Project

General

Profile

Actions

OwnCloud » History » Revision 3

« Previous | Revision 3/16 (diff) | Next »
Jessie Lee, 08/28/2015 01:03 PM


Updated about 9 years ago by Jessie Lee

Owncloud

Owncloud has issues with .DS_Store files. At first I thought it was a Dropbox <-> Owncloud error, but then I turned off my Dropbox and was still getting the error. We need to figure out a way to have Owncloud exclude syncing .DS_Store files, or else it will generate a bunch of them. I don't know why it is doing so, but I have figured out how to delete them all:

Run this in the top of the Owncloud directory.

find ./ -type f -name ".DS_Stor*" -exec rm {} \;

Owncloud Installation

Owncloud 8.1 on Debian 7 with Apache

  • Wheezy does not have Owncloud 7 or 8 in repository (Jessie has 7.0 but I highly recommend using 8 for webUI improvements and speed)
  • Add the OpenSuse owncloud repository (this is maintained by owncloud devs)
  • After adding sudo apt-get update && sudo apt-get install owncloud
  • This should install owncloud to /var/www/owncloud, php, and mySQL
  • This will also create a conf file in /etc/apache2/conf.d/owncloud.conf which adds configuration redirects domain.com/owncloud to the owncloud directory.
  • contents of the conf file.
    Alias /owncloud "/var/www/owncloud/" 
    <Directory "/var/www/owncloud">
        Options +FollowSymLinks
        AllowOverride All
        Satisfy Any
        <IfModule mod_dav.c>
          Dav off
        </IfModule>
    
        SetEnv HOME /var/www/owncloud
        SetEnv HTTP_HOME /var/www/owncloud
    </Directory>
    
    <Directory "/var/www/owncloud/data/">
      # just in case if .htaccess gets disabled
      Require all denied
    </Directory>
    
  • Set up Apache for owncloud access: For simple setups, edit the default-ssl config to point to ssl certs and enable with a2enmod default-ssl.
  • restart apache
  • go to https://domain.com/owncloud to start owncloud setup wizard.
  • If changes need to be made after first time setup either run again from Apps or edit /var/www/owncloud/config/config.php by hand

Database setup (mySQL)

  • make sure package php5-mysql is installed on system
  • start mysql command line mode mysql -uroot -p
  • CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
    CREATE DATABASE IF NOT EXISTS owncloud;
    GRANT ALL PRIVILEGES ON owncloud.* TO 'username'@'localhost' IDENTIFIED BY 'password';
  • keep track of username and password as the owncloud setup wizard will need that.

Enabling Samba external users

  • Enable external_user and external_storage apps (lefthand tab menu--->apps---->not enabled. enable them)
  • for a local samba installation add the following to config.php
    "user_backends" => array (
        0 => array (
                "class"     => "OC_User_SMB",
                "arguments" => array (
                                  0 => 'localhost'
                                  ),
        ),
    ),
  • users logging in with samba user and password should autocreate a user in owncloud. Permissions are not carried over!

Samba External Storage

  • go to owncloud admin panel after enabling external_storage
  • add share via interface.

owncloud + nginx

  • Install php5-fpm and nginx with apt-get install php5-fpm nginx
  • Uncomment "env[PATH] = /usr/local/bin:/usr/bin:/bin" in the file "/etc/php5/fpm/pool.d/www.conf"
  • owncloud provides a fairly good base nginx site file to use for simple setups. copied below.
    upstream php-handler {
      #server 127.0.0.1:9000;
      server unix:/var/run/php5-fpm.sock;
      }
    
    server {
      listen 80;
      server_name cloud.example.com;
      # enforce https
      return 301 https://$server_name$request_uri;
      }
    
    server {
      listen 443 ssl;
      server_name cloud.example.com;
    
      ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
      ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
    
      # Path to the root of your installation
      root /var/www/owncloud/;
      # set max upload size
      client_max_body_size 10G;
      fastcgi_buffers 64 4K;
    
      # Disable gzip to avoid the removal of the ETag header
      gzip off;
    
      # Uncomment if your server is build with the ngx_pagespeed module
      # This module is currently not supported.
      #pagespeed off;
    
      rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
      rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
      rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
    
      index index.php;
      error_page 403 /core/templates/403.php;
      error_page 404 /core/templates/404.php;
    
      location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
        }
    
      location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
        deny all;
        }
    
      location / {
       # The following 2 rules are only needed with webfinger
       rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
       rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    
       rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
       rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
    
       rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
    
       try_files $uri $uri/ /index.php;
       }
    
       location ~ \.php(?:$|/) {
       fastcgi_split_path_info ^(.+\.php)(/.+)$;
       include fastcgi_params;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param PATH_INFO $fastcgi_path_info;
       fastcgi_param HTTPS on;
       fastcgi_pass php-handler;
       }
    
       # Optional: set long EXPIRES header on static assets
       location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
           expires 30d;
           # Optional: Don't log access to assets
             access_log off;
       }
    
      }
  • In the main server block add add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; to enable strict transport security

Performance tweaks

*coming soon: enabling apc (or apcu in php5.5 or later), php.ini edits, server edits.

Security and Hardening

  • enable mod_headers (a2enmod headers) and add Header always add Strict-Transport-Security "max-age=15768000" to virtual host file.
  • move data directory outside /var/www/owncloud folder
  • turn on server side encryption of data. (Admin settings --> turn on)
  • redirect all traffic to ssl:
    <VirtualHost *:80>
       ServerName cloud.owncloud.com
       Redirect permanent / https://cloud.owncloud.com/
    </VirtualHost>
  • verify that strict transport security and other headers are being sent by the server using curl. curl -I https://owncloud.site/owncloud/COPYING-AGPL or calling another static resource.
    • headers should include X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Robots-Tag: none X-Frame-Options: SAMEORIGIN

resource links

Updated by Jessie Lee about 9 years ago · 3 revisions

Also available in: PDF HTML TXT

Go to top