Difference between revisions of "Nextcloud"

From wiki
(→‎Configure PHP: owncloud => nextcloud)
(Update Nginx conf for Nextcloud 12)
 
(9 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
* [[PHP]]
 
* [[PHP]]
 
* [[MariaDB]]
 
* [[MariaDB]]
* [[Fail2Ban]] to avoid people trying brute-force attacks on your password
 
  
 
== Install ==
 
== Install ==
  
=== Add Repository ===
+
=== Download ===
In order to get an up-to-date ownCloud, it is preferable to install it from the upstream repositories.
+
Download Nextcloud from https://nextcloud.com/install/#instructions-server and extract the archive in <code>/var/www/nextcloud</code>.
  
Use the following command to install the repository and its key, plus to configure pinning to use it as the default source<syntaxhighlight lang="console">
+
Fix file permissions using<syntaxhighlight lang="console">
$ curl -s https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key | sudo apt-key add -
+
$ sudo chown -r www-data: /var/www/nextcloud/
OK
 
$ echo "deb http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /" | sudo tee /etc/apt/sources.list.d/owncloud.list > /dev/null
 
$ sudo tee "/etc/apt/preferences.d/owncloud" > /dev/null << EOF
 
> Package: owncloud
 
> Pin: origin "download.owncloud.org"
 
> Pin-Priority: 995
 
> EOF
 
$ sudo apt update
 
</syntaxhighlight>
 
 
 
=== Install ===
 
<syntaxhighlight lang="console">
 
$ sudo apt install owncloud
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
=== Configure PHP ===
 
=== Configure PHP ===
Edit file <code>[[PHP#Common_configuration|/etc/php5/mods-available/local-common.ini]]</code> and add <code>/var/www/nextcloud/:/dev/:/var/log/nextcloud/</code> to the <code>open_basedir</code> setting.
+
{{PHP/open_basedir|folders=/var/www/nextcloud/:/dev/:/var/log/nextcloud/}}
 
 
Reload PHP:
 
<syntaxhighlight lang="console">
 
$ sudo service php5-fpm reload
 
</syntaxhighlight>
 
  
 
=== Configure Webserver ===
 
=== Configure Webserver ===
{{Nginx/New Site|domain=owncloud.example.org|config=server server server {
+
{{Nginx/New Site|domain=nextcloud.example.org|config=server {
 
     include snippets/listen-http.conf;
 
     include snippets/listen-http.conf;
     server_name owncloud.example.org;
+
     server_name nextcloud.example.org;
  
     access_log /var/log/nginx/owncloud.example.org.access.log;
+
     access_log /var/log/nginx/nextcloud.example.org.access.log;
     error_log /var/log/nginx/owncloud.example.org.error.log;
+
     error_log /var/log/nginx/nextcloud.example.org.error.log;
  
 
     include snippets/https-permanent-redirect.conf;
 
     include snippets/https-permanent-redirect.conf;
Line 48: Line 29:
 
server {
 
server {
 
     include snippets/listen-https.conf;
 
     include snippets/listen-https.conf;
     server_name owncloud.example.org;
+
     server_name nextcloud.example.org;
  
     access_log /var/log/nginx/owncloud.example.org.access.log;
+
     access_log /var/log/nginx/nextcloud.example.org.access.log;
     error_log /var/log/nginx/owncloud.example.org.error.log;
+
     error_log /var/log/nginx/nextcloud.example.org.error.log;
  
 
     include snippets/acme-challenge.conf;
 
     include snippets/acme-challenge.conf;
 
     #include snippets/ssl.conf;
 
     #include snippets/ssl.conf;
     #ssl_certificate      /etc/letsencrypt/live/owncloud.example.org/fullchain.pem;
+
     #ssl_certificate      /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem;
     #ssl_certificate_key  /etc/letsencrypt/live/owncloud.example.org/privkey.pem;
+
     #ssl_certificate_key  /etc/letsencrypt/live/nextcloud.example.org/privkey.pem;
 
