HOW-TO: NextCloud 10 w/ Apache, PHP, and MariaDB

nathank1989 · Sep 16, 2016

HOW TO: INSTALL NEXTCLOUD 10.0.1 (and NC11) ON FREEBSD 9.10 JAIL
Should also work with Nextcloud 11 with little to no change in setup.

I wrote this guide primarily as a backup in case I needed to redo things over again, and decided to spruce it up and share it with others.

The Goal:
Put Nextcloud 10/11 on a FreeNAS jail using a standard LAMP setup for FreeBSD (FAMP)
This guide is a mix of several other guides I found for installing OwnCloud. The process for OC9 and NC10 is virtually identical. But most of the guides were out of date in regards to FreeNAS, so I updated it for FreeNAS 9.10.1, Nextcloud 10, Apache 2.4, PHP 7, and MariaDB 10.1 and FreeBSD 10+ Jail. I sourced all of the guides and pages I had used down at the bottom.

This guide is an advanced manual installation, based off of the half dozen guides for Owncloud out there. At the original time of this posting, pkg install nextcloud did not work for me due to an issue with the maintainer. This appears to have been fixed. Be aware that the package available through pkg or ports is updated by it's maintainer, and may take some time before you see an update (This is the reason we manually compile Apache and OpenSSL in this guide, because, at the time of this writing, a simple pkg update doesn't fix the CVE-2016-2107 vulnerability). The method below allows you to update the moment Nextcloud issues one without waiting for the maintainer to update.

This guide is beneficial to any advanced user who doesn't mind doing manual upgrades, wants bleeding edge software, and want to use this specific operating environment (Apache2.4, PHP 7 and MariaDB 10.1). This guide also shows you how to use a separate and dedicated mountpoint and dataset for your data directory AND database files.

If this guide intimidates you, you may be safer installing from pkg or ports, but it never hurts to try and learn new techniques ;)

**After Nextcloud 10.0.1 their plan is to have The Updater App work well enough that you would not need to do a manual upgrade again.**

Getting Started -
General Assumptions:

You are familiar with Linux and comfortable with command line, but not so familiar with FreeBSD
You have already set up a proper pool to use for your NextCloud dataset
You are using FreeNAS 9.10.1-RELEASE with FreeBSD Jail Template "------"
Your FreeNAS is connected to the internet, and your jails are properly configured.
That you're generally on a clean install of 9.10.1-RELEASE, upgrades from 9.3, 9.2.1, etc have some issues with jails and templates. I ain't got time for that nonsense so this was a fresh install for me.
You're using this for maybe a small start-up with no more than 100 users.

Specifics:
My Build: A real budget strapped build. (<$1400)
ASRock C2550d4n
16GB Crucial (2x8gb) DDR3-1600 EUDIMM 1.35v
x2 5TB HGST NAS 7200rpm
x2 2TB Seagate Barracuda 7200rpm (These two are used for my NextCloud setup)
Target: 100+ users for Cloud and Archive storage, currently, with disk-to-disk mirroring. Soon to be expanded to a proper raid when I get the funds.

Let's Begin
Pool Name: "Cloud"
Static IP Address: 192.168.1.99

Creating the Dataset & Jail
Create Dataset
Within FreeNAS Userspace:

Storage > Create ZFS Dataset

Dataset Name = files
Compression level = lz4
Enable atime = Off
All other options default

SQL Data
Dataset Name = db
Compression level = zle
Enable atime = Off
Record Size = 16K (Under Advanced Mode)
All other options default

Users - Add New

Username: mysql
Shell: nologin
Full Name: SQL User
Password: anything

Storage -> /mnt/Cloud/db Change Permissions

Owner: mysql
Owner: mysql
Set permission recursively

Create Jail
Jails > Add Jail

Jail Name: nextcloud
Template: "------"
IPv4 Address: 192.168.1.99
IPv4 Subnet: 255.255.255.0
Leave all else default
Ensure VIMAGE is checked*

*Unless you have and want to use a separate and dedicated NIC for the jail. The MoBo I use comes with additional network ports.

