Nextcloud install guide debian 9 Stretch

Since the last guide was pretty polulair for installing Nextcloud on Debian 8.5, the complete step by step manual, I now created a step by step guide for installing and configuring Nextcloud on a fresh installed Debian 9 (Stretch) server. In my other guide I also configured WebRTC and Turn, but for now I only have a Nextcloud configuration. The guide already contains some modules (php) for WebRTC so I might add it in the future. The guide is pretty straight forward. I’m not gonna bore you with why i install and configure the things i install. It’s just the way i do it. Follow every step and you have a pretty secure Nextcloud installation.

This guide is also available at

Again, like the first guide, just install a clean Debian 9 Stretch server with nothing more than ssh-server and standard system utilities. If your installing on vmware also install open-vm-tools (apt install open-vm-tools)

When you’re logged in I always su – to root

Install the packages for apache, mariadb, php

apt install vim unzip sudo
apt install apache2 mariadb-server libapache2-mod-php
apt install php-gd php-json php-mysql php-curl
apt install php-intl php-mcrypt php-imagick
apt install php-zip php-xmlwriter php-xmlreader php-xml php-mbstring php-simplexml

Download the latest nextcloud version, unzip it, and move it to /var/www

mv nextcloud/ /var/www

Enable ssl module and create a ssl self signed certificate. If you want to fill in al the questions when you create the certificate, you may, but you can also just enter trough al the questions. It works either way.

a2enmod ssl
a2ensite default-ssl
mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key

Set the file permissions for the certificate files to 600

`chmod 600 /etc/apache2/ssl/apache.*`

**Optional, as suggested by @MichaIng** . You could also use Let’s Encrypt. This is a free service to generate signed certificates you can use on your server. Be sure you don’t already have certificates you or your company bought on the domain name you want to use. If there already is a certificate you wont be able to sign a new certificate on the same domain name! I haven’t tested this configuration myself yet.

apt install python-certbot-apache
certbot –apache

After you created the certificate you should create a script to regenerate the certificate (i believe they are valid for 3 months) and run the script in cron

mkdir /root/bin/
cd /root/bin

#! /bin/bash

certbot renew -q

chmod +x
crontab -e

and add

`* 3,15 * * * /root/bin/`


Create a configuration file for apache.

cd /etc/apache2/sites-available/
wget nextcloud.conf
mv download nextcloud.conf

Change the settings in nextcloud.conf to match your url/server settings and then create a symbolic link to enable the nextcloud configuration.

vi nextcloud.conf
ln -s /etc/apache2/sites-available/nextcloud.conf /etc/apache2/sites-enabled/nextcloud.conf

Enable the following apache modules. The last 3 are necessary for the WebRTC configuration (not configured in this guide yet!) If you dont want to enable these you also need remove the configuration from nextcloud.conf ( to RequestHeader)

a2enmod rewrite
a2enmod headers
a2enmod env
a2enmod dir
a2enmod mime
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_wstunnel

Change to the nextcloud directory

`cd /var/www/nextcloud/`

Setup folder permissions, the easy way. We’ll fix it later on with the strong permission script.

`chown www-data:www-data . -R`

Restart apache and mariadb and enable them so the automaticly start at boot

systemctl restart apache2
systemctl enable apache2
systemctl restart mariadb
systemctl enable mariadb

Now make your mariadb/mysql configuration a bit more secure. Also set a root password.



In order to log into MariaDB to secure it, we’ll need the current
password for the root user. If you’ve just installed MariaDB, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
… Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]
… Success!

Normally, root should only be allowed to connect from ‘localhost’. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
… Success!

By default, MariaDB comes with a database named ‘test’ that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
– Dropping test database…
… Success!
– Removing privileges on test database…
… Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
… Success!

Cleaning up…

All done! If you’ve completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Now you can create a empty database so we can run the occ install script

mysql -u root -p
GRANT ALL ON nextcloud.* to ‘nextcloud’@’localhost’ IDENTIFIED BY ‘YOURPASSWORD’;

Run the command below to start the nextcloud installation.

`sudo -u www-data php occ maintenance:install –database “mysql” –database-name “nextcloud” –database-user “nextcloud” –database-pass “YOURPASSWORD” –admin-user “ncadmin” –admin-pass “YOURPASSWORD”`

To be able to open your nextcloud you need to add your fqdn or ip address in the trusted domains section in the config.php. You can add multiple entry’s, just increase the number in front of the line.

