OpenBSD: Nextcloud

Posted on March 24, 2018

A brief tutorial to configure Nextcloud running with httpd server in OpenBSD…

Disclaimer

Nextcloud is being constantly developed and improved with additional features and enhancements, which comes hand in hand with the following drawbacks:

Sometimes upgrades break, especially when having a lot of Apps activated. In the realm of OpenBSD, the probability increases, since upgrades between two versions of OpenBSD usually imply an unsupported jump over several versions of Nextcloud.
It is written in PHP, it is very CPU/RAM hungry and it is slow.

After running it for a couple of years and considering that there are alternative solutions, I do not recommend Nextcloud in production in the OpenBSD realm.

YMMV

Introduction

The original ownCloud was forked by developer Frank Karlitschek to create Nextcloud, which is:

an open source (AGPLv3), self-hosted file share and communication platform,
a suite of client-server software for creating and using file hosting services,
functionally similar to Dropbox, Mega, etc., although allowing anyone to install and operate it on a private server

Nextcloud Installation in OpenBSD

The following steps assume that HTTPD and PHP has been successfully installed. Should it be required, the necessary steps have been described in OpenBSD: HTTPD with PHP Support.

The installation process of Nextcloud is pretty straightforward:

$ pkg_add nextcloud

Should the previous step installed new PHP modules, they need to be activated accodingly. The necessary steps have been described in OpenBSD: HTTPD with PHP Support.

Nextcloud Integration in HTTPD

Nextcloud README can be found in:

$ less /usr/local/share/doc/pkg-readmes/nextcloud-*

Examples of configuration for OpenBSD’s HTTPd can be found in:

$ less /var/www/conf/modules.sample/httpd-nextcloud.conf

Assuming that:

the virtual-server (virtual-host) is expected to be running on https://nextcloud.domain.tld,
the maximum allowed size of uploaded files (including those uploaded from client software) is 513MB,

the appropriate httpd.conf section need to exist:

$ vi /etc/httpd.conf
...
### nextcloud.domain.tld:443
server "nextcloud.domain.tld" {
  listen on * tls port 443
  log style combined
  tls {
    certificate "/etc/ssl/domain.tld.fullchain.pem"
    key "/etc/ssl/private/domain.tld.key"
    ciphers "TLSv1.2:TLSv1.3:!CAMELLIA:!ARIA:!DSS:!ADH:!PSK:!RSA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"
  }
  hsts { subdomains }
  directory {
    index "index.php"
  }
  ### NEXTCLOUD
  # Set max upload size to 513M (in bytes)
  # There is a bug, see: https://www.mail-archive.com/misc@openbsd.org/msg140661.html
  # The very same instruction needs to be under the top level domain section!!!
  connection max request body 537919488
  # First, deny access to the specified files
  location "/db_structure.xml" { block }
  location "/.ht*"             { block }
  location "/README"           { block }
  location "/data*"            { block }
  location "/config*"          { block }
  # RFC5785 and RFC6764 access
  location "/.well-known/caldav" {
    root strip 2
    block return 301 "https://nextcloud.domain.tld/remote.php/dav"
  }
  location "/.well-known/carddav" {
    root strip 2
    block return 301 "https://nextcloud.domain.tld/remote.php/dav"
  }
  ### GENERAL WEB
  # Last, allow access to the root directory
  location "/*.php*" {
    root { "/nextcloud" }
    fastcgi socket "/run/php-fpm.sock"
  }
  location "/*" {
    root { "/nextcloud" }
  }
}
...

