How to Setup OwnCloud 9 with Nginx and OpenSSL on FreeBSD 11

November 9, 2016 | By in UNIX

OwnCloud is a free and open source file sharing platform, built on PHP and MySQL, which allows us to create our very own cloud storage. The OwnCloud server, the free edition, is released under the GNU AGPLv3 license, whereas the Enterprise edition is under the OwnCloud Commercial license. It follows a client-server architecture in which files are stored on the server and clients are used to access and share them. OwnCloud clients are available for every platform, making it easy to manage and access files from every device. FreeBSD is a free and open source Unix-like operating system based on BSD systems. Unlike Linux, FreeBSD is developed as an entire operating system, from the kernel and device drivers to the userland utilities, whereas Linux is a kernel with device drivers. Nginx is a free and open source web server which is popular for its speed and its load balancing and caching abilities. It is one of the most popular web and proxy servers and is used on a large number of servers.

At the time of writing this article, the latest release of OwnCloud is 9.1.1, so we'll set it up on our freshly installed FreeBSD 11 server.

Installing FEMP Stack

FEMP stack is the combination of an Nginx web server, a MySQL/MariaDB database server and PHP modules running on a FreeBSD server. FEMP is one of the widely used stacks for hosting websites and web applications. Here, we'll be installing the FEMP stack in order to run our PHP based OwnCloud server.

Installing Nginx webserver

In order to install Nginx, we'll need to run the following pkg command as the default package manager of FreeBSD 11 is pkg.

% sudo pkg install nginx

Installing MySQL DB

Then, we'll need to set up the MySQL DB server where we'll store the database for our OwnCloud instance. To install MySQL database server version 5.6, we'll need to execute the following command in a terminal or console with sudo or root access.

% sudo pkg install mysql56-server

Installing PHP 7.0 Modules

Next, we'll install all the required PHP 7.0 modules so that we can run our PHP based app OwnCloud server in our FreeBSD 11 machine. In order to install the required PHP modules, we'll need to run the following command.

% sudo pkg install php70 php70-mysqli php70-xml php70-gd php70-curl php70-zlib php70-zip php70-hash php70-tokenizer php70-extensions php70-pdo_mysql php70-openssl php70-gmp php70-ldap php70-exif php70-fileinfo php70-mbstring php70-bcmath php70-bz2 php70-mcrypt pecl-APCu pecl-intl

Note that the modules installed above are the common PHP modules; depending upon the requirements, you may need to install additional modules.

Once the modules are installed, we'll copy the sample PHP configuration, i.e. /usr/local/etc/php.ini-production, to /usr/local/etc/php.ini by executing the following command.

% sudo cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

We'll open the file /usr/local/etc/php.ini using a text editor like nano or vi, as follows.

% sudo nano /usr/local/etc/php.ini

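Then, we'll uncomment the cgi.fix_pathinfo line in php.ini and set the value to 0 in order to prevent users from executing arbitrary PHP code. With the default value of 1, PHP tries to resolve a nonexistent script path to the nearest existing file, which can cause a non-PHP file such as an upload to be executed as PHP code.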

cgi.fix_pathinfo=0

Once done editing, we'll save the file and exit the text editor. Next, we'll need to run rehash command in order to regenerate the system's cache information about our installed executable files.

% rehash

Enabling services

We'll now execute the following sysrc command in order to enable nginx, php-fpm and mysql services. Enabling the services will run the respective daemons automatically on every system boot.

% sudo sysrc nginx_enable=yes mysql_enable=yes php_fpm_enable=yes

Once done, we'll start the daemons by running the following command.

% sudo service nginx start
% sudo service mysql-server start
% sudo service php-fpm start

Configuring PHP-FPM

Now, we'll need to configure PHP-FPM to use a Unix socket instead of a network port for communication, as it's more secure than a network port: access to the socket is controlled by file ownership and permissions. To do so, we'll need to make a few changes to the php-fpm configuration file /usr/local/etc/php-fpm.d/www.conf using a text editor.

% sudo nano /usr/local/etc/php-fpm.d/www.conf

Then, we'll comment out the line listen = 127.0.0.1:9000 by adding a semi-colon, i.e. ; before the line. Once done, we'll add the following line just below it.

listen = /var/run/php-fpm.sock

Next, we'll uncomment the following lines by removing the leading semi-colon, so that they read as follows.

listen.owner = www
listen.group = www
listen.mode = 0660

Once done, we'll save the file and exit the text editor, then restart PHP-FPM by running the following command.

% sudo service php-fpm restart
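
The check below is an added example, not part of the original article: it audits the two edits made so far, cgi.fix_pathinfo in php.ini and the listen settings in www.conf. The function names and the sample files it writes to a temporary directory are constructed for illustration; on the server, pass /usr/local/etc/php.ini and /usr/local/etc/php-fpm.d/www.conf instead.

```sh
#!/bin/sh
# Added example (not from the original article): audit the php.ini and
# PHP-FPM pool edits made above. File names are passed as arguments.

# Print the last uncommented value of KEY in an ini-style FILE (empty if unset).
ini_value() {
    awk -v key="$1" '
        /^[ \t]*;/ { next }                      # commented-out directive
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            sub(/[ \t]*;.*$/, "", v)             # trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$2"
}

# Succeeds only if cgi.fix_pathinfo is explicitly 0 (unset means PHP's default, 1).
check_php_ini() {
    [ "$(ini_value cgi.fix_pathinfo "$1")" = "0" ]
}

# Succeeds only if the pool listens on a Unix socket closed to "other" users.
check_fpm_pool() {
    listen=$(ini_value listen "$1")
    mode=$(ini_value listen.mode "$1")
    case "$listen" in
        /*) ;;                                   # absolute path: Unix socket
        *)  echo "listen=$listen is not a socket path"; return 1 ;;
    esac
    case "$mode" in
        0[0-7][0-7]0|[0-7][0-7]0) ;;             # e.g. 0660: no bits for others
        *)  echo "listen.mode='$mode' is unset or open to others"; return 1 ;;
    esac
}

# Constructed sample inputs: stock-style settings versus the tutorial's edits.
tmp=$(mktemp -d)
printf ';cgi.fix_pathinfo=1\n' > "$tmp/php.ini.stock"
printf 'cgi.fix_pathinfo=0\n' > "$tmp/php.ini.edited"
printf '[www]\nlisten = 127.0.0.1:9000\n;listen.mode = 0660\n' > "$tmp/www.stock"
printf '[www]\n;listen = 127.0.0.1:9000\nlisten = /var/run/php-fpm.sock\nlisten.mode = 0660\n' > "$tmp/www.edited"
for f in "$tmp"/php.ini.*; do check_php_ini "$f" && echo "PASS $f" || echo "FAIL $f"; done
for f in "$tmp"/www.*; do check_fpm_pool "$f" && echo "PASS $f" || echo "FAIL $f"; done
```
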

Configuring MySQL

As we haven’t set up any password for the root user of our MySQL server yet, we’ll set up a root password for it here. To do so, we'll need to run the following command.

% sudo mysql_secure_installation

It will ask us to enter the root password for our MySQL server, but as we haven’t set any password before, we’ll simply press Enter. Then, we’ll be asked whether to set a password for our MySQL root user; here we’ll answer Y and enter it. Then, we’ll simply press Enter to accept the default values for the remaining settings.

Creating Database for OwnCloud

As our MySQL server has been configured successfully, we'll now create a new database for our OwnCloud instance. To do so, we'll first need to log in as the root user of the MySQL server by running the following command.

% sudo mysql -u root -p

Then, we'll be asked to enter the password which we set just above. Once the login succeeds, we'll be welcomed into the MySQL console environment. Here, we'll need to run the following commands to create a database and set a user and password for it.

> CREATE DATABASE ownclouddb;
> CREATE USER ownclouduser@localhost IDENTIFIED BY 'Pa$$word123';
> GRANT ALL PRIVILEGES ON ownclouddb.* TO 'ownclouduser'@'localhost';
> FLUSH PRIVILEGES;
> EXIT;

Here, in this tutorial, we are creating a new database, user and password as ownclouddb, ownclouduser and Pa$$word123 respectively. The password is only a sample value; choose a strong, unique one for a real installation.

Generating SSL Certificate

Now we'll generate an SSL certificate so that the traffic to and from our OwnCloud gets encrypted. We can also obtain a certificate signed by a CA for better authentication and security, but here in this tutorial we'll use a self-signed SSL certificate, which should work fine. To do so, we'll execute the following commands, which will generate and store the key and certificate in the /usr/local/etc/nginx/cert/ directory.

% sudo mkdir -p /usr/local/etc/nginx/cert/
% cd /usr/local/etc/nginx/cert/
% sudo openssl req -new -x509 -days 365 -nodes -out /usr/local/etc/nginx/cert/owncloud.crt -keyout /usr/local/etc/nginx/cert/owncloud.key

Once the last command above is entered, we'll be asked for some information required for generating the SSL certificate. We'll need to enter that information to move ahead. Once done, the certificate and the key file are generated in the required directory. Then, while still in that directory, we'll need to make sure that the certificate and key are not accessible except by the file owner.

% sudo chmod 600 *

Downloading and Extracting OwnCloud

Now, we'll download the latest release of OwnCloud server to our machine. We can get the latest release from OwnCloud's official download page. While writing this article, the latest release of OwnCloud was version 9.1.1, so we'll get the link of the zip file from the website and then use wget to download it to our FreeBSD 11 server. Here, we'll download the compressed zip file to the /tmp/ directory as follows.

% cd /tmp/
% wget https://download.owncloud.org/community/owncloud-9.1.1.zip

Once the download is completed, we'll extract the compressed zip file using the unzip command.

% unzip owncloud-9.1.1.zip

Next, we'll move the directory to nginx's webroot, i.e. /usr/local/www/ by default.

% sudo mv owncloud/  /usr/local/www/

After that, we'll need to change the ownership of the owncloud files and directories to www so that Nginx will have full access over the files and directories of OwnCloud. To do so, we'll need to execute the following command.

% sudo chown -R www:www /usr/local/www/owncloud/

Configuring Nginx with PHP-FPM

We'll now configure our Nginx web server with PHP-FPM so that we can run our OwnCloud in our web browser. To do so, we'll need to edit the Nginx configuration located at /usr/local/etc/nginx/nginx.conf using a text editor.

% sudo nano /usr/local/etc/nginx/nginx.conf

Once the text editor is opened, we'll need to set the user value as www and worker_processes as the number of CPUs or cores that our machine is configured with. This can be checked by running sysctl hw.ncpu in the console. Then, we'll need to configure our server{} block as shown in the following nginx configuration.

    user  www;
    worker_processes  1; #No. of processors
    error_log /var/log/nginx/error.log info;

    events {
        worker_connections  1024;
    }

    http {
        include       mime.types;
        default_type  application/octet-stream;

        access_log /var/log/nginx/access.log;

        sendfile        on;
        keepalive_timeout  65;

        server {
            server_name cloud.linoxide.com www.cloud.linoxide.com;
            listen 80;
            return 301 https://$server_name$request_uri;
        }

        server {
            listen  443 ssl;
            server_name cloud.linoxide.com www.cloud.linoxide.com;
            root /usr/local/www/owncloud/;
            index index.php index.html index.htm;

            # Adding our self-signed SSL Certificate.
            ssl_certificate /usr/local/etc/nginx/cert/owncloud.crt;
            ssl_certificate_key /usr/local/etc/nginx/cert/owncloud.key;

            # Add headers to serve security related headers
            add_header Strict-Transport-Security "max-age=15768000;includeSubDomains; preload;";
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;

            # The following 2 rules are only needed for the user_webfinger app.
            # Uncomment it if you're planning to use this app.
            #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
            #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

            location = /.well-known/carddav {
                return 301 $scheme://$host/remote.php/dav;
            }
            location = /.well-known/caldav {
                return 301 $scheme://$host/remote.php/dav;
            }

            location /.well-known/acme-challenge { }

            # set max upload size
            client_max_body_size 512M;
            fastcgi_buffers 64 4K;

            # Disable gzip to avoid the removal of the ETag header
            gzip off;

            # Uncomment if your server is built with the ngx_pagespeed module
            # This module is currently not supported.
            #pagespeed off;

            error_page 403 /core/templates/403.php;
            error_page 404 /core/templates/404.php;

            location / {
                rewrite ^ /index.php$uri;
            }

            location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
                return 404;
            }
            location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
                return 404;
            }

            location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param HTTPS on;
                fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
                fastcgi_param front_controller_active true;
                fastcgi_pass unix:/var/run/php-fpm.sock;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
            }

            location ~ ^/(?:updater|ocs-provider)(?:$|/) {
                try_files $uri $uri/ =404;
                index index.php;
            }

            # Adding the cache control header for js and css files
            # Make sure it is BELOW the PHP block
            location ~* \.(?:css|js)$ {
                try_files $uri /index.php$uri$is_args$args;
                add_header Cache-Control "public, max-age=7200";
                # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
                # Before enabling Strict-Transport-Security headers please read into this topic first.
                #add_header Strict-Transport-Security "max-age=15552000;includeSubDomains";
                add_header X-Content-Type-Options nosniff;
                add_header X-Frame-Options "SAMEORIGIN";
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Robots-Tag none;
                add_header X-Download-Options noopen;
                add_header X-Permitted-Cross-Domain-Policies none;
                # Optional: Don't log access to assets
                access_log off;
            }

            location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
                try_files $uri /index.php$uri$is_args$args;
                # Optional: Don't log access to other assets
                access_log off;
            }
        }
    }

Once the configuration is edited and saved, we'll need to make sure that our configuration file doesn't have any syntax errors. We can check that by executing the following command.

% sudo nginx -t

If our configuration is OK, we'll restart our nginx server by running the following command.

% sudo service nginx restart
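
One property of the configuration above is worth checking: nginx inherits add_header directives from the server level only when a location defines none of its own, which is why the css/js location repeats the security headers and, with its Strict-Transport-Security line commented out, sends no HSTS header for those files. The following added example (not from the original article; dropped_headers and the sample file are constructed for illustration) lists the server-level headers that each location drops.

```sh
#!/bin/sh
# Added example (not from the original article). nginx inherits add_header
# from the enclosing level only if the current level defines none of its own.
# Assumes one directive per line and no braces inside location regexes;
# only the server -> location levels are modelled.
dropped_headers() {  # usage: dropped_headers NGINX_CONF
    awk '
        function report(   i, h) {
            for (i = 1; i <= nloc; i++)
                if (own[i])
                    for (h in S)
                        if (!((i, h) in L)) print name[i] ": " h
        }
        { sub(/^[ \t]+/, "") }
        /^#/ { next }                                  # skip comments
        $1 == "server" && /[{]/ {                      # new server block
            srv = depth + 1; nloc = 0
            split("", S); split("", L); split("", own)
        }
        srv && $1 == "location" && depth == srv {
            name[++nloc] = $0
            sub(/[ \t]*[{].*/, "", name[nloc])
        }
        srv && $1 == "add_header" {
            if (depth == srv) S[tolower($2)] = 1
            else if (depth == srv + 1) { L[nloc, tolower($2)] = 1; own[nloc] = 1 }
        }
        {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (srv && depth < srv) { report(); srv = 0 }
        }' "$1"
}

# Constructed sample: a trimmed copy of the server block shown above.
conf=$(mktemp)
cat > "$conf" <<'EOF'
server {
    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~* \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
        #add_header Strict-Transport-Security "max-age=15552000;includeSubDomains";
        add_header X-Content-Type-Options nosniff;
    }
}
EOF
dropped_headers "$conf"
```

On the server, run it against /usr/local/etc/nginx/nginx.conf; an empty result means every location that sets its own headers also repeats all server-level ones.
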

Installing OwnCloud

If everything above is set up as expected, we should now be able to access the web interface of the OwnCloud installer. To access it, we'll need to open our favourite web browser and point it to https://ip-address/ or https://cloud.linoxide.com/ . If we're using a self-signed SSL certificate, we'll see a warning in the web browser as shown below. As we're running Firefox, we'll need to click on Advanced, then Add Exception, and confirm the certificate.

SSL Self-Signed Certificate Confirmation

Then, we'll be welcomed into the OwnCloud Web Installer, in which we'll need to set up login details for our OwnCloud Administrator user. Next, we'll need to click on Storage & Database, in which we'll select MySQL/MariaDB as we have set up MySQL above.

OwnCloud Web Installation

Then, we'll need to enter the database login information which we set up above while creating our new database. Once done, we'll be directed to OwnCloud's file storage dashboard.

OwnCloud 9 Dashboard

Conclusion

Here we have installed the latest OwnCloud version 9.1.1 on our FreeBSD 11 machine with Nginx as the web server, MySQL DB as the database server, and PHP modules with PHP-FPM, secured with an SSL certificate. In this article the SSL certificate is self-signed, but we can also set up LetsEncrypt and generate a free CA-signed SSL certificate with it, or we can buy a commercial CA certificate from different providers. As the installation has been completed, we can now add more users, set up email configuration, and upload and share our required files and folders. A further advantage of OwnCloud is that we can install many cloud based apps which we can use to perform many activities on our OwnCloud server. We can connect to the OwnCloud platform using its clients, which can be run on almost any platform. So, if you have any questions, suggestions or feedback, please write them in the comment box below. Thank you! Enjoy :-)
