PT Commons

{{lastupdated_at}} by {{lastupdated_by}}

{{>toc}}

h1. Owncloud

Owncloud has issues with .DS_Store files. At first I thought it was a Dropbox <-> Owncloud error, but then I turned off my Dropbox and was still getting the error.  We need to figure out a way to have Owncloud exclude syncing .DS_Store files, or else it will generate a bunch of them. I don't know why it is doing so, but I have figured out how to delete them all:

Run this in the top of the Owncloud directory.

<pre>

find ./ -type f -name ".DS_Stor*" -exec rm {} \;

</pre>

h1. Owncloud Installation

h2. Owncloud 9.0 on Debian 8 with Apache

* -Wheezy does not have Owncloud 7 or 8 in repository (Jessie has 7.0 but I highly recommend using 8 for webUI improvements and speed- 

* -Add the "Owncloud repository":https://download.owncloud.org/download/repositories/stable/owncloud/ (this is maintained by owncloud devs)- (this is now added by puppet to fileservers and can be added to any other server needed)

* After adding @sudo apt-get update && sudo apt-get install owncloud@

* This should install owncloud to /var/www/owncloud, php, and mySQL

* This will also create a conf file in /etc/apache2/conf-available/owncloud.conf which adds configuration redirects domain.com/owncloud to the owncloud directory. 

* contents of the conf file. <pre>Alias /owncloud "/var/www/owncloud/"

<Directory "/var/www/owncloud">

    Options +FollowSymLinks

    AllowOverride All

    Satisfy Any

    <IfModule mod_dav.c>

      Dav off

    </IfModule>

    SetEnv HOME /var/www/owncloud

    SetEnv HTTP_HOME /var/www/owncloud

</Directory>

<Directory "/var/www/owncloud/data/">

  # just in case if .htaccess gets disabled

  Require all denied

</Directory>

</pre>

h2. Apache setup

* owncloud.conf is located in /etc/apache2/conf-available/owncloud.conf

* it can be disabled and enabled by a2disconf and a2enconf respectively

* by default it aliases {anyurl}/owncloud to the owncloud directory (default /var/www/owncloud)

* a virtualhost must be enabled for this to work. (ex. a2ensite default-ssl)

h2. Database setup (mySQL)

* make sure package php5-mysql is installed on system

* start mysql command line mode @mysql -uroot -p@

* <pre>CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';

CREATE DATABASE IF NOT EXISTS owncloud;

GRANT ALL PRIVILEGES ON owncloud.* TO 'username'@'localhost' IDENTIFIED BY 'password';</pre>

* keep track of username and password as the owncloud setup wizard will need that. 

h2. First Time Wizard

* go to https://domain.com/owncloud to start owncloud setup wizard. 

* click on mysql/mariadb and input the mysql user and pw are correct. 

* create super admin user and password

* If changes need to be made after first time setup either run again from Apps or edit /var/www/owncloud/config/config.php by hand 

h2. Enabling Samba external users

* Enable external_user and external_storage apps (lefthand tab menu--->apps---->not enabled. enable them)

* for a local samba installation add the following to config.php <pre>

"user_backends" => array (

    0 => array (

            "class"     => "OC_User_SMB",

            "arguments" => array (

                              0 => 'localhost'

                              ),

    ),

),</pre>

* users logging in with samba user and password should autocreate a user in owncloud. Permissions are not carried over!

h2.  Samba External Storage

* go to owncloud admin panel after enabling external_storage

* add share via interface. 

h2. owncloud + nginx

* Install php5-fpm and nginx with @apt-get install php5-fpm nginx@

* Uncomment "env[PATH] = /usr/local/bin:/usr/bin:/bin" in the file "/etc/php5/fpm/pool.d/www.conf"

* owncloud "provides":https://doc.owncloud.org/server/7.0/admin_manual/installation/nginx_configuration.html a fairly good base nginx site file to use for simple setups. copied below.

<pre>upstream php-handler {

  #server 127.0.0.1:9000;

  server unix:/var/run/php5-fpm.sock;

  }

server {

  listen 80;

  server_name cloud.example.com;

  # enforce https

  return 301 https://$server_name$request_uri;

  }

server {

  listen 443 ssl;

  server_name cloud.example.com;

  ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;

  ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;

  # Path to the root of your installation

  root /var/www/owncloud/;

  # set max upload size

  client_max_body_size 10G;

  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header

  gzip off;

  # Uncomment if your server is build with the ngx_pagespeed module

  # This module is currently not supported.

  #pagespeed off;

  rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;

  rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;

  rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

  index index.php;

  error_page 403 /core/templates/403.php;

  error_page 404 /core/templates/404.php;

  location = /robots.txt {

    allow all;

    log_not_found off;

    access_log off;

    }

  location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){

    deny all;

    }

  location / {

   # The following 2 rules are only needed with webfinger

   rewrite ^/.well-known/host-meta /public.php?service=host-meta last;

   rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

   rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;

   rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

   rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

   try_files $uri $uri/ /index.php;

