[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

TonyITNewb

Dabbler
Joined
Feb 11, 2016
Messages
10
I hope you still monitor this thread. I am new to OwnCloud. My main goal is to have mobile pictures uploaded from my phone to a folder on my freenas machine. The windows file share that I want to be able to upload to is \\FreenasSVR\Pictures\Mobile Uploads. I've tried adapting this guide, but I get errors. When I tried installing the mariadb100 package, it says I have no available matching patches. The step before this completes successfully.

My system:
Build FreeNAS-9.3-STABLE-201604041648
Platform Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
Memory 8165MB
System Time Wed Apr 20 22:28:52 EDT 2016
Uptime 10:28PM up 4 days, 6:35, 0 users
Load Average 0.46, 0.57, 0.57

Thanks for any input
Tony
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I hope you still monitor this thread. I am new to OwnCloud. My main goal is to have mobile pictures uploaded from my phone to a folder on my freenas machine. The windows file share that I want to be able to upload to is \\FreenasSVR\Pictures\Mobile Uploads. I've tried adapting this guide, but I get errors. When I tried installing the mariadb100 package, it says I have no available matching patches. The step before this completes successfully.

My system:
Build FreeNAS-9.3-STABLE-201604041648
Platform Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
Memory 8165MB
System Time Wed Apr 20 22:28:52 EDT 2016
Uptime 10:28PM up 4 days, 6:35, 0 users
Load Average 0.46, 0.57, 0.57

Thanks for any input
Tony
I'm not sure why you can't install mariadb, the package could just be missing in your particular package server when you tried.

As for having owncloud files on a particular share on your freenas, here's my suggestion...
* Mount the dataset into your owncloud jail somewhere like /mnt/uploads
* Install the external mount app in owncloud
* Set up a 'local external mount' in the owncloud admin page for the users/groups you like to this folder from your user's InstantUpload folder (or whatever name you choose, but this is the default the android owncloud app uses)
 

tamilmad

Dabbler
Joined
Oct 20, 2015
Messages
36
can you try this out and see if it works?

Code:
mv /usr/local/www/owncloud /usr/local/www/owncloud-bak
fetch "http://download.owncloud.org/community/owncloud-9.0.0.tar.bz2"
tar jxf owncloud-*.tar.bz2 -C /usr/local/www
rm owncloud-*.tar.bz2
cp /usr/local/www/owncloud-bak/config/config.php /usr/local/www/owncloud/config
chown -R www:www /usr/local/www/owncloud

chsh -s /bin/sh www
su www
php /usr/local/www/owncloud/occ upgrade

Thanks for this guide for upgrade. Worked without any hitch. Now I am at 9.0.1.

Thanks for all your support.
 

Mad_noob

Dabbler
Joined
Jan 13, 2016
Messages
13
Hello,

Just want to thank you for your guides Joshua and Cyberjoke for the SSL part.

Everything is up and running and fast responsive compared to the PBI version !

Thank you !
 

rldoose

Dabbler
Joined
Apr 16, 2016
Messages
17
So when I got to:
ownCloud WebUI (http://jailip/owncloud)
Storage & database
  • Data folder = /mnt/files
  • Database user = ocuser
  • Database password = ocpass
  • Database name = owncloud
  • Database host = localhost:/tmp/mysql.sock
I input the Data folder, and then it yacked at me about putting in the user name and password. I made the mistake of hitting return and it went with what I had input, which was only the Data folder..... I never set the other params. It seems to work at first blush, but will this cause me problems down the road? Is there an easy way to fix?
 

rldoose

Dabbler
Joined
Apr 16, 2016
Messages
17
@Joshua Parker Ruehlig
Can you elaborate on "I have my SSL terminated by HAProxy running on my pfSense router. If you don't have this option, I recommend setting up SSL in NGINX as seen here."

So if you have pfSense, your ownCloud, Transmission, etc. don't have to be configured for SSL? I'm not enough of a network guy to wrap my head around how that works. Could pfSense be run on the FreeNAS running ownCloud, or would that be a security risk? Seems that those running pfSense dedicate a computer strictly to that function, and I'm guessing that is more secure?

P.S. Thanks for the great guide! A bit tough for a noob to get through, and would have liked a bit more verbosity, but you forced me to think which is not a bad thing either!
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
So when I got to:
ownCloud WebUI (http://jailip/owncloud)
Storage & database
  • Data folder = /mnt/files
  • Database user = ocuser
  • Database password = ocpass
  • Database name = owncloud
  • Database host = localhost:/tmp/mysql.sock
I input the Data folder, and then it yacked at me about putting in the user name and password. I made the mistake of hitting return and it went with what I had input, which was only the Data folder..... I never set the other params. It seems to work at first blush, but will this cause me problems down the road? Is there an easy way to fix?
I'm not sure how it would work if you didn't enter the database credentials. Possibly you're using sqlite instead, but I purposely say to remove that package so I doubt it.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
@Joshua Parker Ruehlig
Can you elaborate on "I have my SSL terminated by HAProxy running on my pfSense router. If you don't have this option, I recommend setting up SSL in NGINX as seen here."

So if you have pfSense, your ownCloud, Transmission, etc. don't have to be configured for SSL? I'm not enough of a network guy to wrap my head around how that works. Could pfSense be run on the FreeNAS running ownCloud, or would that be a security risk? Seems that those running pfSense dedicate a computer strictly to that function, and I'm guessing that is more secure?

P.S. Thanks for the great guide! A bit tough for a noob to get through, and would have liked a bit more verbosity, but you forced me to think which is not a bad thing either!
I don't think you can run pfsense in a jail, I've always installed it to its own hardware.
haproxy is doing the SSL termination for me, and passing unencrypted HTTP to my nginx webserver.
 

rldoose

Dabbler
Joined
Apr 16, 2016
Messages
17
I'm not sure how it would work if you didn't enter the database credentials. Possibly you're using sqlite instead, but I purposely say to remove that package so I doubt it.

Actually, it only worked one time. I got in when I hit return, and saw the expected folders. Got out to do other stuff, but now it errors out when I try to get back in. But I can still access all the configuration files I generated. I will just burn it down and do it again. Good practice.
 

IsNoGood

Cadet
Joined
May 1, 2016
Messages
6
I hope you still monitor this thread. I am new to OwnCloud. My main goal is to have mobile pictures uploaded from my phone to a folder on my freenas machine. The windows file share that I want to be able to upload to is \\FreenasSVR\Pictures\Mobile Uploads. I've tried adapting this guide, but I get errors. When I tried installing the mariadb100 package, it says I have no available matching patches. The step before this completes successfully.

My system:
Build FreeNAS-9.3-STABLE-201604041648
Platform Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
Memory 8165MB
System Time Wed Apr 20 22:28:52 EDT 2016
Uptime 10:28PM up 4 days, 6:35, 0 users
Load Average 0.46, 0.57, 0.57

Thanks for any input
Tony
It's because the package is now named mariadb101-server.
 

Sean Coston

Contributor
Joined
Jul 25, 2014
Messages
128
I don't think you can run pfsense in a jail, I've always installed it to its own hardware.
haproxy is doing the SSL termination for me, and passing unencrypted HTTP to my nginx webserver.


Josh,

I know it is a bit off topic for this thread, so I'd be happy to start a new thread if you think it is necessary.
Here's my situation:

I just got my very own pfSense device up and running on its own hardware.

Comcast modem --- pfSense device (192.168.0.1) ---wifi access point and wired switches (/24 netmask)

On the LAN side of the pfSense device I have several computers and a FreeNAS server running 9.3 on a Lenovo server:
Hostname freenas.local
Build FreeNAS-9.3-STABLE-201412090314
Platform Intel(R) Xeon(R) CPU E3-1276 v3 @ 3.60GHz
Memory 28438MB
System Time Thu Jun 02 15:30:27 MDT 2016
Uptime 3:30PM up 7 days, 17:46, 0 users
Load Average 0.10, 0.11, 0.08

The FreeNAS has several jails running that all have their own LAN ip addresses. Some of the jails (like MythTV backend, calibre, and my kiddo's Minecraft server) all present http interfaces and I'd like to do something like you've done to allow https connections with the reverse proxy being handled by the pfSense device. I have a domain from DynDNS that always points to my Comcast external ip. Let's call it "SDC-PrivateDomain.net" for now.

What I'd like to do is to be able to externally navigate to my jail in this fashion:
https://mythTV.SDC-PrivateDomain.net or https://SDC-PrivateDomain.net/mythTV and access my jail from the www using an ssl connection.

Can you point me to any resource that can walk me through how to set up the reverse proxy that you have described? I have already installed the squid3 package and have tried to configure the reverse proxy to no avail, probably because I'm not understanding everything that needs to be accomplished. With these networking solutions the devil is always in the details.

Thanks,

Sean
 

Sean Coston

Contributor
Joined
Jul 25, 2014
Messages
128
Hi Josh,

I did some more searching and found some links (I'll post here for anyone else interested). Still have not been able to get my reverse proxy to work yet, but I think I'm closer. All this networking stuff with pfSense is new to me...been working with consumer routers for years and never saw many of the configurable options available with the pfSense box. Fun! But also frustrating at times.

I've gone to using haproxy as well.

So for the posts with info:
https://forum.pfsense.org/index.php?topic=103726.0

https://forum.pfsense.org/index.php?topic=93766.msg527268#msg527268

Lots of ground covered in these... The second one gives a link to pdf attachment with basics.

My last two posts are really not directly FreeNAS or ownCloud related, but more about how to access your FreeNAS jail servers/apps more safely from the outside world. Not sure if they should be ported to a different thread.

Sean

Sent from my Nexus 6P using Tapatalk
 
Joined
Dec 2, 2015
Messages
730
Sean,

Adding an unrelated post to a random 55 page thread is probably the worst possible way for people to notice your question.

It is much more likely to get attention from knowledgeable people if you put it in its own thread, with a descriptive title.
 

Sean Coston

Contributor
Joined
Jul 25, 2014
Messages
128
Agreed. I'll start a new thread soon. Mostly thought I'd give Josh a chance to respond since I know he follows his thread, and he has developed a working solution to exactly what I'm trying to accomplish.

Sent from my Nexus 6P using Tapatalk
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Agreed. I'll start a new thread soon. Mostly thought I'd give Josh a chance to respond since I know he follows his thread, and he has developed a working solution to exactly what I'm trying to accomplish.

Sent from my Nexus 6P using Tapatalk
Hey Sean, sorry been super busy working on some stuff at my home and have a deadline.

As for a reverse proxy, do all of the services you want have the ability to be under a webroot? For example owncloud can have everything under /owncloud.
Since you have pfsense and need SSL termination I recommend the haproxy plugin. I personally get my legitimate certs from StartSSL, but those require a real domain, so maybe you could use a self-signed cert?

Because I cache websites that I host, I also have varnish behind my haproxy, but you don't need that. I think you could do this...
* define backends in the haproxy plugin
* define ACL > owncloud_acl | path starts with | /owncloud
* define action > use backend | backend=owncloud_backend | owncloud_acl

Tell me if you try this route, might take some tinkering to get it right but the haproxy plugin is very flexible, and in my opinion better for this purpose than squid.
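
The routing outlined in the post above, written out as a plain haproxy.cfg. This is an added example, not part of the original post and not the configuration the pfSense plugin generates; the certificate path, the jail addresses and the mythtv backend are placeholders.

```haproxy
# Added example: TLS terminated at HAProxy, path-based routing to jails.
# Certificate path, IP addresses and backend names are placeholders.
global
    maxconn 1000

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend http_in
    bind *:80
    # Plain HTTP from outside is only redirected, never proxied to a jail.
    http-request redirect scheme https code 301

frontend https_in
    # TLS ends here; the PEM file holds the certificate chain and private key.
    bind *:443 ssl crt /path/to/cert-and-key.pem
    # Tell the application behind the proxy that the client used HTTPS.
    http-request set-header X-Forwarded-Proto https
    # HSTS is sent by whichever component terminates TLS.
    http-response set-header Strict-Transport-Security "max-age=31536000"

    # ACL: "path starts with /owncloud"
    acl owncloud_acl path_beg /owncloud
    # Only usable if the service can be served under a webroot prefix.
    acl mythtv_acl   path_beg /mythTV

    # Action: use backend X if ACL matches.
    use_backend owncloud_backend if owncloud_acl
    use_backend mythtv_backend   if mythtv_acl
    # No default_backend: a request matching no ACL gets a 503
    # instead of reaching any jail.

backend owncloud_backend
    # Unencrypted HTTP to nginx in the jail (placeholder address).
    server owncloud 192.168.0.50:80 check

backend mythtv_backend
    server mythtv 192.168.0.51:80 check
```

Because nginx in the jail now only sees plain HTTP, ownCloud has to be told it sits behind a proxy (the `trusted_proxies` and `overwriteprotocol` settings in config.php). The HAProxy-to-jail hop is cleartext, so it should stay on the trusted LAN.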
 

Thoni

Explorer
Joined
Jul 9, 2015
Messages
84
Hi @All

I hope someone can help me.
Last year I had owncloud up and running on FreeNas 9.3.

Now I have installed new (9.10) with new harddrives and want to get my owncloud running...
I followed the post at the beginning of this thread.
The 1. config page of owncloud is showing (where you can enter the root-user and the database etc.), but when I insert all the information and click on "finish installation" I get an error 404.

My nginx.conf:
Code:
worker_processes 2;
events {
  worker_connections  1024;
}

http {
  include  mime.types;
  default_type  application/octet-stream;
  sendfile  off;
  keepalive_timeout  65;
  gzip off;

  server {
  server {
    root /usr/local/www;
    location = /robots.txt { allow all; access_log off; log_not_found off; }
    location = /favicon.ico { access_log off; log_not_found off; }
    location ^~ /owncloud {
      client_max_body_size 4G;
      error_page 403 /owncloud/core/templates/403.php;
      error_page 404 /owncloud/core/templates/404.php;
      location /owncloud {
        rewrite ^ /owncloud/index.php$uri;
      }
      location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
      }
      location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
      }
      location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param front_controller_active true;
        fastcgi_intercept_errors on;
      }
      location ~* \.(?:css|js)$ {
        try_files $uri /owncloud/index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
      }
      location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /owncloud/index.php$uri$is_args$args;
      }
    }
  }
}

Any hints?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Hi @All

I hope someone can help me.
Last year I had owncloud up and running on FreeNas 9.3.

Now I have installed new (9.10) with new harddrives and want to get my owncloud running...
I followed the post at the beginning of this thread.
The 1. config page of owncloud is showing (where you can enter the root-user and the database etc.), but when I insert all the information and click on "finish installation" I get an error 404.

My nginx.conf:
Code:
worker_processes 2;
events {
  worker_connections  1024;
}

http {
  include  mime.types;
  default_type  application/octet-stream;
  sendfile  off;
  keepalive_timeout  65;
  gzip off;

  server {
  server {
    root /usr/local/www;
    location = /robots.txt { allow all; access_log off; log_not_found off; }
    location = /favicon.ico { access_log off; log_not_found off; }
    location ^~ /owncloud {
      client_max_body_size 4G;
      error_page 403 /owncloud/core/templates/403.php;
      error_page 404 /owncloud/core/templates/404.php;
      location /owncloud {
        rewrite ^ /owncloud/index.php$uri;
      }
      location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
      }
      location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
      }
      location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param front_controller_active true;
        fastcgi_intercept_errors on;
      }
      location ~* \.(?:css|js)$ {
        try_files $uri /owncloud/index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
      }
      location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /owncloud/index.php$uri$is_args$args;
      }
    }
  }
}

Any hints?
I would check for any errors in the log in /media
that may not exist, so you could enable logging in the nginx config, restart nginx, and read the nginx log
 

Thoni

Explorer
Joined
Jul 9, 2015
Messages
84
Hi Joshua.

hmmm... log in /var/log/nginx-error.log

Code:
2016/06/06 20:29:39 [error] 39310#102512: *4 directory index of "/usr/local/www/" is forbidden, client: 192.168.50.44, server: , request: "GET / HTTP/1.1", host: "192.168.50.35"
2016/06/06 20:29:50 [error] 39310#102512: *8 open() "/usr/local/www/core/img/breadcrumb.svg" failed (2: No such file or directory), client: 192.168.50.44, server: , request: "GET /core/img/breadcrumb.svg HTTP/1.1", host: "192.168.50.35"
2016/06/06 20:29:50 [error] 39310#102512: *10 open() "/usr/local/www/core/vendor/zxcvbn/zxcvbn.js" failed (2: No such file or directory), client: 192.168.50.44, server: , request: "GET /core/vendor/zxcvbn/zxcvbn.js HTTP/1.1", host: "192.168.50.35"
2016/06/06 20:30:54 [error] 39310#102512: *10 open() "/usr/local/www/index.php" failed (2: No such file or directory), client: 192.168.50.44, server: , request: "POST /index.php HTTP/1.1", host: "192.168.50.35"


Don't understand the first line...see 1.png and 2.png

edit: ok. got it. /usr/local/www/core/ and /usr/local/www/index.php doesn't exist. There is /owncloud/ missing. But why?
 

Attachments: 1.png, 2.png

Thoni

Explorer
Joined
Jul 9, 2015
Messages
84
never mind. Got it.
 

Mad_noob

Dabbler
Joined
Jan 13, 2016
Messages
13
Hi,

Everything is still running fine since my last post, but...

I want to get rid of the security tips concerning HSTS.

I added these lines to my nginx conf file but the warning message still appears even if I have restarted nginx.

server mydomain.com;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;

Maybe i missed something.

Thanks.
 