[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
After updating FreeNAS 9.10 U2 to U4 my nextcloud gave the error that the .ocdata file was missing from my /mnt/files directory. I created the file .ocdata and changed the permissions to www:www. After that I could access the nextcloud, but trying to open documents gives me a server error (unexpected server response 503). I'm not sure why things broke or how to fix it.
I assume your /mnt/files directory was a mounted dataset. Make sure it is still mounted.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Josh, I checked my storage for nextcloud and there was a conflict with 2 directories linked to the /mnt/files mount point. I deleted the one that was an error and now everything works. I don't recall creating the incorrect mount point. Do you think the update of FreeNAS exposed that error that was already there? Also wondering what your opinion is of updating to FreeNAS 11.
Thanks for your help.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Josh, I checked my storage for nextcloud and there was a conflict with 2 directories linked to the /mnt/files mount point. I deleted the one that was an error and now everything works. I don't recall creating the incorrect mount point. Do you think the update of FreeNAS exposed that error that was already there? Also wondering what your opinion is of updating to FreeNAS 11.
Thanks for your help.
I don't think the update would do that, but maybe it was a bug.

I haven't tried updating to FN11 yet. Might wait a bit.
 

ArgaWoW

Patron
Joined
Jul 4, 2015
Messages
444
Someone else had this issue in this thread. Can you confirm you have php70-opcache installed?
'pkg info | grep opcache'
Hello Joshua,
I got the same message on the admin page regarding the opcache. I have made the changes as told on the admin page, and I have enabled it with the occ command on the first page. Still the same message:

The PHP Opcache is not properly configured. For better performance we recommend ↗ to use following settings in the php.ini:


Have I missed something? Can you help here please :) I have had this error since I upgraded to Nextcloud 12.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Hello Joshua,
I got the same message on the admin page regarding the opcache. I have made the changes as told on the admin page, and I have enabled it with the occ command on the first page. Still the same message:

The PHP Opcache is not properly configured. For better performance we recommend ↗ to use following settings in the php.ini:


Have I missed something? Can you help here please :) I have had this error since I upgraded to Nextcloud 12.
The occ command has nothing to do with opcache.
You need to make sure php70-opcache or php71-opcache is installed. Then restart php-fpm.
 

ArgaWoW

Patron
Joined
Jul 4, 2015
Messages
444

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Worked for me. Thanks a lot.

Just to learn a bit: what are the occ commands on the first page doing?
Those are enabling the APCu and redis caches, which are used to store objects and locking status.
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
Hello everyone, I've been reading all 77 pages of this thread before trying to install Nextcloud 12 on my FreeNAS box. I have a question though: I already have a jail running nginx to reverse proxy all my plugins/jails with SSL (this is the guide https://forums.freenas.org/index.ph...-to-reverse-proxy-your-jails-w-certbot.49876/). I would like to know if anyone would be so kind as to share their nginx.conf for nextcloud (or owncloud). I saw that on page 62 there is an updated guide I could try to follow. My main issue here is that I just want NC to run locally; I can take care of the rest with the reverse proxy. How can I make the nginx.conf "slimmer" so that it results in something like localip/nextcloud?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Hello everyone, I've been reading all 77 pages of this thread before trying to install Nextcloud 12 on my FreeNAS box. I have a question though: I already have a jail running nginx to reverse proxy all my plugins/jails with SSL (this is the guide https://forums.freenas.org/index.ph...-to-reverse-proxy-your-jails-w-certbot.49876/). I would like to know if anyone would be so kind as to share their nginx.conf for nextcloud (or owncloud). I saw that on page 62 there is an updated guide I could try to follow. My main issue here is that I just want NC to run locally; I can take care of the rest with the reverse proxy. How can I make the nginx.conf "slimmer" so that it results in something like localip/nextcloud?
Just use the nginx.conf from the first page; it is more up to date than what you are referring to (for Nextcloud 12).
You can change the references of /owncloud to /nextcloud, and make sure you have the source folder at /usr/local/www/nextcloud.
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
Just use the nginx.conf from the first page; it is more up to date than what you are referring to (for Nextcloud 12).
You can change the references of /owncloud to /nextcloud, and make sure you have the source folder at /usr/local/www/nextcloud.

Thank you very much. I'll do that first thing tomorrow morning.
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
I'm up and running, thank you again. I'm having these security messages though:
Code:
  • The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
  • The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
  • The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.


Any idea?
 

stillka

Explorer
Joined
Nov 15, 2014
Messages
55
Hello, could somebody update the guide for the current FreeNAS 11 / ownCloud 10.x scenario?
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Not sure it's any different, other than selecting/downloading the version of ownCloud or Nextcloud you want
 

stillka

Explorer
Joined
Nov 15, 2014
Messages
55
Not sure it's any different, other than selecting/downloading the version of ownCloud or Nextcloud you want
I have successfully installed ownCloud 10.0.2 using that guide, but it was necessary to add some new lines to nginx.conf for HTTPS and TLS support, so at least this would be nice to document in the main guide.

Sent from my MI 5 using Tapatalk
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I have successfully installed ownCloud 10.0.2 using that guide, but it was necessary to add some new lines to nginx.conf for HTTPS and TLS support, so at least this would be nice to document in the main guide.

Sent from my MI 5 using Tapatalk
There are numerous ways to acquire an SSL certificate and as such it is beyond the scope of this tutorial. Posting one way to do it would cause more questions than it would answer.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I'm up and running, thank you again. I'm having these security messages though:
Code:
  • The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
  • The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
  • The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.


Any idea?
Can you copy over your nginx.conf? I probably need to see what you did to adapt it for nextcloud.
What is strange is that SAMEORIGIN is set by nextcloud's code now in version 12.
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
Can you copy over your nginx.conf? I probably need to see what you did to adapt it for nextcloud.
What is strange is that SAMEORIGIN is set by nextcloud's code now in version 12.


Hey, thanks for your time.

I'll give you a bit of context: I have nextcloud 12 installed with nginx running and this is the nginx.conf
Code:
worker_processes 8;

events {
	worker_connections  1024;
}

http {
	include	  mime.types;
	default_type  application/octet-stream;
	sendfile		off;
	keepalive_timeout  65;
	gzip off;

	server {
		root /usr/local/www;

		location = /robots.txt { allow all; access_log off; log_not_found off; }
		location = /favicon.ico { access_log off; log_not_found off; }
		location ^~ /nextcloud {
			error_page 403 /nextcloud/core/templates/403.php;
			error_page 404 /nextcloud/core/templates/404.php;
			location /nextcloud {
				rewrite ^ /nextcloud/index.php$request_uri;
			}
			location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
				deny all;
			}
			location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
				deny all;
			}
			location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
				fastcgi_split_path_info ^(.+\.php)(/.*)$;
				include fastcgi_params;
				fastcgi_pass unix:/var/run/php-fpm.sock;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				fastcgi_param PATH_INFO $fastcgi_path_info;
				fastcgi_param front_controller_active true;
				fastcgi_intercept_errors on;
			}
			location ~* \.(?:css|js|woff|svg|gif)$ {
				try_files $uri /nextcloud/index.php$request_uri;
				# Optional: Don't log access to assets
				access_log off;
			}
			location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
				try_files $uri /nextcloud/index.php$request_uri;
			}
			# set max upload size
			client_max_body_size 2048M;
			fastcgi_buffers 64 4K;
		}
	}
}



Then I have NGINX as a reverse proxy as well and it is set up like this:
Code:
	   
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user  nobody;
worker_processes  8;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid		logs/nginx.pid;


events {
	worker_connections  1024;
}


http {
	include	   mime.types;
	default_type  application/octet-stream;
	server_tokens off;

	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	#				  '$status $body_bytes_sent "$http_referer" '
	#				  '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log  logs/access.log  main;

	sendfile		on;
	#tcp_nopush	 on;

	#keepalive_timeout  0;
	keepalive_timeout  65;

	#gzip  on;

	server {
		listen 80;
		server_name *****.info;
		return 301 https://$server_name$request_uri;
		}

	server {
		listen	   443 ssl;
		server_name  ****.info;
		include ssl_common.conf;
		include proxy_setup.conf;

		#charset koi8-r;

		### Set headers ###
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors ****.info;";
		proxy_set_header Accept-Encoding "";
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_buffering off;
		#add_header Front-End-Https on;
		### Options ##
		client_max_body_size 16400M;
		### Set timeouts ###
		proxy_read_timeout 600s;
		proxy_send_timeout 600s;
		proxy_connect_timeout 600s;

		#access_log  logs/host.access.log  main;

		location / {
			root   /usr/local/www/nginx;
			index  index.html index.htm;
		}

		#error_page  404			  /404.html;

		# redirect server error pages to the static page /50x.html
		#
		error_page   500 502 503 504  /50x.html;
		location = /50x.html {
			root   /usr/local/www/nginx-dist;
		}

		# proxy the PHP scripts to Apache listening on 127.0.0.1:80
		#
		#location ~ \.php$ {
		#	proxy_pass   http://127.0.0.1;
		#}

		# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
		#
		#location ~ \.php$ {
		#	root		   html;
		#	fastcgi_pass   127.0.0.1:9000;
		#	fastcgi_index  index.php;
		#	fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
		#	include		fastcgi_params;
		#}

		# deny access to .htaccess files, if Apache's document root
		# concurs with nginx's one
		#
		#location ~ /\.ht {
		#	deny  all;
		#}
	}


	# another virtual host using mix of IP-, name-, and port-based configuration
	#
	#server {
	#	listen	   8000;
	#	listen	   somename:8080;
	#	server_name  somename  alias  another.alias;

	#	location / {
	#		root   html;
	#		index  index.html index.htm;
	#	}
	#}


	# HTTPS server
	#
	#server {
	#	listen	   443 ssl;
	#	server_name  localhost;

	#	ssl_certificate	  cert.pem;
	#	ssl_certificate_key  cert.key;

	#	ssl_session_cache	shared:SSL:1m;
	#	ssl_session_timeout  5m;

	#	ssl_ciphers  HIGH:!aNULL:!MD5;
	#	ssl_prefer_server_ciphers  on;

	#	location / {
	#		root   html;
	#		index  index.html index.htm;
	#	}
	#}

}



Last, I have the nextcloud bit, which is simply:
Code:
	location /nextcloud {
		proxy_pass http://192.168.1.9/nextcloud;
	}




With this exact configuration I pass all the checks from nextcloud, BUT if I try to test my site on securityheaders.io I get a "D".

Code:
Missing Headers
Public-Key-Pins HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
X-Frame-Options X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".
X-XSS-Protection X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
X-Content-Type-Options X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".


I can get an A if I put those headers in my reverse proxy nginx.conf file, but then nextcloud will spit out those security checks I posted earlier. I really have no clue...
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Hey, thanks for your time.

I'll give you a bit of context: I have nextcloud 12 installed with nginx running and this is the nginx.conf
Code:
worker_processes 8;

events {
	worker_connections  1024;
}

http {
	include	  mime.types;
	default_type  application/octet-stream;
	sendfile		off;
	keepalive_timeout  65;
	gzip off;

	server {
		root /usr/local/www;

		location = /robots.txt { allow all; access_log off; log_not_found off; }
		location = /favicon.ico { access_log off; log_not_found off; }
		location ^~ /nextcloud {
			error_page 403 /nextcloud/core/templates/403.php;
			error_page 404 /nextcloud/core/templates/404.php;
			location /nextcloud {
				rewrite ^ /nextcloud/index.php$request_uri;
			}
			location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
				deny all;
			}
			location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
				deny all;
			}
			location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
				fastcgi_split_path_info ^(.+\.php)(/.*)$;
				include fastcgi_params;
				fastcgi_pass unix:/var/run/php-fpm.sock;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				fastcgi_param PATH_INFO $fastcgi_path_info;
				fastcgi_param front_controller_active true;
				fastcgi_intercept_errors on;
			}
			location ~* \.(?:css|js|woff|svg|gif)$ {
				try_files $uri /nextcloud/index.php$request_uri;
				# Optional: Don't log access to assets
				access_log off;
			}
			location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
				try_files $uri /nextcloud/index.php$request_uri;
			}
			# set max upload size
			client_max_body_size 2048M;
			fastcgi_buffers 64 4K;
		}
	}
}



Then I have NGINX as a reverse proxy as well and it is set up like this:
Code:
	 
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user  nobody;
worker_processes  8;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid		logs/nginx.pid;


events {
	worker_connections  1024;
}


http {
	include	   mime.types;
	default_type  application/octet-stream;
	server_tokens off;

	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	#				  '$status $body_bytes_sent "$http_referer" '
	#				  '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log  logs/access.log  main;

	sendfile		on;
	#tcp_nopush	 on;

	#keepalive_timeout  0;
	keepalive_timeout  65;

	#gzip  on;

	server {
		listen 80;
		server_name *****.info;
		return 301 https://$server_name$request_uri;
		}

	server {
		listen	   443 ssl;
		server_name  ****.info;
		include ssl_common.conf;
		include proxy_setup.conf;

		#charset koi8-r;

		### Set headers ###
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors ****.info;";
		proxy_set_header Accept-Encoding "";
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_buffering off;
		#add_header Front-End-Https on;
		### Options ##
		client_max_body_size 16400M;
		### Set timeouts ###
		proxy_read_timeout 600s;
		proxy_send_timeout 600s;
		proxy_connect_timeout 600s;

		#access_log  logs/host.access.log  main;

		location / {
			root   /usr/local/www/nginx;
			index  index.html index.htm;
		}

		#error_page  404			  /404.html;

		# redirect server error pages to the static page /50x.html
		#
		error_page   500 502 503 504  /50x.html;
		location = /50x.html {
			root   /usr/local/www/nginx-dist;
		}

		# proxy the PHP scripts to Apache listening on 127.0.0.1:80
		#
		#location ~ \.php$ {
		#	proxy_pass   http://127.0.0.1;
		#}

		# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
		#
		#location ~ \.php$ {
		#	root		   html;
		#	fastcgi_pass   127.0.0.1:9000;
		#	fastcgi_index  index.php;
		#	fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
		#	include		fastcgi_params;
		#}

		# deny access to .htaccess files, if Apache's document root
		# concurs with nginx's one
		#
		#location ~ /\.ht {
		#	deny  all;
		#}
	}


	# another virtual host using mix of IP-, name-, and port-based configuration
	#
	#server {
	#	listen	   8000;
	#	listen	   somename:8080;
	#	server_name  somename  alias  another.alias;

	#	location / {
	#		root   html;
	#		index  index.html index.htm;
	#	}
	#}


	# HTTPS server
	#
	#server {
	#	listen	   443 ssl;
	#	server_name  localhost;

	#	ssl_certificate	  cert.pem;
	#	ssl_certificate_key  cert.key;

	#	ssl_session_cache	shared:SSL:1m;
	#	ssl_session_timeout  5m;

	#	ssl_ciphers  HIGH:!aNULL:!MD5;
	#	ssl_prefer_server_ciphers  on;

	#	location / {
	#		root   html;
	#		index  index.html index.htm;
	#	}
	#}

}



Last, I have the nextcloud bit, which is simply:
Code:
	location /nextcloud {
		proxy_pass http://192.168.1.9/nextcloud;
	}




With this exact configuration I pass all the checks from nextcloud, BUT if I try to test my site on securityheaders.io I get a "D".

Code:
Missing Headers
Public-Key-Pins HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
X-Frame-Options X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".
X-XSS-Protection X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
X-Content-Type-Options X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".


I can get an A if I put those headers in my reverse proxy nginx.conf file, but then nextcloud will spit out those security checks I posted earlier. I really have no clue...
I have a feeling that by adding those headers with your nginx proxy, it is removing the X-Frame-Options that Nextcloud 12 sends.

As for the complaints about the other headers, in my opinion X-XSS-Protection and X-Content-Type-Options for any modern browsers.

And, I personally don't add any of those headers, but you can see what nextcloud recommends adding here.
https://docs.nextcloud.com/server/1...ion/nginx.html#nextcloud-in-a-subdir-of-nginx
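Since the thread is about which side (reverse proxy or Nextcloud) ends up sending X-Frame-Options, X-XSS-Protection and X-Content-Type-Options, here is a small header audit to settle that per host. It is an added example written for this thread, not code from the thread, from Nextcloud or from nginx. It takes the header block of one HTTP response (what `curl -sI https://host/nextcloud/` prints) and reports each header named in the posts that is missing, carries a value other than the one Nextcloud's admin page asks for, or arrives twice, which is what you get when both the proxy and the backend set the same header. The response text below is constructed for the demo; `example.invalid` is a placeholder hostname.

```python
"""Audit response headers against the values quoted in the thread.

Added example (not from the thread, Nextcloud or nginx). SAMPLE_RESPONSE
is a constructed header block, not a capture from a real host.
"""
from typing import Dict, List, Tuple

# Values exactly as quoted by Nextcloud's admin check in the posts above.
EXPECTED_VALUE: Dict[str, str] = {
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
}

# Headers the proxy config in the thread already sends; only presence is
# checked because the right value depends on the site.
PRESENCE_ONLY = (
    "strict-transport-security",
    "referrer-policy",
    "content-security-policy",
)


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response header block into (name, value) pairs.

    Names are lower-cased (header names are case-insensitive). Duplicates
    are kept on purpose so a header emitted twice is visible as such.
    """
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(pairs: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per problem; an empty list means every check passes."""
    seen: Dict[str, List[str]] = {}
    for name, value in pairs:
        seen.setdefault(name, []).append(value)

    findings: List[str] = []
    for name, want in EXPECTED_VALUE.items():
        got = seen.get(name, [])
        if not got:
            findings.append(f'{name}: missing, expected "{want}"')
        elif len(got) > 1:
            # Proxy and backend both added it; it should be set in one place.
            findings.append(f"{name}: sent {len(got)} times ({', '.join(got)})")
        elif got[0] != want:
            findings.append(f'{name}: is "{got[0]}", expected "{want}"')
    for name in PRESENCE_ONLY:
        if name not in seen:
            findings.append(f"{name}: missing")
    return findings


# Constructed sample: a proxy that adds X-Frame-Options in front of a
# Nextcloud 12 backend that already sends it, plus a wrong X-XSS-Protection.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=2592000; includeSubdomains
Referrer-Policy: no-referrer
Content-Security-Policy: frame-ancestors example.invalid;
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
"""


def audit_sample() -> List[str]:
    """Run the audit on the constructed sample response."""
    return audit_headers(parse_raw_headers(SAMPLE_RESPONSE))


if __name__ == "__main__":
    for finding in audit_sample() or ["all checked headers OK"]:
        print(finding)
```

Running it once against the public hostname and once against the backend directly (http://192.168.1.9/nextcloud/ in the config above) shows which hop contributes each header, which is the quickest way to decide where a header belongs and to avoid the duplicate case the audit flags.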
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
I have a feeling that by adding those headers with your nginx proxy, it is removing the X-Frame-Options that Nextcloud 12 sends.

As for the complaints about the other headers, in my opinion X-XSS-Protection and X-Content-Type-Options for any modern browsers.

And, I personally don't add any of those headers, but you can see what nextcloud recommends adding here.
https://docs.nextcloud.com/server/1...ion/nginx.html#nextcloud-in-a-subdir-of-nginx

Thanks, I didn't really understand your second sentence though, maybe missing the verb? ;)

Anyway, shouldn't my reverse proxy be the "one to consider" when we talk about security? It should be the one talking to the internet, so I wouldn't really mind getting errors from nextcloud as long as I'm fine using the reverse proxy in the appropriate way.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Thanks, I didn't really understand your second sentence though, maybe missing the verb? ;)

Anyway, shouldn't my reverse proxy be the "one to consider" when we talk about security? It should be the one talking to the internet, so I wouldn't really mind getting errors from nextcloud as long as I'm fine using the reverse proxy in the appropriate way.
lol, meant to say those headers are irrelevant for any modern browser.

Hmm, I think that's a matter of opinion/design where you want those headers added. I personally don't add any of them except possibly HSTS with my SSL proxy (using HAProxy), and nextcloud adds X-Frame-Options for me.
 