It always seems impossible until its done, Theodor Seuss Geisel

Nextcloud

Nextcloud is an open-source software suite that enables users to create their own private cloud storage solutions, offering file hosting, synchronization, and sharing services. It serves as a free alternative to popular platforms like Dropbox and Google Drive, emphasizing privacy and data ownership.

Cutting the cord on traditional subscriptions can save you or your company significant money.

This guide covers the installation and configuration of Nextcloud in a Proxmox LXC container running Ubuntu 24.10, using an Apache web server, PHP 8.3, and MariaDB 11.4. You should read the first article Installing Nextcloud on Proxmox LXC, A Comprehensive Guide covering passwordless SSH, MariaDB setup, Apache webserver configuration, and PHP for hosting Nextcloud in a secure and optimized environment.

Downloading, installing, and deploying Nextcloud

With the web server, PHP, and database in place, we can install Nextcloud itself. We will download the latest Nextcloud server release

Visit the official Nextcloud download page to find the latest version.

╭――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――╮
│                                                                │
│ 5. Downloading, installing, and deploying Nextcloud            │
│                                                                │
╰――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――╯
cd /tmp
# Download Nextcloud (Download server archive)
wget https://download.nextcloud.com/server/releases/nextcloud-31.0.5.tar.bz2.md5
# Check the file integrity with:
wget https://download.nextcloud.com/server/releases/nextcloud-31.0.5.tar.bz2.md5
sha256sum -c nextcloud-x.y.z.tar.bz2.sha256  # verify integrity
nextcloud-31.0.5.tar.bz2: OK
# The main archive file (nextcloud-31.0.5.tar.bz2) is intact and matches the checksum in the .sha256 file.

# Extract and Deploy Nextcloud
# Extract the downloaded file
tar -xjf nextcloud-31.0.5.tar.bz2
# This will create a directory named nextcloud.

# Rename the Directory
mv nextcloud mynextcloud

# Change Ownership of the Directory
# The owner and group of the mynextcloud directory should be set to www-data, which is the user under which the Apache web server runs.
# In other words, we make sure that Apache has the necessary permissions to access and manage the Nextcloud files.
sudo chown -R www-data:www-data mynextcloud

# Optional. For tighter permissions, you can also fine-tune file modes
# All files to 640 and directories to 750, owner www-data.
# sudo find /var/www/mynextcloud/ -type f -print0 | xargs -0 chmod 640
# sudo find /var/www/mynextcloud/ -type d -print0 | xargs -0 chmod 750

# Let's move the mynextcloud directory to the /var/www directory, which is the default document root for Apache web servers.
sudo mv mynextcloud /var/www

# Disable the Default Apache Site with a2dissite.
# 000-default.conf is the default site configuration file created by Apache.
sudo a2dissite 000-default.conf

# Reload Apache Configuration
systemctl reload apache2

Apache Configuration for Nextcloud

We need to configure Apache to serve the Nextcloud site. This involves setting up a Virtual Host, enabling HTTPS, and applying some security options.

Create an Apache Virtual Host

It’s best to create a new Apache site configuration instead of using the default. /etc/apache2/sites-available/nextcloud.conf is the path where the new configuration file for the Nextcloud site will be created.

╭――――――――――――――――――――――――――――――――――――――――╮
│                                        │
│ 6. Apache Configuration for Nextcloud  │
│                                        │
╰――――――――――――――――――――――――――――――――――――――――╯
sudo vi /etc/apache2/sites-available/nextcloud.conf
# Write down the following configuration:

# There is no space between < and VirtualHost
< VirtualHost *:80>
# It defines a virtual host that listens on port 80 (the default HTTP port). The * means it will respond to requests for any IP address.
    DocumentRoot "/var/www/mynextcloud"
    # It specifies the directory where the Nextcloud files are located. Requests to the server will serve files from this directory.
    ServerName cloud.justtothepoint.duckduckdns.com
    # It sets the hostname for the virtual host.

    < Directory "/var/www/mynextcloud/">
    # This block defines settings for the specified directory.
        Options MultiViews FollowSymlinks
        AllowOverride All
        # AllowOverride All is critical – it permits Nextcloud’s .htaccess to function.
        # Nextcloud’s .htaccess contains important rules for security and URL handling
        Order allow,deny
        Allow from all
   < /Directory>

   # The logs are directed to separate files for clarity.
   ErrorLog ${APACHE_LOG_DIR}/mynextcloud_error.log
   CustomLog ${APACHE_LOG_DIR}/mynextcloud_access.log combined

    # Redirect all HTTP traffic to HTTPS (optional but recommended) in an Apache server environment
    # It checks if the connection is not HTTPS and then redirects to the same URL on HTTPS. This ensures that even if someone accesses via plain HTTP, they get forwarded to secure HTTPS.
    RewriteEngine On
    # This line enables the Apache mod_rewrite module, which allows for URL rewriting.
    RewriteCond %{HTTPS} off
    # This condition checks if the current connection is not using HTTPS. The %{HTTPS} variable will be "on" if the connection is secure and "off" if it is not.
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
    # The RewriteRule directive defines a rule for URL rewriting.
    ^/?(.*): This pattern matches any request (the .* captures everything after the domain)
    # https://%{SERVER_NAME}/$1: This constructs the new URL by redirecting to the same path ($1 represents the previously captured path) but using HTTPS. %{SERVER_NAME} retrieves the server name from the request.
    # R=301 specifies a permanent redirect
    # L indicates that this is the last rule to be processed if the rule matches.

