Tags: #OpenBSD #security #Nextcloud #TLS
OpenBSD: Nextcloud
A brief tutorial to configure Nextcloud running with httpd server in OpenBSD…
Disclaimer
Nextcloud is being constantly developed and improved with additional features and enhancements, which comes hand in hand with the following drawbacks:
- Sometimes upgrades break, especially when having a lot of Apps activated. In the realm of OpenBSD, the probability increases, since upgrades between two versions of OpenBSD usually imply an unsupported jump over several versions of Nextcloud.
- It is written in PHP, it is very CPU/RAM hungry and it is slow.
After running it for a couple of years and considering that there are alternative solutions, I do not recommend Nextcloud in production in the OpenBSD realm.
YMMV
Introduction
The original ownCloud was forked by developer Frank Karlitschek to create Nextcloud, which is:
- an open source (AGPLv3), self-hosted file share and communication platform,
- a suite of client-server software for creating and using file hosting services,
- functionally similar to Dropbox, Mega, etc., although allowing anyone to install and operate it on a private server
Nextcloud Installation in OpenBSD
The following steps assume that HTTPD and PHP has been successfully installed. Should it be required, the necessary steps have been described in OpenBSD: HTTPD with PHP Support.
The installation process of Nextcloud is pretty straightforward:
$ pkg_add nextcloud
Should the previous step installed new PHP modules, they need to be activated accodingly. The necessary steps have been described in OpenBSD: HTTPD with PHP Support.
Nextcloud Integration in HTTPD
Nextcloud README can be found in:
$ less /usr/local/share/doc/pkg-readmes/nextcloud-*
Examples of configuration for OpenBSD’s HTTPd can be found in:
$ less /var/www/conf/modules.sample/httpd-nextcloud.conf
Assuming that:
- the virtual-server (virtual-host) is expected to be running on
https://nextcloud.domain.tld
, - the maximum allowed size of uploaded files (including those uploaded from client software) is 513MB,
the appropriate httpd.conf
section need to exist:
$ vi /etc/httpd.conf
...
### nextcloud.domain.tld:443
server "nextcloud.domain.tld" {
listen on * tls port 443
log style combined
tls {
certificate "/etc/ssl/domain.tld.fullchain.pem"
key "/etc/ssl/private/domain.tld.key"
ciphers "TLSv1.2:TLSv1.3:!CAMELLIA:!ARIA:!DSS:!ADH:!PSK:!RSA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"
}
hsts { subdomains }
directory {
index "index.php"
}
### NEXTCLOUD
# Set max upload size to 513M (in bytes)
# There is a bug, see: https://www.mail-archive.com/misc@openbsd.org/msg140661.html
# The very same instruction needs to be under the top level domain section!!!
connection max request body 537919488
# First, deny access to the specified files
location "/db_structure.xml" { block }
location "/.ht*" { block }
location "/README" { block }
location "/data*" { block }
location "/config*" { block }
# RFC5785 and RFC6764 access
location "/.well-known/caldav" {
root strip 2
block return 301 "https://nextcloud.domain.tld/remote.php/dav"
}
location "/.well-known/carddav" {
root strip 2
block return 301 "https://nextcloud.domain.tld/remote.php/dav"
}
### GENERAL WEB
# Last, allow access to the root directory
location "/*.php*" {
root { "/nextcloud" }
fastcgi socket "/run/php-fpm.sock"
}
location "/*" {
root { "/nextcloud" }
}
}
...
HTTPD reload is necessary in order to apply changes:
$ rcctl reload httpd
Nextcloud’s PHP Requirements
As discussed earlier, the maximum allowed size of uploaded files is 513MB. The PHP configuration needs to be updated accordingly:
$ vi /etc/php-*.ini
...
post_max_size = 513M
upload_max_filesize = 513M
For enhanced performance, the PHP opcode cache module can be used. Its activation can be verified (or changed) in:
$ ls -l /etc/php-* | grep -E "^l" | grep opcache
lrwxr-xr-x 1 root wheel 31 Oct 12 18:18 opcache.ini -> /etc/php-*.sample/opcache.ini
However, OPcache usage is disabled in PHP by default:
$ grep opcache.enable= /etc/php-*.ini
;opcache.enable=0
OPcache can be enabled by altering the following lines in the php*.ini
file:
$ vi /etc/php-*.ini
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1
PHP 5.6 restart is necessary to apply changes:
$ rcctl restart php56_fpm
PostgreSQL as Database Backend
Nextcloud can work with a PostgreSQL, MariaDB or SQLite3 database. Installation of PostgreSQL is straightforward:
$ pkg_add postgresql-server
PHP modules of Redis can be installed, activated and verified as follows:
$ pkg_add php-pdo_pgsql php-pgsql
...
$ ls -l /etc/php-* | grep -E "^l" | grep pgsql
lrwxr-xr-x 1 root wheel 33 Nov 22 02:32 pdo_pgsql.ini -> /etc/php-*.sample/pdo_pgsql.ini
lrwxr-xr-x 1 root wheel 29 Nov 22 02:32 pgsql.ini -> /etc/php-*.sample/pgsql.ini
Naturally, PHP server needs a restart and HTTPd server a reload:
$ rcctl restart php56_fpm
$ rcctl reload httpd
PostgreSQL server needs to be initialised as follows (the SUPERUSERPASSWORD
value should be changed accordingly):
$ su - _postgresql
$ mkdir /var/postgresql/data
$ initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 -W
...
Enter new superuser password: SUPERUSERPASSWORD
Enter it again: SUPERUSERPASSWORD
...
Success. You can now start the database server using:
pg_ctl -D /var/postgresql/data -l logfile start
$ pg_ctl -D /var/postgresql/data -l logfile start
server starting
$ exit
Due to the previous commands, the PostgreSQL server should have been started. The verification can be done as follows:
$ rcctl check postgresql
(ok)
and it can be enabled by running:
$ rcctl enable postgresql
The default PHP setup of PostreSQL’s parameters is aligned with Nextcloud’s requirements, i.e.:
$ grep pgsql.allow_persistent /etc/php-*.ini
pgsql.allow_persistent = On
$ grep pgsql.auto_reset_persistent /etc/php-*.ini
pgsql.auto_reset_persistent = Off
$ grep pgsql.max_persistent /etc/php-*.ini
pgsql.max_persistent = -1
$ grep pgsql.max_links /etc/php-*.ini
pgsql.max_links = -1
$ grep pgsql.ignore_notice /etc/php-*.ini
pgsql.ignore_notice = 0
; Unless pgsql.ignore_notice=0, module cannot log notice message.
$ grep pgsql.log_notice /etc/php-*.ini
pgsql.log_notice = 0
The default authentication setup of PostgreSQL can be checked as follows (i.e. allowing access from localhost only):
$ grep -v -E "^#|^$" /var/postgresql/data/pg_hba.conf
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
The PostgreSQL is up and running. In order to be used with Nextcloud, the appropriate credentials need to be created as follows (the SUPERUSERPASSWORD
is PostgreSQL’s superuser password, NCUSERNAME
/NCPASSWORD
are Nextcloud’s credentials to NCDB
database).
$ createuser -U postgres -W -P NCUSERNAME
Enter password for new role: NCPASSWORD
Enter it again: NCPASSWORD
Password: SUPERUSERPASSWORD
$ createdb -U postgres -W -O NCUSERNAME -E UTF8 NCDB
Password: SUPERUSERPASSWORD
Verification can be done by logging into the DB in two ways. The first way is to log in as superuser (i.e. postgres
) and then reconnecting to the same database (\c -
) as user NCUSERNAME
. The \q
command is an abbreviation for the \quit
command.
