[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

Darkk

Dabbler
Joined
Mar 29, 2014
Messages
32
> I tested 8.1 today using a fresh run through of this tutorial and it worked as expected. Are you accessing http://jail_IP/owncloud?

Sigh... I am so used to just typing in the IP address and not put in the /owncloud. lol. Thanks for pointing me in the right direction. Web page did load properly.

My old set up I didn't have to do that so I will tweak the nginx.conf file to skip that part.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
> Sigh... I am so used to just typing in the IP address and not put in the /owncloud. lol. Thanks for pointing me in the right direction. Web page did load properly.
>
> My old set up I didn't have to do that so I will tweak the nginx.conf file to skip that part.

Glad it works. It should only be a few lines of changes to not use '/owncloud', or you could just add a 301 redirect from / to /owncloud.
 

Darkk

Dabbler
Joined
Mar 29, 2014
Messages
32
Ok, I've tweaked the nginx.conf file to make it easier to go straight to the IP without having to put in /owncloud

Just add /owncloud to the end of this line:

root /usr/local/www/owncloud;

Then remove /owncloud in the lines below it.

So far it's working fine. Still testing.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
> Ok, I've tweaked the nginx.conf file to make it easier to go straight to the IP without having to put in /owncloud
>
> Just add /owncloud to the end of this line:
>
> root /usr/local/www/owncloud;
>
> Then remove /owncloud in the lines below it.
>
> So far it's working fine. Still testing.

That should do it.
 

SkitzoTek

Cadet
Joined
May 18, 2015
Messages
4
Thank you for this guide, it has been really great to follow. However just one little mistake in my following of the guide ended up wasting hours of my time trying to figure out what was wrong since ownCloud's error reporting was completely wrong. Thought I would post in case others were in the same position.

All I could get from the ownCloud initial signin was the error:
MySQL/MariaDB username and/or password not valid You need to enter either an existing account or the administrator.
And so I went searching into everything about MariaDB I could to solve the login problem.

However the solution was simple: I was missing typing /mnt/files into the Data folder input box! Such a simply stupid mistake that I could not figure out for hours. If ownCloud had issued an error for anything about the Data folder, this would have been much better.

Now on to getting SSL working.
 

Darkk

Dabbler
Joined
Mar 29, 2014
Messages
32
Yep. Troubleshooting stuff like this is always fun. When I was tweaking the nginx.conf last night I noticed I didn't update the /mnt/files part since I made mine a little different for clarity / security reasons. Since mine is different I had to pay extra attention to the paths.

I am still working on getting the HA Proxy and SSL working. Just finishing up what OwnCloud is complaining about. lol
 

Darkk

Dabbler
Joined
Mar 29, 2014
Messages
32
I got the SSL working but looks like the standard jail is using an older OpenSSL library??

OpenSSL 0.9.8za-freebsd 5 Jun 2014

For TLS 1.1 and 1.2 to work it needs OpenSSL 1.0.1 and higher. TLS 1 is ok but not recommended these days.

EDIT: Got the OpenSSL on the port compiled with the latest version to OpenSSL 1.0.2d and linked. Still working on the nginx.conf settings for the SSL portion.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
> I got the SSL working but looks like the standard jail is using an older OpenSSL library??
>
> OpenSSL 0.9.8za-freebsd 5 Jun 2014
>
> For TLS 1.1 and 1.2 to work it needs OpenSSL 1.0.1 and higher. TLS 1 is ok but not recommended these days.
>
> EDIT: Got the OpenSSL on the port compiled with the latest version to OpenSSL 1.0.2d and linked. Still working on the nginx.conf settings for the SSL portion.

I thought you were going to use HAProxy on your pfsense? Not sure why openssl version of the jail matters then.

And as you might have already figured out, you can compile ports with "WITH_OPENSSL_PORT=yes" in your /etc/make.conf if you like.
 

Darkk

Dabbler
Joined
Mar 29, 2014
Messages
32
Yep, I did the make.conf update with it. I am still researching as it seems TLS 1.1 and 1.2 not working with that version either.

Also tried this command to recompile the packages:
portupgrade -Rrf security/openssl

Reason I am doing this is a learning process for me. Yes I will use HA Proxy but haven't got that configured yet. This FreeBSD with ports / jails is whole different enchilada I am used to doing. lol.
 

InQuize

Explorer
Joined
May 9, 2015
Messages
81
I would join the research, because I'm curious too, but right now I'm stuck choosing a hardware upgrade for a network restructure.
Sorry for the off-topic, but...
Have you tested OpenVPN throughput with AES-NI on this board? Does Intel QuickAssist help in pfSense?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
> Yep, I did the make.conf update with it. I am still researching as it seems TLS 1.1 and 1.2 not working with that version either.
>
> Also tried this command to recompile the packages:
> portupgrade -Rrf security/openssl
>
> Reason I am doing this is a learning process for me. Yes I will use HA Proxy but haven't got that configured yet. This FreeBSD with ports / jails is whole different enchilada I am used to doing. lol.

Hmm, not sure what that command does. But, for whatever does need newer openssl you'll need to recompile it as well.

Ohh, and earlier when you said TLS 1.0 isn't recommended, I explained earlier that even with older versions of openssl, FreeBSD backports security fixes. So regardless of support for newer versions of things, if you keep your packages up to date, there are no known security exploits.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
> I would join the research, because I'm curious too, but right now I'm stuck choosing a hardware upgrade for a network restructure.
> Sorry for the off-topic, but...
>
> Have you tested OpenVPN throughput with AES-NI on this board? Does Intel QuickAssist help in pfSense?

Yeah, I have OpenVPN set up on a C2558 pfsense router. I get full line speed, so encryption isn't slowing me down, but my house is only 100Mb down / 10Mb up.

pfsense doesn't yet use quickassist but the developers have it as one of their goals.
 

InQuize

Explorer
Joined
May 9, 2015
Messages
81
> Ohh, and earlier when you said TLS 1.0 isn't recommended, I explained earlier that even with older versions of openssl, FreeBSD backports security fixes. So regardless of support for newer versions of things, if you keep your packages up to date, there are no known security exploits.

https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat

BEAST is a client side type attack which can only be mitigated avoiding use of TLS 1.0 and lower.. I'm still all for TLS 1.2 only where possible
 

Darkk

Dabbler
Joined
Mar 29, 2014
Messages
32
Yep. If you connect to FreeNAS directly it uses TLS 1.2 so I know it's capable of doing it. Just have to figure out the settings or openssl not being used by nginx despite I've already recompiled it. Guess I'll do it again to be sure.
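
A way to check the point raised in the post above, namely which OpenSSL nginx actually reports and whether it meets the 1.0.1 minimum for TLS 1.1/1.2 mentioned earlier in the thread. This is an added example, not code from the thread; the function names and the sample `nginx -V` text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The `nginx -V` samples below are constructed.

# Print the OpenSSL string nginx reports: the "running with" library if
# nginx mentions one, otherwise the "built with" library.
nginx_openssl() {
    run=$(printf '%s\n' "$1" | sed -n 's/.*running with \(OpenSSL [^)]*\)).*/\1/p' | head -n 1)
    if [ -n "$run" ]; then printf '%s\n' "$run"; return 0; fi
    printf '%s\n' "$1" | sed -n 's/^built with \(OpenSSL .*\)$/\1/p' | head -n 1
}

# Extract "major.minor.fix" from e.g. "OpenSSL 0.9.8za-freebsd 5 Jun 2014".
openssl_version_of() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the version is >= 1.0.1 (TLS 1.1/1.2 capable), 1 if older,
# 2 if no OpenSSL version could be parsed (e.g. a different TLS library).
supports_tls12() {
    v=$(openssl_version_of "$1")
    [ -n "$v" ] || return 2
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    maj=$1; min=$2; fix=$3
    [ "$maj" -gt 1 ] && return 0
    [ "$maj" -lt 1 ] && return 1
    [ "$min" -gt 0 ] && return 0
    [ "$fix" -ge 1 ]
}

# Constructed sample: nginx never rebuilt, still on the jail's base OpenSSL.
SAMPLE_STALE='nginx version: nginx/1.8.0
built with OpenSSL 0.9.8za-freebsd 5 Jun 2014
TLS SNI support enabled'
# Constructed sample: built against the port but loading the old library.
SAMPLE_MISMATCH='nginx version: nginx/1.8.0
built with OpenSSL 1.0.2d 9 Jul 2015 (running with OpenSSL 0.9.8za-freebsd 5 Jun 2014)'
# Constructed sample: nginx rebuilt and linked against the OpenSSL port.
SAMPLE_REBUILT='nginx version: nginx/1.8.0
built with OpenSSL 1.0.2d 9 Jul 2015'

for sample in "$SAMPLE_STALE" "$SAMPLE_MISMATCH" "$SAMPLE_REBUILT"; do
    lib=$(nginx_openssl "$sample")
    if supports_tls12 "$lib"; then echo "$lib: TLS 1.1/1.2 available"
    else echo "$lib: TLS 1.0 at best, rebuild nginx against the newer OpenSSL"; fi
done
```

On a live jail, pass the real output instead of a sample: `supports_tls12 "$(nginx_openssl "$(nginx -V 2>&1)")"` (nginx writes `-V` output to stderr).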
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949

Darkk

Dabbler
Joined
Mar 29, 2014
Messages
32
> It's mitigated client side so as long as your clients update their browsers they should be fine. Who doesn't update their browsers anymore?

You'd be surprised as I work in IT. I've disabled SSLv3 stuff and people complained can't log onto the website because they are still using very old version of IE.
 

InQuize

Explorer
Joined
May 9, 2015
Messages
81
> It's mitigated client side so as long as your clients update their browsers they should be fine. Who doesn't update their browsers anymore?

Lazy administrators? Public system with outdated software (work, university, school, etc..) to reach some file on your own 'cloud' is a pretty common use case.
 

Darkk

Dabbler
Joined
Mar 29, 2014
Messages
32
> Lazy administrators? Public system with outdated software (work, university, school, etc..) to reach some file on your own 'cloud' is a pretty common use case.

Government websites are the worst!!

Anyway, getting sidetracked. I'll figure it out and share my findings.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Lol, guess I didn't think of institutions that control the updates. I figured chrome/firefox auto-updating solved this issue.


This is what I have on the HAProxy plugin's 'Advanced ssl options'
Code:
ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA no-sslv3

By allowing only those ciphers I keep older IEs from getting to my site =]
 