NextCloud

Your own little cloud

TAKE 3

After giving up on CentOS once and spending days on NFS+SNAP issues on Ubuntu, I returned to Red Hat CentOS and managed to configure what I wanted. I wanted a Nextcloud server with:

Start with our default template, as per usual.

Install apache web server

yum install httpd wget unzip policycoreutils-python -y ; systemctl enable httpd ; systemctl start httpd

Install php7 repo (CentOS 7 only)

rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

Install php 7 packages (CentOS 7 only)

yum install php70w php70w-mysql php70w-pecl-zip php70w-xml php70w-mbstring php70w-gd php70w-fpm php70w-intl php70w-ldap php70w-process -y

Install php7 AppStream (CentOS 8 only)

dnf module install php:7.2

Install php7 (CentOS 8 only)

yum install php php-mysqlnd php-pecl-zip php-xml php-mbstring php-gd php-fpm php-intl php-ldap php-process

Check php version is 7

php -v

Configure mariadb repo (CentOS 7 only)

nano /etc/yum.repos.d/MariaDB.repo

Add (CentOS 7 only)

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.2/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Install MariaDB

yum install MariaDB-server MariaDB-client -y

Install MariaDB from repo (CentOS 8 only)

dnf module install mariadb

Start and enable MariaDB

systemctl start mariadb ; systemctl enable mariadb

Run mysql secure installation - set password and accept defaults

mysql_secure_installation

Test mysql login

mysql -u root -p

Create the nextcloud database (the database user follows below)

mysql -uroot -p -e "CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci"

Disable bash history while setting the password, so it is not written to ~/.bash_history

set +o history
mysql -uroot -p -e "GRANT ALL on nextcloud.* to nextcloud@localhost identified by 'M0d1fyth15'"

Re-enable bash history

set -o history
mysql -uroot -p -e "FLUSH privileges"
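The three mysql -e calls above keep the password out of bash history, but a password passed on the command line is still visible in the process list (ps) while the command runs. This added example (not from the original page) feeds the same SQL to mysql on stdin instead; it assumes MariaDB 10.2 as installed above, where GRANT ... IDENTIFIED BY is valid.

```shell
#!/bin/sh
# Added example, not from the original page: provision the Nextcloud database
# and user without the password ever appearing on a command line. The page's
# "mysql -e ... identified by '...'" form survives "set +o history" in the
# process list (ps) while it runs; piping the SQL through stdin avoids that.
set -eu

# Double any single quote so a value is safe inside a single-quoted SQL literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Emit the same three statements the page runs, for db $1, user $2, password $3.
# Assumes MariaDB 10.2 as on the page, where GRANT ... IDENTIFIED BY is valid.
nextcloud_db_sql() {
    db="$1"; user="$2"; pw="$3"
    printf 'CREATE DATABASE IF NOT EXISTS `%s` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;\n' "$db"
    printf "GRANT ALL ON \`%s\`.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$db" "$(sql_quote "$user")" "$(sql_quote "$pw")"
    printf 'FLUSH PRIVILEGES;\n'
}

# Read the new user's password with echo off, then run the SQL as root.
# "mysql -p" with no value prompts for root's password, so neither secret
# reaches argv or shell history.
provision_nextcloud_db() {
    db="${1:-nextcloud}"; user="${2:-nextcloud}"
    printf 'Password for MariaDB user %s: ' "$user"
    stty -echo 2>/dev/null || :; read -r pw; stty echo 2>/dev/null || :; echo
    nextcloud_db_sql "$db" "$user" "$pw" | mysql -u root -p
}

# Runs only when invoked as "sh script.sh --run [db] [user]"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    provision_nextcloud_db "${2:-nextcloud}" "${3:-nextcloud}"
fi
```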

Configure apache

nano /etc/httpd/conf.d/nextcloud.example.com.conf

Add

<VirtualHost *:80>
ServerAdmin admin@example.com
DocumentRoot /var/www/nextcloud
ServerName nextcloud.example.com
ServerAlias www.nextcloud.example.com

<Directory /var/www/nextcloud>
Options +FollowSymlinks
AllowOverride All

<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
</Directory>

ErrorLog /var/log/httpd/nextcloud-error_log
CustomLog /var/log/httpd/nextcloud-access_log common

</VirtualHost>

Download v15 of nextcloud

wget https://download.nextcloud.com/server/releases/latest-15.zip

Unzip to www root

unzip latest-15.zip -d /var/www/

Create mountpoint for nextcloud data

mkdir /var/www/nextcloud/data

Add mount to fstab (assuming an NFS share from a fileserver on the same network)

nano /etc/fstab

10.0.5.27:/SHARES/NEXTCLOUD /var/www/nextcloud/data nfs defaults,context="system_u:object_r:httpd_sys_rw_content_t:s0" 0 0

Test/enable nfs mount

mount -a

Set apache ownership for nextcloud

chown -R apache: /var/www/nextcloud

Open http port in firewall

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload

Edit reverse proxy config

nano /var/www/nextcloud/config/config.php

Set overwrite host/protocol

'overwritehost' => 'nextcloud.example.com',
'overwriteprotocol' => 'https',

Make sure the WAF rule on your firewall is set to HTTPS with an HTTP-to-HTTPS redirect, so plain HTTP requests get redirected rather than just timing out. Test this after overwriteprotocol has been set, if needed.

And add the external domain name to the trusted_domains array: (this bit may need to wait till later actually)

'trusted_domains' =>
  array (
    0 => '10.0.5.26',
    1 => 'nextcloud.example.com',
    2 => 'nextcloud.lan.example.com',
  ),

Update SELinux settings

setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_use_nfs on
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/data(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/.user.ini'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/3rdparty/aws/aws-sdk-php/src/data/logs(/.*)?'
restorecon -Rv '/var/www/nextcloud/'
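The fstab context option, the two booleans and the fcontext rules above all have to be in place together, and it is easy to lose one of them (a typo in the fstab line, a setsebool run without -P). This added example (not from the original page) audits those pieces; the parsing helpers take text so they can be checked offline, and the install path /var/www/nextcloud is assumed from the page.

```shell
#!/bin/sh
# Added example, not from the original page: audit the SELinux setup the page
# needs so apache can write the NFS-mounted Nextcloud data directory. The
# parsing helpers take text on stdin/arguments so they can be checked offline;
# audit_nextcloud_selinux feeds them real output from the live system.
set -eu

NC_ROOT="/var/www/nextcloud"   # install path assumed from the page
HTTPD_RW='context="system_u:object_r:httpd_sys_rw_content_t:s0"'

# Exit 0 if fstab text on stdin mounts $1 over NFS with the httpd rw context.
fstab_has_httpd_context() {
    awk -v mp="$1" -v ctx="$HTTPD_RW" '
        /^[[:space:]]*#/ { next }
        $2 == mp && $3 == "nfs" && index($4, ctx) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if "getsebool NAME" output ($1) reports boolean $2 as on.
sebool_is_on() {
    printf '%s\n' "$1" | grep -qx "$2 --> on"
}

# Live checks; needs policycoreutils (getsebool, restorecon) as installed on the page.
# Prints one PASS/FAIL line per check and returns 1 if any check failed.
audit_nextcloud_selinux() {
    rc=0
    if fstab_has_httpd_context "$NC_ROOT/data" < /etc/fstab; then
        echo "PASS fstab: $NC_ROOT/data mounted with httpd_sys_rw_content_t"
    else
        echo "FAIL fstab: no NFS entry with the httpd rw context for $NC_ROOT/data"; rc=1
    fi
    for b in httpd_use_nfs httpd_can_connect_ldap; do
        if sebool_is_on "$(getsebool "$b")" "$b"; then echo "PASS bool: $b is on"
        else echo "FAIL bool: $b is off, fix with: setsebool -P $b on"; rc=1; fi
    done
    # restorecon -n reports what it would relabel without changing anything;
    # any output means the fcontext rules and the on-disk labels have drifted.
    if [ -z "$(restorecon -Rnv "$NC_ROOT" 2>/dev/null)" ]; then
        echo "PASS labels: nothing to relabel under $NC_ROOT"
    else
        echo "FAIL labels: run restorecon -Rv $NC_ROOT"; rc=1
    fi
    return $rc
}
```

Run audit_nextcloud_selinux once before and once after the reboot below; a FAIL on a boolean after the reboot usually means it was set without -P.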

Reboot to confirm that changes survive

After reverse proxy setup on the firewall (as seen below), go to https://nextcloud.example.com

Create the admin account and select the MySQL/MariaDB database. Set the database user, password, database name and host to:

nextcloud
M0d1fyth15 (use the actual pw you set when configuring the db above)
nextcloud
localhost

Click finish setup and wait a couple of minutes.

Setup https reverse proxy on the Web Application Firewall (WAF)

We're going to configure the firewall to act as a reverse proxy, handling the HTTPS certificate, while the nextcloud server will just run on plain ol' HTTP on the inside LAN.

In your firewall, go to Webserver Protection->Certificate Management->New Certificate

This bit assumes that you've set up a DNS entry on your EXTERNAL DNS - namecheap, rackspace or whatever it's called. So you'll have an entry like nextcloud.example.com pointing to the same external IP that your firewall has. The firewall can then differentiate between requests sent to different websites/domains/subdomains, even if they resolve to and query the same IP - e.g. 123.123.123.12 in my case.

Create a new certificate, select type "Let's Encrypt" and the WAN interface. Set the domain to the external subdomain you are using for nextcloud, e.g. nextcloud.example.com, and wait a couple of minutes for it to process.

Add a new virtual server.

Webserver Protection->Web Application Firewall->New virtual server

Name your vserver and select the WAN interface, type Encrypted (HTTPS) on port 443. Select the certificate that you just created. Add a "Real Webserver" by pressing the plus sign. Name it something like nextcloud, select your host or create a new host definition that points to your actual nextcloud machine if it isn't available to select. Make sure to select port 80, as this is what the firewall will try to access.

Select basic protection firewall and save.

Select no firewall profile for now as it screws up webdav access.

todo - adjust fw!!!

Setup LDAP authentication so you can manage users from FreeIPA

Add a group in FreeIPA called nextcloudusers and the user accounts you want to have access to it.

Log on to the Nextcloud interface with your admin account. Click on your avatar in the top right corner and select Apps. Enable the LDAP user and group backend app.

Note that if you've installed without using SNAP packages or docker images, this app won't show or will be impossible to enable if you've missed installing the php-ldap package.

After enabling the LDAP app, go to Settings->Administration->LDAP/AD integration.

On the Server tab, add your server and see if "detect port" works out of the box. It should discover the service on 389. Skip the credentials and again, see if it can auto-detect the Base DN. It should find something like dc=lan,dc=example,dc=com. Test to confirm.

Note that if you are unable to connect and nothing gets detected here, it may be because the LDAP app has SELinux rights issues (relevant if you haven't used SNAP/docker); check the SELinux audit log and test with permissive mode. Confirm that the httpd_can_connect_ldap bool is set to 1. See above.

On the Users tab, the "Only these object classes" dropdown should only have inetOrgPerson selected.

On the Login Attributes tab, check the LDAP/AD Username checkbox. Now you can test if your username is resolved.

On the Groups tab, select Only from these groups - nextcloudusers or whatever you've called it.

Go to Advanced->Directory Settings and set the Base User Tree to

cn=users,cn=accounts,dc=lan,dc=example,dc=com

And the Base Group Tree to

cn=groups,cn=accounts,dc=lan,dc=example,dc=com

Go to Expert->Override UUID detection and set UUID Attribute for Users to

uid

Some of the particulars make more sense after reading the FreeIPA OwnCloud documentation https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA

Adding files directly

If you are adding/removing/changing files on the fileserver/filesystem directly, you need to run an update/scan command so Nextcloud picks up the changes:

sudo -u apache php /var/www/nextcloud/occ files:scan --all

Adjust the memory_limit setting in /etc/php.ini to 512M to get rid of the memory warnings

memory_limit = 512M