Help configuring a local owncloud server to be accessed from the web

Hello, a few months ago I managed to install owncloud on a centos VM and got it running, and I have been using it since then from my LAN (sync files across computers, etc). It works well from LAN, but now I need to make it available from the web so I can use it anywhere.

I still have to register with a Dynamic DNS service so I won't have to use my public IP, but for now I am doing some testing using my public IP. There are several problems with my installation. I am seeking advice from more experienced users.

  1. From LAN, I can access OC using "https://vm_ip/owncloud/" but from the internet using the same address I get "Index of /". A quick web search showed that the problem may be related to the declaration of DocumentRoot, which was modified from "/var/www/html" to "/var/www/html/owncloud". Immediately after restarting apache, I could access the login page from both LAN and web using "https://vm_ip/", which is exactly what I want to do, but now I can no longer log in. It seems that after entering my credentials, nothing happens. This is mostly an apache config issue, but I cannot find the root cause.

  2. I have followed the Hardening and Securing howto, and I see lots of errors in the log, what are those?

** is_file(): open_basedir restriction in effect. File(/appinfo/app.php) is not within the allowed path(s): (/var/www/html/:/tmp/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/lib/private/app.php#115
** flock() expects parameter 1 to be resource, boolean given at /var/www/html/owncloud/cron.php#116
** fopen(/tmp/owncloud-server-ocf73429d96e-cron.lock): failed to open stream: Operation not permitted at /var/www/html/owncloud/cron.php#115
** fopen(): open_basedir restriction in effect. File(/tmp/owncloud-server-ocf73429d96e-cron.lock) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/cron.php#115
** touch(): open_basedir restriction in effect. File(/tmp/owncloud-server-ocf73429d96e-cron.lock) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/cron.php#105
** file_exists(): open_basedir restriction in effect. File(/tmp/owncloud-server-ocf73429d96e-cron.lock) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/cron.php#104
** is_file(): open_basedir restriction in effect. File(/appinfo/app.php) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/lib/private/app.php#115
** dir(): open_basedir restriction in effect. File(/dev/urandom/) is not within the allowed path(s): (/var/www/html/:/mnt/data/:/dev/urandom/) at /var/www/html/owncloud/3rdparty/symfony/process/Symfony/Component/Process ExecutableFinder.php#59

php.ini's "open_basedir" directive contains:

open_basedir = "/var/www/html/:/tmp/:/mnt/data/:/dev/urandom"

  3. When accessing OC from the web, I get a page saying "You are accessing the server from an untrusted domain. Please contact your administrator" with a button to add the current domain to the trusted list. Clearly something is wrong if I can modify OC's settings (add as a trusted domain) from the internet!!!! Of course the domain will change all the time since I want to be able to use OC from anywhere in the world. What is this error message and what does it mean?

Answering these 3 questions will get me going I guess..

Best regards

Server configuration
Operating system:Centos 7
Web server: apache 2.4.6
Database: mysql
PHP version: PHP 5.4.16 (cli) (built: May 12 2016 13:45:17)
ownCloud version (see ownCloud admin page): 8.1.9 (using yum from repo @isv_ownCloud_community)
Updated from an older ownCloud or fresh install: updated from older version

  1. When you access from outside your home network, you probably use a different VirtualHost configuration for connection from outside (perhaps a default or fallback-vhost): https://httpd.apache.org/docs/current/vhosts/examples.html
  2. /tmp is missing in your open_basedir-config. Either add the tmp-dir or move the tmp-dir into the owncloud-folder (you can set an option for a different tmp-folder in config/config.php).

I am not sure I understand what you mean by "When you access from outside your home network, you probably use a different VirtualHost configuration for connection from outside".. I am trying to access the OC server with my android tablet connected to my cellular provider. The equivalent of being outside of my house and using someone else's internet connection.

open_basedir contains

/var/www/html/:/tmp/:/mnt/data/:/dev/urandom

Some of the error messages were older and occurred before I added /tmp to the basedir directive. That still however doesn't explain

** is_file(): open_basedir restriction in effect. File(/appinfo/app.php) is not within the allowed path(s): (/var/www/html/:/tmp/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/lib/private/app.php#115

and the mystic error

** flock() expects parameter 1 to be resource, boolean given at /var/www/html/owncloud/cron.php#116

Sure someone must have configured apache to serve only one instance of owncloud??

e.g. you have that in your config:

<VirtualHost 192.168.2.2:443>
ServerName owncloud.example.com
DocumentRoot /var/www/owncloud
...
</VirtualHost>
<VirtualHost _default_:443>
DocumentRoot /var/www
..
</VirtualHost>

Hello tflidd

I am now using vhosts, and my apache server will be only hosting owncloud.

That being said, OC resides in /var/www/html/owncloud

httpd.conf has

ServerRoot "/etc/httpd"

Listen 80

Include conf.modules.d/*.conf
IncludeOptional conf.d/*.conf

User apache
Group apache

ServerAdmin root@localhost
ServerName www.mycloud.net

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html/">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

ssl.conf has

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

owncloud-ssl.conf has

<VirtualHost *:80>
    ServerName www.mycloud.net
    DocumentRoot "/var/www/html/owncloud"
        Alias / "/var/www/html/owncloud/"
        <Directory "/var/www/html/owncloud/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
<VirtualHost *:443>
        ServerName www.mycloud.net
    DocumentRoot "/var/www/html/owncloud"
    Alias / "/var/www/html/owncloud/"
        <Directory "/var/www/html/owncloud/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
    SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/server.key
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        </IfModule>
</VirtualHost>

OK I'm really stuck.

I managed to clear out some of my problems but apache still eludes me..

This is what I want to accomplish:

  • https only access so people don't have to add the httpS (most will omit or forget this)

Not working with the config files posted in post #5. If I enter "http://server" I get the owncloud login page but it's not being forwarded to https, it stays in plain http.

  • everything would be redirected to /var/www/html/owncloud and not anywhere else (document root, etc)

Somehow working. Entering "http://server-address" or "https://server-address" both bring me to the owncloud login page. I however see a strange login page, as if something in .htaccess or somewhere else (in apache's config files perhaps?) was not properly parsed or redirected. See screenshot.

  • I could access the OC server using either the local FQDN or IP (such as "https://mycloud") from LAN, or an external address such as "https://mycloud.net" from the web.

Not tested this one yet.

If someone (an apache guru) can weigh in to help me get past the first 2 issues I would appreciate it.

Thanks!

In your configuration (with the new DocumentRoot), this line is not needed:
Alias / "/var/www/html/owncloud/"
To redirect all traffic to SSL by default, you can change the normal HTTP-Vhost to:

<VirtualHost *:80>
    ServerName mycloud.net
    ServerAlias www.mycloud.net
    Redirect permanent / https://mycloud.net/
</VirtualHost>

To make sure all resources are sent via https (and no mixed content), you can add this to your config/config.php:

/**
 * When generating URLs, ownCloud attempts to detect whether the server is
 * accessed via ``https`` or ``http``. However, if ownCloud is behind a proxy
 * and the proxy handles the ``https`` calls, ownCloud would not know that
 * ``ssl`` is in use, which would result in incorrect URLs being generated.
 * Valid values are ``http`` and ``https``.
 */
'overwriteprotocol' => 'https',

Reboot webserver, clean browser cache, try on a current firefox/chrome browser.

With the config files below, I can access OC from LAN and internet, but only on https port.

Trying to connect with plain http I get "The connection has timed out" (Firefox) and "internal error - server connection terminated" (Chrome). I want http to be redirected to https seamlessly so users don't have to punch in https manually...

Trying to connect with https works perfectly from LAN and internet.

/etc/httpd/conf.d/owncloud-ssl.conf

<VirtualHost *:80>
        ServerName mycloud.net
        DocumentRoot "/var/www/html/owncloud"
        Alias /owncloud "/var/www/html/owncloud/"
        <Directory "/var/www/html/owncloud/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        #Redirect permanent / http://mycloud.net/
        RewriteEngine on
        ReWriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
<VirtualHost *:443>
        ServerName mycloud.net
        DocumentRoot "/var/www/html/owncloud"
        Alias /owncloud "/var/www/html/owncloud/"
        <Directory "/var/www/html/owncloud/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        #Redirect permanent / https://mycloud.net/
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/server.key
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        </IfModule>
</VirtualHost>

config/config.php

<?php
$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'trusted_domains' =>
  array (
    0 => '',
    1 => 'mycloud.net',
  ),
  'datadirectory' => '/mnt/data',
  'enable_previews' => 'false',
  'overwrite.cli.url' => 'https://localhost/',
  'dbtype' => 'mysql',
  'version' => '8.1.9.2',
  'dbname' => 'clouddb',
  'dbhost' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '',
  'dbpassword' => '',
  'installed' => true,
  'mail_domain' => '',
  'mail_from_address' => '',
  'mail_smtpmode' => '',
  'mail_smtpsecure' => 'tls',
  'mail_smtphost' => '',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtpport' => '',
  //'overwritewebroot' => '/owncloud',
  'forcessl' => true,
  'mail_smtpname' => '',
  'mail_smtppassword' => '',
  'loglevel' => 0,
  'logfile' => '/var/www/html/owncloud/data/owncloud.log',
  'logtimezone' => '/',
  'maintenance' => false,
  'secret' => '',
  'theme' => '',
  'filelocking.enabled' => 'true',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\APCu',
  'overwriteprotocol' => 'https',
);

If I comment out the "Alias" lines in the vhosts and uncomment the "Redirect" lines with both plain http and https I get "too many redirects" (from the internet and LAN)...

So for now I am using the first version of the config files (commented out "Redirect" and uncommented "Alias") so at least I can have access to my server while away from home, but I am not confident everything is properly working....

Just think about it for a second. If you redirect both, http and https, what happens is that http->https->https->https->https->... traffic will constantly be redirected in a loop. Why do you want to redirect the https-vhost?

Did you see the typo in (Linux world is case sensitive):

You can redirect traffic to https with either a rewrite rule or the Redirect statement. Either of them will do the job; for a simple redirect, Redirect needs fewer resources, but for you there won't be a visible difference.

If you access your cloud via https://mycloud.net, you won't need

Alias /owncloud "/var/www/html/owncloud/"

With current tips from the official docs, your vhost for ssl should look like:

    <VirtualHost *:443>
            ServerName mycloud.net
            DocumentRoot "/var/www/html/owncloud"
            <Directory "/var/www/html/owncloud/">
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride All
                    <IfModule mod_dav.c>
                       Dav off
                    </IfModule>
                    SetEnv HOME /var/www/html/owncloud
                    SetEnv HTTP_HOME /var/www/html/owncloud
                    Order allow,deny
                    Allow from all
            </Directory>
            SSLEngine on
            SSLProtocol all -SSLv2 -SSLv3
            SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
            SSLCertificateFile /etc/pki/tls/certs/server.crt
            SSLCertificateKeyFile /etc/pki/tls/certs/server.key
            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                    SSLOptions +StdEnvVars
            </Files>
            <Directory "/var/www/cgi-bin">
                    SSLOptions +StdEnvVars
            </Directory>
            BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
            CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
            <IfModule mod_headers.c>
                    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
            </IfModule>
    </VirtualHost>

The http-vhost can be as short as posted in https://central.owncloud.org/t/help-configuring-a-local-owncloud-server-to-be-accessed-from-the-web/1489/7?u=tflidd

The trusted domain should not contain an empty string:

  'trusted_domains' =>
  array (
    0 => 'mycloud.net',
  ),

OK It's almost all working except the redirect from http to https doesn't work. The browser tries to load the page and times out.

https works perfectly. I have modified both http and ssl vhosts as you suggested.

I have tried adding these two directives in the http vhost to redirect to ssl:

Redirect permanent / https://mycloud.net/

and

RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

I found this as well. The problem turned out to be my ISP. As a consumer residential internet service, they block inbound port 80. They don't want people running web servers out of their homes. Port 443 is allowed, however. I think this is a common practice. My ISP also blocks inbound port 25. I have Comcast residential internet service.

That makes a lot of sense. Like port 25 (smtp) is generally blocked by ISPs so users don't run mail servers at home. In the case of mail servers I can understand the rationale behind this (spam) but for port 80, I just don't see the reason...

I guess OC is finally up & running thanks to you guys!!!! I learnt so much about Apache, this thing has been a complete mystery for a long time now but now I understand much more how it works.

BTW, for SSL certs, what do you guys do? I decided to rely on "Lets Encrypt" and their automated renewal process. There are decent instructions on how to set up LE on Centos VPS so I figured to try it.

I bought a proper commercial SSL cert from Godaddy. They had the best pricing for a large reputable vendor last time I checked. They provide easy to follow instructions for integrating their cert (and their intermediate CA) into Apache. It was really a no-brainer and I've never done this before.

If you don't need wildcard or multi-domain certificates, there is no real benefit of commercial SSL certificates. Let's encrypt or startssl.com are sufficient.

Startssl lists their free certificate product as "coming soon", and the Let's Encrypt root CA is not trusted by default in the major web browsers. I wanted something that "just works", from any PC or device, without having to install root CAs or other tech support tasks like that. I avoid self-signed certs for the same reason.

and the Let's Encrypt root CA is not trusted by default in the major web browsers

That's why they are cross-signed by GlobalSign, whose CA in turn does work in any browser. Check the certificate of this very site. With CertBot and Apache, this has become a complete no-brainer, and even with acmetool or letsencrypt.sh (to name tools with less dependencies), the documentation is still good.

That's great, I'm glad that solution works for you. Personally, I like to go with established entities and familiar brands, so I'm happy to buy my certs from GoDaddy. FWIW I also pay for an annual subscription to RHEL Workstation for my home PCs. Yes, I know of CentOS, but I prefer to use the real RHEL product and the support and documentation that it includes.

While I do see the value of RHEL subscription (support, access to portals, etc), the value of spending money on a domain validated certificate is relatively low, except for very limited situations. Anyway, YMMV.

Hey guys, thanks for the feedback on the SSL config and the help provided to get my server online!!!

Still, as a follow up I have to solve this error which comes back constantly in the logs

** is_file(): open_basedir restriction in effect. File(/appinfo/app.php) is not within the allowed path(s): (/var/www/html/:/tmp/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/lib/private/app.php#115

What does it mean???
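As an added illustration (not code from ownCloud, PHP or anyone in this thread): a small Python model of PHP's open_basedir prefix test, run against two of the log lines quoted in this thread. It shows why the cron.lock errors went away once /tmp/ was added to the directive, while /appinfo/app.php is an absolute path outside every allowed entry and stays denied whatever the list contains. The model is a string-prefix check only and leaves out PHP's realpath step, so it reproduces the prefix semantics, not symlink resolution.

```python
"""Model of PHP's open_basedir prefix check applied to ownCloud log lines."""
import posixpath
import re

# Log lines copied from the thread; the second predates the /tmp/ addition.
LOG_LINES = [
    "** is_file(): open_basedir restriction in effect. File(/appinfo/app.php) "
    "is not within the allowed path(s): (/var/www/html/:/tmp/:/mnt/data/:/dev/urandom) "
    "at /var/www/html/owncloud/lib/private/app.php#115",
    "** fopen(): open_basedir restriction in effect. "
    "File(/tmp/owncloud-server-ocf73429d96e-cron.lock) is not within the allowed "
    "path(s): (/var/www/html/:/mnt/data/:/dev/urandom) at /var/www/html/owncloud/cron.php#115",
]

# The directive as it stands in php.ini after /tmp/ was added.
CURRENT_OPEN_BASEDIR = "/var/www/html/:/tmp/:/mnt/data/:/dev/urandom"

LOG_RE = re.compile(
    r"\*\* (?P<func>\w+)\(\): open_basedir restriction in effect\. "
    r"File\((?P<file>[^)]*)\) is not within the allowed path\(s\): "
    r"\((?P<allowed>[^)]*)\) at (?P<where>\S+)"
)


def open_basedir_allows(path: str, open_basedir: str) -> bool:
    """Return True if `path` falls under one of the colon-separated entries.

    PHP compares the (resolved) path against each entry as a string prefix.
    An entry ending in '/' names a directory and matches paths below it only;
    an entry without a trailing slash also matches any path that merely starts
    with that string (the PHP manual documents this quirk for "/dir/incl").
    """
    normalised = posixpath.normpath(path)
    for entry in filter(None, open_basedir.split(":")):
        if entry.endswith("/"):
            if normalised == entry.rstrip("/") or normalised.startswith(entry):
                return True
        elif normalised.startswith(entry):
            return True
    return False


def parse_log_line(line: str):
    """Split one open_basedir warning into func/file/allowed/where, or None."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def diagnose(line: str, current_open_basedir: str):
    """Report whether the file was denied when logged and whether it is now allowed."""
    rec = parse_log_line(line)
    if rec is None:
        return None
    return {
        "file": rec["file"],
        "denied_at_log_time": not open_basedir_allows(rec["file"], rec["allowed"]),
        "allowed_now": open_basedir_allows(rec["file"], current_open_basedir),
        "where": rec["where"],
    }


if __name__ == "__main__":
    for log_line in LOG_LINES:
        print(diagnose(log_line, CURRENT_OPEN_BASEDIR))
```

The first result stays denied because /appinfo/app.php sits directly under the filesystem root, so no directory list short of "/" can admit it; the second flips to allowed once /tmp/ is present.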

As your initial issue is solved I'm closing here. In general please don't mix several different topics in one single thread for the reasons explained here: