Help configuring a local owncloud server to be accessed from the web

webserver_issue

#1

Hello, a few months ago I managed to install ownCloud on a CentOS VM and got it running, and have been using it since then from my LAN (sync files across computers, etc). Works well from LAN, but now I need to make it available from the web so I can use it anywhere.

I still have to register to a Dynamic DNS service so I won't have to use my public IP, but for now I am doing some testing using my public IP. There are several problems with my installation. I am seeking advice from more experienced users.

  1. From LAN, I can access OC using "https://vm_ip/owncloud/" but from the internet using the same address I get "Index of /". A quick web search showed that the problem may be related to the declaration of DocumentRoot, which was modified from "/var/www/html" to "/var/www/html/owncloud". Immediately after restarting Apache, I could access the login page from both LAN and web using "https://vm_ip/" which is exactly what I want to do, but now I can no longer log in. It seems that when I enter my credentials, nothing happens. This is mostly an Apache config issue, but I cannot find the root cause.

  2. I have followed the Hardening and Securing howto, and I see lots of errors in the log, what are those?

** is_file(): open_basedir restriction in effect. File(/appinfo/app.php) is not within the allowed path(s): (/var/www/html/:/tmp/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/lib/private/app.php#115
** flock() expects parameter 1 to be resource, boolean given at /var/www/html/owncloud/cron.php#116
** fopen(/tmp/owncloud-server-ocf73429d96e-cron.lock): failed to open stream: Operation not permitted at /var/www/html/owncloud/cron.php#115
** fopen(): open_basedir restriction in effect. File(/tmp/owncloud-server-ocf73429d96e-cron.lock) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/cron.php#115
** touch(): open_basedir restriction in effect. File(/tmp/owncloud-server-ocf73429d96e-cron.lock) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/cron.php#105
** file_exists(): open_basedir restriction in effect. File(/tmp/owncloud-server-ocf73429d96e-cron.lock) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/cron.php#104
** is_file(): open_basedir restriction in effect. File(/appinfo/app.php) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/lib/private/app.php#115
** dir(): open_basedir restriction in effect. File(/dev/urandom/) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom/) at /var/www/html/owncloud/3rdparty/symfony/process/Symfony/Component/Process ExecutableFinder.php#59

php.ini's "open_basedir" directive contains :

open_basedir = "/var/www/html/:/tmp/:/mnt/data/:/dev/urandom"

  3. When accessing OC from the web, I get a page saying "You are accessing the server from an untrusted domain. Please contact your administrator" with a button to add the current domain to the trusted list. Clearly something is wrong if I can modify OC's settings (add as a trusted domain) from the internet!!!! Of course the domain will change all the time since I want to be able to use OC from anywhere in the world. What is this error message and what does it mean?

Answering these 3 questions will get me going I guess..

Best regards

Server configuration
Operating system: CentOS 7
Web server: apache 2.4.6
Database: mysql
PHP version: PHP 5.4.16 (cli) (built: May 12 2016 13:45:17)
ownCloud version (see ownCloud admin page): 8.1.9 (using yum from repo @isv_ownCloud_community)
Updated from an older ownCloud or fresh install: updated from older version


#2
  1. When you access from outside your home network, you probably use a different VirtualHost configuration for connection from outside (perhaps a default or fallback-vhost): https://httpd.apache.org/docs/current/vhosts/examples.html
  2. /tmp is missing in your open_basedir-config. Either add the tmp-dir or move the tmp-dir into the owncloud-folder (you can set an option for a different tmp-folder in config/config.php).

#3

I am not sure I understand what you mean by "When you access from outside your home network, you probably use a different VirtualHost configuration for connection from outside".. I am trying to access the OC server with my android tablet connected to my cellular provider. The equivalent of being outside of my house and using someone else's internet connection.

open_basedir contains

/var/www/html/:/tmp/:/mnt/data/:/dev/urandom

Some of the error messages were older and occurred before I added /tmp to the basedir directive. That still however doesn't explain

** is_file(): open_basedir restriction in effect. File(/appinfo/app.php) is not within the allowed path(s): (/var/www/html/:/tmp/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/lib/private/app.php#115

and the mystic error

** flock() expects parameter 1 to be resource, boolean given at /var/www/html/owncloud/cron.php#116

Sure someone must have configured apache to serve only one instance of owncloud??


#4

e.g. you have that in your config:

<VirtualHost 192.168.2.2:443>
ServerName owncloud.example.com
DocumentRoot /var/www/owncloud
...
</VirtualHost>
<VirtualHost _default_:443>
DocumentRoot /var/www
..
</VirtualHost>

#5

Hello tflidd

I am now using vhosts, and my apache server will be only hosting owncloud.

That being said, OC resides in /var/www/html/owncloud

httpd.conf has

ServerRoot "/etc/httpd"

Listen 80

Include conf.modules.d/*.conf
IncludeOptional conf.d/*.conf

User apache
Group apache

ServerAdmin root@localhost
ServerName www.mycloud.net

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html/">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

ssl.conf has

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

owncloud-ssl.conf has

<VirtualHost *:80>
    ServerName www.mycloud.net
    DocumentRoot "/var/www/html/owncloud"
        Alias / "/var/www/html/owncloud/"
        <Directory "/var/www/html/owncloud/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
<VirtualHost *:443>
        ServerName www.mycloud.net
    DocumentRoot "/var/www/html/owncloud"
    Alias / "/var/www/html/owncloud/"
        <Directory "/var/www/html/owncloud/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
    SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/server.key
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        </IfModule>
</VirtualHost>

#6

OK, I'm really stuck.

I managed to clear out some of my problems but apache still eludes me..

This is what I want to accomplish:

  • https-only access so people don't have to add the http**S** (most will omit or forget this)

Not working with the config files posted in post #5. If I enter "http://server" I get the owncloud login page but it's not being forwarded to https, it stays in plain http.

  • everything would be redirected to /var/www/html/owncloud and not anywhere else (document root, etc)

Somehow working. If I enter "http://server-address" or "https://server-address", both bring me to the owncloud login page. I however see a strange login page, as if something in .htaccess or somewhere else (in apache's config files perhaps?) was not properly parsed or redirected. See screenshot.

  • I could access the OC server using either the local FQDN or IP (such as "https://mycloud") from LAN, or an external address such as "https://mycloud.net" from the web.

Not tested this one yet.

If someone (apache guru) can weigh in to help me get past the first 2 issues I would appreciate it.

Thanks!


#7

In your configuration (with the new DocumentRoot), this line is not needed:
Alias / "/var/www/html/owncloud/"
To redirect all traffic to SSL by default, you can change the normal HTTP-Vhost to:

<VirtualHost *:80>
    ServerName mycloud.net
    ServerAlias www.mycloud.net
    Redirect permanent / https://mycloud.net/
</VirtualHost>

To make sure all resources are sent via https (and no mixed content), you can add this to your config/config.php:

/**
 * When generating URLs, ownCloud attempts to detect whether the server is
 * accessed via ``https`` or ``http``. However, if ownCloud is behind a proxy
 * and the proxy handles the ``https`` calls, ownCloud would not know that
 * ``ssl`` is in use, which would result in incorrect URLs being generated.
 * Valid values are ``http`` and ``https``.
 */
'overwriteprotocol' => 'https',

Reboot webserver, clean browser cache, try on a current firefox/chrome browser.


#8

With the config files below, I can access OC from LAN and internet, but only on https port.

Trying to connect with plain http I get "The connection has timed out" (Firefox) and "internal error - server connection terminated" (Chrome). I want http to be redirected to https seamlessly so users don't have to punch http**s** manually...

Trying to connect with https works perfectly from LAN and internet.

/etc/httpd/conf.d/owncloud-ssl.conf

<VirtualHost *:80>
        ServerName mycloud.net
        DocumentRoot "/var/www/html/owncloud"
        Alias /owncloud "/var/www/html/owncloud/"
        <Directory "/var/www/html/owncloud/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        #Redirect permanent / http://mycloud.net/
        RewriteEngine on
        ReWriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
<VirtualHost *:443>
        ServerName mycloud.net
        DocumentRoot "/var/www/html/owncloud"
        Alias /owncloud "/var/www/html/owncloud/"
        <Directory "/var/www/html/owncloud/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        #Redirect permanent / https://mycloud.net/
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/server.key
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        </IfModule>
</VirtualHost>

config/config.php

<?php
$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'trusted_domains' =>
  array (
    0 => '',
    1 => 'mycloud.net',
  ),
  'datadirectory' => '/mnt/data',
  'enable_previews' => 'false',
  'overwrite.cli.url' => 'https://localhost/',
  'dbtype' => 'mysql',
  'version' => '8.1.9.2',
  'dbname' => 'clouddb',
  'dbhost' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '',
  'dbpassword' => '',
  'installed' => true,
  'mail_domain' => '',
  'mail_from_address' => '',
  'mail_smtpmode' => '',
  'mail_smtpsecure' => 'tls',
  'mail_smtphost' => '',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtpport' => '',
  //'overwritewebroot' => '/owncloud',
  'forcessl' => true,
  'mail_smtpname' => '',
  'mail_smtppassword' => '',
  'loglevel' => 0,
  'logfile' => '/var/www/html/owncloud/data/owncloud.log',
  'logtimezone' => '/',
  'maintenance' => false,
  'secret' => '',
  'theme' => '',
  'filelocking.enabled' => 'true',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\APCu',
  'overwriteprotocol' => 'https',
);

If I comment out the "Alias" lines in the vhosts and uncomment the "Redirect" lines with both plain http and https I get "too many redirects" (from the internet and LAN)...

So for now I am using the first version of the config files (commented out "Redirect" and uncommented "Alias") so at least I can have access to my server while away from home, but I am not confident everything is properly working....


#9

Just think about it for a second. If you redirect both, http and https, what happens is that http->https->https->https->https->... traffic will constantly be redirected in a loop. Why do you want to redirect the https-vhost?

Did you see the typo in (Linux world is case sensitive):

You can redirect traffic to https with either a rewrite rule or the Redirect statement. Either of them will do the job; for a simple redirect, Redirect needs fewer resources, but for you there won't be a visible difference.

If you access your cloud via https://mycloud.net, you won't need

Alias /owncloud "/var/www/html/owncloud/"

With current tips from the official docs, your vhost for ssl should look like:

    <VirtualHost *:443>
            ServerName mycloud.net
            DocumentRoot "/var/www/html/owncloud"
            <Directory "/var/www/html/owncloud/">
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride All
                    <IfModule mod_dav.c>
                       Dav off
                    </IfModule>
                    SetEnv HOME /var/www/html/owncloud
                    SetEnv HTTP_HOME /var/www/html/owncloud
                    Order allow,deny
                    Allow from all
            </Directory>
            SSLEngine on
            SSLProtocol all -SSLv2 -SSLv3
            SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
            SSLCertificateFile /etc/pki/tls/certs/server.crt
            SSLCertificateKeyFile /etc/pki/tls/certs/server.key
            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                    SSLOptions +StdEnvVars
            </Files>
            <Directory "/var/www/cgi-bin">
                    SSLOptions +StdEnvVars
            </Directory>
            BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
            CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
            <IfModule mod_headers.c>
                    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
            </IfModule>
    </VirtualHost>

The http-vhost can be as short as posted in https://central.owncloud.org/t/help-configuring-a-local-owncloud-server-to-be-accessed-from-the-web/1489/7?u=tflidd

The trusted domain should not contain an empty string:

  'trusted_domains' =>
  array (
    0 => 'mycloud.net',
  ),

#10

OK, it's almost all working except that the redirect from http to https doesn't work. The browser tries to load the page and times out.

https works perfectly. I have modified both http and ssl vhosts as you suggested.

I have tried adding these two directives in the http vhost to redirect to ssl:

Redirect permanent / https://mycloud.net/

and

RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

#11

I found this as well. The problem turned out to be my ISP. As a consumer residential internet service, they block inbound port 80. They don't want people running web servers out of their homes. Port 443 is allowed, however. I think this is a common practice. My ISP also blocks inbound port 25. I have Comcast residential internet service.


#12

That makes a lot of sense. Like port 25 (smtp) is generally blocked by ISPs so users don't run mail servers at home. In the case of mail servers I can understand the rationale behind this (spam) but for port 80, I just don't see the reason...

I guess OC is finally up & running thanks to you guys!!!! I learnt so much about Apache, this thing has been a complete mystery for a long time now but now I understand much more how it works.

BTW, for SSL certs, what do you guys do? I decided to rely on "Let's Encrypt" and their automated renewal process. There are decent instructions on how to set up LE on CentOS VPS so I figured to try it.


#13

I bought a proper commercial SSL cert from Godaddy. They had the best pricing for a large reputable vendor last time I checked. They provide easy to follow instructions for integrating their cert (and their intermediate CA) into Apache. It was really a no-brainer and I've never done this before.


#14

If you don't need wildcard or multi-domain certificates, there is no real benefit of commercial SSL certificates. Let's Encrypt or startssl.com are sufficient.


#15

Startssl lists their free certificate product as "coming soon", and the Let's Encrypt root CA is not trusted by default in the major web browsers. I wanted something that "just works", from any PC or device, without having to install root CAs or other tech support tasks like that. I avoid self-signed certs for the same reason.


#16

and the Let's Encrypt root CA is not trusted by default in the major web browsers

That's why they are cross-signed by GlobalSign, whose CA in turn does work in any browser. Check the certificate of this very site. With CertBot and Apache, this has become a complete no-brainer, and even with acmetool or letsencrypt.sh (to name tools with fewer dependencies), the documentation is still good.


#17

That's great, I'm glad that solution works for you. Personally, I like to go with established entities and familiar brands, so I'm happy to buy my certs from GoDaddy. FWIW I also pay for an annual subscription to RHEL Workstation for my home PCs. Yes, I know of CentOS, but I prefer to use the real RHEL product and the support and documentation that it includes.


#18

While I do see the value of RHEL subscription (support, access to portals, etc), the value of spending money on a domain validated certificate is relatively low, except for very limited situations. Anyway, YMMV.


#19

Hey guys, thanks for the feedback on the SSL config and the help provided to get my server online!!!

Still, as a follow-up, I have to solve this error, which comes back constantly in the logs:

** is_file(): open_basedir restriction in effect. File(/appinfo/app.php) is not within the allowed path(s): (/var/www/html/:/tmp/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/lib/private/app.php#115

What does it mean???
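An added example, not from the thread or from ownCloud, that reads the open_basedir messages quoted in posts #1, #3 and #19 and separates the two causes they mix: a directory genuinely missing from the list (the /tmp lock file) versus a path PHP should never have built. `/appinfo/app.php` sits directly under the filesystem root, which most likely means the application-path prefix in front of it was empty (assumption: the app directory could not be resolved), so no open_basedir edit can cure it; the sample lines are constructed copies of those in the thread, and the `isdir` parameter lets the check run on a machine other than the server.

```python
import os
import posixpath
import re

# Constructed sample in the shape of the ownCloud log lines quoted in the thread.
SAMPLE_LOG = [
    "is_file(): open_basedir restriction in effect. File(/appinfo/app.php) is not within "
    "the allowed path(s): (/var/www/html/:/tmp/:/mnt/data/:/dev/urandom) "
    "at /var/www/html/owncloud/lib/private/app.php#115",
    "fopen(): open_basedir restriction in effect. "
    "File(/tmp/owncloud-server-ocf73429d96e-cron.lock) is not within the allowed "
    "path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/cron.php#115",
    "PHP Notice: an unrelated line that the parser must skip",
]

LOG_RE = re.compile(
    r"open_basedir restriction in effect\. File\((?P<file>[^)]*)\) is not within "
    r"the allowed path\(s\): \((?P<allowed>[^)]*)\)"
)


def allowed_by_basedir(path, basedir):
    """Directory-name semantics of open_basedir (PHP 5.3.4 and later): the file
    must be an entry itself or lie below one, so '/var/www/html/' does not admit
    '/var/www/html2/x'. Paths are normalised lexically here; PHP compares
    realpaths, so a symlinked data or tmp directory can still differ."""
    target = posixpath.normpath(path)
    for entry in basedir.split(":"):
        entry = posixpath.normpath(entry)
        if target == entry or target.startswith(entry.rstrip("/") + "/"):
            return True
    return False


def diagnose(line, isdir=os.path.isdir):
    """Classify one log line. Returns None for unrelated lines, otherwise
    (file, verdict, detail) with verdict one of:
      'covered'    the list already covers the file; only realpath/symlink
                   resolution explains the refusal
      'add_entry'  the file's directory exists on this host; add it to the list
      'bogus_path' the directory does not exist here: PHP built a wrong path
                   (an empty app-path prefix yields /appinfo/app.php), which
                   editing open_basedir cannot fix"""
    m = LOG_RE.search(line)
    if not m:
        return None
    path, allowed = m.group("file"), m.group("allowed")
    if allowed_by_basedir(path, allowed):
        return (path, "covered", allowed)
    parent = posixpath.dirname(posixpath.normpath(path))
    if isdir(parent):
        return (path, "add_entry", parent.rstrip("/") + "/")
    return (path, "bogus_path", parent)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry))
```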


#20

As your initial issue is solved I'm closing here. In general please don't mix several different topics in one single thread for the reasons explained here: