I’d love to share data with friends and family. But the free services from Dropbox, GoogleDrive or OneDrive do not satisfy my needs. In this post I’d like to document my steps through setup and configuration of my Owncloud.
I’ll use a Ubuntu Server 16.04 64Bit VM with 1GB RAM (4GB swap), 20GB storage and 2 vCPUs. During the OS installation I chose the following two services:
!IMPORTANT! during the LAMP installation you’ll have to set the password for MySQL user root. This password will be used in later steps.
After the installation I increased the security in the first of two hardenings.
The Apache2 and MySQL components of my LAMP installation are the focus of the first harding, before I start with owncloud.
The only applications I want to be reachable at this VM are OpenSSH and Apache Full. The other ports shall be blocked be the firewall. With these commands I achived this goal:
- sudo ufw allow in "Apache Full"
- sudo ufw allow OpenSSH
- sudo ufw enable
MySQL secure installation
MySQL does provide a tool to increase the MySQL security. The tool will guide you through the process and asks specific questions you have to answer depending on your requirements. This tool dis-/enables features which could be used during an attack. You’ll reach the tool with the command: sudo mysql_secure_installation . After you successfully signed in with the root password (you set during OS setup), you can change theses aspects of your installation:
- Validate Password Plugin
- MySQL root password
- anonymous user
- remote connections
- test database
installation / setup
To enable the communication between MySQL and Owncloud you need to create a database, user and access to it. I used the MySQL CLI to setup them up.
- log into MySQL CLI as root: (with the root password you set during OS setup)
mysql -u root -p
- create owncloud database:
CREATE DATABASE owncloud;
- create owncloud user and grant access to database:
GRANT ALL ON owncloud.* to 'owncloud'@'localhost' IDENTIFIED BY 'individualPassword';
- update information:
- exit MySQL CLI:
After I setup the database and webserver it’s time to install and configure owncloud. A install guide for Owncloud on Ubuntu or other Linux operation systems can be found here. I used the following commands to install my Owncloud instance:
- get release information key:
wget -nv https://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.key -O Release.key
- add key to keychain:
sudo apt-key add - < Release.key
- add repository to sources list:
sudo sh -c "echo 'deb http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/ /' > /etc/apt/sources.list.d/owncloud.list"
- update source information and install Owncloud
sudo apt-get update && sudo apt-get install owncloud -y
- check installation on your favourite browser:
You can adjust system path during the configuration. I just inserted my new admin credentials and database connection for MySQL.
To take a snapshot of the current VM was crucial for me, because that was not the first time I tried to install owncloud. The previous attempts failed for different reasons (some I couldn’t grasp). I guess at some point I forgot a configuration step or did something wrong unintentionally. That’s why I decided to backup my working status quo.
create SSL certificate
I needed a SSL certificate for the future use of https. I used openssl to create a certificate and with the given parameter I placed the certificates at a common place.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
With this command I created a self-signed certificat with private key with a duration of 365 days. I found the next command in a online tutorial and will need the output for the next steps.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
use SSL certificate with Apache2
To use my new SSL certificates I changed the virtual host configuration of my Apache2 installation. First I created a file with my desired SSL configurations.
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLProtocol All -SSLv2 -SSLv3
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Before I changed the default entires I made a backup of the SSL virtual host file.
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
The key changes and entries are listed below. The marked lines are missing the current IP or DYNDNS address of my host. All other entries match my individual setup and have to be adjusted accordingly.
!IMPORTANT! next to the given entries there are several others in the file, which I didn’t change. These entries should still be there after your changes -.-.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
I checked the changes I made with this command sudo apache2ctl configtest and activated them with these commands:
- sudo a2enmod ssl
- sudo a2enmod headers
- sudo a2ensite default-ssl
- sudo a2enconf ssl-params
- sudo service apache2 restart
trust your own IP!
The IP of the device you used for the setup will be registered in your config.php. This entry allows you to access owncloud from this IP. But let’s say you don’t just want to use your owncloud from one device (IP) only. In this situation you’ll have to add the domain(s) you want to use into this configuration file. You can find the config.php within your <owncloud_installation>/config/ folder.
$CONFIG = array (
'updatechecker' => false,
'instanceid' => '##########',
'passwordsalt' => '################',
'secret' => '###################################',
0 => '192.168.88.65',
'datadirectory' => '/var/www/owncloud/data',
'overwrite.cli.url' => 'https://<myIP>/owncloud',
'dbtype' => 'mysql',
'version' => '184.108.40.206',
'dbname' => 'owncloud',
'dbhost' => 'localhost',
'dbtableprefix' => 'oc_',
'dbuser' => 'owncloud',
'dbpassword' => '<myIndividualPassword>',
'logtimezone' => 'UTC',
'installed' => true,
The highlighted lines define the allowed IP addresses. After this change you will be able to access your owncloud instance from your desired domain.
Hopefully I will be able to configure my second Network Interface Controller in my ESXi server to setup a DMZ. My Owncloud will be placed into this DMZ which will lead to configuration changes I guess. Another topic which I have to address with my Owncloud will be the plugin External Storage to provide access to my Samba shares hosted by my filemanager. At the moment my Owncloud instance only got 20GB storage to buffer files. I guess as soon as I allow bigger files I have to adjust that storage or find a workaround including additional storage (NFS, SMB, second vHDD).
The documentation I refered to create this post:
I didn’t address the content of those sources in this post. But I used some information / steps of those in my own setup: