How to Fix Security & Setup Warnings in Nextcloud
In the previous article, we learned how to install Nextcloud with Nginx on Ubuntu 24.04. However, there are still some additional configurations that need to be done, according to the messages and recommendations provided by Nextcloud. These messages can be seen through the menu Profile > Administration Settings > Overview, under the section Security & setup warnings. Some of the warnings and recommended actions are related to PHP configuration and memory cache.
Security & Setup Warnings
Here are the messages displayed and how to address them:
PHP memory limit
Message: The PHP memory limit is below the recommended value of 512 MB.
The allowed memory limit for PHP on the server is less than 512 MB, which is the recommended value to ensure optimal performance for Nextcloud. This memory limit determines how much memory a PHP script can use at one time.
How to fix
Open the php.ini configuration file, for example, using PHP-FPM v8.3:
    sudo nano /etc/php/8.3/fpm/php.ini
Change the memory_limit value to 512M:
    memory_limit = 512M
Restart the PHP-FPM server:
    sudo systemctl restart php8.3-fpm
Refresh the Overview page to check if the message still appears.
Maintenance windows start time
Message: Server has no maintenance window start time configured. This means resource intensive daily background jobs will also be executed during your main usage time. We recommend to set it to a time of low usage, so users are less impacted by the load caused from these heavy tasks.
The background job settings for maintenance have not been configured.
How to fix
Open the Nextcloud configuration file, for example, located at /var/www/nextcloud/config/config.php:
    sudo nano /var/www/nextcloud/config/config.php
Add the maintenance_window_start configuration line:
    ...
      'installed' => true,
      'maintenance_window_start' => 1,
    );
Setting the value to 1 means background jobs will only run between 01:00 UTC and 05:00 UTC.
Strict-Transport-Security HTTP header
Message: Some headers are not set correctly on your instance – The Strict-Transport-Security HTTP header is not set (it should be at least 15552000 seconds).
The HTTP Strict Transport Security (HSTS) header is not set on the web server. Nextcloud expects it with a max-age of at least 15552000 seconds (180 days). HSTS is a web security mechanism that helps protect against man-in-the-middle attacks by ensuring that all connections to the website use HTTPS.
How to fix
If using Nginx, open the server block configuration file:
    sudo nano /etc/nginx/sites-available/cloud.example.com.conf
Add the following configuration:
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
Restart Nginx:
    sudo systemctl restart nginx
If using Apache, open the virtual host configuration file:
    sudo nano /etc/apache2/sites-available/cloud.example.com.conf
Add the following configuration:
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Restart Apache:
    sudo systemctl restart apache2
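As an added example (not from the original article), this shell function parses a Strict-Transport-Security value and checks it against the 15552000-second minimum named in the warning. The function names are this example's own, and the response headers it runs on are constructed.

```shell
#!/bin/sh
# Added example: check a Strict-Transport-Security value against the
# 15552000-second minimum that the Nextcloud warning asks for.
MIN_MAX_AGE=15552000

# hsts_check VALUE: print a verdict; return 0 if max-age >= MIN_MAX_AGE.
hsts_check() {
    max_age=""; flags=""
    old_ifs=$IFS; IFS=';'; set -f          # split on ';' without globbing
    for directive in $1; do
        # Directive names are case-insensitive; trim surrounding whitespace.
        d=$(printf '%s' "$directive" | tr 'A-Z' 'a-z' |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $d in
            max-age=*) max_age=$(printf '%s' "${d#max-age=}" | tr -d '"') ;;
            includesubdomains|preload) flags="$flags $d" ;;
        esac
    done
    set +f; IFS=$old_ifs
    case $max_age in
        ''|*[!0-9]*) echo "FAIL: no valid max-age directive"; return 1 ;;
    esac
    if [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "FAIL: max-age=$max_age is below $MIN_MAX_AGE"; return 1
    fi
    echo "OK: max-age=$max_age$flags"
}

# hsts_from_headers: read raw response headers on stdin, print the HSTS value.
hsts_from_headers() {
    tr -d '\r' | grep -i '^strict-transport-security:' | tail -n 1 |
        sed 's/^[^:]*:[[:space:]]*//'
}

# Constructed response headers standing in for `curl -sI https://cloud.example.com`.
sample=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains; preload\r\n\r\n')
hsts_check "$(printf '%s\n' "$sample" | hsts_from_headers)"
hsts_check "max-age=3600" || true          # constructed weak value
hsts_check "" || true                      # header missing entirely
```

Run it against the live response rather than the configuration file: in Nginx, a location block that defines its own add_header lines does not inherit the server-level one, so the header can be configured and still be absent from some responses.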
System environment variables
Message: PHP does not seem to be setup properly to query system environment variables. The test with getenv("PATH") only returns an empty response.
PHP is not correctly configured to read system environment variables. When using PHP-FPM, environment variables such as PATH, TMP, or others are not automatically populated. As a result, PHP calls like getenv('PATH') may return empty results.
How to fix
Open the PHP-FPM pool configuration file for PHP v8.3:
    sudo nano /etc/php/8.3/fpm/pool.d/www.conf
Add the following configuration:
    env[HOSTNAME] = $HOSTNAME
    env[PATH] = /usr/local/bin:/usr/bin:/bin
    env[TMP] = /tmp
    env[TMPDIR] = /tmp
    env[TEMP] = /tmp
    ; clear_env = no passes the FPM master's whole environment to the PHP workers
    clear_env = no
Restart the PHP-FPM service.
PHP OPcache module
Message: The PHP OPcache module is not properly configured. The OPcache interned strings buffer is nearly full. To assure that repeating strings can be effectively cached, it is recommended to apply “opcache.interned_strings_buffer” to your PHP configuration with a value higher than “8”.
The PHP OPcache module is not configured correctly. Specifically, the OPcache interned string buffer is nearly full. Interned strings are strings that are stored only once in memory and reused by the application, which can improve performance.
How to fix
In the php.ini configuration file, enable and adjust the following configuration lines:
    opcache.interned_strings_buffer=16
Restart the web server or PHP-FPM service.
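An added example, not part of the original article: a shell check that reads one php.ini and reports whether memory_limit (from the PHP memory limit section) and opcache.interned_strings_buffer (from this section) meet the values Nextcloud asks for. It assumes both settings live in the file you pass in, so overrides in conf.d are not read; the function names are this example's own and the sample file is constructed.

```shell
# Added example: audit one php.ini for the two values Nextcloud warns about.
# ini_value FILE KEY: print the last active (uncommented) value of KEY.
ini_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" |
        tr -d '"' | tail -n 1
}

# to_bytes VALUE: expand PHP shorthand (K, M, G) to a byte count.
to_bytes() {
    num=${1%[KkMmGg]}
    case $1 in
        *[Kk]) echo $(($num * 1024)) ;;
        *[Mm]) echo $(($num * 1024 * 1024)) ;;
        *[Gg]) echo $(($num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# check_php_ini FILE: return 0 only if both settings meet the thresholds.
check_php_ini() {
    rc=0
    mem=$(ini_value "$1" memory_limit)
    buf=$(ini_value "$1" opcache.interned_strings_buffer)
    if [ "$mem" = "-1" ]; then
        echo "memory_limit: OK (unlimited)"
    elif [ -n "$mem" ] && [ "$(to_bytes "$mem")" -ge $((512 * 1024 * 1024)) ]; then
        echo "memory_limit: OK ($mem)"
    else
        echo "memory_limit: WARN (${mem:-unset}, need >= 512M)"; rc=1
    fi
    if [ -n "$buf" ] && [ "$buf" -gt 8 ]; then
        echo "opcache.interned_strings_buffer: OK ($buf)"
    else
        echo "opcache.interned_strings_buffer: WARN (${buf:-unset}, need > 8)"; rc=1
    fi
    return $rc
}

# write_sample FILE MEMORY_LIMIT BUFFER: constructed input, not a real php.ini.
write_sample() {
    printf '%s\n' "memory_limit = $2" ';opcache.interned_strings_buffer=8' \
        "opcache.interned_strings_buffer=$3" > "$1"
}

tmp=$(mktemp)
write_sample "$tmp" 128M 8  && check_php_ini "$tmp" || true   # constructed low values
write_sample "$tmp" 512M 16 && check_php_ini "$tmp"           # values from this page
rm -f "$tmp"
```

Point it at /etc/php/8.3/fpm/php.ini, the file edited above; running php -i on the command line reads the CLI configuration, which can show different values than the ones PHP-FPM uses.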
Memory cache (memcache)
Message
The database is used for transactional file locking. To enhance performance, please configure memcache, if available.
The database is used for transactional file locking. This is done to prevent file corruption during normal operations. However, to improve performance, it is recommended to configure memcache if available.
No memory cache has been configured. To enhance performance, please configure a memcache, if available.
No memory cache is configured. Memory cache can significantly improve Nextcloud server performance by storing frequently requested objects in memory for faster data retrieval.
How to fix
Install APCu and Redis:
    sudo apt install php8.3-apcu php8.3-redis redis-server -y
Add the following configuration to the Nextcloud config.php file:
    'memcache.local' => '\OC\Memcache\APCu',
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis' => [
        'host' => 'localhost',
        'port' => 6379,
    ],
Default phone region
Message: Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add “default_phone_region” with the respective ISO 3166-1 code of the region to your config file.
The default phone region has not been set. This is required to validate phone numbers in profile settings without a country code. In other words, if users enter a phone number without a country code, Nextcloud will have difficulty validating the number unless the default phone region is set.
How to fix
Add the following configuration to the Nextcloud config.php file:
    'default_phone_region' => 'ID',
Email server
Message: You have not set or verified your email server configuration, yet. Please head over to the “Basic settings” in order to set them. Afterwards, use the “Send email” button below the form to verify your settings.
The email server settings for sending notifications such as password reset, file sharing, file changes, and activity notifications have not been configured.
How to fix
You should already have an email account with an SMTP server service.
Open the menu Administration settings > Basic settings. In the Email server section, enter:
- Send mode: SMTP
- Encryption: SSL
- From address: email address
- Server address: SMTP server and port number
- Authentication: enable
- Credentials: email address and password
Then click Save and click Send email to test the email delivery.
Recommended PHP modules
Message: This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them: – bcmath for WebAuthn passwordless login – gmp for WebAuthn passwordless login, and SFTP storage – intl increases language translation performance and fixes sorting of non-ASCII characters.
Some recommended PHP modules are not installed. These modules can enhance the performance and compatibility of Nextcloud.
- bcmath: Used for passwordless login with WebAuthn. This module provides high-precision mathematical functions needed for WebAuthn authentication.
- gmp: Also used for passwordless login with WebAuthn, as well as for SFTP storage. This module provides arithmetic functions for large numbers required by WebAuthn and SFTP.
- intl: Enhances language translation performance and improves non-ASCII character sorting. This module provides internationalization functions such as text processing, date and time formatting, and string sorting.
How to fix
Install the recommended PHP modules:
    sudo apt install php8.3-bcmath php8.3-gmp php8.3-intl -y
Restart the web server or PHP-FPM.
PHP module imagick
Message
The PHP module “imagick” is not enabled although the theming app is. For favicon generation to work correctly, you need to install and enable this module.
The PHP module imagick is not enabled, even though the theming app is activated. The imagick module is required to properly generate favicons in Nextcloud. A favicon is a small icon that appears in the browser tab when visiting a website, and imagick assists in the creation of these icons.
The PHP module “imagick” in this instance has no SVG support. For better compatibility it is recommended to install it.
The installed PHP module “imagick” does not support SVG (Scalable Vector Graphics) file formats. SVG support is important for better compatibility, particularly in handling vector images in Nextcloud. Without SVG support, some functions or features relying on SVG formats may not work correctly.
How to fix
Install the PHP imagick module:
    sudo apt install php8.3-imagick libmagickcore-dev libmagickwand-dev -y
Then restart the web server or PHP-FPM.