Hi,
this Tuturial describes the steps to setup owncloud on top of debian/raspian with lighttpd as webserver and https encryption with certificates sign by Let’s encrypt campain.
Operating System
Install a minimal debian jessie system.
Login as root. On raspbian login as user pi change to root.
pi@raspown ~ $ sudo su -
If you want to setup the cloud by ssh and you want to login with root an password authentification set “PermitRootLogin” to “yes” in /etc/ssh/sshd_config.
Don’t forget to set it back to “without-password” after finishing.
Install required packages
root@raspown:~# apt-get -y install php5 php5-common php5-gd php-xml-parser php5-intl php5-json php5-mcrypt root@raspown:~# apt-get -y install php5-sqlite php5-mysql php5-pgsql smbclient php5-curl curl libcurl3 libcurl3-dev root@raspown:~# apt-get -y install lighttpd php5-cgi root@raspown:~# apt-get -y remove apache2 apache2-bin apache2-data libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 root@raspown:~# apt-get -y install python-pip root@raspown:~# apt-get -y install git bash
For Raspbian Users. Do not start graphical desktop, just boot in text mode
root@raspown:~# systemctl get-default root@raspown:~# systemctl set-default -f multi-user.target
Set the hostname respectily full qualified domain name
root@raspown:~# hostnamectl set-hostname yourhost.yourdomain.net
Configure a static IP Address. Disable old (init) config style by saving /etc/network/interfaces and creating an empty file
root@raspown:~# mv /etc/network/interfaces /etc/network/interfaces.save root@raspown:~# touch /etc/network/interfaces
Setting up eth0. Create a file /etc/systemd/network/eth0.network, Name it as you want.
[Match]
# You can also use wildcards. Maybe you want enable dhcp
# an all eth* NICs
Name=eth0
[Network]
#DHCP=v4
# static IP
# 192.168.100.2 netmask 255.255.255.0
Address=192.168.100.2/24
Gateway=192.168.100.1
DNS=192.168.100.1
and enable systemd-networkd and resolved
root@raspown:~# systemctl enable systemd-networkd.service root@raspown:~# systemctl enable systemd-resolved.service
Define DNS Server. You can add the DNS Server either in the Network section of the NIC adapter config (see above) or in /etc/systemd/resolved.conf
Create a symlink
root@raspown:~# mv /etc/resolv.conf /etc/resolv.conf.save root@raspown:~# ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
Enable lighttpd on Port 80
Start the webserver and see if its running
root@raspown # lighty-enable-mod fastcgi-php root@raspown # systemctl enable lighttpd.service root@raspown # systemctl start lighttpd.service root@raspown # journalctl -xn
https certificates
Lets Encrypt
Create the certificates. Get project sources
root@raspown:~# git clone https://github.com/letsencrypt/letsencrypt
Install additional packages needed by letsencrypt create the virtual environment. Do not use the standard shell on Debian 8 based systems. Also the Python Package Index must be reachable:
root@raspown:~/letsencrypt# bash letsencrypt-auto -v
If you want to use your own key and signing request:
Create your server key and csr by openssl. Do not enter a challenge password at the end of the creation process otherwise lighttpd will prompt at each start for it.
root@raspown:~# mkdir -p /etc/lighttpd/ssl
Create Key and Signing request. For a better quality of random numbers consider to generate the key on a “real” PC. Note: The CommonName and the the subjectAltName of the siging request must set to the domain name to which the certificate should belongs to. The output format of the csr must set to DER.
Create an x509 v3 exentension file /etc/lighttpd/ssl/ssl_v3.cfg
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ v3_req ]
basicConstraints = CA:FALSE
nsCertType = server,client
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth,emailProtection,codeSigning,timeStamping
subjectAltName = @alt_names
[alt_names]
DNS.1 = yourhost.yourdomain.net
# DNS.2 =
[req_distinguished_name]
Generate Key and signing request
root@raspown:~# openssl req -nodes -new -newkey rsa:2048 -sha256 -outform DER -out /etc/lighttpd/ssl/server.der -keyout /etc/lighttpd/ssl/server.key -subj '/C=DE/ST=Franken/L=Nuremberg/O=Your Company/OU=Your OU/emailAddress=webmaster@yourdomain.net/CN=yourhost.yourdomain.net/' -config /etc/lighttpd/ssl/ssl_v3.cfg # Sets the following parameters # Country Name (2 letter code) [AU]:DE # State or Province Name (full name) [Some-State]:Franken # Locality Name (eg, city) []:Nuremberg # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company # Organizational Unit Name (eg, section) []:Your OU # Common Name (e.g. server FQDN or YOUR name) []:yourhost.yourdomain.net # Email Address []:webmaster@yourdomain.net # A challenge password []: # An optional company name []:
Verify that your csr contains all your parameter:
root@raspown:~# openssl req -inform der -in /etc/lighttpd/ssl/server.der -noout -text
Get the certificate from the LetsEncrypt CA. This example is based on the webroot authenticator to validate the domain (DV). Means, the letsencrypt-auto script creates a file in the webroot of your webserver which will be read during the domain validation process by the LetsEncrypt webservice.
