Nextcloud on Tor Hidden Service

Nextcloud requires Apache or nginx, PHP 8.0+, and MariaDB/PostgreSQL. Install the LEMP stack (nginx + PHP-FPM + MariaDB) with all services bound to localhost. Download Nextcloud server archive, extract to /var/www/nextcloud, and set permissions for the web server user (www-data). During Nextcloud's web-based installation wizard, set the domain to your .onion address and configure the database connection. After installation, add the .onion address to trusted_domains in config/config.php. Critical: set 'overwrite.cli.url' and 'overwritehost' to the .onion address to ensure Nextcloud generates correct internal URLs. Set 'htaccess.RewriteBase' to '/' if installed at the root. Nextcloud's .htaccess rules must be translated to nginx configuration (Nextcloud provides official nginx configuration snippets in their documentation).

Nextcloud by default makes numerous external HTTP requests: app store access (for installing/updating apps), online user lookup (searching for other Nextcloud users on federation network), external link previews, and weather widgets. Disable all external connections: in Nextcloud admin settings, disable App Store under Settings > Administration > Security (use manual app updates), disable User Status (makes API calls), disable Dashboard weather widget, and disable federated file sharing if you want isolated operation. In config.php: set 'has_internet_connection' => false to disable internet connectivity checks. Disable cron-based background jobs that call external services. Run Nextcloud's cron job via local system cron (crontab -u www-data -e with */5 * * * * php /var/www/nextcloud/cron.php) rather than AJAX (which fires on page load) or Webcron (external HTTP trigger).

The Nextcloud desktop client (Windows, Mac, Linux) supports SOCKS5 proxy configuration. Go to Settings > Network > Proxy Settings and configure SOCKS5 proxy at 127.0.0.1:9050. After proxy configuration, enter the .onion address as the server URL and proceed with login. File syncing works normally through the Tor proxy, subject to Tor bandwidth limits. For large initial syncs (many GB of files), Tor's throughput limitations mean syncing may take significantly longer than clearnet cloud storage. The Nextcloud mobile app (Android, iOS) requires Orbot in VPN mode to route connections through Tor to the .onion server. Android Nextcloud app + Orbot VPN mode works reliably. iOS Tor support depends on available Tor apps for the platform.

Nextcloud's built-in server-side encryption (SSE) encrypts files at rest on the server. Enable in Settings > Administration > Encryption. SSE encrypts files with per-user encryption keys, encrypted with the user's login password. The encryption keys are stored on the server - if the server is seized with decryption keys accessible, files can be recovered. For stronger protection: use client-side encryption (Nextcloud's End-to-End Encryption app, currently in beta for some platforms) where encryption happens on the client device and the server never sees plaintext. Alternatively, use Cryptomator (open source client-side encryption) on the client machine to encrypt files before they sync to Nextcloud. Files are encrypted locally with a password, and only ciphertext reaches the server. This provides strong protection against server compromise.

Tor's latency characteristics affect Nextcloud's user experience. Optimize for Tor: enable Nextcloud's Redis-based memory caching (install Redis bound to localhost, configure in config.php: 'memcache.local' => 'OCMemcacheRedis', 'redis' => ['host' => '127.0.0.1', 'port' => 6379]). Redis caching dramatically reduces database queries for repeated requests. Enable APCu for in-process caching: 'memcache.locking' => 'OCMemcacheAPCu'. Configure opcache for PHP (included in php-opcache package) to cache compiled PHP bytecode. Gzip compression in nginx for Nextcloud responses reduces file sizes in transit. For the Nextcloud web interface: disable apps that load slowly or add unnecessary JavaScript. The fewer round-trips required to render a page, the better the user experience over Tor's high-latency connection. Consider using the Nextcloud CLI client (occ) for bulk operations (like initial bulk upload) via local filesystem access rather than HTTP upload.