Updated about 9 years ago by Jessie Lee

• Table of contents
• Owncloud
• Owncloud Installation
  • Owncloud 8.1 on Debian 7 with Apache
  • Database setup (mySQL)
  • Enabling Samba external users
  • Samba External Storage
  • owncloud + nginx
  • Performance tweaks
  • Security and Hardening
  • For Office File servers
  • resource links

Owncloud¶

Owncloud has issues with .DS_Store files. At first I thought it was a Dropbox <-> Owncloud error, but then I turned off my Dropbox and was still getting the error. We need to figure out a way to have Owncloud exclude syncing .DS_Store files, or else it will generate a bunch of them. I don't know why it is doing so, but I have figured out how to delete them all:

Run this in the top of the Owncloud directory.

find ./ -type f -name ".DS_Stor*" -exec rm {} \;

Owncloud Installation¶

Owncloud 8.1 on Debian 7 with Apache¶

• Wheezy does not have Owncloud 7 or 8 in repository (Jessie has 7.0 but I highly recommend using 8 for webUI improvements and speed)
• Add the OpenSuse owncloud repository (this is maintained by owncloud devs)
• After adding sudo apt-get update && sudo apt-get install owncloud
• This should install owncloud to /var/www/owncloud, php, and mySQL
• This will also create a conf file in /etc/apache2/conf.d/owncloud.conf which adds configuration redirects domain.com/owncloud to the owncloud directory.
• contents of the conf file.

  Alias /owncloud "/var/www/owncloud/" 
  <Directory "/var/www/owncloud">
      Options +FollowSymLinks
      AllowOverride All
      Satisfy Any
      <IfModule mod_dav.c>
        Dav off
      </IfModule>
  
      SetEnv HOME /var/www/owncloud
      SetEnv HTTP_HOME /var/www/owncloud
  </Directory>
  
  <Directory "/var/www/owncloud/data/">
    # just in case if .htaccess gets disabled
    Require all denied
  </Directory>
  

• Set up Apache for owncloud access: For simple setups, edit the default-ssl config to point to ssl certs and enable with a2enmod default-ssl.
• restart apache
• go to https://domain.com/owncloud to start owncloud setup wizard.
• If changes need to be made after first time setup either run again from Apps or edit /var/www/owncloud/config/config.php by hand

Database setup (mySQL)¶

• make sure package php5-mysql is installed on system
• start mysql command line mode mysql -uroot -p

• CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
  CREATE DATABASE IF NOT EXISTS owncloud;
  GRANT ALL PRIVILEGES ON owncloud.* TO 'username'@'localhost' IDENTIFIED BY 'password';

• keep track of username and password as the owncloud setup wizard will need that.

Enabling Samba external users¶

• Enable external_user and external_storage apps (lefthand tab menu--->apps---->not enabled. enable them)
• for a local samba installation add the following to config.php

  "user_backends" => array (
      0 => array (
              "class"     => "OC_User_SMB",
              "arguments" => array (
                                0 => 'localhost'
                                ),
      ),
  ),

• users logging in with samba user and password should autocreate a user in owncloud. Permissions are not carried over!

Samba External Storage¶

• go to owncloud admin panel after enabling external_storage
• add share via interface.

owncloud + nginx¶

• Install php5-fpm and nginx with apt-get install php5-fpm nginx
• Uncomment "env[PATH] = /usr/local/bin:/usr/bin:/bin" in the file "/etc/php5/fpm/pool.d/www.conf"
• owncloud provides a fairly good base nginx site file to use for simple setups. copied below.
  

  upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/var/run/php5-fpm.sock;
    }
  
  server {
    listen 80;
    server_name cloud.example.com;
    # enforce https
    return 301 https://$server_name$request_uri;
    }
  
  server {
    listen 443 ssl;
    server_name cloud.example.com;
  
    ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
    ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
  
    # Path to the root of your installation
    root /var/www/owncloud/;
    # set max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
  
    # Disable gzip to avoid the removal of the ETag header
    gzip off;
  
    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
  
    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
  
    index index.php;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
  
    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
      }
  
    location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
      deny all;
      }
  
    location / {
     # The following 2 rules are only needed with webfinger
     rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
     rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
  
     rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
     rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
  
     rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
  
     try_files $uri $uri/ /index.php;
     }
  
     location ~ \.php(?:$|/) {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_param PATH_INFO $fastcgi_path_info;
     fastcgi_param HTTPS on;
     fastcgi_pass php-handler;
     }
  
     # Optional: set long EXPIRES header on static assets
     location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
         expires 30d;
         # Optional: Don't log access to assets
           access_log off;
     }
  
    }

• In the main server block add add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; to enable strict transport security

Performance tweaks¶

• enable system cron: by default owncloud runs scheduled jobs via ajax every page load which isn't great for actually getting things done at regular intervals. add:

  # crontab -u www-data -e
  */15  *  *  *  * php -f /var/www/owncloud/cron.php > /dev/null 2>&1

• enable apc (or apcu for php 5.5 and above) for wheezy apt-get install php-apc and add 'memcache.local' => '\OC\Memcache\APC', to config.php
• for php 5.5 and above apt- get install php-apcu and add 'memcache.local' => '\OC\Memcache\APCu',
• you may have to add apc.enable_cli=1 to /etc/php5/cli/php.ini

Security and Hardening¶

• enable mod_headers (a2enmod headers) and add Header always add Strict-Transport-Security "max-age=15768000" to virtual host file.
• move data directory outside /var/www/owncloud folder
• turn on server side encryption of data. (Admin settings --> turn on)
• redirect all traffic to ssl:

  <VirtualHost *:80>
     ServerName cloud.owncloud.com
     Redirect permanent / https://cloud.owncloud.com/
  </VirtualHost>

• verify that strict transport security and other headers are being sent by the server using curl. curl -I https://owncloud.site/owncloud/COPYING-AGPL or calling another static resource.
  • headers should include X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Robots-Tag: none X-Frame-Options: SAMEORIGIN

For Office File servers¶

• add the following cronjob to crontab -u www-data

  30      6,15     *       *       *  php /var/www/owncloud/occ file:scan --all >/dev/null 2>&1
  

resource links¶

• owncloud config.php parameters
• owncloud nginx configuration
• owncloud database configuration
• owncloud external auth
• owncloud external storage, direct config.php editing