Nextcloud security and performance tweaks

Our last post took care of a working Nextcloud installation. Afterwards I pumped 100GB of data to my cloud without a hiccup. But, especially in multi-user production environments, there are certainly a couple of important security and performance tricks to be performed. So be sure to check out these tips.

I think this post is really one of a kind at this moment. Sure, these tips and tweaks to secure your installation and optimize performance can be found elsewhere, but not all in the same place.

Everything has been tested in a production environment as well, so it’s rock solid.

Nextcloud memory caching

Reading the administrator pages, there are 3 types of memory caching available to Nextcloud. Basically there is an old one (Memcached), an enterprise one (Redis) and a preferred one for smaller organizations (APCu). I’ll be using the latter, which is also not so hard to set up.

# yum install php-pecl-apcu

Then put a single line in config.php, in the config directory of your Nextcloud folder:

'memcache.local' => '\OC\Memcache\APCu',

Save the file and restart Apache:

# systemctl restart httpd

Redis File Locking for Nextcloud

File locking is enabled by default (it prevents file corruption), but at higher loads it puts a considerable strain on your database. Therefore we can use Redis-based file locking, sparing your database and increasing performance.

# yum install redis php-pecl-redis

# systemctl start redis

# systemctl enable redis

Then, as above, in config.php in the config directory of your Nextcloud folder, add the following right below the APCu line:

'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
    'host' => 'localhost',
    'port' => 6379,
),

Restart Apache and test in your admin console.

# systemctl restart httpd

PHP OPcache

The OPcache improves the performance of PHP applications by caching precompiled bytecode. With PHP 7.1 you have to put the few lines below in your /etc/php.d/10-opcache.ini file, or uncomment them if they are already there.

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Restart Apache again.
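Because a commented-out line (;opcache.enable=1) looks almost identical to an active one, it is easy to end up with an ini file that does not actually apply the settings above. The following script, an added example that is not part of the original post or of PHP, reads the effective value of each setting (last uncommented assignment wins, as PHP reads it) and reports any that differ from the values listed above. It assumes POSIX sh with sed, and uses the /etc/php.d/10-opcache.ini path from the post as its default.

```shell
#!/bin/sh
# check_opcache.sh: compare an opcache ini file against the settings from the post.
# Added example, not from the original post. Assumes POSIX sh and sed.

# ini_get FILE KEY -> prints the effective value of KEY: the last uncommented
# assignment wins; lines starting with ';' are comments and are ignored
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# check_opcache FILE -> 0 if every setting matches, 1 otherwise
# (each mismatch is reported on stderr)
check_opcache() {
    file="$1"
    rc=0
    # the heredoc keeps the loop in the current shell, so rc survives it
    while read -r key want; do
        have=$(ini_get "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $key is '${have:-unset}', want $want" >&2
            rc=1
        fi
    done <<EOF
opcache.enable 1
opcache.enable_cli 1
opcache.interned_strings_buffer 8
opcache.max_accelerated_files 10000
opcache.memory_consumption 128
opcache.save_comments 1
opcache.revalidate_freq 1
EOF
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file matches the recommended opcache settings"
    fi
    return "$rc"
}

# Usage: check_opcache.sh [/etc/php.d/10-opcache.ini]
if [ "$#" -gt 0 ]; then
    check_opcache "${1:-/etc/php.d/10-opcache.ini}"
fi
```

Run it after editing the file and again after restarting Apache; a non-zero exit status means at least one setting is still missing or commented out.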

Enable HSTS

The HTTP Strict Transport Security (HSTS) mechanism is too important to neglect, and you can easily enable it for your installation. Just edit the virtual host configuration file for your Nextcloud domain (in my case /etc/httpd/sites-enabled/nextcloud.yourdomain.com.conf). Add the module check and the header to your HTTPS section:

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

Restart Apache. You can test this and the other security headers at securityheaders.io (as described before over here).
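If you would rather verify the header from the command line than through a third-party site, the script below does the same check locally. It is an added example, not part of the original post: it parses a Strict-Transport-Security value, requires max-age to be at least the 15552000 seconds (180 days) configured above, and requires includeSubDomains to be present, so a typo in the Apache line or a missing mod_headers shows up as a FAIL. The fetch_hsts helper assumes curl and network access to the server; check_hsts itself works on any header string.

```shell
#!/bin/sh
# check_hsts.sh: validate a Strict-Transport-Security header value.
# Added example, not part of the original post. Assumes POSIX sh, sed and tr;
# fetch_hsts additionally assumes curl and a reachable HTTPS server.
MIN_MAX_AGE=15552000   # the 180-day value the post configures

# hsts_max_age VALUE -> prints the max-age number, or nothing if absent
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p'
}

# check_hsts VALUE -> 0 if max-age >= MIN_MAX_AGE and includeSubDomains is set
check_hsts() {
    value="$1"
    lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z')   # directives are case-insensitive
    age=$(hsts_max_age "$value")
    if [ -z "$age" ]; then
        echo "FAIL: no max-age directive in '$value'" >&2
        return 1
    fi
    if [ "$age" -lt "$MIN_MAX_AGE" ]; then
        echo "FAIL: max-age $age is below $MIN_MAX_AGE" >&2
        return 1
    fi
    case "$lower" in
        *includesubdomains*) ;;
        *) echo "FAIL: includeSubDomains missing in '$value'" >&2; return 1 ;;
    esac
    echo "OK: $value"
    return 0
}

# fetch_hsts HOST -> prints the header value the live server sends (first one only)
fetch_hsts() {
    curl -sI "https://$1/" | tr -d '\r' \
        | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:[[:space:]]*//p' | head -n 1
}

# Usage: check_hsts.sh nextcloud.yourdomain.com
if [ "$#" -gt 0 ]; then
    check_hsts "$(fetch_hsts "$1")"
fi
```

An empty result from fetch_hsts (reported as "no max-age directive") usually means the header is not being sent at all, for example because mod_headers is not loaded or the Header line landed in the HTTP rather than the HTTPS virtual host.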

Cron

Nextcloud has to run frequent background tasks, as specified in the /var/www/nextcloud.yourdomain.com/cron.php file. The default is to do this with AJAX, but cron is the recommended way. Change this setting in your Administration Console – Basic Settings. Then on your server:

# crontab -u apache -e

*/15 * * * * php -f /var/www/nextcloud.yourdomain.com/cron.php

Be sure your syntax is OK. You can check that the job completes with exit status 0 by running it as the apache user:

# sudo -u apache php -f /var/www/nextcloud.yourdomain.com/cron.php

Check in your administration console that the job is run every 15 minutes.
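A bare php line in the crontab has two weaknesses: when a run takes longer than 15 minutes (a large file scan, for instance) the next one starts on top of it, and a non-zero exit status goes unnoticed unless cron mail is read. The wrapper below is an added example, not part of Nextcloud or of the original post. It takes an atomic mkdir lock so overlapping runs are skipped instead of stacked, and logs any failing exit status with a timestamp. The cron.php path is the one from the post; the lock directory, the --run flag and the install path /usr/local/bin/nextcloud-cron.sh are this script's own assumptions.

```shell
#!/bin/sh
# nextcloud-cron.sh: wrapper for the crontab entry from the post.
# Added example, not part of Nextcloud or of the original post.
# Install as /usr/local/bin/nextcloud-cron.sh (assumed path) and use this
# crontab line for the apache user instead of calling php directly:
#   */15 * * * * /usr/local/bin/nextcloud-cron.sh --run
CRON_PHP="${CRON_PHP:-/var/www/nextcloud.yourdomain.com/cron.php}"
LOCK_DIR="${LOCK_DIR:-/tmp/nextcloud-cron.lock}"

# log MSG -> timestamped line on stderr, which cron mails to the job owner;
# replace the body with: logger -t nextcloud-cron "$*"  to send it to syslog
log() {
    printf '%s nextcloud-cron: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >&2
}

# run_locked CMD... -> runs CMD only when no other instance holds the lock.
# mkdir either creates the directory or fails, atomically, so two overlapping
# cron runs cannot both acquire it. Returns CMD's exit status, or 75
# (EX_TEMPFAIL) when a previous run is still active.
run_locked() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        log "previous run still active (lock $LOCK_DIR), skipping"
        return 75
    fi
    "$@"
    status=$?
    rmdir "$LOCK_DIR"
    if [ "$status" -ne 0 ]; then
        log "$* exited with status $status"
    fi
    return "$status"
}

if [ "${1:-}" = "--run" ]; then
    run_locked php -f "$CRON_PHP"
fi
```

One caveat of the mkdir lock: if the php process is killed (or the host loses power and /tmp is not cleared at boot), the lock directory stays behind and every later run logs "previous run still active" until it is removed by hand; that log line is exactly what tells you it happened.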

Shorter URL

The standard behaviour of Nextcloud is to put index.php at the end of (or somewhere in the middle of) every URL. I like URLs to be as short as possible, so I’m going to change that. Again in config.php, in the config directory of your Nextcloud folder, put these lines:

'overwrite.cli.url' => 'https://example.org',
'htaccess.RewriteBase' => '/',

Save the file and write the .htaccess file (which must be writable by Apache) with the following command:

# sudo -u apache php /var/www/nextcloud.yourdomain.com/occ maintenance:update:htaccess

Admin console

Last but not least, there is the admin console, a rather nice GUI where you can configure a lot of settings, security-related ones included, for instance encryption and password policy enforcement. Be sure to check it out.
