The latest release of NextCloudPi is out, and managing your private cloud is now easier than ever!

This release features a shiny new Web UI.

This web panel makes use of the extras provided by our familiar nextcloudpi-config and serves the exact same purpose. From our browser, we can set up Let’s Encrypt certificates, move our data folder to an external USB drive, forward our external ports and all the rest, with the benefit that we don’t need to understand SSH or even connect a keyboard to the Raspberry Pi for the initial configuration.

This will allow NextCloudPi to reach even more people and lower the barrier of adoption for Nextcloud.

Also, it will provide the NextCloudPi docker image with a nice and convenient configuration interface without the need for SSH daemons or using docker exec (soon).

This feature is quite basic for this first release. It will be gradually improved through the remote update system.

NextCloudPi improves every day thanks to your feedback. Please report any problems, or ask technical questions here. Also, you can discuss anything in the forums.

Last but not least, please download through BitTorrent and share it for a while to help keep hosting costs down.

Installation

The new UI is included by default in the new image, and will be installed through remote updates. Unfortunately, the configuration of the virtual host for Apache will need to be done individually for users that are using old images.

Those users have two options:

Back up through nc-backup, install the new image and restore through nc-restore. Remember to also back up your data directory separately in case you moved it with nc-datadir.

Manually make the changes in your existing image. Still, it is recommended to back up first. You can then copy and paste this code:

sudo su
# Virtual host for the web panel: HTTPS on port 4443, local addresses only
cat > /etc/apache2/sites-available/ncp.conf <<'EOF'
Listen 4443
<VirtualHost _default_:4443>
  DocumentRoot /var/www/ncp-web
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
<Directory /var/www/ncp-web/>
  Require host localhost
  Require ip 127.0.0.1
  Require ip 192.168
  Require ip 10
</Directory>
EOF
a2ensite ncp
# Launcher that www-data is allowed to run as root through sudo
mkdir /home/www -p
chown www-data:www-data /home/www
chmod 700 /home/www
cat > /home/www/ncp-launcher.sh <<'EOF'
#!/bin/bash
DIR=/usr/local/etc/nextcloudpi-config.d
test -f "$DIR/$1" || { echo "File not found"; exit 1; }
source /usr/local/etc/library.sh
cd "$DIR"
launch_script "$1"
EOF
chmod 700 /home/www/ncp-launcher.sh
echo "www-data ALL = NOPASSWD: /home/www/ncp-launcher.sh" >> /etc/sudoers
systemctl reload apache2

I recommend the first option if you don’t know what you are doing.
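
A stricter argument check for a launcher like the one above, as an added example that is not part of the original post or of the NextCloudPi code. Because www-data may run the launcher as root through sudo, it accepts only a bare file name that is a regular file directly inside the configuration directory; the function name valid_ncp_script and the allowed character set are assumptions.

```bash
#!/bin/bash
# Added example, not NextCloudPi code. valid_ncp_script is a hypothetical helper.
# Default directory is the one used by ncp-launcher.sh above.
NCP_DIR="${NCP_DIR:-/usr/local/etc/nextcloudpi-config.d}"

# Returns 0 only if $1 is a bare file name of a regular file directly in $2.
valid_ncp_script() {
  vn_name="$1"
  vn_dir="${2:-$NCP_DIR}"
  # Reject empty names, anything with a path separator, dot entries
  # and names that could be read as an option.
  case "$vn_name" in
    ''|*/*|.|..|-*) return 1 ;;
  esac
  # Assumed naming scheme: letters, digits, dot, underscore and dash only.
  case "$vn_name" in
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  # Must exist as a regular file and must not be a symlink.
  [ -f "$vn_dir/$vn_name" ] && [ ! -L "$vn_dir/$vn_name" ]
}

# Demo on a constructed directory (file names are made up for the example).
demo_dir=$(mktemp -d)
touch "$demo_dir/nc-backup.sh"
for arg in nc-backup.sh ../nc-backup.sh 'nc backup.sh' missing.sh; do
  if valid_ncp_script "$arg" "$demo_dir"; then
    echo "accept: $arg"
  else
    echo "reject: $arg"
  fi
done
rm -rf "$demo_dir"
```

In the launcher, a call such as `valid_ncp_script "$1" "$DIR" || exit 1` would take the place of the plain `test -f` line.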

Usage

The web panel is equivalent to nextcloudpi-config, so it is used exactly in the same way. You can check the specific posts for detailed instructions.

It is accessible only inside your local network through the HTTPS protocol on port 4443. Just type in your browser

https://<ip_or_url>:4443

If you haven’t configured Let’s Encrypt yet, the SSL certificate will be self-signed, which means that communications will be encrypted, but there is no third party verifying the authenticity of the connection (more here). Because it is a local IP that we are using, we can be reasonably confident that the other end is the NextCloudPi, but still the browser will warn us of this fact.

For this reason, we have to manually tell our browser that we trust this website. Include a permanent exception like so

There is nothing incorrect here, just the browser being cautious as it should.

Features to come

As stated before, I just released the minimal working version of the web UI. In the following weeks, I plan to add

Password verification using PAM credentials

Live updates of the progress using websockets, server side events, or some similar push technology.

Same site cookie support.

Update modsecurity rules so that the web UI works and works more safely.

NextCloudPi update web notifications

Polish of the UI

Security and implementation details

I tried to make this minimal, lean and fast. For this reason, I chose to use minified.js over jQuery. gzipped minified.js only weighs 8 KB, which is several times smaller.

Also, I wanted to play around a bit with the new advantages that come with HTTP2, so I included server-side HTTP2 push for the web content. This way, we can send all assets at once and save precious time. Pushed assets show in gray in the Firefox network tab.

The backend includes protection for some common attacks

Single use tokens for preventing CSRF attacks.

Strict CSP rules to prevent XSS attacks

httponly cookies.

secure cookies (only sent through encrypted connections).

It also comes with our familiar bunch of security headers.
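
A quick way to check the cookie and CSP protections listed above from a saved set of response headers, as an added example that is not part of the original post or of the NextCloudPi code. The header sample is constructed, the function names are assumptions, and the SameSite check corresponds to the same-site cookie support listed under features to come.

```bash
#!/bin/bash
# Added example, not NextCloudPi code.
# Constructed response headers (not captured from a real NextCloudPi).
sample_headers() {
cat <<'EOF'
HTTP/2 200
content-security-policy: default-src 'self'; script-src 'self'
set-cookie: session=abc123; path=/; secure; HttpOnly
set-cookie: theme=dark; path=/
x-content-type-options: nosniff
EOF
}

# Reads response headers on stdin and prints one finding per line.
# No output means every cookie carries HttpOnly, Secure and SameSite,
# and a CSP header without unsafe-inline is present.
audit_headers() {
  tr -d '\r' | awk '
    { line = tolower($0) }
    line ~ /^set-cookie:/ {
      # Cookie name is the text between the header name and the first "=".
      name = $0
      sub(/^[^:]*:[ \t]*/, "", name)
      sub(/=.*/, "", name)
      if (line !~ /;[ \t]*httponly/)  print "cookie " name ": missing HttpOnly"
      if (line !~ /;[ \t]*secure/)    print "cookie " name ": missing Secure"
      if (line !~ /;[ \t]*samesite=/) print "cookie " name ": missing SameSite"
    }
    line ~ /^content-security-policy:/ {
      csp = 1
      if (line ~ /unsafe-inline/) print "csp: allows unsafe-inline"
    }
    END { if (!csp) print "csp: header missing" }
  '
}

# Demo on the constructed sample.
sample_headers | audit_headers
```

Against a live panel, the same function can be fed the headers of a response from the port 4443 address given in the Usage section.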

In any case, security is a thorny topic, so I will feel better as more eyes look at this. If you spot some vulnerability, please let me know in private so it can get fixed as soon as possible.
