Earlier this week I decided to test drive ownCloud; an open source alternative to cloud sync services like Google Drive or Dropbox. The main difference is that you install and run ownCloud on your own server.
ownCloud provides packages for most Linux distributions including CentOS here; the advantage of installing from the package is that it will automatically install required dependencies and you can update ownCloud with yum. If you use the ownCloud package, you will also need Remi’s RPM repository as CentOS 6 provides PHP 5.3 and ownCloud 8 requires PHP 5.4.
Since I already had a server running Nginx I decided to skip the package installation of ownCloud because it also installs Apache as a dependency. The steps below can be used to set up ownCloud 8 on CentOS using Nginx, PHP-FPM and MySQL.
Set up Nginx and Remi repos:
1 2 3 4 5 6 7 8 9 10 |
vi /etc/yum.repos.d/nginx.repo [nginx] name=nginx repo baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ gpgcheck=0 enabled=1 rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm |
Install Nginx, MySQL and PHP components:
1 |
yum --enablerepo=remi install php-fpm php-common php-mysql php-xml php-gd php-mbstring php-process php-curl php-intl php-mcrypt mysql-server nginx -y |
Start MySQL and run mysql_secure_installation script to create root password (answer Y to all questions):
1 |
mysql_secure_installation |
Now create the database and user for ownCloud:
1 2 3 4 5 |
mysql -uroot -p CREATE DATABASE owncloud; GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud_user'@'localhost' IDENTIFIED BY 'owncloud_user_pasword'; FLUSH PRIVILEGES; |
Create document root for Nginx and install ownCloud:
1 2 3 4 5 6 |
mkdir -p /var/www/html cd /var/www/html wget https://download.owncloud.org/community/owncloud-8.0.4.tar.bz2 tar -xjf owncloud-8.0.4.tar.bz2 rm owncloud-8.0.4.tar.bz2 chown -R nginx:nginx owncloud |
Edit /etc/php-fpm.d/www.conf to replace apache user with nginx on lines 39 and 41:
35 36 37 38 39 40 41 |
; Unix user/group of processes ; Note: The user is mandatory. If the group is not set, the default user's group ; will be used. ; RPM: apache Choosed to be able to access some dir as httpd user = nginx ; RPM: Keep a group allowed to write in log dir. group = nginx |
Give nginx user permissions on /var/lib/php/session (this fixed a redirect loop I was getting when trying to login):
1 |
chown -R root:nginx /var/lib/php/session |
Make sure services start automatically on boot:
1 2 3 |
chkconfig nginx on chkconfig php-fpm on chkconfig mysqld on |
Now you just need to configure Nginx to work with ownCloud; below is my configuration file that I made based on the ownCloud documentation here.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 |
upstream php-handler { server 127.0.0.1:9000; #server unix:/var/run/php5-fpm.sock; } # ownCloud HTTPS server { listen 80; listen 443 ssl spdy; server_name mydomain; ssl_certificate /etc/nginx/certs/mydomain.crt; ssl_certificate_key /etc/nginx/certs/mydomain.key; ssl_session_cache builtin:1000 shared:SSL:20m; ssl_session_timeout 4h; ssl_session_tickets on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/certs/dhparam.pem; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/certs/startssl_stapling_sha2.crt; add_header Strict-Transport-Security "max-age=31536000"; if ( $scheme = http ) { return 301 https://$host$request_uri; } root /var/www/html/owncloud; # set max upload size client_max_body_size 10G; fastcgi_buffers 64 4K; # Disable gzip to avoid the removal of the ETag header gzip off; # Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off; rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; index index.php; error_page 403 /core/templates/403.php; error_page 404 /core/templates/404.php; location = /robots.txt { allow all; log_not_found off; access_log off; } location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){ deny all; } location / { # The following 2 rules are only needed with webfinger rewrite ^/.well-known/host-meta /public.php?service=host-meta last; rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; try_files $uri $uri/ /index.php; } location ~ \.php(?:$|/) { fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; fastcgi_pass php-handler; } # Optional: set long EXPIRES header on static assets location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ { expires 30d; # Optional: Don't log access to assets access_log off; } } |
Once you have Nginx configured correctly, browse to your server and you will be greeted by the following screen where you will create the admin account and provide the details of the MySQL database you created earlier:
For added security, you can configure Fail2Ban to protect the ownCloud login page from brute force attempts by using the guide located here: http://www.tech-and-dev.com/2014/11/protecting-owncloud-against-bruteforce-attacks-with-fail2ban.html