Cloud storage is an excellent way to keep your files safe in case something happens and your computer is lost or damaged. It can help you access your files on the road or from work, and helps you keep everything synced up across your devices.

Cloud storage comes with one major drawback, though. You have to trust some company with all of your personal files. What happens if they get hacked? Are they really all that trustworthy, or are they going through your things when you’re not looking? It’s not really possible to know for sure.

There is another option. You can host your own cloud storage with Nextcloud. Nextcloud is an open source cloud storage solution that lets you be your own cloud storage company. It has an easy to use and clean interface and accompanying apps for all your devices, so you’re not dealing with some hacked together junk.

This guide is going to focus on hosting Nextcloud on a VPS (Virtual Private Server), but you can also run it locally on your home network. Just don’t expect to access it from the outside unless you set up port forwarding or are running a VPN. Some of the steps would be a little different, and you won’t need to buy domain name or set up SSL certificates.

Choose A Host

Assuming you’re going with a true cloud solution and want your files accessible over the Web, you need to set up a VPS to host Nextcloud on. There are some great options out there, so pick what seems best for you. Check out Linode, DigitalOcean, and Gandi, if you don’t already have a host in mind.

This guide is going to use Debian 9 “Stretch” as the server operating system. Debian is super stable and fairly secure by default. It’s also well supported by most hosting platforms. If you’re more comfortable with Ubuntu, most of this will apply directly there too, since Ubuntu is based on Debian.

You’re also going to need to get a domain name for your server. Since this isn’t going to be a public site, you can really make it anything you like. The process for purchasing and linking a domain name is different for every host and domain name provider, so be sure to check the documentation provided by the services you choose.

Everything here is going to be handled remotely from the Linux command line. So, if you’re on Mac or Linux, you can just open a terminal and use SSH to access your VPS. IF you’re on Windows, grab an SSH client like PuTTY.

Install What You Need

There are a lot of pieces to this puzzle. You may as well grab them all now, so you have what you need to continue from here. Debian doesn’t usually have sudo installed by default, so grab that first, and set it up.

$ su -c 'apt install sudo'

Enter your root password and Sudo will be installed. Then, you need to add your user to the sudo group.

$ su -c 'gpasswd -a username sudo'

Now, you can use sudo. You might need to log in again, if it doesn’t work immediately. From this point forward, you’ll be using sudo instead, especially since you’re going to disable root logins for security purposes.

Now, grab everything from Debian’s repositories.

$ sudo apt install ufw mariadb-server nginx certbot php php-mysql php-fpm php-cli php-json php-curl php-imap php-gd php-xml php-zip php-intl php-mcrypt php-imagick php-mbstring

Set Up Your Firewall

Your server is on the Internet. There’s no way around that, and it means that you’re going to need to deal with attackers. Setting up a simple firewall will help prevent a lot of potential threats.

Instead of using iptables directly, you can use UFW(Uncomplicated Firewall) to secure your system. It has simpler syntax, and it’s much easier to work with.

Start by disabling everything in the firewall. This will set the default policy to deny connections to all services and ports, ensuring that attackers can’t connect on some forgotten port.

$ sudo ufw default deny incoming

$ sudo ufw default deny outgoing $ sudo ufw default deny forward

Next, you can tell ufw the services that you do want it to allow. In this case, you only need SSH and web access. You’re also going to want to enable NTP and DNS so your server can fetch updates and set its clock.

$ sudo ufw allow in ssh
$ sudo ufw allow out ssh 
$ sudo ufw allow in http 
$ sudo ufw allow out http 
$ sudo ufw allow in https 
$ sudo ufw allow out https 
$ sudo ufw allow in ntp 
$ sudo ufw allow out ntp 
$ sudo ufw allow in 53 
$ sudo ufw allow out 53 
$ sudo ufw allow in 67 
$ sudo ufw allow out 67

 

Nextcloud UFW

You can start up your firewall now. It will give you a warning about disrupting SSH, but you already allowed SSH, so you’ll be okay.

$ sudo ufw enable

Configure SSH

SSH is one of the most frequently assaulted services on Linux servers. It’s the gateway to everything else on the server, and it’s usually only protected by a password. That’s why it’s important to make sure that your server isn’t easily accessible to attackers over SSH.

SSH Keys

First, you need to set up a much more secure alternative to a password, an SSH key. The process is different on Windows than on Mac and Linux, so follow the instructions that fit your desktop.

Windows

As is the Windows way, you need yet another program to complete this simple task. PuTTYgen is an RSA key generator for PuTTY. It’s available from the PuTTY download page. Download it, and run it.

In the window that opens, name your key and create a password for it. It’s the password that you’ll use to log in to your server. On the bottom, select SSH-2 RSA and set a key size of at least 2048 bits. 4096 is better, but 2048 will be slightly faster. Then, generate your keys, and save both the public and private keys. Finally, copy the public key that displays on the top of the window.

Use PuTTY to connect to your server. Open a file at ~/.ssh/authorized_keys and paste your key in.

Back in PuTTY, find SSH on the side menu. Then, open up “Auth.” In the field for the pivate key, browse to the location of the private key that you just saved. When everything in PuTTY is set up for your server, save the session. Test it out to make sure you’re connecting with your key before moving on.

Mac and Linux

Mac and Linux users have a much easier road here. Start by generating an SSH key, if you don’t have one already. You have the option of creating a password for the key. It is optional, so that is your call.

$ ssh-keygen -b 4096 -t rsa

Now, just send your key to your server. Substitute your username and the IP of the server.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

That’s it!

Disallow Root and Passwords

After you have your key set up, you can disable passwords for SSH. Don’t worry if you set up a key with a password. That’s something different, and this won’t impact that at all. Open the SSH configuration file at /etc/ssh/sshd_config.