HTTPD reload is necessary in order to apply changes:

$ rcctl reload httpd

Nextcloud’s PHP Requirements

As discussed earlier, the maximum allowed size of uploaded files is 513MB. The PHP configuration needs to be updated accordingly:

$ vi /etc/php-*.ini
...
post_max_size = 513M
upload_max_filesize = 513M

For enhanced performance, the PHP opcode cache module can be used. Its activation can be verified (or changed) in:

$ ls -l /etc/php-* | grep -E "^l" | grep opcache
lrwxr-xr-x  1 root  wheel  31 Oct 12 18:18 opcache.ini -> /etc/php-*.sample/opcache.ini

However, OPcache usage is disabled in PHP by default:

$ grep opcache.enable= /etc/php-*.ini
;opcache.enable=0

OPcache can be enabled by altering the following lines in the php*.ini file:

$ vi /etc/php-*.ini
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1

PHP 5.6 restart is necessary to apply changes:

$ rcctl restart php56_fpm

PostgreSQL as Database Backend

Nextcloud can work with a PostgreSQL, MariaDB or SQLite3 database. Installation of PostgreSQL is straightforward:

$ pkg_add postgresql-server

PHP modules of Redis can be installed, activated and verified as follows:

$ pkg_add php-pdo_pgsql php-pgsql
...
$ ls -l /etc/php-* | grep -E "^l" | grep pgsql
lrwxr-xr-x  1 root  wheel  33 Nov 22 02:32 pdo_pgsql.ini -> /etc/php-*.sample/pdo_pgsql.ini
lrwxr-xr-x  1 root  wheel  29 Nov 22 02:32 pgsql.ini -> /etc/php-*.sample/pgsql.ini

Naturally, PHP server needs a restart and HTTPd server a reload:

$ rcctl restart php56_fpm
$ rcctl reload httpd

PostgreSQL server needs to be initialised as follows (the SUPERUSERPASSWORD value should be changed accordingly):

$ su - _postgresql
$ mkdir /var/postgresql/data
$ initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 -W
...
Enter new superuser password: SUPERUSERPASSWORD
Enter it again: SUPERUSERPASSWORD
...
Success. You can now start the database server using:

    pg_ctl -D /var/postgresql/data -l logfile start

$ pg_ctl -D /var/postgresql/data -l logfile start
server starting
$ exit

Due to the previous commands, the PostgreSQL server should have been started. The verification can be done as follows:

$ rcctl check postgresql
(ok)

and it can be enabled by running:

$ rcctl enable postgresql

The default PHP setup of PostreSQL’s parameters is aligned with Nextcloud’s requirements, i.e.:

$ grep pgsql.allow_persistent /etc/php-*.ini
pgsql.allow_persistent = On
$ grep pgsql.auto_reset_persistent /etc/php-*.ini
pgsql.auto_reset_persistent = Off
$ grep pgsql.max_persistent /etc/php-*.ini
pgsql.max_persistent = -1
$ grep pgsql.max_links /etc/php-*.ini
pgsql.max_links = -1
$ grep pgsql.ignore_notice /etc/php-*.ini
pgsql.ignore_notice = 0
; Unless pgsql.ignore_notice=0, module cannot log notice message.
$ grep pgsql.log_notice /etc/php-*.ini
pgsql.log_notice = 0

The default authentication setup of PostgreSQL can be checked as follows (i.e. allowing access from localhost only):

$ grep -v -E "^#|^$" /var/postgresql/data/pg_hba.conf
local   all             all                                     md5
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5

The PostgreSQL is up and running. In order to be used with Nextcloud, the appropriate credentials need to be created as follows (the SUPERUSERPASSWORD is PostgreSQL’s superuser password, NCUSERNAME/NCPASSWORD are Nextcloud’s credentials to NCDB database).

$ createuser -U postgres -W -P NCUSERNAME
Enter password for new role: NCPASSWORD
Enter it again: NCPASSWORD
Password: SUPERUSERPASSWORD
$ createdb -U postgres -W -O NCUSERNAME -E UTF8 NCDB
Password: SUPERUSERPASSWORD

Verification can be done by logging into the DB in two ways. The first way is to log in as superuser (i.e. postgres) and then reconnecting to the same database (\c -) as user NCUSERNAME. The \q command is an abbreviation for the \quit command.

