PHP 8.0.x in TrueNas 13.0-U6

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Last but not least, would there be any chance at all I could import my existing users, settings and content from the NC plugin instance that I have running now, or would I need to set it all up from scratch again (it is not a job stopper, but it would save me a bunch of work)?
I can answer that part - yes, you can import an NC database and also all the file store hierarchy, possibly adjust the Unix ownership of the files to the new system, and then run a php occ files:scan --all to migrate your data.

Details might require additional steps but fundamentally that works - we have been doing it dozens of times @work for customers.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
i like my jails to be DHCP autoconfigure IPv4 and manage the static IP through pfSense. Is that possible?
Not through the script. You can change the jail settings afterward if you like.
do i need to define the FQDN if i just want an internal IP to access Nextcloud since, as mentioned before, i access my cloud through an FQDN with letsencrypt and HAProxy in pfSense?
You can define the FQDN as the IP address if you like.
Is it sufficient to replace STANDALONE_CERT with NOCERT=1 to bypass the whole cert process?
Yes.
assuming point 3, is it required to set CERT_EMAIL?
It shouldn't be.
would there be an issue if i already have a jail named "nextcloud" in which the plugin is running
No; you'd just need to set a jail name in the config file.
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
@danb35, I ran the script today. I must say, i am very impressed. First time hit without any issue whatsoever.
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
I can answer that part - yes, you can import an NC database and also all the file store hierarchy, possibly adjust the Unix ownership of the files to the new system, and then run a php occ files:scan --all to migrate your data.

Details might require additional steps but fundamentally that works - we have been doing it dozens of times @work for customers.

and you run this from within the jail shell, right?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
and you run this from within the jail shell, right?
Yes. For a standard (pkg install) installation of Nextcloud the complete command would be (inside the jail):
Code:
su -m www -c "/usr/local/bin/php /usr/local/www/nextcloud/occ files:scan --all"


I don't know if Nextcloud installed with @danb35's script uses a different path.
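The import Patrick sketches, written out as a shell script to run inside the new jail. This is an added example, not part of the thread or of danb35's script: the dump path /root/nextcloud-old.sql, the data directory /mnt/files, the database name and user, and the www account are assumptions (the php and occ paths match the pkg layout quoted above). `show` prints the commands it would run, `run` executes them.

```shell
#!/bin/sh
# Added example (not from the thread): the migration steps Patrick describes,
# run inside the new Nextcloud jail. Before running it, copy the old instance's
# config.php values 'instanceid', 'passwordsalt' and 'secret' into the new
# config.php, since tokens stored in the database are bound to them, and point
# 'datadirectory' at the copied file tree.
set -eu

NC_ROOT=${NC_ROOT:-/usr/local/www/nextcloud}   # pkg install location
PHP=${PHP:-/usr/local/bin/php}
DATA_DIR=${DATA_DIR:-/mnt/files}               # assumed 'datadirectory'
DUMP=${DUMP:-/root/nextcloud-old.sql}          # assumed mysqldump from the old jail
DB_NAME=${DB_NAME:-nextcloud}                  # assumed database name
DB_USER=${DB_USER:-nextcloud}                  # assumed database user
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Run occ as the web server user, the way the command quoted above does.
occ() {
    cmd="$PHP $NC_ROOT/occ $*"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'su -m www -c "%s"\n' "$cmd"
    else
        su -m www -c "$cmd"
    fi
}

# Restore the old instance's dump into the new jail's MySQL/MariaDB.
import_database() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'mysql -u %s -p %s < %s\n' "$DB_USER" "$DB_NAME" "$DUMP"
    else
        mysql -u "$DB_USER" -p "$DB_NAME" < "$DUMP"
    fi
}

# Files copied from another jail may carry a different uid; the web server
# user must own the whole data tree or occ will refuse to touch it.
fix_ownership() {
    run chown -R www:www "$DATA_DIR"
}

rescan_files() {
    occ files:scan --all
}

migrate() {
    occ maintenance:mode --on
    import_database
    fix_ownership
    occ maintenance:mode --off
    rescan_files
}

case ${1:-} in
    run)  migrate ;;
    show) DRY_RUN=1; migrate ;;
esac
```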
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
The path is alright. I am a little confused though. Surely the command cannot detect files that are allocated in another jail, as the plugin installs the data in the jail. So I guess the right way forward is to recreate the users in the new Nextcloud instance, copy the files into the respective folders and do the files scan. Does that sound like it?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I thought that was what I wrote - copy over the database (which contains the users) and the files, then perform the scan just to make sure everything is up to date.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
The path is alright. I am a little confused though. Surely the command cannot detect files that are allocated in another jail, as the plugin installs the data in the jail. So I guess the right way forward is to recreate the users in the new Nextcloud instance, copy the files into the respective folders and do the files scan. Does that sound like it?
This is what I usually do. I’m not sure if the plug-in uses mariadb as the database. So if you do want to copy that, you will have to convert. I believe the plug-in uses postgresql. On top of that you will have to edit your config file with the user and password for the database.

If you don’t have that many users and files, then what you wrote will work, and be easier IMO. The command will be su -m www -c "php /usr/local/www/nextcloud/occ files:scan --all"

Out of curiosity, did you install Nextcloud 28? Does downloading of multiple files and folders result in a zip file?
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
This is what I usually do. I’m not sure if the plug-in uses mariadb as the database. So if you do want to copy that, you will have to convert. I believe the plug-in uses postgresql. On top of that you will have to edit your config file with the user and password for the database.

If you don’t have that many users and files, then what you wrote will work, and be easier IMO. The command will be su -m www -c "php /usr/local/www/nextcloud/occ files:scan --all"
My plugin used mySQL as far as i can tell. I already migrated 3 users. Works perfectly fine this way.

Out of curiosity, did you install Nextcloud 28? Does downloading of multiple files and folders result in a zip file?
Yes and yes. Just tried it.
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
The migration went fine, but now I have encountered a major issue and I have no clue where to start. I can access the new installation perfectly fine from the local IP address that I configured during the installation, but it doesn't like it when I change the jail to DHCP and configure a different static address in pfSense. When I keep the IP it was installed with it works, even with DHCP configured, but more importantly, when I set HAproxy to forward the FQDN to the internal IP on port 80, it doesn't work. I just get a black browser screen. If I configure port 443, I get a 503. I don't know if it is related to Caddy, because the other instance uses NGINX. Any pointers where to look first?
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
The migration went fine, but now I have encountered a major issue and I have no clue where to start. I can access the new installation perfectly fine from the local IP address that I configured during the installation, but it doesn't like it when I change the jail to DHCP and configure a different static address in pfSense. When I keep the IP it was installed with it works, even with DHCP configured, but more importantly, when I set HAproxy to forward the FQDN to the internal IP on port 80, it doesn't work. I just get a black browser screen. If I configure port 443, I get a 503. I don't know if it is related to Caddy, because the other instance uses NGINX. Any pointers where to look first?
This is a fairly straightforward fix, but will take some file editing. Namely, you will have to edit two files.

BTW, did you install using NO_CERT?

1. The Caddyfile located at /usr/local/www/Caddyfile. Here you will need to find the line that reads 192.168.x.x:80 or whatever your IP address was when you set it up, and change it to your FQDN or IP. Or you can just have the line read ":80" to access on port 80 with any IP or domain.

2. The Nextcloud config file at /usr/local/www/nextcloud/config/config.php. Here you need to change 4 values depending on how you are going to access your Nextcloud instance. The values are
trusted_domains
overwrite_cli_url
overwrite_host
overwrite_protocol

The trusted_domains value/values need to be set with the proper IP and/or domain you will use to access Nextcloud
The protocol will be either http or https depending on whether you access with a cert or not
The overwrite_host needs to be set to your FQDN or IP like this "192.168.x.x" or "cloud.mydomain.com" (without the http or https part)
The overwrite_cli_url needs to be set to either "http://FQDN", "https://FQDN" or "http://192.168.x.x" (notice the http and https; this will vary depending on how you will access your instance)
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
To be clear, the main concern is that I cannot connect through HAproxy with my FQDN, which has a valid cert. config.php seems to be ok, as I compared it with my other instance. I already added my FQDN in trusted_domains, without https:// though. Does that matter? I didn't do that with the previous instance either. All other entries refer to the internal IP. cli_url with http://, all others just the internal IP. What I do have in the config.php which I didn't have before is trusted_proxies, where the only entry is 'localhost'. In Caddyfile, I see the local IP listed twice after each other with port 80; that shouldn't make a difference, right?

For completeness, i did set it up with NO-CERT=1
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
To be clear, the main concern is that I cannot connect through HAproxy with my FQDN, which has a valid cert. config.php seems to be ok, as I compared it with my other instance. I already added my FQDN in trusted_domains, without https:// though. Does that matter?
No, it doesn’t.
I didn't do that with the previous instance either. All other entries refer to the internal IP. cli_url with http://, all others just the internal IP. What I do have in the config.php which I didn't have before is trusted_proxies, where the only entry is 'localhost'.
That gets added with the script I believe.
In Caddyfile, I see the local IP listed twice after each other with port 80; that shouldn't make a difference, right?
I would just do :80
For completeness, i did set it up with NO-CERT=1
So what I gather is that you want HA proxy doing all your SSL, reverse proxying, and certificate management?

If so, then you can leave your Nextcloud instance as http
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
No, it doesn’t.

That gets added with the script I believe.

I would just do :80

So what I gather is that you want HA proxy doing all your SSL, reverse proxying, and certificate management?

If so, then you can leave your Nextcloud instance as http
Hah, I tried that but it didn't work. Now I changed it to the previous again, but I get an internal server error

Code:
{
        # debug
}

192.168.1.225:80, 192.168.1.225:80 {
        root * /usr/local/www/nextcloud
        file_server
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Hah, I tried that but it didn't work. Now I changed it to the previous again, but I get an internal server error

Code:
{
        # debug
}

192.168.1.225:80, 192.168.1.225:80 {
        root * /usr/local/www/nextcloud
        file_server
Fair enough. But that should work. Unless it is *:80
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
Well, I fixed that again - it appeared it was a change I made to the trusted_proxies in config.php. Not a step closer though. I must be missing something. I never had any issues getting through with the plugin installations.
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
Can you share your Caddyfile and config.php with sensitive values redacted?

Here is config.php

Code:
<?php
$CONFIG = array (
  'passwordsalt' => ,
  'secret' => '',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '192.168.1.xxx',
    2 => 'cloud.xxx.be',
  ),
  'datadirectory' => '/mnt/files',
  'dbtype' => 'mysql',
  'version' => '28.0.3.2',
  'overwrite.cli.url' => 'http://192.168.1.xxx/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/var/run/mysql/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '',
  'installed' => true,
  'instanceid' => 'ocrupv1mqw84',
  'logtimezone' => 'Europe/Brussels',
  'default_phone_region' => 'BE',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'logrotate_size' => '104847600',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'overwritehost' => '192.168.1.xxx',
  'overwriteprotocol' => 'http',
  'htaccess.RewriteBase' => '/',
  'trusted_proxies' =>
  array (
    1 => 'localhost',
  ),
  'maintenance_window_start' => 5,
  'app_install_overwrite' =>
  array (
    0 => 'occweb',
  ),
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => '',
  'mail_domain' => '',
  'mail_smtphost' => '',
  'mail_smtpport' => '465',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '',
  'mail_smtppassword' => '',
);


and here Caddyfile:

Code:
{
    # debug
}

192.168.1.xxx:80, 192.168.1.xxx:80 {
    root * /usr/local/www/nextcloud
    file_server
    log {
        output file /var/log/192.168.1.xxx.log
    }

    php_fastcgi 127.0.0.1:9000 {
        env front_controller_active true
    }

    # client support (e.g. os x calendar / contacts)
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    redir /.well-known/webfinger /index.php/.well-known/webfinger 301
    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

    # Required for legacy
    @notlegacy {
        path *.php
        not path /index*
        not path /remote*
        not path /public*
        not path /cron*
        not path /core/ajax/update*
        not path /status*
        not path /ocs/v1*
        not path /ocs/v2*
        not path /updater/*
        not path /ocs-provider/*
        not path */richdocumentscode/proxy*
    }
    rewrite @notlegacy /index.php{uri}

    # .htaccess / data / config / ... shouldn't be accessible from outside
    @forbidden {
        path /.htaccess
        path /data/*
        path /config/*
        path /db_structure
        path /.xml
        path /README
        path /3rdparty/*
        path /lib/*
        path /templates/*
        path /occ
        path /console.php
    }

    respond @forbidden 404
}


Let me know if you need anything else.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
So you’re saying it works from inside your LAN but from outside you get redirected to your local IP?

That’s probably due to the overwrite_host being set to your IP. You should probably either remove that line, or set it to your FQDN.

Also, you should add your FQDN to your Caddyfile like this
192.168.x.x:80, cloud.xxx.be:80

You will also need to add your HAproxy IP to the trusted_proxies option in the config.php file.
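The changes victort lists (FQDN in trusted_domains, the HAproxy address in trusted_proxies, overwritehost removed, protocol set to https) applied with occ's config:system commands instead of hand-editing config.php, plus a check that the Caddyfile's site address line lists the FQDN. This is an added example, not from the thread or from danb35's script: cloud.example.com and 192.168.1.1 are placeholders for the real FQDN and HAproxy address, and index 2 in trusted_domains assumes localhost and the LAN IP already occupy 0 and 1, as in the config.php posted above.

```shell
#!/bin/sh
# Added example (not from the thread): reverse-proxy settings for Nextcloud
# behind HAproxy, set through occ so config.php stays syntactically valid.
set -eu

NC_ROOT=${NC_ROOT:-/usr/local/www/nextcloud}
PHP=${PHP:-/usr/local/bin/php}
FQDN=${FQDN:-cloud.example.com}        # placeholder for the real FQDN
PROXY_IP=${PROXY_IP:-192.168.1.1}      # placeholder for the HAproxy address
CADDYFILE=${CADDYFILE:-/usr/local/www/Caddyfile}
DRY_RUN=${DRY_RUN:-0}

# Run occ as the web server user; with DRY_RUN=1 only print the command.
occ() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'su -m www -c "%s %s/occ %s"\n' "$PHP" "$NC_ROOT" "$*"
    else
        su -m www -c "$PHP $NC_ROOT/occ $*"
    fi
}

apply_proxy_settings() {
    # The FQDN the browser sends in the Host header must be trusted.
    occ config:system:set trusted_domains 2 --value="$FQDN"
    # Only the TLS-terminating proxy may supply X-Forwarded-* headers;
    # list its address, not a whole subnet, so LAN clients cannot spoof
    # their source address in logs and brute-force protection.
    occ config:system:set trusted_proxies 0 --value="$PROXY_IP"
    # Drop the host override that pinned redirects to the LAN IP.
    occ config:system:delete overwritehost
    # HAproxy speaks https to clients and plain http to Caddy, so tell
    # Nextcloud to generate https links.
    occ config:system:set overwriteprotocol --value=https
    occ config:system:set overwrite.cli.url --value="https://$FQDN/"
}

# Return 0 when the first site-address line of a Caddyfile (the line that
# ends in "{" and is not the global options block) lists host $2.
caddy_lists_host() {
    grep -E '^[^#{}[:space:]].*[{][[:space:]]*$' "$1" | head -n 1 |
        tr ',' '\n' | sed 's/[[:space:]{]//g; s/:[0-9]*$//' | grep -qxF "$2"
}

case ${1:-} in
    apply)
        apply_proxy_settings
        if caddy_lists_host "$CADDYFILE" "$FQDN"; then
            echo "Caddyfile already serves $FQDN"
        else
            echo "add $FQDN:80 to the site address line in $CADDYFILE"
        fi ;;
    show) DRY_RUN=1; apply_proxy_settings ;;
esac
```

After the occ calls, `occ config:list system` shows the resulting values, and the Caddyfile site line should read like `192.168.1.xxx:80, cloud.xxx.be:80 {` as victort suggests (or `:80` to accept any host, with trusted_domains doing the filtering).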
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
Success!!! I think adding the FQDN to Caddy file in combination with removing overwrite_host gave me access to NC via the FQDN. Afterwards adding overwrite_protocol 'https' got rid of some errors on the security and setup warnings. Many thanks to @danb35 , @victort and @Patrick M. Hausen for helping me out with this.

The only one left now is this:

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

Not sure where to configure this. It mentions Apache Virtual host file but obviously, my install doesn't have Apache. I do have that option in HAproxy but there it clearly mentions only to configure it for incoming http which it is not.
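A check for that remaining warning, as an added example that is not part of the thread: hsts_max_age and hsts_ok parse a Strict-Transport-Security value and compare it against the 15552000-second minimum the warning quotes, hsts_from_headers pulls the value out of a raw header block (a constructed sample is included), and check_hsts fetches a host's HTTPS headers with curl (assumed installed) to run the same check; cloud.example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the HSTS header a site
# sends meets Nextcloud's expected minimum max-age.
set -eu

MIN_MAX_AGE=15552000   # 180 days, the value Nextcloud's warning quotes

# Constructed sample response headers, as curl -I would print them.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Caddy
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=utf-8'

# Print the max-age number from an HSTS header value, or nothing if absent.
# Directives are split on ";" and matched case-insensitively.
hsts_max_age() {
    printf '%s\n' "$1" | tr ';' '\n' | tr -d ' \r' |
        sed -n 's/^[Mm][Aa][Xx]-[Aa][Gg][Ee]=//p' | head -n 1
}

# Return 0 when the value carries a max-age of at least MIN_MAX_AGE.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$MIN_MAX_AGE" ]
}

# Extract the HSTS header value from a block of raw response headers.
hsts_from_headers() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:[[:space:]]*//p' | head -n 1
}

# Fetch a host's HTTPS response headers and report on its HSTS policy.
# Returns 0 when the policy is adequate, 1 when missing or too short,
# 2 when the request itself failed.
check_hsts() {
    hdrs=$(curl -sSI "https://$1/") || return 2
    value=$(hsts_from_headers "$hdrs")
    if [ -z "$value" ]; then
        echo "$1: no Strict-Transport-Security header"; return 1
    fi
    if hsts_ok "$value"; then
        echo "$1: HSTS ok ($value)"
    else
        echo "$1: HSTS max-age below $MIN_MAX_AGE ($value)"; return 1
    fi
}

case ${1:-} in
    check) check_hsts "${2:-cloud.example.com}" ;;
esac
```

Since HAproxy terminates TLS in this setup, the header has to be emitted by its HTTPS frontend (for example `http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains"`), not by Caddy on port 80: browsers only honour an HSTS header received over HTTPS and ignore one sent over plain HTTP, so a header added to the http side never satisfies the check.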
 