$ sudo nano /etc/ssh/sshd_config

Find the line that reads:

#PermitRootLogin prohibit-password

Change it to:

PermitRootLogin no

Next, find the two lines:

#PasswordAuthentication yes
#PermitEmptyPasswords no

Change them to:

PasswordAuthentication no
PermitEmptyPasswords no

Finally, find:

UsePAM yes

Make it:

UsePAM no

Save your file, and close it. Then, restart SSH. This might kick you off, so reconnect if it does.

$ sudo systemctl restart sshd

Configure Your Database

The next thing you’ll need to do is configure your database. There really isn’t much involved here, so don’t worry too much. You just need to set up a user and empty database for Nextcloud to access.

MariaDB security

There’s actually a convenient script to set up and secure MariaDB for you. Run it first.

$ sudo mysql_secure_installation

The default root password is empty, so it “Enter” when asked. It’ll then ask you to set up a root password. Do that. Answer “Yes” to every question that follows.

You can log into your database with the root password that you just set up.

$ sudo mysql -u root -p

The prompt will change to the MariaDB one. This is the console for managing your database server. Begin by creating a new database. Capitalization counts here.

CREATE DATABASE nextcloud;

Next, make a user for that database.

CREATE USER `nextcloud`@`localhost` IDENTIFIED BY "PasswordForUser";

Then, grant that user permission to use the database.

GRANT ALL ON nextcloud.* TO `nextcloud`@`localhost`;

That’s it! You can exit the database server now.

\q

Configure PHP

Nextcloud is written in PHP. You already installed the latest version of PHP available on Debian Stretch along with the PHP extensions that Nextcloud needs to function right. You still need to make a couple of tweaks to your PHP configuration to make it work more easily with Nginx.

Nextcloud php.ini config

It really just needs some basic security tweaks. These aren’t anything major, but they will help improve the security of your server.

Open up /etc/php/7.0/fpm/php.ini with sudo and your favorite text editor.

The file is massive, so use your editor’s search function to navigate around. If you’ve been using Nano, it’s Ctrl+W. The fist option that you need to find is disable_functions. Add add phpinfo,system,mail,exec, on the end.

Then, find sql.safe_mode and turn it on. Next, set allow_url_fopen off. At the end of the file, add the following line, save, and close it.

register_globals = Off

Get Nextcloud

Nextcloud isn’t available as a package for Debian yet, and that’s alright. You really don’t need it to be. It’s a lot like other pre-built PHP web applications, like WordPress, and it comes in a compressed archive that you can extract where you want Nextcloud installed.

As of right now, the latest stable release is Nextcloud, double-check what the latest version is for you when you’re reading this. The guide will refer to 12, but use whatever the latest stable one is.

Change into a directory where you want to download your Nextcloud archive. Then, change into /var/www to extract it.

$ cd ~/Downloads
$ wget https://download.nextcloud.com/server/releases/nextcloud-12.0.3.tar.bz2
$ cd /var/www
$ sudo tar xjpf ~/Downloads/nextcloud-12.0.3.tar.bz2

If you are reading this in the future, you can find the download link on Nextcloud’s server install page.

Finally, change the ownership of your Nextcloud installation to www-data.

$ sudo chown -R www-data:www-data /var/www/nextcloud

Create SSL Certificates

Creating your SSL certificates is very easy thanks to Certbot. Certbot will automatically generate your SSL certs for you and place them in the web root of whichever site you’re creating them for. You only need to run a single command.

$ sudo certbot certonly --webroot -w /var/www/nextcloud -d your-domain.com -d www.your-domain.com

Since it’s your first time running Certbot, it will ask for an email address. It will use that address to warn you when your certs are about to expire. You can easily renew them with a single command too.

$ sudo certbot renew

Configure Nginx

Nginx is a lightweight, yet powerful, web server. It’s going to serve the interface that you use to access Nextcloud. There are a couple of configuration files associated with Nginx. The first one is the main configuration located at /etc/nginx/nginx.conf. That’s the main configuration file, but it has solid defaults. You can play with it if you know what you’re doing, but you can leave it alone and be just fine too.

Nextcloud Nginx Configuration

The next configuration is much longer and more complex. Thankfully, you don’t need to write it all. The Nextcloud devs already did. You just need to modify it. The config file is located on Nextcloud’s site. Grab the one for the webroot of Nginx. Create a new file at /etc/nginx/sites-available/nextcloud, and paste it in.

Once you have the file, you need to make a couple of simple alterations. First, find the upstream block and change it to look like this:

upstream php-handler {
    server unix:/run/php/php7.0-fpm.sock;
}

Then, find anywhere it says cloud.example.com and change it to your domain name.

The last thing you need to do is point Nginx to your SSL certs. Change the lines:

ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;

To:

ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

That’s it! Next, you need to link it so Nginx can find it.

$ cd /etc/nginx/sites-enabled
$ sudo ln -s /etc/nginx/sites-available/nextcoud nextcloud

Remove the existing default that’s there.

$ sudo rm default

Restart PHP and Nginx, and you’ll be able to access Nextcloud!

$ sudo systemctl restart php7.0-fpm
$ sudo systemctl restart nginx

Start Nextcloud

Nextcloud

Open your web browser and navigate to your domain name. You’ll be greeted with the Nextcloud setup screen. Create yourself an admin account and enter in the information for the database account that you created.

Nextcloud will take several minutes to configure itself and install. When it finishes, you’ll be dropped into your new Nextcloud dashboard. From there, you can create new users to allow people you trust onto your new cloud storage. You can also start uploading files right away.

That’s it! You now have your own private cloud!