Since some of us feel the urge to migrate our cloud data away from Google, Microsoft or other US based services, this is one way to set up a self-hosted open source service as a private cloud.

We will need a Nextcloud instance as a frontend for cloud storage and basic file handling for images, PDF, notes, markdown documents etc., and also a Collabora Online instance for providing office document capabilities.

It goes as follows:

We log in to our preferred VPS/root server provider and order a machine with 4 vCPUs and 4-8 GB RAM, which usually comes with 128 to 256 GB HDD space. (I’m with netcup - not affiliated - and took a VPS with 4 vCPUs, 8 GB RAM and 256 GB HDD at 6,84 EUR/month.) We deploy a fresh Ubuntu Server 24.04, we deploy necessary updates, we reboot.

At our DNS registrar, we register A records for nx.example.com and co.example.com for the IP of the new machine, given that we own the domain example.com.

We install an appropriate firewall and/or startup scripts. It makes sense to open ports 80 and 443 for web as well as to install an ssh server for remote access. We open port 9980 tcp only for our client IP.

Now we execute phase 1 of this great Nextcloud install instruction.

Then, we create an Apache configuration nx.example.com.conf with the following contents:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName nx.example.com
    ServerAlias nx.example.com
    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Please be aware that we use the path /var/www/nextcloud instead of /var/www/html/nextcloud as per the tutorial.

After enabling the instance with a2ensite nx.example.com.conf and restarting Apache, we switch the server to https:

apt-get install certbot python3-certbot-apache
certbot -d nx.example.com

After that, we have a running Nextcloud instance and can log in at https://nx.example.com. We can even view the pictures and PDF documents that are supplied with the server as examples. But we cannot open the docx document that is also supplied. In order to do that, we have to set up a Collabora Online instance, which we can do on the same server.

For installing this instance we follow the official instructions until the end of point 4.

In the configuration file /etc/coolwsd/coolwsd.xml we change the following settings:

Under <ssl desc="SSL settings"> we switch enable to false and termination to true.

Furthermore, under <net desc="Network settings"> we set the proto to IPv4 (in case we have IPv4 as the internal IP protocol on our server).
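A quick check of these three settings, as an added example that is not part of the original instructions or of Collabora's tooling. The XML is a constructed sample that contains only the elements changed above; the function names are made up for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: only the three elements this page changes, laid out as
# in /etc/coolwsd/coolwsd.xml (<ssl> and <net> sections below the root).
SAMPLE_COOLWSD_XML = """<config>
  <ssl desc="SSL settings">
    <enable type="bool" default="true">false</enable>
    <termination type="bool" default="true">true</termination>
  </ssl>
  <net desc="Network settings">
    <proto type="string" default="all">IPv4</proto>
  </net>
</config>"""

# element path -> (value this setup needs, why)
EXPECTED = {
    "ssl/enable": ("false", "Apache proxies plain http to 127.0.0.1:9980"),
    "ssl/termination": ("true", "TLS ends at Apache, coolwsd must still act as an https service"),
    "net/proto": ("ipv4", "this setup uses IPv4 internally"),
}

def audit_coolwsd(xml_text):
    """Return findings; an empty list means the file matches the setup above."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, (expected, reason) in EXPECTED.items():
        node = root.find(path)
        actual = (node.text or "").strip().lower() if node is not None else None
        if actual is None:
            findings.append(f"{path}: element missing ({reason})")
        elif actual != expected:
            findings.append(f"{path}: is '{actual}', should be '{expected}' ({reason})")
    return findings

def serves_plaintext(xml_text):
    """True when coolwsd itself speaks unencrypted HTTP on port 9980."""
    node = ET.fromstring(xml_text).find("ssl/enable")
    return node is not None and (node.text or "").strip().lower() == "false"

if __name__ == "__main__":
    # Pass the real file path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COOLWSD_XML
    for line in audit_coolwsd(text) or ["settings match the reverse-proxy setup"]:
        print(line)
    if serves_plaintext(text):
        print("port 9980 is plain HTTP: keep it firewalled from the internet")
```
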

Now we can call the URL http://nx.example.com:9980 from our browser, and we should get an “OK” as the answer. That means that our Collabora Online instance is working.

Next, we have to make this instance available to our Nextcloud server. In order to do that, we first enable some additional Apache modules for reverse proxying:

a2enmod proxy
a2enmod proxy_http
a2enmod proxy_connect
a2enmod proxy_wstunnel

After that, we can create a new Apache config for our Collabora Online service:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName co.example.com
    ServerAlias co.example.com

 ########################################
 # Reverse proxy for Collabora Online   #
 ########################################

 AllowEncodedSlashes NoDecode
 ProxyPreserveHost On

 # static html, js, images, etc. served from coolwsd
 # browser is the client part of Collabora Online
 ProxyPass           /browser http://127.0.0.1:9980/browser retry=0
 ProxyPassReverse    /browser http://127.0.0.1:9980/browser

 # WOPI discovery URL
 ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery

 # Capabilities
 ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities

 # Main websocket
 ProxyPassMatch      "/cool/(.*)/ws$"      ws://127.0.0.1:9980/cool/$1/ws nocanon

 # Admin Console websocket
 ProxyPass           /cool/adminws ws://127.0.0.1:9980/cool/adminws

 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /cool http://127.0.0.1:9980/cool
 ProxyPassReverse    /cool http://127.0.0.1:9980/cool

 # Compatibility with integrations that use the /lool/convert-to endpoint
 ProxyPass           /lool http://127.0.0.1:9980/cool
 ProxyPassReverse    /lool http://127.0.0.1:9980/cool
</VirtualHost>

We activate this service by a2ensite co.example.com, restart Apache and make the service available as https with certbot -d co.example.com. Although we cannot access the service directly, this step is important for integration with the Nextcloud service, which is the last step.
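Apache checks ProxyPass and ProxyPassMatch rules in configuration order and the first match wins, so the websocket routes have to stay above the general /cool rule, and every backend should stay on 127.0.0.1:9980 so that the port can be closed to the outside later. The following check is an added example, not part of the original post; the sample is a constructed subset of the vhost above and the function name is made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the co.example.com vhost, in the same order.
SAMPLE_VHOST = '''
ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassMatch      "/cool/(.*)/ws$"      ws://127.0.0.1:9980/cool/$1/ws nocanon
ProxyPass           /cool/adminws ws://127.0.0.1:9980/cool/adminws
ProxyPass           /cool http://127.0.0.1:9980/cool
'''

# directive, local path (optionally quoted), backend URL
RULE = re.compile(r'^\s*(ProxyPass|ProxyPassMatch)\s+"?([^"\s]+)"?\s+(\S+)', re.M)

def audit_proxy_rules(conf, backend=("127.0.0.1", 9980)):
    """Flag rules whose backend is not the local coolwsd port, and rules that
    can never match because an earlier, shorter ProxyPass prefix wins first."""
    findings, seen_prefixes = [], []
    for directive, path, target in RULE.findall(conf):
        url = urlsplit(target)
        if (url.hostname, url.port) != backend:
            findings.append(f"{path}: backend {url.netloc} is not {backend[0]}:{backend[1]}")
        # For a regex rule, compare only the literal part before the first metacharacter.
        if directive == "ProxyPassMatch":
            literal = re.split(r"[(\[.*+?^$|\\]", path)[0]
        else:
            literal = path
        for earlier in seen_prefixes:
            if literal.startswith(earlier):
                findings.append(f"{path}: shadowed by earlier ProxyPass {earlier}")
        if directive == "ProxyPass":
            seen_prefixes.append(path)
    return findings

if __name__ == "__main__":
    for line in audit_proxy_rules(SAMPLE_VHOST) or ["proxy rules are ordered and local"]:
        print(line)
```
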

We log in to our Nextcloud server at https://nx.example.com, click on our avatar in the upper right corner and switch to + Apps. In the left pane, we then find “Nextcloud Office” under “Featured Apps”, which we download and enable. Then, we head over to Avatar -> Administration Settings, click on the magnifying glass in the top pane and search for “office”. We select “Office Administration”, select “Use your own server” and put in the URL https://co.example.com.
This will NOT work using the same URL as for the Nextcloud server, e.g. nx.example.com, even if both services are located on the same machine!

Last, we edit the Allow list for WOPI requests with the values 127.0.0.1, [our server's IP address] and set in /etc/php/8.3/php.ini the values

memory_limit = 512M
upload_max_filesize = 64M

With these settings, we should at least get no red errors on the Nextcloud admin page. Now, we should be able to open the supplied docx document as well. Further tweaking can be done according to the linked documentation.

That’s it, we have an integrated Cloud/Docs server where we can migrate all our files and documents to!

(We can and should now close port 9980 tcp for any external access.)