$ psql -U postgres -W NCDB
Password for user postgres: SUPERUSERPASSWORD
psql (9.3.1)
Type "help" for help.

NCDB=# \c - NCUSERNAME
Password for user NCUSERNAME: NCPASSWORD
You are now connected to database "NCDB" as user "NCUSERNAME".
NCDB=> \q

The second way is using NCUSERNAME as username directly:

$ psql -U NCUSERNAME -W NCDB
Password for user NCUSERNAME: NCPASSWORD
psql (9.6.2)
Type "help" for help.

NCDB=> \q

Nextcloud Setup

Sometimes, Nextcloud requires tasks to be done on a regular basis without the need for user interaction or hindering Nextcloud performance. For that purpose, a cron task can be created as follows:

$ crontab -e
*/15 * * * * /usr/bin/ftp -Vo - https://nextcloud.domain.tld/cron.php >/dev/null

In order to finish the installation process and to create a new admin user, the https://nextcloud.domain.tld URL needs to be accessed:

Near the top: Create an admin account to define user name and password.
In the middle: Performance Warning about SQLite. PostgreSQL needs to be selected and details filled accordingly, i.e.:

dbuser: NCUSERNAME,
dbpassword: NCPASSWORD,
dbname: NCDB,
dbhost: localhost:5432.

Confirmation: Finish Setup button.

There are two types of caches to use with Nextcloud:

the PHP OPcode cache stores compiled PHP scripts so they don’t need to be re-compiled every time they are called,
the data caching for the web server is supplied by the APC User Cache, Memcached or Redis.

Redis Integration in Nextcloud

Redis should be already installed as part of OpenBSD: Rspamd and ClamAV installation.

PHP modules of Redis can be installed and activated accordingly:

$ pkg_add pecl-redis
...
$ ls -l /etc/php-* | grep -E "^l" | grep redis
lrwxr-xr-x  1 root  wheel  29 Oct 12 18:18 redis.ini -> /etc/php-*.sample/redis.ini

Redis can be integrated in Nextcloud as follows (by expanding the $CONFIG array):

$ vi /var/www/nextcloud/config/config.php
...
  'memcache.local' => '\OC\Memcache\Redis',
  'redis' => array(
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0.0,
  ),
...

Finally, the trusted domains section in Nextcloud can be modified as follows (by expanding the $CONFIG array):

$ vi /var/www/nextcloud/config/config.php
...
  'trusted_domains' =>
  array (
    0 => 'nextcloud.domain.tld',
  ),
...

Nextcloud Fine-Tuning and Verification

The Nextcloud’s installation can be checked by logging as administrator in: https://nextcloud.domain.tld/index.php/settings/admin

In order to get rid of some error messages, it proved necessary to uncomment the following lines in /etc/php-fpm.conf:

$ vi /etc/php-fpm.conf
...
pm.max_children = 10
...
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

Application of changes, PHP restart:

$ rcctl restart php56_fpm

The pm.max_children need to be tweaked a bit according the server load and available system resources:

$ tail -f /var/log/php-fpm.log
[06-Dec-2017 12:25:37] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it

PostgreSQL to Nextcloud integration can be verified as follows:

$ grep db /var/www/nextcloud/config/config.php
  'dbtype' => 'pgsql',
  'dbname' => 'NCDB',
  'dbhost' => 'localhost',
  'dbport' => '5432',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'NCUSERNAME',
  'dbpassword' => 'NCPASSWORD',

The /dev/urandom is not readable by PHP error is most probably a bug, since it is not possible to access urandom from a chrooted environment.

The failed integrity checks are problem of OpenBSD distribution and can only be resolved by the package maintainers, as the files are cryptographically signed.

Further Options

The next part of this short tutorial is OpenBSD: Nextcloud LDAP User Management.

Tags: #OpenBSD #security #Nextcloud #TLS