Skip to content

Nextcloud server on EC2 with S3 primary object storage and AWS Backup data protection, with option to mount existing S3 bucket

License

Notifications You must be signed in to change notification settings

aws-samples/nextcloud-server

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

60 Commits
 
 
 
 
 
 
 
 
 
 
 
 

nextcloud-server

AWS CloudFormation template that provisions an EC2 instance running Nextcloud file synchronization and sharing server, with a new Amazon S3 bucket as primary storage and AWS Backup for data protection. Includes option to mount existing S3 bucket.

Notice

Although this repository is released under the MIT-0 license, its CloudFormation template uses features from Nextcloud project. Nextcloud project's licensing includes the AGPL license.

The template offers the option to install Webmin which is released under BSD-3-Clause license. Usage of template indicates acceptance of license agreements of all software that is installed in the EC2 instance.

Architecture diagram

architecture

Solution can be deployed in a private subnet for internal only use.

Deployment from CloudFormation console

Download UbuntuLinux-Nextcloud.yaml file, and login to AWS CloudFormation console.

Start the Create Stack wizard by choosing Create Stack. Select stack template by selecting Upload a template file, Choose File, select your .yaml file and click Next. Enter a Stack name and specify parameters values.

Parameter options

EC2 instance

Network

  • vpcID: VPC with internet connectivity. Select default VPC if unsure
  • subnetID: subnet with internet connectivity. Select subnet in default VPC if unsure
  • displayPublicIP: select No if your EC2 instance will not receive public IP address. EC2 private IP will be displayed in CloudFormation Outputs section instead. Default is Yes
  • assignStaticIP: associates a static public IPv4 address using Elastic IP address. Default is Yes

Remote Administration

  • ingressIPv4: allowed IPv4 source prefix to remote administration services, e.g. 1.2.3.4/32. You can get your source IP from https://checkip.amazonaws.com. Use 127.0.0.1/32 to block incoming access from network. Default is 0.0.0.0/0.
  • ingressIPv6: allowed IPv6 source prefix to remote administration services. Use ::1/128 to block all incoming IPv6 access. Default is ::/0
  • allowSSHport: allow inbound SSH. Option does not affect EC2 Instance Connect access. Default is No
  • installDCV: install graphical desktop environment and Amazon DCV server. Default is No
  • installWebmin: install Webmin web-based system administration tool. Default is No

SSH, DCV and Webmin inbound access are restricted to ingressIPv4 and ingressIPv6 IP prefixes.

Nextcloud

  • adminUserName: Nextcloud admin username. Default is admin
  • phpVersion: PHP version to install. Uses OndĹ™ej SurĂ˝'s ppa:ondrej/php repository
  • databaseOption: MariaDB or MySQL. Default is MariaDB
  • r53ZoneID (optional): Amazon Route 53 hosted zone ID to grant access for use with Certbot certbot-dns-route53 DNS plugin. A * value will grant access to all Route 53 zones in your AWS account. Permission is restricted to _acme-challenge.* TXT DNS records using resource record set permissions. Default is empty string for no access

S3

S3 External Storage

  • externalS3Bucket (optional): option to mount existing S3 bucket within Nextcloud as external storage. Specify bucket name in your account
  • externalS3BucketRegion: AWS Region where externalS3Bucket is located
  • externalS3BucketStorageClass: S3 storage class

EBS

AWS Backup

  • backupResource: option to backup EC2 instance, S3 bucket, existing S3 bucket mounted as external storage, or none. Versioning must be enabled on S3 bucket mounted as external storage before AWS Backup can back it up. Default is EC2-and-S3
  • scheduleExpression: CRON expression specifying when AWS Backup initiates a backup job. Default is cron(0 1 ? * * *)
  • scheduleExpressionTimezone: timezone in which the schedule expression is set. Default is Etc/UTC
  • deleteAfterDays: number of days after creation that a recovery point is deleted. Default is 35 days

It may take more than 30 minutes to provision the entire stack. After your stack has been successfully created, its status changes to CREATE_COMPLETE.

CloudFormation Outputs

The following are available in Outputs section

  • DCVwebConsole (if installDCV is Yes): DCV web browser console URL link. Login as ubuntu. Set user password by running sudo passwd ubuntu from EC2instanceConnect, SSMsessionManager or SSH session first
  • EC2console: EC2 console URL link to your EC2 instance
  • EC2instanceConnect: EC2 Instance Connect URL link. Functionality is only available under certain conditions
  • NextcloudLogUrl: Cloudwatch log group with the contents of nextcloud.log
  • SetPasswordCmd: command to set Nextcloud admin password
  • SSMsessionManager or SSMsessionManagerDCV: SSM Session Manager URL link
  • WebminUrl (if installWebmin is Yes): Webmin URL link. Set the root password by running sudo passwd root from EC2instanceConnect, SSMsessionManager or SSH session first
  • WebUrl: EC2 web server URL link

Nextcloud admin user password

Use either EC2 instance connect or SSM session manager URL link to obtain in-browser terminal access to your EC2 instance. Copy and paste SetPasswordCmd value to set Nextcloud admin password. For example, if adminUserName value is admin, the command is

sudo -u www-data php /var/www/html/occ user:resetpassword admin

After which, you can login to your Nextcloud application using WebUrl link or proceed to install a HTTPS certificate.

Obtaining certificate for HTTPS using Certbot

The EC2 instance uses a self-signed certificate for HTTPS. You can use Certbot to automatically obtain and install Let's Encrypt certificate on your web server.

Prerequisites

Ensure you have a domain name whose DNS entry resolves to your EC2 instance IP address. If you do not have a domain, you can register a new domain using Amazon Route 53 and create a DNS A record.

Obtain HTTPS certificate

Option 1: Using Certbot Apache plugin

This option requires your domain name to resolve to your EC2 instance public internet IP address. From terminal, run the below command

sudo certbot --apache

Option 2: Using Certbot certbot-dns-route53 plugin

The certbot-dns-route53 option requires your DNS to be hosted by Route 53. It supports wildcard certificates and domain names that resolve to private IP addresses. Ensure that Route 53 zone access is granted by specifying r53ZoneID value. From terminal, run the below command

sudo certbot --dns-route53 --installer apache

Follow instructions to have Certbot request and install certificate on your web server. Refer to Certbot site for help with this tool.

Configure HSTS

To configure HTTP Strict Transport Security (HSTS) headers, edit *ssl.conf file in /etc/apache2/sites-available/ folder and add the following text between <VirtualHost> and </VirtualHost> rows.

    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

Verify Apache configuration

sudo apachetl -t

Reload Apache server

sudo systemctl reload apache2

Managing and using Nextcloud

Sending email

Nextcloud supports email server for password reset and activity notifications. You can configure Nextcloud to use external SMTP server (e.g. Amazon SES), or sendmail.

When configuring external SMTP server, use 465, 587 or supported port number that is not 25. Amazon EC2 restricts email sending using port 25 on all instances by default. You can request that this restriction be removed if you are using port 25 for external SMTP server or sendmail. Refer to How do I remove the restriction on port 25 from my Amazon EC2 instance or Lambda function? for more information.

Using the occ command

The occ command is Nextcloud's command-line interface. It is used to perform common server operations such as installing and upgrading Nextcloud, and must be run as HTTP user, i.e. sudo -u www-data php /var/www/html/occ. On the EC2 instance, you can use the alias nextcloud.occ.

Mounting external storage services as external storage

Nextcloud external storage feature enables you to mount external storage services including Windows file servers and S3 buckets as secondary storage devices. Refer to NextCloud documentation for details.

Downloads

Desktop and mobile applications download links are available from Nextcloud Install page.

Using Nextcloud

Refer to Nextcloud documentation.

Documentation

Administration guide and user manual are available from Nextcloud documentation site.

Further information

Nextcloud is mentioned by the following blog posts

Data protection

S3 primary storage

Amazon S3 is used to provide almost unlimited, cost-effective and durable storage over EBS. Using S3 as primary storage provides performance benefits over S3 as external storage, including support for large file uploads.

Note that files are not accessible outside of NextCloud as all metadata (filenames, directory structures, etc) is stored in MariaDB/MySQL database on EC2 instance. The S3 bucket holds the file content by unique identifier and not filename. This has implications for data backup and recovery, and it is important to backup both EC2 instance and S3 bucket data.

Restoring from backup

If you enable AWS Backup, you can restore your EC2 instance and S3 data from recovery points (backups) in your backup vault. The CloudFormation template creates an IAM role that grants AWS Backup permission to restore your backups. Role name can be located in your CoudFormation stack Resources section where Logical ID is backupRestoreRole.

Recovery points protection

To protect recovery points from inadvertent or malicious deletions, you can enable AWS Backup Vault Lock in compliance mode to provide immutable WORM (write-once, read-many) backups. Vaults that are locked in compliance mode cannot be deleted once the cooling-off period ("grace time") expires if any recovery points are in the vault. Refer to Protecting data with AWS Backup Vault Lock for more information.

Filter IAM policy source IP

Nextcloud server uses EC2 IAM role for S3 primary storage access. If assignStaticIP is Yes, you can limit access to only your Nextcloud server. This ensures that even when the session credentials are stolen, an attacker cannot directly use it to access files from his own address.

The created IAM role can be located in CloudFormation console stack Resources section with Logical ID of instanceIamRole. Click on the Physical ID value to edit inline permission in IAM console. Change aws:SourceIp value from 0.0.0.0/0 to your EC2 instance public IPv4 address. If IP address is 1.2.3.4, your updated policy may look similar to below

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.2.3.4/32"
        }
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::nextcloud-s3bucket-8ohvkk9vzv2f",
        "arn:aws:s3:::nextcloud-s3bucket-8ohvkk9vzv2f/*"
      ],
      "Effect": "Allow"
    }
  ]
}

An IAM user with attached policy is used for S3 external storage access. Using EC2 IAM role for external storage currently generates errors in nextcloud.log. (Issue #46400) The IAM user can be located in CloudFormation Resources section where Logical ID is iamUser, and you may want to configure the associated policy aws:SourceIp value. You can modify attached IAM policy to mount additional S3 buckets; the security credentials are located in /root/.nextcloud-credentials on EC2 instance.

Sensitive data protection

To strengthen data security posture, you can enable Amazon Macie to automate discovery of sensitive data that is uploaded to your S3 bucket

Securing EC2 instance

To futher secure your EC2 instance, you may want to

Clean Up

To remove created resources,

  • Empty created S3 bucket(s)
  • Delete any recovery points in created backup vault
  • Disable EC2 instance termination protection (if enabled)
  • Delete CloudFormation stack

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

About

Nextcloud server on EC2 with S3 primary object storage and AWS Backup data protection, with option to mount existing S3 bucket

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published