Before you call the script make sure your webserver is reachable from the internet by your dns name at port 80 (letsencrypt http-01 challenge).
If your Webserver is behind a DSL Router ensure you have configured a port forwarding rule from port 80 to the internal ip address of your webserver. The default lighttpd Webroot for Port 80 is at /var/www/html.
If you want to use your own csr and webroot authentification you have to specify a webroot-map in letsencrypts config file to define a conjunction between domain name and webroot path otherwise an error “PluginError–webroot-path must be set” occurs.
Create a config file /etc/letsencrypt/cli.ini
authenticator = webroot
webroot-path = /var/www/html
webroot-map = {"yourhost.yourdomain.net" : "/var/www/html"}
root@raspown:~/letsencrypt# bash letsencrypt-auto certonly --config /etc/letsencrypt/cli.ini --agree-tos --csr /etc/lighttpd/ssl/server.der --cert-path /etc/lighttpd/ssl/server.pem
And set restricted permissions for csr, certificate and key.
root@raspown:~# cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem root@raspown:~# chown -R www-data:root /etc/lighttpd/ssl/ root@raspown:~# chmod 460 /etc/lighttpd/ssl/* root@raspown:~# chown -R www-data:www-data /etc/lighttpd/ssl/server.key root@raspown:~# chmod 400 /etc/lighttpd/ssl/server.key
For testing
For testing https you can use selfsigned certificates
root@raspown:~# mkdir -p /etc/lighttpd/ssl/ root@raspown:~# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/lighttpd/ssl/server.key -out /etc/lighttpd/ssl/server.crt root@raspown:~# cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem
root@raspown:~# chown -R www-data:root /etc/lighttpd/ssl/ root@raspown:~# chmod 460 /etc/lighttpd/ssl/*
Configure Lighttpd
Append the following lines to your config file /etc/lighttpd/lighttpd.conf , ensure that the owncloud data directory is not readable from the web.
# If you want to use HTTP logging (troubleshooting) insert both lines below
# Consider to mount the log folder /var/log/lighttpd as
# tmpfs (but logs are lost after reboot) to avoid excessive writing to the SD Card.
# Add fstab
# tmpfs /var/log/lighttpd tmpfs rw,size=256M,noexec,nodev,nosuid,uid=33,gid=33 0 0
server.modules += ( "mod_accesslog" )
accesslog.filename = "/var/log/lighttpd/access.log"
# SSL Server settings
# redirect all to https
$HTTP["scheme"] == "http" {
# redirect all http traffic to https, expect the letsencrypt webroot auth requests
$HTTP["url"] !~ "^/\.well-known/" {
# capture vhost name with regex conditiona -> %0 in redirect pattern
# must be the most inner block to the redirect rule
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
# ssl.ca-file = "/etc/lighttpd/ssl/server.crt"
# Enter your hostname
server.name = "yourhost.yourdomain.net"
server.document-root = "/var/www/owncloud"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.use-compression = "disable"
ssl.honor-cipher-order = "enable"
# A more secure cipher list. Not working with older Webbrowsers!
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
server.errorlog = "/var/log/lighttpd/serror.log"
accesslog.filename = "/var/log/lighttpd/saccess.log"
}
# Owncloud Data directory
$HTTP["url"] =~ "^/oc/data/" {
url.access-deny = ("")
}
# Owncloud root
$HTTP["url"] =~ "^/oc($|/)" {
dir-listing.activate = "disable"
}
# Letsencrypt webauth root
$HTTP["url"] =~ "^/\.well-known/" {
dir-listing.activate = "disable"
}
# Not Owncloud or Webauth
$HTTP["url"] !~ "^/oc$|^/oc/|^/\.well-known/" {
url.access-deny = ("")
}
Create the webserver root directory for your owncloud instance
root@raspown # mkdir -p /var/www/owncloud root@raspown # chown www-data:www-data /var/www/owncloud
Start the webserver and see if its running
root@raspown # lighty-enable-mod fastcgi-php root@raspown # systemctl enable lighttpd.service root@raspown # systemctl start lighttpd.service root@raspown # journalctl -xn
Owncloud
Installing owncloud(In this tutorial 8.2)
root@raspown # cd /var/www/owncloud root@owncloud:/var/www/owncloud# wget https://download.owncloud.org/community/owncloud-8.2.1.tar.bz2 root@owncloud:/var/www/owncloud# tar -xvjf owncloud-8.2.1.tar.bz2
Owncloud is now extracted to the subfolder owncloud in the webserver root /var/www/owncloud . I renamed this folder to oc. If you plan another name alter also the deny and dir-listing directive in lighttpd.conf to your folder.
