How to Install OwnCloud in a secure manner

Complete Secure Setup and Deployment of OwnCloud




Guide Overview:

Hello everyone, recently I have been doing some very interesting and intensive work with OwnCloud, specifically OwnCloud 7. I needed to create a safe and secure environment where people could come together to share files quickly and safely.

So what is OwnCloud?  OwnCloud is a popular open source file sync and share community project. OwnCloud was founded in 2011 to give corporate IT greater control of their data — combining greater flexibility, openness and extensibility with on premise servers and storage. Company headquarters are in Boston, with European headquarters in Nuremberg, Germany.

To read some more about OwnCloud you can check out their about link here

Machine Overview:

For this guide we will be using OwnCloud 7 Community Edition. I would have loved to set this install up with their Enterprise Edition, but when I submitted a request for a quote they came back with a bill of around $10,000. Needless to say this wasn't going to be an option.

(Enterprise has some very nice extra features such as logging/monitoring, better access to certified OwnCloud plugins, and much more. Check out their comparison chart here.)

For some specs on the machine: I will be running a minimal installation of CentOS 7 x86_64 (CentOS 7 only comes in x86_64), with one 80 GB HDD and 2 GB of memory. So this is a very basic kind of starter machine for any beginner interested in OwnCloud, or maybe even a small-usage server. Obviously you should expand your installation to fit your needs, so please keep that in mind. The OwnCloud forums and official documentation have some great information that I would highly suggest you reference when setting up your own OwnCloud instance.

Section 1.0: Initial Install

I won't go over how to install CentOS 7 on a machine, though if you need their ISO you can head over here. For this next section I configured all my network and machine settings in the GUI when I first installed CentOS, so if you don't want or need to know how to do it manually you can skip to the next section. If you wish to know how to statically set your IPv4 address, DNS servers and hostname, continue reading below.

After you run the installer and you either have an SSH connection into the box or are staring at your monitor, go ahead and statically assign the machine's network information. Doing this now will save you a good deal of time and effort later, so I would highly advise setting these before you continue.

Let's start by grabbing a few tools that do not come pre-installed with the minimal installation and will come in handy later. Run the following command to get the needed tools:

yum -y install vim-enhanced net-tools wget

(Package names are case-sensitive, so "VIM" will not resolve; on CentOS 7 the vim package is vim-enhanced.) vim is a terminal editor that is more useful than the built-in vi; vi and vim are the same family of editor, vim just has more features. net-tools provides the classic networking commands such as ifconfig, which shows your interface settings (yes, I know it is odd that this is not already in the minimal install; the newer ip command from iproute is). Lastly there is wget, a handy tool for grabbing files over the web if you know their URL.

If you ever need to install a package in a red-hat based distribution you can run:

yum search thepackageyouwanttofind

So as an example if I ran a “yum search games” my machine would search my installed repos for a list of packages that are related to games and display them in a list.

I would also grab the EPEL 7 repo while you are at it. At the time of writing EPEL 7 was still in beta, so the release package was installed straight from the Fedora download server:

rpm -ivh http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm

(Once EPEL 7 left beta, the simpler route became "yum -y install epel-release", which comes from the CentOS extras repository and keeps the release package updated through yum.)

Because EPEL 7 is still in beta as of now, it does not actually contain the OwnCloud packages. If you wish you can grab the EPEL 6 repo, which does contain them. I do not advise this, because you would need to heavily restrict the EPEL 6 repo so that it does not override EPEL 7 packages; left unregulated, EPEL 6 packages will break a CentOS 7 system. I will show you later in this guide where to get the OwnCloud package.

You can check which repos are installed and enabled on your system by running:

yum repolist all

After you install these tools head over to /etc/sysconfig/network-scripts/ifcfg-<yournic> (for example ifcfg-eth0 or ifcfg-ens192; "ip link" lists the interface names) and change the following:

"BOOTPROTO=dhcp" to "BOOTPROTO=static"

then add in the following lines. (Replace x.x.x.x with your appropriate network settings.) It is worth adding "DNS1=x.x.x.x" and "DNS2=x.x.x.x" lines here as well: NetworkManager, which is active even on a minimal CentOS 7 install, regenerates /etc/resolv.conf from these values, so a resolv.conf edited by hand can be overwritten.

IPADDR=x.x.x.x

NETMASK=x.x.x.x

GATEWAY=x.x.x.x

Next restart the network service to apply the settings:

systemctl restart network

(systemctl replaces the old service command.)

After the restart you can run an:

ifconfig

and it will show you the network settings you statically assigned. Next you will want to manually assign your DNS servers, as some networks will not have DHCP available to push them to clients.

vim /etc/resolv.conf

If nothing is there add in

(optional) domain yourdomain.com

search yourdomain.com

nameserver x.x.x.x

nameserver x.x.x.x

Save with:

:wq

Note that on CentOS 7 NetworkManager manages this file and regenerates it from the DNS1/DNS2 entries of your ifcfg file; if your hand edits keep disappearing, put the servers in the ifcfg file instead.

Try pinging www.google.com and some other sites; you should get responses back. If you can ping 8.8.4.4 (a Google DNS server) but not www.google.com, your routing works and your DNS settings are wrong somehow; if neither answers, the problem is with the IP settings or the gateway.

ping www.google.com

ping 8.8.4.4

Section 1.1: Setting the Hostname

Next you will probably want to set the hostname of the machine, especially if you plan on joining it to a Windows or Linux domain later. To find your current hostname run:

hostname

This will output your current hostname. If you run:

hostname yournewhostname

it will only temporarily change the hostname; when the machine reboots it will change back. On CentOS 7 the permanent hostname lives in /etc/hostname, not in the HOSTNAME= line of /etc/sysconfig/network that CentOS 6 used, and the supported way to set it is:

hostnamectl set-hostname machinename.domain.com

Use the FQDN (Fully Qualified Domain Name, machinename.domain.com) that you would like the machine to have; "hostnamectl status" shows the result. And there you have it: in this section we statically set our machine's IPv4 address and DNS servers and permanently set our hostname. Next we will move on to installing LAMP on our machine.




Installing the LAMP-Stack Overview:

A LAMP-STACK or LAMP for short is an acronym for an archetypal model of web service solutions. Originally consisting of largely interchangeable components: Linux, the Apache HTTP Server, the MySQL relational database management system, and the PHP programming language. As a solution stack, LAMP is suitable for building dynamic web sites and web applications.

The LAMP model has since been adapted to other componentry, though typically consisting of free and open-source software. As an example, the equivalent installation on a Microsoft Windows operating system is known as WAMP.




Section 2: Installing MySQL (MariaDB 5.5)

CentOS 7 ships MariaDB, a drop-in replacement for MySQL, so run the following to install it:

yum -y install mariadb-server mariadb

After installing the package, start the service and enable it so that it starts automatically whenever the machine reboots:

systemctl start mariadb.service

systemctl enable mariadb.service

Section 2.1: Configure MySQL

Now we will start configuring MySQL. The following command launches the interactive hardening wizard:

mysql_secure_installation

MySQL Configure Wizard:

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):     ## Press Enter ## 
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n]        ## Press Enter ##
New password:                   ## Enter new password ##
Re-enter new password:          ## Re-enter new password ##
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]    ## Press Enter ##
... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]     ## Press Enter ##
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]     ## Press Enter ##
- Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]     ## Press Enter ##
... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

Next we will move on to installing the Apache web server.




Section 3.0: Install Apache

Now install the Apache web server with the following command:

yum -y install httpd

Next, just like MySQL, start the Apache service and enable it so that it starts when the machine does:

systemctl start httpd.service

systemctl enable httpd.service

Section 3.1: Adjust CentOS firewall to allow Apache

Something to note is that CentOS 7 uses firewalld (driven by the firewall-cmd tool) as its default firewall front end. It replaced the iptables service, although it still programs iptables rules underneath. Using the iptables service directly is still an option; you just have to disable firewalld and install iptables-services. I use firewall-cmd since it is good to learn something new.

Run the following commands to allow certain protocols through the CentOS firewall.

firewall-cmd --permanent --zone=public --add-service=http

firewall-cmd --permanent --zone=public --add-service=https

firewall-cmd --reload

Then once you reload the firewall, get onto another computer on the same network and point its browser at http://x.x.x.x; you should get a page like the picture below. Remember, since this is a minimal installation we don't have a GUI to interface with, which is why we need another computer to view our progress.

(The new Apache homepage is pretty compared to the old non styled one. Though this is just a preference and nothing more)

[screenshot: the default Apache test page on CentOS 7]




Section 4.0: Installing PHP

Next we will install PHP and Apache PHP modules:

yum -y install php
systemctl restart httpd.service

Section 4.1: Test out PHP

The default document root of the Apache web server is /var/www/html. Create a small PHP file (info.php) in that directory containing a call to phpinfo() and open it in a browser; it displays lots of useful details about the PHP installation.

vim /var/www/html/info.php

with the content:

<?php phpinfo(); ?>

Save with:

:wq

Point your browser at http://x.x.x.x/info.php and you will see a PHP page listing all the modules currently installed (no Apache restart is needed for a new file). Keep in mind that this page discloses your PHP version, paths and configuration to anyone who can reach the server, so delete it when you are done testing.

[screenshot: phpinfo() output]

Section 4.2: Adding MySQL support for PHP

To add MySQL support in PHP, install the php-mysql package. It is a good idea to install some other PHP modules as well, as you might need them for your applications. And of course be sure to restart Apache after you do this or nothing new will show up.

Adding PHP support for MySQL ("yum search php" lists every PHP module available in your repos):

yum search php

yum -y install php-mysql php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel

systemctl restart httpd.service

Then point your browser again at http://x.x.x.x/info.php and you will see a lot more information on the PHP page (and delete the file once you have checked).




Section 5.0: Installing phpMyAdmin

ATTENTION: Only install phpMyAdmin if you don't feel comfortable managing MySQL from the command line. phpMyAdmin is not exactly the most secure thing to expose (it is a web front end to your database, reachable by anyone who can reach the web server), and since we want to focus on security please assess your needs and skill set before continuing. I have guides for both, and quite frankly you won't be in the database too often, so it is worth not having the extra graphical interface. I will show you how to set up a database via the command line later in this guide. It is very easy.

phpMyAdmin is just a web interface for managing MySQL databases. The same work can be done from the command line with a few short commands.

yum install phpMyAdmin

Now we configure phpMyAdmin. By default the Apache config that ships with the package only allows connections from localhost, which is useless on a headless server. Open the config and, inside the <Directory /usr/share/phpMyAdmin/> block, comment out the "Require ip 127.0.0.1" and "Require ip ::1" lines (keep the <Directory> wrapper itself):

vim /etc/httpd/conf.d/phpMyAdmin.conf

Then add in, after the commented-out lines:

Options none

AllowOverride Limit

Require all granted

"Require all granted" opens phpMyAdmin to every host that can reach the web server; on anything but an isolated lab network, restrict it to your admin network instead, for example "Require ip 10.0.0.0/8" (substitute your own range).


Now we change the authentication in phpMyAdmin from cookie to http. Note that http authentication sends the MySQL credentials with every request, so if you use it, only reach phpMyAdmin over the HTTPS set up in Section 7:

vim /etc/phpMyAdmin/config.inc.php

[...]
$cfg['Servers'][$i]['auth_type']     = 'cookie';
// Authentication method (config, http or cookie based)?
[...]

CHANGE TO

[...]
$cfg['Servers'][$i]['auth_type']     = 'http';
// Authentication method (config, http or cookie based)?
[...]

Then you will need to restart Apache again:

systemctl restart httpd.service

Afterwards you can access phpMyAdmin under http://x.x.x.x/phpmyadmin/. Again, only install phpMyAdmin if you need to.




Section 6.0: Installing Owncloud 7

Remember at the beginning of this guide when I said that the EPEL 7 repo didn't contain the OwnCloud packages yet? Before we can continue we will need to grab the openSUSE Build Service OwnCloud repo, which does have them and is designed to install only OwnCloud and its dependencies. This removes the need to set up complicated configs to use EPEL 6.

openSUSE Repo

NOTE: This is more of a semi-long-term solution; the .repo file below is the CentOS 6 build of the repository. I would highly advise phasing the openSUSE repo out once EPEL 7 gains OwnCloud packages.

cd /etc/yum.repos.d/

wget http://download.opensuse.org/repositories/isv:ownCloud:community/CentOS_CentOS-6/isv:ownCloud:community.repo

yum -y install owncloud

mv /var/www/html/owncloud /var/www

I moved the OwnCloud directory up one level, out of the default document root, just to add a small layer of separation. But because I used mv, which keeps the files' existing SELinux labels, the labels ended up wrong and OwnCloud could not write where it needed to. I would suggest you cp the directory to /var/www instead: cp creates new files, and new files get the label the policy assigns to their new path. If you did mv it, run the commands below to fix the labels so OwnCloud can install correctly.

ATTENTION: Do not disable SELinux; that leaves the system far less protected. Putting SELinux in permissive mode (setenforce 0) lets it log what it would have denied without blocking anything, which is what you want while troubleshooting. If you disable SELinux outright you will need to reboot, make your changes, re-enable it, reboot again and wait 30+ minutes while the entire filesystem is relabeled, just to see if your changes took effect. DO NOT DISABLE SELINUX.

setenforce 0

sestatus (to view the status of SELinux)

chcon -R -t httpd_sys_rw_content_t /var/www/owncloud/config

chcon -R -t httpd_sys_rw_content_t /var/www/owncloud/data

chcon -R -t httpd_sys_rw_content_t /var/www/owncloud/apps

setenforce 1

Put SELinux back in enforcing mode as soon as the labels are fixed, and check /var/log/audit/audit.log for any remaining denials. Also note that chcon changes the label on the files but not the policy, so a later relabel (restorecon, or the full relabel after disabling and re-enabling SELinux) reverts it; the persistent form is a file-context rule such as semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/owncloud/data(/.*)?" followed by restorecon -Rv /var/www/owncloud (semanage comes from the policycoreutils-python package installed in the port redirection section near the end of this guide).

Section 6.1: Create an OwnCloud database

This next part is a non-graphical setup of the MySQL database. Head into your MySQL instance, create a new database and create a dedicated account that has privileges on that database only (not a global superuser; OwnCloud needs nothing outside its own schema).

mysql -u root -p

CREATE DATABASE owncloud;

CREATE USER 'YOURUSER'@'localhost' IDENTIFIED BY 'YOURPASSWORD';

GRANT ALL PRIVILEGES ON owncloud.* TO 'YOURUSER'@'localhost';

FLUSH PRIVILEGES;

EXAMPLE: GRANT [type of permission] ON [database name].[table name] TO '[username]'@'localhost';

Section 6.2: OwnCloud 7 Setup Finalization

Since we moved OwnCloud up one directory from html to www, we need to tell Apache where to look for it. The quick way is to change the global DocumentRoot in /etc/httpd/conf/httpd.conf:

vim /etc/httpd/conf/httpd.conf

DocumentRoot "/var/www"

#DocumentRoot "/var/www/html"

Be aware that this serves everything under /var/www, not just OwnCloud, and that the default <Directory "/var/www"> block in httpd.conf has AllowOverride None, so OwnCloud's own .htaccess files (including the one that blocks direct downloads from data/) are ignored until a <Directory /var/www/owncloud> block with AllowOverride All exists. The virtual host in Section 7.2 takes care of both; treat this global change as a stopgap to get through the installer.

After you create the database user, navigate to your OwnCloud instance via http://x.x.x.x/owncloud and you will be prompted with the setup page. The first box is where you set up an administrative user. Below it you supply the database information you created earlier (make sure MySQL/MariaDB is selected rather than SQLite). After this information is entered you can finish the setup and you will be redirected to the OwnCloud 7 user homepage, where you can begin your journey into OwnCloud.

[screenshots: OwnCloud setup page and dashboard]




Section 7.0: Adding HTTPS communications

For a TLS-encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache's interface to OpenSSL. Use yum to get them if you need them.

yum -y install mod_ssl openssl

Section 7.1: Generating a self-signed certificate

Using OpenSSL we will generate a self-signed certificate. If you are using this on a production server you will want a certificate from a trusted Certificate Authority, so that browsers do not have to be told to trust it one by one (and users do not learn to click through warnings), but if you are just using this on a personal site or for testing purposes a self-signed certificate is fine.

# Generate private key

openssl genrsa -out ca.key 2048

# Generate CSR (answer the prompts; the Common Name must be the hostname or IP users will type)

openssl req -new -key ca.key -out ca.csr

# Generate self-signed certificate, signed with SHA-256 (older OpenSSL defaults to SHA-1, which browsers are deprecating)

openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt

# Copy the files to the correct locations and lock down the private key

cp ca.crt /etc/pki/tls/certs

cp ca.key /etc/pki/tls/private/ca.key

cp ca.csr /etc/pki/tls/private/ca.csr

chmod 600 /etc/pki/tls/private/ca.key

(The files are named ca.* here, but they are a server key and certificate, not a CA.)

WARNING: Make sure that you copy the files and do not move them if you use SELinux. Apache will complain about missing certificate files otherwise, as it cannot read them because the certificate files do not have the right SELinux context.

If you have moved the files and did not copy them, you can use the following command to correct the SELinux contexts on those files, as the correct context definitions for /etc/pki/* come with the bundled SELinux policy.

restorecon -RvF /etc/pki
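As an added example (mine, not part of the original guide), the following script does the three openssl steps above in one go and adds what the interactive prompts cannot: a subjectAltName (which browsers check instead of the Common Name), a SHA-256 signature, a key that is 0600 from the moment it is written, and a check that the key and certificate actually belong together before anything is copied into /etc/pki/tls. It assumes openssl is installed and takes an output directory, the server's FQDN and its IP as arguments; owncloud.example.com and 192.0.2.10 in the usage line are placeholders, and it writes server.key/server.crt rather than the ca.* names used above, so adjust the cp lines accordingly.

```sh
#!/bin/sh
# Added example for this guide (not from the original page): create the key and
# self-signed certificate in one step, with a subjectAltName and SHA-256, and
# verify the result before copying anything into /etc/pki/tls.
# Assumptions: openssl is on PATH; $1 is an output directory, $2 the server's
# FQDN and $3 its IPv4 address (owncloud.example.com / 192.0.2.10 are placeholders).
gen_selfsigned() {
  dir=$1; fqdn=$2; ip=$3
  mkdir -p "$dir" || return 1

  # Minimal OpenSSL config: no interactive prompts, and a v3 extension block
  # that puts the name and address browsers actually check into the SAN.
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
CN = $fqdn
[v3_server]
subjectAltName   = DNS:$fqdn, IP:$ip
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

  # umask 077 in a subshell so the private key is never world-readable, even briefly
  ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -config "$dir/san.cnf" -keyout "$dir/server.key" -out "$dir/server.crt" ) 2>/dev/null \
    || return 1
  chmod 644 "$dir/server.crt"     # the certificate is public; the key stays 0600

  # Checks a practitioner would run before installing the files:
  # 1. key and certificate belong together (same RSA modulus)
  [ "$(openssl x509 -noout -modulus -in "$dir/server.crt")" = \
    "$(openssl rsa  -noout -modulus -in "$dir/server.key")" ] || return 1
  # 2. the SAN made it into the certificate
  openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$fqdn" || return 1
  # 3. the signature is SHA-256, not the SHA-1 that older openssl defaults to
  openssl x509 -noout -text -in "$dir/server.crt" | grep -q 'sha256WithRSAEncryption' || return 1
}

# Usage (placeholders): gen_selfsigned /root/tls owncloud.example.com 192.0.2.10 \
#   && cp /root/tls/server.crt /etc/pki/tls/certs/ \
#   && cp /root/tls/server.key /etc/pki/tls/private/
```

The SAN is the part worth keeping even when you later buy a real certificate: a certificate whose SAN does not match the address users type will be rejected by modern browsers regardless of who signed it.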

Then we need to update the Apache SSL configuration file

vim +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Change the following lines to match where your keys are. While you are in this file, also make sure the SSLProtocol line excludes SSLv2 and SSLv3 (SSLProtocol all -SSLv2 -SSLv3), since both are broken and any client that matters supports TLS.

SSLCertificateFile /etc/pki/tls/certs/ca.crt

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Then save, close and restart the Apache service.

wq
systemctl restart httpd

All being well you should now be able to connect over HTTPS to your server and see the default CentOS or OwnCloud page. As the certificate is self-signed, browsers will ask whether you want to accept it.

Section 7.2: Creating a Virtual Host for OwnCloud

Next create /etc/httpd/conf.d/owncloud.conf and put a virtual host in it:

vim /etc/httpd/conf.d/owncloud.conf

This will let you go to https://x.x.x.x and land directly on OwnCloud instead of having to use https://x.x.x.x/owncloud.

I created a sample virtual host file below for you to go off of. Two things to note for Apache 2.4 (what CentOS 7 ships): NameVirtualHost is obsolete and ignored, and AllowOverride is only valid inside a <Directory> block, which is also where the data directory's .htaccess protection gets switched on. The plain-HTTP host just redirects to HTTPS so credentials never travel unencrypted.

#Listen 80 (only needed if you listen on a non-default port; 80 and 443 are already in httpd.conf and ssl.conf)

<VirtualHost *:80>
    ServerName x.x.x.x
    Redirect permanent / https://x.x.x.x/
</VirtualHost>

<VirtualHost *:443>
    ServerName x.x.x.x
    DocumentRoot /var/www/owncloud
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/owncloud>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>


Restart Apache again using

systemctl restart httpd

Now you can navigate to https://x.x.x.x (or http://x.x.x.x, which redirects) and land on your OwnCloud site. This is good and all, but sometimes people would like their HTTPS sites to listen on a different port.



Section 7.3: Redirecting port 443 to another port

You will need to install some SELinux tools before you can continue.

yum -y install policycoreutils-python

Next you can run "semanage port -l | grep http_port_t" to see which ports SELinux already lets Apache bind to. I wanted Apache to bind to port 5443, so I issued the following command:

semanage port -a -t http_port_t -p tcp 5443

After allowing this port you will need to change your owncloud.conf virtual host file in /etc/httpd/conf.d: everywhere the standard 443 port appears it should now read 5443, and the redirect from the plain-HTTP host has to carry the port too.

Listen 5443 https

<VirtualHost *:80>
    ServerName x.x.x.x
    Redirect permanent / https://x.x.x.x:5443/
</VirtualHost>

<VirtualHost *:5443>
    ServerName x.x.x.x:5443
    DocumentRoot /var/www/owncloud
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/owncloud>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

After changing these settings you will need to change a couple more things to get back into OwnCloud. The first is to open port 5443 in the firewall and reload it (the earlier https service entry can be removed if nothing else should answer on 443):

firewall-cmd --permanent --zone=public --add-port=5443/tcp

firewall-cmd --reload

Next edit /var/www/owncloud/config/config.php so OwnCloud accepts requests for its new address; it refuses any Host header that is not listed in trusted_domains. Find the line that looks like the one below and change it.

'trusted_domains' =>
array (
0 => 'x.x.x.x',

CHANGE TO

'trusted_domains' =>
array (
0 => 'x.x.x.x:5443',

Once these files are changed and the firewall port is open you can navigate to https://x.x.x.x:5443 and you will be directed to your OwnCloud site.
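Before calling the box done, it is worth checking that the security-relevant settings from this guide actually landed. The script below is an added example (mine, not from the original guide) that audits them: private key permissions, SELinux back in enforcing mode, the info.php test page removed, the trusted_domains entry, and that OwnCloud's data/.htaccess can actually do its job (Apache ignores it unless the owncloud.conf virtual host has AllowOverride All). It assumes the paths used in this guide, reads the SELinux state from /sys/fs/selinux/enforce, and takes a ROOT prefix so it can be run against a copy of the tree; the host:port argument and 192.0.2.10 are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original guide: a post-install audit of the
# settings this page changes. ROOT is a prefix so the script can be exercised
# against a copy of the tree or a fixture; on the live server leave it at "/".
# Paths are the ones used above (/var/www/owncloud, /etc/pki/tls/private/ca.key);
# the SELinux state is read from /sys/fs/selinux/enforce (1 = enforcing).
ROOT=${ROOT:-/}

check_key_perms() {        # the TLS private key must be readable by root only
  key="$ROOT/etc/pki/tls/private/ca.key"
  [ -f "$key" ] || { echo "FAIL: $key missing"; return 1; }
  mode=$(ls -l "$key" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || { echo "FAIL: $key is $mode, want -rw-------"; return 1; }
  echo "OK: private key permissions"
}

check_data_htaccess() {    # OwnCloud's data/.htaccess only works if Apache honours .htaccess
  [ -f "$ROOT/var/www/owncloud/data/.htaccess" ] \
    || { echo "FAIL: data/.htaccess missing, data directory may be downloadable"; return 1; }
  grep -qi 'AllowOverride All' "$ROOT/etc/httpd/conf.d/owncloud.conf" 2>/dev/null \
    || { echo "FAIL: owncloud.conf lacks AllowOverride All, so .htaccess is ignored"; return 1; }
  echo "OK: data directory protected by .htaccess"
}

check_trusted_domain() {   # config.php must list exactly the host:port users type in
  grep -q "'$1'" "$ROOT/var/www/owncloud/config/config.php" 2>/dev/null \
    || { echo "FAIL: '$1' is not in trusted_domains"; return 1; }
  echo "OK: trusted_domains contains $1"
}

check_selinux_enforcing() {  # the guide drops to permissive during install; it must come back
  f="$ROOT/sys/fs/selinux/enforce"
  [ -f "$f" ] && [ "$(cat "$f")" = "1" ] \
    || { echo "FAIL: SELinux is not enforcing (run setenforce 1)"; return 1; }
  echo "OK: SELinux enforcing"
}

check_no_phpinfo() {       # the info.php test page leaks versions, paths and modules
  [ ! -e "$ROOT/var/www/html/info.php" ] \
    || { echo "FAIL: delete /var/www/html/info.php"; return 1; }
  echo "OK: no phpinfo page left behind"
}

# Runs every check; the return value is the number of failed checks (0 = clean).
audit() {
  fails=0
  check_key_perms              || fails=$((fails + 1))
  check_data_htaccess          || fails=$((fails + 1))
  check_trusted_domain "$1"    || fails=$((fails + 1))
  check_selinux_enforcing      || fails=$((fails + 1))
  check_no_phpinfo             || fails=$((fails + 1))
  return $fails
}

# Stand-alone use: sh audit.sh <host:port>   (exit status = number of failed checks)
if [ -n "$1" ]; then
  audit "$1"
  exit $?
fi
```

Run it as root on the finished server (saved as, say, audit.sh) with the address your users type, e.g. sh audit.sh 192.0.2.10:5443; a non-zero exit status is the number of checks that failed, and each FAIL line says what to fix.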



Congratulations, you made it to the end. By now you should have a secure OwnCloud instance running on https://x.x.x.x:5443. This is a great step towards understanding OwnCloud and what possibilities it can hold for you. Please check back later for some guides on setting up OwnCloud apps that will make file exploration and usage a little easier.

Thank you


One thought on "How to Install OwnCloud in a secure manner"

  • Hey anyone,

    I hope this guide will help anyone wanting to try out OwnCloud. If you see any mistakes or have a better way to install OwnCloud or just have some question in general let me know.

    Thank you
    CeleriumMind
