Nextcloud Configuration

In a previous post I’ve walked you through all the steps to successfully install Nextcloud 15 on a Raspberry Pi.

However, even then, a few configuration tasks remain. In this post, I’m going to cover Nextcloud configuration.

We are going to:

  • Clear as many as possible of the Security & setup warnings shown in the Overview panel of the Administration section.
  • Set up SMTP for operational emails.
  • Improve security with 2FA.

1. Memory Caching

Nextcloud Setup Memcache Warning

Enabling a PHP memory cache should get rid of two warnings at once.

You may not have noticed it in Nextcloud 15 on Raspberry Pi, but I already installed PHP’s APCu package. Why APCu? Because the Raspberry Pi is a single, low-memory server: APCu is a local, in-process cache that gives the best PHP acceleration for the memory it consumes. Bear in mind it is only a local cache; if you ever want memcache.distributed or memcache.locking (for example with several web servers), that needs Redis instead.

Enabling the memcache is only a matter of adding the following line to the $CONFIG array:

'memcache.local' => '\OC\Memcache\APCu',

To Nextcloud’s configuration file:

$ cd /var/www/html/nextcloud/config/
$ sudo vi config.php

Furthermore, we also need to set up PHP’s opcache accordingly. The warning message lists the expected values; use exactly those, otherwise the warning remains.

$ cd /etc/php/7.0/fpm/
$ sudo vi php.ini

Then check the values of all the parameters below. They should already be present, so it is mostly a matter of un-commenting the corresponding lines (a leading ; makes the line a comment, and the default value applies instead).

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Finally restart the php-fpm service for good measure:

$ sudo systemctl restart php7.0-fpm
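As an added example (my own code, not part of the original post nor of Nextcloud), the following script reads a php.ini and reports which of the opcache settings above are still commented out or set to other values, so you know what to fix before restarting php-fpm. It takes the values listed above as the target; the sample ini text inside it is constructed, and the file path you pass on the command line is up to you:

```python
"""Audit php.ini against the opcache values Nextcloud's setup warning expects.

Added example, not from the post: RECOMMENDED holds the values listed above,
SAMPLE_INI is constructed text in php.ini style.
"""
import re
import sys
from typing import Dict, List, Tuple

RECOMMENDED = {
    "opcache.enable": "1",
    "opcache.enable_cli": "1",
    "opcache.interned_strings_buffer": "8",
    "opcache.max_accelerated_files": "10000",
    "opcache.memory_consumption": "128",
    "opcache.save_comments": "1",
    "opcache.revalidate_freq": "1",
}

# PHP reads these words as booleans in ini files; normalise so that On == 1.
_BOOL_WORDS = {"on": "1", "yes": "1", "true": "1",
               "off": "0", "no": "0", "false": "0", "none": "0", "": "0"}
_SETTING = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_ini(text: str) -> Dict[str, str]:
    """Return the active key=value pairs of an ini text.

    A line starting with ';' is a comment, so a commented-out setting is simply
    absent (which is why un-commenting matters). Trailing ';' comments are
    stripped too; quoted values containing ';' are not handled (assumption:
    none of the opcache settings need them). Later duplicates win, as in PHP.
    """
    active: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        match = _SETTING.match(line)
        if match:
            active[match.group(1).lower()] = match.group(2).strip("\"'")
    return active


def _normalise(value: str) -> str:
    return _BOOL_WORDS.get(value.lower(), value)


def audit(ini_text: str, recommended: Dict[str, str] = RECOMMENDED) -> List[Tuple[str, str, str]]:
    """List (key, expected, actual) for every recommended setting that is missing
    or differs; actual is "missing" when the key is absent or commented out."""
    active = parse_ini(ini_text)
    problems: List[Tuple[str, str, str]] = []
    for key, expected in recommended.items():
        actual = active.get(key)
        if actual is None:
            problems.append((key, expected, "missing"))
        elif _normalise(actual) != _normalise(expected):
            problems.append((key, expected, actual))
    return problems


# Constructed sample in php.ini style: some lines commented out, some off-value.
SAMPLE_INI = """\
[opcache]
;opcache.enable=1
opcache.enable_cli=0
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000 ; leave as is
;opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=2
"""

if __name__ == "__main__":
    # Usage: python opcache_audit.py /etc/php/7.0/fpm/php.ini (script name is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    for key, expected, actual in audit(text):
        print(f"{key}: expected {expected}, found {actual}")
```

Run against the sample it reports four problems (two commented-out lines, one setting off, one wrong value); run against your real php.ini it should print nothing once the warning is gone.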

2. Database BigInt Identifiers

To be honest, the next warning is a bit of a mystery to me, especially since I installed Nextcloud 15 from scratch (i.e. I didn’t upgrade from an earlier version).

Nextcloud Setup BigInt Warning

This warning is about some database columns whose type changed to 64-bit integers (bigint) since Nextcloud 13. Also, for once, Nextcloud’s otherwise excellent documentation (refer to: BigInt (64bit) identifiers) shows an incomplete (thus wrong) command to solve the problem.

Moreover, there is a catch! Well, actually a couple of catches. Fixing this may take hours depending on the number of files known to Nextcloud, and Nextcloud must not be serving any request during the process (the documentation asks for maintenance mode; stopping the web server, as below, gives the same guarantee). Thus it’s better to solve this as early as possible after you start using Nextcloud.

First, stop Apache to make sure there is no active connection to Nextcloud:

$ sudo systemctl stop apache2

Now enter the command below:

$ sudo -u www-data php /var/www/html/nextcloud/occ db:convert-filecache-bigint
Following columns will be updated:
filecache.mtime
filecache.storage_mtime
This can take up to hours, depending on the number of files in your instance!
Continue with the conversion (y/n)? [n] y

Fortunately, on my pristine system, it’s been almost instantaneous.

Finally, remember to restart Apache:

$ sudo systemctl start apache2

3. Setup Emails

Nextcloud Email Server Configuration

Setting up an email server is important, in particular for Nextcloud’s administrators, who need to receive operational and security notifications (and users need it for password resets).

In order to abide by the KISS principle (Keep It Simple, Stupid), I suggest using Gmail as an SMTP gateway. Obviously this implies you own a Google account. If you don’t, create one; it’s free.

You may object that Google isn’t necessarily the best in terms of privacy. Why install Nextcloud to get rid of Google if we still need Google in the end? I would tend to agree, but it’s free and convenient. Also, many, many people own a Google account. Sometimes we also need to think in a practical way.

If you use the same configuration as the one in the screenshot above, you’ll establish a TLS-protected connection to Google’s SMTP server, which then relays emails to their destination addresses.

  • Encryption: STARTTLS (the connection starts in plaintext and is upgraded to TLS before any credentials are sent).
  • Gmail SMTP server: smtp.gmail.com
  • Gmail SMTP port (for STARTTLS): 587

All you have to do now is enter your Google account email address and credentials. The SMTP username is simply your Google email address.

With regards to the SMTP password, I suggest that you create a specific app password rather than storing your “real” Google account password in Nextcloud’s config.php (where it sits in clear text). Google only offers app passwords on accounts with 2-Step Verification enabled; please refer to Sign in using App Passwords for instructions. If the Pi is ever compromised, revoke that app password and the damage stays limited to it.

Once you’re done, click the Store credentials button, then the Send email button, and verify that the test email arrives.
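The Send email button tests the relay from inside Nextcloud. As an added example (not the post’s or Nextcloud’s code), here is the same check done from the command line in Python, with the security-relevant order made explicit: EHLO, check that STARTTLS is offered, upgrade to TLS with certificate verification, and only then log in with the app password. The host and port are Gmail’s values from above; the GMAIL_USER / GMAIL_APP_PASSWORD environment variable names and the example addresses are assumptions:

```python
"""Check a Gmail-style SMTP relay the way Nextcloud will use it.

Added example, not the post's or Nextcloud's code. Assumptions: the
GMAIL_USER / GMAIL_APP_PASSWORD environment variables and the addresses used
in the __main__ block. Host and port are Gmail's published values.
"""
import os
import smtplib
import ssl
from email.message import EmailMessage

SMTP_HOST = "smtp.gmail.com"  # from the post
SMTP_PORT = 587               # submission port: plaintext, upgraded by STARTTLS


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Build a plain-text test message (roughly what the Send email button does)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_starttls(msg: EmailMessage, user: str, app_password: str,
                      host: str = SMTP_HOST, port: int = SMTP_PORT, timeout: int = 15) -> str:
    """Send msg and return the negotiated TLS version.

    Credentials are only sent after (1) the server advertised STARTTLS and
    (2) the TLS handshake verified the certificate chain and host name against
    the system trust store. Without (1) a downgrade would leak the app password
    in clear text; without (2) a man-in-the-middle could read it.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing to log in")
        smtp.starttls(context=ctx)
        smtp.ehlo()                     # capabilities (AUTH) are re-announced after TLS
        smtp.login(user, app_password)  # an app password, never the account password
        smtp.send_message(msg)
        return smtp.sock.version()      # e.g. "TLSv1.3"


if __name__ == "__main__":
    user = os.environ["GMAIL_USER"]
    password = os.environ["GMAIL_APP_PASSWORD"]
    message = build_message(user, user, "Nextcloud SMTP check",
                            "If you can read this, the relay works.")
    print("sent over", send_via_starttls(message, user, password))
```

If the script raises on the STARTTLS check or on certificate verification, fix that before trusting the relay: the same failure inside Nextcloud would either leak the credential or silently not send.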

4. Security

4.1 Password Policy

Nextcloud Password Policy Settings

As you can see in the screenshot above, I’ve beefed up the security settings. You can find these in the Security tab of the Administration panel.

You may think I’m going overboard by enforcing 18-character passwords. Most of my passwords are actually much longer than that (when possible). I can only suggest that you use a password manager like:

  • Bitwarden (free to start with, and accessible online)
  • KeePassXC (cross-platform open source app) or
  • 1Password (excellent, but comes at a price)

Also, I’ve basically checked all the password options. It’s good practice to ensure passwords are random enough; again, that works better if you use a password manager.
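As an added example (not code from the post nor from Nextcloud’s password policy app), the validator below mirrors those options: the 18-character minimum, upper and lower case, digit and special character requirements, plus a common-password block. It is paired with a generator so you can see what a password manager has to produce to pass. The option names, the tiny common-password list and the 24-character generator default are my own choices:

```python
"""Password policy check mirroring the options turned on above.

Added example, not from the post or from Nextcloud's password_policy app. The
option names, the tiny common-password list and the 24-character default for
the generator are my own choices; 18 is the post's minimum length.
"""
import secrets
import string
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Policy:
    min_length: int = 18
    forbid_common: bool = True
    require_upper_and_lower: bool = True
    require_numeric: bool = True
    require_special: bool = True
    # constructed stand-in for a real common-password list
    common_passwords: FrozenSet[str] = frozenset(
        {"password", "123456", "qwerty", "letmein", "nextcloud", "raspberry"})


def violations(password: str, policy: Policy = Policy()) -> List[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.forbid_common and password.lower() in policy.common_passwords:
        problems.append("is a common password")
    if policy.require_upper_and_lower and not (
            any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper and lower case letters")
    if policy.require_numeric and not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    return problems


def generate(length: int = 24, policy: Policy = Policy()) -> str:
    """Draw passwords from a CSPRNG until one satisfies the policy, which is
    what a password manager's generator effectively does."""
    if length < policy.min_length:
        raise ValueError("length below the policy minimum")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(candidate, policy):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Raspberry", "correct horse battery staple", generate()):
        print(f"{pw!r}: {violations(pw) or 'OK'}")
```

Note that a passphrase such as “correct horse battery staple” fails this policy despite being long: with all character-class options ticked, users (or their generators) must mix classes, which is another reason to let the manager generate the password.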

4.2 Two Factor Authentication

In case you haven’t noticed I’m a bit paranoid with security. We are going to enforce 2 factor authentication for all Nextcloud users.

The 2FA principle is straightforward. First you log in with a password as usual; the password is “something you know”. Then, as an extra login step, you must either enter a code generated by an app (typically on your mobile device) or touch a U2F key; this part is “something you have”. In other words an attacker must:

  • Guess your password (if it’s strong enough, that’s no easy feat already), and then
  • Steal your mobile phone or U2F key (the thing you have), which requires physical access.

Long story short: 2FA makes it much harder for an attacker to get into your account. One caveat: a TOTP code can still be phished, since a fake login page can relay the code to the real site within its short validity window, whereas a U2F key signs the origin of the page it is used on and so resists that attack. That’s a good reason to register a key if you own one.

4.2.1 Security App Installation

You may not know it but Nextcloud isn’t just about storing files. It comes with its own app store. We are going to install the security apps enabling 2FA.

Nextcloud App Store

On the top right of the screen, click on your profile icon. Then select the + Apps menu item.

Nextcloud Security Applications

In the app store select the Security tab and install the 2 applications highlighted in the screenshot above:

  • Two Factor TOTP Provider
  • Two Factor U2F

4.2.2 Enabling 2FA TOTP

Nextcloud Two Factor Authentication

Now select Settings in your profile menu on the top right of the screen. Then choose the Security tab on the left hand menu in the Personal section.

First, generate your backup codes and save them somewhere safe where you are sure you can access them later if necessary. In the worst case, if you lose your U2F key or your mobile phone, these codes get you into your account. Still, be careful: you only have 10 backup codes, each works once, and whoever finds them holds your second factor, so store them like a password.

Next, check the Enable TOTP checkbox.

This opens a pop-up. Read the instructions carefully. You’ll need an authenticator app; there are loads of them on Android and iOS. I personally recommend Authy.

I like Authy because you can install it on several devices, so you can generate TOTP codes from more than one of them. Convenience is arguably not good for security, though: every device that holds the secret is one more device an attacker can get their hands on, which partly defeats the extra protection of 2FA. Conversely (and it happened to me), if for any reason you lose access to the one device able to generate codes, you are in for logging into every 2FA-enabled account with its backup codes and setting TOTP up again on each of them!

TOTP codes are derived from a shared secret, handed to you either as a QR code or as a long random character string (the QR code simply encodes that same string). On a mobile, Authy scans the QR code with the phone camera. Password managers (at least those I recommended) can also generate the codes from the character string, which is convenient but keeps both factors in the same vault.
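To show what both the authenticator app and Nextcloud compute from that secret, here is an RFC 6238 TOTP implementation as an added example (standard library only; not the post’s code nor the Two Factor TOTP Provider app’s). It decodes the base32 secret string, derives the 6-digit code for a 30-second step, checks a submitted code with a one-step skew window in constant time, and builds the otpauth URI that the QR code carries, which is why the QR code and the string are interchangeable. The secret used is the RFC 4226/6238 reference key, and the account name is made up:

```python
"""RFC 6238 TOTP as both the authenticator app and the server compute it.

Added example, not the post's code nor the Two Factor TOTP Provider app's;
standard library only. RFC_SECRET is the RFC 4226/6238 reference key, not a
real secret; the account name in __main__ is made up.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

STEP = 30    # seconds per code, the usual value for authenticator apps
DIGITS = 6   # code length shown by the app


def decode_secret(base32_secret: str) -> bytes:
    """Turn the 'long random string' shown to the user into key bytes.
    Accepts lower case, spaces and missing '=' padding, as apps do."""
    compact = base32_secret.replace(" ", "").upper()
    compact += "=" * (-len(compact) % 8)
    return base64.b32decode(compact)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = Unix time // step."""
    return hotp(key, at // step, digits)


def verify(key: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side for clock skew, comparing in constant time. A real server must also
    remember used codes so one cannot be replayed within the window."""
    candidates = (totp(key, at + i * STEP) for i in range(-window, window + 1))
    return any(hmac.compare_digest(c, submitted) for c in candidates)


def provisioning_uri(base32_secret: str, account: str, issuer: str = "Nextcloud") -> str:
    """The otpauth:// URI a TOTP QR code encodes: same secret as the string."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": base32_secret, "issuer": issuer,
                       "algorithm": "SHA1", "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"


RFC_SECRET = b"12345678901234567890"                    # RFC 4226 test key
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()   # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

if __name__ == "__main__":
    key = decode_secret(RFC_SECRET_B32)
    print(provisioning_uri(RFC_SECRET_B32, "alice@example.org"))
    now = int(time.time())
    code = totp(key, now)
    print("code now:", code, "verifies:", verify(key, code, now))
```

Any device that knows the secret produces exactly the same code, which is why installing Authy on several terminals, or letting the password manager hold the secret, widens the attack surface: the second factor is only as separate as the places that secret lives in.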

4.2.3 Enabling 2FA U2F

If you are the proud owner of a U2F device such as a YubiKey or a Nitrokey, I advise you to also add it to your account. You’ll then be given the choice of either entering a code or using your key when logging in.

It goes without saying: it’s one or the other. You don’t need to enter a TOTP code and use your U2F key. We are discussing two-factor authentication, not 3FA!

Nextcloud TOTP or U2F 2FA during login

4.2.4 Enforcing 2FA

As a last step we are going to enforce 2FA. In other words it will be mandatory on login for all users on your Nextcloud instance.

Nextcloud Enforcing 2FA

As you can see above, you only need to check Enforce two-factor authentication in the Security tab of the Administration panel (i.e. in Nextcloud’s global settings).

Moreover, I’ve created a group called “no2fa”. Why is that? Everybody assigned to this group won’t have 2FA enforced on login. What’s the point of enforcing 2FA if one of our first actions is to find a way around it?

The answer is: I use this trick for new users. On their first login (and as long as they haven’t configured 2FA), they obviously have no means to produce a second factor. Once they’ve set up 2FA on their account, remove them from this group. Keep the group empty otherwise, and review its membership now and then: anyone left in it is exempt from the policy.

4.3 Encryption

In the same panel where we enforced 2FA, there is an option to Enable server-side encryption.

Since my Nextcloud server runs on a Raspberry Pi, I haven’t activated the server-side encryption. In other circumstances however, I certainly would have.

Even though I’ve installed PHP’s mcrypt module, I’m cautious about the performance toll. (Note that Nextcloud’s default encryption module relies on PHP’s OpenSSL extension, not on mcrypt.) Consider that the Raspberry Pi would have to encrypt and decrypt every file on the fly, and remember that the Raspberry Pi, as brilliant as it is, remains a modest (low-memory) server.

On a powerful enough machine, I would definitely consider setting up server-side encryption. Also bear in mind what it protects against: the keys are kept on the server, so it shields files sitting on external storage rather than files on a server an attacker already controls. Evaluate how sensitive your documents are: is it worth impeding usability in order to increase security?

Food for thought: if your files and documents truly are sensitive, maybe a self-hosted Nextcloud on a Raspberry Pi at home isn’t the best approach. In such a case, I’d go for a Tresorit, pCloud or SpiderOak subscription.

4.4 Scan Your Instance

As a nice final touch, Nextcloud provides an online scanner that checks your installation from the outside (so your instance must be reachable from the Internet). It looks at the Nextcloud version and externally visible hardening, not at the PHP or OS layers underneath. If everything’s right you should easily get an A+.

https://scan.nextcloud.com/

Nextcloud Security Scanner

5. Final Words

There are obviously plenty more things you can do or configure on Nextcloud. Here, we’ve only scratched the surface.

Still, these are the very first steps I take with Nextcloud:

  • Resolve warnings
  • Set up SMTP
  • Improve security

I hope you find this post useful. Please let me know if you found anything erroneous.

Also, what are the first things you configure on Nextcloud on your end? Would you advise any other initial configuration steps?