Add Storage

Jail: nextcloud
Source = /mnt/Cloud/files
Destination = /mnt/files

Jail: nextcloud
Source = /mnt/Cloud/db
Destination = /var/db/mysql

Setting primary cache
In FreeNAS UserSpace Shell

$ zfs set primarycache=metadata Cloud/db

Configure Jail for SSH
We need to set up the jail to be able to SSH in and make faster adjustments.

Enter the Jail's shell from within FreeNAS

$ pkg upgrade

If it asks any questions, select Y and continue.

Enable SSH

 $ cd /etc/ssh

$ vi sshd_config

JWTech said:
Use... ... sed -i '' 's/#PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config and that will auto-replace the text.

Personally, I despise vi, but this is the quickest method I have found. Know a way better, please let me know.
if you don't know how to use vi, here's a quick step by step. I suggest you check out this cheat sheet
~~Reason we don't use nano here is because keys like ctrl+x do not work in the shell applet used in FreeNAS GUI. We have to use a real terminal like PuTTY to use a nano properly.~~

Scroll down using the DOWN arrow key until you find #PermitRootLogin no line.

With the cursor on the # hit x this will delete the hash now use the RIGHT arrow key to select the space before 'no'

Hit i type yes

Hit esc

Select the n in 'no' and hit x twice to delete 'no' so the line reads PermitRootLogin yes

type :wq

Hit ENTER

The file is now saved

Now enable and start SSH

 $ sysrc sshd_enable=yes

$ service sshd start

Change Jail Root PW
We need to reset the jails root password; type this command, and follow the prompts

$ passwd

Now close the shell within FreeNAS, and use PuTTY to SSH to the jail.

F.A.M.P Installation
In this section we are going to install F.A.M.P, an iteration of LAMP (Linux, Apache, MySQL, PHP). I chose this because I, personally, haven't had much luck with nginx or lighttp. Another guide suggested lighttp and sqlite, but those might not hold up to a good amount of users storing a bit of data.
The setup is:

FreeBSD 10.1
Apache 2.4
MariaDB 10.1
PHP 7.0 **Do NOT install PHP7.1 - Nexcloud is absolutely incompatible with this version as of this writing **

This provides the basis for our webserving jail.

Before we get started, let's add a few necessary packages as they aren't currently installed.

$ pkg install nano wget sudo

We will install each part of FAMP one-by-one. FreeBSD is the Operating system so good to go on that!

Apache 2.4
Install
$ pkg install apache24

Setup in rc.conf
$ sysrc apache24_enable=yes

Start Apache
$ service apache24 start

Check that it works
Navigate to http://192.168.1.99 and you should see the text "It Works!"

MariaDB 10.1
Install

$ pkg install mariadb101-server

Setup in rc.conf
$ sysrc mysql_enable=yes

Start MySQL Service
$ service mysql-server start

Run Wizard Script
$ mysql_secure_installation

Read and follow prompts. There is no root password set just hit enter, and answer Y to all the following questions.

Login to MySQL, create Nextcloud DB and User
$ mysql -u root -p

enter password you made for root during setup.

Enter each of these commands one-by-one, and make sure to include the semi-colon ;

Code:

CREATE DATABASE nextcloud;

CREATE USER 'nextcloud_admin'@'localhost' IDENTIFIED BY 'MAKEUP-YOUR-OWN-PASSWORD';

GRANT ALL ON nextcloud.* TO 'nextcloud_admin'@'localhost';

FLUSH PRIVILEGES;

exit

Replace MAKEUP-YOUR-OWN-PASSWORD with a password of your choosing. You need this for the NextCloud setup.