`vi /var/www/nextcloud/config/config.php`

array (
0 => ‘localhost’,
1 => ‘’,

`’datadirectory’ => ‘/var/nc_data’,`

We also want to move the /var/www/nextcloud/data folder to /var/nc_data (or any other mount point you desire)

`mv /var/www/nextcloud/data /var/nc_data`

Now as promised, the secure folder and file permissions

`vi /var/www/`

Add the script below to the file. If you changed the data folder to another location, you need to change it in the script also.


printf “Creating possible missing Directories\n”
mkdir -p $ncpath/data
mkdir -p $ncpath/updater

printf “chmod Files and Directories\n”
find ${ncpath} -type f -print0 | xargs -0 chmod 0640
find ${ncpath} -type d -print0 | xargs -0 chmod 0750
find ${ncdata} -type f -print0 | xargs -0 chmod 0640
find ${ncdata} -type d -print0 | xargs -0 chmod 0750

printf “chown Directories\n”
chown -R ${rootuser}:${htgroup} ${ncpath}
chown -R ${htuser}:${htgroup} ${ncpath}/apps/
chown -R ${htuser}:${htgroup} ${ncpath}/config/
chown -R ${htuser}:${htgroup} ${ncdata}/
chown -R ${htuser}:${htgroup} ${ncpath}/themes/
chown -R ${htuser}:${htgroup} ${ncpath}/updater/

chmod +x ${ncpath}/occ

printf “chmod/chown .htaccess\n”
if [ -f ${ncpath}/.htaccess ]
chmod 0644 ${ncpath}/.htaccess
chown ${rootuser}:${htgroup} ${ncpath}/.htaccess
if [ -f ${ncdata}/.htaccess ]
chmod 0644 ${ncdata}/.htaccess
chown ${rootuser}:${htgroup} ${ncdata}/.htaccess

`chmod 750 /var/www/`

Execute the script


Add the opcache configuration to your php.ini. Add it at the end of the file **just before ; Local Variables:**

`vi /etc/php/7.0/apache2/php.ini`


Now just restart apache2 one more time. You now can go to your browser and enter the url to login to nexcloud with the credentials you provided in the installation command.

`systemctl restart apache2`

If you followed the guide to the letter, you now have a Debian 9 Stretch server with the latest nextcloud, secured with a self signed certificate. The only thing we didnt configure is memory cache. If you want to know how to configure this you can check the Server Tuning section by clicking the link in the admin page of nextcloud.

If your server is directly connected to the internet you might want to configure ufw. It’s a uncomplicated firewall to complement this uncomplicated installation guide 😉 Don’t forget to allow ssh or you won’t be able to connect with a terminal client anymore.

apt install ufw
ufw allow ssh
ufw allow http
ufw allow https
ufw enable

Nextcloud client on Debian 9 Stretch

Run as root or sudo:
echo 'deb /' | sudo tee /etc/apt/sources.list.d/nextcloud-client.list
wget -q -O - | sudo apt-key add -
sudo apt-get update
sudo apt-get install nextcloud-client

Install guide Nextcloud on Debian 8 with webconference

Most up to date version can be found at:

Install packages for apache, mariadb, php, nextcloud and enable ssl

apt-get install vim
apt-get install unzip
apt-get install sudo
Installing apache2.4 and Mariadb
apt-get install apache2 mariadb-server libapache2-mod-php5

Installing php modules
apt-get install php5-gd php5-json php5-mysql php5-curl
apt-get install php5-intl php5-mcrypt php5-imagick

Download unzip and move latest NextCloud
mv nextcloud/ /var/www

Enable SSL
a2enmod ssl
a2ensite default-ssl

Now for some reason the default-ssl prevents from starting. So create your own certificate:

mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key
Just enter trough all the certificate questions
chmod 600 /etc/apache2/ssl/apache.*

Create vhost file (rename to your own host.domain):

Download the vhost config file here

Create symbolic link to sites-enabled
ln -s /etc/apache2/sites-available/nextcloud.conf /etc/apache2/sites-enabled/nextcloud.conf

Enable apache modules:
a2enmod rewrite
a2enmod headers
a2enmod env
a2enmod dir
a2enmod mime
a2enmod ssl
a2ensite default-ssl
a2enmod proxy proxy_http proxy_wstunnel

If you’re running mod_fcgi instead of the standard mod_php also enable:
a2enmod setenvif

Installing NextCloud
cd /var/www/nextcloud
sudo -u www-data php occ maintenance:install --database "mysql" --database-name "nextcloud" --database-user "root" --database-pass ‘password’ --admin-user "admin" --admin-pass ‘password’

Make sure you have a dns record or configured host file so you can access your virtualhost name based. Open your browser and go to (change to your host and domain)

You probably get an error:

You are accessing the server from an untrusted domain.
Please contact your administrator. If you are an administrator of this instance, configure the “trusted_domains” setting in config/config.php. An example configuration is provided in config/config.sample.php.
Depending on your configuration, as an administrator you might also be able to use the button below to trust this domain.