     #include snippets/hsts.conf;
 
     #include snippets/hsts.conf;
  
Line 65: Line 46:
  
 
     include snippets/security-headers.conf;
 
     include snippets/security-headers.conf;
     include snippets/x-frame-options-sameorigin.conf;
+
     # Using more_set_headers instead of add_header to be cascaded in sub location
     add_header X-Robots-Tag none always;
+
     more_set_headers "X-Robots-Tag: none";
     add_header X-Download-Options noopen always;
+
     more_set_headers "X-Download-Options: noopen";
 
      
 
      
 
     # Path to the root of your installation
 
     # Path to the root of your installation
     root /var/www/owncloud/;
+
     root /var/www/nextcloud/;
 
      
 
      
 
     location = /.well-known/carddav {
 
     location = /.well-known/carddav {
Line 82: Line 63:
 
     fastcgi_buffers 64 4K;
 
     fastcgi_buffers 64 4K;
  
    error_page 403 /core/templates/403.php;
 
    error_page 404 /core/templates/404.php;
 
 
     location / {
 
     location / {
 
         rewrite ^ /index.php$uri;
 
         rewrite ^ /index.php$uri;
 
     }
 
     }
 
  
 
     location ~ ^/(?:build{{!}}tests{{!}}config{{!}}lib{{!}}3rdparty{{!}}templates{{!}}data)/ {
 
     location ~ ^/(?:build{{!}}tests{{!}}config{{!}}lib{{!}}3rdparty{{!}}templates{{!}}data)/ {
         return 404;
+
         deny all;
 
     }
 
     }
 
     location ~ ^/(?:\.{{!}}autotest{{!}}occ{{!}}issue{{!}}indie{{!}}db_{{!}}console) {
 
     location ~ ^/(?:\.{{!}}autotest{{!}}occ{{!}}issue{{!}}indie{{!}}db_{{!}}console) {
         return 404;
+
         deny all;
 
     }
 
     }
  
     location ~ ^/(?:index{{!}}remote{{!}}public{{!}}cron{{!}}core/ajax/update{{!}}status{{!}}ocs/v[12]{{!}}updater/.+{{!}}ocs-provider/.+{{!}}core/templates/40[34])\.php(?:${{!}}/) {
+
     location ~ ^/(?:index{{!}}remote{{!}}public{{!}}cron{{!}}core/ajax/update{{!}}status{{!}}ocs/v[12]{{!}}updater/.+{{!}}ocs-provider/.+)\.php(?:${{!}}/) {
 
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
 
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
 
         include fastcgi_params;
 
         include fastcgi_params;
Line 104: Line 82:
 
         fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
 
         fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
 
         fastcgi_param front_controller_active true;
 
         fastcgi_param front_controller_active true;
         fastcgi_pass unix:/var/run/php5-fpm.sock;
+
         fastcgi_pass php;
 
         fastcgi_intercept_errors on;
 
         fastcgi_intercept_errors on;
 
         fastcgi_request_buffering off;
 
         fastcgi_request_buffering off;
 
     }
 
     }
  
     location ~* \.(?:css{{!}}js)$ {
+
    location ~ ^/(?:updater{{!}}ocs-provider)(?:${{!}}/) {
 +
        try_files $uri/ =404;
 +
        index index.php;
 +
    }
 +
 
 +
    # Adding the cache control header for js and css files
 +
    # Make sure it is BELOW the PHP block
 +
     location ~* \.(?:css{{!}}js{{!}}woff{{!}}svg{{!}}gif)$ {
 
         try_files $uri /index.php$uri$is_args$args;
 
         try_files $uri /index.php$uri$is_args$args;
         add_header Cache-Control "public, max-age=7200";
+
         add_header Cache-Control "public, max-age=15778463";
     }
+
     }  
     location ~* \.(?:svg{{!}}gif{{!}}png{{!}}html{{!}}ttf{{!}}woff{{!}}ico{{!}}jpg{{!}}jpeg)$ {
+
   