PHP 7.0
Install PHP and associated modules

Code:

pkg install redis php70 php70-bz2 php70-ctype php70-curl php70-dom php70-exif php70-fileinfo php70-filter php70-gd php70-hash php70-iconv php70-intl php70-json php70-mbstring php70-mcrypt php70-pdo_mysql php70-openssl php70-posix php70-session php70-simplexml php70-xml php70-xmlreader php70-xmlwriter php70-xsl php70-wddx php70-zip php70-zlib php70-APCu php70-redis

sysrc 'mysql_enable=YES' 'redis_enable=YES'

Configuring Apache for PHP7
Ensure that the rewrite and ssl modules are enabled (uncommented) in /usr/local/etc/apache24/httpd.conf.

 $ cd /usr/local/etc/apache24/

$ nano httpd.conf

Search the conf file for "ssl_module"

Code:

ctrl+w
ssl_module
ENTER

Uncomment (delete the # at the start of the line) so it looks like this:

LoadModule ssl_module libexec/apache24/mod_ssl.so

Repeat for

 

LoadModule rewrite_module libexec/apache24/mod_rewrite.so

Remove php5 add php7:

Find & Remove this >> LoadModule php5_module libexec/apache24/libphp5.so
Replace with >> LoadModule php7_module libexec/apache24/libphp7.so

If you can't find libphp5.so, just add
LoadModule php7_module libexec/apache24/libphp7.so
to the last of the LoadModule section; right above

 # Third party modules

IncludeOptional ...

Also, after you save, double check that you see libphp7.so in /usr/local/libexec/apache24

Right after libphp7.so line add

Code:

<IfModule php7_module>
   <FilesMatch "\.(php|phps|php7|phtml)$">
	   SetHandler php7-script
   </FilesMatch>
   DirectoryIndex index.php
</IfModule>

Then FIND <IFModule mime_module>

Then Insert After:

Code:

AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php		.php

Save & quit

Add a PHP handler to /usr/local/etc/apache24/modules.d
# touch /usr/local/etc/apache24/modules.d/001_mod_php.conf
# nano /usr/local/etc/apache24/modules.d/001_mod_php.conf
Paste:

Code:

<FilesMatch "\.php$">
		SetHandler application/x-httpd-php
	</FilesMatch>
	<FilesMatch "\.phps$">
		SetHandler application/x-httpd-php-source
	</FilesMatch>

Save & Exit
Once you're done save and close CTRL+x, Y, ENTER
service apache24 restart

Configure PHP.INI
$ nano /usr/local/etc/php.ini

find cgi.fix_pathinfo=0 change from =0 to =1

find date.timezone = Change to your timezone (America/New_York) [ SEE: http://php.net/manual/en/timezones.php ]

find post_max_size= change it to 1999M

find upload_max_size= change to 1999M

CTRL+X, Y, ENTER

Restart Apache

$ service apache24 restart

Testing with PHPINFO()
Navigate to /usr/local/www/apache24/data/

$ touch info.php
$ nano info.php

Paste:

Code:

<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>

Save & Exit

Navigate to http://192.168.1.99/info.php

You should see a full page with all the information regarding your PHP installation.

Configure REDIS
Update /usr/local/etc/redis.conf to run on local socket

Find port and change default value to 0

Find and replace:

Code:

unixsocket /tmp/redis.sock
unixsocketperm 777

Add REDIS to rc.conf
$ sysrc redis_enable=yes

Start REDIS
$ service redis start

Run ls -al /tmp to run on local socket, you should see redis.sock and mysql.sock in the list.

If you see those two, you're ALMOST DONE!!

Installing NextCloud
Download in apache data directory /usr/local/www/apache24/data/

Go to the default apache data directory
$ cd /usr/local/www/apache24/data
Download Nextcloud
$ wget https://download.nextcloud.com/server/releases/nextcloud-10.0.1.zip
Unzip Nextcloud
$ unzip nextcloud-10.0.1.zip
Give correct owner
chown -R www:www /usr/local/www/apache24/data/nextcloud /mnt/files

Add virtual Host info
Navigate to /usr/local/etc/apache24/Includes
Touch file: (I used a cloud.* subdomain, if you're not using a sub, remove the 'cloud.')

