Help with OC setup


#1

Hi everyone,

I have been trying to get OC set up the right way for about 2 years, don't laugh. OK, go ahead and laugh! I have been using it but when I get it set up, it doesn't do what I want it to do. I am using Ubuntu 16.04 now but this was also an issue in earlier versions. I am a noob to Linux and server stuff in general. I am learning as I go, I don't like asking for help because I am stubborn.
I am trying to accomplish 2 things. I really want to add SSL but have no idea how to do so. I have heard many terms used but don't fully understand them, so I'm looking for layman's terms in a way. I just want to do a self-sign version and step by step to implement it on the server.
Second, when I mount a local storage drive it doesn't seem to work right. I basically add it and I can see and use what I put on there locally but everything I try to save through the "webspace" goes to the original data folder and eats up my boot drive SSD space. I feel that I also have an issue with permissions within Ubuntu. I know it has something to do with the path that is applied. I named the mount storage and when I mount it, it continues to go to /media/nameofuser/storage. I had an issue with the drive unmounting after reboot and fixed that at some point but don't remember what I did. I had a brain injury about 10 years ago and short term is terrible unless it's in front of me. This is why I have a hard time.
I have been trying to get this to work this way, I know it can be done. It's just that I'm not doing something right. I have followed some of the YouTube videos and they have helped me in different ways but I can't get it right.
I can install OC and set up the tasksel thing and all in Linux. Is there anyone that could help me with the rest in a text document or even know of a video that can help with the rest? I want to install version 10. I know some of y'all can do this stuff in your sleep or while driving, eating breakfast and texting at the same time. I would really appreciate the help if someone's willing to do so or guide me to something other than the admin guide.
Thank you for your time reading this!


#2

Hi @esnrhtx, you're asking a lot! It might not be possible to convey answers in what you would accept as "layman's terms" :wink: I'm going to try to point you in the right direction, and you can either ask further questions or do further web searches based on what I'm saying.

(Disclaimer: I'm mostly self-taught, and I'm using FreeBSD. I haven't used Linux since 2004! If I get something wrong, hopefully others will correct me!)

SSL is actually pretty easy nowadays. There are services such as Let's Encrypt that provide free certificates as well as the software that configures your webserver to use the certificate. Self signed certificates are fine for testing, but you'll find there's a lot of third party software (calendar apps, contacts apps, etc) that refuse to connect to a server using self signed certificates. Also, then you'll have to configure the webserver yourself. If you use Let's Encrypt, the client will configure your web server for you. You should check out their site.

I recommend using Let's Encrypt for simplicity's sake, but if you choose to create your own certificates, here's a simple guide. Creating certificates requires two steps - creating a key, and then using that key to sign a certificate. Once created, you'll then need to configure your webserver to use the certificate.

You didn't specify whether you're using Apache or Nginx or something else. SSL isn't really an ownCloud thing, it's a webserver thing. This is probably the reason you're having trouble configuring SSL - you're trying to make SSL work with ownCloud instead of making it work with Apache/Nginx. You should do some websearching for SSL and whatever your webserver is. Once you've got SSL working with your webserver in general, getting SSL working with ownCloud is a piece of cake.

EDIT: Check out Mozilla's SSL configuration site, you tell it what webserver you use, and it provides you with configuration text to add to your conf files. It's easier to research and understand what Mozilla recommends than to figure this stuff out from scratch yourself!

I'm not sure I understand your second issue. You've got an SSD as your boot drive, and a HDD that you want to use for ownCloud storage? But you're mounting the HDD in the wrong place? Are you trying to mount the drive where ownCloud stores stuff, or are you trying to configure ownCloud to store stuff on a pre-mounted HDD?

I don't think I can really help with that. I'm not sure where things go in Ubuntu, but in FreeBSD all the ownCloud user data is stored in /usr/local/www/owncloud/data, so I'd mount the HDD there. Again, this sounds like a file system configuration issue, not an ownCloud configuration issue.

Oh, and you would have added an fstab entry to ensure your HDD is mounted on reboot :slight_smile: I completely understand forgetting these things. You do it so infrequently that you have to re-learn it every time!

Honestly, none of your questions are ownCloud-specific, that's probably why you're having trouble making things work. We'll help you as much as we can in this forum, but you would probably find better SSL information on sites dedicated to configuring your web server, or sites dedicated to explaining configuring Ubuntu file systems.

I hope I've helped! Don't hesitate to ask if you have further questions or if I've been unclear about something. Good luck :slight_smile:


#3

Thank you for your response DarkSteve. I will try getting the SSL done this weekend. I'm just lost when it comes to that. I know a lot of people in the forum suggest using SSL. Do you think it's best to use SSL? It's just mainly music and other non-important stuff. By the way, I am using Apache. The second issue is exactly what you said. The SSD is just for the OS and OC installation. When I get the external storage set up, it works fine until I reboot. I can add stuff to it and it goes to the external storage. When I reboot, I add stuff to the ext. drive and it goes to the SSD and fills it up. It has something to do with the auto mount from what I'm getting. I try to mount the ext. to media/storage. It then ends up in /media/username/storage and I think it "blocks" stuff from going there.
Even after 2 years of trying this I'm still excited that one day it will work right. It has so many benefits. I don't blame OC because I know it's something I'm doing wrong. I have no problem otherwise, everything else works great. I have my phone setup and it backs up fine and all. It's just this external storage thing.
I used OC with Windows and it was great, but back then there wasn't ext. storage. OC on Linux is easy too but some new stuff has me lost.

Again, thank you for your input. I'm just hoping one day to get it right.


#4

Definitely! Not only does SSL protect your passwords, but it stops things you might not expect, like your ISP injecting ads or trackers into your datastream.

Also, having a cracker break into your ownCloud setup gives them a foothold on cracking the rest of your machine. (Stuff like data theft, identity theft, and planting keyloggers etc.) Don't think you're not important enough to attack, there are bots that blanket attack everyone.

I use Apache too, however its setup is slightly different on FreeBSD compared to Ubuntu. The data within the conf files is the same, but the file locations and file names are different. So don't take the file names or locations I use literally! They should be close, but probably not the same. You should be able to find better guides online that are Ubuntu specific.

Big picture - you need to ensure openssl/libressl is installed, and that Apache can use it. Then create a certificate (self-signed or get one from Let's Encrypt). Then configure your site to use your cert and ssl.

I first install openssl, then mod_ssl (which might be auto-installed on Ubuntu). Check your httpd.conf to ensure the ssl module is enabled. You should have a line that's something like:
LoadModule ssl_module libexec/apache24/mod_ssl.so

There's a second line you'll need to uncomment, something like:
Include etc/apache24/extra/httpd-ssl.conf

That httpd-ssl.conf file is what you update with the settings you got from Mozilla. Most of it you can leave as defaults, but here's what a portion of my httpd-ssl.conf looks like:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# OCSP Stapling, as per Mozilla's recommendations
SSLUseStapling                    on
SSLStaplingResponderTimeout       5
SSLStaplingReturnResponderErrors  off
SSLStaplingCache                  shmcb:/var/run/ocsp(128000)

<VirtualHost _default_:443>
DocumentRoot /usr/local/www/mydomain.tk
ServerName mydomain.tk
ServerAdmin steve@mydomain.tk
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"
# HSTS (mod_headers is required) (15768000 seconds = 6 months),
# as per Mozilla's recommendations
Header always set Strict-Transport-Security "max-age=15768000"
SSLEngine on
SSLCertificateFile "/usr/local/etc/letsencrypt/live/mydomain.tk/fullchain.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/mydomain.tk/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/mydomain.tk/chain.pem"
</VirtualHost>

My cipher suite is bigger than Mozilla's recommendation. That's because I had to add some ciphers because the ownCloud app couldn't connect! Also, you'll notice I'm only allowing TLS 1.2. You should never use sslv2 or sslv3 (they're cracked so bad you may as well not use SSL at all), and while I don't think TLS has been cracked yet, there are theoretical attacks against TLSv1.0 which may become practical without warning.

Also, this will be the default site that your visitors (and you) will be directed to when connecting via https and the domain isn't specified in your vhosts file. (For example, if you connect via IP address.)

And here's a snippet of my vhosts contents:

<VirtualHost *:80>
    ServerName mydomain.tk
    Redirect permanent / https://mydomain.tk/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /usr/local/www/mydomain.tk
    ServerName mydomain.tk
    Header always set Strict-Transport-Security "max-age=15768000"
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/mydomain.tk/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/mydomain.tk/privkey.pem"
</VirtualHost>

The first virtualhost redirects all non-encrypted connections to the encrypted one. The second virtualhost is my actual encrypted site. This setup gives me an A+ on SSL Labs. Just add an extra virtualhost for each site you want.

I hope this helps you get SSL working! Please ask me again if you have more questions, but you might do better getting advice from someone familiar with Ubuntu :wink:

Your second problem, I can't help with. I've never used the external storage functionality in ownCloud, I have zero experience and knowledge about it. I thought you were mounting an internal HDD, not mounting an external HDD. If you are talking about an internal HDD, then ownCloud's external storage shouldn't come into it at all. If you're talking about an external HDD, disregard my earlier comment about fstab!

I first played with ownCloud version 3.x, which was buggy and crap. I finally switched to ownCloud full time (and away from SpiderOak) around version 5. OwnCloud is worth the effort, it really is, but for your own security, please keep trying until you get SSL working!

And once you start, you won't stop learning! Each individual component (the cipher, the protocol, individual or SAN certificates, etc) is a steep learning curve. Years ago, I managed to get SSL working with self-signed certs, only to be later emailed by the Australian government to tell me to fix my site! Apparently I was vulnerable to POODLE, but I had no idea what the hell that meant! Now I understand it meant I was offering protocols that undermined any security I was trying to implement. (Which is why I explained disabling sslv2 and 3!)

It's much easier to understand and fix a working system than to set one up without any understanding at all. Persevere with SSL, it'll all be worth it :slight_smile:
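The checks described in the post above (old protocol versions switched off, port 80 redirecting to https, HSTS on the https vhost) can be run against a config file before reloading Apache. This is an added example, not part of the original post or of ownCloud; the expansion of "all", the function names and the sample config are assumptions made for the illustration.

```python
import re

ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # assumed expansion of "all"
CANON = {p.lower(): p for p in ALL + ["SSLv2"]}
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # the versions the post switches off

def effective_protocols(spec):
    """Resolve SSLProtocol arguments, left to right, to the set left enabled."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(ALL) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group  # a bare token replaces whatever came before it
    return enabled

def audit(conf):
    """List weak protocols, :80 vhosts without an https redirect, :443 without HSTS."""
    conf = re.sub(r"(?m)^[ \t]*#.*$", "", conf)  # ignore comment lines
    found = []
    for spec in re.findall(r"(?mi)^[ \t]*SSLProtocol[ \t]+(.+)$", conf):
        weak = sorted(effective_protocols(spec) & WEAK)
        if weak:
            found.append("SSLProtocol still enables " + ", ".join(weak))
    for addr, body in re.findall(r"(?is)<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf):
        port = addr.strip().rsplit(":", 1)[-1]
        if port == "80" and not re.search(r"(?mi)^[ \t]*Redirect[ \t].*https://", body):
            found.append(addr.strip() + " serves plain HTTP with no redirect to https")
        if port == "443" and not re.search(r"(?mi)^[ \t]*Header[ \t].*Strict-Transport-Security", body):
            found.append(addr.strip() + " sets no Strict-Transport-Security header")
    return found

# Constructed sample (not from the thread): TLS 1.0/1.1 left on, no redirect, no HSTS.
SAMPLE = """
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:80>
    ServerName example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A config written the way the post shows (all four old versions removed, a Redirect in the port-80 vhost, the HSTS header in the 443 vhost) produces an empty list.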


#5

Hi Steve,
I will work on the SSL and see what happens after I reinstall OC later tonight. I appreciate all you have done so far, I really do. With the HDD, it is an internal drive and I may have worded it incorrectly along the way. I want to make the 2nd drive the ONLY data location and use the SSD just for the "regular" stuff. They claim it's easier to set everything up during the initial installation. They say it's hard to move the data directory after the install has been done so I am going to reinstall it. I did notice last time when I installed it, that when I tried to use the other HDD for the data folder on the opening screen of OC, it said I couldn't. I don't remember the exact wording but it had to do with permissions. So, I assume the permissions for the 2nd HDD have to be in place to install the data folder at install. When I installed the default way, I get the 2nd HDD set up with permissions (I think they're right) and it works until I reboot. I would like to not have "local" listed in the directory of OC, I would rather have it look like the default view. What I mean is when you login from a PC, it lists document, pics and so on, I don't want local listed (for the 2nd HDD) in the directory. I assume if you set it up as the data folder, it will only list docs, pics and so on without local listed.
When you set permissions for the 2nd HDD I was told that permissions should look like this: sudo chown -R dummy:www-data /var/www/html/ for the installation and sudo chmod 775 /var/www/html/, sudo chmod g+s /var/www/html/. OC works correctly when I do this as long as I only use the default drive. When I set up the second it needs to be set up similar except for the path. The first thing to install data on the 2nd drive is that you need to mkdir. I make /media/storage and I attempt to mount the 2nd HDD to that location. After reboot it no longer works. Can you tell me in a simple to understand outline of what to do in order to properly set up the 2nd HDD so I can install the data folder on the install screen? I know I'm asking for a lot but this is where the mistakes are made.

  1. Obviously the HDD is connected, lol.
  2. Do I mkdir?
  3. Do I mount it now? How do I prevent it from going to media/name/storage?
  4. set permissions? should they be www-data:www-data or can it be dummy:www-data? Should 775 be ok, I think they claim 770?
  5. Then I will need to change fstab correct? I see that some say to use the blkid info for fstab? I get lost on this one.
  6. Then install OC?

I'm sorry for asking so much. Some of the terminology gets me lost in the admin manual. The steps in the manual assume you know a lot about servers and Linux. If someone made an easy to follow manual I would buy it if I needed to, lol. Again, thank you.