< /VirtualHost>

# Enable the site
sudo a2ensite nextcloud.conf
# Disable the default site
sudo a2dissite 000-default.conf

# Reload Apache
sudo systemctl reload apache2

Enable HTTPS with Let’s Encrypt SSL

For a secure setup, HTTPS is a must. We will use Let’s Encrypt to get a free SSL/TLS certificate. Ensure your DNS for justtothepoint.duckduckdns.org points to your server’s IP, and that port 80 is accessible from the internet for the certificate challenge.

Option 1:

DuckDNS is a free dynamic DNS (DDNS) service that’s perfect for home servers with a dynamic IP (like many ISPs provide). DuckDNS works by creating a subdomain (e.g., justtothepoint.duckdns.org) and automatically updating it with your public IP, so you don’t need to manually set A records in your domain’s registrar. Use justtothepoint.duckdns.org to point to your current public IP (home external IP, public, seen by the world; the IP you see in whatismyip.com). 1. Create an account at DuckDNS. 2. Create a DuckDNS subdomain. Add justtothepoint (or any other name you like). DuckDNS will create justtothepoint.duckdns.org and give you an update token. Update your public IP automatically by running a cron job on your Proxmox host to update your IP every 5 minutes or so.

Set up the router port forwarding rules. You need to create two rules:

Rule for HTTP (port 80). Name of Rule: Nextcloud-HTTP, Direction IP/Internal IP: 192.168.1.40 (this is the Nextcloud container’s IP), Protocol: TCP, External port range: Start port: 80,End port: 80, Internal port range: Start port: 80, End port: 80.
Rule for HTTPS (port 443). Name of Rule: Nextcloud-HTTPS, Direction IP/Internal IP: 192.168.1.40 (this is the Nextcloud container’s IP), Protocol: TCP, External port range: Start port: 443,End port: 443, Internal port range: Start port: 443, End port: 443.

This will resolve justtothepoint.duckduckdns.org ➜ dirIPPublicHome. Connect to port 80 and port 443. Reach your container’s Apache server directly. Complete the challenge and issue your valid HTTPS certificate.

# Install Certbot (Let’s Encrypt client) and the Apache plugin:
sudo apt install certbot python3-certbot-apache -y

# Obtain a certificate:
sudo certbot --apache -d cloud.yourdomain.com
# Offer to configure HTTPS for the Apache vhost automatically. If you allow it, Certbot will create a new config (or modify nextcloud.conf) to include the SSL VirtualHost.

# Update your public IP automatically on your Proxmox host
sudo apt install curl
# Replace < your-token > with your real DuckDNS token.
echo "url=https://www.duckdns.org/update?domains=justtothepoint&token=< your-token >&ip=" >> ~/duckdns.conf
echo "*/5 * * * * curl -k -s -o ~/duck.log -K ~/duckdns.conf" | crontab -

Follow the prompts. You’ll need to agree to Terms of Service and provide an email for renewal notices. Choose whether to redirect HTTP to HTTPS; we already added a redirect, but Certbot can add its own.

image info

Option 2:

Log in to your domain’s DNS management (where you bought your domain). Create an A record for your desired subdomain (e.g., cloud.justtothepoint.com) that points to your public IPv4 address.
In your router, forward external port 80 (HTTP) and 443 (HTTPS) to your Proxmox container’s internal IP address (e.g., 192.168.1.40). This allows inbound requests from Let’s Encrypt’s servers (and from real users) to reach your Nextcloud’s Apache server.

# Install Certbot (Let’s Encrypt client) and the Apache plugin:
sudo apt install certbot python3-certbot-apache -y

# Obtain a certificate:
sudo certbot --apache -d cloud.justtothepoint.com
# Offer to configure HTTPS for the Apache vhost automatically. If you allow it, Certbot will create a new config (or modify nextcloud.conf) to include the SSL VirtualHost.

image info

Option 3. If You Cannot Set Public DNS or just don’t Want to Be Internet-Accessible.

# You can generate a self-signed SSL certificate on your server:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout /etc/ssl/private/nextcloud-selfsigned.key \
  -out /etc/ssl/certs/nextcloud-selfsigned.crt

In your Apache config (nextcloud.conf):
SSLEngine on
SSLCertificateFile /etc/ssl/certs/nextcloud-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/nextcloud-selfsigned.key

Browsers will warn “Not secure” because it’s self-signed, but traffic is still encrypted. You can accept the risk manually for yourself.

image info

Nextcloud Installation, Apache Configuration, and HTTPS with Let’s Encrypt on Proxmox LXC

Downloading, installing, and deploying Nextcloud

Apache Configuration for Nextcloud

Create an Apache Virtual Host

Enable HTTPS with Let’s Encrypt SSL

Related Posts