[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

Joshua Parker Ruehlig

I replaced it because most of the content was either similar to yours or commented anyway.
NVM.. Pasting code via CLI messed some characters. Recreating conf carefully using SSH fixed everything, so your code is still up to date. And I got up and running.

You could mount /mnt/tank/files to the default owncloud path (/usr/local/www/owncloud/data) instead of /mnt/files. It feels like an unnecessary step to create the /mnt/files middle-point.

Now I'm wondering if there is a way to make nginx use SSL certificates created in FreeNAS > System > CAs & Certificates? Avoiding making separate .key and .crt files?
You could mount it there if you like. From a security standpoint it's better to use /mnt/files because it isn't in the path that nginx serves; a bug in nginx or our regex would be less likely to leave the files exposed.

I'm sure there's a way to grab the cert/key and use it.
 

InQuize

From a security standpoint it's better to use /mnt/files because it isn't in the path that nginx serves; a bug in nginx or our regex would be less likely to leave our files exposed.
Guess you are right..
 

adrianwi

8.0.2 has been running perfectly since recreating the jail on my new FreeNAS box, although over the last few weeks I've been getting an NGINX timeout error the first time I connect through a browser and some irritating behaviour when connecting through the iOS app.

Thought I'd restart the jail this morning, and now I can't start owncloud with the following error in owncloud.log:

Code:
{"reqId":"65bade669319aaa50fc3c889012556ab","remoteAddr":"80.4.144.130","app":"index","message":"Exception: {\"Message\":\"An exception occured in driver: SQLSTATE[HY000] [2002] Connection refused\",\"Code\":0,\"Trace\":\"#0 \\\/usr\\\/local\\\/www\\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Connection.php(814): OC\\\\DB\\\\Connection->connect()\\n#1 \\\/usr\\\/local\\\/www\\\/owncloud\\\/lib\\\/private\\\/db\\\/connection.php(111): Doctrine\\\\DBAL\\\\Connection->executeQuery('SELECT `configv...', Array, Array, NULL)\\n#2 \\\/usr\\\/local\\\/www\\\/owncloud\\\/lib\\\/private\\\/appconfig.php(259): OC\\\\DB\\\\Connection->executeQuery('SELECT `configv...', Array)\\n#3 \\\/usr\\\/local\\\/www\\\/owncloud\\\/lib\\\/private\\\/app.php(219): OC\\\\AppConfig->getValues(false, 'enabled')\\n#4 \\\/usr\\\/local\\\/www\\\/owncloud\\\/lib\\\/private\\\/app.php(71): OC_App::getEnabledApps()\\n#5 \\\/usr\\\/local\\\/www\\\/owncloud\\\/lib\\\/base.php(542): OC_App::loadApps(Array)\\n#6 \\\/usr\\\/local\\\/www\\\/owncloud\\\/lib\\\/base.php(1011): OC::init()\\n#7 \\\/usr\\\/local\\\/www\\\/owncloud\\\/index.php(34): require_once('\\\/usr\\\/local\\\/www\\\/...')\\n#8 {main}\",\"File\":\"\\\/usr\\\/local\\\/www\\\/owncloud\\\/lib\\\/private\\\/db\\\/connection.php\",\"Line\":33}","level":4,"time":"2015-06-02T08:25:46+01:00"}


Looks like SQL is failing to connect, so I checked whether it was running. Even though it's listed with service -e:

Code:
/etc/rc.d/cleanvar                                                           
/etc/rc.d/ipfw                                                               
/etc/rc.d/newsyslog                                                          
/etc/rc.d/syslogd                                                            
/etc/rc.d/virecover                                                          
/etc/rc.d/motd                                                               
/usr/local/etc/rc.d/php-fpm                                                  
/usr/local/etc/rc.d/nginx                                                    
/usr/local/etc/rc.d/mysql-server                                             
/usr/local/etc/rc.d/fail2ban                                                 
/etc/rc.d/cron                   


service mysql-server status shows "mysql is not running." and service mysql-server start shows "Starting mysql." but it doesn't start.

I took a look in the /var/db/mysql folder and found an owncloud.err file which has the following lines at the time of the restart:

Code:
150602 10:03:39 mysqld_safe Starting mysqld daemon with databases from /var/db/mysql
150602 10:03:39 [Warning] Can't create test file /var/db/mysql/owncloud.lower-test
150602 10:03:39 [Note] InnoDB: Using mutexes to ref count buffer pool pages
150602 10:03:39 [Note] InnoDB: The InnoDB memory heap is disabled
150602 10:03:39 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
150602 10:03:39 [Note] InnoDB: Memory barrier is not used
150602 10:03:39 [Note] InnoDB: Compressed tables use zlib 1.2.8
150602 10:03:39 [Note] InnoDB: Using CPU crc32 instructions
150602 10:03:39 [ERROR] mysqld: Can't create/write to file '/mnt/APEpool1/jails/crashplan_1/var/tmp/ibEVzFXk' (Errcode: 2 "No such $
2015-06-02 10:03:39 803407400 InnoDB: Error: unable to create temporary file; errno: 2
150602 10:03:39 [ERROR] Plugin 'InnoDB' init function returned error.
150602 10:03:39 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
150602 10:03:39 [ERROR] Unknown/unsupported storage engine: InnoDB
150602 10:03:39 [ERROR] Aborting

150602 10:03:39 [Note] /usr/local/libexec/mysqld: Shutdown complete

150602 10:03:39 mysqld_safe mysqld from pid file /var/db/mysql/owncloud.pid ended


I'd also noticed the permissions had the owner:group set as 88:88 which didn't look right, but not entirely sure what these should be (root:wheel, mysql:mysql?)

The crashplan_1 line is strange as I was going to have a play around with the plug-in last week, but when I tried to install it, it didn't seem to work and I didn't really have time to investigate, so I left it.

Haven't changed anything in the jail and it was working before the restart (no problems with various sync clients connecting), so I wondered if anyone had any ideas?

Thanks
 
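A pre-flight check for the failure shown in owncloud.err above, added here as an example (it is not from the thread or from the guide): it reads tmpdir from a my.cnf-style file and reports when the directory is missing or unwritable, which is the "Errcode: 2" condition that stopped InnoDB from initialising. It assumes tmpdir is set in my.cnf; mysqld_safe can also take it from the TMPDIR environment variable or use a built-in default, which this check does not cover.

```shell
#!/bin/sh
# Added example, not part of the original how-to.  Checks the temporary
# directory mysqld will use before you run "service mysql-server start".
# Assumption: tmpdir is configured in my.cnf (TMPDIR env / built-in default
# are not consulted here).

# Print the tmpdir value from a my.cnf-style file, or /tmp when it is unset.
# Accepts "tmpdir = /path" and "tmpdir=/path" in any section; last one wins.
mysql_tmpdir() {
    cnf="$1"
    val=$(sed -n 's/^[[:space:]]*tmpdir[[:space:]]*=[[:space:]]*//p' "$cnf" 2>/dev/null | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "/tmp"
    fi
}

# Return 0 when the directory exists and is writable by the current user,
# 1 otherwise (with a reason on stderr).  Run it as the mysql user (UID 88 in
# the jail, as noted in the thread) to mirror what mysqld will see.
check_mysql_tmpdir() {
    dir=$(mysql_tmpdir "$1")
    if [ ! -d "$dir" ]; then
        echo "tmpdir '$dir' does not exist (the 'Errcode: 2' case in owncloud.err)" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "tmpdir '$dir' exists but is not writable by $(id -un)" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed my.cnf whose tmpdir points into a path that does not
# exist, like the stale jail path in the log above (constructed sample path).
demo() {
    cnf=$(mktemp)
    printf '[mysqld]\ndatadir = /var/db/mysql\ntmpdir = /nonexistent/jails/example/var/tmp\n' > "$cnf"
    if check_mysql_tmpdir "$cnf"; then
        echo "tmpdir OK"
    else
        echo "fix tmpdir in my.cnf before 'service mysql-server start'"
    fi
    rm -f "$cnf"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check_tmpdir.sh demo` inside the jail, ideally as the mysql user, to see the same verdict mysqld would reach at startup.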

cyberjock

Ok, except there's a problem.... you claim to be running 8.0.2 with a jail not working.

8.0.2 had no jails support. So either you aren't using a jail or you aren't using 8.0.2. My guess is the latter. ;)
 

adrianwi

The latter! FreeNAS 9.3 and ownCloud 8.0.2 :D
 

Joshua Parker Ruehlig

does /var/db/mysql/my.cnf still exist?
I made this guide extra complicated because that database directory is actually supposed to be a mounted dataset (for performance and backup reasons).

also, 88 is the mysql user's UID.
 

adrianwi

Thanks for the reply Josh!

Yes, my.cnf is still there and after checking through all the files amended or created in your tutorial I couldn't see anything amiss.

Line 10 in the owncloud.err file looks to be the likely culprit, but I'm not sure how CrashPlan created in another jail could have changed something in my owncloud one.

After a few hours hoping to try and fix the problem, I cut my losses and installed OC 8.0.3 in a new jail in probably less time than it took to unsuccessfully diagnose the issue in the old one. At least I'm running the latest version, or am until 8.1 hits shortly! The process of users re-syncing local data is the bit that takes the most time.
 

InQuize

Does libreoffice integration still work?
I never managed to see it working; files just keep downloading.
FFmpeg, on the other hand, works. It gets stuck on some very high-bitrate files, but generally works.
 

Joshua Parker Ruehlig

Does libreoffice integration still work?
I never managed to see it working; files just keep downloading.
FFmpeg, on the other hand, works. It gets stuck on some very high-bitrate files, but generally works.
Yes, it works on my install.

Did you..
  1. Code:
    pkg install libreoffice

  2. install owncloud's "Documents" app
  3. enable MS Word support in owncloud's admin menu (optional)
  4. enable previews for chosen file types
 

adrianwi

Just updated from OC 8.0.3 to 8.0.4 using the built in Updater without any problems.

Noticed in the release notes that the Extended X-Accel-Redirect functionality has been fixed so unhashed this in my nginx.conf file and everything appears to be working fine.
 

Darkk

Just updated from OC 8.0.3 to 8.0.4 using the built in Updater without any problems.

Noticed in the release notes that the Extended X-Accel-Redirect functionality has been fixed so unhashed this in my nginx.conf file and everything appears to be working fine.

Sweet!! I've been waiting for this part to install OwnCloud 8 from scratch. I had version 7 working with an SSL cert and then tried to upgrade it, which of course trashed everything. Then I tried installing version 8 from scratch, which had problems with the redirect function, so I gave up for a while even with the feature disabled. I was having weird SSL issues.

Cool to see this has finally been addressed, so I'm going to give version 8.0.4 a try this weekend.
 

kwessel

I have run your tutorial a few times as a learning experience and now have two boxes running OwnCloud with a self-signed certificate. Thank you Joshua and cyberjock.

One thing I would like to learn more about is your suggestion of having your dataset outside of the OwnCloud jail.

I followed your tutorial, created the datasets and added storage to the OwnCloud jail. However, when I entered “zfs set primarycache=metadata tank/db” by clicking on Shell in the FreeNas GUI, I get “cannot open ‘tank/db’: dataset does not exist.”

I can find my OwnCloud data as follows:

/mnt/Volume Name/OwnCloud/mnt/files/kwessel/files/Photos

Is there a way to get the data higher in the directory tree? Why am I getting an error message when I try to set the primarycache?
 

Joshua Parker Ruehlig

If you followed my guide the same folder would be available at /mnt/Volume Name/files/kwessel/files/Photos

What confuses me is that your owncloud jail is on the top dataset instead of being in a jails dataset, but maybe you set it up that way.

####

Because you didn't adjust the command to your zpool name "Volume Name". BTW, I really hate how you named/organized things. I would never dream of using a space or uppercase in the name. But everything should still work if you adjust things accordingly.
 

kwessel

Actually I didn't use any spaces but I did use uppercase in the volume name (WLF). I'm an old guy (62) and fascinated with learning something new. Is there a reason to avoid uppercase? I am going to try this again. When you say zpool name do you mean I should substitute my volume name for "tank"?
 

Joshua Parker Ruehlig

Actually I didn't use any spaces but I did use uppercase in the volume name (WLF). I'm an old guy (62) and fascinated with learning something new. Is there a reason to avoid uppercase? I am going to try this again. When you say zpool name do you mean I should substitute my volume name for "tank"?
Ahh, I thought your zpool was named "Volume Name" but maybe you were just hiding what it actually was. I don't think there's any reason to avoid uppercase, I'm just used to working with mostly lowercase in filenames / paths.

Yup, substitute tank with the actual name.
 

InQuize

Yes, it works on my install.

Did you..
  1. Code:
    pkg install libreoffice

  2. install owncloud's "Documents" app
  3. enable MS Word support in owncloud's admin menu (optional)
  4. enable previews for chosen file types
Got it.

I've been testing and researching things now for a while and as a result I would like to point out the fact that one should only run such a setup if the security of the data stored and transferred by that OwnCloud instance has no meaning for the owner. Or in case it is not exposed to the Internet and the chances of unauthorised access are minimal (pretty much LAN or OpenVPN...).
Because reasons:
1) The current build of FreeNAS 9.3 has OpenSSL 0.9.8, which is a year old and doesn't support TLS 1.2 (the only cryptographic protocol that is not yet deprecated, the one you would want to use in a modern browser via an https connection in a normal situation). And the only way to update the lib is compiling from ports.. maybe.. sort of.. I had no success, nor desire, and, on the other hand, even the FreeBSD man pages say there is no guarantee it would be rock solid.

Anyway, a pain in the butt is guaranteed. Correct me if I'm wrong.

A lot happens in the encryption sphere over a year, and when hosting a cloud storage service you would really want to be on the cutting edge. So, that leads to my next point:

2) The jail system itself, in its current state, is not so suitable for real world applications, and it would be hard to maintain such an environment.

There is no mechanism for updating Jails in FreeNAS. It's just a tarball that gets extracted when the jail type is first created, and then it's also used as a template for all additional jails of the same type. You should not expose your jails to the internet, to say nothing of the FreeNAS box itself, without additional firewall controls in place. SSL and Certificates won't save you from the types of attacks people mount against Unix systems of all types - they look for services listening on open ports and then try to compromise those services by fuzzing their inputs and otherwise causing them to behave in ways unintended by the designers and then exploit that unexpected behavior, if possible.

Why is there no mechanism for updating jails? Because Jails were designed in a very simplistic fashion and "lifecycle management" was never part of the original design. Jails are not comprised of packages, so garbage-collecting old things won't work and you're also not able to upgrade in a controlled fashion, which is very important. Just splatting a new tarball on top of the old one wouldn't work: It would cause things to just accumulate, possibly in highly unpredictable and security-compromising ways, since nothing could ever be deleted. No migration or upgrade scripts could be run, either, since extracting a tarball won't cause that to happen, so things could be broken as a consequence.

That is all part of Package Management, which is how jails should be created in the future (as a collection of packages, just as FreeNAS is). That's a lot of work and a complete redesign of the current system, however, so it's not going to happen for 9.3. It's one of the goals for FreeNAS 10, along with the ability to run full-fledged VMs (using bhyve) instead of jails. For now, the best thing you can do is leave your jails alone once created, since if you don't know what you're doing at the CLI, you're only likely to break them (just like doing surgery on a person without any actual surgical or medical training). If you *have* the equivalent of medical training, of course, then Go For It since you know how to update individual components selectively and to audit the process carefully.

Here is a good resource on the security side of data transfers, which has an SSL test to give an idea of your state: https://www.ssllabs.com/ssltest
And the security grade in that test for such a setup is capped at 'C'.. For comparison, Dropbox has A+, as it should.


Slightly better would be to delegate the SSL function, e.g. to pfSense as Joshua actually did (right now it has openssl 1.0.1l, plus since it's already updated to FreeBSD 10.1, maybe HAProxy has its own version built in, and overall it's a freaking firewall meant to deal with such things). But still, OwnCloud in a jail just asks for trouble.

I personally decided it's better to follow industry practice and separate file and web servers even in a home environment. So I went crazy with a separate Proxmox machine with Ubuntu 14.04 in an OpenVZ container as the OS for a similar setup. Ubuntu at least for now, while I still get used to linux/unix. So far I was amazed how stable it is connected via NFS to FreeNAS (even constantly rebooting the NAS after another 'update train', the system has no problem whatsoever hooking back up when it's live again).

Btw, a question to Josh about recommendations on NFS shares' permissions for ownCloud. Right now I'm restricting them to a Proxmox box IP and use 'Mapall User/Group' feature set to nobody/nobody on files dataset and mysql/mysql on database (ID 110/106 according to Ubuntu's). Generally I would be very happy to read about any details on your actual setup.

Repeating the test I managed to get things right this time (not 100% due to my compatibility requirements):

Although my room now seems like a tiny data center having 4 platforms, overall I'm glad I went this way..

Also, a good trick for those who want both OpenVPN and a web server on port 443, to access them from behind a strict NAT, is to use OpenVPN's ability to decipher traffic and act as a proxy for TCP applications:
Code:
port-share <internal IP> 443

It seems to slow down the communication a bit (at least on a Celeron), but it is still sufficient for a 'cloud'.

Right now I'm in the process of writing some documentation on my setup just in case, experimenting with Markdown for it, so here, if someone would find it helpful, is the complete version of the original how-to (which is great anyway, it really helped me to get into it) styled with it: https://gist.github.com/ (note the "Raw" button)

End of damn tin foil hat rant.
 

Joshua Parker Ruehlig

@InQuize
Like your research concluded, openssl with the base FreeBSD jails FreeNAS has isn't update-able. Here's a few points you might want to consider..
  1. If this was a normal FreeBSD system, you could keep the jail up-to-date with FreeBSD base security updates, which would patch openssl (for security vulnerabilities, not new features). So you'd still be on 0.98 and not have TLS 1.2, but there are ways to use TLS 1.0 without any known vulnerabilities. But, your point still stands, FreeNAS jail templates are not updated every time a FreeBSD 9.3 point release happens.
  2. When you install packages from the freebsd repo, they'd be built against the patched openssl 0.98 on FreeBSD's build servers. So any security vulnerabilities are mitigated here, but you won't get new features this way.
  3. If you install from ports, just put "WITH_OPENSSL_PORT=yes" in your /etc/make.conf and all your stuff will be built against the latest and greatest openssl.
####

Hmm, I don't do much in terms of NFS security more than limit the hosts that can connect. NFS was never really built with security in mind. I do have my network segmented into different subnets, so it's not much of an issue for me.

As for my personal setup, it's a bit more distributed than this guide. I have..
  • pfsense with HAProxy (SSL) > Varnish (Caching, but not effective for owncloud) >
  • freebsd webserver with nginx > multiple jails with different php applications in them, one of them being owncloud >
  • freenas (NFS backend for storage)
Here's a video on the exact topic https://www.youtube.com/watch?v=8TrjKc-UiE8

####

Haha, my datacenter is in my closet. https://www.youtube.com/watch?v=Ujekt6lFXjM
 

InQuize

@InQuize
I do have my network segmented into different subnets, so it's not much of an issue for me.
Segmented using different interfaces or vlans?

Yeah, I respect FreeBSD as a host system, it has an impressive feature set, and it seems reasonable to use it in such a case, but it's just me starting small.. Because of the amount of docs, tips and man pages for Ubuntu, and on the other hand I wanted to use OpenVZ instead of KVM, and that is limited to linux on Proxmox (I still need a Win VM for some automation tasks). Maybe I'll change my mind later. Probably.

Actually I already had found your channel during my research, nice demos. Gave me ideas too.
Basically, I feel ok configuring the rest of my infrastructure on my own from this point; it's just the security standpoint that bugs me because I have so little experience with it.

Yeah, I live in Moscow. Mostly we have flats) but still rack is a future project.
 