$ touch cloud.YOURDOMAIN.com.conf

$ nano cloud*

Copy and paste the below text.
~~I commented out mod_rewrite and did not include SSL because I am waiting to setup a real domain to attach to it and did not want to run into issues until I had the domain.~~
See bottom of post for SSL Using Certbot instructions. Otherwise, you'll be rewriting the URL to https:// using mod_rewrite

Code:

<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName cloud.YOURSITE.com
   RewriteEngine on
   RewriteCond %{SERVER_NAME} =cloud.YOURSITE.com
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
#ErrorLog ${APACHE_LOG_DIR}/error.log
#CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /usr/local/www/apache24/data/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /usr/local/www/apache24/data/nextcloud
SetEnv HTTP_HOME /usr/local/www/apache24/data/nextcloud
Satisfy Any
</Directory>
</VirtualHost>

Restart apache... again...

$ service apache24 restart

Navigate to the website

http://192.168.1.99/

You should now see the setup screen for NextCloud!!

If you do, give yourself a pat on the back. Now for the last steps...

NextCloud WebUI
Set up your admin account with a username and password you choose.

Storage & database

Data folder = /mnt/files
Database user = nextcloud_admin
Database password = MADEUP_PASSWORD_FROM_BEFORE
Database name = nextcloud
Database host = localhost:/tmp/mysql.sock

Back in Jail Shell:

We setup redis for caching

Code:

$ su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu"'
$ su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'
$ su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'
$ su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set redis port --value=0 --type=integer'

Setup NC's cron jobs

crontab -u www -e

Code:

*/15 * * * * /usr/local/bin/php -f /usr/local/www/apache24/data/nextcloud/cron.php

And VOILA! YOU ARE DONE!!!!!

I have NOT yet installed the CollaboraOnline stuff yet. I will have to figure that out....

EXTRAS
SSL using Certbot

Download/Install Certbot
pkg install py27-certbot

certbot certonly --webroot -w /usr/local/www/apache24/data/nextcloud -d YOURSITE.COM

Edit /usr/local/etc/apache24/httpd.conf

Find Listen 80 and add underneath Listen 443

Edit /usr/local/etc/apache24/Includes/yoursite.conf
Uncomment the Rewrite rules written in the above guide
Add:

Code:

<VirtualHost *:443>
	ServerAdmin YOUREMAIL
	ServerName YOURSITE.COM
	DirectoryIndex index.php
	DocumentRoot /usr/local/www/apache24/data/nextcloud
	SSLCertificateFile /usr/local/etc/letsencrypt/live/YOURSITE.COM/fullchain.pem
	SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/YOURSITE.COM/privkey.pem
	SSLEngine on
	# Intermediate configuration, tweak to your needs
	SSLProtocol			 all -SSLv2 -SSLv3
	SSLCipherSuite		  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
	SSLHonorCipherOrder	 on
	SSLCompression		  off
	SSLOptions +StrictRequire
	<Directory /usr/local/www/apache24/data/nextcloud>
	  AllowOverride all
	</Directory>
	<IfModule mod_headers.c>
	  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
	</IfModule>
  </VirtualHost>

Restart Apache
service apache24 restart

Add Cron Job:
crontab -e
* 1 * * 1 ./usr/local/bin/certbot renew --quiet

Using NC on separate NIC
Shut down the jail
Click Edit
Uncheck VIMAGE and select the NIC from the NIC drop down. Make sure your IP info didn't change.
Start jail and try to access your cloud. If all went well you'd basically see nothing changed as it will work as expected.

SITES and GUIDES I USED TO MAKE THIS WORK: BIG THANKS TO ALL!!!

