Introduction
Today I’ll show you how to build what I genuinely believe is the fastest NextCloud stack available in 2025:
- OpenLiteSpeed – the fastest web server with built-in cache
- LSPHP 8.1/8.2 – LiteSpeed’s ultra-fast PHP implementation
- Redis + APCu – for blazing-fast caching and locking
- Runs completely non-root, under its own user
- Hardened with proper security headers, HSTS, and isolated data folder
Even if NextCloud gets compromised, the attacker still can’t touch the rest of your server.
Let’s go!
Step 1: Secure Your VPS First
Before anything, harden your server. Follow my full guide here:
How to Make Your VPS Secure
Step 2: Install OpenLiteSpeed, LSPHP, Redis & Tools
Run as root:
# Update system
apt update && apt upgrade -y
# Add OpenLiteSpeed repository
wget -O - https://repo.litespeed.sh | bash
# Install essentials
apt install -y curl gnupg2 imagemagick ffmpeg redis openlitespeed lsphp81* lsphp82* zip unzip mariadb-server mariadb-clientNote: On Ubuntu 22.04+, the ImageMagick package might be libmagickwand-dev + imagemagick. The above works on most recent Debian/Ubuntu.
Enable and restart Redis:
systemctl enable --now redis-serverStep 3: Create a Dedicated System User for NextCloud
adduser --shell /bin/bash files
usermod -aG redis files # Allow access to Redis socketStep 4: Download & Extract NextCloud as the "files" User
su - files
mkdir -p ~/public_html
cd ~/public_html
wget https://download.nextcloud.com/server/releases/latest.zip
unzip latest.zip
rsync -av nextcloud/ ./
rm -rf nextcloud latest.zip .htaccess .user.ini
exitStep 5: Configure OpenLiteSpeed Web Admin (Port 7080)
Set an admin password:
/usr/local/lsws/admin/misc/admpass.shNow visit: https://your-vps-ip:7080 and log in.
Virtual Host Setup
- Delete the default "Example" virtual host
- Add new Virtual Host:
- Virtual Host Name: yourdomain.com
- Virtual Host Root: /home/files/
- Config File: $SERVER_ROOT/conf/vhosts/$VH_NAME/vhconf.conf
- Document Root: $VH_ROOT/public_html
- Script Handler → Add:
- Suffix: php
- Handler Type: LiteSpeed LVE
- Handler: lsphp81 (or lsphp82 if you prefer PHP 8.2)
- Rewrite Rules (force HTTPS):
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]- Security Headers (Context → Static → Add new context /):
Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Content-Security-Policy "upgrade-insecure-requests"- External App → LSPHP → Edit:
- Run as User/Group: files
- PHP_LSAPI_CHILDREN = 100
- LSAPI_AVOID_FORK = 0
- Listeners:
- Delete default listeners
- Add HTTP → port 80
- Add HTTPS → port 443 (Secure = Yes)
- Map your domain to both listeners
Graceful restart → OpenLiteSpeed → Graceful Restart
Step 6: Issue Let’s Encrypt SSL
apt install -y certbot
certbot certonly --webroot -w /home/files/public_html -d yourdomain.comNote the paths (you’ll need them):
- Fullchain: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
- Privkey: /etc/letsencrypt/live/yourdomain.com/privkey.pem
Add them in:
- Virtual Host → SSL tab
- Listener HTTPS → SSL tab
- Chained Certificate = Yes
Graceful restart again.
Step 7: Auto-Renew SSL
crontab -eAdd:
cron0 3 * * * /usr/bin/certbot renew --quiet
Step 8: Install & Secure MariaDB/MySQL
mysql_secure_installationThen create database & user:
mysql -u root -p
CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER 'ncuser'@'localhost' IDENTIFIED BY 'strong-password-here';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'ncuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;Step 9: Optimize PHP & Enable OPCache + APCu
# Edit the correct php.ini (adjust path if using lsphp82)
sed -i '/usr/local/lsws/lsphp81/etc/php/8.1/litespeed/php.ini' \
-e 's/memory_limit = .*/memory_limit = 1024M/' \
-e 's/upload_max_filesize = .*/upload_max_filesize = 10G/' \
-e 's/post_max_size = .*/post_max_size = 10G/' \
-e 's/max_execution_time = .*/max_execution_time = 3600/' \
-e 's/opcache.enable=.*/opcache.enable=1/' \
-e 's/;opcache.memory_consumption=.*/opcache.memory_consumption=512/' \
-e 's/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=64/' \
-e 's/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=20000/'
# Enable APCu CLI
echo "apc.enable_cli = 1" >> /usr/local/lsws/lsphp81/etc/php/8.1/litespeed/php.ini
pkill -f lsphp
systemctl restart lswsStep 10: Configure Redis as Unix Socket
sed -i 's/port 6379/port 0/' /etc/redis/redis.conf
sed -i 's|# unixsocket /var/run/redis/redis-server.sock|unixsocket /var/run/redis/redis-server.sock|' /etc/redis/redis.conf
sed -i 's/# unixsocketperm 700/unixsocketperm 770/' /etc/redis/redis.conf
sed -i 's/# maxmemory .*/maxmemory 1gb/' /etc/redis/redis.conf
systemctl restart redis-serverStep 11: Final NextCloud Configuration
Move Data Folder Outside Web Root (Critical!)
During setup, set data directory to: /home/files/data
Edit config.php (after first login)
su - files
nano /home/files/public_html/config/config.phpAdd right after 'installed' => true,:
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => [
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
],Set Up Background Jobs (Cron)
su - files
crontab -eAdd:
cron*/5 * * * * /usr/local/lsws/lsphp81/bin/php -f /home/files/public_html/cron.php
Then in NextCloud Admin → Basic Settings → Background jobs → Select Cron (recommended).
Bonus: Make occ Easy to Use Forever
su - files
echo "alias occ='/usr/local/lsws/lsphp81/bin/php /home/files/public_html/occ'" >> ~/.bashrc
source ~/.bashrcNow from anywhere in ~/public_html:
cd ~/public_html
occ status
occ maintenance:repair
occ db:add-missing-indicesYou're Done!
You now have:
- The fastest NextCloud stack (OpenLiteSpeed + Redis + APCu)
- Fully non-root and isolated
- Automatic SSL renewal
- Hardened security headers
- Proper data folder protection
Enjoy your blazing-fast, private cloud!
If anything goes wrong — drop a comment and I’ll help you fix it.
If you loved this guide, share it or subscribe to The Self Hosting Art. Thank you for reading! 🚀