> -----Original message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
> Antoine Jacoutot
> Sent: Monday 18 April 2016 18:45
> To: Nick
> CC: misc@openbsd.org
> Subject: Re: OwnCloud - security/setup warnings etc.. Any
> help/advice would be massively appreciated.
>
> On Mon, Apr 18, 2016 at 11:32:32AM -0400, Nick wrote:
> > ## I think this error can be safely ignored, is that correct? OpenBSD
> > changed the way environment variables are handled.. (?)
> >
> > 1. php does not seem to be setup properly to query system environment
> > variables. The test with getenv("PATH") only returns an empty
> > response.
> >
> > ## This I'm not sure of, is it to do with the server needing
> > access to /etc/hosts and /etc/resolv? Would you recommend it?
> >
> > 2. This server has no working Internet connection. This means that
> > some of the features like mounting external storage, notifications
> > about updates or installation of third-party apps will not work.
> > Accessing files remotely and sending of notification emails might
> > not work, either. We suggest to enable Internet connection for this
> > server if you want to have all features.
> >
> > ## Is it safe to allow this to be readable by PHP? If so, what do
> > you think might be the best way to go about it?
> >
> > 3. /dev/urandom is not readable by PHP which is highly
> > discouraged for security reasons. Further information can be found
> > in our
> > [documentation](https://doc.owncloud.org/server/8.2/go.php?to=admin-security).
> >
> > ## I have already set the server to direct to HTTPS using the
> > letsencrypt certs I created, so I figure that this is unnecessary
> > to change - would you agree?
> >
> > 4. The "Strict-Transport-Security" HTTP header is not configured
> > to least "15768000" seconds. For enhanced security we recommend
> > enabling HSTS as described in our [security
> > tips](https://nofacade.co.uk/owncloud/index.php/settings/admin#admin-tips).
> >
> > ## This one is a real pain to work out:
> >
> > 5. No memory cache has been configured. To enhance your
> > performance please configure a memcache if available. Further
> > information can be found in our
> > [documentation](https://doc.owncloud.org/server/8.2/go.php?to=admin-performance).
> >
> > ## Reading through /usr/local/share/doc/pkg-readmes/owncloud-8.2.2p3
> > - it advises me to adapt and append the
> > owncloud/config/config.php file with:
> >
> > 'memcache.local' => '\OC\Memcache\Redis',
> > 'redis' => array(
> >     'host' => 'localhost',
> >     'port' => 6379,
> >     'timeout' => 0.0,
> > ),
> >
> > Problem is that after a server restart, I am blocked from accessing
> > my owncloud server. Until I remove the recommended code and restart.
> >
> > Here's what I have tried and which hasn't worked for me:
> >
> > ln -sf /etc/php-5.6.sample/redis.ini /etc/php-5.6/
>
> That is documented.
>
> > pkg_add redis && rcctl enable redis && rcctl start redis
>
> I thought it was kind of obvious that if you wanted redis support,
> you should have a redis server...
> Also it does not need to be on the same box.
>
> > rcctl restart httpd
> > rcctl restart php56_fpm -df
> >
> > Thanks for taking the time to look through this. Cheers
>
> --
> Antoine
For anyone interested, I just wrote this install guide for myself last week. It removes all the errors from owncloud except the urandom error.

Tiemen Werkman

# Owncloud Setup

### requirements

- ssl certificates
- database
- php
- owncloud
- httpd
- redis

### create self-signed ssl certificate and private key for owncloud

see _create certificates.md_

### install postgresql database server

see _postgresql setup.md_

### install phpPgAdmin

see _phpPgAdmin setup.md_

### install owncloud and php PostgreSQL drivers

`$ pkg_add -iv owncloud php-pdo_pgsql redis`

When prompted, pick the latest version of php. After the installation has finished, create the symlinks as shown by `pkg_add`. Also check the pkg-readmes.

Open _php-fpm.conf_ and change the following lines:

    ;env[PATH] = /usr/local/bin:/usr/bin:/bin
    env[PATH] = /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

    ;pm.max_children = 5
    pm.max_children = 10

Open `/var/www/owncloud/config/config.php` and add the following:

    'datadirectory' => '/owncloud/data',
    'updatechecker' => false,
    'log_type' => 'syslog',
    'syslog_tag' => 'owncloud',
    'logfile' => '/var/log/owncloud',
    'loglevel' => 2,
    'memcache.locking' => '\OC\Memcache\Redis',
    'memcache.local' => '\OC\Memcache\Redis',
    'redis' => array(
        'host' => 'localhost',
        'port' => 6379,
        'timeout' => 0.0,
    ),

Create owncloud log file

`$ touch /var/log/owncloud`
`$ chmod 640 /var/log/owncloud`

Edit `/etc/syslog.conf`, prepend the following:

    !!owncloud
    *.*    /var/log/owncloud
    !*

Setup log rotation, append the following to `/etc/newsyslog.conf`

    /var/log/owncloud    640  5    30   *    Z

Reload syslogd

`$ rcctl reload syslogd`

### create ownCloud database

    $ psql -U postgres
    postgres=# CREATE USER owncloud WITH PASSWORD 'password';
    CREATE ROLE
    postgres=# CREATE DATABASE owncloud TEMPLATE template0 ENCODING 'UNICODE';
    CREATE DATABASE
    postgres=# ALTER DATABASE owncloud OWNER TO owncloud;
    ALTER DATABASE
    postgres=# GRANT ALL PRIVILEGES ON DATABASE owncloud TO owncloud;
    GRANT
    postgres=# \q

### setup httpd daemon

The following files are required by owncloud and must therefore be made available inside the chroot where owncloud resides.

`$ mkdir -p /var/www/usr/share/locale/UTF-8/`
`$ cp /usr/share/locale/UTF-8/LC_CTYPE /var/www/usr/share/locale/UTF-8/`
`$ mkdir /var/www/etc`
`$ cp /etc/{hosts,resolv.conf,localtime} /var/www/etc/`

Create httpd.conf.

`$ touch /etc/httpd.conf`

    # set macros
    ext_if="egress"
    domain="www.myowncloud.com"

    # Include MIME types instead of the built-in ones
    types {
        include "/usr/share/misc/mime.types"
    }

    server "default" {
        listen on $ext_if port 80
        block return 301 "https://www.myowncloud.com$REQUEST_URI"
    }

    server $domain {
        listen on $ext_if tls port 443

        # set certificates for owncloud
        tls {
            certificate "/etc/ssl/server.crt"
            key "/etc/ssl/private/server.key"
        }

        # Enable HTTP Strict Transport Security
        # set max-age as suggested by owncloud
        hsts max-age 15768000

        # Set max upload size to 513M (in bytes)
        connection max request body 537919488

        root "/owncloud"

        # First deny access to the specified files
        location "*/db_structure.xml" { block }
        location "*/.ht*" { block }
        location "*/README" { block }
        location "*/data*" { block }
        location "*/config*" { block }

        # If it is accessed as /owncloud
        location "/owncloud/*.php*" {
            root { "/owncloud", strip 1 }
            fastcgi socket "/run/php-fpm.sock"
        }
        location "/owncloud/*" {
            root { "/owncloud", strip 1 }
        }

        # Any other PHP file
        location "/*.php*" {
            fastcgi socket "/run/php-fpm.sock"
        }
    }

### add rules to pf.conf firewall

    pass in inet proto tcp from any to self port http
    pass in inet proto tcp from any to self port https

### reload pf

`$ pfctl -f /etc/pf.conf`

### add cronjob

`$ crontab -u www -e`

webcron

    */15 * * * * /usr/bin/ftp -S dont -Vo - https://myowncloud.example.com/owncloud/cron.php > /dev/null

cron

    */15 * * * * php -f /var/www/owncloud/cron.php > /dev/null 2>&1

### add redis, php-fpm and httpd rc scripts to rc.conf.local and start daemons

`$ rcctl enable redis php56_fpm httpd`
`$ rcctl start redis php56_fpm httpd`
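Two of the warnings Nick listed (the empty `getenv("PATH")` and the unreadable `/dev/urandom`) and the chroot file copies in the guide above are all easy to get wrong silently, so the following preflight script checks them before httpd and php-fpm are restarted. It is an added example and not part of either post; the function names (`check_chroot_files`, `check_chroot_urandom`, `check_fpm_path`, `preflight`) are made up for this example, the chroot root and the php-fpm.conf path are parameters so it can be pointed at a scratch directory, and the file list is the one the guide copies into `/var/www`. It only reports, it changes nothing.

```shell
#!/bin/sh
# Preflight checks for ownCloud inside OpenBSD httpd's /var/www chroot.
# Added example, not code from the mailing-list posts above.

# check_chroot_files <chroot_root>
# Returns 0 when every file the guide copies into the chroot exists,
# 1 otherwise; each missing file is printed on its own line.
check_chroot_files() {
    root="$1"
    missing=0
    for f in usr/share/locale/UTF-8/LC_CTYPE etc/hosts etc/resolv.conf etc/localtime; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $root/$f"
            missing=1
        fi
    done
    return $missing
}

# check_chroot_urandom <chroot_root>
# The one warning the guide leaves unresolved: PHP running inside the chroot
# can only read /dev/urandom if a character device node exists at
# <chroot>/dev/urandom. Returns 0 if such a node is present, 1 otherwise.
check_chroot_urandom() {
    [ -c "$1/dev/urandom" ]
}

# check_fpm_path <php-fpm.conf>
# Returns 0 when the file has an active (uncommented) env[PATH] line, which is
# what makes getenv("PATH") return a value instead of an empty string.
check_fpm_path() {
    grep -q '^[[:space:]]*env\[PATH\][[:space:]]*=' "$1"
}

# preflight <chroot_root> <php-fpm.conf>
# Runs all three checks and returns 0 only if every one of them passes.
preflight() {
    root="$1"
    fpmconf="$2"
    rc=0
    check_chroot_files "$root" || rc=1
    check_chroot_urandom "$root" || { echo "no character device at $root/dev/urandom"; rc=1; }
    check_fpm_path "$fpmconf" || { echo "env[PATH] is commented out or absent in $fpmconf"; rc=1; }
    return $rc
}
```

On the real box it would be sourced and run as `preflight /var/www /etc/php-fpm.conf` (with the php-fpm.conf path adjusted to where the package installed it); a non-zero exit with the printed list tells you which of the guide's copy steps was skipped before you touch `rcctl`.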