I also did the following, but modifed to the /usr/local/www/apache24/data/nextcloud directory. Currently having issues with imagick uninstalling php70

Joshua Parker Ruehlig said:

Troubleshooting:

Redis server went away
chmod 777 /tmp/redis.sock

If SSL Labs rates you an F:
You probably have the OpenSSL CVE-2016-2107 Vulnerability. For whatever reason, pkg update/upgrade will not solve this and we need to rebcompile both openssl and apache24 from ports.

nano /etc/make.conf
Add line:
DEFAULT_VERSIONS+=ssl=openssl

Save & Quit

portsnap fetch
portsnap extract
portsnap update

cd /usr/ports/security/openssl
make deinstall
make install clean

cd /usr/ports/www/apache24/
make deinstall
make install clean

service apache24 restart

pkg lock apache24
pkg lock openssl

Until FreeBSDs repos have versions of apache and OpenSSL that fix the vulnerability, this is the only way I have found to get back to an A+ rating.

Test SSL Labs again, you should now see an A+!

Murac · Sep 18, 2016

Thanks for the write up. I'm going through this now. will edit this post if i find anything else

nathank1989 said:
Now enable and start SSH

$ sysrc sshd_enable=yes
$ service ssh start

service sshd start

nathank1989 said:
Setup in rc.conf
$ sysrc mysql_enable=yes

Run Wizard Script
$ mysql_secure_installation

Should have "service mysql-server start" in between these steps

Murac · Sep 19, 2016

nathank1989 said:
Remove php5 add php7: [4] [5]

Find & Remove this >> LoadModule php5_module libexec/apache24/libphp5.so

Replace with >> LoadModule php7_module libexec/apache24/libphp7.so

There is no php5_module to be found in httpd.conf. i've definitelly installed all the packages and this was coming from a fresh install and jail. anyone else get this?

nathank1989 · Sep 19, 2016

Murac said:
Thanks for the write up. I'm going through this now. will edit this post if i find anything else

service sshd start

Should have "service mysql-server start" in between these steps

Knew I had to be missing something, I will edit my post to reflect your edits.

Murac said:
There is no php5_module to be found in httpd.conf. i've definitelly installed all the packages and this was coming from a fresh install and jail. anyone else get this?

Are you sure you can't find any reference of PHP5 in the default httpd.conf? And you're using Apache2.4? There should be a section with a whole lot of LoadModule lines. The very last one was php5.so
Just search using Nano for "php5.so" and replace it with "php7.so"

Hope that helps!

If you can't find it still, just add

Code:

LoadModule php7_module        libexec/apache24/libphp7.so

to the last of the LoadModule section; right above

Code:

# Third party modules
IncludeOptional ...

Also double check that you see libphp7.so in /usr/local/libexec/apache24

Murac · Sep 19, 2016

nathank1989 said:
If you can't find it still, just add

Code:
LoadModule php7_module libexec/apache24/libphp7.so

to the last of the LoadModule section; right above

Code:
# Third party modules IncludeOptional ...

Also double check that you see libphp7.so in /usr/local/libexec/apache24

Right so I inspected every LoadModule line after searching turned up negative. I did as you said and just added the new line at the end as well as the <IfModule> portion after that. I have a feeling it's missing in /usr/local/libexec/apache24. But yes, I did install 2.4. I'll have to check tonight when I get home.

nathank1989 · Sep 19, 2016

Murac said:
Right so I inspected every LoadModule line after searching turned up negative. I did as you said and just added the new line at the end as well as the <IfModule> portion after that. I have a feeling it's missing in /usr/local/libexec/apache24. But yes, I did install 2.4. I'll have to check tonight when I get home.

Make sure that you also installed all of the PHP7 packages I have listed.

check with php -v

If php -v turns up a version number and libphp7.so is not in that directory then I am not sure what went wrong.

nathank1989 · Sep 19, 2016

Murac said:
Right so I inspected every LoadModule line after searching turned up negative. I did as you said and just added the new line at the end as well as the <IfModule> portion after that. I have a feeling it's missing in /usr/local/libexec/apache24. But yes, I did install 2.4. I'll have to check tonight when I get home.

Also, Murac, I just noticed I had a typo in the <IFModule> section, it said php5, NOT php7. Below is the CORRECT PHP7 <IFModule> (And I edited the main post). I had followed a guide for PHP56 and forgot to change the handles for PHP7.

Code:

<IfModule php7_module>
   <FilesMatch "\.(php|phps|php7|phtml)$">
       SetHandler php7-script
   </FilesMatch>
   DirectoryIndex index.php
</IfModule>

Murac · Sep 19, 2016

Okay, making some progress. First, found another typo:

nathank1989 said:
<FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch> <FilesMatch "\.phps$"> SetHandler application/x-httpd-php-source </FilesMatch> </IfModule>

Remove the

Code:

</IfModule>

Second I had to

Code:

pkg install mod_php70

referenced here: https://forums.freebsd.org/threads/56058/
for what it's worth, I added the line to the Makefile and rebuilt and installed php70 but it didn't work until I installed mod_php70 so that step might not actually be necessary..

Also I had to set ServerName in httpd.conf. I chose the jail IP

UPDATE: alright, I'm up and running. Note to all: make sure /mnt/files is a new dataset or something because I stupidly reused a dataset and it locked the share. so i moved my other files to a new dataset and i'm fine now. just an fyi. maybe nextcloud would have been ok in its own folder or something, but yeah.

nathank1989 · Sep 21, 2016

Murac said:
Okay, making some progress. First, found another typo:

Remove the
Code:
</IfModule>

Second I had to
Code:
pkg install mod_php70

referenced here: https://forums.freebsd.org/threads/56058/
for what it's worth, I added the line to the Makefile and rebuilt and installed php70 but it didn't work until I installed mod_php70 so that step might not actually be necessary..

Also I had to set ServerName in httpd.conf. I chose the jail IP

UPDATE: alright, I'm up and running. Note to all: make sure /mnt/files is a new dataset or something because I stupidly reused a dataset and it locked the share. so i moved my other files to a new dataset and i'm fine now. just an fyi. maybe nextcloud would have been ok in its own folder or something, but yeah.

Glad you got it working, friend.

However I found something interesting. If you have a dataset you want in Nextcloud, simply add it to the jail's storage,
In the jail chown -R www:www the whole dataset and add it as a Local External Storage share after installing the External Storage plugin in Nextcloud. This works for a separated dataset I have set up as a CIFS share, since the share is local only, and I don't have a php70 smbclient, using it as a local mount within the jail worked, even over the internet. Did not mess with my CIFS permissions, and it's read/writable in Nextcloud.
Just know that any change in Nextcloud takes time to take effect in the actual dataset since Nextcloud has a versioning system.

Murac · Sep 22, 2016

nathank1989 said:
Glad you got it working, friend.

However I found something interesting. If you have a dataset you want in Nextcloud, simply add it to the jail's storage,
In the jail chown -R www:www the whole dataset and add it as a Local External Storage share after installing the External Storage plugin in Nextcloud. This works for a separated dataset I have set up as a CIFS share, since the share is local only, and I don't have a php70 smbclient, using it as a local mount within the jail worked, even over the internet. Did not mess with my CIFS permissions, and it's read/writable in Nextcloud.
Just know that any change in Nextcloud takes time to take effect in the actual dataset since Nextcloud has a versioning system.

Now that's cool.

What security precautions are you taking for accessing it externally?

nathank1989 · Sep 22, 2016

Using SSL for web access, NasGUI is not accessible from the internet. Only the jail. And within the jail I have ssd root logon without password so only ones with certs can ssh in.

nathank1989 · Sep 22, 2016

Murac said:
Now that's cool.

What security precautions are you taking for accessing it externally?

I do want to warn you right now that I am having some issues with MariaDB.
I did a reboot of my system and come to find my database's root password was gone, and the nextcloud database has an issue.
https://forums.freenas.org/index.ph...oot-jails-sql-database-no-longer-works.46231/

So Make backups of everything and tread lightly until I can figure out why MAriaDB is losing its -ish

It appears somehow the /var/db/mysql folder was owned by root:wheel and not mysql:mysql
I created a nologin user on freenas named mysql grp: mysql and applied it to the db dataset and set it to recursive. This should be good enough! I will adjust the steps above!

danb35 · Sep 22, 2016

Why are you storing your database on the pool, rather than inside the jail? That configuration sounds like it's asking for trouble. If you do want to do that, yes, you need to do what you've done (change the ownership of the database dataset to mysql:mysql), but you also need to make sure that the user and group ids of the mysql user and group in FreeNAS match whatever is used in the jail.

And for the text editor, I just 'pkg install nano' any time I create a new jail. nano is a simple, easy-to-use text editor. Edit: I now see you install nano later in the howto, but not before editing sshd.conf. I guess it's up to you, but I'd install that first thing and use it for all the edits.

I'd also doubt that you actually need to run sshd inside the jail--ssh to the FreeNAS box, jls, jexec # tcsh (or other shell of your choice).

nathank1989 · Sep 22, 2016

danb35 said:
Why are you storing your database on the pool, rather than inside the jail? That configuration sounds like it's asking for trouble. If you do want to do that, yes, you need to do what you've done (change the ownership of the database dataset to mysql:mysql), but you also need to make sure that the user and group ids of the mysql user and group in FreeNAS match whatever is used in the jail.

And for the text editor, I just 'pkg install nano' any time I create a new jail. nano is a simple, easy-to-use text editor.

I'd also doubt that you actually need to run sshd inside the jail--ssh to the FreeNAS box, jls, jexec # tcsh (or other shell of your choice).

I got the idea to store the db in a separate pool via this guide and one other: https://forums.freenas.org/index.php?threads/how-to-owncloud-using-nginx-php-fpm-and-mysql.17786/

I have installed nano, one of my instructions suggests installing it and setting it as your default editor.

and I don't ssh into the FreeNAS for security reasons. The jail has a global IP, where as the NAS WebGUI and services I want only accessible via LAN. Due to what I am using the jail for, it is easier for me to have direct SSH access to that, rather than the whole NAS.

danb35 · Sep 22, 2016

My mention of nano was because you mentioned how much you hated vi. So install nano first thing, and use that instead of vi; problem solved.

The db configuration seems odd to me, and I'm not sure I see a real reason to do that, but @Joshua Parker Ruehlig usually knows what he's doing. Again, though, if you're going to do it that way, you need to make sure the uid and gid for the mysql user and group match between the jail and the base FreeNAS system.

As to the ssh configuration, that's up to you. If you need to ssh to the jail from outside, then yes, you'd need to configure it as you stated (and I'd certainly agree with not opening up ssh on your FreeNAS box to the world). I don't find that I often (ever, really) need get shell access to any of my jails remotely, but if I did, I'd VPN into my LAN.

Kaitux · Sep 23, 2016

hi,
just fyi: had the problem that there was no /usr/local/libexec/apache24/libphp7.so but php -v showed no problem.

Muracs solution with installing pkg install mod_php70 and adding the jails-ip to the ServerName worked for me also.

Kaitux · Sep 26, 2016

i followed your tutorial, thanks alot!
I got a question about the certbot: SSL-Labs rating is F, because of the (CVE-2016-2107) openssl padding vulnerabillity.
Am I the only one who got this problem? How can i fix this?

techmod · Oct 13, 2016

Hi!

First of all - thanks for the effort to make this work for us! It´s very appreciated.
I got almost everything up and running except of http -> https redirect and certbot.

Here´s the setup of YOURPAGE.conf as it is recommended here in this thread:

<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName cloud.YOURSITE.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.YOURSITE.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

The rest isn´t posted, because it is the same as mine.

Here´s my setup of YOURPAGE.conf:

Code:

<VirtualHost *:80> DocumentRoot /usr/local/www/apache24/data/nextcloud/
ServerName MYOWNURL.de
Redirect permanent / https://MYOWNURL.de/nextcloud
  <IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15768000; inclu$
  </IfModule>
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =MY-IP

When I connect to MYURL from "outside" the LAN I have to comment out all lines from Redirect to </IfModule> (the recommended server setup from nextcloud> , but then only http works. MYURL is an official Domain from my ISP pointing to my IP followed by /nextcloud. I connect to my WebGui via VPN and changed the ssl port there to 444. I would like to ccess my nextcloud via MYOWNURL.de on port 443 (secured with self-signed certificate as certbot won´t work).

What am I missing here?

techmod · Oct 13, 2016

Hi!

First of all - thanks for the effort to make this work for us! It´s very appreciated.
I got almost everything up and running except of http -> https redirect and certbot.

Here´s the setup of YOURPAGE.conf as it is recommended here in this thread:

<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName cloud.YOURSITE.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.YOURSITE.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

The rest isn´t posted, because it is the same as mine.

Here´s my setup of YOURPAGE.conf:

Code:

<VirtualHost *:80> DocumentRoot /usr/local/www/apache24/data/nextcloud/
ServerName MYOWNURL.de
Redirect permanent / https://MYOWNURL.de/nextcloud
  <IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15768000; inclu$
  </IfModule>
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =MY-IP

When I connect to MYURL from "outside" the LAN I have to comment out all lines from Redirect to </IfModule> (the recommended server setup from nextcloud> , but then only http works. MYURL is an official Domain from my ISP pointing to my IP followed by /nextcloud. I connect to my WebGui via VPN and changed the ssl port there to 444. I would like to ccess my nextcloud via MYOWNURL.de on port 443 (secured with self-signed certificate as certbot won´t work).

What am I missing here?

nathank1989 · Oct 13, 2016

Kaitux said:
i followed your tutorial, thanks alot!
I got a question about the certbot: SSL-Labs rating is F, because of the (CVE-2016-2107) openssl padding vulnerabillity.
Am I the only one who got this problem? How can i fix this?

See if you have the latest OpenSSL version. You won't get an A+ with certbot, but you should at least get a B.

techmod said:
Hi!

First of all - thanks for the effort to make this work for us! It´s very appreciated.
I got almost everything up and running except of http -> https redirect and certbot.

Here´s the setup of YOURPAGE.conf as it is recommended here in this thread:

The rest isn´t posted, because it is the same as mine.

Here´s my setup of YOURPAGE.conf:

Code:
<VirtualHost *:80> DocumentRoot /usr/local/www/apache24/data/nextcloud/ ServerName MYOWNURL.de Redirect permanent / https://MYOWNURL.de/nextcloud <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15768000; inclu$ </IfModule> RewriteEngine on RewriteCond %{SERVER_NAME} =MY-IP

When I connect to MYURL from "outside" the LAN I have to comment out all lines from Redirect to </IfModule> (the recommended server setup from nextcloud> , but then only http works. MYURL is an official Domain from my ISP pointing to my IP followed by /nextcloud. I connect to my WebGui via VPN and changed the ssl port there to 444. I would like to ccess my nextcloud via MYOWNURL.de on port 443 (secured with self-signed certificate as certbot won´t work).

What am I missing here?

Look at your conf file. Do you have a section that starts with <VirtualHost*:443>?
The one you posted is the configuration for http listening on port 80.
You need to set up an *additional* virtual host for 443 and ensure that 443 is accessible from the internet.

Look at my guide again, the SSL cert and cipher info all belongs under <VirtualHost*:443>

Important Announcement for the TrueNAS Community.

HOW-TO: NextCloud 10 w/ Apache, PHP, and MariaDB

Contributor

Dabbler

Dabbler

Contributor

Dabbler

Contributor

Contributor

Dabbler

Contributor

Dabbler

Contributor

Contributor

Hall of Famer

Contributor

Hall of Famer

Dabbler

Dabbler

Cadet

Cadet

Contributor

Similar threads