[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

[NasKar]

added the line

Code:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

to my ngnix.conf
It seems to redirect my http:// to https:// and removes the error message in the GUI admin page.
Will Let's Encrypt be able to renew my ssl certificate? It only worked with http:// on port 80?

 

[Jailer]

Yes it will redirect and connect over https. You can try it with the renewell code or script by adding the --dry-run switch and checking the output in console and the letsencrypt log file.

 

[NasKar]

Yes it will redirect and connect over https. You can try it with the renewell code or script by adding the --dry-run switch and checking the output in console and the letsencrypt log file.

Thanks it does renew. Any recommendation to protect my nextcloud from hackers? Do you use fail2ban or something similar.

 

[Jailer]

Thanks it does renew. Any recommendation to protect my nextcloud from hackers? Do you use fail2ban or something similar.

Do some research on nginx hardening and php hardening as well as best practices for both and that should get you going in the right direction.

I don't run fail2ban, I handle all blocking at the edge with my router but that's my personal choice. You will have to do what you are comfortable with.

 

[fireheadman]

sounds like a plan!... thanks
I have a stable release at the moment, but if I get bored or find some spare time on my hands I will revisit.

An Update for those interested....
I kept getting the notice for a new update available, so thought I would try my luck with the online updater in the UI.

So far looks good:

...and BAM!!!!.... it worked perfect.

Peeked in Admin section.... So it appears Nextcloud has fixed the updater and life just got easier for us.

 

[NasKar]

I don't think it worked for me going from v 11.0 to 11.0.1. Had to do it manually.
1)I was looking around the admin page and saw a bunch of Fatal cron errors, any idea what the problem is? I have a green circle by Cron in the Admin page.
2)I turned off all 4 logging options and now I don't know how to turn it back on.

 

[KevDog]

How are you trying to run your cron job? Through the FreeNas Interface? I suppose that's possible, I just currently run my cron job through cron within the jail setup itself however I can see the advantage of trying to run it system wide. Which cron jobs are failing?

 

[NasKar]

How are you trying to run your cron job? Through the FreeNas Interface? I suppose that's possible, I just currently run my cron job through cron within the jail setup itself however I can see the advantage of trying to run it system wide. Which cron jobs are failing?

I have it setup per your instructions #6 earlier in this thread in the jail itself.
I created 220.LetsEncrypt-SSL-Renewal in /etc/periodic/daily

Code:

#!/bin/sh

/usr/local/bin/certbot renew --quiet --pre-hook "service nginx stop" --post-hook "service nginx start"

and edited /etc/crontab

Code:

# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: releng/10.3/etc/crontab 194170 2009-06-14 06:37:19Z brian $
#
SHELL=/bin/sh
#PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/etc:/usr/local/sbin
#
#minute hour	mday	month   wday	who	 command
#
*/5	 *	   *	   *	   *	   root	/usr/libexec/atrun
#
# Save some entropy so that /dev/random can re-seed on boot.
#*/11   *	   *	   *	   *	   operator /usr/libexec/save-entropy
#
# Rotate log files every hour, if necessary.
0	   *	   *	   *	   *	   root	newsyslog
#
# Perform daily/weekly/monthly maintenance.
1	   3	   *	   *	   *	   root	periodic daily
15	  4	   *	   *	   6	   root	periodic weekly
30	  5	   1	   *	   *	   root	periodic monthly
#
# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time.  See adjkerntz(8) for details.
1,31	0-5	 *	   *	   *	   root	adjkerntz -a

 

[KevDog]

Ok -- but I don't understand what your problem is .. The script should be working as advertised. Does your SSL script run if you run is manually? Is it executable?

 

[NasKar]

I don't think it worked for me going from v 11.0 to 11.0.1. Had to do it manually.
1)I was looking around the admin page and saw a bunch of Fatal cron errors, any idea what the problem is? I have a green circle by Cron in the Admin page.
2)I turned off all 4 logging options and now I don't know how to turn it back on.

Not sure what the fatal errors were in the logging section of the admin page were?

 

[Greg161]

I have a problem with configuration nginx.conf, I am able to login with mydomain.xx/owncloud by I wasn't successful with changing it to work with just mydomain.xx without /owncloud .

 

[Joshua Parker Ruehlig]

I have a problem with configuration nginx.conf, I am able to login with mydomain.xx/owncloud by I wasn't successful with changing it to work with just mydomain.xx without /owncloud .

change the 'root' declaration to "/usr/local/www/owncloud"
the 4 instances of "/owncloud" in the locations lines should be removed

the instance of "/owncloud" in the rewrite line should be removed.

