From Fedora Project Wiki

(Brand new edition of Owncloud installation guide, with all main security features enabled)
(→‎Resources: Nginx added)
 
(15 intermediate revisions by 6 users not shown)
Line 1: Line 1:
ownCloud is a AGPLv3 private file server
[https://www.owncloud.org ownCloud] is a web application that implements "cloud" services such as file storage and sharing, contact and calendar hosting and more. This page will help you set up an ownCloud server running on a Fedora system. See also the [http://doc.owncloud.org/ official documentation] (though we advise against using upstream's ownCloud packages from the Open Build Service: this guide uses Fedora's own ownCloud packages).
 
 
Owncloud is a software for creating a personal cloud system. Here, an installation guide for the server side.


== Features ==
== Features ==
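Review bot: the rewritten introduction advises against upstream's ownCloud packages from the Open Build Service but gives no reason for the advice. Add a short clause saying why Fedora's own packages are preferred, so that readers who already have the upstream packages installed can judge whether they need to switch.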
Line 8: Line 5:
* Online file storage
* Online file storage
* Android compatibility
* Android compatibility
* Contacts(CarDAV) and calendar (CalDAV) synchronization
* Contacts (CardDAV) and calendar (CalDAV) synchronization
* Music streaming
* Music streaming
* Many more
* Many more


==Installation==
== Installation ==
 
You most likely want to install one of {{package|owncloud-httpd}} or {{package|owncloud-nginx}}, depending on the web server you wish to use, and at least one of {{package|owncloud-mysql}}, {{package|owncloud-postgresql}} and {{package|owncloud-sqlite}} depending on the database you wish to use. For example:
 
# dnf install owncloud-httpd owncloud-mysql
 
If you wish to run ownCloud on [[Apache_HTTP_Server|Apache]] and use a [[MariaDB]] / MySQL database.
 
=== Enabling and starting the web server ===
 
You will need to enable and start the web server. For Apache:
 
# systemctl enable --now httpd
 
 
For nginx:
 
# systemctl enable --now nginx php-fpm
 
See the [[Apache_HTTP_Server|Apache page]] or [[Nginx|Nginx page]] for more detailed instructions on installing and configuring of web server.
 
=== Enabling, starting and configuring the database server ===
 
If you choose to use SQLite, no special configuration is required. However, please be aware that SQLite is not a good choice for even moderately-sized or public deployments, and should really only be used for small private deployments or testing.
 
==== [[MariaDB]] / MySQL ====
 
If you use MariaDB / MySQL, you will need to enable and start the database server. It is then strongly recommended to secure the server configuration.


<code># yum install owncloud</code>
# systemctl enable --now mysqld
===SSL certificate configuration===
$ mysql_secure_installation
In order to have secure communications between host and server, you need to generate a key and a certificate


<code># yum install crypto-utils</code>
You should then create a database and a user for ownCloud to use.


<code># genkey ''hostname''</code>
$ mysql -u root -p
  CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
  CREATE DATABASE IF NOT EXISTS owncloud;
  GRANT ALL PRIVILEGES ON owncloud.* TO 'username'@'localhost' IDENTIFIED BY 'password';
  FLUSH PRIVILEGES;


Answer "no" to the question "Would you like to send a Certificate Request (CSR) to a Certificate Authority (CA)?"
Set the username as you like (but 'owncloud' is always a safe choice...), and choose a strong password (it will be saved in your ownCloud configuration, so there's no need to worry about convenience in re-typing or remembering it).


To allow httpd service to use SSL, you need to install proper dependencies
For more information on MariaDB / MySQL deployment and configuration on Fedora, see [[MariaDB]]. You can also refer to the excellent [https://mariadb.com/kb/en/mariadb/documentation/ upstream documentation].


<code># yum install mod_ssl openssl</code>
==== [[PostgreSQL]] ====


and apply the following editings to
If you use PostgreSQL, you will need to initialize the server before enabling and starting it.


<code>/etc/httpd/conf.d/ssl.conf</code>
# postgresql-setup initdb
# systemctl enable --now postgresql


putting at the bottom
You will also need to configure SELinux to allow the web server to connect to the PostgreSQL server via TCP/IP:
<pre>
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
</pre>


To force SSL usage in Owncloud server:
# setsebool -P httpd_can_network_connect_db on


<code># nano /etc/owncloud/config.php</code>
and configure PostgreSQL to use password authentication for local TCP/IP connections. To do this, edit {{filename|/var/lib/pgsql/data/pg_hba.conf}} and change the mechanism from 'ident' to 'password' on the lines that configure TCP/IP connections from localhost, 127.0.0.1, and ::0. The line for the 'local' TYPE does not apply to ownCloud, as it does not use local socket access to PostgreSQL servers. More information on this file can be found in the [http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html PostgreSQL documentation].


e modify entry
Now you will need to create a database and user for ownCloud to use.


<code>'forcessl' => false</code>
# su - -c "psql" postgres
  CREATE USER username WITH PASSWORD 'password';
  CREATE DATABASE owncloud TEMPLATE template0 ENCODING 'UNICODE';
  ALTER DATABASE owncloud OWNER TO username;
  GRANT ALL PRIVILEGES ON DATABASE owncloud TO username;


as the following one
Set the username as you like (but 'owncloud' is always a safe choice...), and choose a strong password (it will be saved in your ownCloud configuration, so there's no need to worry about convenience in re-typing or remembering it).


<code>'forcessl' => true,</code>
It is also a good idea to set a password for the postgres user within PostgreSQL, which you can do with {{command|\password postgres}} from the PostgreSQL prompt.


For more details on PostgreSQL deployment and configuration on Fedora, see [[PostgreSQL]]. You can also refer to the excellent [http://www.postgresql.org/docs/current upstream documentation].


To create admin user, insert into the browser (ignoring warning about unsigned certificate)
=== TLS certificate configuration ===


<code>localhost/owncloud</code>
See the [[Apache_HTTP_Server|Apache page]] or [[Nginx|Nginx page]] for details on configuring TLS/SSL for your web server.


==Grant remote access to the server==
If you wish, you can configure your ownCloud server to only use TLS/SSL connections. Create a file {{filename|/etc/owncloud/forcessl.config.php}} with these contents:
===Firewall configuration===
You need to find out the active firewall zone


<code># firewall-cmd --list-all-zones | grep active</code>
<?php
$CONFIG = array (
  'forcessl' => true,
);


in our case:
Now whenever someone tries to connect to any ownCloud page without using TLS/SSL, they will be automatically redirected to the appropriate TLS/SSL URL.


<code>public (default, active)</code>
=== Initial ownCloud setup ===


then we will use the following commands to allow access to http and https services
To perform initial ownCloud configuration, browse to http://localhost or https://localhost (adding a trust exception for your self-signed certificate, if you used one) from the server. If you wish to perform initial configuration from a browser running on a different machine, you will need to refer to [[Apache_HTTP_Server#webapp-access-control|these instructions for broadening access to ownCloud]] and [[Apache_HTTP_Server#firewall-configuration|these instructions for opening firewall ports]]. Please ensure you do not expose the initial configuration wizard to public access!
<pre># firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=https
# systemctl restart firewalld</pre>


===Configuring Apache permissions===
In initial configuration, you will set an administrator username and password, and set your database configuration. If using MariaDB / MySQL or PostgreSQL, enter the appropriate username and password for the database you created earlier.
In order to allow access to remote hosts, you need to configure Apache's


<code>/etc/httpd/conf.d/owncloud.conf</code>
In case of trouble, try restarting the Apache service:


as the following example:
# systemctl restart httpd


<pre>
== Grant remote access to the server ==
<IfModule mod_authz_core.c>
# Apache 2.4
#Require local
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1
#Allow from ::1
Allow from all
</IfModule>
</pre>


===Configuration of exposed IP addresses===
Once you have run initial configuration on your server, you can refer to [[Apache_HTTP_Server#webapp-access-control|these instructions for broadening access to ownCloud]] and [[Apache_HTTP_Server#firewall-configuration|these instructions for opening firewall ports]] in order to allow access to your server from any host. Remember that if your server is running behind a NAT router and you wish to allow access from outside your local network, you will need to configure the router to forward the HTTP and HTTPS ports to your server. Configuring DNS is outside the scope of this documentation.
Finally you need to set into configuration file


<code>/etc/owncloud/config.php</code>
== ownCloud package update policy ==


at entry
Fedora's ownCloud packages may (and often will) receive major version bumps within a stable release. For instance, ownCloud 7.x may be shipped as an update to ownCloud 6.x within a single Fedora release. We believe this update policy is an appropriate reflection of the upstream development practices:


<pre>array (
* Old major versions are quickly deprecated, often receiving few, infrequent or even no updates immediately after a new major version ships
  0 => 'localhost',
* Upgrades across more than one major release are not supported and frequently fail, meaning it would be dangerous for us to release Fedora X with ownCloud 7 and Fedora X+1 with ownCloud 9
)</pre>
the IP addresses with which the server will be exposed outside (both LAN and WAN). An example of configuration with IP addresses for both LAN and WAN is:
<pre>
array (
  0 => 'localhost',
  1 => '192.168.1.100',
  2 => '200.100.1.100',
)
</pre>
 
== Troubleshooting ==


=== Dynamic IP adress ===
This policy will be adjusted as appropriate to changes in upstream's practices: if upstream ever adopts an approach more friendly to conservative upgrade policies, we may change to only doing major version bumps between Fedora releases.


If you have a dynamic IP address you can configure a dynamic DNS client, for example [[inadyn-mt]] to update your ip for your DNS server account
As ownCloud is not on the [[Critical_path_package|critical path]], we consider this approach acceptable under the [[Updates_Policy#All_other_updates|updates policy]] - we consider it not to be practically "at all possible" to "[a]void Major version updates, ABI breakage or API changes".


== Resources ==


==Resources==
* [[Apache_HTTP_Server]]
*[http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/ch-Web_Servers.html#s2-apache-mod_ssl Fedora Deployment_Guide: Setting Up an SSL Server]
* [[Nginx]]
*[http://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s1-apache-mod_ssl.html Fedora Deployment_Guide: Setting Up an SSL Server]
* [[MariaDB]]
* [http://doc.owncloud.org/server/6.0/admin_manual/contents.html ownCloud Administrators Manual]
* [[PostgreSQL]]
* [http://doc.owncloud.org/ ownCloud documentation]
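Review bot: in the new PostgreSQL paragraph, the pg_hba.conf instruction lists "::0" among the localhost addresses, but the IPv6 loopback address is ::1, so a reader searching the file for "::0" will not find the line to change. Suggest writing "::1". In the same paragraph, the 'password' mechanism makes the client send the password unhashed; since the paragraph already links to the PostgreSQL documentation, it could name md5 as the alternative value for that column. Separately, the new text replaces the firewall and Apache access-control steps with links to the Apache page, so the anchors #webapp-access-control and #firewall-configuration need to exist there before this revision goes live.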

Latest revision as of 10:10, 15 February 2017

ownCloud is a web application that implements "cloud" services such as file storage and sharing, contact and calendar hosting and more. This page will help you set up an ownCloud server running on a Fedora system. See also the official documentation (though we advise against using upstream's ownCloud packages from the Open Build Service: this guide uses Fedora's own ownCloud packages).

Features

  • Online file storage
  • Android compatibility
  • Contacts (CardDAV) and calendar (CalDAV) synchronization
  • Music streaming
  • Many more

Installation

You most likely want to install one of owncloud-httpd or owncloud-nginx, depending on the web server you wish to use, and at least one of owncloud-mysql, owncloud-postgresql and owncloud-sqlite depending on the database you wish to use. For example:

# dnf install owncloud-httpd owncloud-mysql

Use this command if you wish to run ownCloud on Apache and use a MariaDB / MySQL database.

Enabling and starting the web server

You will need to enable and start the web server. For Apache:

# systemctl enable --now httpd


For nginx:

# systemctl enable --now nginx php-fpm

See the Apache page or Nginx page for more detailed instructions on installing and configuring the web server.

Enabling, starting and configuring the database server

If you choose to use SQLite, no special configuration is required. However, please be aware that SQLite is not a good choice for even moderately-sized or public deployments, and should really only be used for small private deployments or testing.

MariaDB / MySQL

If you use MariaDB / MySQL, you will need to enable and start the database server. It is then strongly recommended to secure the server configuration.

# systemctl enable --now mysqld
$ mysql_secure_installation

You should then create a database and a user for ownCloud to use.

$ mysql -u root -p
  CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
  CREATE DATABASE IF NOT EXISTS owncloud;
  GRANT ALL PRIVILEGES ON owncloud.* TO 'username'@'localhost' IDENTIFIED BY 'password';
  FLUSH PRIVILEGES;

Set the username as you like (but 'owncloud' is always a safe choice...), and choose a strong password (it will be saved in your ownCloud configuration, so there's no need to worry about convenience in re-typing or remembering it).

For more information on MariaDB / MySQL deployment and configuration on Fedora, see MariaDB. You can also refer to the excellent upstream documentation.

PostgreSQL

If you use PostgreSQL, you will need to initialize the server before enabling and starting it.

# postgresql-setup initdb
# systemctl enable --now postgresql

You will also need to configure SELinux to allow the web server to connect to the PostgreSQL server via TCP/IP:

# setsebool -P httpd_can_network_connect_db on

and configure PostgreSQL to use password authentication for local TCP/IP connections. To do this, edit /var/lib/pgsql/data/pg_hba.conf and change the mechanism from 'ident' to 'password' on the lines that configure TCP/IP connections from localhost, 127.0.0.1, and ::0. The line for the 'local' TYPE does not apply to ownCloud, as it does not use local socket access to PostgreSQL servers. More information on this file can be found in the PostgreSQL documentation.
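The pg_hba.conf edit described above, as an added example that is not part of the original wiki page: two POSIX shell functions that list the loopback TCP/IP entries still using 'ident' and print the file with them switched over. The function names and the sample file are constructed for illustration, and the code assumes the loopback entries are written as in a stock file (localhost, 127.0.0.1/32 or ::1/128, optionally with a separate netmask column).

```sh
#!/bin/sh
# Added example, not from the wiki page: audit and rewrite pg_hba.conf so that
# loopback TCP/IP entries stop using 'ident'.

# Shared awk helpers. A host record is TYPE DATABASE USER ADDRESS [NETMASK]
# METHOD [OPTIONS], so the method is field 5, or field 6 after a netmask.
PG_HBA_AWK='
function method_field() {
    return ($5 ~ /^[0-9A-Fa-f.:]+$/ && $5 ~ /[.:]/) ? 6 : 5
}
function is_loopback(addr) {
    sub(/\/[0-9]+$/, "", addr)            # drop a CIDR suffix such as /32
    return addr == "localhost" || addr == "127.0.0.1" || addr == "::1"
}
function needs_change() {
    if (NF == 0 || $1 ~ /^#/) return 0    # blank line or comment
    if ($1 !~ /^host/) return 0           # "local" socket lines stay as-is
    return is_loopback($4) && $(method_field()) == "ident"
}
'

# pg_hba_audit FILE: print "LINE: record" for each entry still using ident.
pg_hba_audit() {
    awk "$PG_HBA_AWK"'needs_change() { print NR ": " $0 }' "$1"
}

# pg_hba_rewrite FILE [METHOD]: print FILE with those entries switched to
# METHOD (default: password, as in the guide). Changed records are re-joined
# with single spaces; all other lines pass through untouched.
pg_hba_rewrite() {
    awk -v method="${2:-password}" "$PG_HBA_AWK"'
        needs_change() { $(method_field()) = method }
        { print }' "$1"
}

# Constructed sample file (192.0.2.10 is a documentation address).
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   ident
host    all       all   ::1/128        ident
host    all       all   192.0.2.10/32  md5
EOF
}

sample_pg_hba | pg_hba_audit -
```

On a real server, run pg_hba_audit as root against /var/lib/pgsql/data/pg_hba.conf and review the output of pg_hba_rewrite before replacing the file. PostgreSQL only picks up the change after a reload or restart.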

Now you will need to create a database and user for ownCloud to use.

# su - -c "psql" postgres
  CREATE USER username WITH PASSWORD 'password';
  CREATE DATABASE owncloud TEMPLATE template0 ENCODING 'UNICODE';
  ALTER DATABASE owncloud OWNER TO username;
  GRANT ALL PRIVILEGES ON DATABASE owncloud TO username;

Set the username as you like (but 'owncloud' is always a safe choice...), and choose a strong password (it will be saved in your ownCloud configuration, so there's no need to worry about convenience in re-typing or remembering it).

It is also a good idea to set a password for the postgres user within PostgreSQL, which you can do with \password postgres from the PostgreSQL prompt.

For more details on PostgreSQL deployment and configuration on Fedora, see PostgreSQL. You can also refer to the excellent upstream documentation.

TLS certificate configuration

See the Apache page or Nginx page for details on configuring TLS/SSL for your web server.

If you wish, you can configure your ownCloud server to only use TLS/SSL connections. Create a file /etc/owncloud/forcessl.config.php with these contents:

<?php
$CONFIG = array (
  'forcessl' => true,
);

Now whenever someone tries to connect to any ownCloud page without using TLS/SSL, they will be automatically redirected to the appropriate TLS/SSL URL.

Initial ownCloud setup

To perform initial ownCloud configuration, browse to http://localhost or https://localhost (adding a trust exception for your self-signed certificate, if you used one) from the server. If you wish to perform initial configuration from a browser running on a different machine, you will need to refer to these instructions for broadening access to ownCloud and these instructions for opening firewall ports. Please ensure you do not expose the initial configuration wizard to public access!

In initial configuration, you will set an administrator username and password, and set your database configuration. If using MariaDB / MySQL or PostgreSQL, enter the appropriate username and password for the database you created earlier.

In case of trouble, try restarting the Apache service:

# systemctl restart httpd

Grant remote access to the server

Once you have run initial configuration on your server, you can refer to these instructions for broadening access to ownCloud and these instructions for opening firewall ports in order to allow access to your server from any host. Remember that if your server is running behind a NAT router and you wish to allow access from outside your local network, you will need to configure the router to forward the HTTP and HTTPS ports to your server. Configuring DNS is outside the scope of this documentation.

ownCloud package update policy

Fedora's ownCloud packages may (and often will) receive major version bumps within a stable release. For instance, ownCloud 7.x may be shipped as an update to ownCloud 6.x within a single Fedora release. We believe this update policy is an appropriate reflection of the upstream development practices:

  • Old major versions are quickly deprecated, often receiving few, infrequent or even no updates immediately after a new major version ships
  • Upgrades across more than one major release are not supported and frequently fail, meaning it would be dangerous for us to release Fedora X with ownCloud 7 and Fedora X+1 with ownCloud 9

This policy will be adjusted as appropriate to changes in upstream's practices: if upstream ever adopts an approach more friendly to conservative upgrade policies, we may change to only doing major version bumps between Fedora releases.

As ownCloud is not on the critical path, we consider this approach acceptable under the updates policy - we consider it not to be practically "at all possible" to "[a]void Major version updates, ABI breakage or API changes".

Resources