FreeNAS: Nextcloud Install with SSL
Nextcloud is a suite of client-server software for creating and using file hosting services. This FreeNAS: Nextcloud Install with SSL article will show you how to configure your Nextcloud application securely. Functionally, Nextcloud is similar to Dropbox; unlike Dropbox, however, Nextcloud does not offer off-premises file storage hosting. Instead, Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices. In contrast to proprietary services like Dropbox, the open architecture allows adding functionality to the server in the form of applications and enables users to have full control of their data.
I made the switch from Dropbox to Nextcloud for two reasons. For a long time I was uncomfortable having my data with a big company like Dropbox, which has been widely criticized for security and privacy breaches. The second reason is that there is no good implementation of Dropbox for FreeNAS, at least at this point. You can sync data one way to Dropbox, but there is no good way to sync two ways.
This article was originally written for FreeNAS version 11.2-U6 and has been updated for 11.3-U9. It will show you how to install Nextcloud on your FreeNAS server, secure it and then access it remotely. Following the install of Nextcloud, you will want to follow this article, FreeNAS: NextCloud Access to Mount Points using External Storage and Proper Permissions, which shows you how to set up external storage with proper permissions.
This is part of my ongoing series of TrueNAS and FreeNAS setup, configuration and install articles.
The first step in this FreeNAS: Nextcloud Install with SSL article is to (surprise!) install Nextcloud, which is actually pretty simple. Just do the standard plug-in install of Nextcloud from the FreeNAS WebUI plugins tab. Click Plugins -> Available -> Nextcloud -> Three dots on the right -> Install.
Follow the instructions and once it is done a popup window will appear with critical information. Copy all of the information that is displayed in the window to a text document so we can use it later.
Make sure you are happy with the IP which will be assigned to the jail; if you change it later you have to do a bunch of additional reconfiguration work. Once you are happy, start the jail.
Now log in to the Nextcloud WebUI page by navigating to the IP that has been assigned to your jail and you will see the following.
Create an admin username and password, and then enter the database name, user and password which you copied into a text document in the step above. Leave localhost. Click ‘Finish Setup’ and it will log into your Nextcloud server.
If you’re getting an “Access through untrusted domain” Nextcloud error message, then you will need to edit the /usr/local/www/nextcloud/config/config.php file. I use the nano text editor, and you may need to install it first using pkg install nano. In this file, after the line which includes ‘trusted_domains’, there will be lines which start with 1 =>, etc., and you will need to put the local IP address assigned to your jail on a new line below them, starting with the next number in sequence. In my case I added a line which reads:
2 => '192.168.1.127',
Pay close attention to the syntax. When you’re done, it should look something like the image below.
Save the file, exit the editor and restart your jail/plugin. You should now be able to navigate to the Nextcloud WebUI.
If, when accessing the WebUI, you aren’t prompted to create a user, you are likely going to have to do it from the command line. So head to your shell (or SSH) and complete the following steps:
- The commands have to be run as the www user, so switch to that user using:
su -m www
- Create the user ‘admin’ using the OCC (Nextcloud’s command-line interface) by running:
php /usr/local/www/nextcloud/occ user:add admin
- Now you need to give the user admin privileges by adding them to the admin group by running (the first ‘admin’ is the group name and the second is the username):
php /usr/local/www/nextcloud/occ group:adduser admin admin
You will be prompted to insert a password. Of course you can replace admin with any username you would like.
Setting Up HTTPS
Now for the securing part of this FreeNAS: Nextcloud Install with SSL article. We are going to set up HTTPS so that access is more secure and passwords are not sent in plain text. Drop to a shell in your Nextcloud jail, where we will create an SSL key. Once at the command prompt, let’s create a directory for your SSL keys and then navigate there:
mkdir -p /usr/local/etc/ssl/nginx
cd /usr/local/etc/ssl/nginx
Generate a self-signed certificate and its private key:
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout nextcloud.key -out nextcloud.crt
Follow the prompts and enter the location and organization information you would like to have associated with your server.
Set the correct permissions on your key:
chmod 400 /usr/local/etc/ssl/nginx/nextcloud.key
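Edit the nginx config file using
nano /usr/local/etc/nginx/nginx.conf
and, after this line:
# Basic settings
paste the following server block. It has to sit directly inside the http { } block and not inside another server block, otherwise nginx refuses to start with a “server” directive is not allowed here error:
server {
server_name [server name];
return 301 https://$server_name$request_uri;
}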
It should look like what is included in the following image:
Now we need to edit the Nextcloud config file using this command:
At the start of the file, replace:
listen 443 ssl http2;
listen [::]:443 ssl http2;
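add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
Type the quotes around the header value as plain ASCII double quotes. If typographic quotes are pasted in instead, nginx ends the directive at the first semicolon and fails with unknown directive “includeSubDomains”.
Save the file and that should be it. Now you can restart your Nextcloud jail/plugin and log in to your site using https://[ipaddress].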
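A pre-flight check for the HTTPS steps above, added here as an example and not part of the original article: it flags typographic quotes in an nginx file (the cause of the unknown directive errors readers report in the comments) and a private key that group or other users can read. The function names and the demo's sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the files this procedure touches before restarting nginx.
# Function names and the demo's sample files are constructed for illustration.

# UTF-8 bytes of the typographic quotes U+2018, U+2019, U+201C and U+201D,
# built with printf so that this script itself stays plain ASCII.
LSQ=$(printf '\342\200\230'); RSQ=$(printf '\342\200\231')
LDQ=$(printf '\342\200\234'); RDQ=$(printf '\342\200\235')

# Print "N:text" for each line of an nginx file that holds a typographic quote.
# nginx only treats ASCII quotes as quoting, so a curly-quoted value ends at its
# first ';' and the following word is reported as an unknown directive.
find_smart_quotes() {
    LC_ALL=C grep -n -F -e "$LSQ" -e "$RSQ" -e "$LDQ" -e "$RDQ" "$1"
}

# Succeed only if the key exists and grants nothing to group or others
# (for example mode 400). Reading ls output works on FreeBSD and Linux alike.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run both checks and return non-zero if either fails.
preflight() {
    conf=$1; key=$2; rc=0
    [ -r "$conf" ] || { echo "$conf: not readable"; return 2; }
    if hits=$(find_smart_quotes "$conf"); then
        echo "typographic quotes in $conf:"; echo "$hits"; rc=1
    fi
    key_is_private "$key" || { echo "$key: missing, or readable by group/others"; rc=1; }
    return $rc
}

# Demo on constructed files: a conf with curly quotes and a key left at mode 644.
demo() {
    d=$(mktemp -d)
    printf 'add_header Strict-Transport-Security %smax-age=15768000; includeSubDomains; preload;%s;\n' \
        "$LDQ" "$RDQ" > "$d/nextcloud.conf"
    : > "$d/nextcloud.key"; chmod 644 "$d/nextcloud.key"
    preflight "$d/nextcloud.conf" "$d/nextcloud.key"; result=$?
    rm -rf "$d"; return $result
}
```

Inside the jail, run preflight /usr/local/etc/nginx/conf.d/nextcloud.conf /usr/local/etc/ssl/nginx/nextcloud.key and then nginx -t, which makes nginx parse the configuration without restarting it.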
If things don’t work, check your error log at:
If you want to add the ability to connect externally, you will need to add the external domain or IP address to the /usr/local/www/nextcloud/config/config.php file. Edit this file using nano, and add this line:
1 => 'your ip or domain name',
to the file below the line which starts something like:
0 => '192.168.1.203',
The line that you are looking for should have the local IP address for your server. In the example image below, I’ve entered ‘184.108.40.206’ in the spot in which you should put your external IP (or domain name, if you have one).
Save the file, exit the editor and restart your jail/plugin. You should now be able to navigate to your server from your external ip address with https://[externalipaddress].
If you want to edit the location of the data directory from default (/usr/local/www/nextcloud/data), then edit the config file by running:
and change the ‘datadirectory’ variable to the path of your choice.
Linking NextCloud to Jail Mount Points
Linking Nextcloud to the rest of your FreeNAS server through mount points is probably the most powerful way to use Nextcloud. I’ve put together an article which will describe exactly how to do this, with the correct permissions: FreeNAS: NextCloud Access to Mount Points using External Storage and Proper Permissions
OK, so that’s it for this FreeNAS: Nextcloud Install with SSL article and you should now be up and running with your own cloud server using Nextcloud.
17 thoughts on “FreeNAS: Nextcloud Install with SSL”
The line after “Set the correct security for you keys:” should be:
chmod 400 /usr/local/etc/ssl/nginx/nextcloud.key’
/local/ is missing in the line.
Good catch. Thanks. It’s been corrected.
The line “mkdir -p /usr/local/etc/ssl/ngix”
should be “mkdir -p /usr/local/etc/ssl/nginx”
getting following errors, any ideas?
2020/05/23 13:30:53 [emerg] 28296#100613: “server” directive is not allowed here in /usr/local/etc/nginx/nginx.conf:94
2020/05/23 13:30:53 [emerg] 28297#100613: “server” directive is not allowed here in /usr/local/etc/nginx/nginx.conf:94
2020/05/23 13:55:56 [emerg] 36084#102732: “server” directive is not allowed here in /usr/local/etc/nginx/nginx.conf:95
2020/05/23 13:55:56 [emerg] 36085#102732: “server” directive is not allowed here in /usr/local/etc/nginx/nginx.conf:95
2020/05/23 14:21:41 [emerg] 40276#102640: unknown directive “includeSubDomains” in /usr/local/etc/nginx/conf.d/nextcloud.conf:7
2020/05/23 14:21:41 [emerg] 40277#102640: unknown directive “includeSubDomains” in /usr/local/etc/nginx/conf.d/nextcloud.conf:7
I noticed that the same line was already in the config file and that’s probably causing the issue.
If you leave out the line with “add_header Strict-Transport-Security”, that should fix it for you.
Something else the blog doesn’t mention, having a separate IP address attached to this jail makes a huge difference. Otherwise there is a port overlap with Freenas itself if you use NAT.
Thx Alex. This post is assuming you’re not using NAT as per the comment about ensuring you’re happy with this ip assigned. I will revise to make that more clear however.
Thanks for this comprehensive and well written tutorial!
You helped a lot!
Hi, I just tried out your tutorial and am now facing the problem that after rebooting the machine, I can’t reach the Nextcloud website anymore. Neither via the IP-address, nor the domain name. I edited the config.php properly and was connected to the website before the reboot. Am I doing something wrong or do I have to make a certain setting? I am running Nextcloud Version 20 on a TrueNas 12.0 instance.
I haven’t yet tried this with truenas. It is my next article to update.
the indicator is in the error.log. I just commented out the line ‘add_header Strict-Transport-Security “max-age=15768000; includeSubDomains; preload;”;’ and the site came back.
Thanks for posting your solution!!
TrueNAS-12.0-U2 does not work on the latest version
(Version nextcloud 21)
Does not open https: // my jails address
unknown directive “includeSubDomains” in /usr/local/etc/nginx/conf.d/nextcloud.conf
if I just commented out the line ‘add_header Strict-Transport-Security “max-age=15768000; includeSubDomains; preload;”;’
unknown directive “‘add_header” in /usr/local/etc/nginx/conf.d/nextcloud.conf:11
There is an error commenting with ‘
if you use # everything is ok
I just commented out the line
#add_header Strict-Transport-Security “max-age = 15768000; includeSubDomains; preload; ”;’ and the site came back.
I receive the following message when trying to access: “Your connection is not private”
This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
I can click proceed (Unsafe).. What am I missing?
I believe this procedure is to unlock the possibility for nextcloud app on iOS and android where they only allow https connections regardless how secure they are.
Nextcloud http or fake https (with no domain to sign your certificate) is very secure if you access it on your LAN only or via a VPN connection such as OpenVPN or WireGuard
When I follow these steps, I get to the part before “External Access” and try to login. I then get a “This site can’t be reached” error and it says “Check if there is a typo in _.” I commented out the “add Header Strict” as per the comments, but it appears there is an issue with what I put as the [server name] in the nginx file. Any ideas?