Owncloud 9 installation

Goal

The goal of this post is to install owncloud on a raspberry pi and serve it over https with an SSL certificate signed by a trusted vendor.

Disclaimer

I shamelessly drew inspiration from two blog posts that I would like to give credit to:

  • this post detailing how to install owncloud on a raspberry pi (with a self-signed certificate)
  • this one very nicely explains how to set up let’s encrypt on a raspberry pi

Raspbian

Download raspbian lite image from this site

You can download the torrent from here or direct link from here

Prerequisites

First, change the password to something other than the default password

NOTE: the default username is “pi” and the default password is “raspberry” for the Raspbian distributions.

passwd

We log in as super user, so that we don’t have to “sudo” all the time:

NOTE: the “-” flag at the end means we use the normal shell and not the bash shell

sudo su -

Now we need to add ssh access. As of November 2016, the raspbian lite distribution has ssh disabled by default

raspi-config

Select “Advanced Options”, then activate the “SSH” option.

You can also choose to “Expand Filesystem” so that you get all the available space on the sd card you mounted

Bring raspbian up-to-date:

apt-get update
apt-get upgrade

Change the swap size to 512 MB (owncloud uses quite a lot of RAM):

nano /etc/dphys-swapfile

change the following line:

CONF_SWAPSIZE=100
to
CONF_SWAPSIZE=512

Web server

Give rights to the www-data user:

usermod -a -G www-data www-data

Install all needed packages:

apt-get install nginx openssl ssl-cert php5-cli php5-gd php5-common php5-cgi php-pear php-apc curl libapr1 libtool curl libcurl4-openssl-dev php-xml-parser php5 php5-dev php5-curl php5-gd php5-fpm memcached php5-memcache varnish

Configure nginx:

mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default_old
nano /etc/nginx/sites-available/default

Now add the following to the nginx configuration file.

upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}
 
server {
    listen 80;
    server_name IPaddress;
    # Path to the root of your installation
    root /var/www/owncloud;
    client_max_body_size 1000M; # set max upload size
    fastcgi_buffers 64 4K;
    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
    index index.php;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
        deny all;
    }
    location / {
        # The following 2 rules are only needed with webfinger
        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
        rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
        rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
        try_files $uri $uri/ /index.php;
    }
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_pass php-handler;
    }
    # Optional: set long EXPIRES header on static assets
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
         expires 30d;
         # Optional: Don't log access to assets
         access_log off;
    }
}

Replace IPaddress with your local IP address or domain name.

Edit maximum upload limits in php:

nano /etc/php5/fpm/php.ini

NOTE: use ctrl + w to search with the nano tool:

upload_max_filesize = 2000M
post_max_size = 2000M

Update the php listen line:

nano /etc/php5/fpm/pool.d/www.conf

change the following line:

listen = /var/run/php5-fpm.sock
to
listen = 127.0.0.1:9000

 

Reboot the raspberry pi:

reboot

Owncloud installation

Now we install owncloud (latest version is 9.0.4)

mkdir -p /var/www/owncloud
wget https://download.owncloud.org/community/owncloud-9.0.4.tar.bz2
tar xvf owncloud-9.0.4.tar.bz2
mv owncloud/ /var/www/
chown -R www-data:www-data /var/www
rm -rf owncloud owncloud-9.0.4.tar.bz2
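The commands above unpack the download without any integrity check. As an added example (not part of the original post), the function below refuses to extract a tarball unless it matches a SHA-256 checksum file. It assumes a checksum file in sha256sum format has been fetched next to the tarball; the function name and the .sha256 file name in the usage comment are illustrative.

```shell
# Added example: verify a release tarball against a SHA-256 checksum file
# before unpacking it. Assumes the checksum file uses the sha256sum format
# ("<64 hex chars>  <filename>"). Names and paths are illustrative.
# Usage: verify_and_extract owncloud-9.0.4.tar.bz2 owncloud-9.0.4.tar.bz2.sha256 /var/www

verify_and_extract() {
    tarball=$1 sumfile=$2 dest=$3
    [ -f "$tarball" ] && [ -f "$sumfile" ] || { echo "missing input file" >&2; return 2; }

    name=$(basename "$tarball")
    # Take the hash only from the line that names this tarball, so a checksum
    # file written for some other file cannot validate ours.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print tolower($1); exit }' "$sumfile")
    case $expected in
        *[!0-9a-f]*|"") echo "no valid checksum for $name in $sumfile" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "checksum has wrong length" >&2; return 2; }

    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    # Unpack only after the hash matched.
    mkdir -p "$dest" && tar xf "$tarball" -C "$dest"
}
```

A return code of 1 means the file does not match its checksum and should be deleted and downloaded again; 2 means the checksum file itself was unusable.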

Mysql

You can gain the best performance from an owncloud installation if you use the mysql database. For this, we need to install some dependencies. Make sure to set a password for the mysql-server that you will remember in the next step of the process.

apt-get install mysql-server mysql-client php5-mysql

Next step: we create a new database

mysql -u root -p

Then enter the password you supplied in the earlier step. Now you should have a mysql command line interface. If your line starts with mysql> then you’re in.

Statement to create the new database:

CREATE DATABASE owncloud;
exit

SSL

Now we install Let’s Encrypt:

gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553
gpg -a --export 8B48AD6246925553 | apt-key add -
gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010
gpg -a --export 7638D0442B90D010 | apt-key add -

echo "deb http://httpredir.debian.org/debian jessie-backports main contrib non-free" > /etc/apt/sources.list.d/debian-jessie-backports.list
apt-get update -y
apt install letsencrypt -t jessie-backports -y
rm /etc/apt/sources.list.d/debian-jessie-backports.list
apt-get update -y

Next step: we have to run the Let’s Encrypt tool to generate the certificates needed for SSL. Attention: your server must now be accessible from the outside on port 80. To ensure you are the one controlling the domain, the tool will copy some files on your server for some sort of “handshake” operation.

Run the certification tool using the following command:

letsencrypt certonly --webroot -w /var/www/owncloud -d <your_domain>

Follow the instructions. At the end you should have your certificates placed in the /etc/letsencrypt/live/<your_domain> folder

Now let’s modify the nginx configuration to include the certificates and to communicate by default via ssl:

upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}
 
server {
    listen 80;
    server_name IPaddress;
    return 301 https://$server_name$request_uri; # enforce https
}
 
server {
    listen 443 ssl;
    server_name IPaddress;
    ssl_certificate /etc/letsencrypt/live/<your_domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your_domain>/privkey.pem;
    # Path to the root of your installation
    root /var/www/owncloud;
    client_max_body_size 1000M; # set max upload size
    fastcgi_buffers 64 4K;
    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
    index index.php;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
        deny all;
    }
    location / {
        # The following 2 rules are only needed with webfinger
        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
        rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
        rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
        try_files $uri $uri/ /index.php;
    }
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_pass php-handler;
    }
    # Optional: set long EXPIRES header on static assets
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
         expires 30d;
         # Optional: Don't log access to assets
         access_log off;
    }
}
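An added check, not part of the original post: this function lints an nginx site file for the properties the configuration above is meant to provide (port 80 only redirects to https, the TLS block has a certificate and key, /data and /config are denied). The function name is hypothetical, and the brace counting assumes no braces inside regexes, which holds for this configuration.

```shell
# Added example: lint an nginx vhost file for the settings this guide relies on.
# Prints one "FINDING:" line per problem and returns 1 if any were found.
# Usage: audit_owncloud_vhost /etc/nginx/sites-available/default
audit_owncloud_vhost() {
    awk '
    function report(msg) { print "FINDING: " msg; bad++ }
    function end_server() {
        if (plain && !redirect)    report("port 80 block does not redirect to https")
        if (plain && serves)       report("port 80 block serves ownCloud over plain HTTP")
        if (tls && !(cert && key)) report("TLS block lacks ssl_certificate or ssl_certificate_key")
        if (tls && !deny)          report("TLS block does not deny access to /data and /config")
    }
    { sub(/[ \t]*#.*$/, "") }                      # strip comments
    depth == 0 && /^[ \t]*server[ \t]*[{]/ {       # a new server block opens
        in_srv = 1
        plain = tls = redirect = serves = cert = key = deny = sensitive = 0
    }
    in_srv && $1 == "listen" {
        if ($0 ~ /[ \t]ssl[ \t;]/) tls = 1
        else if ($2 ~ /^80;?$/ || $2 ~ /:80;?$/) plain = 1
    }
    in_srv && $1 == "return" && $2 ~ /^30[178]$/ && $3 ~ /^https:/ { redirect = 1 }
    in_srv && ($1 == "root" || $1 == "fastcgi_pass") { serves = 1 }
    in_srv && $1 == "ssl_certificate"     { cert = 1 }
    in_srv && $1 == "ssl_certificate_key" { key = 1 }
    # Remember whether the current location regex covers data and config.
    in_srv && $1 == "location" { sensitive = ($0 ~ /data/ && $0 ~ /config/) }
    in_srv && sensitive && $1 == "deny" && $2 ~ /^all;?$/ { deny = 1 }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (in_srv && depth == 0) { end_server(); in_srv = 0 }
    }
    END { exit (bad > 0) }
    ' "$1"
}
```

Run against the first configuration in this post it reports the port 80 block, because that version still serves ownCloud over plain HTTP; against the https version it prints nothing.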

Owncloud first-time usage setup

Now you can browse to your domain and follow the instructions on the initial web page. You will have to supply:

  • Admin:
    • username
    • password
  • Data folder location – normally on a usb drive
  • Database
    • username (normally root)
    • password (the one supplied during the mysql-server package installation)
    • database name (owncloud)
    • server name (localhost)

Have fun!

Now you should have a working owncloud installation!