Just open your /var/www/nextcloud/config/config.php and add:

vi /var/www/nextcloud/config/config.php
find the line with 0 => ‘localhost’, and add a line below like 1 => ‘’,

array (
0 => 'localhost',
1 => '',

I also move the data folder from /var/www/nextcloud/data to /var/oc_data

mv /var/www/nextcloud/data /var/oc_data

And change the data folder in /var/www/nextcloud/config/config.php

'datadirectory' => '/var/oc_data',

If you have done this you can also run the next script for strong file permissions:

vi /var/www/

####### Copy and Paste from #!/bin/bash to the last fi

printf "Creating possible missing Directories\n"
mkdir -p $ncpath/data
mkdir -p $ncpath/assets
mkdir -p $ncpath/updater

printf "chmod Files and Directories\n"
find ${ncpath} -type f -print0 | xargs -0 chmod 0640
find ${ncpath} -type d -print0 | xargs -0 chmod 0750

printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ncpath}
chown -R ${htuser}:${htgroup} ${ncpath}/apps/
chown -R ${htuser}:${htgroup} ${ncpath}/assets/
chown -R ${htuser}:${htgroup} ${ncpath}/config/
chown -R ${htuser}:${htgroup} ${ncdata}/
chown -R ${htuser}:${htgroup} ${ncpath}/themes/
chown -R ${htuser}:${htgroup} ${ncpath}/updater/

chmod +x ${ncpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ncpath}/.htaccess ]
chmod 0644 ${ncpath}/.htaccess
chown ${rootuser}:${htgroup} ${ncpath}/.htaccess
if [ -f ${ncdata}/.htaccess ]
chmod 0644 ${ncdata}/.htaccess
chown ${rootuser}:${htgroup} ${ncdata}/.htaccess

######### END SCRIPT#########

That concludes the basic Nextcloud installation and configuration on a Debian 8.5 server. Now for the WebRTC fun stuff. You can now login in nextcloud by going to

First we gonna make go available on our system. Don’t install it with apt because you’ll get a 1.3 version wich is to low. Install it from source, its verry easy:

First download go
cd /root
tar xzvf go1.7.linux-amd64.tar.gz
mv go/ /usr/local
vi /root/.profile

add after fi and before mesg n

export PATH=$PATH:/usr/local/go/bin

I also run this command straight from the command line to make available instantly

export PATH=$PATH:/usr/local/go/bin

Now test if go can be found and is working

go version
go version go1.7 linux/amd64

Now install WebRTC

First we need some more packages. Git and node.js

apt-get install git node.js make automake

cd /var/www

cd spreed-webrtc-master

If all finished without errors, then kuddo’s, you really followed this manual. Now you can now configure webrtc. We still need to be in /var/www/spreed-webrtc-master First copy the de default config file to server.conf

cp server.conf

Lets first generate a secret for our sessionSecret

openssl rand -hex 32

Copy this string to your memory so you can paste it in the next config file

You need to adjust te following lines to be exactly like (except for the sessionSecret and sharedsecret_secret ofcourse):

vi server.conf

[http] section
basePath = /webrtc/

[app] section
authorizeRoomJoin = true
extra = /var/www/nextcloud/apps/spreedme/extra
plugin = extra/static/owncloud.js
sessionSecret = 1e719578d2345d32f7ce467d891111f1ba6aa8bexxxxxxxxxxxxxxxx

[users] section
enabled = true
mode = sharedsecret
sharedsecret_secret = 1e719578d2345d32f7ce467d891111f1ba6aa8bexxxxxxxxxxxxxxxx

Save and close the file. This concludes the configuration of spreed-webrtc.

Now we need the nextcloud app

cd /var/www/nextcloud/apps
mv nextcloud-spreedme-master spreedme
cd spreedme/config
cp config.php
vi config.php

Add your sharedSecret from ealier to the config

SPREED_WEBRTC_SHAREDSECRET = ‘1e719578d2345d32f7ce467d891111f1ba6aa8bexxxxxxxxxxxxxxxx’

Thats it. Save and close the file. This concludes the configuration of app.

cd ../extra/static/config
cp OwnCloudConfig.js

Now we can start

cd /var/www/spreed-webrtc-master/

This command makes spreed run in the forground. Use the next command to run in background (at least until your next boot. U can ofcourse make a init script. Please leave samples below i’m not that good in init scripts)

nohup ./spreed-webrtc-server > /dev/null 2>&1 &

Check if it is running

ps -e |grep spreed

Now the app is installed and configured. Login to Nextcloud, open the apps page. Select “Not Enabled” and scroll to the bottom and enable the app

Just remember. Your spreedme cam sessions will only work if you and the one you call are in the same network, or are directly connected to the internet. When you are inside a company network your peer to peer traffic will most likely be blocked by the firewall.

Auto add fail2ban-ssh to ipset


# This script will spit out all of the IPs that have been blocked by fail2ban-ssh, then for each one, add it to our `ipset fail2ban-ssh`. It will then restart fail2ban to flush the fail2ban-ssh drop chain.

# Build the ipset if it's not already built

ipset create fail2ban-ssh hash:ip

# Build a list of IPs to scrub

iptables -L fail2ban-ssh -v -n | grep -E '[1-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $8}' > blockthese.txt

# Add lines from blockthese.txt to your ipset fail2ban-ssh

while read line; do ipset add fail2ban-ssh $line; done < blockthese.txt iptables -I INPUT -m set --match-set blacklist src -p TCP --destination-port 22 -j DROP echo -e "Adding to fail2ban-ssh...\n" echo -e "All finished." # Mail the file we just made cat blockthese.txt | mail -s "Fail2Ban -> IPSet Added"

# optional remove the blockthese file. i'll just keep it for future reference.
# rm blockthese.txt

# And that's it