[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Yup, that was the issue. OwnCloud's trusted domains line. Glad you got it working!
 

Aubury

Dabbler
Joined
Mar 27, 2014
Messages
15
Got this warning in the ownCloud admin panel, would be nice if I could get rid of it, but it's not a big deal if you're unsure how to fix it, or if it's not really fixable
Code:
Warning    OCP\Share    Sharing backend OCA\Contacts\Share\Addressbook not registered, OCA\Contacts\Share\Addressbook is already registered for addressbook

Just gets in the way a lot, and may hide real important warnings or errors
 

Paulo

Dabbler
Joined
Dec 22, 2013
Messages
17
My error from a couple pages back seems to have resolved itself. Not sure what I did. Anyways, new problem. I'm doing port forwarding to access this externally (eg. ext port: 55555, internal port: 443) however when I try to access the page the rewrite rules are changing the port back to 443. rewrite rules are definitely not my forte, so can anyone help me out with that? Also, I wouldn't mind being able to access it at root instead of /owncloud/.

Thanks
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
My error from a couple pages back seems to have resolved itself. Not sure what I did. Anyways, new problem. I'm doing port forwarding to access this externally (eg. ext port: 55555, internal port: 443) however when I try to access the page the rewrite rules are changing the port back to 443. rewrite rules are definitely not my forte, so can anyone help me out with that? Also, I wouldn't mind being able to access it at root instead of /owncloud/.

Thanks

The port thing is tricky. Port forwarding really is a hack used to deal with not enough IPv4 space; it'll be resolved with IPv6 if we ever get to it. You can just have nginx listen on 55555 and port forward without going 55555>443.

Just modify your nginx config to access it without the /owncloud.
 

churnd

Dabbler
Joined
Sep 20, 2013
Messages
15
I proxy my SSL using HAProxy, but doing it with NGINX only takes a few lines I believe (though I've never actually done it).

Just keep in mind you'll get SSL errors when connecting unless you either..
  • add your certificate to your client
  • purchase an SSL cert
  • purchase a domain and use StartSSL's free SSL cert (how I do it).

Can you explain a bit more how you set the HAProxy config? I'm trying to do this in pfSense itself because I'd rather terminate SSL there than the ownCloud jail, but I'm not sure what all is required on the proxy side.
 

nasuser12

Dabbler
Joined
Feb 21, 2014
Messages
14
Hi Joshua,

I followed your guide and managed to get ownCloud 6 working from source with nginx. I also used cyberjock's SSL guide to get encrypted access. I use port forwarding to access my ownCloud instance externally, using a DDNS service. The ownCloud app on my phone, ownCloud news reader app etc. work fine. When I try to access my ownCloud externally from a browser however, I get a time-out error 9 times out of 10.
It says: "The connection has timed out The server at xxx.xxx.xxx.x is taking too long to respond." Where xxx.xxx.xxx.x is my local ip address of the owncloud instance on my freenas machine. My link is to the DDNS address however. Sometimes however, it does get a good connection, and when I'm in, everything is fine and I can use it until I logout. And why don't my mobile apps have this same problem? I use Firefox as my browser btw.

What could be wrong? Is it something in nginx? Thanks in advance for any help or tips!
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Can you explain a bit more how you set the HAProxy config? I'm trying to do this in pfSense itself because I'd rather terminate SSL there than the ownCloud jail, but I'm not sure what all is required on the proxy side.

Sure, my setup might be a bit different than yours, so modify for your own use case. Also you can thank PiBa from the pfSense forums who added a bunch of features to the HAProxy-devel plugin at my request.

NETWORK LAYOUT
HAProxy
  • Accepts HTTPS Requests, overwrites client_ip and protocol header
  • Offloads SSL (for multiple domains), decides which cert to send using SNI
  • Forwards to Varnish
Varnish (Optional, really only useful for the public websites I host)
  • Accepts HTTP Requests, if not forwarded from HAProxy overwrites client_ip and protocol header
  • Caches static objects
  • Forwards to different backends depending on requested URI / host health (I have a dedicated FreeBSD webserver for ownCloud and other PHP programs, a static backup running on my pfSense box for public websites I host, and plugins on my FreeNAS box )
NGINX (On my FreeBSD server, in your case FreeNAS)
  • sets real_IP
  • sets https variable based on protocol header

NOTES THAT MAY LEAD YOU IN THE RIGHT DIRECTION
  • Changed pfSense WebUI to listen on 444
  • I have HAProxy listening on port 443 WAN, made a rule to open this port, no NAT needed
  • HAProxy Frontend
    • check 'use forwardfor option'
    • 'use httpclose option' = http-server-close
    • check 'use offloading'
    • certificate = default certificate, add this in pfsense Cert Manager, uncheck Add ACL for certificate CommonName
    • Additional certificates = add any others, uncheck Add ACL for certificate CommonName
    • Advanced ssl options = no-sslv3 ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA

  • Varnish is listening on port 80, made a rule to open this port, no NAT needed
  • Varnish (I recommend you skip this part unless you know what you're doing)
    • set settings in pfSense WebUI as close as possible
    • Advanced startup options = "-f /usr/local/etc/varnish/default.vcl"
Code:
cp /var/etc/default.vcl /usr/local/etc/varnish/default.vcl

/usr/local/etc/varnish/default.vcl
Code:
sub vcl_recv {

    if (!client.ip ~ haproxy) {
        set req.http.X-Forwarded-For = client.ip;
        set req.http.X-Forwarded-Proto = "http";
    }

    # Custom logic to handle different URIs

}



/usr/local/etc/nginx/nginx.conf
Code:
#sendfile on; # this isn't helpful if serving files from ZFS

set_real_ip_from 192.168.1.1;
real_ip_header X-Forwarded-For;
map $http_x_forwarded_proto $server_https {
    default off;
    https on;
}
map $http_x_forwarded_proto $host_port {
    default 80;
    https 443;
}

/usr/local/etc/nginx/fastcgi_params
Code:
fastcgi_index    index.php;
fastcgi_param    HTTPS    $server_https;
fastcgi_param    SERVER_NAME    $host;
fastcgi_param    SERVER_PORT    $host_port;
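
The header handling described in the post above, modelled in Python as an added example (not part of the original post or anyone's actual configuration). The loopback entry in the `haproxy` ACL and the client addresses are constructed assumptions; 192.168.1.1 is the `set_real_ip_from` value from the post.

```python
# Added example: models how each hop treats X-Forwarded-For / X-Forwarded-Proto.
HAPROXY_ACL = {"127.0.0.1"}    # assumed content of the VCL "haproxy" acl
TRUSTED_PROXY = "192.168.1.1"  # nginx set_real_ip_from, as posted

def haproxy(peer, headers):
    # HTTPS frontend: overwrites both headers with what it observed itself
    return {**headers, "X-Forwarded-For": peer, "X-Forwarded-Proto": "https"}

def varnish(peer, headers):
    # vcl_recv: requests not coming from HAProxy get both headers overwritten
    if peer not in HAPROXY_ACL:
        return {**headers, "X-Forwarded-For": peer, "X-Forwarded-Proto": "http"}
    return dict(headers)

def nginx(peer, headers):
    # realip module: X-Forwarded-For is honoured only from set_real_ip_from
    remote = peer
    if peer == TRUSTED_PROXY and headers.get("X-Forwarded-For"):
        remote = headers["X-Forwarded-For"].split(",")[-1].strip()
    # the two map blocks key on the header alone, whatever the peer address is
    https = headers.get("X-Forwarded-Proto") == "https"
    return {"REMOTE_ADDR": remote,
            "HTTPS": "on" if https else "off",
            "SERVER_PORT": "443" if https else "80"}

def via_haproxy(client, headers):
    # client -> HAProxy (443) -> Varnish -> NGINX
    return nginx(TRUSTED_PROXY, varnish("127.0.0.1", haproxy(client, headers)))

def via_varnish_only(client, headers):
    # client -> Varnish (80) -> NGINX
    return nginx(TRUSTED_PROXY, varnish(client, headers))

def direct_to_nginx(client, headers):
    # client talks to NGINX without passing through either proxy
    return nginx(client, headers)

# Constructed request headers carrying client-supplied forwarding values
SPOOFED = {"X-Forwarded-For": "10.9.9.9", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for path in (via_haproxy, via_varnish_only):
        print(path.__name__, path("203.0.113.7", SPOOFED))
    print("direct_to_nginx", direct_to_nginx("192.168.1.50", SPOOFED))
```

The third case shows that the two `map` blocks take `X-Forwarded-Proto` from any peer, so NGINX should accept connections only from the proxy.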
 
Joined
Apr 22, 2014
Messages
4
Wanted to let you know that this setup worked flawlessly on 9.2.1.4. Thank-you greatly. The plugin method was very slow. I switched from dropbox -> ownCloud and had ~30G of data. Of which, 1-2G were small files ~10-20k. And each file (with the plugin) was taking about 2-3 sec a file. After about 24 hours of uploading I was only at 10% (this is with a 1G connection on an i5 freenas box & 16G RAM). After redoing the setup to this, the owncloud sync finished in about 3 hours and was coming close to maxing out the network at times.

Thank-you greatly!
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Could someone post the step-by-step instructions for the last part of the instructions, please:
Code:
crontab -u www -e

The explanation a few pages back did not help.
 
Joined
Apr 22, 2014
Messages
4
Could someone post the step-by-step instructions for the last part of the instructions, please.

Run the command you just pasted (the crontab command). That will get you into the crontab editor (which should be the 'vi' editor). Hit the 'i' button to set vi into 'insert mode'. In the OP is a block of code, which you now need to copy & paste into the editor (pasted below also).

Code:
*/15 * * * * /usr/local/bin/php -f /usr/local/www/owncloud/cron.php


After it is posted, hit the "Escape" button then ":" then "w" then "q" then "enter". So it should be:

<escape>:wq<enter>

That will save the file and the crontab will be active.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Oh wow, thanks! No way I would have ever found that or known that.
 

jonnn

Explorer
Joined
Oct 25, 2013
Messages
68
OK I went through the whole process again.

Part of my problem was that I was using putty to SSH into freenas and running some commands there.
This time I used the shell directly into the jail via the GUI.

Everything went smoothly, including executing crontab at the end.

However, when I go to 192.168.1.2/owncloud ---> All I get is a white blank page. There's nothing there.
There is no error, so the page is responding, it's just blank/empty.

Any ideas?
 

FreeRev

Cadet
Joined
Apr 2, 2014
Messages
2
Joshua Parker Ruehlig thank you thank you thank you thank you thank you!!!

I just wanted to mention this just in case any noob runs into the same issue. If you're copying and pasting to the conf files using the web shell, it seems like the ~ character doesn't go through, so you'll end up with an error. In one case the * did not go through either.

The way I detected this was by creating a quick share to my jail so that I may open it in Notepad++
I used the Compare plugin
I copied 1 tab of what it was supposed to be
and the copy from my jail
Did the compare and those were the only differences

Hopefully that helps someone!
 

mrMuppet

Contributor
Joined
Mar 14, 2014
Messages
192
Hi, when I try to pkg install (like the tutorial is telling me) I get some errors:
Code:
 packagesite in pkg.conf is deprecated. please create a repository configuration file
and
Code:
pkg: warning: use of http:// url scheme with srv records is deprecated switch to pkg+http://



What can I do? Or do I have to ignore it?
 

mrMuppet

Contributor
Joined
Mar 14, 2014
Messages
192
Thanks. Just a little change in freeBSD.conf

But now I get an error when starting mysql_secure_installation. It's telling me:
Code:
find_mysql_client: not found
and later:
Code:
Enter current password for root (enter for none):
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)


Edit:

Is it right that my my.cfg contains only the lines listed in the tutorial above? Or did I overwrite some other template lines? If so, where can I get the original file?
 

mrMuppet

Contributor
Joined
Mar 14, 2014
Messages
192
Thanks. Just a little change in freeBSD.conf

But now I get an error when starting mysql_secure_installation. It's telling me:
Code:
find_mysql_client: not found
and later:
Code:
Enter current password for root (enter for none):
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

I reinstalled it and everything seemed to install the right way. But when I open http://192.168.178.156/owncloud only a blank page opens. Any idea?

Edit: nginx-error.log gives me:
Code:
2014/04/29 21:38:39 [error] 59415#0: *1 directory index of "/usr/local/www/" is forbidden, client: 192.168.178.79, server: , request: "GET / HTTP/1.1", host: "192.168.178.158"



Edit: I changed /usr/local/www/owncloud from 0640 to 755 ... nginx-error-log now:
Code:
2014/04/29 22:07:53 [error] 82616#0: *5 open() "/usr/local/www/index.php" failed (2: No such file or directory), client: 192.168.178.79, server: , request: "GET /owncloud/owncloud HTTP/1.1", host: "192.168.178.158"


http://192.168.178.156/nginx gives me the nginx welcome-page.


Edit: After a complete new install of the jail, everything works! Don't know why, but...
 

Aubury

Dabbler
Joined
Mar 27, 2014
Messages
15
For some reason, starting today, after I updated openssl from ports I started getting 502 bad gateway when trying to get to my owncloud instance. This is what I get when I looked at the nginx-error logs
Code:
2014/05/04 13:35:30 [crit] 66145#0: *1 connect() to unix:/var/run/php-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.1.1, server: mydomain.com, request: "PROPFIND /owncloud/remote.php/webdav/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "mydomain.com"

Not sure what's going on here...

Edit:
removing the comment out on
Code:
listen.owner = www
listen.group = www

fixed it.
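
An added example (not from the thread) that reads a php-fpm pool file and reports whether the NGINX worker user can open the socket, which is the condition behind the `13: Permission denied` error above. It assumes the php-fpm master runs as root with group wheel and that an unset `listen.mode` means 0660; the sample pool text is constructed.

```python
# Assumed values when a directive is absent or commented out: the socket is
# created by the master process user (root:wheel here) with mode 0660.
DEFAULTS = {"listen.owner": "root", "listen.group": "wheel", "listen.mode": "0660"}

def effective_listen(pool_conf):
    """Return the listen.* settings php-fpm would actually apply."""
    settings = dict(DEFAULTS)
    for line in pool_conf.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):
            continue  # a leading ';' comments the directive out
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in settings:
            settings[key] = value.split(";")[0].strip().strip('"')
    return settings

def can_connect(settings, user, groups):
    """connect() on a unix socket needs write permission on the socket file."""
    mode = int(settings["listen.mode"], 8)
    if user == "root":
        return True
    if user == settings["listen.owner"]:
        return bool(mode & 0o200)
    if settings["listen.group"] in groups:
        return bool(mode & 0o020)
    return bool(mode & 0o002)

# Constructed pool file with the listen.* lines still commented out
BROKEN = """[www]
listen = /var/run/php-fpm.sock
;listen.owner = www
;listen.group = www
;listen.mode = 0666
"""
# Same file after removing the ';' from listen.owner and listen.group
FIXED = BROKEN.replace(";listen.owner", "listen.owner").replace(";listen.group", "listen.group")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        s = effective_listen(conf)
        print(name, s, "www can connect:", can_connect(s, "www", {"www"}))
```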
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
Guys, I am having a problem I am hoping someone over here can help me out with. I set up a jail for ownCloud according to this guide with SSL and then set up fail2ban on it. It's all working fine on LAN. I set up port forwarding and have that part working as well. I have HTTPS://static-ip:50/owncloud being forwarded on port 50. It connects and syncs data but there is a problem that I need to troubleshoot.

Almost every other day the connection over the Internet drops. When I check it on canyouseeme.org it shows "error connection refused" on port 50, and it starts working fine again when I stop the jail and then restart it. After that, canyouseeme.org shows the port open. When this error occurs ownCloud on LAN is fully functional, and I have tested my router EA4500 by restarting it and also my Internet router; neither fixes it. It only gets fixed when I stop and then start the jail, so the problem is in the jail setup. Any help would be appreciated.
 