# NextCloud Hardening & Optimization

**Service:** NextCloud Hub 25 (32.0.5)
**Location:** Ghost VPS (64.50.188.14)
**Domain:** downloads.firefrostgaming.com
**Date:** February 11, 2026
**Performed By:** Michael + Claude

---

## Pre-Existing State

NextCloud was previously installed on Ghost VPS with full nginx config and SSL certificate. Discovery occurred during planned deployment — the installation survived a documentation loss from a crash a few days prior. 15 security/performance warnings were present in the admin panel.

---

## Changes Applied

### Round 1: PHP & Nginx Fixes

| Fix | Before | After |
| :---- | :---- | :---- |
| PHP memory_limit | 128M | 512M |
| OPcache interned_strings_buffer | 8 (commented out) | 16 (enabled) |
| .mjs MIME type | Missing | Added to /etc/nginx/mime.types |
| X-Robots-Tag header | Missing | noindex,nofollow |
| X-Permitted-Cross-Domain-Policies | Missing | none |
| Strict-Transport-Security (HSTS) | Missing | max-age=15552000; includeSubDomains |
| OCS provider location block | Missing | Added (cosmetic warning persists — Hub 25 known issue) |
| Database missing indices | fs_storage_path_prefix, properties_name_path_user | Added via occ db:add-missing-indices |
| Mimetype migrations | Pending | Completed via occ maintenance:repair --include-expensive |
| Maintenance window | Not set | 7 UTC (1 AM CST) |
| PHP clear_env | Commented out (;clear_env = no) | Enabled (clear_env = no) |

### Round 2: Redis & Memcache

| Fix | Before | After |
| :---- | :---- | :---- |
| Redis server | Not installed | redis-server 5:7.0.15 installed |
| PHP Redis extension | Not installed | php8.3-redis 5.3.7 installed |
| memcache.local | Not configured | \OC\Memcache\Redis |
| memcache.locking | Not configured (database locking) | \OC\Memcache\Redis |
| Redis connection | N/A | localhost:6379 |

### Round 3: Cleanup

| Fix | Before | After |
| :---- | :---- | :---- |
| AppAPI app | Enabled (warning about missing deploy daemon) | Disabled via occ app:disable |
| Imagick SVG | Missing | libmagickcore-6.q16-7-extra installed |
| Log warnings | 3 old warnings from Feb 4 | Log truncated, level set to Warning (2) |

---

## Files Modified

- `/etc/php/8.3/fpm/php.ini` — memory_limit, opcache.interned_strings_buffer
- `/etc/php/8.3/fpm/pool.d/www.conf` — clear_env
- `/etc/nginx/mime.types` — added .mjs
- `/etc/nginx/sites-enabled/downloads.firefrostgaming.com` — headers, OCS provider block
- `/var/www/nextcloud/config/config.php` — Redis memcache config

---

## Packages Installed

- redis-server (5:7.0.15)
- php8.3-redis (5.3.7)
- php8.3-igbinary (3.2.13)
- libmagickcore-6.q16-7-extra (8:6.9.12.98)

---

## Services Restarted

- php8.3-fpm (multiple times during config changes)
- nginx (reload after header/MIME changes)

---

## Remaining Warnings (Intentional)

| Warning | Reason for Skipping |
| :---- | :---- |
| OCS provider resolving | Known Hub 25 cosmetic bug — request reaches PHP correctly (verified via curl), NextCloud returns 404 internally |
| Email test | Deferred — requires Plesk migration discussion for proper email infrastructure |

---

## Result

- **Before:** 15 warnings (including "errors regarding your setup")
- **After:** 2 warnings (both intentional skips, downgraded to "warnings regarding your setup")
- **NextCloud status:** Healthy, cached with Redis, optimized for performance

---

## Revision History

| Version | Date | Changes |
| :---- | :---- | :---- |
| 1.0 | 2026-02-11 | Initial hardening documentation |