Control Your Files Using Your Own Cloud With ownCloud     

OwnCloud is an open-source file storage and file synchronization solution. It provides access to files via web interface, webDAV or a sync client that makes it easier to synchronize files from the file explorer to the cloud. Multiple add-ons can also be installed within ownCloud to make the system even more useful, namely, plugins to create notes, a calendar app and an address book.

Owncloud was first mentioned at the Camp KDE 2010 by its Founder, Frank Karlitschek. A couple of months following that, ownCloud 1.0 was officially released which included the web interface, webDAV support and the plugin system as well as the option to receive notifications. Over the next six years, Frank Karlitschek, Holger Dyrioff and Markus Rex added multiple features, created the desktop client, introduced the Security Bug Bounty program and improved the software that is now available in the current 9.1 version. One fact to note is that Frank Karlitschek resigned from ownCloud at the time ownCloud 9 was officially announced to collaborate on a new cloud project called NextCloud.

As with other software programs, ownCloud provides both a community and an enterprise version. The differences between the versions are that some features are missing from the community version in comparison to the enterprise version. For example, it is not possible to simply drag and drop files from the file explorer into the browser window nor does it provide access to guest users. The Integration of Microsoft Sharepoint or Windows Network Drives is also not an option as well as Single Sign-On for authentication. An overview of the features can be found at https://ownCloud.com/community-or-enterprise/.

It is important to note that for BSD Users, there is no official support through ownCloud for BSD. This means that the enterprise support will also not be available to reply to BSD-related questions. However, many ownCloud related issues that occur during the installation or maintenance process can be resolved within the online ownCloud community forum or with the extensive user or admin guide.

This article will show the necessary steps needed to install and maintain ownCloud under FreeBSD 11, starting with installing the web server by configuration of the MySQL to set different optional parameters that secure the system.

The initial step is to install a web server and upload the ownCloud Website; our Apache in version 2.4 works just fine. Once everything is in order, NGINX can be installed as a reverse proxy to increase the speed for maintaining SSL connections. Nginx as a reverse proxy functions optimally if the root server has only one IP address, but you want to run multiple web pages on TCP port 80/443. In this case, NGINX forwards requests for different URLs to the Apache which internally listens on different ports.

For now, we only want to install Apache using the following command:

portmaster www/apache24

===>>> The following actions were performed:
Installation of databases/db5 (db5-5.3.28_6)
Installation of databases/gdbm (gdbm-1.12)
Installation of textproc/expat2 (expat-2.2.0)
Installation of devel/apr1 (apr-1.5.2.1.5.4_2)
Installation of devel/pcre (pcre-8.39)
Installation of textproc/libxml2 (libxml2-2.9.4)
Installation of www/apache24 (apache24-2.4.23_1)

To enable Apache 2.4 during boot time, we simply use the command “sysrc apache24_enable=yes” which simply adds the command to /etc/rc.conf. OwnCloud by default uses MySQL to read and write different data. Therefore, it is necessary to install some database like MariaDB, PostgreSQL, MySQL or Oracle. (Oracle is only available for ownCloud Enterprise Edition).

We have installed the default database MySQL:

portmaster databases/mysql56-server

===>>> The following actions were performed:
Installation of archivers/liblz4 (liblz4-131)
(…)
Installation of databases/mysql56-client (mysql56-client-5.6.34)
Installation of databases/mysql56-server (mysql56-server-5.6.34)

The same way Apache was added to /etc/rc.conf, MySQL can be added by using the following command:

sysrc mysql_enable=yes

To proceed to the next step, it is necessary to start MySQL by typing the following command:

service mysql-server start

To configure basic MySql, FreeBSD offers a nice wizard. The wizard can be started by using the following command:

/usr/local/bin/mysql_secure_installation

My recommendations would be to set a long root password, drop the anonymous users, disable remote root login ability and remove the test database. Please keep in mind that presently MySQL does not have a root password, this means you need just simply to answer the first question by clicking return.

