digiMoot:

FreeNAS: Nextcloud Install with SSL

Nextcloud is a suite of client-server software for creating and using file hosting services. This FreeNAS: Nextcloud Install with SSL article will show you how to configure your Nextcloud application securely. Nextcloud is functionally similar to Dropbox; however, unlike Dropbox, Nextcloud does not offer off-premises file storage hosting. Instead, Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices. In contrast to proprietary services like Dropbox, the open architecture allows adding functionality to the server in the form of applications and enables users to have full control of their data.

I made the switch from DropBox to NextCloud for two reasons. For a long time I was uncomfortable having my data with a big company like Dropbox who has been widely criticized for security and privacy breaches. The second reason is that there is no good implementation of DropBox for FreeNAS, at least at this point. You can sync data one way to dropbox, but there is no good way to sync two ways.

This article was originally written for FreeNAS version 11.2-U6 and has been updated for 11.3-U9. It will show you how to install Nextcloud on your FreeNAS server, secure it and then access it remotely. Following the install of Nextcloud, you will want to follow the article FreeNAS: NextCloud Access to Mount Points using External Storage and Proper Permissions, which shows you how to set up external storage with proper permissions.

This is part of my ongoing series of TrueNAS and FreeNAS setup, configuration and install articles.

Installing NextCloud

The first step in this FreeNAS: Nextcloud Install with SSL article is to (surprise!) install Nextcloud, which is actually pretty simple. Just do the standard plug-in install of Nextcloud from the FreeNAS WebUI plugins tab. Click Plugins -> Available -> Nextcloud -> Three dots on the right -> Install.

Follow the instructions and once it is done a popup window will appear with critical information. Copy all of the information that is displayed in the window to a text document so we can use it later.

Make sure you are happy with the IP which will be assigned to the jail; if you change it later you have to do a bunch of additional reconfiguration work. Once you are happy, start the jail.

Now log in to the Nextcloud WebUI page by navigating to the IP that has been assigned to your jail and you will see the following.

Nextcloud Install on FreeNAS

Create an admin username and password, and then enter the database name, user and password which you copied into a text document in the step above. Leave the host set to localhost. Click ‘Finish Setup’ and it will log into your Nextcloud server.

If you’re getting an “Access through untrusted domain” Nextcloud error message, you will need to edit the /usr/local/www/nextcloud/config/config.php file. I use the nano text editor; you may need to install it first using pkg install nano. In this file, after the line which includes ‘trusted_domains’, there will be lines which start with 0 =>, 1 =>, etc. Put the local IP address assigned to your jail on a new line below them, starting with the next number in sequence. In my case I added a line which reads: 2 => '192.168.1.127',. Pay close attention to the syntax. When you’re done, it should look something like the image below.

FreeNAS: Nextcloud WebUI Access through untrusted domain error

Save the file, exit the editor and restart your jail/plugin. You should now be able to navigate to the Nextcloud WebUI.

If, when accessing the WebUI, you aren’t prompted to create a user, you are likely going to have to do it from the command line. So head to your shell (or SSH) and complete the following steps:

  1. The commands have to be run as the www user, so switch to that user using: su -m www
  2. Create the user ‘admin’ using the OCC (Nextcloud’s command-line interface) by running: php /usr/local/www/nextcloud/occ user:add admin
  3. Now you need to give the user admin privileges by adding them to the admin group by running (the first ‘admin’ is the group name and the second is the username): php /usr/local/www/nextcloud/occ group:adduser admin admin

You will be prompted to insert a password. Of course you can replace admin with any username you would like.

Setting Up HTTPS

Now for the securing part of this FreeNAS: Nextcloud Install with SSL article. We are now going to set up HTTPS for more secure access, so that passwords are not sent in plain text. You will need to drop to a shell of your Nextcloud jail, where we will create an SSL key. Once at the command prompt, let’s create a directory for your SSL keys and then navigate there:

mkdir -p /usr/local/etc/ssl/nginx
cd /usr/local/etc/ssl/nginx

Generate an SSL key:
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout nextcloud.key -out nextcloud.crt

Follow the command prompt instructions and enter the location and organization information you would like to have associated with your server.

Set the correct security for your keys:
chmod 400 /usr/local/etc/ssl/nginx/nextcloud.key

Edit the nginx config file using nano /usr/local/etc/nginx/nginx.conf. After these lines:

# Basic settings
# ———-

paste the following:

server {
listen 80;
listen [::]:80;
server_name [server name];
return 301 https://$server_name$request_uri;
}

It should look like what is included in the following image:

FreeNAS Nextcloud nginx.conf SSL Setup

Now we need to edit the Nextcloud config file using this command:
nano /usr/local/etc/nginx/conf.d/nextcloud.conf

At the start of the file, replace:

server {
listen 80;
server_name _;

with:

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name [servername];
ssl_certificate /usr/local/etc/ssl/nginx/nextcloud.crt;
ssl_certificate_key /usr/local/etc/ssl/nginx/nextcloud.key;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

Save the file and that should be it. Now you can restart your Nextcloud jail/plugin and log in to your site using https://[ipaddress].

If things don’t work, check your error log at: /var/log/nginx/error.log
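
A pre-restart check for the files edited above, as an added example that is not part of the original article: it flags typographic quotes (nginx does not treat them as quotes, so a pasted header value is cut at its first semicolon and the next word is reported as an unknown directive), more than one active Strict-Transport-Security line, and a private key that is missing or accessible to group or other. The function names, the demo server_name and the temp file path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the article. lint_nginx_conf FILE returns 0 if clean.
lint_nginx_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    # U+201C, U+201D, U+2018, U+2019 as UTF-8 bytes. nginx only understands
    # ASCII quotes, so a value wrapped in these is split at its first ';'.
    curly=$(printf '\342\200\234|\342\200\235|\342\200\230|\342\200\231')
    if LC_ALL=C grep -anE "$curly" "$conf"; then
        echo "FAIL: typographic quotes in $conf"; rc=1
    fi
    # Commented-out lines are ignored; each active line emits its own header.
    n=$(grep -cE '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$conf" || true)
    if [ "$n" -gt 1 ]; then
        echo "FAIL: $n active Strict-Transport-Security lines"; rc=1
    fi
    # The private key named in the config must exist and be owner-only.
    key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n 1)
    if [ -n "$key" ]; then
        if [ ! -f "$key" ]; then
            echo "FAIL: key file $key not found"; rc=1
        elif [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $key is accessible to group/other"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample: the header line as it arrives when pasted with
# typographic quotes from a web page.
demo() {
    tmp=$(mktemp /tmp/nclint.XXXXXX)
    cat > "$tmp" <<'EOF'
server {
    listen 443 ssl http2;
    server_name cloud.example.test;
    add_header Strict-Transport-Security “max-age=15768000; includeSubDomains; preload;”;
}
EOF
    lint_nginx_conf "$tmp"; status=$?
    rm -f "$tmp"
    return $status
}

# Usage: sh lint.sh /usr/local/etc/nginx/conf.d/nextcloud.conf
if [ "$#" -gt 0 ]; then lint_nginx_conf "$1"; fi
```

After the lint passes, nginx -t validates the full configuration before you restart the jail.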

External Access

If you want to add the ability to connect externally, you will need to add the external domain or IP address to the /usr/local/www/nextcloud/config/config.php file. Edit this file using nano, and add the line 1 => 'your ip or domain name', below the line which starts something like 0 => '192.168.1.203',. The line you are looking for should have the local IP address of your server. In the example image below, I’ve entered ‘8.8.8.8’ in the spot in which you should put your external IP (or domain name, if you have one).

FreeNAS Nextcloud SSL Setup Add External Access

Save the file, exit the editor and restart your jail/plugin. You should now be able to navigate to your server from your external ip address with https://[externalipaddress].

Optional Configuration

If you want to change the location of the data directory from the default (/usr/local/www/nextcloud/data), then edit the config file by running:

nano /usr/local/www/nextcloud/config/config.php

and change the ‘datadirectory’ variable to the path of your choice.

Linking NextCloud to Jail Mount Points

Linking Nextcloud to the rest of your FreeNAS server through mount points is probably the most powerful way to use Nextcloud. I’ve put together an article which describes exactly how to do this, with the correct permissions: FreeNAS: NextCloud Access to Mount Points using External Storage and Proper Permissions

OK, so that’s it for this FreeNAS: Nextcloud Install with SSL article and you should now be up and running with your own cloud server using Nextcloud.

Happy Nextcloudin’

~digiMoot

Sources:
https://www.youtube.com/watch?v=QhUhZA28Xn8
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/occ_command.html#user-commands-label


17 thoughts on “FreeNAS: Nextcloud Install with SSL”

  1. The line after “Set the correct security for you keys:” should be:
    chmod 400 /usr/local/etc/ssl/nginx/nextcloud.key

    /local/ is missing in the line.

  2. The line “mkdir -p /usr/local/etc/ssl/ngix”

    should be “mkdir -p /usr/local/etc/ssl/nginx”

  3. getting following errors, any ideas?
    2020/05/23 13:30:53 [emerg] 28296#100613: “server” directive is not allowed here in /usr/local/etc/nginx/nginx.conf:94
    2020/05/23 13:30:53 [emerg] 28297#100613: “server” directive is not allowed here in /usr/local/etc/nginx/nginx.conf:94
    2020/05/23 13:55:56 [emerg] 36084#102732: “server” directive is not allowed here in /usr/local/etc/nginx/nginx.conf:95
    2020/05/23 13:55:56 [emerg] 36085#102732: “server” directive is not allowed here in /usr/local/etc/nginx/nginx.conf:95
    2020/05/23 14:21:41 [emerg] 40276#102640: unknown directive “includeSubDomains” in /usr/local/etc/nginx/conf.d/nextcloud.conf:7
    2020/05/23 14:21:41 [emerg] 40277#102640: unknown directive “includeSubDomains” in /usr/local/etc/nginx/conf.d/nextcloud.conf:7

    1. I noticed that the same line was already in the config file and that’s probably causing the issue.
      If you leave out the line with “add_header Strict-Transport-Security”, that should fix it for you.

      Something else the blog doesn’t mention, having a separate IP address attached to this jail makes a huge difference. Otherwise there is a port overlap with Freenas itself if you use NAT.

      1. Thx Alex. This post is assuming you're not using NAT as per the comment about ensuring you're happy with this ip assigned. I will revise to make that more clear however.

  4. Hi, I just tried out your tutorial and am now facing the problem that after rebooting the machine, I can't reach the Nextcloud website anymore. Neither via the IP address, nor the domain name. I edited the config.php properly and was connected to the website before the reboot. Am I doing something wrong or do I have to make a certain setting? I am running Nextcloud Version 20 on a TrueNas 12.0 instance.

    1. Thomas,
      the indicator is in the error.log. I just commented out the line ‘add_header Strict-Transport-Security “max-age=15768000; includeSubDomains; preload;”;’ and the site came back.

  5. TrueNAS-12.0-U2 does not work on the latest version
    (Version nextcloud 21)
    Does not open https: // my jails address
    Error log:
    ERROR
    unknown directive “includeSubDomains” in /usr/local/etc/nginx/conf.d/nextcloud.conf
    or
    if I just commented out the line ‘add_header Strict-Transport-Security “max-age=15768000; includeSubDomains; preload;”;’
    ERROR
    unknown directive “‘add_header” in /usr/local/etc/nginx/conf.d/nextcloud.conf:11

    1. There is an error commenting with ‘
      if you use # everything is ok
      I just commented out the line
      #add_header Strict-Transport-Security “max-age = 15768000; includeSubDomains; preload; ”;’ and the site came back.

  6. I receive the following message when trying to access: “Your connection is not private”
    This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
    I can click proceed (Unsafe).. What am I missing?

  7. I believe this procedure is to unlock the possibility for nextcloud app on iOS and android where they only allow https connections regardless how secure they are.
    Nextcloud http or fake https (with no domain to sign your certificate) is very secure if you access it on your LAN only or via a VPN connection such as OpenVPN or WireGuard

  8. When I follow these steps, I get to the part before “External Access” and try to login. I then get a “This site can’t be reached” error and it says “Check if there is a typo in _.” I commented out the “add Header Strict” as per the comments, but it appears there is an issue with what I put as the [server name] in the nginx file. Any ideas?

    Thanks!
