readers. I really appreciate all the work continuing help with this guide.

    So this morning I updated to nextcloud 26.0.1
    I’ve installed nextcloud within freebsd jail (as instructed above), and I’m running php version 8.0.

    $ php --version
    PHP 8.0.28 (cli) (built: Apr 15 2023 01:18:26) ( NTS )
    Copyright (c) The PHP Group
    Zend Engine v4.0.28, Copyright (c) Zend Technologies
    with Zend OPcache v8.0.28, Copyright (c), by Zend Technologies

    I’m now getting the system warning that php module sysvsem needs to be installed.

    Looking at my php module list: (sudo php -m), I have following modules installed:
    $ php -m
    [PHP Modules]
    apcu
    bcmath
    bz2
    Core
    ctype
    curl
    date
    dom
    exif
    fileinfo
    filter
    gd
    gmp
    hash
    iconv
    imagick
    intl
    json
    ldap
    libxml
    mbstring
    mysqlnd
    openssl
    pcntl
    pcre
    PDO
    pdo_mysql
    pdo_sqlite
    Phar
    posix
    redis
    Reflection
    session
    SimpleXML
    SPL
    sqlite3
    standard
    sysvsem
    tokenizer
    xml
    xmlreader
    xmlwriter
    xsl
    Zend OPcache
    zip
    zlib

    [Zend Modules]
    Zend OPcache

    So sysvsem seems to be installed for php8.0. I’ve seen others on other platforms with this error. Is there something I need to do to activate module or have php process module?

    Thanks.

    Lastly — offtopic — do I need to upgrade php versions?

  260. Hey Kevdog. I had the same error. I’m on php8.1. I just installed the php81-sysvsem module and that took care of the error for me.

  261. @Phil – I don’t know what the problem was – I installed the php80-sysvsem module but it wasn’t initially working, but with a reboot of the jail things then started working. Being these modules are dynamically loaded, maybe it wasn’t loaded after the initial installation?? Not sure. While I was tinkering with the system I went ahead anyway and upgraded my php stack to 8.2 which wasn’t too difficult to do.

  262. Hello JUSTIN,

    I’m also getting the same error as you. Did you find the solution?

    As per the logs it seems proxy_fcgi:error is unable to start the session

    [Tue Jun 27 03:55:02.814713 2023] [proxy_fcgi:error] [pid 86446] [client 192.168.0.210:56435] AH01071: Got error 'PHP message: {"reqId":"kOvLNmoH7qDBpyuzKTIN","level":3,"time":"2023-06-27T10:55:02+00:00","remoteAddr":"192.168.0.210","user":"--","app":"base","method":"GET","url":"/","message":"Failed to start session","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 YaBrowser/23.5.2.625 Yowser/2.5 Safari/537.36","version":"","exception":{"Exception":"Exception","Message":"Failed to start session","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/lib/base.php","line":446,"function":"__construct","class":"OC\\\\Session\\\\Internal","type":"->"},{"file":"/usr/local/www/nextcloud/lib/base.php","line":701,"function":"initSession","class":"OC","type":"::"},{"file":"/usr/local/www/nextcloud/lib/base.php","line":1173,"function":"init","class":"OC","type":"::"},{"file":"/usr/local/www/nextcloud/index.php","line":34,"args":["/usr/local/www/nextcloud/lib/base.php"],"function":"require_once"}],"File":"/usr/local/www/nextcloud/lib/private/Session/Internal.php","Li...'

    I’ve installed php80

    php -m
    [PHP Modules]
    Core
    date
    hash
    json
    libxml
    mysqlnd
    openssl
    pcre
    Reflection
    SPL
    standard

    [Zend Modules]

    php -version
    PHP 8.0.29 (cli) (built: Jun 10 2023 01:16:34) ( NTS )
    Copyright (c) The PHP Group
    Zend Engine v4.0.29, Copyright (c) Zend Technologies

    Looks like all the modules are not installed. Not sure what’s happening here.

  263. Hello Samuel,
    great manual and I have nextcloud running.
    I am stuck in the aide section where it come to sending the E Mail.
    Seems that google changed the login procedure and I keep getting this error:

    535-5.7.8 Username and Password not accepted.

    I checked the password several times now, and I am pretty sure it is correct.
    Searching for the above error gave me the hint to enable less secure Apps. But this option is no longer available in the setting.
    I found an Info from google that they turned this off in May 2022.

    Any Ideas what else I could try?

    Thanks

    regards
    steffen

    1. I had to turn on 2 factor authentication in the google setting. Then generated an App Password for this and used it in the above SASL_Passwd file. Make sure to hash the file, because I forgot it and wondered why it still did not work.
      postmap /usr/local/etc/postfix/sasl_passwd
      Now everything seems to work.
      One Question why is the sender of the Email Charlie Root?

  264. Thanks for this wonderful guide which is still relevant today. Just a point that I would like to make is that the way the zfs datasets are configured in this guide will cause the installation to break if we use the manual update process detailed in the Nextcloud Manual as the /nextcloud/config and /nextcloud/themes are external dataset to the jail and attached to the jail via fstab. So if you rename the nextcloud folder it will break the mapping. It may be better if the external dataset is mapped to www instead of /www/nextcloud. This will allow to rename and recreate the nextcloud folder

    1. Hi BGONS,
      I’m currently on Nextcloud 28.0.2 and have problems to upgrade to current version 28.0.5 using the web updater of Nextcloud. The web based updates before have been working (not mentioning the usual problems of outdated php packages and the like – business as usual).

      Your comment regarding the mounting of the zfs datasets into the nextcloud/ directory of the jail might be a good starting point for my problem. However, I have not made any progress so far.

      Any input, in particular experience with a recent upgrade would be appreciated.

      Or perhaps you can further specify how you would implement the datasets into the jail.

      1. I’ve had issues using the web updater since V27 – fails with permission errors. My solution was to install phpXX-phar (XX being your php version) and then use the command line updater – it has worked for me every time:

        su -m www -c 'php /usr/local/www/nextcloud/updater/updater.phar'

  265. This is a great tutorial and design layout is worthy of implementing. I am still early in my nextcloud experience but I’m a retired IT professional and agree that it’s better than default by far. I was able to upgrade many times in the default mode but not without issues that seemed to be able to get resolved, until once and I was screwed (fubr). In researching that issue I found your article and re-implemented it your way for the most part to eliminate that scenario. Great job! My nextcloud instance is in-house only so SSL is optional for me.
    I was wondering if you have done something successful using postfix to authenticate to gmail using OAuth2 which is required now by Google. Everything I’ve found has app passwords and less secure app and all that’s gone now. All I want to do is use smtp.gmail.com as a relay host from postfix. I was able to set up nextcloud mail as a client but that doesn’t seem to work for alerts and notifications, etc. Thanks

  266. Hi

    With nextcloud 30.0.1, I’m getting message regarding: MariaDB version “10.4.28-MariaDB” detected. MariaDB >=10.6 and <=11.4 is suggested for best performance, stability and functionality with this version of Nextcloud

    Is there an easy method to upgrade nextcloud? Specifically if I just upgrade mariadb via the package manager, will that break the installation?
