[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

Jailer

Hey Jailer,

Can you detail out the steps here?
From the jail CLI:

First you need to download the ports tree and extract it:

portsnap fetch extract

After that, add the following to /etc/make.conf:

echo 'DEFAULT_VERSIONS+=ssl=openssl' >> /etc/make.conf

Next uninstall openssl and nginx

pkg delete openssl
pkg delete nginx

Once they have been uninstalled, reinstall each, starting with openssl.

cd /usr/ports/security/openssl/ && make install clean

Once that's completed install nginx

cd /usr/ports/www/nginx/ && make install clean

After they have installed restart nginx

service nginx restart

Now check your results with the SSL Labs server test.

Once you've got all that set you'll need to lock the 2 packages that you installed from ports. If you don't, the next time you do a pkg upgrade you'll overwrite the ports version with the package install. To do this just run pkg lock name_of_package and it won't be upgraded until you unlock it.

To keep everything up to date you will need to manage the packages and ports separately. Packages are managed with the package manager. To manage the ports you have a couple of options. I install the portmaster package to manage my ports but you can install what works for you.

Your workflow for updates will go as follows:
  • pkg upgrade and upgrade all your packages.
  • pkg unlock name_of_package and unlock nginx and openssl
  • portsnap fetch update to update the ports tree
  • portmaster -a to check your packages and install available updates
  • pkg lock name_of_package to lock nginx and openssl after updates are installed


Can you provide the relevant section in your conf file also?

Code:
    server {
        listen       443 ssl;
        server_name  www.boredguy.showersnet.com boredguy.showersnet.com;
        root /usr/local/www/nginx;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /usr/local/etc/letsencrypt/live/boredguy.showersnet.com/fullchain.pem;
        ssl_certificate_key /usr/local/etc/letsencrypt/live/boredguy.showersnet.com/privkey.pem;
        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        # DH parameters for the DHE ciphers (generated with openssl dhparam)
        ssl_dhparam /usr/local/etc/nginx/dhparams.pem;
        # HSTS; only inherited by location blocks that set no add_header of their own
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    }
 

jag131990

Thanks Jailer. This is exactly what I did though, still didn't work (though I didn't have your nginx conf). You must, like me, still have the FreeBSD base openssl 1.0.1 installed? What happens if you run openssl version -a?

I'll try matching my config file to yours after work.
 

Jailer

That command gives you the version of the base openssl. To check the ports version run /usr/local/bin/openssl version
 

jag131990

Funny I did exactly the same thing last night but repeated it again after you had reaffirmed the method.

Now I'm getting an A+..

Somehow I think the nginx port kept using the base last night but it's working now.

Thanks so much man.
 

KevDog

@Jailer -- thanks a lot for your help -- I ran through your steps and I'm getting an A grade not A+

Here is my info (All running in FreeNAS FreeBSD Jail)
OpenSSL 1.0.1s-freebsd 1 Mar 2016
nginx version: nginx/1.10.3

Relevant nginx.conf section
Code:
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name gohilton.com;

        #######SSL SECTION########################################
        # global SSL options with Perfect Forward Secrecy (PFS) high strength ciphers
        # first. PFS ciphers are those which start with ECDHE which means (EC)DHE
        # which stands for (Elliptic Curve) Diffie-Hellman Ephemeral - 4096 bit DH key. 256bit preference.

        # ciphers for RSA signed certificates
      # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA;
        ssl_ciphers HIGH:!aNULL:!MD5;
        # Nginx with BoringSSL ciphers for Elliptic Curve Digital Signature Algorithm
        # (ECDSA) signed certificates. equal preference groups.
        ssl_dhparam /usr/local/etc/nginx/ssl/dhparam.pem;
        ssl_trusted_certificate /usr/local/etc/letsencrypt/live/gohilton.com/chain.pem;
        ssl_ecdh_curve secp384r1;              # 384 bit prime modulus curve efficiently supports ECDHE ssl_ciphers up to a SHA384 hash
        ssl_prefer_server_ciphers on;          # the preferred ciphers are listed on the server by "ssl_ciphers"
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;   # protocols, the order is unimportant
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 128s;              # how long before the client and server must renegotiate the ssl key
        ssl_stapling on;                       # staple the ssl cert to the initial reply returned to the client for speed
        ssl_stapling_verify on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

        ssl_certificate /usr/local/etc/letsencrypt/live/gohilton.com/fullchain.pem;
        ssl_certificate_key /usr/local/etc/letsencrypt/live/gohilton.com/privkey.pem;

    #######END SSL SECTION##############################################################
 

Jailer

Your site isn't using strict transport security. The configuration looks ok so not sure why it's doing that. Did you restart nginx after making changes?
 

KevDog

Yea I restarted nginx after the change and rechecked -- still A grade. Not sure what else to check -- I compiled nginx and openssl from ports. I also have these options -- are they a problem?

Code:
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
 

Jailer

They can be depending on where they are located in your config.

https://community.qualys.com/thread/14747

Edit: That link is ok but read the page linked at the bottom. It explains why your strict transport security header isn't being acknowledged. Also do be careful in enabling it. Once your browser is presented with a valid certificate with HSTS you will NOT be able to revisit the site over an unencrypted connection.

Do your research and tread lightly. This article is a very good read and will explain it better.

https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
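A small model of the rule the linked pages describe, added here as an example (not code from the thread or from nginx): add_header directives are inherited from the enclosing level only when the current level defines none of its own, so header lines placed in a location block silently drop the HSTS header set at server level. The nginx fragments and function names are constructed for this example; the parser assumes one directive or one brace per line.

```python
import re

# Constructed fragments (not from the thread). WEAK sets HSTS at server level,
# but "location /" adds its own headers, so nginx emits none of the server-level
# add_header lines for / and the HSTS header is missing. FIXED repeats it there.
WEAK = """
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    location / {
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options nosniff;
    }
}
"""
FIXED = WEAK.replace(
    "    location / {\n",
    '    location / {\n        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";\n')

def effective_add_headers(conf):
    """Map each block path ('server', 'server/location /') to the header names
    nginx actually emits there. Rule modelled: add_header is inherited from the
    enclosing level only if the current level defines no add_header at all."""
    stack, blocks = [], []          # blocks: [(path, own header names, parent path)]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            parent = stack[-1][0] if stack else None
            path = "/".join(p for p in (parent, line[:-1].strip()) if p)
            stack.append((path, []))
            blocks.append((path, stack[-1][1], parent))
        elif line == "}":
            stack.pop()
        elif stack:
            m = re.match(r"add_header\s+(\S+)", line)
            if m:
                stack[-1][1].append(m.group(1))
    own = {path: hdrs for path, hdrs, _ in blocks}
    parent = {path: par for path, _, par in blocks}
    def resolve(path):              # walk outward to the nearest level that sets add_header
        while path is not None and not own[path]:
            path = parent[path]
        return list(own[path]) if path is not None else []
    return {path: resolve(path) for path, _, _ in blocks}

def blocks_missing_hsts(conf):
    """Block paths whose responses would lack Strict-Transport-Security."""
    return [p for p, hs in effective_add_headers(conf).items()
            if "Strict-Transport-Security" not in hs]
```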
 

KevDog

It looks like php70-APCu has been deprecated and replaced by pecl-APCu. What's the appropriate way to upgrade without breaking everything?
 

KevDog

Hmm

Both php70-APCu and php70-redis have been deleted and replaced by pecl-APCu and pecl-redis.

However pecl-redis depends on php56-session.

Code:
$ make search name=php70-APCu
Port:    devel/php70-APCu
Moved:    devel/pecl-APCu
Date:    2017-02-12
Reason:    Use devel/pecl-APCu for PHP 7.0+ users

$ make search name=php70-redis
Port:    databases/php70-redis
Moved:    databases/pecl-redis
Date:    2017-02-15
Reason:    Merged with latest codebase that supports all php versions

$ make search name=pecl-redis
Port:    pecl-redis-3.1.1
Path:    /usr/ports/databases/pecl-redis
Info:    Extension to access Redis
Maint:    daniel@blodan.se
B-deps:    autoconf-2.69_1 autoconf-wrapper-20131203 indexinfo-0.2.6 libxml2-2.9.4 m4-1.4.18,1 pcre-8.40 perl5-5.24.1 php56-5.6.30 php56-session-5.6.30
R-deps:    libxml2-2.9.4 pcre-8.40 php56-5.6.30 php56-session-5.6.30
WWW:    https://pecl.php.net/package/redis


So how can pecl-redis support all php versions when php56-session is listed as a dependency? Or maybe I don't understand?
 

jag131990

Has anyone tried to access the Nextcloud updater in 11.01 based on this install?

Mine hangs and won't load. A search on Nextcloud suggested the updater needs the directory owned by the www user, but this is already the case.
 

Jailer

Same here and same as always. Does nothing but open a blank page files page.
 

KevDog

I'm not certain but after reading the documentation it would seem that within /usr/local/www/nextcloud/updater there is supposed to be an application.php file. I do not have this file and my directory only contains two files, index.php and updater.phar.
When I run the following command manually (within the /usr/local/www/nextcloud directory):
Code:
    sudo -u www php occ upgrade
    The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
    Nextcloud is already latest version

Output doesn't seem right since I'm notified 11.02 is available and I'm on 11.01. When I choose the updater within the nextcloud settings, I'm also getting a blank page files page. I'm betting the reason is due to the missing updater program.

I'll probably have to resort to the manual method in updating, or perhaps the ports tree?
 

KevDog

Anyone know where I can get the php70-redis file port or pkg? It's not offered anymore?
 

Jailer

Well I couldn't figure out the web updater but I did get the shell update utility to work. It downloaded and updated my nextcloud install to 11.0.2 without issue.
 

jag131990

I am wondering if I re-enable my LAN IP in Nextcloud config and use that instead of the domain it may work? - as in to access the updater
 

Jailer

I run my Nextcloud install on my local network only and the web updater doesn't seem to work for me no matter what I've tried.
 

jag131990

Tried and got stuck:
Code:
    su -m www -c 'php occ upgrade'
    The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
    Nextcloud is already latest version
 

Jailer

Occ upgrade doesn't work either. You have to use the updater.phar app to get it to work. To do so you need to install sudo and php70-phar and follow the update instructions for using the phar updater.
 