How to manually install Nextcloud on FreeNAS in an iocage jail with hardened security v2.0.1

samuel-emrys (Contributor, joined Dec 14, 2018, 136 messages)
The Guide: https://www.samueldowling.com/2020/...n-FreeNAS-iocage-jail-with-hardened-security/

This guide will show you how to manually set up and configure a Nextcloud server in an iocage jail, as well as how to harden your security to make sure your information is safe. Specifically, this guide covers:
  • Organise your datasets
  • Setup and configuration of a FAMP (FreeBSD, Apache, MySQL, PHP) web server stack
  • Optimise your database
  • Install and configure Nextcloud to remove all security warnings and adhere to Nextcloud's suggested best practice
  • Configure HTTPS (configuring a reverse proxy, and the Nextcloud specific configuration)
  • Configure tamper detection
  • Configure DDNS
  • Guidance on upgrading and maintaining your server
Importantly, I attempt to make this beginner friendly by explaining exactly what happens in each of the commands I present, so that this is as much a way to gain familiarity with *nix configuration as it is a way to set up Nextcloud.

Changelog (22/06/2020):
  • Modified installation method to use a tarball directly from Nextcloud instead of the FreeBSD package manager
  • Added upgrade instructions
  • Presents installation of Nextcloud 19 and PHP 7.4
  • Modified to explicitly create directories within the jail before attempting to mount
  • Changed SSL configuration to use an nginx reverse proxy to improve HTTPS certificate maintainability when multiple services are being managed
Changelog (18/12/2018):
  • The latest branch of the FreeBSD repository now ships with Nextcloud 15. I've run through the installation process and made a couple of minor caching modifications to ensure compatibility. My brief test showed everything working as expected.
This guide is also under version control on GitHub. Please feel free to raise issues if you find any bugs or just have suggestions. If you're even keener, feel free to raise a Pull Request with any suggested changes.

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
Thanks for the guide. I'm biased, but I think my script is about the easiest way to get a working Nextcloud installation on FreeNAS (complete with a Let's Encrypt cert). A pull request for the hardening changes would be more than welcome.
 

samuel-emrys (Contributor, joined Dec 14, 2018, 136 messages)
> Thanks for the guide. I'm biased, but I think my script is about the easiest way to get a working Nextcloud installation on FreeNAS (complete with a Let's Encrypt cert). A pull request for the hardening changes would be more than welcome.

Yeah, I've found your script - it's great! It has a slightly different purpose to what I'm providing here though: yours is great for a blind installation, but it doesn't provide anyone an understanding of what's going on under the hood. Especially if something breaks in your script (or doesn't match the target environment), it can be hard for a beginner to troubleshoot. If anything, our two resources are complementary in that way - my guide provides some of the detail surrounding what your script actually does.

I primarily put this together to document my own understanding and how I've configured things; I just thought others might benefit from that as well. With respect to updating the script with hardening changes, I'll definitely keep that in mind and put it on my to-do list. That list is pretty long at the moment though, so it might be some time before I get to it.
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
Granted, my script does nothing to help folks understand what's going on under the hood. My observation was that (1) even though the guide (Dureal's specifically) explained step by step what was happening, people didn't seem to follow that part; and (2) there was an awful lot of user error going on in setting things up. My thought was to automate as much as possible--but you're right, if it doesn't work, troubleshooting isn't very easy.
 

Skro (Contributor, joined Jun 26, 2018, 100 messages)
Thanks for the guide (and the script)!
 

samuel-emrys (Contributor, joined Dec 14, 2018, 136 messages)
> Granted, my script does nothing to help folks understand what's going on under the hood. My observation was that (1) even though the guide (Dureal's specifically) explained step by step what was happening, people didn't seem to follow that part; and (2) there was an awful lot of user error going on in setting things up. My thought was to automate as much as possible--but you're right, if it doesn't work, troubleshooting isn't very easy.
Yep, you're right. I actually used Dureal's guide as the skeleton of my process (referenced in the guide). It was really helpful, but as you've noted there was a lot of user error, which I determined to be due to a requirement of a certain amount of familiarity/technical experience with CLI configurations to be able to understand what was going on. I elaborate a lot on what's going on at each of these steps, and provide further "good practice" configuration additionally. Have a read of it; you'll see what I mean :)
 

Apollo (Wizard, joined Jun 13, 2013, 1,458 messages)
Hi Samuel-emrys,

Lots to go through. I couldn't seem to find a PDF version for offline reading.
 

samuel-emrys (Contributor, joined Dec 14, 2018, 136 messages)
> Hi Samuel-emrys,
>
> Lots to go through. I couldn't seem to find a PDF version for offline reading.
Interesting, I hadn't considered that this might be something useful. I've added a PDF export option to the site. It seems to work well for the most part. One thing I noticed is that it has prepended a '#' to some code blocks, presenting some lines as commented out. I've presented the code in such a way that there shouldn't be any extraneous commented code though, so identifying what should and shouldn't be a comment will be obvious (anything that is code and not a sentence isn't supposed to be commented).
 

Apollo (Wizard, joined Jun 13, 2013, 1,458 messages)
> Interesting, I hadn't considered that this might be something useful. I've added a PDF export option to the site. It seems to work well for the most part. One thing I noticed is that it has prepended a '#' to some code blocks, presenting some lines as commented out. I've presented the code in such a way that there shouldn't be any extraneous commented code though, so identifying what should and shouldn't be a comment will be obvious (anything that is code and not a sentence isn't supposed to be commented).

Going through the PDF on my phone seems fine. I can manage having the text set to reading mode.
Nowadays, it seems superlative to not have a web browser to read such articles, but when you need to explore the content in more detail it is a nice thing to have. I have added the PDF to my Nextcloud account so that I can have access whenever I need to.

Thanks.
 

samuel-emrys (Contributor, joined Dec 14, 2018, 136 messages)
Update: The latest branch of the FreeBSD repository now ships with Nextcloud 15. I've run through the installation process and made a couple of minor caching modifications to ensure compatibility. My brief test showed everything working as expected.
 

dureal99d (Contributor, joined Aug 3, 2017, 156 messages)
I'd like to add that I am in the middle of reworking an updated guide to address certain concerns and include securing your server using NginX vs having an all in one.

Stand by for greatness, and great work to all who have improved upon the original; it's great to see what a community can do!!!!!
 

T_T (Explorer, joined Jul 24, 2018, 64 messages)
Please helppppp !!!
So I got to the permission part where I have to use the command:
chown -R user:group /path/to/directory
but it gives me an error saying illegal group name. Anybody have any idea?
 

samuel-emrys (Contributor, joined Dec 14, 2018, 136 messages)
> Please helppppp !!!
> So I got to the permission part where I have to use the command:
> chown -R user:group /path/to/directory
> but it gives me an error saying illegal group name. Anybody have any idea?
This isn't a command you need to enter. I provided this as a description of what's going on in the previous command you executed. Explicitly:
chown -R www:www /usr/local/www/nextcloud /mnt/data
changes the ownership of the directories /usr/local/www/nextcloud and /mnt/data to the user "www", and the group "www", defined by the format you tried to enter:
chown -R user:group /path/to/directory
No need to enter the format, this is just for your information.

T_T (Explorer, joined Jul 24, 2018, 64 messages)
In the caching and redis section, when I enter these commands:
$ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'
$ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer'
it gives me the message below in the picture. Can anybody tell me if that's something that's supposed to happen, or am I doing something wrong here?
 

dureal99d (Contributor, joined Aug 3, 2017, 156 messages)
> In the caching and redis section, when I enter these commands:
> $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'
> $ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer'
>
> it gives me the message below in the picture. Can anybody tell me if that's something that's supposed to happen, or am I doing something wrong here?
In the php file you must enter the memory limit as follows:

nano /usr/local/etc/php.ini

Ctrl + W to search for
memory_limit

should look like this when done >>>
memory_limit = 512M
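A pre-flight check for the two steps raised in the exchange above (the php.ini memory_limit that occ needs, and the redis socket the occ commands point at), added here as an example script; it is not code from the guide or from any post. It assumes the paths the guide uses (/usr/local/etc/php.ini, /tmp/redis.sock) and feeds itself a constructed php.ini for the demo.

```shell
#!/bin/sh
# Pre-flight checks for two steps raised in this thread: the php.ini
# memory_limit that occ needs, and the redis socket the occ commands point at.
# Added example, not code from the guide or from any post; paths follow the
# guide, and the php.ini at the bottom is constructed for the demo.

# Convert a php.ini shorthand size (512M, 1G, 262144K, plain bytes) to bytes.
# PHP's special value -1 (unlimited) is passed through unchanged.
php_size_to_bytes() {
    v=$1
    case "$v" in
        -1)     echo -1 ;;
        *[Kk])  echo $(( ${v%?} * 1024 )) ;;
        *[Mm])  echo $(( ${v%?} * 1024 * 1024 )) ;;
        *[Gg])  echo $(( ${v%?} * 1024 * 1024 * 1024 )) ;;
        *)      echo $(( v )) ;;
    esac
}

# Return 0 if the effective memory_limit in the given php.ini is at least
# 512M (the value the thread settles on), else 1. Lines commented out with
# ';' are skipped and, like PHP, the last active directive wins.
php_memory_limit_ok() {
    limit=$(sed -n 's/^[[:space:]]*memory_limit[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$limit" ] || return 1          # no directive at all: PHP defaults to 128M
    [ "$limit" = "-1" ] && return 0      # unlimited
    [ "$(php_size_to_bytes "$limit")" -ge $(( 512 * 1024 * 1024 )) ]
}

# Return 0 if the path the occ "redis host" value points at exists and is a
# UNIX socket; a plain file or a missing path means redis is not listening there.
redis_socket_ok() {
    [ -S "${1:-/tmp/redis.sock}" ]
}

# Demo on a constructed php.ini that mirrors the "should look like this" line.
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
; memory_limit = 128M   <- commented out, PHP ignores this line
memory_limit = 512M
EOF
if php_memory_limit_ok "$demo_ini"; then echo "memory_limit OK"; else echo "memory_limit too low"; fi
redis_socket_ok && echo "redis socket present" || echo "redis socket missing"
rm -f "$demo_ini"
```

Run it inside the jail after editing php.ini and starting redis; on a host without redis the second line reports the socket as missing, which is the expected result.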

T_T (Explorer, joined Jul 24, 2018, 64 messages)
So, onto the next part, configuring the email. When I typed in this command:
nano /var/log/maillog
this is the log I get, which pretty much means errors everywhere....
 

samuel-emrys (Contributor, joined Dec 14, 2018, 136 messages)
> So, onto the next part, configuring the email. When I typed in this command:
> nano /var/log/maillog
> this is the log I get, which pretty much means errors everywhere....
Bearing in mind that I have zero experience configuring postfix for yahoo, my guess would be that you haven't configured the yahoo smtp server correctly. My advice would be to set up a new gmail account specifically for server notifications and follow the guide exactly, as I can confirm this works. However, if you're intent on using yahoo you'll have to do your own research to work out what configuration you need.

Looking at the log you posted, it seems to be throwing errors because you've put the wrong SMTP server domain in. This Yahoo SMTP guide provides a walkthrough for SMTP for Yahoo. Notably, you have used:
smtp.yahoo.com:587
This needs to be
smtp.mail.yahoo.com:587

Another hurdle you might have with Yahoo is configuring the mailbox to allow "Less Secure Apps" to use it; this is relatively well documented for Gmail, but you'd have to research whether this is something that can be configured (or if it even needs to be configured) for Yahoo.

Edit: Derp, a discussion of "Less Secure Apps" is covered in the guide I linked, just had to read down a little bit

Apollo (Wizard, joined Jun 13, 2013, 1,458 messages)
Aren't you supposed to use the following?:

Encryption: SSL/TLS
SMTP: plus.smtp.mail.yahoo.com
Port: 465
 

T_T (Explorer, joined Jul 24, 2018, 64 messages)
> Bearing in mind that I have zero experience configuring postfix for yahoo, my guess would be that you haven't configured the yahoo smtp server correctly. My advice would be to set up a new gmail account specifically for server notifications and follow the guide exactly, as I can confirm this works. However, if you're intent on using yahoo you'll have to do your own research to work out what configuration you need.
>
> Looking at the log you posted, it seems to be throwing errors because you've put the wrong SMTP server domain in. This Yahoo SMTP guide provides a walkthrough for SMTP for Yahoo. Notably, you have used:
> smtp.yahoo.com:587
> This needs to be
> smtp.mail.yahoo.com:587
>
> Another hurdle you might have with Yahoo is configuring the mailbox to allow "Less Secure Apps" to use it; this is relatively well documented for Gmail, but you'd have to research whether this is something that can be configured (or if it even needs to be configured) for Yahoo.
>
> Edit: Derp, a discussion of "Less Secure Apps" is covered in the guide I linked, just had to read down a little bit
I was thinking that I did something wrong when creating the virtual host. But I'll try again using gmail. Thanks !!!