 

[jag131990]

Convinced everything is 100% right and working with the guide,

Tried now to enable SSL, I don't think ssl is enabled with the pkg install nginx, Cyberjock mentioned this in one of his posts..

I tried his method to make from ports, instead I get this:


`/usr/ports/www/nginx' is up to date.
make: don't know how to make install. Stop

Can anyone help?

edit: worked it out

cd /usr/ports/www/nginx

make install

 

[jag131990]

Thanks heaps for this guide Josh!

Final step for me..

I have everything running, SSL enabled, let's encrypt cert using certbot. Now the last thing to tidy it all will be auto renew but when I looked at my cron in Nextcloud it said

Last cron job execution: 21 hours ago. Something seems wrong

I added the Cron job per your guide it appeared to work the first time I looked in Nextcloud and switched to Cron it had said last Cron executed minutes ago with a green dot. Looked all good, now a day later I get the above with a red.

Any idea?

Edit: fixed path had 'owncloud' instead of Nextcloud lol.

 

[Greg161]

change the 'root' declaration to "/usr/local/www/owncloud"
the 4 instances of "/owncloud" in the locations lines should be removed

the instance of "/owncloud" in the rewrite line should be removed.

I made that changes, but now I am downloading "index.php" instead opening the website.
Below my nginx.conf:

Code:

worker_processes 4;

events {
  worker_connections  1024;
}

http {
  include    mime.types;
  default_type  application/octet-stream;
  sendfile     off;
  keepalive_timeout  65;
  gzip off;

  server {
   root /usr/local/www/owncloud;
   location = /robots.txt { allow all; access_log off; log_not_found off; }
   location = /favicon.ico { access_log off; log_not_found off; }
   location ^~ / {
    client_max_body_size 512M;
    error_page 403 /owncloud/core/templates/403.php;
    error_page 404 /owncloud/core/templates/404.php;
#    location /owncloud {
#     rewrite ^ /owncloud/index.php$uri;
#    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
     deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
     deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
     fastcgi_split_path_info ^(.+\.php)(/.*)$;
     include fastcgi_params;
     fastcgi_pass unix:/var/run/php-fpm.sock;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_param PATH_INFO $fastcgi_path_info;
     fastcgi_param front_controller_active true;
     fastcgi_intercept_errors on;
    }
    location ~* \.(?:css|js)$ {
     try_files $uri /owncloud/index.php$uri$is_args$args;
     add_header Cache-Control "public, max-age=7200";
    }
    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
     try_files $uri /owncloud/index.php$uri$is_args$args;
    }

   }
  }
}

 

[Joshua Parker Ruehlig]

Convinced everything is 100% right and working with the guide,

Tried now to enable SSL, I don't think ssl is enabled with the pkg install nginx, Cyberjock mentioned this in one of his posts..

I tried his method to make from ports, instead I get this:


`/usr/ports/www/nginx' is up to date.
make: don't know how to make install. Stop

Can anyone help?

edit: worked it out

cd /usr/ports/www/nginx

make install

you don't need to make nginx from ports. At some point since Cyberjock's post nginx enabled SSL in the package.
But, building from ports allows you to enabled/disable other features if you like to customize.

 

[jag131990]

you don't need to make nginx from ports. At some point since Cyberjock's post nginx enabled SSL in the package.
But, building from ports allows you to enabled/disable other features if you like to customize.

Hi Josh I planned to actually use the letsencrypt certificate the entire time from beginning. This meant I tried to simply enable SSL and confirm that I could get to my domain name on 443 to what I thought would be an unverified Nextcloud.

I got connection errors and believed it was due to SSL not being packaged. Turned out that without having the two lines putting to server key etc it would never work.

So I followed cyberjocks made my self signed keys it worked and thought ok it was the fact I needed to compile from ports! (Wrong as you suggest)

 

[jag131990]

you don't need to make nginx from ports. At some point since Cyberjock's post nginx enabled SSL in the package.
But, building from ports allows you to enabled/disable other features if you like to customize.

What will be there difference for me going forward to maintain this installation?

I can't do pkg upgrade etc. Is ports considered not as simple? Maybe I can make deinstall and PKG install now that it all works if I want it to be simple to maintain..

 

[Joshua Parker Ruehlig]

What will be there difference for me going forward to maintain this installation?

I can't do pkg upgrade etc. Is ports considered not as simple? Maybe I can make deinstall and PKG install now that it all works if I want it to be simple to maintain..

you can still do pkg upgrade, it will just overwrite your port install with the package. Which is fine in this case, since it has SSL enabled so it won't all of a sudden break things for you.

 

[jag131990]

Here is the ssllabs test result after final build/install. Any comments? Seems pretty poor lol.