The next step is to install Apache php module in version 7.0 using the command:

portmaster www/mod_php70

===>>> Installation of www/mod_php70 (mod_php70-7.0.13) complete portmaster lang/php70 textproc/php70-ctype textproc/php70-dom graphics/php70-gd converters/php70-iconv devel/php70-json textproc/php70-xmlwriter textproc/php70-simplexml sysutils/php70-posix archivers/php70-zip archivers/php70-zlib databases/php70-pdo_mysql lang/php70 ftp/php70-curl sysutils/php70-fileinfo archivers/php70-bz2 security/php70-mcrypt security/php70-openssl converters/php70-mbstring devel/oniguruma5 graphics/php70-exif security/php70-filter security/php70-hash textproc/php70-wddx textproc/php70-xml www/php70-session textproc/php70-xmlreader textproc/php70-xsl

===>>> The following actions were performed:
Installation of lang/php70 (php70-7.0.13)
(…)
Installation of textproc/php70-xmlreader (php70-xmlreader-7.0.13)
Installation of textproc/php70-xsl (php70-xsl-7.0.13)

Finally, we install ownCloud itself. Since I am not interested in a connection to an ldap server or smb server, I disable both ldap and smb during the installation process.

portmaster www/owncloud

===>>> Installation of www/owncloud (owncloud-9.1.2) complete

After installation of all of the necessary components, there is a need to configure the Apache server to display the installed ownCloud. It is necessary first to edit the file httpd.conf at /usr/local/etc/apache24.

The following file should be edited:

Replace “Listen 80” with “Listen 443”

Enable “LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so”
Enable “LoadModule ssl_module libexec/apache24/mod_ssl.so”
Disable “LoadModule status_module libexec/apache24/mod_status.so”
Disable “LoadModule autoindex_module libexec/apache24/mod_autoindex.so”
Make certain that “LoadModule php7_module libexec/apache24/libphp7.so” is enabled
Replace “ServerAdmin [email protected]” with “ServerAdmin “
Enable “Include etc/apache24/extra/http-ssl.conf”
Disable “Include etc/apache24/Includes/*.conf”

Add the following lines:

# Define to handle files with the ending .php as PHP Skript files
<FilesMatch "\.php$">
SetHandler application/x-httpd-php

# Define to handle phps (php source files) by the PHP source-filter/handler

<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source

# Sets the list of resources to look for, when the client requests an index of the directory

DirectoryIndex index.php index.html index.htm
AddType application/x-httpd-php .php

# Disable HTTP Trace Methode
TraceEnable off
# Disable showing the server version and only showing Apache in the Server header
ServerTokens Prod
ServerSignature Off

# Control and modify HTTP request and response header

Header always set Strict-Transport-Security “max-age=15768000; includeSubDomains”

For the next step, it is necessary to edit httpd-ssl.conf in the /usr/local/etc/apache24/extra directory

Disable “Listen 443”
Replace “DocumentRoot “/usr/local/www/apache24/data”” with “DocumentRoot “/usr/local/www/owncloud””
Replace “ServerName www.example.com:443” with “ServerName :443”
Replace “ServerAdmin [email protected]” with “ServerAdmin ”
Replace “SSLCertificateFile “/usr/local/etc/apache24/server.crt”” with “SSLCertificateFile ” Replace “SSLCertificateKeyFile “/usr/local/etc/apache24/server.key”” with “SSLCertificateKeyFile “path to the server private key””

A sure way to generate a valid certificate is to use „Let’s Encrypt“.
For more information, please have a look at „https://certbot.eff.org/”. Here, you can simply select your web server and the operation system in order to get detailed instructions for your specific environment.

Add the following lines:

Options +FollowSymlinks
AllowOverride All
Require all granted

SSLRenegBufferSize 888388608 (Comment: We can simply delete this line because it was only used during different tests)

Dav off

SetEnv HOME /usr/local/www/owncloud
SetEnv HTTP_HOME /usr/local/www/owncloud

After changing multiple lines in both files, it is necessary to ensure that the certificates for the fully qualified configured domain name is valid, and located in the path configured at SSLCertifcateFile and SSLCertificateKeyFile.