   }

   location ~ \.php(?:$|/) {

   fastcgi_split_path_info ^(.+\.php)(/.+)$;

   include fastcgi_params;

   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

   fastcgi_param PATH_INFO $fastcgi_path_info;

   fastcgi_param HTTPS on;

   fastcgi_pass php-handler;

   }

   # Optional: set long EXPIRES header on static assets

   location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {

       expires 30d;

       # Optional: Don't log access to assets

         access_log off;

   }

  }</pre>

* In the main server block add @add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";@ to enable strict transport security

h2. Performance tweaks

* enable system cron: by default owncloud runs scheduled jobs via ajax every page load which isn't great for actually getting things done at regular intervals. add: <pre># crontab -u www-data -e

*/15  *  *  *  * php -f /var/www/owncloud/cron.php > /dev/null 2>&1</pre> 

* enable apc (or apcu for php 5.5 and above) -for wheezy @apt-get install php-apc@ and add @'memcache.local' => '\OC\Memcache\APC',@ to config.php-

* for php 5.5 and above @apt- get install php-apcu@ and add @'memcache.local' => '\OC\Memcache\APCu',@

* you may have to add apc.enable_cli=1 to /etc/php5/cli/php.ini 

* redis can be used for caching and file locking on higher load deployments but is usually unnecessary. 

h2. Security and Hardening

* enable mod_headers (a2enmod headers) and add @Header always add Strict-Transport-Security "max-age=15768000"@ to virtual host file.

* move data directory outside /var/www/owncloud folder

* turn on server side encryption of data. (Admin settings --> turn on) 

* redirect all traffic to ssl: <pre><VirtualHost *:80>

   ServerName cloud.owncloud.com

   Redirect permanent / https://cloud.owncloud.com/

</VirtualHost></pre>

* verify that strict transport security and other headers are being sent by the server using curl. @curl -I https://owncloud.site/owncloud/COPYING-AGPL@ or calling another static resource. 

** headers should include @X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Robots-Tag: none X-Frame-Options: SAMEORIGIN@

h2. For Office File servers

Owncloud does not autoscan files that are not controlled by owncloud regularly. For office file servers this could mean files added via different methods may not show up in owncloud. 

* add the following cronjob to crontab -u www-data <pre>30      6,15     *       *       *  php /var/www/owncloud/occ file:scan --all >/dev/null 2>&1

</pre>

Owncloud may also need the web user (debian www-data) to be part of the staff group. @usermod -a -G www-data user@ 

To add users /home folders:

* add the www-data user to the group for the user in question

* restart apache

* add the user's home folder as an external share

* *in that order*

h2. Fixing Permissions

* If the permissions of the owncloud directory become an issue the below script should fix them. 

* The one line that may need changing other than the $ocpath variable is the location of the data directory 

<pre>#!/bin/bash

ocpath='/var/www/owncloud'

htuser='www-data'

htgroup='www-data'

rootuser='root'

printf "Creating possible missing Directories\n"

mkdir -p $ocpath/data

mkdir -p $ocpath/assets

mkdir -p $ocpath/updater

printf "chmod Files and Directories\n"

find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640

find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750

printf "chown Directories\n"

chown -R ${rootuser}:${htgroup} ${ocpath}/

chown -R ${htuser}:${htgroup} ${ocpath}/apps/

chown -R ${htuser}:${htgroup} ${ocpath}/assets/

chown -R ${htuser}:${htgroup} ${ocpath}/config/

chown -R ${htuser}:${htgroup} ${ocpath}/data/  #this may need changing. 

chown -R ${htuser}:${htgroup} ${ocpath}/themes/

chown -R ${htuser}:${htgroup} ${ocpath}/updater/

chmod +x ${ocpath}/occ

printf "chmod/chown .htaccess\n"

if [ -f ${ocpath}/.htaccess ]

 then

  chmod 0644 ${ocpath}/.htaccess

  chown ${rootuser}:${htgroup} ${ocpath}/.htaccess

fi

if [ -f ${ocpath}/data/.htaccess ]

 then

  chmod 0644 ${ocpath}/data/.htaccess

  chown ${rootuser}:${htgroup} ${ocpath}/data/.htaccess

fi</pre>

h2. resource links

* "owncloud config.php parameters":https://doc.owncloud.org/server/8.1/admin_manual/configuration_server/config_sample_php_parameters.html

* "owncloud nginx configuration":https://doc.owncloud.org/server/7.0/admin_manual/installation/nginx_configuration.html

* "owncloud database configuration":https://doc.owncloud.org/server/7.0/admin_manual/configuration/database_configuration.html

* "owncloud external auth":https://doc.owncloud.org/server/8.1/admin_manual/configuration_user/user_auth_ftp_smb_imap.html

* "owncloud external storage, direct config.php editing":https://doc.owncloud.org/server/7.0/admin_manual/configuration/external_storage_configuration.html