root@owncloud:/var/www/owncloud# mv owncloud oc
Remove owncloud sources
root@owncloud:/var/www/owncloud# rm owncloud-8.2.1.tar.bz2
Set Folder permissions
root@owncloud:/var/www/owncloud# cd oc root@owncloud:/var/www/owncloud/oc# mkdir -p data root@owncloud:/var/www/owncloud/oc# chmod -R o-wxr /var/www/owncloud root@owncloud:/var/www/owncloud/oc# chown -R www-data:www-data /var/www/owncloud
Database
The default database backend of owncloud is sqlite. If you plan to synchronize your Data with the Ownclound Desktop Client a real Database System is recommended.
Here are the steps to setup a mysql Datebase. Install the server and choose secure password.
root@raspown # apt-get -y install mysql-server
Secure your installation
root@raspown # mysql_secure_installation Remove anonymous users? [Y/n] y ... Success! Disallow root login remotely? [Y/n] y ... Success! Remove test database and access to it? [Y/n] y - Dropping test database... ... Success! Reload privilege tables now? [Y/n] y ... Success!
Open the MySQL Console as Database root
root@raspown # mysql -u root -p
Create a User ocuser (Replace ocpassword with your Password π ) and the database owncloud and permit the user to the database.
mysql> create database owncloud;
mysql> CREATE USER 'ocuser'@'localhost' identified by 'ocpassword';
mysql> grant all on owncloud.* to 'ocuser'@'localhost';
mysql> FLUSH PRIVILEGES;
If you want to change the password
mysql> use mysql;
mysql> SET PASSWORD FOR 'ocuser'@'localhost' = PASSWORD('ocpassword');
Securing the installation
AppArmor
I use AppArmor to secure lighttpd and mysql. The raspbian kernel does not support AppArmor out of the box. To use AppArmor you have to recompile the kernel. My post provides a script which supports you :-). Debian Jessie has the support for AppArmor already included.
Installing and activating, on a PC with grub booloader add apparmor=1 security=apparmor to the kernel parameters in /etc/default/grub
root@raspown # apt-get install apparmor apparmor-profiles apparmor-utils root@raspown # cp /etc/default/grub /etc/default/grub.org root@raspown # perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub root@raspown # update-grub root@raspown # reboot
On an Raspberry edit /boot/cmdline.txt
root@raspown # sed -e's/\( root=\/dev\/mmcblk0p2\)/\1 apparmor=1 security=apparmor/g' /boot/cmdline.txt --in-place=.bak
Check if apparmor is correct installed
root@raspown # aa-status
Note: If error “apparmor filesystem is not mounted.” occurs you have to forgot to call update-grub π
By default a mysql profiles is loaded and enforced. Create a lighttpd profile /etc/apparmor.d/usr.sbin.lighttpd This profile is based on the example shipped with debian /usr/share/doc/apparmor-profiles/extras/usr.sbin.lighttpd and OpenSUSE
