From Fedora Project Wiki

(Create a database)
(Brand new edition of Owncloud installation guide, with all main security features enabled)
Line 1: Line 1:
 
ownCloud is a AGPLv3 private file server
 
ownCloud is a AGPLv3 private file server
 +
 +
 +
Owncloud is a software for creating a personal cloud system. Here, an installation guide for the server side.
  
 
== Features ==
 
== Features ==
Line 9: Line 12:
 
* Many more
 
* Many more
  
== Installation ==
+
==Installation==
  
=== Requirements ===
+
<code># yum install owncloud</code>
 +
===SSL certificate configuration===
 +
In order to have secure communications between host and server, you need to generate a key and a certificate
  
The following software must be installed and configured
+
<code># yum install crypto-utils</code>
  
<ol><li>A database management system
+
<code># genkey ''hostname''</code>
* [[MariaDB]]</li>
 
  
<li>A web server
+
Answer "no" to the question "Would you like to send a Certificate Request (CSR) to a Certificate Authority (CA)?"
* [[Apache HTTP Server]]</li></ol>
 
  
=== Install owncloud ===
+
To allow httpd service to use SSL, you need to install proper dependencies
  
<pre>$ su root
+
<code># yum install mod_ssl openssl</code>
$ yum install owncloud owncloud-mysql owncloud-httpd</pre>
 
  
A configuration file named <code>/etc/httpd/conf.d/owncloud.conf</code> should have been created
+
and apply the following editings to
  
Start [[MariaDB]] and [[Apache HTTP Server]] if they weren't already
+
<code>/etc/httpd/conf.d/ssl.conf</code>
<pre>$ systemctl start httpd
 
$ systemctl start mariadb</pre>
 
  
If Apache was already running restart it
+
putting at the bottom
<pre>$ systemctl restart httpd</pre>
+
<pre>
 +
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
 +
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
 +
</pre>
  
=== Create a database ===
+
To force SSL usage in Owncloud server:
  
Log in as root to MariaDB
+
<code># nano /etc/owncloud/config.php</code>
<pre>$ mysql -u root -p</pre>
 
  
Create a new databse
+
e modify entry
<pre>CREATE DATABASE IF NOT EXISTS owncloud;</pre>
 
  
Create a new user and grant him privileges
+
<code>'forcessl' => false</code>
<pre>CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
 
GRANT ALL PRIVILEGES ON owncloud.* TO 'username'@'localhost' IDENTIFIED BY 'password';</pre>
 
  
Reload privileges and quit
+
as the following one
<pre>FLUSH PRIVILEGES;
 
quit</pre>
 
  
=== Setup owncloud ===
+
<code>'forcessl' => true,</code>
  
Open <code>localhost/owncloud</code> in your browser and create the admin account. Also configure owncloud database parameters set previously.
 
  
Then your owncloud server should be available under your <code>localhost/owncloud</code>. Unless configured otherwise it won't be available from outside.
+
To create admin user, insert into the browser (ignoring warning about unsigned certificate)
  
{{admon/warning | This exposes your installation to the Internet and potential attackers. Secure your installation properly before exposing your server to the Internet.}}
+
<code>localhost/owncloud</code>
  
Once owncloud is properly configured you can make it available from outside. Open Apache ports and edit <code>/etc/httpd/conf.d/owncloud.conf</code> such that
+
==Grant remote access to the server==
<pre>   <IfModule mod_authz_core.c>
+
===Firewall configuration===
    # Apache 2.4
+
You need to find out the active firewall zone
    #Require local
+
 
    Require all granted
+
<code># firewall-cmd --list-all-zones | grep active</code>
    </IfModule>
+
 
    <IfModule !mod_authz_core.c>
+
in our case:
    # Apache 2.2
+
 
    Order Deny,Allow
+
<code>public (default, active)</code>
    #Deny from all
+
 
    #Allow from 127.0.0.1
+
then we will use the following commands to allow access to http and https services
    #Allow from ::1
+
<pre># firewall-cmd --permanent --zone=public --add-service=http
    Allow from all
+
# firewall-cmd --permanent --zone=public --add-service=https
    </IfModule>
+
# systemctl restart firewalld</pre>
</pre>
+
 
 +
===Configuring Apache permissions===
 +
In order to allow access to remote hosts, you need to configure Apache's
 +
 
 +
<code>/etc/httpd/conf.d/owncloud.conf</code>
  
This however enables owncloud for all your virtual hosts under <code>hostname/owncloud</code>. If this is not what you want, comment out this line
+
as the following example:
<pre># Alias /owncloud /usr/share/owncloud</pre>
 
  
And for example, let's say that you want to create a virtual host for owncloud using the domain <code>owncloud.hostname</code> with SSL support. If /etc/httpd/conf.d/hostname.conf doesn't exist, create it, and paste this
 
 
<pre>
 
<pre>
<VirtualHost *:80>
+
<IfModule mod_authz_core.c>
    ServerName hostname
+
# Apache 2.4
    DocumentRoot /usr/share/owncloud
+
#Require local
</VirtualHost>
+
Require all granted
 +
</IfModule>
 +
<IfModule !mod_authz_core.c>
 +
# Apache 2.2
 +
Order Deny,Allow
 +
#Deny from all
 +
#Allow from 127.0.0.1
 +
#Allow from ::1
 +
Allow from all
 +
</IfModule>
 +
</pre>
 +
 
 +
===Configuration of exposed IP addresses===
 +
Finally you need to set into configuration file
  
<VirtualHost *:443>
+
<code>/etc/owncloud/config.php</code>
    ServerName hostname
 
    DocumentRoot /usr/share/owncloud
 
    SSLEngine On
 
    SSLCertificateFile /etc/pki/tls/certs/hostname.crt
 
    SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
 
</VirtualHost>
 
</pre>
 
  
ownCloud onfiguration file is <code>/etc/owncloud/config.php</code>
+
at entry
  
 +
<pre>array (
 +
  0 => 'localhost',
 +
)</pre>
 +
the IP addresses with which the server will be exposed outside (both LAN and WAN). An example of configuration with IP addresses for both LAN and WAN is:
 +
<pre>
 +
array (
 +
  0 => 'localhost',
 +
  1 => '192.168.1.100',
 +
  2 => '200.100.1.100',
 +
)
 +
</pre>
 +
 
 
== Troubleshooting ==
 
== Troubleshooting ==
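Review bot: The new "Configuring Apache permissions" section keeps "Require all granted" and "Allow from all" for /etc/httpd/conf.d/owncloud.conf but drops the old admon/warning that this exposes the installation to the Internet; keep that warning directly under "Grant remote access to the server". The firewall step also adds the http service even though 'forcessl' is switched to true, so either drop "--add-service=http" or say why port 80 has to stay open. The removed "Create a database" steps and the owncloud-mysql and owncloud-httpd packages have no counterpart in the new text, and the entry edited under "Configuration of exposed IP addresses" is shown as a bare "array (" without its key name; state the expected database backend and name the config.php key.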
  
Line 102: Line 118:
 
If you have a dynamic IP address you can configure a dynamic DNS client, for example [[inadyn-mt]] to update your ip for your DNS server account
 
If you have a dynamic IP address you can configure a dynamic DNS client, for example [[inadyn-mt]] to update your ip for your DNS server account
  
== Links ==
+
 
 +
==Resources==
 +
*[http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/ch-Web_Servers.html#s2-apache-mod_ssl Fedora Deployment_Guide: Setting Up an SSL Server]
 +
*[http://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s1-apache-mod_ssl.html Fedora Deployment_Guide: Setting Up an SSL Server]
 
* [http://doc.owncloud.org/server/6.0/admin_manual/contents.html ownCloud Administrators Manual]
 
* [http://doc.owncloud.org/server/6.0/admin_manual/contents.html ownCloud Administrators Manual]
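Review bot: The two links added under "==Resources==" carry the same label, "Fedora Deployment_Guide: Setting Up an SSL Server", but point to the Fedora 15 and Fedora 14 guides; keep one of them, or put the release number in each label so readers can tell them apart.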

Revision as of 20:52, 21 July 2014

ownCloud is an AGPLv3 private file server


ownCloud is software for creating a personal cloud system. This page is an installation guide for the server side.

Features

  • Online file storage
  • Android compatibility
  • Contacts (CardDAV) and calendar (CalDAV) synchronization
  • Music streaming
  • Many more

Installation

# yum install owncloud

SSL certificate configuration

In order to have secure communications between host and server, you need to generate a key and a certificate

# yum install crypto-utils

# genkey hostname

Answer "no" to the question "Would you like to send a Certificate Request (CSR) to a Certificate Authority (CA)?"

To allow the httpd service to use SSL, install the required packages

# yum install mod_ssl openssl

and add the following lines, where hostname is the name given to genkey, at the bottom of

/etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key

To force SSL usage in the ownCloud server:

# nano /etc/owncloud/config.php

and change the entry

'forcessl' => false,

to

'forcessl' => true,


To create the admin user, open the following address in the browser (ignoring the warning about the unsigned certificate)

localhost/owncloud

Grant remote access to the server

Firewall configuration

You need to find out the active firewall zone

# firewall-cmd --list-all-zones | grep active

in our case:

public (default, active)

Then use the following commands to allow access to the http and https services:

# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=https
# systemctl restart firewalld

Configuring Apache permissions

To allow access from remote hosts, configure Apache's

/etc/httpd/conf.d/owncloud.conf

as in the following example:

<IfModule mod_authz_core.c>
# Apache 2.4
#Require local
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1
#Allow from ::1
Allow from all
</IfModule>

Configuration of exposed IP addresses

Finally, in the configuration file

/etc/owncloud/config.php

add to the entry

array (
   0 => 'localhost',
)

the IP addresses through which the server will be reachable from outside (both LAN and WAN). An example configuration with both a LAN and a WAN address is:

array (
   0 => 'localhost',
   1 => '192.168.1.100',
   2 => '200.100.1.100',
)
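A post-install check for the settings changed in the steps above, added here as an example and not part of the wiki page. The function names audit_owncloud and note are hypothetical; the default paths are the ones the guide names, and the rule that the key file must not be readable by group or others is this example's own policy.

```shell
#!/bin/sh
# Added example: audit the files edited in this guide.
# Usage: . ./audit.sh && audit_owncloud [config.php] [owncloud.conf] [ssl.conf]

FINDINGS=""
note() { FINDINGS="${FINDINGS}$1
"; }

# Prints one finding per line; returns 0 only when there are none.
audit_owncloud() {
    cfg=${1:-/etc/owncloud/config.php}
    acl=${2:-/etc/httpd/conf.d/owncloud.conf}
    ssl=${3:-/etc/httpd/conf.d/ssl.conf}
    FINDINGS=""

    # 1. 'forcessl' must be an uncommented entry set to true.
    grep -Eq "^[[:space:]]*'forcessl'[[:space:]]*=>[[:space:]]*true" "$cfg" \
        || note "forcessl: not set to true in $cfg"

    # 2. Uncommented allow-everyone rules (Apache 2.4 and 2.2 syntax).
    #    Expected only once remote access is really wanted.
    if grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+granted|Allow[[:space:]]+from[[:space:]]+all)' "$acl"; then
        note "access: $acl admits every client address"
    fi

    # 3. Last uncommented SSLCertificateKeyFile: the file must exist and
    #    must not be readable by group or others.
    key=$(awk 'tolower($1) == "sslcertificatekeyfile" { k = $2 } END { print k }' "$ssl")
    if [ -z "$key" ]; then
        note "tls: no SSLCertificateKeyFile in $ssl"
    elif [ ! -f "$key" ]; then
        note "tls: key file $key is missing"
    elif [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        note "tls: key file $key is readable by group or others"
    fi

    printf '%s' "$FINDINGS"
    [ -z "$FINDINGS" ]
}
```

Run it as root after each configuration change; the "access" finding is expected once remote access has been granted deliberately.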

Troubleshooting

Dynamic IP address

If you have a dynamic IP address you can configure a dynamic DNS client, for example inadyn-mt, to update your IP for your DNS server account.


Resources