$ psql -U postgres -W NCDB
Password for user postgres: SUPERUSERPASSWORD
psql (9.3.1)
Type "help" for help.
NCDB=# \c - NCUSERNAME
Password for user NCUSERNAME: NCPASSWORD
You are now connected to database "NCDB" as user "NCUSERNAME".
NCDB=> \q
The second way is using NCUSERNAME
as username directly:
$ psql -U NCUSERNAME -W NCDB
Password for user NCUSERNAME: NCPASSWORD
psql (9.6.2)
Type "help" for help.
NCDB=> \q
Nextcloud Setup
Sometimes, Nextcloud requires tasks to be done on a regular basis without the need for user interaction or hindering Nextcloud performance. For that purpose, a cron task can be created as follows:
$ crontab -e
*/15 * * * * /usr/bin/ftp -Vo - https://nextcloud.domain.tld/cron.php >/dev/null
In order to finish the installation process and to create a new admin user, the https://nextcloud.domain.tld
URL needs to be accessed:
- Near the top:
Create an admin account
to define user name and password. - In the middle:
Performance Warning
about SQLite. PostgreSQL needs to be selected and details filled accordingly, i.e.:
- dbuser:
NCUSERNAME
, - dbpassword:
NCPASSWORD
, - dbname:
NCDB
, - dbhost:
localhost:5432
.
- Confirmation:
Finish Setup
button.
There are two types of caches to use with Nextcloud:
- the PHP OPcode cache stores compiled PHP scripts so they don’t need to be re-compiled every time they are called,
- the data caching for the web server is supplied by the APC User Cache, Memcached or Redis.
Redis Integration in Nextcloud
Redis should be already installed as part of OpenBSD: Rspamd and ClamAV installation.
PHP modules of Redis can be installed and activated accordingly:
$ pkg_add pecl-redis
...
$ ls -l /etc/php-* | grep -E "^l" | grep redis
lrwxr-xr-x 1 root wheel 29 Oct 12 18:18 redis.ini -> /etc/php-*.sample/redis.ini
Redis can be integrated in Nextcloud as follows (by expanding the $CONFIG
array):
$ vi /var/www/nextcloud/config/config.php
...
'memcache.local' => '\OC\Memcache\Redis',
'redis' => array(
'host' => 'localhost',
'port' => 6379,
'timeout' => 0.0,
),
...
Finally, the trusted domains section in Nextcloud can be modified as follows (by expanding the $CONFIG
array):
$ vi /var/www/nextcloud/config/config.php
...
'trusted_domains' =>
array (
0 => 'nextcloud.domain.tld',
),
...
Nextcloud Fine-Tuning and Verification
The Nextcloud’s installation can be checked by logging as administrator in:
https://nextcloud.domain.tld/index.php/settings/admin
In order to get rid of some error messages, it proved necessary to uncomment the following lines in /etc/php-fpm.conf
:
$ vi /etc/php-fpm.conf
...
pm.max_children = 10
...
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
Application of changes, PHP restart:
$ rcctl restart php56_fpm
The pm.max_children
need to be tweaked a bit according the server load and available system resources:
$ tail -f /var/log/php-fpm.log
[06-Dec-2017 12:25:37] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it
PostgreSQL to Nextcloud integration can be verified as follows:
$ grep db /var/www/nextcloud/config/config.php
'dbtype' => 'pgsql',
'dbname' => 'NCDB',
'dbhost' => 'localhost',
'dbport' => '5432',
'dbtableprefix' => 'oc_',
'dbuser' => 'NCUSERNAME',
'dbpassword' => 'NCPASSWORD',
The /dev/urandom is not readable by PHP
error is most probably a bug, since it is not possible to access urandom from a chrooted environment.
The failed integrity checks
are problem of OpenBSD distribution and can only be resolved by the package maintainers, as the files are cryptographically signed.
Further Options
The next part of this short tutorial is OpenBSD: Nextcloud LDAP User Management.