 +
     location ~* \.(?:png{{!}}html{{!}}ttf{{!}}ico{{!}}jpg{{!}}jpeg)$ {
 
         try_files $uri /index.php$uri$is_args$args;
 
         try_files $uri /index.php$uri$is_args$args;
    }
 
 
    location ~* ^.+\.(jpg{{!}}jpeg{{!}}gif{{!}}bmp{{!}}ico{{!}}png{{!}}css{{!}}js{{!}}swf{{!}}svg)$ {
 
        expires 30d;
 
 
     }
 
     }
 
<nowiki>}</nowiki>
 
<nowiki>}</nowiki>
 
}}
 
}}
  
=== Configure ownCloud ===
+
=== Configure Nextcloud ===
 
//config.php<syntaxhighlight lang="console">
 
//config.php<syntaxhighlight lang="console">
 
$ sudo tee "/usr/local/bin/occ" > /dev/null << EOF
 
$ sudo tee "/usr/local/bin/occ" > /dev/null << EOF
 
> !/bin/sh
 
> !/bin/sh
> sudo -u www-data /usr/bin/php /var/www/owncloud/occ "\$@"
+
> sudo -u www-data /usr/bin/php /var/www/nextcloud/occ "\$@"
 
> EOF
 
> EOF
 
$ sudo chmod +x /usr/local/bin/occ
 
$ sudo chmod +x /usr/local/bin/occ
Line 153: Line 135:
  
 
=== Cron ===
 
=== Cron ===
Create file <code>/etc/cron.d/owncloud</code><syntaxhighlight lang="text">
+
Create file <code>/etc/cron.d/nextcloud</code><syntaxhighlight lang="text">
*/15 *  *  *  *  www-data /usr/bin/php -f /var/www/owncloud/cron.php
+
*/15 *  *  *  *  www-data /usr/bin/php -f /var/www/nextcloud/cron.php
</syntaxhighlight>Now open ownCloud in your browser and go to the admin section and activate cron
+
</syntaxhighlight>Now open Nextcloud in your browser and go to the admin section and activate cron
  
 
[[File:owncloud cron.png|border|frameless|540x540px]]
 
[[File:owncloud cron.png|border|frameless|540x540px]]
  
== Fail2Ban ==
+
== Test ==
Create file <code>/etc/fail2ban/filter.d/owncloud.conf</code><syntaxhighlight lang="ini">
+
 
[Definition]
+
=== Security ===
failregex="Login failed: '.*' \(Remote IP: '<HOST>'?\)"
+
Nextcloud is providing a [https://scan.nextcloud.com/ security scanning service] for public instances. Scan your instance to find configuration issues.  
</syntaxhighlight>Create file <code>/etc/fail2ban/jail.d/owncloud.conf</code><syntaxhighlight lang="ini">
 
[owncloud]
 
enabled = true
 
filter = owncloud
 
port    = http,https
 
logpath = /var/log/owncloud/owncloud.log
 
  
</syntaxhighlight>Finally, activate the new jail using<syntaxhighlight lang="console">
 
$ sudo fail2ban-client reload owncloud
 
ERROR  NOK: ('owncloud',)
 
</syntaxhighlight>(the error message is normal)
 
 
[[Category:Debian Release]]
 
[[Category:Debian Release]]
[[Category:Fail2Ban]]
 
 
[[Category:Linux Server]]
 
[[Category:Linux Server]]

Latest revision as of 07:37, 4 October 2017

Prerequisite

Install

Download

Download Nextcloud from https://nextcloud.com/install/#instructions-server and extract the archive in /var/www/nextcloud.

Fix file permissions using

$ sudo chown -r www-data: /var/www/nextcloud/

Configure PHP

Edit file /etc/php/7.0/mods-available/local-common.ini and add /var/www/nextcloud/:/dev/:/var/log/nextcloud/ to the open_basedir setting.