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
#include
/usr/sbin/lighttpd {
#include
#include
#include
# needed to change max file descriptors
capability sys_resource,
# network service ;)
capability net_bind_service,
# changing the uid/gid on startup
capability setgid,
capability setuid,
/etc/ld.so.cache r,
/etc/lighttpd r,
/etc/lighttpd/*.conf r,
/etc/lighttpd/conf.d/*.conf r,
/etc/lighttpd/auth.d/* r,
/etc/lighttpd/vhosts.d r,
/etc/lighttpd/vhosts.d/* r,
/usr/sbin/lighttpd mix,
/usr/lib/lighttpd/*.so mr,
/usr/lib64/lighttpd/*.so mr,
/etc/ssl/private/*.pem r,
/etc/lighttpd/ssl/server.pem r,
# home dir. e.g. used for sockets.
/var/lib/lighttpd/ r,
/var/lib/lighttpd/** rwl,
# mod_compress cache
/var/cache/lighttpd/ r,
/var/cache/lighttpd/** rwl,
# pid
/{,var/}run/lighttpd.pid rwl,
# log files
/var/log/lighttpd/*.log rw,
# Socket
/run/lighttpd/* w,
# exec
# /usr/bin/php-cgi Cx,
/usr/bin/php5-cgi Cx,
# include_shell
/bin/bash mix,
/bin/dash mix,
/bin/zsh mix,
/bin/cat mix,
# http docs
/var/www/ r,
/var/www/** r,
# Debian/Ubuntu integration in default installation
#include
/etc/mime.types r,
/usr/share/lighttpd/ r,
/usr/share/lighttpd/*.pl rmix,
/etc/lighttpd/conf-available/ r,
/etc/lighttpd/conf-available/*.conf r,
/etc/lighttpd/conf-enabled/ r,
/etc/lighttpd/conf-enabled/*.conf r,
profile /usr/bin/php5-cgi {
#include
/etc/* r,
/etc/ssl/openssl.cnf r,
/etc/php/** r,
/etc/php5/** r,
/lib/lib*so* mr,
/var/lib/php5/sessions/* rwk,
/var/www/ r,
/var/www/** r,
/var/www/owncloud/oc/apps/** rwk,
/var/www/owncloud/oc/config/** rwk,
/var/www/owncloud/oc/data/** rwk,
/tmp/ r,
/tmp/* rwk,
/usr/share/mysql/charsets/Index.xml r,
/usr/bin/php5-cgi r,
/usr/lib/lib*so* mr,
/usr/lib{,32,64}/** mr,
}
}
Set it in enforce mode
root@raspown # aa-enforce /usr/sbin/lighttpd root@raspown # systemctl restart lighttpd.service
Add the line
/etc/ld.so.cache r,
also into /usr/sbin/mysqld {} Section of /etc/apparmor.d/usr.sbin.mysqld
root@raspown # aa-enforce /usr/sbin/mysqld
If have already tested the apparmor profile for a while. If owncloud shows unexpected behaviours check the syslog for apparmor DENIES and send it to me:
root@raspown # journalctl -x --since yesterday|grep 'apparmor="DENIED"'
Tripwire
Next step in security is to monitor filesystem changes. Here are the steps to handle this with tripwire. For further information see documention
Install tripwire
root@raspown # apt-get install tripwire
Create a site key. The site key is used for creating and signing the policy
root@raspown # twadmin -m G -S /etc/tripwire/site.key -Q YourSecureSiteKeyPassword
Create a local key. The local key is used checking file integrity and update database on changes (OS Update..)
root@raspown # twadmin -m G -L /etc/tripwire/${HOSTNAME}-local.key -P -Q YourSecureLocalKeyPassword
Adjust the config /etc/tripwire/twcfg.txt as needed and create the config file from the text template
root@raspown # twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Adjust the default policy /etc/tripwire/twpol.txt to your system. This is an good overview.
and append the rules for owncloud to the end of the file /etc/tripwire/twpol.txt
#
# owncloud
#
#
(
rulename = "owncloud Directories",
severity = $(SIG_MED)
)
{
/var/www/ -> $(SEC_BIN) (recurse = 1) ;
/var/www/owncloud/oc/config -> $(SEC_CONFIG) (recurse = 1) ;
!/var/www/owncloud/oc/data;
}
Create the policy file from text file
root@raspown # twadmin --create-polfile /etc/tripwire/twpol.txt
Do the init filesystem scan and create the database and eleminate all errors
root@raspown # tripwire --init
Checking your system is simple, the report is stored at /var/lib/tripwire/report/.
root@raspown # tripwire --check
If your database has to be updated, maybe you update your Linux OS, run “tripwire –update” against the latest report file. This opens an text editor. Edit only the changes (removing the [X] => [ ]) which should not be written to the database. Save the file and you will prompted for the local passphrase.
root@raspown # tripwire --update -r /var/lib/tripwire/report/report-20151118.twr
After updating the database its an good idea to copy the database file /var/lib/tripwire/*.twd to an storage which is readonly. Before each tripwire check command check also if the database in the /var/lib/tripwire and on the readonly storage is identically.
Setup an cron job which periodically starts an tripwire check
Owncloud Configuration
All backend service are now prepared and running. Open a brower and connect to your Owncloud Installation. Navigate to
https://yourFQDNHostname/oc/
Owncloud is now ready to configure and use π
Michael