[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I finally get the reverse proxy working but not with ssl for now.
Your nginx.conf, both for your proxy and owncloud, is not configured to serve an SSL connection. You've got a lot more work to do than what can be explained here to get that working.
 

fireheadman

Dabbler
Joined
Nov 13, 2016
Messages
49
UPDATED: I edited this post to reflect my second build/rebuild of nextcloud. Also brought over a couple of changes (that were applicable) from my previous Owncloud server.


I have been searching high and low for a complete Nextcloud 11 installation on FreeBSD/FreeNAS. This thread was the best I could find, but it is a little out of date... so here is my contribution.... Maybe this could be inserted into a new thread?

I have Owncloud 8.x running on VBox (hosted from OSX). It's tuned the way I like it, so I will be comparing settings and trying to match 1 for 1 on my new FreeNAS Nextcloud jail.


THIS IS A MASHUP FROM Joshua Ruehlig's OWNCLOUD WRITE-UP from the beginning of this thread. [Many Thanks to Joshua!!]
I couldn't find anything recent on deploying NEXTCLOUD 11....

Create standard FreeNas Jail - Named it: "nextcloud"
added storage (external storage for data) - This will be connected at the end.
FROM:/mnt/abyss/nextcloud
TO:/mnt/nextcloud

jexec 5 /bin/sh
pkg update
pkg upgrade
pkg install bash wget
logout
jexec 5 /usr/local/bin/bash
pkg install mariadb101-server nginx redis php70-bz2 php70-ctype php70-curl php70-dom php70-exif php70-fileinfo php70-filter php70-gd php70-hash php70-iconv php70-intl php70-json php70-mbstring php70-mcrypt php70-pdo_mysql php70-openssl php70-posix php70-session php70-simplexml php70-xml php70-xmlreader php70-xmlwriter php70-xsl php70-wddx php70-zip php70-zlib php70-APCu php70-redis php70-pdo
sysrc 'nginx_enable=YES' 'php_fpm_enable=YES' 'mysql_enable=YES' 'redis_enable=YES'


CONFIG NGINX
rm -rf /usr/local/www/nginx
cp -rf /usr/local/www/nginx-dist /usr/local/www/nginx
mv /usr/local/etc/nginx/nginx.conf /usr/local/etc/nginx/nginx.conf.bak
vi /usr/local/etc/nginx/nginx.conf


#### THIS IS A FULL nginx.conf FILE
### MODIFIED FROM https://docs.nextcloud.com/server/11/admin_manual/installation/nginx_nextcloud_9x.html
### It Could be tweaked some more -- MAKE Sure you update your hostname and certname in this file.
Code:
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user  nobody;
worker_processes  4;  ##TUNE TO CPUS YOU HAVE

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
error_log  /var/log/nginx/error.log;
#
#pid		logs/nginx.pid;

events {
	worker_connections  1024;
}

http {
	include	   mime.types;
	default_type  application/octet-stream;

	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	#				  '$status $body_bytes_sent "$http_referer" '
	#				  '"$http_user_agent" "$http_x_forwarded_for"';

	access_log  /var/log/nginx/access.log;

	sendfile		on;
	#tcp_nopush	 on;

	#keepalive_timeout  0;
	keepalive_timeout  65;
	#gzip  on;

	upstream php-handler {
		#server 127.0.0.1:9000;
		server unix:/var/run/php-fpm.sock;
	}

	server {
		listen 80;
		server_name nextcloud.domain.com;
		# enforce https
		return 301 https://$server_name$request_uri;
	}

	# NGINX CAN USE HTTP/2 Protocol For Supported Browsers
	server {
		listen 443 ssl http2;
		server_name nextcloud.domain.com;

		ssl_certificate /usr/local/etc/nginx/ssl/nextcloud.domain.com.crt;
		ssl_certificate_key /usr/local/etc/nginx/ssl/nextcloud.domain.com.key;

		# Add headers to serve security related headers
		# Before enabling Strict-Transport-Security headers please read into this
		# topic first.
		# add_header Strict-Transport-Security "max-age=15768000;
		# includeSubDomains; preload;";
		add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
		add_header X-Frame-Options "SAMEORIGIN";
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;

		# Path to the root of your installation
		root /usr/local/www/nextcloud/;

		location = /robots.txt {
			allow all;
			log_not_found off;
			access_log off;
		}

		# The following 2 rules are only needed for the user_webfinger app.
		# Uncomment it if you're planning to use this app.
		#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
		#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
		# last;

		location = /.well-known/carddav {
		  return 301 $scheme://$host/remote.php/dav;
		}
		location = /.well-known/caldav {
		  return 301 $scheme://$host/remote.php/dav;
		}

		# set max upload size
		client_max_body_size 512M;
		fastcgi_buffers 64 4K;

		# Disable gzip to avoid the removal of the ETag header
		gzip off;

		# Uncomment if your server is build with the ngx_pagespeed module
		# This module is currently not supported.
		#pagespeed off;

		error_page 403 /core/templates/403.php;
		error_page 404 /core/templates/404.php;

		location / {
			rewrite ^ /index.php$uri;
		}

		## THIS LOCATION BLOCK IS THROWING ERRORS - NEEDS REVIEW/EDITING
		location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
			deny all;
		}
		location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
			deny all;
		}

		location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
			include fastcgi_params;
			fastcgi_split_path_info ^(.+\.php)(/.*)$;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			fastcgi_param PATH_INFO $fastcgi_path_info;
			fastcgi_param HTTPS on;
			#Avoid sending the security headers twice
			fastcgi_param modHeadersAvailable true;
			fastcgi_param front_controller_active true;
			fastcgi_pass php-handler;
			fastcgi_intercept_errors on;
			fastcgi_request_buffering off;
		}

		location ~ ^/(?:updater|ocs-provider)(?:$|/) {
			try_files $uri/ =404;
			index index.php;
		}

		# Adding the cache control header for js and css files
		# Make sure it is BELOW the PHP block
		location ~* \.(?:css|js|woff|svg|gif)$ {
			try_files $uri /index.php$uri$is_args$args;
			add_header Cache-Control "public, max-age=7200";
			# Add headers to serve security related headers (It is intended to
			# have those duplicated to the ones above)
			# Before enabling Strict-Transport-Security headers please read into
			# this topic first.
			# add_header Strict-Transport-Security "max-age=15768000;
			#  includeSubDomains; preload;";
			add_header X-Content-Type-Options nosniff;
			add_header X-Frame-Options "SAMEORIGIN";
			add_header X-XSS-Protection "1; mode=block";
			add_header X-Robots-Tag none;
			add_header X-Download-Options noopen;
			add_header X-Permitted-Cross-Domain-Policies none;
			# Optional: Don't log access to assets
			access_log off;
		}

		location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
			try_files $uri /index.php$uri$is_args$args;
			# Optional: Don't log access to other assets
			access_log off;
		}
	}

}


## Create a 10 Year Self-Signed Cert
## Change '3650' to '365' For a 1 Year Cert

mkdir /usr/local/etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/nginx/ssl/nextcloud.domain.com.key -out /usr/local/etc/nginx/ssl/nextcloud.domain.com.crt
nginx -t

(should be successful on check)

CONFIG PHP
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
vi /usr/local/etc/php.ini

Code:
	cgi.fix_pathinfo=1
	date.timezone = America/Denver
	upload_max_filesize = 2048M
	post_max_size = 2058M

vi /usr/local/etc/php-fpm.d/www.conf
Code:
	;listen = 127.0.0.1:9000
	listen = /var/run/php-fpm.sock
	listen.owner = www
	listen.group = www
	env[PATH] = /usr/local/bin:/usr/bin:/bin
	pm.max_children = 8    ; I have an 8-core CPU, this is a tuneable
	pm.max_requests = 500  ; uncomment this, this is a tuneable


CONFIG MARIADB/MYSQL
cp /usr/local/share/mysql/my-medium.cnf /usr/local/etc/my.cnf
vi /usr/local/etc/my.cnf

(These entries need to be present in the [mysql] section. MAKE SURE THERE ARE NO DUPLICATE SETTINGS WITH DIFFERENT VALUES)
Code:
	skip-networking
	skip-name-resolve
	expire_logs_days = 1


Find the section that says: # Uncomment the following if you are using InnoDB tables
And uncomment that block (should look like this):
Code:
innodb_data_home_dir = /var/db/mysql
innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /var/db/mysql
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 20M
innodb_additional_mem_pool_size = 2M
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 5M
innodb_log_buffer_size = 8M
innodb_lock_wait_timeout = 50
innodb_flush_method = O_DIRECT
skip-innodb_doublewrite
innodb_flush_log_at_trx_commit = 2
innodb_file_per_table


CONFIG REDIS
vi /usr/local/etc/redis.conf
Code:
	port 0
	unixsocket /tmp/redis.sock
	unixsocketperm 777


FIRST SANITY CHECK (the initial mysql start should show the innodb creation)
service nginx start
service php-fpm start
service mysql-server start
service redis start


MORE CONFIG MARIADB/MYSQL
mysql_secure_installation
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
Remove anonymous users? [Y/n]
... Success!
Disallow root login remotely? [Y/n]
... Success!
Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reload privilege tables now? [Y/n]
... Success!
Cleaning up...

mysql -u root -p
Enter password:
CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud_user'@'localhost' IDENTIFIED BY 'nextcloud_pass'; -- CHANGE USERNAME/PASSWD
FLUSH PRIVILEGES;
exit;


cd /tmp
wget https://download.nextcloud.com/server/releases/nextcloud-11.0.0.zip (PROCEDURE BASED AROUND THIS VERSION)
cd /usr/local/www
unzip /tmp/nextcloud-11.0.0.zip
chown -R www:www /usr/local/www/nextcloud


CONFIG CRON (Once Nextcloud is online and senses the cron job running, it will auto switch from AJAX to Cron)
crontab -u www -e

Code:
	*/15 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php

INSTALL NEXTCLOUD (GUI-Method)
GOTO Browser http://nextcloud.domain.com (or whatever you named your webserver, update your /etc/hosts if you need the domain to resolve locally)
Should be at the install wizard, so complete it.

Once complete, you will be logged into Nextcloud for the 1st time....
GOTO Top right <username>, then Admin page
will see some issues to resolve... (WE WILL GET BACK TO THESE)
now GO BACK TO CLI

NEXT SANITY CHECK
su -m www -c 'php /usr/local/www/nextcloud/occ status' (A SANITY CHECK)
- installed: true
- version: 11.0.0.10
- versionstring: 11.0.0
- edition:
su -m www -c 'php /usr/local/www/nextcloud/occ list' (to see options)

MEMCACHING/FILE LOCKING
https://docs.nextcloud.com/server/11/admin_manual/configuration_server/caching_configuration.html
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.distributed --value="\OC\Memcache\Redis"'


Enable Avatars For User Profiles (optional)
FYI: I noticed I was still not seeing the place to upload my avatar. I had to manually edit /usr/local/www/nextcloud/config/config.php and remove the single quotes surrounding 'true' so it reads true, then restart your web services.... Now my avatar section was available.
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enable_avatars --value=true'


TO ENABLE ALL PREVIEW PROVIDERS
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enable_previews --value=true --type=boolean'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 0 --value="OC\Preview\PNG"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 1 --value="OC\Preview\JPEG"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 2 --value="OC\Preview\GIF"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 3 --value="OC\Preview\BMP"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 4 --value="OC\Preview\XBitmap"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 5 --value="OC\Preview\MarkDown"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 6 --value="OC\Preview\MP3"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 7 --value="OC\Preview\TXT"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 8 --value="OC\Preview\Illustrator"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 9 --value="OC\Preview\Movie"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 10 --value="OC\Preview\MSOffice2003"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 11 --value="OC\Preview\MSOffice2007"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 12 --value="OC\Preview\MSOfficeDoc"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 13 --value="OC\Preview\OpenDocument"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 14 --value="OC\Preview\PDF"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 15 --value="OC\Preview\Photoshop"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 16 --value="OC\Preview\Postscript"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 17 --value="OC\Preview\StarOffice"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 18 --value="OC\Preview\SVG"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 19 --value="OC\Preview\TIFF"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 20 --value="OC\Preview\Font"'


ENABLE VIDEO PREVIEWS
pkg install ffmpeg

RESTART SERVICES

service nginx restart
service php-fpm restart
service redis restart


CONFIG EXTERNAL STORAGE
Once logged in, GOTO TOP LEFT -> APPS -> NOT ENABLED -> ENABLE EXTERNAL STORAGE
GOTO TOP RIGHT -> USERNAME -> Admin -> EXTERNAL STORAGE -> Configure the EXTERNAL Storage to the Storage you attached to the jail.

Basic Install Completed, now configure your software however you want it!
I would highly recommend you restart your Jail at this point to validate everything works after a reboot.
==========================

#################################################
######### TROUBLESHOOTING/TUNING AREA ##########
#################################################


ISSUE #1
After restart, I see these in the error log: (Every time I click somewhere, one spawns)

2016/12/20 22:58:03 [error] 24805#102118: *44 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482299883686 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:02:35 [error] 25779#100985: *20 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300155871 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:03:48 [error] 25905#100974: *15 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300228746 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:05:36 [error] 26142#102116: *3 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300336618 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:09:28 [error] 26369#102121: *26 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300568421 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:10:02 [error] 26369#102121: *30 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300602480 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:18:37 [error] 26818#102118: *2 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482301117857 HTTP/1.1", host: "nextcloud.domain.com"

....This block in the nginx.conf is causing it: (Need to figure out how to make this RULE Cleaner)
This block is directly from the Nextcloud documentation
Code:
   location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	}


ISSUE #2
#### IF YOU INSTALL THIS, IT WILL BREAK NEXTCLOUD SINCE THERE IS A PHP56 PKG THAT UNINSTALLS ALL PHP70
#### DEATH ON THE LAST STEP ---- ARGH!!!!
#### I COULD HAVE JUST UNINSTALLED PHP56 and REINSTALLED THE PHP70 PKGS, BUT I HAVE NO IDEA HOW CLEAN IT WOULD BE
#### SO FOR NOW I WILL LIVE W/O DOC/DOCX PREVIEWS.
pkg install libreoffice pecl-imagick (TO ENABLE DOC/DOCX EDITING and PREVIEWS)
...<snippet from install>
Number of packages to be removed: 30
Number of packages to be installed: 117

The process will require 1 GiB more space.

Proceed with this action? [y/N]: y
[nextcloud] [1/147] Deinstalling php70-xsl-7.0.14...
[nextcloud] [1/147] Deleting files for php70-xsl-7.0.14: 100%
[nextcloud] [2/147] Deinstalling php70-wddx-7.0.14...
[nextcloud] [2/147] Deleting files for php70-wddx-7.0.14: 100%
[nextcloud] [3/147] Deinstalling php70-xmlreader-7.0.14...
[nextcloud] [3/147] Deleting files for php70-xmlreader-7.0.14: 100%
[nextcloud] [4/147] Deinstalling php70-redis-3.0.0_1...
[nextcloud] [4/147] Deleting files for php70-redis-3.0.0_1: 100%
[nextcloud] [5/147] Deinstalling php70-pdo_mysql-7.0.14...
[nextcloud] [5/147] Deleting files for php70-pdo_mysql-7.0.14: 100%
[nextcloud] [6/147] Deinstalling php70-xml-7.0.14...
[nextcloud] [6/147] Deleting files for php70-xml-7.0.14: 100%
[nextcloud] [7/147] Deinstalling php70-dom-7.0.14...
[nextcloud] [7/147] Deleting files for php70-dom-7.0.14: 100%
[nextcloud] [8/147] Deinstalling php70-xmlwriter-7.0.14...
[nextcloud] [8/147] Deleting files for php70-xmlwriter-7.0.14: 100%
[nextcloud] [9/147] Deinstalling php70-simplexml-7.0.14...
[nextcloud] [9/147] Deleting files for php70-simplexml-7.0.14: 100%
[nextcloud] [10/147] Deinstalling php70-gd-7.0.14...
[nextcloud] [10/147] Deleting files for php70-gd-7.0.14: 100%
[nextcloud] [11/147] Deinstalling php70-iconv-7.0.14...
[nextcloud] [11/147] Deleting files for php70-iconv-7.0.14: 100%
[nextcloud] [12/147] Deinstalling php70-intl-7.0.14...
[nextcloud] [12/147] Deleting files for php70-intl-7.0.14: 100%
[nextcloud] [13/147] Deinstalling php70-curl-7.0.14...
[nextcloud] [13/147] Deleting files for php70-curl-7.0.14: 100%
[nextcloud] [14/147] Deinstalling php70-session-7.0.14...
[nextcloud] [14/147] Deleting files for php70-session-7.0.14: 100%
[nextcloud] [15/147] Deinstalling php70-openssl-7.0.14...
[nextcloud] [15/147] Deleting files for php70-openssl-7.0.14: 100%
[nextcloud] [16/147] Deinstalling php70-posix-7.0.14...
[nextcloud] [16/147] Deleting files for php70-posix-7.0.14: 100%
[nextcloud] [17/147] Deinstalling php70-hash-7.0.14...
[nextcloud] [17/147] Deleting files for php70-hash-7.0.14: 100%
[nextcloud] [18/147] Deinstalling php70-exif-7.0.14...
[nextcloud] [18/147] Deleting files for php70-exif-7.0.14: 100%
[nextcloud] [19/147] Deinstalling php70-zlib-7.0.14...
[nextcloud] [19/147] Deleting files for php70-zlib-7.0.14: 100%
[nextcloud] [20/147] Deinstalling php70-mcrypt-7.0.14...
[nextcloud] [20/147] Deleting files for php70-mcrypt-7.0.14: 100%
[nextcloud] [21/147] Deinstalling php70-bz2-7.0.14...
[nextcloud] [21/147] Deleting files for php70-bz2-7.0.14: 100%
[nextcloud] [22/147] Deinstalling php70-ctype-7.0.14...
[nextcloud] [22/147] Deleting files for php70-ctype-7.0.14: 100%
[nextcloud] [23/147] Deinstalling php70-mbstring-7.0.14...
[nextcloud] [23/147] Deleting files for php70-mbstring-7.0.14: 100%
[nextcloud] [24/147] Deinstalling php70-json-7.0.14...
[nextcloud] [24/147] Deleting files for php70-json-7.0.14: 100%
[nextcloud] [25/147] Deinstalling php70-pdo-7.0.14...
[nextcloud] [25/147] Deleting files for php70-pdo-7.0.14: 100%
[nextcloud] [26/147] Deinstalling php70-fileinfo-7.0.14...
[nextcloud] [26/147] Deleting files for php70-fileinfo-7.0.14: 100%
[nextcloud] [27/147] Deinstalling php70-zip-7.0.14...
[nextcloud] [27/147] Deleting files for php70-zip-7.0.14: 100%
[nextcloud] [28/147] Deinstalling php70-filter-7.0.14...
[nextcloud] [28/147] Deleting files for php70-filter-7.0.14: 100%
[nextcloud] [29/147] Deinstalling php70-APCu-5.1.7...
[nextcloud] [29/147] Deleting files for php70-APCu-5.1.7: 100%
[nextcloud] [30/147] Deinstalling php70-7.0.14...
You may need to manually remove /usr/local/etc/php-fpm.d/www.conf if it is no longer needed.
[nextcloud] [30/147] Deleting files for php70-7.0.14: 100%
...
[nextcloud] [144/147] Installing php56-5.6.29...
[nextcloud] [144/147] Extracting php56-5.6.29: 100%

ISSUE #3 [Resolved - may be in the next release of Nextcloud]
In the Admin section, if you view the "Server Info" it will prompt php to view the system memory, which it has no access to since it is jailed.
These are the errors I was getting:
Code:
Error PHP file_get_contents(/proc/meminfo): failed to open stream: No such file or directory at /usr/local/www/nextcloud/apps/serverinfo/lib/SystemStatistics.php#71 2016-12-22T01:07:31-0700
Error PHP file_get_contents(/proc/meminfo): failed to open stream: No such file or directory at /usr/local/www/nextcloud/apps/serverinfo/lib/SystemStatistics.php#71 2016-12-22T01:07:30-0700
Error PHP file_get_contents(/proc/meminfo): failed to open stream: No such file or directory at /usr/local/www/nextcloud/apps/serverinfo/lib/SystemStatistics.php#71 2016-12-22T01:07:29-0700

Solution was to change the code in /usr/local/www/nextcloud/apps/serverinfo/lib/SystemStatistics.php
Then restart your web services (nginx/php/redis)
Code:
-$memoryUsage = file_get_contents('/proc/meminfo');
+$memoryUsage = @file_get_contents('/proc/meminfo');


ISSUE #4 [Resolved - Unable to select specific users on shared folders to be read-only or even give option to create/change/delete file]
After adding in the external storage, I wanted to add a couple users to it, 1 user = contributor (create/change/no-delete) and the other user = viewer (read-only). Once you allow sharing and add a user, clicking the '...' next to their name will popup a dialogue to select the user access/mod level. This was missing.
Had to update the ownership to allow the webserver access, then rescan the files.

chown -R www:www /mnt/nextcloud
su -m www -c 'php /usr/local/www/nextcloud/occ files:scan --all'


In the future I might allow my external storage to become a NFS/AFP share so that pictures or docs could be added from computers on my local network. This will require some more thought as a crontab would need to be added to re-scan periodically and this could mess up things with deleting files outside Nextcloud's knowledge/management.

UPDATE: Slight change to this config... I noticed that if I left the "Available for" field empty (defaults to ALL USERS), and checked the share button to add users, they would see every folder/file in the External Storage (not my intention to have that). So I ended up putting my admin username in the Available For field and then could add users to the folders/files in the External Storage.
 
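A sorting script for the "access forbidden by rule" entries from ISSUE #1, added here as an example and not part of the post above. Nextcloud's admin page requests /data/.ocdata on purpose to confirm the data directory is not reachable over HTTP, so those 403s are the deny rule doing its job; the script separates them from any other denied path, which is what an admin actually wants to review. The log lines and client addresses are constructed samples in the format shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): sort the "access forbidden by rule"
# entries that the Nextcloud deny rules write to /var/log/nginx/error.log
# into Nextcloud's own data-directory probe (GET /data/.ocdata, which must
# be refused) and everything else, which is worth a look.

# Constructed sample log lines in the format shown in the thread (client
# addresses are private/documentation ranges, not real hosts).
SAMPLE_LOG='2016/12/20 22:58:03 [error] 24805#102118: *44 access forbidden by rule, client: 192.168.1.10, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482299883686 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:02:35 [error] 25779#100985: *20 access forbidden by rule, client: 192.168.1.10, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300155871 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:03:48 [error] 25905#100974: *15 access forbidden by rule, client: 203.0.113.5, server: nextcloud.domain.com, request: "GET /config/config.php HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:03:49 [notice] 25905#100974: signal process started
2016/12/20 23:05:36 [error] 26142#102116: *3 access forbidden by rule, client: 203.0.113.5, server: nextcloud.domain.com, request: "GET /3rdparty/composer.json HTTP/1.1", host: "nextcloud.domain.com"'

# forbidden_requests: stdin = nginx error log; stdout = "<client> <path>" per
# deny-rule hit, with query string and protocol stripped. Other lines are dropped.
forbidden_requests() {
    sed -n 's/.*access forbidden by rule, client: \([^,]*\), .*request: "[A-Z]* \([^ ?"]*\)[^"]*".*/\1 \2/p'
}

# count_expected_probes: hits on /data/.ocdata. Nextcloud's admin page fetches
# this URL deliberately to confirm the data directory is NOT served over HTTP,
# so a 403 here is the deny rule working, not a fault.
count_expected_probes() {
    forbidden_requests | grep -c ' /data/\.ocdata$' || true
}

# unexpected_hits: every other denied path, with the client that asked for it.
unexpected_hits() {
    forbidden_requests | grep -v ' /data/\.ocdata$' || true
}

# report: summarise an error log given on stdin.
report() {
    log=$(cat)
    printf 'expected data-dir probes (safe to ignore): %s\n' \
        "$(printf '%s\n' "$log" | count_expected_probes)"
    printf 'other denied requests (review these):\n'
    printf '%s\n' "$log" | unexpected_hits | sort | uniq -c
}

if [ $# -gt 0 ]; then
    report < "$1"        # pass the path to the nginx error log
else
    printf '%s\n' "$SAMPLE_LOG" | report
fi
```

Run it inside the jail as `sh script.sh /var/log/nginx/error.log`; with no argument it reports on the embedded sample.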

Kartoff

Cadet
Joined
Jan 6, 2017
Messages
5
Nice post ! I will try it step by step immediately :)

---Edit---

I am curious, will the NextCloud self updater work with this installation? Because I am such a noob and I have no clue what I will do in the future when the time for an update comes :)
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
No you have to manually update.
 

Kartoff

Cadet
Joined
Jan 6, 2017
Messages
5
No you have to manually update.

Thank you for the answer :) Then does anybody know how to update PHP in the NextCloud jail? I see FreeNAS put NextCloud in the PBI directory... It seems when I update PHP it updates normally ("php -v" shows 7.0.14 or something), but NextCloud won't recognise it... But it wants PHP greater than 5.6 to do the update to 11... Maybe it has to be updated in the PBI also, but I don't know how...

--edit--

@ fireheadman I am not sure, but for Libre Office maybe this: "pkg install -I php56 libreoffice pecl-imagick" will do the trick... Still haven't tried it myself but...
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Thank you for the answer :) Then does anybody know how to update PHP in the NextCloud jail? I see FreeNAS put NextCloud in the PBI directory... It seems when I update PHP it updates normally ("php -v" shows 7.0.14 or something), but NextCloud won't recognise it... But it wants PHP greater than 5.6 to do the update to 11... Maybe it has to be updated in the PBI also, but I don't know how...

--edit--

@ fireheadman I am not sure, but for Libre Office maybe this: "pkg install -I php56 libreoffice pecl-imagick" will do the trick... Still haven't tried it myself but...
This thread is about manual installation using nginx, not about the plugin. There is a section of the forum for that.

As for the nextcloud plugin, there isn't a good way to update the php it uses. The plugin will be stuck at nextcloud 10 until I find a way to include php5.6.
 

fireheadman

Dabbler
Joined
Nov 13, 2016
Messages
49
No you have to manually update.

Actually, I do believe it will update.
Under the Admin section -> Server Settings

This should show the update and allow you to apply it. When I did my first attempt, I had v10.x installed and it allowed it.
I could be wrong though... Sure someone will try it out.

 

fireheadman

Dabbler
Joined
Nov 13, 2016
Messages
49
This thread is about manual installation using nginx, not about the plugin. There is a section of the forum for that.

As for the nextcloud plugin, there isn't a good way to update the php it uses. The plugin will be stuck at nextcloud 10 until I find a way to include php5.6.

I was just pointing out this broke the install from your first post that mentioned this.
If you can be so kind to mention that thread, I can take a look at it and contribute there.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Actually, I do believe it will update.
Under the Admin section -> Server Settings

This should show the update and allow you to apply it. When I did my first attempt, I had v10.x installed and it allowed it.
I could be wrong though... Sure someone will try it out.

No it won't. The updater fails and has for the last 2 version updates I've run. Both updates had to be manually installed.

Thank you for the answer :) Then does anybody know how to update PHP in the NextCloud jail? I see FreeNAS put NextCloud in the PBI directory... It seems when I update PHP it updates normally ("php -v" shows 7.0.14 or something), but NextCloud won't recognise it... But it wants PHP greater than 5.6 to do the update to 11... Maybe it has to be updated in the PBI also, but I don't know how...

--edit--

@ fireheadman I am not sure, but for Libre Office maybe this: "pkg install -I php56 libreoffice pecl-imagick" will do the trick... Still haven't tried it myself but...
If you want an easy way to update then install the package version of nextcloud/owncloud.
pkg install nextcloud
 

fireheadman

Dabbler
Joined
Nov 13, 2016
Messages
49
No it won't. The updater fails and has for the last 2 version updates I've run. Both updates had to be manually installed.


If you want an easy way to update then install the package version of nextcloud/owncloud.
pkg install nextcloud

I believe the pkg supplied version of nextcloud is not at version 11. (I was after the latest/greatest)
For me having libreoffice is not a show stopper since my cloud is used primarily for photo sharing with family/friends.... but yeah, what you are recommending might/could resolve other people's issues with that plugin.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I believe the pkg supplied version of nextcloud is not at version 11. (I was after the latest/greatest)
For me having libreoffice is not a show stopper since my cloud is used primarily for photo sharing with family/friends.... but yeah, what you are recommending might/could resolve other people's issues with that plugin.
It is at version 11 and it updated via pkg upgrade recently just fine. Only difference is the php dependencies are still based on php56. If you want php7 then you still have to follow the excellent tutorial on the first page that @Joshua Parker Ruehlig has written up.
 

fireheadman

Dabbler
Joined
Nov 13, 2016
Messages
49
It is at version 11 and it updated via pkg upgrade recently just fine. Only difference is the php dependencies are still based on php56. If you want php7 then you still have to follow the excellent tutorial on the first page that @Joshua Parker Ruehlig has written up.
sounds like a plan!... thanks
I have a stable release at the moment, but if I get bored or find some spare time on my hands I will revisit.
 

Kartoff

Cadet
Joined
Jan 6, 2017
Messages
5
Now I need a little help...

I did all @fireheadman says and now all works... Except for just 2 things: one of them is Avatars, which worked fine after install, and my fault is that I accidentally copy-pasted this: su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enable_avatars --value=true' and now avatars don't work :( And the other thing is about not showing memory, because I have no clue where exactly in the file to put the code provided here...

Thank you in advance :)

--edit--

Just did a reinstall of NextCloud, I mean after unzipping to www and all after that, instead of that step for avatars, and they work now :)
 

Michael Sparks

Explorer
Joined
Apr 23, 2014
Messages
56

	#keepalive_timeout  0;
	keepalive_timeout  65;
	#gzip  on;

	upstream php-handler {
		#server 127.0.0.1:9000;
		server unix:/var/run/php-fpm.sock;
	}

	server {
		listen 80;
		server_name nextcloud.domain.com;
		# enforce https
		return 301 https://$server_name$request_uri;
	}

	# NGINX CAN USE HTTP/2 Protocol For Supported Browsers
	server {
		listen 443 ssl http2;
		server_name nextcloud.domain.com;

		ssl_certificate /usr/local/etc/nginx/ssl/nextcloud.domain.com.crt;
		ssl_certificate_key /usr/local/etc/nginx/ssl/nextcloud.domain.com.key;

		# Add headers to serve security related headers
		# Before enabling Strict-Transport-Security headers please read into this
		# topic first.
		# add_header Strict-Transport-Security "max-age=15768000;
		# includeSubDomains; preload;";
		add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
		add_header X-Frame-Options "SAMEORIGIN";
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;

		# Path to the root of your installation
		root /usr/local/www/nextcloud/;

		location = /robots.txt {
			allow all;
			log_not_found off;
			access_log off;
		}

		# The following 2 rules are only needed for the user_webfinger app.
		# Uncomment it if you're planning to use this app.
		#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
		#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
		# last;

		location = /.well-known/carddav {
		  return 301 $scheme://$host/remote.php/dav;
		}
		location = /.well-known/caldav {
		  return 301 $scheme://$host/remote.php/dav;
		}

		# set max upload size
		client_max_body_size 512M;
		fastcgi_buffers 64 4K;

		# Disable gzip to avoid the removal of the ETag header
		gzip off;

		# Uncomment if your server is build with the ngx_pagespeed module
		# This module is currently not supported.
		#pagespeed off;

		error_page 403 /core/templates/403.php;
		error_page 404 /core/templates/404.php;

		location / {
			rewrite ^ /index.php$uri;
		}

		## THIS LOCATION BLOCK IS THROWING ERRORS - NEEDS REVIEW/EDITING
		location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
			deny all;
		}
		location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
			deny all;
		}

		location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
			include fastcgi_params;
			fastcgi_split_path_info ^(.+\.php)(/.*)$;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			fastcgi_param PATH_INFO $fastcgi_path_info;
			fastcgi_param HTTPS on;
			#Avoid sending the security headers twice
			fastcgi_param modHeadersAvailable true;
			fastcgi_param front_controller_active true;
			fastcgi_pass php-handler;
			fastcgi_intercept_errors on;
			fastcgi_request_buffering off;
		}

		location ~ ^/(?:updater|ocs-provider)(?:$|/) {
			try_files $uri/ =404;
			index index.php;
		}

		# Adding the cache control header for js and css files
		# Make sure it is BELOW the PHP block
		location ~* \.(?:css|js|woff|svg|gif)$ {
			try_files $uri /index.php$uri$is_args$args;
			add_header Cache-Control "public, max-age=7200";
			# Add headers to serve security related headers (It is intended to
			# have those duplicated to the ones above)
			# Before enabling Strict-Transport-Security headers please read into
			# this topic first.
			# add_header Strict-Transport-Security "max-age=15768000;
			#  includeSubDomains; preload;";
			add_header X-Content-Type-Options nosniff;
			add_header X-Frame-Options "SAMEORIGIN";
			add_header X-XSS-Protection "1; mode=block";
			add_header X-Robots-Tag none;
			add_header X-Download-Options noopen;
			add_header X-Permitted-Cross-Domain-Policies none;
			# Optional: Don't log access to assets
			access_log off;
		}

		location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
			try_files $uri /index.php$uri$is_args$args;
			# Optional: Don't log access to other assets
			access_log off;
		}
	}

}


## Create a 10 Year Self-Signed Cert
## Change '3650' to '365' For a 1 Year Cert

mkdir /usr/local/etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/nginx/ssl/nextcloud.domain.com.key -out /usr/local/etc/nginx/ssl/nextcloud.domain.com.crt
nginx -t

(should be successful on check)

CONFIG PHP
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
vi /usr/local/etc/php.ini

Code:
   cgi.fix_pathinfo=1
	date.timezone = America/Denver
	upload_max_filesize = 2048M
	post_max_size = 2058M

vi /usr/local/etc/php-fpm.d/www.conf
Code:
	;listen = 127.0.0.1:9000
	listen = /var/run/php-fpm.sock
	listen.owner = www
	listen.group = www
	env[PATH] = /usr/local/bin:/usr/bin:/bin
	pm.max_children = 8   (I have an 8-core CPU, This is a tuneable)
	pm.max_requests = 500  (uncomment this, This is a tuneable)


CONFIG MARIADB/MYSQL
cp /usr/local/share/mysql/my-medium.cnf /usr/local/etc/my.cnf
vi /usr/local/etc/my.cnf

(These entries need to be present in the [mysql] section, MAKE SURE THERE ARE NOT DUPLICATE SETTINGS WITH DIFFERENT VALUES)
Code:
	skip-networking
	skip-name-resolve
	expire_logs_days = 1


Find the section that says: # Uncomment the following if you are using InnoDB tables
And uncomment that block (should look like this):
Code:
innodb_data_home_dir = /var/db/mysql
innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /var/db/mysql
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 20M
innodb_additional_mem_pool_size = 2M
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 5M
innodb_log_buffer_size = 8M
innodb_lock_wait_timeout = 50
innodb_flush_method = O_DIRECT
skip-innodb_doublewrite
innodb_flush_log_at_trx_commit = 2
innodb_file_per_table


CONFIG REDIS
vi /usr/local/etc/redis.conf
Code:
	port 0
	unixsocket /tmp/redis.sock
	unixsocketperm 777


FIRST SANITY CHECK (mysql initial start will show innodb creation)
service nginx start
service php-fpm start
service mysql-server start
service redis start


MORE CONFIG MARIADB/MYSQL
mysql_secure_installation
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
Remove anonymous users? [Y/n]
... Success!
Disallow root login remotely? [Y/n]
... Success!
Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reload privilege tables now? [Y/n]
... Success!
Cleaning up...

mysql -u root -p
Enter password:
CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud_user'@'localhost' IDENTIFIED BY 'nextcloud_pass'; (CHANGE USERNAME/PASSWD)
FLUSH PRIVILEGES;
exit;


cd /tmp
wget https://download.nextcloud.com/server/releases/nextcloud-11.0.0.zip (PROCEDURE BASED AROUND THIS VERSION)
cd /usr/local/www
unzip /tmp/nextcloud-11.0.0.zip
chown -R www:www /usr/local/www/nextcloud


CONFIG CRON (Once Nextcloud is online and senses the cron job running, it will auto switch from AJAX to Cron)
crontab -u www -e

Code:
	*/15 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php

INSTALL NEXTCLOUD (GUI-Method)
GOTO Browser http://nextcloud.domain.com (or whatever you named your webserver, update your /etc/hosts if you need the domain to resolve locally)
Should be at the install wizard, so complete it.

Once complete, you will be logged into Nextcloud for the 1st time....
GOTO Top right <username>, then Admin page
will see some issues to resolve... (WE WILL GET BACK TO THESE)
now GO BACK TO CLI

NEXT SANITY CHECK
su -m www -c 'php /usr/local/www/nextcloud/occ status' (A SANITY CHECK)
- installed: true
- version: 11.0.0.10
- versionstring: 11.0.0
- edition:
su -m www -c 'php /usr/local/www/nextcloud/occ list' (to see options)

MEMCACHING/FILE LOCKING
https://docs.nextcloud.com/server/11/admin_manual/configuration_server/caching_configuration.html
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.distributed --value="\OC\Memcache\Redis"'


Enable Avatars For User Profiles (optional)
FYI: I noticed I was still not seeing the place to upload my avatar. I had to manually edit /usr/local/www/nextcloud/config/config.php and remove the single quotes surrounding 'true' to be true, then restart your web services.... Now my avatar section was available.
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enable_avatars --value=true'


TO ENABLE ALL PREVIEW PROVIDERS
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enable_previews --value=true --type=boolean'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 0 --value="OC\Preview\PNG"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 1 --value="OC\Preview\JPEG"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 2 --value="OC\Preview\GIF"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 3 --value="OC\Preview\BMP"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 4 --value="OC\Preview\XBitmap"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 5 --value="OC\Preview\MarkDown"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 6 --value="OC\Preview\MP3"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 7 --value="OC\Preview\TXT"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 8 --value="OC\Preview\Illustrator"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 9 --value="OC\Preview\Movie"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 10 --value="OC\Preview\MSOffice2003"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 11 --value="OC\Preview\MSOffice2007"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 12 --value="OC\Preview\MSOfficeDoc"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 13 --value="OC\Preview\OpenDocument"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 14 --value="OC\Preview\PDF"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 15 --value="OC\Preview\Photoshop"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 16 --value="OC\Preview\Postscript"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 17 --value="OC\Preview\StarOffice"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 18 --value="OC\Preview\SVG"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 19 --value="OC\Preview\TIFF"'
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set enabledPreviewProviders 20 --value="OC\Preview\Font"'


ENABLE VIDEO PREVIEWS
pkg install ffmpeg

RESTART SERVICES

service nginx restart
service php-fpm restart
service redis restart


CONFIG EXTERNAL STORAGE
Once logged in, GOTO TOP LEFT -> APPS -> NOT ENABLED -> ENABLE EXTERNAL STORAGE
GOTO TOP RIGHT -> USERNAME -> Admin -> EXTERNAL STORAGE -> Configure the EXTERNAL Storage to the Storage you attached to the jail.

Basic Install Completed, now configure your software however you want it!
I would highly recommend you restart your Jail at this point to validate everything works after a reboot.
==========================

#################################################
######### TROUBLESHOOTING/TUNING AREA ##########
#################################################


ISSUE #1
After restart, I see these in the error log: (Every time I click somewhere, one spawns)

2016/12/20 22:58:03 [error] 24805#102118: *44 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482299883686 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:02:35 [error] 25779#100985: *20 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300155871 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:03:48 [error] 25905#100974: *15 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300228746 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:05:36 [error] 26142#102116: *3 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300336618 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:09:28 [error] 26369#102121: *26 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300568421 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:10:02 [error] 26369#102121: *30 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300602480 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:18:37 [error] 26818#102118: *2 access forbidden by rule, client: 192.168.1.xx, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482301117857 HTTP/1.1", host: "nextcloud.domain.com"

....This block in the nginx.conf is causing it: (Need to figure out how to make this RULE Cleaner)
This block is directly from the Nextcloud documentation
Code:
   location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	}


ISSUE #2
#### IF YOU INSTALL THIS, IT WILL BREAK NEXTCLOUD SINCE THERE IS A PHP56 PKG THAT UNINSTALLS ALL PHP70
#### DEATH ON THE LAST STEP ---- ARGH!!!!
#### I COULD HAVE JUST UNINSTALLED PHP56 and REINSTALLED THE PHP70 PKGS, BUT I HAVE NO IDEA HOW CLEAN IT WOULD BE
#### SO FOR NOW I WILL LIVE W/O DOC/DOCX PREVIEWS.
pkg install libreoffice pecl-imagick (TO ENABLE DOC/DOCX EDITING and PREVIEWS)
...<snippet from install>
Number of packages to be removed: 30
Number of packages to be installed: 117

The process will require 1 GiB more space.

Proceed with this action? [y/N]: y
[nextcloud] [1/147] Deinstalling php70-xsl-7.0.14...
[nextcloud] [1/147] Deleting files for php70-xsl-7.0.14: 100%
[nextcloud] [2/147] Deinstalling php70-wddx-7.0.14...
[nextcloud] [2/147] Deleting files for php70-wddx-7.0.14: 100%
[nextcloud] [3/147] Deinstalling php70-xmlreader-7.0.14...
[nextcloud] [3/147] Deleting files for php70-xmlreader-7.0.14: 100%
[nextcloud] [4/147] Deinstalling php70-redis-3.0.0_1...
[nextcloud] [4/147] Deleting files for php70-redis-3.0.0_1: 100%
[nextcloud] [5/147] Deinstalling php70-pdo_mysql-7.0.14...
[nextcloud] [5/147] Deleting files for php70-pdo_mysql-7.0.14: 100%
[nextcloud] [6/147] Deinstalling php70-xml-7.0.14...
[nextcloud] [6/147] Deleting files for php70-xml-7.0.14: 100%
[nextcloud] [7/147] Deinstalling php70-dom-7.0.14...
[nextcloud] [7/147] Deleting files for php70-dom-7.0.14: 100%
[nextcloud] [8/147] Deinstalling php70-xmlwriter-7.0.14...
[nextcloud] [8/147] Deleting files for php70-xmlwriter-7.0.14: 100%
[nextcloud] [9/147] Deinstalling php70-simplexml-7.0.14...
[nextcloud] [9/147] Deleting files for php70-simplexml-7.0.14: 100%
[nextcloud] [10/147] Deinstalling php70-gd-7.0.14...
[nextcloud] [10/147] Deleting files for php70-gd-7.0.14: 100%
[nextcloud] [11/147] Deinstalling php70-iconv-7.0.14...
[nextcloud] [11/147] Deleting files for php70-iconv-7.0.14: 100%
[nextcloud] [12/147] Deinstalling php70-intl-7.0.14...
[nextcloud] [12/147] Deleting files for php70-intl-7.0.14: 100%
[nextcloud] [13/147] Deinstalling php70-curl-7.0.14...
[nextcloud] [13/147] Deleting files for php70-curl-7.0.14: 100%
[nextcloud] [14/147] Deinstalling php70-session-7.0.14...
[nextcloud] [14/147] Deleting files for php70-session-7.0.14: 100%
[nextcloud] [15/147] Deinstalling php70-openssl-7.0.14...
[nextcloud] [15/147] Deleting files for php70-openssl-7.0.14: 100%
[nextcloud] [16/147] Deinstalling php70-posix-7.0.14...
[nextcloud] [16/147] Deleting files for php70-posix-7.0.14: 100%
[nextcloud] [17/147] Deinstalling php70-hash-7.0.14...
[nextcloud] [17/147] Deleting files for php70-hash-7.0.14: 100%
[nextcloud] [18/147] Deinstalling php70-exif-7.0.14...
[nextcloud] [18/147] Deleting files for php70-exif-7.0.14: 100%
[nextcloud] [19/147] Deinstalling php70-zlib-7.0.14...
[nextcloud] [19/147] Deleting files for php70-zlib-7.0.14: 100%
[nextcloud] [20/147] Deinstalling php70-mcrypt-7.0.14...
[nextcloud] [20/147] Deleting files for php70-mcrypt-7.0.14: 100%
[nextcloud] [21/147] Deinstalling php70-bz2-7.0.14...
[nextcloud] [21/147] Deleting files for php70-bz2-7.0.14: 100%
[nextcloud] [22/147] Deinstalling php70-ctype-7.0.14...
[nextcloud] [22/147] Deleting files for php70-ctype-7.0.14: 100%
[nextcloud] [23/147] Deinstalling php70-mbstring-7.0.14...
[nextcloud] [23/147] Deleting files for php70-mbstring-7.0.14: 100%
[nextcloud] [24/147] Deinstalling php70-json-7.0.14...
[nextcloud] [24/147] Deleting files for php70-json-7.0.14: 100%
[nextcloud] [25/147] Deinstalling php70-pdo-7.0.14...
[nextcloud] [25/147] Deleting files for php70-pdo-7.0.14: 100%
[nextcloud] [26/147] Deinstalling php70-fileinfo-7.0.14...
[nextcloud] [26/147] Deleting files for php70-fileinfo-7.0.14: 100%
[nextcloud] [27/147] Deinstalling php70-zip-7.0.14...
[nextcloud] [27/147] Deleting files for php70-zip-7.0.14: 100%
[nextcloud] [28/147] Deinstalling php70-filter-7.0.14...
[nextcloud] [28/147] Deleting files for php70-filter-7.0.14: 100%
[nextcloud] [29/147] Deinstalling php70-APCu-5.1.7...
[nextcloud] [29/147] Deleting files for php70-APCu-5.1.7: 100%
[nextcloud] [30/147] Deinstalling php70-7.0.14...
You may need to manually remove /usr/local/etc/php-fpm.d/www.conf if it is no longer needed.
[nextcloud] [30/147] Deleting files for php70-7.0.14: 100%
...
[nextcloud] [144/147] Installing php56-5.6.29...
[nextcloud] [144/147] Extracting php56-5.6.29: 100%

ISSUE #3 [Resolved - may be in next release of Nextcloud]
In the Admin section, if you view the "Server Info" it will prompt php to view the system memory, which it has no access to since it is jailed.
These are the errors I was getting:
Code:
Error PHP file_get_contents(/proc/meminfo): failed to open stream: No such file or directory at /usr/local/www/nextcloud/apps/serverinfo/lib/SystemStatistics.php#71 2016-12-22T01:07:31-0700
Error PHP file_get_contents(/proc/meminfo): failed to open stream: No such file or directory at /usr/local/www/nextcloud/apps/serverinfo/lib/SystemStatistics.php#71 2016-12-22T01:07:30-0700
Error PHP file_get_contents(/proc/meminfo): failed to open stream: No such file or directory at /usr/local/www/nextcloud/apps/serverinfo/lib/SystemStatistics.php#71 2016-12-22T01:07:29-0700

Solution was to change the code in /usr/local/www/nextcloud/apps/serverinfo/lib/SystemStatistics.php
Then restart your web services (nginx/php/redis)
Code:
-$memoryUsage = file_get_contents('/proc/meminfo');
+$memoryUsage = @file_get_contents('/proc/meminfo');


ISSUE #4 [Resolved - Unable to select specific users on shared folders to be read-only or even give option to create/change/delete file]
After adding in the external storage, I wanted to add a couple users to it, 1 user = contributor (create/change/no-delete) and the other user = viewer (read-only). Once you allow sharing and add a user, clicking the '...' next to their name will popup a dialogue to select the user access/mod level. This was missing.
Had to update the ownership to allow the webserver access, then rescan the files.

chown -R www:www /mnt/nextcloud
su -m www -c 'php /usr/local/www/nextcloud/occ files:scan --all'


In the future I might allow my external storage to become a NFS/AFP share so that pictures or docs could be added from computers on my local network. This will require some more thought as a crontab would need to be added to re-scan periodically and this could mess up things with deleting files outside Nextcloud's knowledge/management.

UPDATE: Slight change to this config... I noticed that if I left the "Available for" field empty (defaults to ALL USERS), and checked the share button to add users, they would see every folder/file in the External Storage (not my intention to have that). So I ended up putting my admin username in the Available For field and then could add users to the folders/files in the External Storage.


Worked great, how do you go about updating when the time comes? Will it work via the website upgrade button or do you need to run manual commands?

thanks!
 
Last edited:
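The log lines quoted under ISSUE #1 are nginx's deny-all locations doing their job: the `?t=<timestamp>` query on `/data/.ocdata` is the request the Nextcloud admin page issues to verify that the data directory is not reachable over the web, so a denial there is the intended outcome. What an admin actually wants from that log is the denials that are not that probe. The POSIX shell script below is an added example, not code from the thread or from Nextcloud: it parses a constructed sample of `/var/log/nginx/error.log` modelled on the posted lines (the client addresses and the `/config/config.php` and `/.htaccess` hits are made up for the example), separates the expected `/data/.ocdata` denials from denials of other protected paths, and totals the latter per client.

```shell
#!/bin/sh
# Added example (not from the thread or from Nextcloud): triage the
# "access forbidden by rule" entries that the deny-all locations in the
# guide's nginx.conf write to /var/log/nginx/error.log.

# Constructed sample log, modelled on the lines posted under ISSUE #1.
# Client addresses and the non-.ocdata paths are made up for the example.
SAMPLE_LOG='2016/12/20 22:58:03 [error] 24805#102118: *44 access forbidden by rule, client: 192.168.1.10, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482299883686 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:02:35 [error] 25779#100985: *20 access forbidden by rule, client: 192.168.1.10, server: nextcloud.domain.com, request: "GET /data/.ocdata?t=1482300155871 HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:03:48 [error] 25905#100974: *15 access forbidden by rule, client: 203.0.113.7, server: nextcloud.domain.com, request: "GET /config/config.php HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:05:36 [error] 26142#102116: *3 access forbidden by rule, client: 203.0.113.7, server: nextcloud.domain.com, request: "GET /.htaccess HTTP/1.1", host: "nextcloud.domain.com"
2016/12/20 23:09:28 [notice] 26369#102121: signal process started'

# Print "client<TAB>path" for every forbidden-by-rule line in $1.
# The query string is dropped so the ?t=<timestamp> cache-buster that the
# Nextcloud admin page appends does not make every hit look unique.
forbidden_hits() {
    printf '%s\n' "$1" | awk '
        /access forbidden by rule/ {
            client = ""; path = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "client:")  { client = $(i + 1); sub(/,$/, "", client) }
                if ($i == "request:") { path = $(i + 2) }   # field after the method
            }
            sub(/\?.*/, "", path)
            print client "\t" path
        }'
}

# Classify each hit: "expected" for the data-directory probe the Nextcloud
# admin page issues (a denial is the desired result), "review" for any
# other protected path.
classify_hits() {
    forbidden_hits "$1" | awk -F '\t' '
        $2 == "/data/.ocdata" { print "expected\t" $1 "\t" $2; next }
                              { print "review\t" $1 "\t" $2 }'
}

# Number of hits in class $1 ("expected" or "review") for log text $2.
count_class() {
    classify_hits "$2" | awk -F '\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Per-client totals of denials that are not the expected probe.
review_by_client() {
    classify_hits "$1" | awk -F '\t' '
        $1 == "review" { n[$2]++ }
        END { for (c in n) print c "\t" n[c] }'
}

printf 'expected (admin-page data-directory check): %s\n' "$(count_class expected "$SAMPLE_LOG")"
printf 'denials needing review:                     %s\n' "$(count_class review "$SAMPLE_LOG")"
review_by_client "$SAMPLE_LOG"
```

Against the real jail log, `classify_hits "$(cat /var/log/nginx/error.log)"` drops the admin-page probe into the `expected` class; whatever lands in `review` is the set of requests worth correlating with the access log, since every path the deny rules cover (config, data, occ, dot-files and so on) is one a browsing user never legitimately requests.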

Kartoff

Cadet
Joined
Jan 6, 2017
Messages
5
It may update with the button but who knows... I think about to install 10.0.1 following @fireheadman steps and then to try update to 10.0.2 or 11... If it works I am pretty sure it will continue to work in the future :)
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
Hey guys, Thanks for guide. I'm trying to set this up using the instructions on Page1.

I've installed owncloud however the version I installed was 9.1.3. The guide is using 9.1.1. I'm not sure this matters. The code I used to install owncloud was the following:

Code:
fetch "http://download.owncloud.org/community/owncloud-9.1.3.tar.bz2"
tar jxf owncloud-*.tar.bz2 -C /usr/local/www
rm owncloud-*.tar.bz2
chown -R www:www /usr/local/www/owncloud /mnt/files


I wanted to run a sanity check on owncloud after the installation using the following command but obtained the following output:
Code:
 
root@OwnCloud:/usr/local/etc # su -m www -c 'php /usr/local/www/owncloud/occ status'
The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
ownCloud is not installed - only a limited number of commands are available


  [Doctrine\DBAL\DBALException]
  Failed to connect to the database: An exception occured in driver: could not find driver


status [--output [OUTPUT]]


I get similar output when running the commands for memory caching (or the ones that start with su -m www -c ... in the guide).

How could ownCloud not be installed?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Hey guys, Thanks for guide. I'm trying to set this up using the instructions on Page1.

I've installed owncloud however the version I installed was 9.1.3. The guide is using 9.1.1. I'm not sure this matters. The code I used to install owncloud was the following:

Code:
fetch "http://download.owncloud.org/community/owncloud-9.1.3.tar.bz2"
tar jxf owncloud-*.tar.bz2 -C /usr/local/www
rm owncloud-*.tar.bz2
chown -R www:www /usr/local/www/owncloud /mnt/files


I wanted to run a sanity check on owncloud after the installation using the following command but obtained the following output:
Code:

root@OwnCloud:/usr/local/etc # su -m www -c 'php /usr/local/www/owncloud/occ status'
The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
ownCloud is not installed - only a limited number of commands are available


  [Doctrine\DBAL\DBALException]
  Failed to connect to the database: An exception occured in driver: could not find driver


status [--output [OUTPUT]]


I get similar output when running the commands for memory caching (or the ones that start with su -m www -c ... in the guide).

How could ownCloud not be installed?
I assume you never completed the steps I have outlined under ownCloud WebUI.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I assume you never completed the steps I have outlined under ownCloud WebUI.

Argh -- I didn't actually know I had to go to the page...so

Questions
I filled in the criteria
For the admin account can you fill in anything?

Lastly just proceeding in vain, I'm receiving
Error while trying to create admin user: Failed to connect to database: An exception occured in driver: SQLSTATE[HY000][1045] Access denied for user 'ocuser'@'localhost' (using password: YES)

I went through the mysql steps for database creation again, however do I have to flush a cache or something to make it reload or anything? I see this error listed on the internet in many places however every setup is slightly different so I'm confused.

And just a tip to everyone -- anytime you make a change to nginx.conf, restart the nginx service and flush the browser cache. Really helps to eliminate a lot of possibilities.



***Figured this out
For whatever reason I had to grant the privileges manually on the mysql command line for this to work. -- ie
login to mysql
$ mysql -u root -p
Then GRANT privileges that way.
The Admin user and password can be anything.
 
Last edited:

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I spent a lot of time going through this guide and other resources to set up the SSL capabilities with this setup. I took cyberjock's recommendations [How-To] ownCloud using NGINX, PHP-FPM, and MySQL and then kind of modified them to upgrade the SSL parameters. I didn't feel the des3 keys were sufficient.
Here are steps
1. Getting a working setup as per page 1 of this guide

2. Compile Nginx as per recommendations by Cyberjock -- Page 3 this thread
[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

****Please note: This step is unnecessary if running FreeNAS 9.10 or newer and running FreeBSD 10.3 jails. The package version of nginx comes pre compiled with SSL support. You can determine the FreeBSD version at the command line within the jail:
#uname -r

If you meet the following criteria, nginx can be installed by:
#pkg install nginx

3. Generate server keys

# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/nginx/ssl/nginx-selfsigned.key -out /usr/local/etc/nginx/ssl/nginx-selfsigned.crt
# openssl dhparam -out /usr/local/etc/nginx/ssl/dhparam.pem 2048

This command will create RSA 2048-bit keys along with the Diffie-Hellman parameter. The keys can be given any name (I've chosen nginx-selfsigned).

4. Modify the nginx.conf file. Below is my nginx.conf file --- this was the most difficult part of the entire process. Be sure to modify the following lines:

worker_processes
ssl_certificate
ssl_certificate_key
ssl_dhparam
server_name

The following setup assumes owncloud is accessed by https://URL/owncloud

NGINX.CONF --- USE THE ENTIRE FILE

Code:
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user  nobody;
worker_processes		4;  # equal to the number of _real_ cpu cores since nginx workers block on SSL handshake and disk I/O
worker_priority		15;  # renice workers to reduce priority compared to system processes for
							# machine health. worst case nginx will get ~25% system resources at nice=15
#worker_rlimit_nofile 1024; # maximum number of open files, freebsd = "sysctl kern.maxfiles"
#worker_cpu_affinity 0100;  # pin the single worker_processes to a real, single physical cpu core to avoid cpu cache misses.
							# we randomly choose cpu2(0100) from our four(4) real cpu cores,
							# cpu0(0001), cpu1(0010), cpu2(0100) or cpu3(1000)

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#
#pid		logs/nginx.pid;

events {
	 #accept_mutex	   on;   # serialize accept() per port between multiple workers so only one worker ready at any one moment for efficiency
						   # turn off for httpready or dataready and a single worker
	  #accept_mutex_delay 50ms; # worker process will accept mutex after this delay if not assigned. (default 500ms)
	  #multi_accept	   on;   # accept all new connections, ignored when using kqueue method
	  use kqueue;			  # event method, kqueue for FreeBSD and OpenBSD
	  worker_connections  1024;
}

http {

	#######SSL SECTION########################################
	# global SSL options with Perfect Forward Secrecy (PFS) high strength ciphers
	# first. PFS ciphers are those which start with ECDHE which means (EC)DHE
	# which stands for (Elliptic Curve) Diffie-Hellman Ephemeral. 256bit preference.

	# ciphers for RSA signed certificates
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA;

	# Nginx with BoringSSL ciphers for Elliptic Curve Digital Signature Algorithm
	# (ECDSA) signed certificates. equal preference groups.
	# ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-GCM-SHA384]:[ECDHE-ECDSA-AES128-SHA256|ECDHE-ECDSA-AES256-SHA384]:[ECDHE-ECDSA-AES128-SHA|ECDHE-ECDSA-AES256-SHA];

	ssl_certificate /usr/local/etc/nginx/ssl/nginx-selfsigned.crt;
	ssl_certificate_key /usr/local/etc/nginx/ssl/nginx-selfsigned.key;
	ssl_dhparam /usr/local/etc/nginx/ssl/dhparam.pem;

	ssl_ecdh_curve secp384r1;			  # 384 bit prime modulus curve efficiently supports ECDHE ssl_ciphers up to a SHA384 hash
	ssl_prefer_server_ciphers on;		  # the preferred ciphers are listed on the server by "ssl_ciphers"
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;   # protocols, the order is unimportant
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 128s;			  # how long before the client and server must renegotiate the ssl key
	#ssl_stapling on;					   # staple the ssl cert to the initial reply returned to the client for speed
	#ssl_stapling_verify on;

	######END SSL SECTION########################################

	######TIMEOUTS SECTION#######################################
		
	# Timeouts: do not keep connections open longer then necessary to reduce
	# resource usage and deny Slowloris type attacks. Slow attacks are related to
	# pausing in between packets.
	client_body_timeout	  2s; # maximum time between packets the client can pause when sending nginx any data
	client_header_timeout	2s; # maximum time the client has to send the entire header to nginx
	keepalive_timeout	   65s; # timeout which a single keep-alive client connection will stay open
	send_timeout			10s; # maximum time between packets nginx is allowed to pause when sending the client data

	######END TIMEOUTS SECTION###################################

	######GENERAL OPTIONS for FreeBSD on ZFS#####################
	# general options for FreeBSD on ZFS
	aio						on; # asynchronous file input/output, fast with ZFS, make sure sendfile=off
	charset				 utf-8; # adds the line "Content-Type" into response-header, same as "source_charset"
	default_type			application/octet-stream;
	#directio				  off; # zfs does not support direct i/o because of the ARC and L2ARC
	disable_symlinks		   on; # disable symlinks to avoid malicious symlinks out of the document root
	etag					  off; # disables "ETag" response header so clients use Cache-Control header only
	gzip					  off; # disable on the fly gzip compression, only use gzip_static to reduce latency
	gzip_http_version		 1.0; # serve gzipped content to all clients including HTTP/1.0 and greater
	gzip_static			always; # precompress content (gzip -1) with an external script found on this page below
	#gzip_vary				  on; # send response header "Vary: Accept-Encoding". SPDY ignores Vary header
	gzip_proxied			  any; # allows compressed responses for any request even from proxies
	ignore_invalid_headers	 on;
	include				  /usr/local/etc/nginx/mime.types;
	keepalive_requests		 20; # number of keep alive requests per connection, does not affect SPDY
	keepalive_disable		none; # allow all browsers to use keepalive connections
	lingering_time			  2; # maximum time during which nginx will process additional data from the client
	lingering_timeout		   2; # maximum waiting time for more client data to arrive
	max_ranges				  1; # allow a single range header for resumed downloads and to stop large range header DoS attacks
	merge_slashes			  on; # compression of two or more adjacent slashes in a URI into a single slash "//" into "/"
	msie_padding			  off;
	#open_file_cache		  max=128 inactive=4h; # cache is not be needed if ZFS ARC size is sufficient
	#open_file_cache_errors	 on;				# since ARC delivery is faster then the cache lookups
	#open_file_cache_min_uses	1;
	#open_file_cache_valid	  3h;
	output_buffers		 1 256K; # sendfile=off so set to the total size of all objects on an average page
	#postpone_output		  1460; # before sending data response, collect at least one packet's payload (MSS) of data
	#read_ahead				  0; # no forced read ahead, let ZFS handle I/O calls as zfs is efficient
	recursive_error_pages	  on;
	reset_timedout_connection  on; # reset timed out connections freeing ram and resources
	sendfile				  off; # off for FreeBSD and ZFS to avoid redundant data caching
	server_tokens			 off; # no nginx version number in error pages
	#server_name_in_redirect   off; # if off, nginx will use the requested Host header
	source_charset		  utf-8; # same value as "charset"
	tcp_nodelay				on; # disable the Nagle buffering algorithm, used for keepalive only
	tcp_nopush				off; # sendfile=off so tcp_nopush can not be used
	resolver				  8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout		   5s;

	######END GENERAL OPTIONS for FreeBSD on ZFS#################

	# request limits
	limit_req_zone $binary_remote_addr zone=gulag:1m rate=25r/m;

	log_format  main  '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_protocol $ssl_cipher $request_time';
	access_log  /var/log/nginx/access.log main;
	error_log   /var/log/nginx/error.log info;

	upstream php-handler {
		#server 127.0.0.1:9000;
		server unix:/var/run/php-fpm.sock;
	}

	server {
	   listen 80 default_server;
	   listen [::]:80 default_server;
	   #enforce https
	   root /var/empty;
	   server_name XXX.XXX.XXX.XXX; #IP Address or URL
	   return 301 https://$server_name$request_uri;

	}

	server {
		listen 443 ssl http2 default_server;
		listen [::]:443 ssl http2 default_server;
	
		root /usr/local/www;
		location = /robots.txt { allow all; access_log off; log_not_found off; }
		location = /favicon.ico { access_log off; log_not_found off; }
	
		# Add headers to serve security related headers
		# Before enabling Strict-Transport-Security headers please read into this
		# topic first.
		# add_header Strict-Transport-Security "max-age=15768000;
		# includeSubDomains; preload;";
		add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
		add_header X-Frame-Options "SAMEORIGIN";
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;


		location = /.well-known/carddav {
		  return 301 $scheme://$host/remote.php/dav;
		}

		location = /.well-known/caldav {
		  return 301 $scheme://$host/remote.php/dav;
		}


		location ^~ /owncloud {
			client_max_body_size 512M;
			fastcgi_buffers 64 4K;
			error_page 403 /owncloud/core/templates/403.php;
			error_page 404 /owncloud/core/templates/404.php;
		
			location /owncloud {
				rewrite ^ /owncloud/index.php$uri;
			}
			location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
				deny all;
			}
			location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
				deny all;
			}
			location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
				fastcgi_split_path_info ^(.+\.php)(/.*)$;
				include fastcgi_params;
				fastcgi_param HTTPS on;
				fastcgi_param modHeadersAvailable true;
				fastcgi_pass unix:/var/run/php-fpm.sock;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				fastcgi_param PATH_INFO $fastcgi_path_info;
				fastcgi_param front_controller_active true;
				fastcgi_intercept_errors on;
			}
			location ~* \.(?:css|js)$ {
				try_files $uri /owncloud/index.php$uri$is_args$args;
				add_header Cache-Control "public, max-age=7200";
				add_header X-Content-Type-Options nosniff;
				add_header X-Frame-Options "SAMEORIGIN";
				add_header X-XSS-Protection "1; mode=block";
				add_header X-Robots-Tag none;
				add_header X-Download-Options noopen;
				add_header X-Permitted-Cross-Domain-Policies none;
				# Optional: Don't log access to assets
				access_log off;
			}
			location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|png)$ {
				try_files $uri /owncloud/index.php$uri$is_args$args;
				access_log off;
			}

		}
	}
}


5. Finally I'd like to thank fireheadman, who really got me pointed in the right direction
[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

6. Clear Browser cache and restart nginx server

# service nginx stop
# service nginx start
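An added check, not part of either post: a small sh script that fetches the headers the server block above actually sends and reports which of the add_header lines are missing. It exists because an nginx location that sets its own add_header (the css/js block does, for Cache-Control) drops every header inherited from the server level, which is why that block repeats them. curl(1), the host name argument and the constructed sample responses are assumptions.

```shell
#!/bin/sh
# Added example (not from the posts above): verify that the response headers nginx
# actually sends match the add_header lines in nginx.conf. Assumes curl(1) is
# installed; the host name is passed as $1.

# Headers the server block is expected to send on every response.
REQUIRED_HEADERS="Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection X-Robots-Tag X-Download-Options X-Permitted-Cross-Domain-Policies"

# missing_security_headers: read raw response headers on stdin, print each required
# header that is absent, one per line (prints nothing when all are present).
missing_security_headers() {
    headers=$(cat)
    for h in $REQUIRED_HEADERS; do
        # header names are case-insensitive; match "Name:" at the start of a line
        if ! printf '%s\n' "$headers" | grep -iq "^$h:"; then
            printf '%s\n' "$h"
        fi
    done
}

# is_https_redirect: read raw response headers for a plain-HTTP request on stdin;
# succeed only when the status is 301 and Location points at https://
is_https_redirect() {
    headers=$(cat)
    printf '%s\n' "$headers" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 301' &&
    printf '%s\n' "$headers" | grep -iq '^Location: https://'
}

# check_site HOST [PATH]: fetch headers from the live server and report what is missing.
check_site() {
    host=$1; path=${2:-/owncloud/}
    echo "== http://$host$path (expect 301 to https)"
    if curl -sI "http://$host$path" | is_https_redirect; then
        echo "ok: http redirects to https"
    else
        echo "FAIL: no 301 to https"
    fi
    echo "== https://$host$path"
    missing=$(curl -skI "https://$host$path" | missing_security_headers)
    [ -z "$missing" ] && echo "ok: all security headers present" || echo "MISSING: $missing"
}

# Constructed sample responses (not captured from a real server) so the parsing
# functions can be exercised without network access.
SAMPLE_HTTP_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://cloud.example.invalid/owncloud/
Connection: close'

# A static-asset response from a location that set only Cache-Control and so lost the
# inherited security headers (nosniff was re-added by hand, the rest were not).
SAMPLE_ASSET_RESPONSE='HTTP/2 200
content-type: image/png
cache-control: public, max-age=7200
x-content-type-options: nosniff'

# Run the live check only when a host name was given on the command line.
if [ -n "${1:-}" ]; then
    check_site "$@"
fi
```

Run it as `sh check-headers.sh <domain_name> /owncloud/core/img/logo.png` to test an asset path as well as the front page.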
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
F/u --- Obtain a free SSL certificate for the server

Steps
1. Obtain a Domain Name -- For purposes of this tutorial I chose a domain name from www.noip.com. There are other sites to obtain a domain name as well.

2. Setup the Dynamic DNS Service on FreeNAS
Under Services -- Dynamic DNS will be listed
[screenshot: FreeNAS Dynamic DNS service settings dialogue]


Note that it's very important to type in the exact syntax for the IP Server.
Also note that every time you make changes to this dialogue box, you will have to type in the password and confirm the password (EVERY TIME). Yes, it's annoying, but it's just how things work. Once your appropriate settings are entered, start the service and check the error log on the main FreeNAS screen to ensure the service starts correctly. I had to do this a few times to get the service to start appropriately.

3. Obtaining the SSL certificate for your domain.
Pre-requisites
a. A running configuration with SSL enabled (as described above in previous post [How-To] ownCloud using NGINX, PHP-FPM, and MySQL)
b. A domain name
c. Optional but recommended (Dynamic DNS Service) enabled

The free SSL certificate is provided through Let's Encrypt (https://letsencrypt.org/getting-started/) using Certbot (https://certbot.eff.org/) as the client to create the certificate.

Install the certbot client
#pkg install py27-certbot

Use the webroot setting for certbot to install the certificates
certbot certonly --webroot -w /usr/local/www -d <domain_name> -d www.<domain_name>

Enter your email address and you should finally see something similar to the following;
[screenshot: certbot output after the certificate was issued]


Server certificates are stored at /usr/local/etc/letsencrypt/live/<domain_name>/
The certificates of interest are named:
/usr/local/etc/letsencrypt/live/<domain_name>/cert.pem
/usr/local/etc/letsencrypt/live/<domain_name>/privkey.pem

4. Modify the nginx.conf file to reflect the locations of the certificates.

I've included my entire nginx.conf file which you can use. This is the entire file. Please be sure to modify the following lines:
worker_processes
ssl_certificate
ssl_certificate_key
ssl_dhparam
server_name

Everywhere there is a <domain_name> in this file, please substitute and edit appropriately

Code:
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user  nobody;
worker_processes		4;  # equal to the number of _real_ cpu cores since nginx workers block on SSL handshake and disk I/O
worker_priority		15;  # renice workers to reduce priority compared to system processes for
							# machine health. worst case nginx will get ~25% system resources at nice=15
#worker_rlimit_nofile 1024; # maximum number of open files, freebsd = "sysctl kern.maxfiles"
#worker_cpu_affinity 0100;  # pin the single worker_processes to a real, single physical cpu core to avoid cpu cache misses.
							# we randomly choose cpu2(0100) from our four(4) real cpu cores,
							# cpu0(0001), cpu1(0010), cpu2(0100) or cpu3(1000)

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#
#pid		logs/nginx.pid;

events {
	 #accept_mutex	   on;   # serialize accept() per port between multiple workers so only one worker ready at any one moment for efficiency
						   # turn off for httpready or dataready and a single worker
	  #accept_mutex_delay 50ms; # worker process will accept mutex after this delay if not assigned. (default 500ms)
	  #multi_accept	   on;   # accept all new connections, ignored when using kqueue method
	  use kqueue;			  # event method, kqueue for FreeBSD and OpenBSD
	  worker_connections  1024;
}

http {


	#######SSL SECTION########################################
	# global SSL options with Perfect Forward Secrecy (PFS) high strength ciphers
	# first. PFS ciphers are those which start with ECDHE which means (EC)DHE
	# which stands for (Elliptic Curve) Diffie-Hellman Ephemeral. 256bit preference.

	# ciphers for RSA signed certificates
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA;

	# Nginx with BoringSSL ciphers for Elliptic Curve Digital Signature Algorithm
	# (ECDSA) signed certificates. equal preference groups.
	# ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-GCM-SHA384]:[ECDHE-ECDSA-AES128-SHA256|ECDHE-ECDSA-AES256-SHA384]:[ECDHE-ECDSA-AES128-SHA|ECDHE-ECDSA-AES256-SHA];

	#ssl_certificate /usr/local/etc/letsencrypt/live/$server_name/fullchain.pem;
	#ssl_certificate_key /usr/local/etc/letsencrypt/live/$server_name/privkey.pem;
	#ssl_certificate /usr/local/etc/nginx/ssl/nginx-selfsigned.crt;
	#ssl_certificate_key /usr/local/etc/nginx/ssl/nginx-selfsigned.key;
	
	ssl_dhparam /usr/local/etc/nginx/ssl/dhparam.pem;
	ssl_trusted_certificate /usr/local/etc/letsencrypt/live/<domain_name>/chain.pem;

	ssl_ecdh_curve secp384r1;			  # 384 bit prime modulus curve efficiently supports ECDHE ssl_ciphers up to a SHA384 hash
	ssl_prefer_server_ciphers on;		  # the preferred ciphers are listed on the server by "ssl_ciphers"
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;   # protocols, the order is unimportant
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 128s;			  # how long before the client and server must renegotiate the ssl key
	ssl_stapling on;					   # staple the ssl cert to the initial reply returned to the client for speed
	ssl_stapling_verify on;
 
	######END SSL SECTION########################################

	######TIMEOUTS SECTION#######################################
		
	# Timeouts: do not keep connections open longer then necessary to reduce
	# resource usage and deny Slowloris type attacks. Slow attacks are related to
	# pausing in between packets.
	client_body_timeout	  2s; # maximum time between packets the client can pause when sending nginx any data
	client_header_timeout	2s; # maximum time the client has to send the entire header to nginx
	keepalive_timeout	   65s; # timeout which a single keep-alive client connection will stay open
	send_timeout			10s; # maximum time between packets nginx is allowed to pause when sending the client data
 
	######END TIMEOUTS SECTION###################################

	######GENERAL OPTIONS for FreeBSD on ZFS#####################
	# general options for FreeBSD on ZFS
	aio						on; # asynchronous file input/output, fast with ZFS, make sure sendfile=off
	charset				 utf-8; # adds the line "Content-Type" into response-header, same as "source_charset"
	default_type			application/octet-stream;
	#directio				  off; # zfs does not support direct i/o because of the ARC and L2ARC
	disable_symlinks		   on; # disable symlinks to avoid malicious symlinks out of the document root
	etag					  off; # disables "ETag" response header so clients use Cache-Control header only
	gzip					  off; # disable on the fly gzip compression, only use gzip_static to reduce latency
	gzip_http_version		 1.0; # serve gzipped content to all clients including HTTP/1.0 and greater
	gzip_static			always; # precompress content (gzip -1) with an external script found on this page below
	#gzip_vary				  on; # send response header "Vary: Accept-Encoding". SPDY ignores Vary header
	gzip_proxied			  any; # allows compressed responses for any request even from proxies
	ignore_invalid_headers	 on;
	include				  /usr/local/etc/nginx/mime.types;
	keepalive_requests		 20; # number of keep alive requests per connection, does not affect SPDY
	keepalive_disable		none; # allow all browsers to use keepalive connections
	lingering_time			  2; # maximum time during which nginx will process additional data from the client
	lingering_timeout		   2; # maximum waiting time for more client data to arrive
	max_ranges				  1; # allow a single range header for resumed downloads and to stop large range header DoS attacks
	merge_slashes			  on; # compression of two or more adjacent slashes in a URI into a single slash "//" into "/"
	msie_padding			  off;
	#open_file_cache		  max=128 inactive=4h; # cache is not be needed if ZFS ARC size is sufficient
	#open_file_cache_errors	 on;				# since ARC delivery is faster then the cache lookups
	#open_file_cache_min_uses	1;
	#open_file_cache_valid	  3h;
	output_buffers		 1 256K; # sendfile=off so set to the total size of all objects on an average page
	#postpone_output		  1460; # before sending data response, collect at least one packet's payload (MSS) of data
	#read_ahead				  0; # no forced read ahead, let ZFS handle I/O calls as zfs is efficient
	recursive_error_pages	  on;
	reset_timedout_connection  on; # reset timed out connections freeing ram and resources
	sendfile				  off; # off for FreeBSD and ZFS to avoid redundant data caching
	server_tokens			 off; # no nginx version number in error pages
	#server_name_in_redirect   off; # if off, nginx will use the requested Host header
	source_charset		  utf-8; # same value as "charset"
	tcp_nodelay				on; # disable the Nagle buffering algorithm, used for keepalive only
	tcp_nopush				off; # sendfile=off so tcp_nopush can not be used
	resolver				  8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout		   5s;

	######END GENERAL OPTIONS for FreeBSD on ZFS#################

	# request limits
	limit_req_zone $binary_remote_addr zone=gulag:1m rate=25r/m;

	log_format  main  '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_protocol $ssl_cipher $request_time';
	access_log  /var/log/nginx/access.log main;
	error_log   /var/log/nginx/error.log info;

	upstream php-handler {
		#server 127.0.0.1:9000;
		server unix:/var/run/php-fpm.sock;
	}

	server {
	   listen 80 default_server;
	   listen [::]:80 default_server;
	   #enforce https
	   root /var/empty;
	   server_name <domain_name>; #IP Address or URL
	   return 301 https://$server_name$request_uri;

	}

	server {
		listen 443 ssl http2 default_server;
		listen [::]:443 ssl http2 default_server;
	 
		server_name <domain_name>;
		ssl_certificate /usr/local/etc/letsencrypt/live/<domain_name>/fullchain.pem;
		ssl_certificate_key /usr/local/etc/letsencrypt/live/<domain_name>/privkey.pem;

		root /usr/local/www;
		location = /robots.txt { allow all; access_log off; log_not_found off; }
		location = /favicon.ico { access_log off; log_not_found off; }
	 
		# Add headers to serve security related headers
		# Before enabling Strict-Transport-Security headers please read into this
		# topic first.
		# add_header Strict-Transport-Security "max-age=15768000;
		# includeSubDomains; preload;";
		add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
		add_header X-Frame-Options "SAMEORIGIN";
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;


		location = /.well-known/carddav {
		  return 301 $scheme://$host/remote.php/dav;
		}

		location = /.well-known/caldav {
		  return 301 $scheme://$host/remote.php/dav;
		}


		location ^~ /owncloud {
			client_max_body_size 512M;
			fastcgi_buffers 64 4K;
			error_page 403 /owncloud/core/templates/403.php;
			error_page 404 /owncloud/core/templates/404.php;
		 
			location /owncloud {
				rewrite ^ /owncloud/index.php$uri;
			}
			location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
				deny all;
			}
			location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
				deny all;
			}
			location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
				fastcgi_split_path_info ^(.+\.php)(/.*)$;
				include fastcgi_params;
				fastcgi_param HTTPS on;
				fastcgi_param modHeadersAvailable true;
				fastcgi_pass unix:/var/run/php-fpm.sock;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				fastcgi_param PATH_INFO $fastcgi_path_info;
				fastcgi_param front_controller_active true;
				fastcgi_intercept_errors on;
			}
			location ~* \.(?:css|js)$ {
				try_files $uri /owncloud/index.php$uri$is_args$args;
				add_header Cache-Control "public, max-age=7200";
				add_header X-Content-Type-Options nosniff;
				add_header X-Frame-Options "SAMEORIGIN";
				add_header X-XSS-Protection "1; mode=block";
				add_header X-Robots-Tag none;
				add_header X-Download-Options noopen;
				add_header X-Permitted-Cross-Domain-Policies none;
				# Optional: Don't log access to assets
				access_log off;
			}
			location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|png)$ {
				try_files $uri /owncloud/index.php$uri$is_args$args;
				access_log off;
			}

		}
	}
}



5. Restart nginx server

#service nginx stop
#service nginx start

6. Allow for autorenewal of the Let's Encrypt SSL Certificates

By default the certificates issued by Let's Encrypt are only valid for 90 days. They will contact you within 30 days of renewal if the certificates are not renewed automatically. In order to automate the process, you can create a cron script that runs every day and asks for renewal. Renewals are only granted if the expiration date is within 30 days.

FreeBSD system cron jobs are kept in /etc/periodic. The file /etc/crontab controls when the files in those directories are run.

I first modified the /etc/crontab file to contain additional paths. Please update the relevant section of the /etc/crontab file:

Code:
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/etc:/usr/local/sbin


I then created a 220.LetsEncrypt-SSL-Renewal file
Code:
#!/bin/sh

# nginx must keep running while certbot renews: the webroot authenticator proves control
# of the domain by having nginx serve /.well-known/acme-challenge/ out of /usr/local/www,
# so a pre-hook that stops nginx would make every renewal fail. Reload afterwards instead.
/usr/local/bin/certbot renew --quiet --post-hook "service nginx reload"



# chmod +x /etc/periodic/daily/220.LetsEncrypt-SSL-Renewal



I hope this helps.
The SSL keys provided by Let's Encrypt are 2048 bits long. If 4096-bit keys are ever needed, this can be done using the renewal process, which probably can be run manually. This would be: #certbot renew --rsa-key-size 4096
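An added alternative to the periodic script in step 6, not KevDog's own: it keeps nginx running during renewal (the webroot authenticator relies on nginx answering the HTTP challenge), only calls certbot once the certificate is inside the renewal window, and reloads nginx only after the configuration passes a syntax check. The certbot path, the FreeBSD nginx rc script's configtest and reload commands, and the placeholder domain are assumptions.

```shell
#!/bin/sh
# Added example (not the post's script): /etc/periodic/daily/220.LetsEncrypt-SSL-Renewal
# that never stops nginx and reloads it only after a config check. Assumptions: certbot
# in /usr/local/bin, the live directory layout from step 3, and the FreeBSD nginx rc
# script providing "configtest" and "reload".

DOMAIN="${DOMAIN:-cloud.example.invalid}"        # placeholder for <domain_name>
LIVE_DIR="/usr/local/etc/letsencrypt/live/$DOMAIN"
CERTBOT="/usr/local/bin/certbot"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"     # Let's Encrypt only renews inside the last 30 days

# seconds_in_days N: openssl -checkend takes its window in seconds
seconds_in_days() { echo $(( $1 * 86400 )); }

# cert_expires_within CERT DAYS: succeed when CERT will no longer be valid DAYS from now.
# openssl x509 -checkend exits 0 while the cert is still valid at that point, 1 otherwise.
cert_expires_within() {
    ! openssl x509 -noout -checkend "$(seconds_in_days "$2")" -in "$1" >/dev/null 2>&1
}

# cert_fingerprint CERT: POSIX checksum of the file, used to detect that certbot replaced it
cert_fingerprint() { cksum < "$1" | cut -d' ' -f1; }

# cert_changed BEFORE AFTER: succeed when the two fingerprints differ
cert_changed() { [ "$1" != "$2" ]; }

# reload_nginx_safely: an unattended job must never reload a config that fails the
# syntax check, or a stray typo in nginx.conf would take the site down overnight
reload_nginx_safely() {
    if service nginx configtest >/dev/null 2>&1; then
        service nginx reload
    else
        echo "nginx configtest failed; keeping the running configuration" >&2
        return 1
    fi
}

main() {
    cert="$LIVE_DIR/cert.pem"
    [ -r "$cert" ] || { echo "$cert is not readable" >&2; return 1; }
    if ! cert_expires_within "$cert" "$RENEW_WINDOW_DAYS"; then
        echo "$DOMAIN: certificate valid for more than $RENEW_WINDOW_DAYS days, nothing to do"
        return 0
    fi
    before=$(cert_fingerprint "$cert")
    # No pre-hook stopping nginx: the HTTP challenge must be answered by the running server.
    "$CERTBOT" renew --quiet
    after=$(cert_fingerprint "$cert")
    if cert_changed "$before" "$after"; then
        echo "$DOMAIN: certificate renewed, reloading nginx"
        reload_nginx_safely
    else
        echo "$DOMAIN: inside renewal window but no new certificate; check certbot's log" >&2
        return 1
    fi
}

# periodic(8) executes the file by name, so run main only when installed under that
# name; running a copy under another name just defines the functions above.
case "${0##*/}" in
    220.LetsEncrypt-SSL-Renewal) main ;;
esac
```

Output from the script ends up in the daily periodic report mail, so a failed renewal is noticed before the 90 days run out.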
 