Private Cloud Storage
Z Tech Blog
This instruction manual covers setting up private cloud storage, similar in features to OneDrive and Google Drive, using the NextCloud platform. This cloud storage will be self-hosted – running on your own servers – and secured using encryption. Thus, you will have full control and sole admin access to your private data. This is an excellent solution for those who prefer that their data not be potentially accessible by the third parties hosting the cloud storage, such as Google, Microsoft or AWS. This manual covers the setup of the NextCloud platform and its prerequisites.

To keep things simple in this tutorial, the NextCloud server and the data will be on the same server. However, for more advanced users, the DB can be on a separate MySQL server instead of on localhost if needed. The NextCloud servers can also be abstracted from the storage volume (i.e. the files can be stored on a separate volume/mount). If the files are stored on a separate volume, then the design can include elastic scaling by placing the NextCloud servers behind an elastic load balancer, with each server connecting to a RAID-enabled NFS server that holds the volume with all the data.

Installation Requirements

  1. Active Internet Connection
  2. Open firewall ports for HTTP (80) and HTTPS (443)
  3. Internet-accessible domain that points to your NextCloud server (free domains are available from no-ip.com)
  4. Operating System – The NextCloud server is a Linux-only platform. Clients can run on Windows, Mac OS, iOS and Android
    1. Ubuntu 16.04 (or later) LTS (recommended)
    2. Red Hat Enterprise Linux 8 (recommended)
    3. Debian 10 (Buster)
    4. SUSE Linux Enterprise Server 15
    5. openSUSE Leap 42.1+
    6. CentOS 8
  5. Memory: minimum of 128 MB RAM; 512 MB recommended

1.  LAMP Stack

NextCloud requires a LAMP stack (previously covered in my tutorial on setting up a self-hosted webserver). The steps covering the installation of the LAMP stack in the webserver tutorial can be reused; alternatively, a third-party tutorial specific to the LAMP stack can be used instead.

If using the LAMP stack installation section of the webserver tutorial, then please note: DO NOT SET UP TLS/SSL CERTIFICATES (LETSENCRYPT.ORG AND CERTBOT). THIS WILL BE COVERED LATER IN THIS TUTORIAL. It is critical not to install the certificate until the correct point in the setup process, as installing the TLS/SSL certificate at the wrong time will cause the overall installation process to fail.

2.  Download and Install the NextCloud Software

Download NextCloud into a folder named nextcloud in your home directory.

Extract nextcloud:

Copy nextcloud to its directory. It must be saved outside of the Apache root (/var/www/html) for security purposes, as storing it there would expose all nextcloud files/folders to the wider internet.

Give the Apache user and group permission to access the folder:

3.  Setup the NextCloud Data Base (DB)

Log in to phpMyAdmin and create a DB with the following:

DB Collation: utf8mb4_collation_ci

Create a user with complete access to the nextcloud DB only (not the entire DB instance).

Run the following SQL query:

4.  Configure Apache

Configure Apache for use by NextCloud by creating a virtual host file.

Create the file:

Paste the following into the file and change the text highlighted in red to the domain that points to your NextCloud server:

Create a symlink to the corresponding file in the sites-enabled folder:

Enable the following Apache modules:

Install the following php modules:

Restart Apache:

5.  Configure NextCloud

Create a folder for the user data to be stored:

Assign permissions to the folder so that Apache can use it:

Complete the installation wizard via the website at the web URL of your domain (it will not require “/nextcloud”).

The DB user, password and name are those set up when the DB was created (above); the host is localhost.

6.  Secure the platform with encryption using TLS/SSL

Secure the installation with a TLS/SSL certificate from Let's Encrypt.

Install the Let's Encrypt client (certbot). First, add the certbot package repository:

Then, update the package lists:

Install the Apache plugin:

Set up the SSL certificate. A certificate can only be issued for domains that successfully point to this particular server; it cannot be used for domains pointing to servers that are not running this instance of the certbot client, i.e. the certificate is specific to this server instance. For advanced users who are running multiple NextCloud servers, it is best to place the certificate on the load balancer.

Complete the wizard accordingly.

If an error occurs (“the Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA”), then use the following command:

Test that the certificate installation and setup were successful by visiting: https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

Test that the setup was successful:

Check that the system scheduler has scheduled certbot to renew/revalidate the certificate automatically. Certbot should appear in the returned table as scheduled to run within the next 12 hours:

Add the HSTS security header to the SSL config file.

Edit the file:

Paste the following lines into the file after the SSLCertificateKeyFile line.

Restart Apache:
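As an added example that is not part of the post (nor NextCloud's own tooling), this POSIX shell script does what the HSTS step above describes on a constructed vhost fragment: it inserts the header after the SSLCertificateKeyFile line, then checks that the configured max-age meets the 15552000-second (180-day) minimum that NextCloud's admin security check expects, and also checks that DocumentRoot sits outside /var/www/html as section 2 requires. The domain, file paths and vhost text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post. Minimum max-age NextCloud's security check accepts (180 days).
HSTS_MIN=15552000
HSTS_LINE='Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"'

# Constructed stand-in for the certbot-generated SSL vhost file (paths/domain are placeholders).
SAMPLE_CONF='<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/nextcloud
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>'

# add_hsts CONF_TEXT: print CONF_TEXT with HSTS_LINE added after the SSLCertificateKeyFile line.
# Idempotent: if a Strict-Transport-Security header already exists the text is returned unchanged.
add_hsts() {
  if printf '%s\n' "$1" | grep -q 'Strict-Transport-Security'; then
    printf '%s\n' "$1"
    return 0
  fi
  printf '%s\n' "$1" | awk -v hdr="$HSTS_LINE" '
    { print }
    /SSLCertificateKeyFile/ { print "    " hdr }'
}

# hsts_max_age CONF_TEXT: print the max-age of the first HSTS header, or 0 if there is none.
hsts_max_age() {
  age=$(printf '%s\n' "$1" | sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  printf '%s\n' "${age:-0}"
}

# hsts_ok CONF_TEXT: succeed only if the configured max-age is at least HSTS_MIN.
hsts_ok() {
  [ "$(hsts_max_age "$1")" -ge "$HSTS_MIN" ]
}

# docroot_outside_webroot CONF_TEXT: succeed if DocumentRoot is set and not under /var/www/html.
docroot_outside_webroot() {
  root=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]*//p' | head -n 1)
  case "$root" in
    ""|/var/www/html|/var/www/html/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Demonstration on the constructed fragment: before and after hardening.
HARDENED=$(add_hsts "$SAMPLE_CONF")
hsts_ok "$SAMPLE_CONF" && echo "before: HSTS ok" || echo "before: HSTS missing or max-age too short"
hsts_ok "$HARDENED" && echo "after: HSTS ok" || echo "after: HSTS missing or max-age too short"
docroot_outside_webroot "$HARDENED" && echo "DocumentRoot is outside /var/www/html"
```

To apply it to a real file, feed the file's contents to add_hsts and write the output back, then run the checks on the file before restarting Apache.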

7.  Final Steps

Congratulations! NextCloud has been installed. You can now use the NextCloud app (available on the App Store or on Google Play) to connect to your NextCloud storage. You can also log in via the web interface by going to your registered NextCloud domain.

Z Tech is a technologist, senior programme director, business change lead and Agile methodology specialist. He is a former solutions architect, software engineer, infrastructure engineer and cyber security manager. He writes here in his spare time about technology, tech driven business change, how best to adopt Agile practices and cyber security.

Posted in Cyber Security, Private Cloud, Tutorials.