From 5685b3d8625e5ba062faf94fff3aba609a1e03aa Mon Sep 17 00:00:00 2001 From: mkrause612 Date: Thu, 12 Feb 2026 00:59:35 -0600 Subject: [PATCH] Reorg: Move nextcloud hardening to docs/deployment/ --- docs/deployment/nextcloud-hardening.md | 102 +++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 docs/deployment/nextcloud-hardening.md diff --git a/docs/deployment/nextcloud-hardening.md b/docs/deployment/nextcloud-hardening.md new file mode 100644 index 0000000..3c2d7fc --- /dev/null +++ b/docs/deployment/nextcloud-hardening.md 
@@ -0,0 +1,102 @@ +# NextCloud Hardening & Optimization + +**Service:** NextCloud Hub 25 (32.0.5) +**Location:** Ghost VPS (64.50.188.14) +**Domain:** downloads.firefrostgaming.com +**Date:** February 11, 2026 +**Performed By:** Michael + Claude + +--- + +## Pre-Existing State + +NextCloud was previously installed on Ghost VPS with full nginx config and SSL certificate. Discovery occurred during planned deployment — the installation survived a documentation loss from a crash a few days prior. 15 security/performance warnings were present in the admin panel. + +--- + +## Changes Applied + +### Round 1: PHP & Nginx Fixes + +| Fix | Before | After | +| :---- | :---- | :---- | +| PHP memory_limit | 128M | 512M | +| OPcache interned_strings_buffer | 8 (commented out) | 16 (enabled) | +| .mjs MIME type | Missing | Added to /etc/nginx/mime.types | +| X-Robots-Tag header | Missing | noindex,nofollow | +| X-Permitted-Cross-Domain-Policies | Missing | none | +| Strict-Transport-Security (HSTS) | Missing | max-age=15552000; includeSubDomains | +| OCS provider location block | Missing | Added (cosmetic warning persists — Hub 25 known issue) | +| Database missing indices | fs_storage_path_prefix, properties_name_path_user | Added via occ db:add-missing-indices | +| Mimetype migrations | Pending | Completed via occ maintenance:repair --include-expensive | +| Maintenance window | Not set | 7 UTC (1 AM CST) | +| PHP clear_env | Commented out (;clear_env = no) | Enabled (clear_env = no) | + +### Round 2: Redis & Memcache + +| Fix | Before | After | +| :---- | :---- | :---- | +| Redis server | Not installed | redis-server 5:7.0.15 installed | +| PHP Redis extension | Not installed | php8.3-redis 5.3.7 installed | +| memcache.local | Not configured | \OC\Memcache\Redis | +| memcache.locking | Not configured (database locking) | \OC\Memcache\Redis | +| Redis connection | N/A | localhost:6379 | + +### Round 3: Cleanup + +| Fix | Before | After | +| :---- | :---- | :---- | +| AppAPI app 
| Enabled (warning about missing deploy daemon) | Disabled via occ app:disable | +| Imagick SVG | Missing | libmagickcore-6.q16-7-extra installed | +| Log warnings | 3 old warnings from Feb 4 | Log truncated, level set to Warning (2) | + +--- + +## Files Modified + +- `/etc/php/8.3/fpm/php.ini` — memory_limit, opcache.interned_strings_buffer +- `/etc/php/8.3/fpm/pool.d/www.conf` — clear_env +- `/etc/nginx/mime.types` — added .mjs +- `/etc/nginx/sites-enabled/downloads.firefrostgaming.com` — headers, OCS provider block +- `/var/www/nextcloud/config/config.php` — Redis memcache config + +--- + +## Packages Installed + +- redis-server (5:7.0.15) +- php8.3-redis (5.3.7) +- php8.3-igbinary (3.2.13) +- libmagickcore-6.q16-7-extra (8:6.9.12.98) + +--- + +## Services Restarted + +- php8.3-fpm (multiple times during config changes) +- nginx (reload after header/MIME changes) + +--- + +## Remaining Warnings (Intentional) + +| Warning | Reason for Skipping | +| :---- | :---- | +| OCS provider resolving | Known Hub 25 cosmetic bug — request reaches PHP correctly (verified via curl), NextCloud returns 404 internally | +| Email test | Deferred — requires Plesk migration discussion for proper email infrastructure | + +--- + +## Result + +- **Before:** 15 warnings (including "errors regarding your setup") +- **After:** 2 warnings (both intentional skips, downgraded to "warnings regarding your setup") +- **NextCloud status:** Healthy, cached with Redis, optimized for performance + +--- + +## Revision History + +| Version | Date | Changes | +| :---- | :---- | :---- | +| 1.0 | 2026-02-11 | Initial hardening documentation | \ No newline at end of file
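Review bot: The Round 1 row `PHP clear_env | Commented out (;clear_env = no) | Enabled (clear_env = no)` loosens the pool rather than hardening it: PHP-FPM's default is `clear_env = yes`, and setting it to `no` hands the FPM master's entire environment to every worker, where any PHP script (including a compromised app) can read it through getenv()/$_ENV. Record which admin-panel warning this change was meant to clear, and if only particular variables are needed (usually PATH for occ and external binaries), set them explicitly with the `env[...]` directives that www.conf already ships as commented examples and leave clear_env at its default. Two documentation gaps in the same hunk: the Round 2 row `Redis connection | N/A | localhost:6379` does not say whether redis.conf binds to 127.0.0.1 only, or whether a password or a permission-restricted unix socket is used; since file locking now lives in that instance, add the bind/auth settings to the Files Modified list. Finally, the subject says "Move nextcloud hardening to docs/deployment/" but the diffstat reads `1 file changed, 102 insertions(+)` with `create mode 100644` and no rename or deletion, so if the old copy was tracked it is still in the tree; either stage its removal in this commit or reword the subject to "Add".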