One of the last steps of installation is to start Apache by typing the following command:

service apache24 start

Before we can proceed to the last step, it is required to create the ownCloud database and a separate ownCloud user in MySQL.

mysql -u root -p
Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.17-log Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

[email protected] [(none)]> CREATE DATABASE owncloud;
Query OK, 1 row affected (0.02 sec)

[email protected] [(none)]> GRANT ALL ON owncloud.* to ‘owncloud’@’localhost’ IDENTIFIED BY ‚’;
Query OK, 0 rows affected, 1 warning (0.03 sec)

[email protected] [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.03 sec)

After creating the MySQL database and user for ownCloud, just connect to the web interface and fill out the required fields.

Now you should be able to use ownCloud without any problems.

Optional ownCloud Hardening:

Based on your security requirement, there are some requirements for securing ownCloud.

(1) Some of the default SSL enable ciphers in Apache are known to be vulnerable. Therefore, there is a very helpful configuration wizard that shows cipher recommendations for different browsers at https://mozilla.github.io/server-side-tls/ssl-config-generator/. The disadvantage of this option is that older web clients might not be able to connect to the apache.

(2) In order to prevent security problems from another website to a virtual host, it is a smart option to use one of the better-built security features in FreeBSD, the FreeBSD Jails.

3. Multiple jails may be utilized simultaneously, each with a separate web server that should listen to port 80 or 443. If your server provider only offers one public IP address, a possible solution would be to use a NGINX reverse proxy to listen to port 443 and to forward the requests to different ports to different jails internally.

4. Another school of thought is to periodically fetch the IP ranges from the designated countries to block external requests from IP addresses which are outside these locations. This action certainly does not increase the security of the server itself but should reduce the number of global scans outside the host country. The disadvantage is that some companies use their internet service providers where the public IP address is used from different countries. In this situation, the user will not be able to connect to the Apache and NGINX.

5. In order to increase security, it is helpful to disable all unnecessary PHP
functions. The recommendation is to add the following line to php.ini:

disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source,eval,php_uname,getmyuid,leak,listen,diskfreespace,tmpfile,link,ignore_u ser_abord,dl,highlight_file,source,sho
w_source,fpaththru,virtual,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgro ups,posix_getlogin,posix_getpgid,posix_getpgrp,posix,posix_getpwnam,posix_getrlimit
,posix_getsid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid, posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status, proc_nice, p
roc_terminate, phpinfo

If additional modules are required with the use of future versions of ownCloud, the following line will appear in the ownCloud.log:
” has been disabled for security reasons at /usr/local/www/owncloud/”

Optional Apps:

The main purpose of ownCloud is to store and share files. However, last year ownCloud implemented a platform for different internal applications which are helpful.

1. Bookmarks: This app is helpful to create a bookmark collection of favorite bookmarks. Yes, every browser has its bookmarks store, but by using the app, it is possible to have bookmarks in a central location for each browser used.

2. Calendar: The calendar app is exactly that, provides calendar functionality with the option to sync the data with mobile devices.

3. Contacts: The same as the Calendar. This application is a wonderful option to have
for a list of all contacts.

4. Tasks: Tasks is a very beneficial app used to manage daily and weekly to-do lists with multiple options. It offers various options such as writing step-by-step actions, setting priorities and creating tags for the different jobs. Perfect for organizing.

5. Podcast: The podcast app helps organize and play your favorite podcast from the browser by simply adding the podcast URL.

6. QuickNotes: This app offers nicely colored virtual notepads where you can jot down important information. It’s a simple yet effective app to recall data at a later time.

About the Author:

Marcus Schmitt is a Senior Network Engineer for network infrastructure and security in Germany. For several years, he worked on the Cisco TAC team focusing on packet capture analysis and web security products. Presently, he is employed as a senior network, infrastructure and security engineer, with additional responsibilities for the company’s internal cloud solution. After exposure to the FreeBSD and OpenBSD operating systems, he found them to be more interesting than the alternative Linux-tested derivatives and has spent almost the last 15 years working in this field.