> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
> Antoine Jacoutot
> Sent: Monday, 18 April 2016 18:45
> To: Nick
> CC: misc@openbsd.org
> Subject: Re: OwnCloud - security/setup warnings etc.. Any
> help/advice would be massively appreciated.
>
> On Mon, Apr 18, 2016 at 11:32:32AM -0400, Nick wrote:
> > ## I think this error can be safely ignored, is that correct? OpenBSD changed the way environment variables are handled.. (?)
> > 1. php does not seem to be setup properly to query system environment variables. The test with getenv("PATH") only returns an empty response.
> >
> > ## This I'm not sure of, is it to do with the server needing access to /etc/hosts and /etc/resolv? Would you recommend it?
> > 2. This server has no working Internet connection. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. We suggest to enable Internet connection for this server if you want to have all features.
> >
> > ## Is it safe to allow this to be readable by PHP? If so, what do you think might be the best way to go about it?
> > 3. /dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our [documentation](https://doc.owncloud.org/server/8.2/go.php?to=admin-security).
> >
> > ## I have already set the server to direct to HTTPS using the letsencrypt certs I created, so I figure that this is unnecessary to change - would you agree?
> > 4. The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our [security tips](https://nofacade.co.uk/owncloud/index.php/settings/admin#admin-tips).
> >
> > ## This one is a real pain to work out:
> > 5. No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our [documentation](https://doc.owncloud.org/server/8.2/go.php?to=admin-performance).
> >
> > ## Reading through /usr/local/share/doc/pkg-readmes/owncloud-8.2.2p3 - it advises me to adapt and append the ownloud/config/config.php file with:
> > 'memcache.local' => '\OC\Memcache\Redis', 'redis' => array( 'host' => 'localhost', 'port' => 6379, 'timeout' => 0.0, ),
> > Problem is that after a server restart, I am blocked from accessing my owncloud server. Until I remove the recommended code and restart.
> >
> > Here's what I have tried and which hasn't worked for me:
> > ln -sf /etc/php-5.6.sample/redis.ini /etc/php-5.6/
>
> That is documented.
>
> > pkg_add redis && rcctl enable redis && rcctl start redis
>
> I thought it was kind of obvious that if you wanted redis support,
> you should have a redis server...
> Also it does not need to be on the same box.
>
> > rcctl restart httpd
> > rcctl restart php56_fpm -df
> >
> >
> > Thanks for taking the time to look through this. Cheers
> >
>
> --
> Antoine

For anyone interested, I just wrote this install guide for myself
last week. It removes all the errors from owncloud except the
urandom error.

Tiemen Werkman

# Owncloud Setup

### requirements
- ssl certificates
- database
- php
- owncloud
- httpd
- redis

### create self-signed ssl certificate and private key for owncloud
see _create certificates.md_

### install postgresql database server
see _postgresql setup.md_

### install phpPgAdmin
see _phpPgAdmin setup.md_

### install owncloud and php PostgreSQL drivers
`$ pkg_add -iv owncloud php-pdo_pgsql redis`

When prompted, pick the latest version of php. After the installation has
finished, create the symlinks as shown by `pkg_add`. Also check the
pkg-readmes in `/usr/local/share/doc/pkg-readmes/`.

Open `/etc/php-fpm.conf` and change the following lines (the commented
line is the shipped default, the line below it the new value; note the
last PATH entry is `/sbin`, not a relative `sbin`):

    ;env[PATH] = /usr/local/bin:/usr/bin:/bin
    env[PATH] = /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

    ;pm.max_children = 5
    pm.max_children = 10

Open `/var/www/owncloud/config/config.php` and add the following. Paths in
config.php are relative to the php-fpm chroot `/var/www`, so `/owncloud/data`
is `/var/www/owncloud/data` on the host:

    'datadirectory' => '/owncloud/data',
    'updatechecker' => false,
    'log_type' => 'syslog',
    'syslog_tag' => 'owncloud',
    'logfile' => '/var/log/owncloud',
    'loglevel' => 2,
    'memcache.locking' => '\OC\Memcache\Redis',
    'memcache.local' => '\OC\Memcache\Redis',
    'redis' => array(
        'host' => 'localhost',
        'port' => 6379,
        'timeout' => 0.0,
    ),

Create owncloud log file
`$ touch /var/log/owncloud`
`$ chmod 640 /var/log/owncloud`

Edit `/etc/syslog.conf`, prepend the following:

    !!owncloud
    *.*                                                     /var/log/owncloud
    !*

Setup log rotation, append the following to `/etc/newsyslog.conf`

    /var/log/owncloud                       640  5     30   *     Z

Reload syslogd

    rcctl reload syslogd

### create ownCloud database
Replace `'password'` with a proper password for the database role.

    $ psql -U postgres
    postgres=# CREATE USER owncloud WITH PASSWORD 'password';
    CREATE ROLE
    postgres=# CREATE DATABASE owncloud TEMPLATE template0 ENCODING 'UNICODE';
    CREATE DATABASE
    postgres=# ALTER DATABASE owncloud OWNER TO owncloud;
    ALTER DATABASE
    postgres=# GRANT ALL PRIVILEGES ON DATABASE owncloud TO owncloud;
    GRANT
    postgres=# \q

### setup httpd daemon
The following files are required by owncloud (name resolution, time zone
and locale inside the chroot) and must therefore be made available inside
the chroot `/var/www` where owncloud resides.
`$ mkdir -p /var/www/usr/share/locale/UTF-8/`
`$ cp /usr/share/locale/UTF-8/LC_CTYPE /var/www/usr/share/locale/UTF-8/`

`$ mkdir /var/www/etc`
`$ cp /etc/{hosts,resolv.conf,localtime} /var/www/etc/`

Create `/etc/httpd.conf` with the following content:

    # set macros
    ext_if="egress"
    domain="www.myowncloud.com"

    # Include MIME types instead of the built-in ones
    types {
        include "/usr/share/misc/mime.types"
    }

    # Redirect plain HTTP to HTTPS
    server "default" {
        listen on $ext_if port 80
        block return 301 "https://www.myowncloud.com$REQUEST_URI"
    }

    server $domain {
        listen on $ext_if tls port 443

        # set certificates for owncloud
        tls {
            certificate "/etc/ssl/server.crt"
            key "/etc/ssl/private/server.key"
        }

        # Enable HTTP Strict Transport Security
        # set max-age as suggested by owncloud
        hsts max-age 15768000

        # Set max upload size to 513M (in bytes)
        connection max request body 537919488

        # relative to the httpd chroot, i.e. /var/www/owncloud
        root "/owncloud"

        # First deny access to the specified files
        location    "*/db_structure.xml"   { block }
        location    "*/.ht*"               { block }
        location    "*/README"             { block }
        location    "*/data*"              { block }
        location    "*/config*"            { block }

        # If it is accessed as /owncloud
        location "/owncloud/*.php*" {
            root { "/owncloud", strip 1 }
            fastcgi socket "/run/php-fpm.sock"
        }

        location "/owncloud/*" {
            root { "/owncloud", strip 1 }
        }

        # Any other PHP file
        location "/*.php*" {
            fastcgi socket "/run/php-fpm.sock"
        }
    }

### add rules to pf.conf firewall
    pass in inet proto tcp from any to self port http
    pass in inet proto tcp from any to self port https

### reload pf
`$ pfctl -f /etc/pf.conf`

### add cronjob
`$ crontab -u www -e`

webcron

    */15    *       *       *       *       /usr/bin/ftp -S dont -Vo - https://myowncloud.example.com/owncloud/cron.php > /dev/null

cron

    */15    *       *       *       *       php -f /var/www/owncloud/cron.php > /dev/null 2>&1

Note that `-S dont` makes ftp(1) skip TLS certificate verification, which is
what lets it accept the self-signed certificate; `-S cafile=/etc/ssl/server.crt`
keeps verification on for that certificate instead. The second form runs php
outside the httpd chroot, where the chroot-relative paths in config.php (such
as `/owncloud/data`) do not resolve, so with this configuration the webcron
form is the one to use.

### add redis, php-fpm and httpd rc scripts to rc.conf.local and start daemons
`$ rcctl enable redis php56_fpm httpd`
`$ rcctl start redis php56_fpm httpd`
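A post-install check for the steps above, as an added example that is not part of this guide: it verifies that the files copied into the chroot are in place and that the TLS server answers with at least the HSTS max-age ownCloud's admin page asks for (warning 4 in the quoted mail). The `/var/www` chroot and the `www.myowncloud.com` placeholder are taken from the guide; `--live` mode only works on the server itself.

```shell
#!/bin/sh
# Post-install checks for the setup above. Added example, not part of the
# guide; assumes its paths: chroot /var/www, HSTS max-age 15768000.

# $1 is the chroot root. Returns 0 when every file the guide copies into
# the chroot is present, 1 otherwise (missing files are listed).
check_chroot_files() {
    root=$1
    missing=0
    for f in etc/hosts etc/resolv.conf etc/localtime \
             usr/share/locale/UTF-8/LC_CTYPE; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $root/$f"
            missing=1
        fi
    done
    return $missing
}

# Print the max-age from the Strict-Transport-Security header in a saved
# HTTP response ($1); prints 0 when the header is absent.
hsts_max_age() {
    age=$(sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:.*max-age=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${age:-0}"
}

# Returns 0 when the response in $1 carries HSTS with at least the
# max-age ownCloud's admin page asks for.
hsts_ok() {
    [ "$(hsts_max_age "$1")" -ge 15768000 ]
}

# Live mode (run as ./check.sh --live [hostname] on the server): fetch the
# response headers from the local httpd over TLS and run both checks.
# The default hostname is the guide's placeholder, not a real site.
if [ "${1:-}" = "--live" ]; then
    host=${2:-www.myowncloud.com}
    tmp=$(mktemp) || exit 1
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" |
        openssl s_client -quiet -connect 127.0.0.1:443 -servername "$host" \
        2>/dev/null > "$tmp"
    check_chroot_files /var/www && echo "chroot files: ok"
    if hsts_ok "$tmp"; then echo "hsts: ok"; else echo "hsts: missing or too short"; fi
    rm -f "$tmp"
fi
```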
