Our last post covered getting a working Nextcloud installation. Afterwards I pumped 100GB of data to my cloud without a hiccup. But, especially in multi-user production environments, there are a couple of important security and performance tweaks still to apply. So be sure to check out these tips.
I think this post is really one of a kind at this moment. Sure, these tips and tweaks to secure your installation and optimize performance can be found elsewhere, but not all at the same place.
Everything has been tested in a production environment as well, so it’s rock solid.
Nextcloud memory caching
According to the administrator pages, there are 3 types of memory caching available to Nextcloud. Basically there is an old one (Memcached), an enterprise one (Redis) and a preferred one for smaller organizations (APCu). I’ll be using the latter, which is also not so hard to set up.
# yum install php-pecl-apcu
Then add a single line to config.php in the config directory of your Nextcloud folder:
'memcache.local' => '\OC\Memcache\APCu',
Save the file and restart Apache:
# systemctl restart httpd
Redis File Locking for Nextcloud
File locking is enabled by default (to avoid file corruption), but at higher loads it puts a considerable strain on your database. We can therefore use Redis-based file locking instead, which spares the database and increases performance.
# yum install redis php-pecl-redis
# systemctl start redis
# systemctl enable redis
Then, as above, edit config.php in the config directory of your Nextcloud folder and add this right below the APCu line:
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
    'host' => 'localhost',
    'port' => 6379,
),
Restart Apache and test in your admin console.
# systemctl restart httpd
The OPcache improves the performance of PHP applications by caching precompiled bytecode. With PHP 7.1 you have to put the below few lines in your /etc/php.d/10-opcache.ini file or uncomment them.
Restart Apache again.
The HTTP Strict Transport Security (HSTS) mechanism is too important to neglect and you can easily enable it for your installation. Just edit (in my case) the virtual hosts configuration file for your Nextcloud domain. In my instance this is /etc/httpd/sites-enabled/nextcloud.yourdomain.com.conf. Add the module and settings to your HTTPS section:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
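To confirm the header is actually served after the restart, here is a small check, added as an example and not part of the original post. It reads raw response headers on stdin and compares them with the policy configured above; the function name, return codes and sample responses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate a response's HSTS header against the policy above.
# MIN_AGE is the max-age from the Apache directive on this page.
MIN_AGE=15552000

# Reads raw HTTP response headers on stdin.
# Returns 0 = OK, 1 = header missing, 2 = max-age missing or too short,
#         3 = includeSubDomains missing. (Return codes are this example's own.)
hsts_check() {
    # Header names are case-insensitive; strip the CRs of the wire format.
    value=$(tr -d '\r' | grep -i '^strict-transport-security:' \
            | head -n 1 | cut -d: -f2-)
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header"; return 1
    fi
    # Directive names are case-insensitive as well.
    lower=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    age=$(printf '%s' "$lower" \
          | sed -n 's/.*max-age *= *"\{0,1\}\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt "$MIN_AGE" ]; then
        echo "FAIL: max-age '${age:-none}' is below $MIN_AGE"; return 2
    fi
    case "$lower" in
        *includesubdomains*) ;;
        *) echo "FAIL: includeSubDomains not set"; return 3 ;;
    esac
    echo "OK: max-age=$age; includeSubDomains"
    return 0
}

# Constructed sample responses (not captured from a real server).
GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains'
WEAK='HTTP/1.1 200 OK
strict-transport-security: max-age=300'

printf '%s\n' "$GOOD" | hsts_check
printf '%s\n' "$WEAK" | hsts_check || true
```

On a live host, pipe the output of `curl -sI https://nextcloud.yourdomain.com/` into `hsts_check` instead of the samples.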
Nextcloud has to run frequent background tasks as specified in the /var/www/nextcloud.yourdomain.com/cron.php file. The default is to do this with AJAX, but using cron is recommended. Change this setting in your Administration Console – Basic Settings. Then on your server:
# crontab -u apache -e
*/15 * * * * php -f /var/www/nextcloud.yourdomain.com/cron.php
Be sure your syntax is OK. You can check that the job exits with status 0 by running it manually:
# sudo -u apache php -f /var/www/nextcloud.yourdomain.com/cron.php
Check in your administration console that the job runs every 15 minutes.
The standard behaviour of Nextcloud is to put index.php after (or somewhere in between) every URL. I like URLs to be as short as possible so I’m going to change that. Again in config.php, in the config directory of your Nextcloud folder, put these lines:
'overwrite.cli.url' => 'https://example.org',
'htaccess.RewriteBase' => '/',
Save the file and regenerate the .htaccess file (which should be writable by Apache) with the following command:
# sudo -u apache php /var/www/nextcloud.yourdomain.com/occ maintenance:update:htaccess
Last but not least, there is the admin console, a rather nice GUI where you can configure a lot of settings, including security-related ones such as encryption and password policy enforcement. Be sure to check it out.