From c8de0beb5ed09102a414f4c4a9db8f7d40d78f78 Mon Sep 17 00:00:00 2001 From: mkrause612 Date: Thu, 12 Feb 2026 00:59:36 -0600 Subject: [PATCH] Reorg: Move nextcloud hardening to docs/deployment/ --- docs/nextcloud-hardening.md | 102 ------------------------------------ 1 file changed, 102 deletions(-) delete mode 100644 docs/nextcloud-hardening.md diff --git a/docs/nextcloud-hardening.md b/docs/nextcloud-hardening.md deleted file mode 100644 index 3c2d7fc..0000000 --- a/docs/nextcloud-hardening.md +++ /dev/null 
@@ -1,102 +0,0 @@ -# NextCloud Hardening & Optimization - -**Service:** NextCloud Hub 25 (32.0.5) -**Location:** Ghost VPS (64.50.188.14) -**Domain:** downloads.firefrostgaming.com -**Date:** February 11, 2026 -**Performed By:** Michael + Claude - ---- - -## Pre-Existing State - -NextCloud was previously installed on Ghost VPS with full nginx config and SSL certificate. Discovery occurred during planned deployment — the installation survived a documentation loss from a crash a few days prior. 15 security/performance warnings were present in the admin panel. - ---- - -## Changes Applied - -### Round 1: PHP & Nginx Fixes - -| Fix | Before | After | -| :---- | :---- | :---- | -| PHP memory_limit | 128M | 512M | -| OPcache interned_strings_buffer | 8 (commented out) | 16 (enabled) | -| .mjs MIME type | Missing | Added to /etc/nginx/mime.types | -| X-Robots-Tag header | Missing | noindex,nofollow | -| X-Permitted-Cross-Domain-Policies | Missing | none | -| Strict-Transport-Security (HSTS) | Missing | max-age=15552000; includeSubDomains | -| OCS provider location block | Missing | Added (cosmetic warning persists — Hub 25 known issue) | -| Database missing indices | fs_storage_path_prefix, properties_name_path_user | Added via occ db:add-missing-indices | -| Mimetype migrations | Pending | Completed via occ maintenance:repair --include-expensive | -| Maintenance window | Not set | 7 UTC (1 AM CST) | -| PHP clear_env | Commented out (;clear_env = no) | Enabled (clear_env = no) | - -### Round 2: Redis & Memcache - -| Fix | Before | After | -| :---- | :---- | :---- | -| Redis server | Not installed | redis-server 5:7.0.15 installed | -| PHP Redis extension | Not installed | php8.3-redis 5.3.7 installed | -| memcache.local | Not configured | \OC\Memcache\Redis | -| memcache.locking | Not configured (database locking) | \OC\Memcache\Redis | -| Redis connection | N/A | localhost:6379 | - -### Round 3: Cleanup - -| Fix | Before | After | -| :---- | :---- | :---- | -| AppAPI app 
| Enabled (warning about missing deploy daemon) | Disabled via occ app:disable | -| Imagick SVG | Missing | libmagickcore-6.q16-7-extra installed | -| Log warnings | 3 old warnings from Feb 4 | Log truncated, level set to Warning (2) | - ---- - -## Files Modified - -- `/etc/php/8.3/fpm/php.ini` — memory_limit, opcache.interned_strings_buffer -- `/etc/php/8.3/fpm/pool.d/www.conf` — clear_env -- `/etc/nginx/mime.types` — added .mjs -- `/etc/nginx/sites-enabled/downloads.firefrostgaming.com` — headers, OCS provider block -- `/var/www/nextcloud/config/config.php` — Redis memcache config - ---- - -## Packages Installed - -- redis-server (5:7.0.15) -- php8.3-redis (5.3.7) -- php8.3-igbinary (3.2.13) -- libmagickcore-6.q16-7-extra (8:6.9.12.98) - ---- - -## Services Restarted - -- php8.3-fpm (multiple times during config changes) -- nginx (reload after header/MIME changes) - ---- - -## Remaining Warnings (Intentional) - -| Warning | Reason for Skipping | -| :---- | :---- | -| OCS provider resolving | Known Hub 25 cosmetic bug — request reaches PHP correctly (verified via curl), NextCloud returns 404 internally | -| Email test | Deferred — requires Plesk migration discussion for proper email infrastructure | - ---- - -## Result - -- **Before:** 15 warnings (including "errors regarding your setup") -- **After:** 2 warnings (both intentional skips, downgraded to "warnings regarding your setup") -- **NextCloud status:** Healthy, cached with Redis, optimized for performance - ---- - -## Revision History - -| Version | Date | Changes | -| :---- | :---- | :---- | -| 1.0 | 2026-02-11 | Initial hardening documentation | \ No newline at end of file
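Review bot: The subject says the hardening doc moves to docs/deployment/, but the diffstat is `1 file changed, 102 deletions(-)` and the only path touched is the deleted `docs/nextcloud-hardening.md`, so as submitted this commit removes the document rather than relocating it. Add the new file under docs/deployment/ in the same commit (a `git mv` would record it as a rename and keep the history followable), or name the commit that adds it in the message. When the content lands in its new location, consider whether the host IP on the **Location:** line and the exact package versions need to live in the repo. The Redis rows also record only `localhost:6379`, with nothing on authentication or bind address, which a hardening record should state explicitly.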