Reload PHP: 

$ sudo systemctl reload php7.0-fpm.service

Configure Webserver

  1. Create the config file /etc/nginx/sites-available/nextcloud.example.org
    server {
    include snippets/listen-http.conf;
    server_name nextcloud.example.org;

    access_log /var/log/nginx/nextcloud.example.org.access.log;
    error_log /var/log/nginx/nextcloud.example.org.error.log;

    include snippets/https-permanent-redirect.conf;
}

server {
    include snippets/listen-https.conf;
    server_name nextcloud.example.org;

    access_log /var/log/nginx/nextcloud.example.org.access.log;
    error_log /var/log/nginx/nextcloud.example.org.error.log;

    include snippets/acme-challenge.conf;
    #include snippets/ssl.conf;
    #ssl_certificate      /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem;
    #ssl_certificate_key  /etc/letsencrypt/live/nextcloud.example.org/privkey.pem;
    #include snippets/hsts.conf;

    # Protect web interface during initial setup
    # The following two lines must be removed after initial configuration
    auth_basic            "You shall not pass!";
    auth_basic_user_file  /etc/nginx/htpasswd/generic.htpasswd;

    include snippets/security-headers.conf;
    # Using more_set_headers instead of add_header to be cascaded in sub location
    more_set_headers "X-Robots-Tag: none";
    more_set_headers "X-Download-Options: noopen";
    
    # Path to the root of your installation
    root /var/www/nextcloud/;
    
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    client_max_body_size 10G; # set max upload size
    fastcgi_buffers 64 4K;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_param front_controller_active true;
        fastcgi_pass php;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
    }   
    
    location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
    }
}
  2. Activate the configuration with
    $ sudo nginx_modsite -e nextcloud.example.org
Would you like to reload the Nginx configuration now? (Y/n) Y
  3. Edit file /usr/local/etc/certmanage/main.json and add the following to the list
    {
    "domains": ["nextcloud.example.org"],
    "reload": [["/bin/systemctl", "reload", "nginx.service"]]
}
  4. Get your certificate
    $ sudo /usr/local/sbin/certmanage
Renewing certificate for nextcloud.example.org that will expire on 0001-01-01

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloud.example.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem. Your cert
   will expire on 2025-02-19. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Restarting services:
systemctl reload nginx.service
  5. Uncomment the ssl related lines in /etc/nginx/sites-available/nextcloud.example.org and run
    $ sudo systemctl reload nginx.service

Configure Nextcloud

//config.php

$ sudo tee "/usr/local/bin/occ" > /dev/null << EOF
> !/bin/sh
> sudo -u www-data /usr/bin/php /var/www/nextcloud/occ "\$@"
> EOF
$ sudo chmod +x /usr/local/bin/occ

Logs

First you need to create a folder for the logs

$ sudo mkdir /var/log/nextcloud
$ sudo chmod 750 /var/log/nextcloud
$ sudo chown www-data:adm /var/log/nextcloud

Create file /etc/logrotate.d/nextcloud with the following content

/var/log/nextcloud/nextcloud.log {
  rotate 6
  monthly
  compress
  delaycompress
  missingok
  notifempty
  create 640 www-data adm
}

Finally activate the new log location. Edit /var/www/nextcloud/config/config.php and add/edit the logfile line

'logfile' => '/var/log/nextcloud/nextcloud.log',

Cron

Create file /etc/cron.d/nextcloud

*/15 *   *   *   *   www-data /usr/bin/php -f /var/www/nextcloud/cron.php

Now open Nextcloud in your browser and go to the admin section and activate cron

owncloud cron.png

Test

Security

Nextcloud is providing a security scanning service for public instances. Scan your instance to find configuration issues.

Retrieved from ‘https://wiki.meurisse.org/index.php?title=Nextcloud&oldid=662