Keeping NextCloud Secure by Updating PHP Version

To ensure the security of your NextCloud instance, it is highly recommended to run a supported version of PHP (or PHP-FPM) that is still receiving security updates. This is important for any PHP application, but even more crucial for a NextCloud server because any security vulnerabilities could endanger the privacy and security of the data on your private cloud storage.

According to the PHP support lifecycle, security support for PHP 7.1 ends on Dec 1, 2019; the same for PHP 7.2 ends Nov 30, 2020, and for PHP 7.3 ends Dec 6, 2021. Upgrading your PHP version to a supported branch future proofs your NextCloud deployment so that it can receive bug fixes and patches from the PHP team.

Aside from security updates, newer PHP versions also deliver performance enhancements, which reduces server load and translates to faster page load times. PHP 7.3 is roughly 10% faster than PHP 7.2 and 3X faster than PHP 5.6 according to this Phoronix benchmark. So if your NextCloud instance is feeling a little sluggish, updating to a newer PHP version might be in order.

On Oct 24, 2019, NextCloud GmbH published a security bulletin advising admins using NGINX and PHP-FPM to update to the latest bug fix version of PHP to mitigate CVE-2019-11043. The patched versions are 7.1.33, 7.2.24, and 7.3.11. Apache servers are not identified as vulnerable to this security issue.

A friendly reminder to always back up your NextCloud server by taking a snapshot before making any major change such as upgrading the NextCloud or PHP version. It is not uncommon to run into blank screens (the “white screen of death”) when a configuration value is not carried over correctly from your current PHP version.

For professional support with upgrading your NextCloud server and its PHP version, contact our team of NextCloud support specialists.

For reference, here are some suggested values to modify in /etc/php.ini, /etc/php-fpm.d/www.conf, and /etc/php.d/10-opcache.ini for a reference NextCloud installation with the web server user running as nginx.

This configuration supports large file uploads in the web interface of up to 16GB. Uploads from the desktop client are theoretically unlimited, as large files are uploaded in 20MB chunks. If any PHP values are changed in php.ini, the same values should be reflected in php-fpm.d/www.conf.

php.ini values for NextCloud

max_execution_time = 86400
max_input_time = 86400
memory_limit = 512M
post_max_size = 16G
upload_max_filesize = 16G
default_socket_timeout = 86400
date.timezone = UTC
session.save_handler = files
session.save_path = "/var/lib/php/session"
soap.wsdl_cache_dir="/var/lib/php/wsdlcache"

php-fpm.d/www.conf values for NextCloud

user = nginx
group = nginx
pm.max_children = 120
pm.start_servers = 12
pm.min_spare_servers = 6
pm.max_spare_servers = 18
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 512M
php_admin_value[post_max_size] = 16G
php_admin_value[upload_max_filesize] = 16G
php_admin_value[max_input_time] = 86400
php_admin_value[max_execution_time] = 86400
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache

php.d/10-opcache.ini values for NextCloud

; Enable Zend OPcache extension module
zend_extension=opcache
opcache.enable=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
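As an added example (not code from the post or from NextCloud), here is a POSIX shell script that applies two checks the post describes: whether the version reported by php -v is at or above the CVE-2019-11043 fixed releases listed above (7.1.33, 7.2.24, 7.3.11), and whether the limits in php.ini are mirrored in php-fpm.d/www.conf. The function names and the sample config contents are constructed for the example; one sample value is deliberately left out of sync.

```shell
# Added example, not from the post or the NextCloud project: checks a PHP version
# against the CVE-2019-11043 fixed releases the post lists (7.1.33, 7.2.24, 7.3.11)
# and checks that php.ini limits are mirrored in php-fpm.d/www.conf as the post advises.
patched_release() {                       # branch -> fixed release, empty if unknown
    case "$1" in
        7.1) echo 7.1.33 ;; 7.2) echo 7.2.24 ;; 7.3) echo 7.3.11 ;; *) echo "" ;;
    esac
}
version_from_php_v() {                    # first line of `php -v` output -> bare version
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9.]*\).*/\1/p'
}
# php_is_patched VERSION -> success if at/above the branch's fixed release; distro suffixes ok
php_is_patched() {
    ver=$(printf '%s' "$1" | sed 's/[-+].*//')       # drop packaging suffix
    need=$(patched_release "$(printf '%s' "$ver" | cut -d. -f1,2)")
    [ -n "$need" ] || return 1                       # branch not in the post's list
    [ "$(printf '%s' "$ver" | cut -d. -f3)" -ge "$(printf '%s' "$need" | cut -d. -f3)" ]
}
ini_value() {                             # FILE KEY -> value of "KEY = value" in php.ini
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}
fpm_value() {                             # FILE KEY -> php_admin_value[KEY] or php_value[KEY]
    sed -n -e "s/^[[:space:]]*php_admin_value\[$2\][[:space:]]*=[[:space:]]*//p" \
           -e "s/^[[:space:]]*php_value\[$2\][[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}
# fpm_mirrors_ini PHP_INI WWW_CONF -> prints each key whose values differ; success only if none
fpm_mirrors_ini() {
    drift=0
    for key in memory_limit post_max_size upload_max_filesize max_input_time max_execution_time; do
        a=$(ini_value "$1" "$key"); b=$(fpm_value "$2" "$key")
        [ "$a" = "$b" ] || { echo "$key: php.ini=$a www.conf=$b"; drift=$((drift + 1)); }
    done
    [ "$drift" -eq 0 ]
}
# Constructed sample configs (not real server files); post_max_size is deliberately out of sync.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/php.ini" <<'EOF'
memory_limit = 512M
post_max_size = 16G
upload_max_filesize = 16G
max_input_time = 86400
max_execution_time = 86400
EOF
cat > "$SAMPLE_DIR/www.conf" <<'EOF'
php_admin_value[memory_limit] = 512M
php_admin_value[post_max_size] = 8G
php_admin_value[upload_max_filesize] = 16G
php_admin_value[max_input_time] = 86400
php_admin_value[max_execution_time] = 86400
EOF
```

On a real server, run php_is_patched "$(version_from_php_v "$(php -v)")" and fpm_mirrors_ini against /etc/php.ini and /etc/php-fpm.d/www.conf (or the /etc/opt/rh/rh-php72/ paths for Software Collections).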

Customers running NextCloud as a highly available cluster can perform a zero-downtime, rolling update by temporarily taking the nodes that are being updated offline, while keeping some spares running to serve user requests.

Installing & Updating PHP for NextCloud on CentOS Server

If you followed the instructions on the official NextCloud installation guide for CentOS 7, you added the Red Hat Software Collections repository (such as rh-php72) which installs the PHP binary at /opt/rh/rh-php72/root/bin/php, a different path than a standard installation of PHP at /usr/bin/php. Likewise, the config files php.ini, php-fpm.conf, and php-fpm.d/www.conf are located in a different directory at /etc/opt/rh/rh-php72/. Module configuration files are under /etc/opt/rh/rh-php72/php.d/.

Normally, when you install PHP from a repository such as the Remi repo, these config files are located directly under the standard /etc/ directory at php.ini, php-fpm.conf, and php-fpm.d/www.conf. PHP modules such as OPcache (10-opcache.ini), which NextCloud requires for optimal performance, are configured under the /etc/php.d/ directory.

We recommend that all NextCloud users on CentOS migrate from Red Hat Software Collections (RHSCL) to the Remi RPM repository, as it provides more timely updates when a new bug fix version of PHP is released. As of October 26, 2019, the Software Collections repo rh-php72 is still on PHP 7.2.10, while the Remi repo is already serving up PHP 7.2.24, the latest version published at php.net.

If you already have the Software Collections version of PHP installed, you can install the version from the Remi repo side-by-side with it (in case you need to roll back to the Software Collections version). However, you will first need to disable and stop the existing PHP-FPM service to prevent a FastCGI port conflict at 127.0.0.1:9000. For the duration of the upgrade, your server will be unavailable.

sudo systemctl disable rh-php72-php-fpm
sudo systemctl stop rh-php72-php-fpm

To add the Remi repo, install PHP 7.3 along with NextCloud’s required modules, and enable the PHP-FPM service:

sudo yum install epel-release
sudo rpm -Uvh https://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo yum install yum-utils
sudo yum-config-manager --enable remi-php73
sudo yum install php-zip php-process php php-pecl-apcu php-mysqlnd php-pecl-redis php-common php-cli php-xml php-pear php-intl php-mbstring php-pdo php-ldap php-pecl-igbinary php-json php-gd php-fpm php-opcache php-pecl-imagick
sudo systemctl enable php-fpm
sudo systemctl start php-fpm

If you installed PHP correctly you should get the following output from php -v:

PHP 7.3.11 (cli) (built: Oct 22 2019 08:11:04) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.11, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.11, Copyright (c) 1999-2018, by Zend Technologies

Installing & Updating PHP for NextCloud on Ubuntu Server

Ubuntu includes multiple versions of PHP in the default apt repositories maintained by Canonical, unlike the CentOS default repositories which are stuck in the stone age with a PHP version of 5.4 (end-of-life Sep 14, 2015). The ondrej/php PPA is popularly used by Ubuntu admins to install the version of PHP they need, but it’s not strictly necessary to add any PPAs to install a somewhat modern version of PHP on Ubuntu.

As of October 26, 2019, running sudo apt install libapache2-mod-php7.2 (for mod_php with Apache prefork MPM) or php7.2-fpm (for php-fpm with NGINX, Apache worker, or event MPM) provides users with PHP version 7.2.19.

We still recommend adding the ondrej/php PPA because it is more up to date, with PHP 7.2.24 and PHP 7.3.11 at the time of this writing. These versions are patched against CVE-2019-11043.

If you already have PHP installed from Ubuntu’s default repositories and are migrating to a newer PHP version through Ondrej’s PPA, you should first remove any PHP packages on your system, after noting down which PHP packages are installed in case you need to roll back the change. For the duration of the upgrade, your server will be unavailable.

dpkg -l | grep php
sudo apt purge 'php*'

To add the ondrej/php PPA and install PHP 7.3, along with NextCloud’s required modules:

sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php7.3-fpm php7.3-gd php7.3-json php7.3-mysql php7.3-curl php7.3-mbstring php7.3-intl php-imagick php7.3-xml php7.3-zip

To enable the PHP-FPM service on Ubuntu (the a2enmod and a2enconf steps apply only when Apache is the web server in front of PHP-FPM; skip them on NGINX):

sudo systemctl enable php7.3-fpm
sudo systemctl start php7.3-fpm
sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php7.3-fpm
sudo systemctl reload apache2

If you installed PHP correctly you should get the following output from php -v:

PHP 7.3.11-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Oct 24 2019 18:23:23) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.11, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.11-1+ubuntu18.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies