[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Thanks man it works great now.

I have another issue now. I cannot share files with other users/groups. When I type I don't get autocomplete, or even if I type the full name I get nothing.
The sharing settings are turned on and the users belong to the same group with one user as group's admin.

edit: only thing I did different was add https. like cyberjock said.
I also added


to get rid of other warning from official documentation

full config:

note: there are more changes I took from official doc but they were done later on and this issue was already there.

Code:
worker_processes  4;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        off;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    gzip  off;

    server {
        listen 443 ssl;

        ssl_certificate /usr/local/etc/nginx/server.crt;
        ssl_certificate_key /usr/local/etc/nginx/server.key;

        # Security headers for responses served at server level
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        root /usr/local/www;
        location = /robots.txt { allow all; access_log off; log_not_found off; }
        location = /favicon.ico { access_log off; log_not_found off; }
        rewrite ^/caldav(.*)$ /owncloud/remote.php/caldav$1 redirect;
        rewrite ^/carddav(.*)$ /owncloud/remote.php/carddav$1 redirect;
        rewrite ^/webdav(.*)$ /owncloud/remote.php/webdav$1 redirect;

        location ^~ /owncloud {
            index index.php;
            rewrite ^/.well-known/host-meta /owncloud/public.php?service=host-meta last;
            rewrite ^/.well-known/host-meta.json /owncloud/public.php?service=host-meta-json last;

            rewrite ^/.well-known/carddav /owncloud/remote.php/carddav/ redirect;
            rewrite ^/.well-known/caldav /owncloud/remote.php/caldav/ redirect;
            rewrite ^(/owncloud/core/doc/[^\/]+/)$ $1/index.html;
            try_files $uri $uri/ /owncloud/index.php$is_args$args;
            error_page 403 /owncloud/core/templates/403.php;
            error_page 404 /owncloud/core/templates/404.php;
            client_max_body_size 10G;
            fastcgi_buffers 64 4K;
            # Block direct access to internal ownCloud paths
            location ~ ^/owncloud/(?:\.|build|tests|config|lib|3rdparty|templates|data|autotest|occ|issue|indie|db_|console) {
                deny all;
            }
            location ~ \.php(?:$|/) {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_pass unix:/var/run/php-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_intercept_errors on;
                fastcgi_param modHeadersAvailable true;
                fastcgi_param HTTPS on;
                include fastcgi_params;
            }

            location ~* \.(?:css|js)$ {
                add_header Cache-Control "public, max-age=7200";
                # Add headers to serve security related headers
                add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
                add_header X-Content-Type-Options nosniff;
                add_header X-Frame-Options "SAMEORIGIN";
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Robots-Tag none;
                access_log off;
            }

            location ~* \.(?:jpg|jpeg|bmp|swf|gif|ico|png|css|js|svg)$ {
                access_log off;
                # add_header at this level means the server-level security
                # headers are not inherited for these responses
                expires max; add_header Cache-Control public;
            }
        }
    }
}
What you are asking doesn't sound freenas specific and autocomplete works fine in my production setup. I don't have experience with HTTPS on NGINX so I suggest asking on the owncloud forum/github or NGINX forum.
 

wrath

Dabbler
Joined
Jun 23, 2015
Messages
26
What you are asking doesn't sound freenas specific and autocomplete works fine in my production setup. I don't have experience with HTTPS on NGINX so I suggest asking on the owncloud forum/github or NGINX forum.
ah just I wanted to check if my setup was causing file sharing issues.
 

Joshua Parker Ruehlig

ah just I wanted to check if my setup was causing file sharing issues.
I'm not sure why those settings would affect anything, but can't confirm because my SSL is not through nginx =/
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
I get following message:

and in the error logs I get spammed with:

any clue what is causing these problems?

The 2nd one is a bug and has been discussed at some length in github for a few releases now > https://github.com/owncloud/core/pull/18921#issuecomment-157436055

There have been a number of fixes that work posted - including the one in the thread - but it doesn't seem to have made it into a release. I've just applied it to the functions.php file and it's stopped the messages!
 

adrianwi

Duplicate post
 

adrianwi

Another one!
 

InQuize

Explorer
Joined
May 9, 2015
Messages
81

Joshua Parker Ruehlig


ArgaWoW

Patron
Joined
Jul 4, 2015
Messages
444
they released 8.2.1 yesterday, I'm assuming it fixes bugs with 8.2.0
I have updated to oc8.2.1, but I got the following error on updating the database:

Doctrine\DBAL\Exception\DriverException: An exception occurred while executing 'DROP TABLE `oc_oc_appconfig_gptn3yacwimyg`': SQLSTATE[HY000]: General error: 2006 MySQL server has gone away
 

Joshua Parker Ruehlig

I have updated to oc8.2.1, but I got the following error on updating the database:

Doctrine\DBAL\Exception\DriverException: An exception occurred while executing 'DROP TABLE `oc_oc_appconfig_gptn3yacwimyg`': SQLSTATE[HY000]: General error: 2006 MySQL server has gone away
sounds like it might be related to the database host parsing issue people were having during setup. I recommend creating a bug on github.
I updated my production system to 8.2.1 and everything worked as expected
 

InQuize


Joshua Parker Ruehlig

thx

And one more question: how safe is it to give permissions to write on ".user.ini" to HTTP group using nginx? (e.g. to be able to tinker with upload size in admin panel)
if the application (owncloud) had an exploit it could be used to do nasty stuff (maybe grab your password). but it could do that regardless because this guide tells you to chown the owncloud directory to the www user. so editing the upload size should already be possible, but I know it hasn't worked because of a bug in owncloud.

does editing the upload size not work in 8.2.1?
 

InQuize

if the application (owncloud) had an exploit it could be used to do nasty stuff (maybe grab your password). but it could do that regardless because this guide tells you to chown the owncloud directory to the www user. so editing the upload size should already be possible, but I know it hasn't worked because of a bug in owncloud.

does editing the upload size not work in 8.2.1?
Well, I was using the script provided here to set permissions, and all works perfectly except the fact that .user.ini now has:
Code:
-rw-r-----  1 root     www-data   159 Nov 19 16:50 .user.ini

So nginx can only read but not write. And upload_size field in admin panel is greyed out with such permissions.
If I set 0660 to the file, field becomes editable..
 

Joshua Parker Ruehlig

Well, I was using the script provided here to set permissions, and all works perfectly except the fact that .user.ini now has:
Code:
-rw-r-----  1 root     www-data   159 Nov 19 16:50 .user.ini

So nginx can only read but not write. And upload_size field in admin panel is greyed out with such permissions.
If I set 0660 to the file, field becomes editable..
www-data is something I used with Ubuntu before... not sure why you'd ever use that with freebsd
 

InQuize


Joshua Parker Ruehlig

Right, I am running Ubuntu using your guide and owncloud docs as reference
ahh, OK. I'm not 100% sure of the security implications, but it is more secure to not let the php user own anything but the config, but it is less convenient. up to you, that's all I know on that
 

InQuize

ahh, OK. I'm not 100% sure of the security implications, but it is more secure to not let the php user own anything but the config, but it is less convenient. up to you, that's all I know on that
https://secure.php.net/manual/en/configuration.file.per-user.php
Apparently PHP uses it for applications to directly pass CGI params to php.ini avoiding nginx configs.. As .htaccess for apache
I tried commenting 'upload_max_filesize=20G' and 'post_max_size=20G' line in .user.ini and according to admin panel max upload defaulted to 2M (as in php.ini) and not to 20G set in nginx location
If so, I'd better leave the file without write permissions indeed.
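
Added example, not part of any post in this thread: a shell sketch for the `.user.ini` permission question discussed above. It lists `.user.ini` files that the group or others can write to, tightens them to mode 0640 as in the listing posted above, and reads back the active upload limits; the temporary sample tree and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit PHP per-directory .user.ini files under a web root.
# The sample tree is constructed; function names are illustrative.

# List .user.ini files under $1 that group or others can write to.
find_writable_user_ini() {
    find "$1" -type f -name .user.ini \( -perm -020 -o -perm -002 \) -print
}

# Drop group/other write (mode 0640, as in the listing in the thread).
# Ownership is left alone; changing it to root:<web group> needs root.
lock_user_ini() {
    find "$1" -type f -name .user.ini \( -perm -020 -o -perm -002 \) \
        -exec chmod 0640 {} +
}

# Print the active value of ini key $2 in file $1.
# Lines commented out with ';' do not match and are skipped.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Build a constructed sample: one group-writable .user.ini carrying the
# 20G limits quoted in the thread. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/owncloud"
    printf '%s\n' 'upload_max_filesize=20G' ';post_max_size=2M' \
        'post_max_size=20G' > "$d/owncloud/.user.ini"
    chmod 0660 "$d/owncloud/.user.ini"
    echo "$d"
}

OC_ROOT=$(make_sample_tree)
echo "writable before: $(find_writable_user_ini "$OC_ROOT")"
lock_user_ini "$OC_ROOT"
echo "writable after:  $(find_writable_user_ini "$OC_ROOT")"
echo "post_max_size = $(ini_value "$OC_ROOT/owncloud/.user.ini" post_max_size)"
rm -rf "$OC_ROOT"
```

With the file at 0640 the admin panel's upload-size field stays greyed out, as reported above, so the limits are changed by editing `.user.ini` as root instead.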
 

neto_hugo

Explorer
Joined
Mar 6, 2012
Messages
87
Sorry, duplicate
 

Joshua Parker Ruehlig

@Joshua Parker Ruehlig I'm starting a new fresh installation. In the tuto first page is suggested:

Code:
FreeNAS WebUI
Storage> Create ZFS Dataset
Dataset Name = files
Compression level = LZ4
Enable atime = Off
Dataset Name = db
Compression level = zle
Enable atime = Off
Record Size = 16K


I believe the option zle on the compression level is no longer available in version 9.3.1, correct? May I leave lz4 such as in Dataset files?
Thank you
not sure if they took it out. that option isn't critical though. none, lz4, zle all work fine
 

neto_hugo

@Joshua Parker Ruehlig I'm starting a new fresh installation. In the tuto first page is suggested:

Code:
FreeNAS WebUI
Storage> Create ZFS Dataset
Dataset Name = files
Compression level = LZ4
Enable atime = Off
Dataset Name = db
Compression level = zle
Enable atime = Off
Record Size = 16K


I believe the option zle on the compression level is no longer available in version 9.3.1, correct? May I leave lz4 such as in Dataset files?
Thank you
 

neto_hugo

Sorry one more question ...:oops:

On the openssl-1.0.2 setup screen, do I need to select or deselect any option? or can I leave all of them default and continue with the installation?
Thanks!

Edit
Leaving all options default I'm getting this warning:
Code:
root@MyCloud:/ # make install clean -C /usr/ports/security/php56-openssl && pkg install php56-curl
===>   php56-openssl-5.6.7 depends on file: /usr/local/lib/libcrypto.so.8 - not found
===>    Verifying install for /usr/local/lib/libcrypto.so.8 in /usr/ports/security/openssl
===>  openssl-1.0.2 GMP is LGPLv3 and can not be linked.
*** [install] Error code 1

Stop in /usr/ports/security/openssl.
*** [build-depends] Error code 1

Stop in /usr/ports/security/php56-openssl.
 