Complete Secure Setup and Deployment of OwnCloud
Hello everyone, recently I have been doing some very interesting and intensive work with OwnCloud, to be specific OwnCloud 7. I needed to create a safe and secure environment where people could come together to share files quickly and safely.
So what is OwnCloud? OwnCloud is a popular open source file sync and share community project. OwnCloud was founded in 2011 to give corporate IT greater control of their data — combining greater flexibility, openness and extensibility with on premise servers and storage. Company headquarters are in Boston, with European headquarters in Nuremberg, Germany.
To read some more about OwnCloud you can check out their about link here
(Enterprise has some very nice extra features such as logging/monitoring, better access to certified OwnCloud plugins, and much more. Check out their comparison chart here)
For this guide we will be using OwnCloud 7 Community edition. I would have loved to set up this install with their enterprise edition, but when I submitted a request for a quote they came back with around a $10,000 bill. Needless to say this wasn’t going to be an option.
For the machine specs, I will be running a minimal installation of CentOS 7 x86_64 (CentOS 7 only comes in x86_64), with one 80 GB HDD and 2 GB of memory. So this is a very basic starter machine for any beginner interested in OwnCloud, or maybe even a small-usage server. Obviously you should size your installation to fit your needs, so please keep that in mind. The OwnCloud forums and official documentation have some great information that I would highly suggest you reference when setting up your own OwnCloud instance.
Section 1.0: Initial Install
I won't go over how to install CentOS 7 on a machine, though if you need their ISO you can head over here. For this next section I configured all my network and machine settings in the GUI when I first installed CentOS. So if you don't want or need to know how to do it manually you can skip to the next section. But if you wish to know how to statically set your IPv4 address, DNS servers and hostname, continue reading below.
So after you have run the installer and either have an SSH connection into the box or are staring at your monitor, go ahead and statically assign the machine's network information. Doing this now will save you a good deal of time and effort later, so I would highly advise setting these before you continue.
Let's start by grabbing a few tools that do not come with the minimal installation and will come in handy later. Run the following command to get them (package names are case-sensitive, so it is vim, not VIM):
yum -y install vim net-tools wget
vim is a terminal editor that is more useful than the built-in vi; vi and vim are the same family, vim just has more features. net-tools provides the classic networking commands such as ifconfig, which lets you view network settings and configs (yes, I know it is odd that this is not already in the minimal install; the newer ip command is there instead). Lastly there is wget, a handy tool to grab files over the web if you know their URL.
If you ever need to install a package in a red-hat based distribution you can run:
yum search thepackageyouwanttofind
So as an example if I ran a “yum search games” my machine would search my installed repos for a list of packages that are related to games and display them in a list.
I would also grab the EPEL 7 repo while you're at it, with the following command:
rpm -ivh http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm
EPEL 7 is still in beta as of this writing, so it does not yet contain the OwnCloud packages. (Once EPEL 7 is out of beta, the epel-release package in the CentOS 7 "extras" repo is the supported way to enable it, and pulling a beta release RPM by URL is no longer needed.) You could instead add the EPEL 6 repo, which does contain the OwnCloud packages, but I do not advise this: you would have to restrict the EPEL 6 repo tightly so that it does not override EPEL 7 packages, meaning EPEL 6 will break your system if it is not regulated. I will explain later in this guide how to get the OwnCloud packages.
You can check which repos are installed and enabled on your system by running:
yum repolist all
After you install these tools, open the config file for your NIC under /etc/sysconfig/network-scripts/ (it is named ifcfg-<nicname>, for example ifcfg-eth0 or ifcfg-ens192) and change
BOOTPROTO=dhcp
to
BOOTPROTO=static
then add the following lines (replace x.x.x.x with your network's values). ONBOOT=yes makes sure the interface comes up at boot, and DNS1/DNS2 are where NetworkManager on CentOS 7 takes the name servers from when it writes /etc/resolv.conf:
IPADDR=x.x.x.x
NETMASK=x.x.x.x
GATEWAY=x.x.x.x
DNS1=x.x.x.x
DNS2=x.x.x.x
ONBOOT=yes
Next, restart the network service to apply the settings:
systemctl restart network
(systemctl replaced the old service command in CentOS 7.)
After the restart you can run
ifconfig
(or ip addr, which is available even without net-tools) and it will show the address you statically assigned. Next, check the DNS servers. Some networks do not push DNS servers to clients dynamically, and on CentOS 7 NetworkManager regenerates /etc/resolv.conf from the DNS1/DNS2 entries in the ifcfg file every time the interface comes up, so a hand edit of resolv.conf is overwritten on the next restart. Open /etc/resolv.conf and check that it contains lines like these:
domain yourdomain.com (optional)
search yourdomain.com (optional)
nameserver x.x.x.x
nameserver x.x.x.x
If nothing is there, add the DNS1/DNS2 entries to the ifcfg file (or set PEERDNS=no there and edit resolv.conf by hand) and restart the network again. Save in vim with:
:wq
Try pinging www.google.com and a few other sites; you should get replies. If the name does not resolve, ping 8.8.8.8 (Google's public DNS server) directly: if 8.8.8.8 answers but www.google.com does not, the network connection works and your DNS settings are wrong.
ping www.google.com
ping 8.8.8.8
Section 1.1: Setting the Hostname
Next you will probably want to set the hostname of the machine, especially if you plan to join it to a Windows or Linux domain later. To see the current hostname run:
hostname
Running hostname with a new name as its argument (hostname newname) only changes it until the next reboot. To set it permanently on CentOS 7, edit /etc/hostname (it contains a single line) and replace that line with the FQDN (Fully Qualified Domain Name, machinename.domain.com) you want the machine to have; hostnamectl set-hostname machinename.domain.com writes the same file and applies the change immediately. And there you have it: in this section we statically set the machine's IPv4 address and DNS servers and permanently set its hostname. Next we move on to installing LAMP on the machine.
Installing the LAMP-Stack Overview:
A LAMP-STACK or LAMP for short is an acronym for an archetypal model of web service solutions. Originally consisting of largely interchangeable components: Linux, the Apache HTTP Server, the MySQL relational database management system, and the PHP programming language. As a solution stack, LAMP is suitable for building dynamic web sites and web applications.
The LAMP model has since been adapted to other componentry, though typically consisting of free and open-source software. As an example, the equivalent installation on a Microsoft Windows operating system is known as WAMP.
Section 2: Installing MySQL 5
Run the following command to install MySQL; on CentOS 7 the package is MariaDB, a drop-in MySQL fork, so the mysql commands used below are unchanged:
yum -y install mariadb-server mariadb
After the install, start the service and enable it so that MariaDB comes up automatically whenever the machine reboots:
systemctl start mariadb.service
systemctl enable mariadb.service
Section 2.1: Configure MySQL
Now we will secure the MariaDB installation. The following command launches the interactive mysql_secure_installation script (MariaDB ships its own copy of the MySQL one); answer each question as shown below:
mysql_secure_installation
MySQL Configure Wizard:
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current password for the root user. If you've just installed MySQL, and you haven't set the root password yet, the password will be blank, so you should just press enter here.

Enter current password for root (enter for none): ## Press Enter ##
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL root user without the proper authorisation.

Set root password? [Y/n] ## Press Enter ##
New password: ## Enter new password ##
Re-enter new password: ## Re-enter new password ##
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.

Remove anonymous users? [Y/n] ## Press Enter ##
... Success!

Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] ## Press Enter ##
... Success!

By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.

Remove test database and access to it? [Y/n] ## Press Enter ##
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far will take effect immediately.

Reload privilege tables now? [Y/n] ## Press Enter ##
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL installation should now be secure.

Thanks for using MySQL!
Next we will move on to installing the Apache web-server.
Section 3.0: Install Apache
Now install the Apache web server with the following command:
yum -y install httpd
Next, just like MariaDB, start Apache and enable it so the service starts when the machine does:
systemctl start httpd.service
systemctl enable httpd.service
Section 3.1: Adjust the CentOS firewall to allow Apache
Something to note is that CentOS 7 ships firewalld, managed with firewall-cmd, as its default firewall. It still uses iptables underneath, but it replaces the old iptables service and its hand-maintained rule files; you can still use the iptables service instead, but you will have to disable firewalld and install iptables-services. I use firewall-cmd since it is good to learn something new.
Run the following commands to allow HTTP and HTTPS through the CentOS firewall. --permanent writes a rule to disk but does not apply it until the reload:
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
Once the firewall is reloaded, get onto another computer on the same network and point its browser at http://x.x.x.x; you should get the Apache test page. Remember that since this is a minimal installation there is no GUI on the server itself, which is why we need another computer to view our progress.
(The new Apache homepage is pretty compared to the old non styled one. Though this is just a preference and nothing more)
Section 4.0: Installing PHP
Next we install PHP and the Apache PHP module, then restart Apache so it loads the module:
yum -y install php
systemctl restart httpd.service
Section 4.1: Test out PHP
The default document root of the Apache web server is /var/www/html. Create a small PHP file named info.php in that directory containing a single call to phpinfo():
<?php phpinfo(); ?>
Restart Apache and point your browser at http://x.x.x.x/info.php; the page lists the PHP version, its configuration and every module currently loaded. Delete info.php once you are done with it: that same listing (versions, paths, loaded modules) is exactly what an attacker wants to see first.
systemctl restart httpd
Section 4.2: Adding MySQL support for PHP
To add MySQL support in PHP, you can install the php-mysql package. It’s a good idea to install some other PHP5 modules as well, as you might need them for your applications. And of course be sure to restart Apache after you do this or nothing new will show up.
Adding PHP support for MySQL
yum search php
yum -y install php-mysql php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel
systemctl restart httpd.service
Then point your browser again to “http://x.x.x.x/info.php” and you’ll see a lot more information on the PHP page.
Section 5.0: Installing phpMyAdmin
ATTENTION: Only install phpMyAdmin if you do not feel comfortable managing MySQL from the command line. phpMyAdmin is not exactly the most secure, and since we want to focus on security please assess your needs and skill set before continuing. I have guides for both, and quite frankly you won't be in the database too often, and it is worth not having the unsecured graphical interface. I will show you how to set up a database via the command line later in this guide. It is very easy.
phpMyAdmin is just a web interface that allows you to manage MySQL databases. It can very easily be done via the command line with a few short commands.
yum install phpMyAdmin
Now we configure phpMyAdmin. The EPEL package installs /etc/httpd/conf.d/phpMyAdmin.conf, which only allows connections from localhost; since our server has no GUI we need to reach it from another machine. The approach here is to comment out the access rules inside the existing <Directory "/usr/share/phpMyAdmin"> block and add, after the commented-out lines, the following so that phpMyAdmin accepts connections from anywhere (AllowOverride and Require only have meaning inside a Directory block, so keep the surrounding block):
<Directory "/usr/share/phpMyAdmin">
    Options none
    AllowOverride Limit
    Require all granted
</Directory>
Require all granted exposes the database admin interface to anyone who can reach port 80, which is the reason for the warning above. A safer choice is Require ip x.x.x.x with the address of your admin workstation only.
Now we change the authentication method in phpMyAdmin from cookie to http:
vim /etc/phpMyAdmin/config.inc.php
[...]
$cfg['Servers'][$i]['auth_type'] = 'cookie'; // Authentication method (config, http or cookie based)?
[...]
CHANGE TO
[...]
$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?
[...]
With either method the MySQL password crosses the network (on every request with http, at login with cookie), so hold off on using phpMyAdmin until HTTPS from Section 7 is in place.
Then you will need to restart Apache again:
systemctl restart httpd.service
Afterwards, you can access phpMyAdmin under http://x.x.x.x/phpmyadmin/: Again only install the phpMyAdmin module if you need to.
Section 6.0: Installing Owncloud 7
Remember at the beginning of this guide when I said that the EPEL 7 repo did not contain the OwnCloud packages yet. Before we can continue we need to add the openSUSE Build Service OwnCloud repo, which does have them and is designed to install only OwnCloud and its dependencies. This removes the need for a carefully restricted EPEL 6 repo.
NOTE: This is more of a semi-long-term solution; I would highly advise phasing out the openSUSE repo when EPEL 7 gains the OwnCloud packages.
cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/isv:ownCloud:community/CentOS_CentOS-6/isv:ownCloud:community.repo
yum -y install owncloud
mv /var/www/html/owncloud /var/www
I moved (mv) the OwnCloud directory up one level as a small extra layer of separation from the default document root. Because I moved it, the SELinux contexts ended up wrong and OwnCloud could not write where it needed to. mv keeps whatever labels the files already had, while cp gives the copies the default label for the destination, so copying OwnCloud to /var/www is the easier route; either way, once the directory is not where the package expects it, the directories the web server must write to need their contexts set explicitly. If you did mv the directory, run the following commands to fix the contexts so that OwnCloud installs correctly.
ATTENTION: Do not disable SELinux, as that leaves the system without its mandatory access control. Placing SELinux in permissive mode (setenforce 0) lets it log what it would have denied without blocking, which is all you need to find the missing labels. If you disable SELinux outright you will need to reboot, make your changes, re-enable it and reboot again, then wait 30+ minutes while the entire filesystem is relabelled, just to see if your changes took effect. DO NOT DISABLE SELINUX.
setenforce 0
sestatus (shows the current SELinux status and mode)
chcon -R -t httpd_sys_rw_content_t /var/www/owncloud/config
chcon -R -t httpd_sys_rw_content_t /var/www/owncloud/data
chcon -R -t httpd_sys_rw_content_t /var/www/owncloud/apps
Once the setup has completed, put SELinux back into enforcing mode with setenforce 1 and check that the admin page and file uploads still work; permissive mode is a debugging aid, not a state to leave a production server in. Note also that chcon only changes the labels on the files as they are now: a relabel (restorecon, or an autorelabel at boot) resets them to the policy defaults. To make the change stick, record it in the policy with semanage fcontext (from the policycoreutils-python package installed in Section 7.3) for those three paths and then run restorecon -R /var/www/owncloud.
Section 6.1: Create a OwnCloud database
This next part creates the database without a graphical tool. Log into MariaDB as root, create a database for OwnCloud and a dedicated user that has rights only on that database: OwnCloud creates and alters its own tables, so it needs ALL PRIVILEGES on the owncloud schema, but nothing outside it. Pick a long random password (it will be stored in config.php), and note that 'localhost' restricts the account to connections from the web server itself.
mysql -u root -p
CREATE DATABASE owncloud;
CREATE USER 'YOURUSER'@'localhost' IDENTIFIED BY 'YOURPASSWORD';
GRANT ALL PRIVILEGES ON owncloud.* TO 'YOURUSER'@'localhost';
FLUSH PRIVILEGES;
EXAMPLE: GRANT [type of permission] ON [database name].[table name] TO '[username]'@'localhost';
Section 6.2: OwnCloud 7 Setup Finalization
Since we moved OwnCloud up one directory from html to www, we need to tell Apache where to look for web applications:
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www"
#DocumentRoot "/var/www/html"
Two things to check while you are in this file. First, the default <Directory "/var/www"> block in CentOS 7's httpd.conf has AllowOverride None, which disables the .htaccess files OwnCloud ships to block web access to its data/ and config/ directories; set AllowOverride All for /var/www/owncloud (the virtual host in Section 7.2 does this) or those directories are reachable through the browser. Second, with the document root at /var/www, everything under it (html, owncloud and anything else you put there) is now served, so keep nothing in /var/www that is not meant to be public.
After you have created the database user, navigate to http://x.x.x.x/owncloud and you will get the setup page. The first box is where you create the administrative user. The box after it is where you give the OwnCloud 7 instance the database name, user and password you created above; the advanced options on the same page let you choose the data folder, and a location outside the document root (it must be writable by apache and labelled httpd_sys_rw_content_t like the default one) is preferable. Until Section 7 is done this form, admin password included, travels over plain HTTP, so either run the setup from a trusted network or set up HTTPS first and come back to it. After this information is entered you can finish the setup and you will be redirected to the OwnCloud 7 home page, where you can begin your journey into OwnCloud.
Section 7.0: Adding https communications
For an SSL encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache’s interface to OpenSSL. Use yum to get them if you need them.
yum -y install mod_ssl openssl
Section 7.1: Generating a self-signed certificate
Using OpenSSL we will generate a self-signed certificate. On a production server you will probably want a certificate from a trusted Certificate Authority, but for a personal site or for testing a self-signed certificate is fine (expect the browser warning each time, and note that current browsers require a subjectAltName, which these commands do not add). Despite the ca.* file names used here, this is a server key and certificate, not a certificate authority.
# Generate the private key (keep it mode 600: anyone who can read it can impersonate the server)
openssl genrsa -out ca.key 2048
# Generate a certificate signing request; the Common Name should be the host name users will type
openssl req -new -key ca.key -out ca.csr
# Generate the self-signed certificate, valid for one year
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Copy the files to the locations Apache on CentOS expects
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
WARNING: Make sure that you copy the files and do not move them if you use SELinux. Apache will complain about missing certificate files otherwise, as it cannot read them because the certificate files do not have the right SELinux context.
If you have moved the files and did not copy them, you can use the following command to correct the SELinux contexts on those files, as the correct context definitions for /etc/pki/* come with the bundled SELinux policy.
restorecon -RvF /etc/pki
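The three openssl commands above work, but a certificate with only a Common Name is rejected by current browsers, and nothing above verifies the result before Apache loads it. The script below is an added example and not part of the original guide: it generates the key and certificate with a subjectAltName through a small config file (so it also works with the OpenSSL 1.0.2 that CentOS 7 ships), checks that the certificate was made from the key, carries the expected name and is still valid, and installs the files with the right modes and a restorecon, as the SELinux warning above requires. The file names owncloud.key/owncloud.crt, the host name and the install paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): self-signed certificate with a SAN,
# verification, and an install step that keeps SELinux happy.
# Assumed names: owncloud.key / owncloud.crt, host cloud.example.internal.

# gen_selfsigned DIR NAME [DAYS]: private key + self-signed cert for NAME in DIR.
# The SAN is added via a config file, which works on OpenSSL 1.0.2 and newer.
gen_selfsigned() {
    dir=$1; name=$2; days=${3:-365}
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $name
[v3_req]
subjectAltName = DNS:$name
extendedKeyUsage = serverAuth
EOF
    # subshell keeps the restrictive umask local: the key is created mode 600
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/owncloud.key" -out "$dir/owncloud.crt" \
        -config "$dir/san.cnf" >/dev/null 2>&1 )
}

# cert_key_match DIR: succeed only if the certificate's public key belongs to the key
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1/owncloud.crt" | openssl sha256)
    k=$(openssl rsa  -noout -modulus -in "$1/owncloud.key" | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_san DIR NAME: succeed if NAME is present as a DNS subjectAltName
cert_has_san() {
    openssl x509 -noout -text -in "$1/owncloud.crt" | grep -q "DNS:$2"
}

# cert_valid_for DIR DAYS: succeed if the cert is still valid DAYS from now
# (the same check belongs in monitoring so an expiry is caught before users see it)
cert_valid_for() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/owncloud.crt" >/dev/null
}

# key_mode DIR: octal mode of the private key; expect 600
key_mode() {
    stat -c %a "$1/owncloud.key" 2>/dev/null || stat -f %Lp "$1/owncloud.key"
}

# install_cert DIR: copy into the paths Apache on CentOS reads, keep the key
# private, and relabel so SELinux lets httpd read them. Needs root; not run by the test.
install_cert() {
    install -m 644 "$1/owncloud.crt" /etc/pki/tls/certs/owncloud.crt
    install -m 600 "$1/owncloud.key" /etc/pki/tls/private/owncloud.key
    # the policy already defines the contexts for /etc/pki, so restoring is enough
    restorecon -RvF /etc/pki/tls
}
```

Run gen_selfsigned with a scratch directory and the host name users will type, then install_cert as root and point SSLCertificateFile/SSLCertificateKeyFile in ssl.conf at the installed files. cert_key_match and cert_valid_for are cheap enough to run from a cron job or a monitoring check after every renewal.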
Then we need to update the Apache SSL configuration file
vim +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
Change the following lines to match where your key and certificate are:
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
Then save, close and restart the Apache service:
:wq
systemctl restart httpd
All being well you should now be able to connect over https to your server and see the default CentOS or OwnCloud page. As the certificate is self-signed, browsers will generally ask whether you want to accept it.
Section 7.2: Creating a Virtual Host for OwnCloud
Next, create /etc/httpd/conf.d/owncloud.conf and put a virtual host in it.
This lets you go to https://x.x.x.x and land directly in OwnCloud instead of using https://x.x.x.x/owncloud.
I created a sample virtual host file below to go off of. Two notes: Apache 2.4, which CentOS 7 ships, ignores NameVirtualHost with a warning, so it is left out, and AllowOverride is only valid inside a Directory block, which is why each host carries one (OwnCloud's .htaccess needs it). The port 80 host below still serves OwnCloud unencrypted; if you do not want logins typed into http://x.x.x.x to travel in plaintext, replace its DocumentRoot with a Redirect permanent / https://x.x.x.x/ line.
#Listen 80 http (only enable this if you need to listen on a non-default port)
<VirtualHost *:80>
    ServerName x.x.x.x
    DocumentRoot /var/www/owncloud
    <Directory /var/www/owncloud>
        AllowOverride All
    </Directory>
</VirtualHost>

#Listen 443 https (only enable this if it is a non-default port)
<VirtualHost *:443>
    ServerName x.x.x.x
    DocumentRoot /var/www/owncloud
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/owncloud>
        AllowOverride All
    </Directory>
</VirtualHost>
Restart Apache again using
systemctl restart httpd
Now you can navigate to https://x.x.x.x and land directly on your OwnCloud site. This is good and all, but sometimes people would like their HTTPS sites to listen on a different port. Keep in mind that a non-standard port hides nothing from a port scan; it is a convenience, not a security control.
Section 7.3: Moving HTTPS from port 443 to another port
You will need to install some SELinux tools before you can continue on.
yum -y install policycoreutils-python
Next you can run semanage port -l to see which ports each SELinux port type already allows. I wanted Apache to bind to port 5443, so I issued the following command, which adds 5443 to the http_port_t type (without it SELinux denies the bind even though the config is correct):
semanage port -a -t http_port_t -p tcp 5443
After allowing this port you need to change the owncloud.conf virtual host file in /etc/httpd/conf.d so that everything that read 443 now reads 5443:
Listen 5443 https
<VirtualHost *:5443>
    ServerName x.x.x.x:5443
    DocumentRoot /var/www/owncloud
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/owncloud>
        AllowOverride All
    </Directory>
</VirtualHost>
After changing these settings you need to change a couple more things to get back into OwnCloud. First open port 5443 in the firewall; as before, --permanent only takes effect after a reload. If nothing uses 443 any more you can also remove the https service you allowed in Section 3.1.
firewall-cmd --permanent --zone=public --add-port=5443/tcp
firewall-cmd --reload
Next, edit /var/www/owncloud/config/config.php so that OwnCloud accepts its new address. OwnCloud rejects requests whose Host header is not listed in trusted_domains (a defence against host header poisoning, where a forged Host header ends up in generated links such as password resets), so find the line that looks like the one below and change it:
'trusted_domains' => array(
    0 => 'x.x.x.x',
CHANGE TO
'trusted_domains' => array(
    0 => 'x.x.x.x:5443',
Once the config file and the firewall port are changed you can navigate to https://x.x.x.x:5443 and you will be directed to your OwnCloud site.
Congratulations, you made it to the end. By now you should have a secure OwnCloud instance running on https://x.x.x.x:5443. This is a great step towards understanding OwnCloud and the possibilities it holds for you. Please check back later for some guides on setting up OwnCloud apps that make file exploration and usage a little easier.
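The virtual hosts in Sections 7.2 and 7.3 put OwnCloud on HTTPS, but the port 80 host still serves it unencrypted, nothing rules out SSLv3 or weak cipher suites, and the file is never checked before Apache loads it. The script below is an added example and not the guide's own configuration: it renders a virtual host that redirects HTTP to HTTPS, sets the TLS protocol and cipher options plus HSTS (via mod_headers, loaded by default on CentOS 7), keeps AllowOverride All so OwnCloud's .htaccess rules apply and denies the data directory outright, and then checks the result; the alternate port (5443 in the guide) is a parameter. The server name, certificate paths and file names are assumptions.

```shell
#!/bin/sh
# Added example (not the guide's config): render a hardened ownCloud vhost
# and check it before it goes under /etc/httpd/conf.d.
# Assumptions: server name, cert/key paths and output file are parameters;
# mod_headers is loaded (it is on a stock CentOS 7 httpd).

# render_vhost OUT NAME CERT KEY [HTTPS_PORT]
render_vhost() {
    out=$1; name=$2; crt=$3; key=$4; port=${5:-443}
    target="https://$name"
    listen=""
    if [ "$port" != 443 ]; then
        target="$target:$port"
        listen="Listen $port https"   # ssl.conf already listens on 443
    fi
    cat > "$out" <<EOF
$listen
# plain HTTP exists only to send clients to HTTPS
<VirtualHost *:80>
    ServerName $name
    Redirect permanent / $target/
</VirtualHost>

<VirtualHost *:$port>
    ServerName $name
    DocumentRoot /var/www/owncloud

    SSLEngine on
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
    # no SSLv2/SSLv3; no NULL, MD5 or RC4 suites; server picks the suite
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    # browsers that have seen this header refuse plain HTTP for 180 days
    Header always set Strict-Transport-Security "max-age=15552000"

    <Directory /var/www/owncloud>
        Options -Indexes +FollowSymLinks
        # ownCloud's own .htaccess protects config/ and data/; it needs this
        AllowOverride All
        Require all granted
    </Directory>
    # belt and braces in case AllowOverride is ever switched off elsewhere
    <Directory /var/www/owncloud/data>
        Require all denied
    </Directory>
</VirtualHost>
EOF
}

# check_vhost FILE: succeed only if every hardening directive is present and
# the deprecated NameVirtualHost (ignored with a warning by 2.4) is absent
check_vhost() {
    f=$1
    grep -q '^ *SSLEngine on' "$f"                  || return 1
    grep -q '^ *Redirect permanent / https://' "$f" || return 1
    grep -q '^ *SSLProtocol .*-SSLv3' "$f"          || return 1
    grep -q 'Strict-Transport-Security' "$f"        || return 1
    grep -q '^ *AllowOverride All' "$f"             || return 1
    grep -q '^ *Require all denied' "$f"            || return 1
    ! grep -q 'NameVirtualHost' "$f"
}

# vhost_count FILE: number of <VirtualHost> blocks; expect 2 (redirect + TLS)
vhost_count() {
    grep -c '^<VirtualHost' "$1"
}

# install_vhost FILE: copy into place and let httpd validate the whole config
# before restarting. Needs root; not run by the test.
install_vhost() {
    install -m 644 "$1" /etc/httpd/conf.d/owncloud.conf
    httpd -t && systemctl restart httpd
}
```

render_vhost with a fifth argument of 5443 produces the Listen line and the :5443 redirect target for the Section 7.3 layout; without it the host uses 443 and relies on the Listen already in ssl.conf. Remember that trusted_domains in config.php must match whatever ServerName and port you render here, and that the firewall and SELinux port steps above are still required for a non-default port.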