samuel-emrys-blogs / freebsd-nextcloud-setup-hardened
How to install Nextcloud on FreeNAS in an iocage jail with hardened security
Hi Samuel
This is a new installation on FreeNAS 11.3-U3.2. I have followed your guide to set up datasets and permissions. As I have only 1 pool, the apps dataset and the iocage dataset are under the main dataset, vault. I have included the commands from adding storage to the iocage jail onwards.
root@freenas[~]# iocage start nextcloud
nextcloud is already running!
root@freenas[~]# iocage exec nextcloud mkdir -p /mnt/data
root@freenas[~]# iocage exec nextcloud mkdir -p /var/db/mysql
root@freenas[~]# iocage exec nextcloud mkdir -p /usr/local/www/nextcloud/config
root@freenas[~]# iocage exec nextcloud mkdir -p /usr/local/www/nextcloud/themes
root@freenas[~]# iocage fstab -a nextcloud /mnt/vault/cloud /mnt/data nullfs rw 0 0
Successfully added mount to nextcloud's fstab
root@freenas[~]# iocage fstab -a nextcloud /mnt/vault/apps/nextcloud/db /var/db/mysql nullfs rw 0 0
Successfully added mount to nextcloud's fstab
root@freenas[~]# iocage fstab -a nextcloud /mnt/vault/apps/nextcloud/config /usr/local/www/nextcloud/config nullfs rw 0 0
Successfully added mount to nextcloud's fstab
root@freenas[~]# iocage fstab -a nextcloud /mnt/vault/apps/nextcloud/themes /usr/local/www/nextcloud/themes nullfs rw 0 0
Successfully added mount to nextcloud's fstab
root@freenas[~]# setenv EDITOR /usr/local/bin/nano
zsh: command not found: setenv
root@freenas[~]# zfs set primarycache=metadata vault/apps/nextcloud/db
root@freenas[~]# iocage list
+-----+-----------+-------+--------------+--------------+
| JID | NAME | STATE | RELEASE | IP4 |
+=====+===========+=======+==============+==============+
| 1 | nextcloud | up | 11.3-RELEASE | 192.168.1.15 |
+-----+-----------+-------+--------------+--------------+
root@freenas[~]# iocage console nextcloud
FreeBSD 11.3-RELEASE-p9 (FreeNAS.amd64) #0 r325575+588899735f7(HEAD): Mon Jun 1 15:04:31 EDT 2020
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
root@nextcloud:~ # pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[nextcloud] Installing pkg-1.14.6...
[nextcloud] Extracting pkg-1.14.6: 100%
Updating FreeBSD repository catalogue...
[nextcloud] Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
[nextcloud] Fetching packagesite.txz: 100% 6 MiB 1.1MB/s 00:06
Processing entries: 100%
FreeBSD repository update completed. 32052 packages processed.
All repositories are up to date.
root@nextcloud:~ # pkg install nano
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
The following 3 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
gettext-runtime: 0.20.2
indexinfo: 0.3.1
nano: 4.9.2
Number of packages to be installed: 3
The process will require 3 MiB more space.
690 KiB to be downloaded.
Proceed with this action? [y/N]: y
[nextcloud] [1/3] Fetching nano-4.9.2.txz: 100% 522 KiB 534.7kB/s 00:01
[nextcloud] [2/3] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.8kB/s 00:01
[nextcloud] [3/3] Fetching gettext-runtime-0.20.2.txz: 100% 162 KiB 166.0kB/s 00:01
Checking integrity... done (0 conflicting)
[nextcloud] [1/3] Installing indexinfo-0.3.1...
[nextcloud] [1/3] Extracting indexinfo-0.3.1: 100%
[nextcloud] [2/3] Installing gettext-runtime-0.20.2...
[nextcloud] [2/3] Extracting gettext-runtime-0.20.2: 100%
[nextcloud] [3/3] Installing nano-4.9.2...
[nextcloud] [3/3] Extracting nano-4.9.2: 100%
root@nextcloud:~ # pkg install wget ca_root_nss
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 4 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
ca_root_nss: 3.54
libidn2: 2.3.0_1
libunistring: 0.9.10_1
wget: 1.20.3
Number of packages to be installed: 4
The process will require 7 MiB more space.
2 MiB to be downloaded.
Message from ca_root_nss-3.54:
--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
New packages to be INSTALLED:
apache24: 2.4.43
apr: 1.7.0.1.6.1_1
db5: 5.3.28_7
expat: 2.2.8
gdbm: 1.18.1_1
libnghttp2: 1.41.0
libxml2: 2.9.10
pcre: 8.44
perl5: 5.30.3
readline: 8.0.4
Number of packages to be installed: 10
The process will require 151 MiB more space.
35 MiB to be downloaded.
Message from perl5-5.30.3:
--
The /usr/bin/perl symlink has been removed starting with Perl 5.20.
For shebangs, you should either use:
#!/usr/local/bin/perl
or
#!/usr/bin/env perl
Message from apr-1.7.0.1.6.1_1:
Message from apache24-2.4.43:
--
To run apache www server from startup, add apache24_enable="yes"
in your /etc/rc.conf. Extra options can be found in startup script.
Your hostname must be resolvable using at least 1 mechanism in
/etc/nsswitch.conf typically DNS or /etc/hosts or apache might
have issues starting depending on the modules you are using.
apache24 default build changed from static MPM to modular MPM
more modules are now enabled per default in the port
icons and error pages moved from WWWDIR to DATADIR
If build with modular MPM and no MPM is activated in
httpd.conf, then mpm_prefork will be activated as default
MPM in etc/apache24/modules.d to keep compatibility with
existing php/perl/python modules!
Please compare the existing httpd.conf with httpd.conf.sample
and merge missing modules/instructions into httpd.conf!
root@nextcloud:~ # sysrc apache24_enable=yes
apache24_enable: -> yes
root@nextcloud:~ # service apache24 start
Performing sanity check on apache24 configuration:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Starting apache24.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
root@nextcloud:~ # pkg install mariadb104-server
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 10 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
bash: 5.0.17
boost-libs: 1.72.0_2
galera26: 26.4.5
icu: 67.1,1
libedit: 3.1.20191231,1
libiconv: 1.16
mariadb104-client: 10.4.13_4
mariadb104-server: 10.4.13_4
rsync: 3.1.3_1
unixODBC: 2.3.7
Number of packages to be installed: 10
The process will require 481 MiB more space.
60 MiB to be downloaded.
Message from boost-libs-1.72.0_2:
--
You have built the Boost library with thread support.
Message from mariadb104-client-10.4.13_4:
--
MariaDB respects hier(7) and doesn't check /etc and /etc/mysql for
my.cnf. Please move existing my.cnf files from those paths to
/usr/local/etc/mysql or /usr/local/etc. Sample
configuration files are provided in /usr/local/etc/mysql
and /usr/local/etc/mysql/conf.d.
Message from galera26-26.4.5:
Message from mariadb104-server-10.4.13_4:
--
MariaDB respects hier(7) and doesn't check /etc and /etc/mysql for
my.cnf. Please move existing my.cnf files from those paths to
/usr/local/etc/mysql or /usr/local/etc. Sample
configuration files are provided in /usr/local/etc/mysql
and /usr/local/etc/mysql/conf.d.
This port does NOT include the mytop perl script, this is included in
the MariaDB tarball but the most recent version can be found in the
databases/mytop port
root@nextcloud:~ # sysrc mysql_enable=yes
mysql_enable: -> yes
root@nextcloud:~ # nano /usr/local/etc/mysql/my.cnf
GNU nano 4.9.2 /usr/local/etc/mysql/my.cnf
[client-server]
port = 3306
socket = /tmp/mysql.sock
!includedir /usr/local/etc/mysql/conf.d/
root@nextcloud:~ # service mysql-server start
Installing MariaDB/MySQL system tables in '/var/db/mysql' ...
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
Two all-privilege accounts were created.
One is root@localhost, it has no password, but you need to
be system 'root' user to connect. Use, for example, sudo mysql
The second is mysql@localhost, it has no password either, but
you need to be the system 'mysql' user to connect.
After connecting you can set the password, if you would need to be
able to connect as any of these users with a password and without sudo
See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.
You can start the MariaDB daemon with:
cd '/usr/local' ; /usr/local/bin/mysqld_safe --datadir='/var/db/mysql'
You can test the MariaDB daemon with mysql-test-run.pl
cd '/usr/local/mysql-test' ; perl mysql-test-run.pl
Please report any problems at http://mariadb.org/jira
The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/
Starting mysql.
root@nextcloud:~ # mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
Enter current password for root (enter for none):
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysql/mysql.sock' (2)
Enter current password for root (enter for none):
The guide states:
If you're using Windows, you'll need to use PuTTy or Cygwin. Refer to the guide linked above for more detail.
This is not true. Windows has had OpenSSH built in for years now. You can open PowerShell or CMD and type ssh user@IP to ssh into FreeNAS. I have been using that to ssh into everything for at least 2 years now.
If you are feeling fancy you can even use 'Windows Terminal'.
https://github.com/Microsoft/Terminal
Previous versions of FreeNAS did not require the destination directory to exist. Newer versions do. This could be fixed with the addition of commands similar to the following:
$ iocage exec nextcloud mkdir data
A user commented:
You can set an app password under security at accounts.google.com. I just tested and it works. So no need to enable less secure access or turn off 2-step verification.
Investigate this and update the guide if this works successfully
Make sure that the reverse proxy is added to the trusted_proxies directive in config.php:
  'trusted_proxies' =>
    array (
      0 => 'REVERSE_PROXY_IP',
    ),
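As an added illustration (not part of this issue, the guide, or Nextcloud's own code), a small shell model of why this setting matters: a forwarded client address is honoured only when the connecting peer is a listed trusted proxy, so with the proxy missing from trusted_proxies every request appears to come from the proxy's own address, which is then what the per-IP brute-force throttling and the access logs see. The addresses are constructed, and taking the first entry of the X-Forwarded-For chain is this model's assumption.

```shell
#!/bin/sh
# Added example: a simplified model of trusted_proxies handling, not
# Nextcloud's code.  Forwarded-for headers are honoured only when the TCP
# peer (REMOTE_ADDR) is one of the configured trusted proxies.
set -eu

# Minimal IPv4 syntax check (the model ignores IPv6).
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  n=0
  oldifs=$IFS; IFS=.
  for octet in $1; do
    n=$((n + 1))
    [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

# effective_client_ip REMOTE_ADDR X_FORWARDED_FOR TRUSTED_PROXIES
# TRUSTED_PROXIES is a space-separated list (what the config.php array holds).
effective_client_ip() {
  remote=$1 xff=$2 trusted=$3
  for proxy in $trusted; do
    if [ "$proxy" = "$remote" ]; then
      # Peer is a trusted proxy: use the first forwarded address (model assumption).
      first=$(printf '%s' "$xff" | cut -d, -f1 | tr -d ' ')
      if is_ipv4 "$first"; then
        printf '%s\n' "$first"
        return 0
      fi
    fi
  done
  # Peer is not trusted (or the header is unusable): the peer itself is the client.
  printf '%s\n' "$remote"
}

# Constructed demo: the reverse proxy 192.168.1.10 forwards a request
# from client 203.0.113.7.  Only the second configuration identifies the client.
demo() {
  echo "trusted_proxies empty:        $(effective_client_ip 192.168.1.10 203.0.113.7 '')"
  echo "trusted_proxies 192.168.1.10: $(effective_client_ip 192.168.1.10 203.0.113.7 192.168.1.10)"
}
demo
```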
modify the current cron entry for the www user to be:
*/5 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php
I was thinking about how to combine FreeBSD jailing with an effective DMZ. If your server hardware has a separate network interface, you could disable VNET for your jail, assign the separate interface, and run a separate cable to your router.
I'm not an expert on firewall rules, so I'm not sure how you would give your LAN access in that scenario...
Would you be willing to rewrite the article you did on Nextcloud & FreeNAS, now that TrueNAS Core is out?
I have followed your steps repeatedly and get different errors every time :/
It is a GREAT write-up; I'm just hoping you would be willing to find the time to update it.
Thank you so much! Keep up the great work!
The GUI has changed since the screenshots were taken. For example, 'Full Name' and 'Username' have switched positions when adding a user. Likewise, 'Enable password login' has changed to 'Disable Password'. This means the guide tells you to select 'No' when you should select 'Yes'. I can see people not noticing this and causing themselves a minor inconvenience.
At first, I followed the guide exactly as written, other than the file path changes for fstab, but I got the error message in the title. To test, I shortened the process to the following and I still get the error.
This is on FreeNAS-11.3-U3.2, and I also tried switching the repo to latest, with the same error. I also tried mariadb103-server, with the same error.
iocage create -r 11.3-RELEASE -n tst dhcp=on
iocage start tst
iocage console tst
pkg update
pkg install -y nano wget ca_root_nss apache24 mariadb104-server
sysrc apache24_enable=yes
service apache24 start
sysrc mysql_enable=yes
service mysql-server start
mysql_secure_installation
I get...
Starting mysql.
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
Enter current password for root (enter for none): I-PRESS-ENTER
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
Enter current password for root (enter for none):
I am not having any luck with researching this error other than people saying to re-install mysql.
MariaDB defaults the mysql socket location to /var/run/mysql/mysql.sock. This is a departure from the previous default of /tmp/mysql.sock. Update the instructions to reflect this new default path. Remove the --socket flag used for mysql_secure_installation. Relates to #11
Ordered list on line 25 is missing a blank line between it and the preceding paragraph; this renders inline rather than as an ordered list.
Based on the comments of Stephen David:
I followed all the steps above in FreeNAS 11.3, with nextcloud-7.2. Once everything was set up, I could not log in using the web app. This gives a 401 error when trying to grant access.
The Apache server configuration was missing mod_rewrite, which is needed to pass the authentication through for the WebDAV basic auth, as per this link: https://help.nextcloud.com/t/client-login-fails-with-401/29378/7
steps required:
nano /usr/local/etc/apache24/httpd.conf
find rewrite_module and uncomment the line: LoadModule rewrite_module libexec/apache24/mod_rewrite.so
return to modify your virtual host file
cd /usr/local/etc/apache24/Includes
Add the following lines into the virtual host; it should look something like this (note, I've changed my php-fpm to use a socket):
<VirtualHost *:80>
  DocumentRoot "/usr/local/www/nextcloud"
  ServerName IP
  <FilesMatch \.php$>
    SetHandler "proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/"
  </FilesMatch>
  DirectoryIndex /index.php index.php
  RewriteEngine On
  RewriteCond %{HTTP:Authorization} ^(.*)
  RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
</VirtualHost>
Boom, the web app should work and you'll be able to log in from the application. From reading over the comment thread, the basic authentication was not being passed through, leading to the 401 error.
Taken from KevDog's post:
I'd like to document the process I've used to upgrade php72 to php74 in place. For reference, my FreeNAS installation runs 11.3-U2-1. My iocage jails had been updated to an 11.3 base. The pkg repo was updated to the latest release and not the quarterly release (this step was documented above).
Preparation
– Make sure you create a snapshot of the iocage nextcloud jail and a snapshot of the datasets used by Nextcloud (i.e. the jailhouse tree) in case something goes wrong
– Additionally, save a copy of /usr/local/www/nextcloud/config/config.php in case something goes wrong
– Put Nextcloud in maintenance mode: sudo -u www php occ maintenance:mode --on
Pkg Install
– sudo pkg install nextcloud-php74-18.0.3
You'll be presented with a list of all the conflicting files between 7.2 and 7.4. Make a note of which php packages are in the 7.2 list but not in the 7.4 list. You'll need to install these manually.
I let the installation complete.
I then had to manually install the following packages (based on the step above):
sudo pkg install php74-pcntl php74-pecl-imagick php74-pecl-redis php74-phar php74-tokenizer
The only package that didn't have a match was php72-wddx. There was no corresponding php74 version.
Change ownership of the /usr/local/www/nextcloud directory
sudo chown -R www:www /usr/local/www/nextcloud
Take Nextcloud out of maintenance mode
sudo -u www php occ maintenance:mode --off
Potential problems – complete this step only if this problem occurs for you
Prior to upgrading I was running nextcloud php72-18.0.4.2, and this process installed php74-18.0.3.0. On accessing Nextcloud either through the browser or through sudo -u www php occ status, I was receiving the error: Downgrading is not supported and is likely to cause unpredictable issues (the installation downgraded my 18.0.4.2 version to 18.0.3.0).
For a workaround:
As root, edit /usr/local/etc/nextcloud/config/config.php and look for the version line; change it to look like the following:
'version' => '18.0.3.0',
Perform a manual upgrade on command line:
sudo -u www php occ upgrade
The above command should restore the latest Nextcloud version.
Verify php7.4 is now being used (optional)
– At the command line: php --version
– From the browser: create an info.php file and place it inside your Nextcloud root directory (/usr/local/www/nextcloud)
The contents of info.php are:
Browse to your Nextcloud domain, for example nextcloud.example.com/info.php. This should display the php version as well.
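The manual "note which 7.2 packages are not in the 7.4 list" step above is easy to get wrong, so here is an added shell script (not KevDog's or the guide's code) that derives the php74 names from the installed php72 packages, reinstalls the extensions the nextcloud-php74 metaport did not pull in, and reports those with no php74 counterpart at all (php72-wddx in the post). It assumes it runs as root inside the jail after the host-side snapshot; paths, package names and the 18.0.3 target are the post's, and the pure helpers can be checked without pkg present.

```shell
#!/bin/sh
# Added example, not from the post or the guide: automates the manual
# "compare the php72 and php74 package lists" step of the in-place upgrade.
# Run as root inside the nextcloud jail after snapshotting the jail on the host.
set -eu

NC_ROOT=/usr/local/www/nextcloud   # Nextcloud root used throughout the guide
OLD=php72
NEW=php74

# Pure helpers (no pkg calls) so the mapping logic can be checked offline.

# stdin: php72 package names without versions -> stdout: php74 counterparts.
php74_names() {
  sed -e "s/^${OLD}-/${NEW}-/" -e "s/^${OLD}\$/${NEW}/"
}

# Print the php72 packages whose php74 counterpart is not in the available list.
# $1 = installed php72 names, $2 = available php74 names, newline separated.
missing_counterparts() {
  printf '%s\n' "$1" | while IFS= read -r old; do
    [ -n "$old" ] || continue
    new=$(printf '%s\n' "$old" | php74_names)
    printf '%s\n' "$2" | grep -qxF -- "$new" || printf '%s\n' "$old"
  done
}

# Live procedure mirroring the post's steps; only runs with `sh upgrade.sh run`.
upgrade_php() {
  cp "$NC_ROOT/config/config.php" /root/config.php.bak     # keep a copy first
  su -m www -c "php $NC_ROOT/occ maintenance:mode --on"

  # Strip the comment column and the version suffix from `pkg info` output.
  installed=$(pkg info -x "^${OLD}(-|\$)" | sed -e 's/ .*//' -e 's/-[^-]*$//')
  available=$(pkg rquery -x '%n' "^${NEW}(-|\$)")   # php74 packages in the repo

  pkg install -y "nextcloud-${NEW}-18.0.3"   # replaces the php72 base set

  # Reinstall every extension the metaport did not bring along ...
  for old in $installed; do
    new=$(printf '%s\n' "$old" | php74_names)
    if printf '%s\n' "$available" | grep -qxF -- "$new" && ! pkg info -e "$new"; then
      pkg install -y "$new"
    fi
  done
  # ... and report the ones with no php74 equivalent (php72-wddx in the post).
  missing_counterparts "$installed" "$available" |
    sed 's/^/no php74 counterpart for: /' >&2

  chown -R www:www "$NC_ROOT"
  su -m www -c "php $NC_ROOT/occ maintenance:mode --off"
}

if [ "${1:-}" = "run" ]; then upgrade_php; fi
```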
According to:
https://wiki.freebsd.org/MariaDB
One should run:
pkg search mariadb | grep server
and pick from one of the available versions to install.
I tried several variations of this:
iocage create -n nextcloud -r 13.0-U6.1-RELEASE ip4_addr="vnet0|192.168.1.100/24" defaultrouter="192.168.1.1" vnet="on" allow_raw_sockets="1" boot="on"
but always get the same error:
"13.0-U6.1-RELEASE was not found!"
Add the following params to php.ini:
max_execution_time = 300
max_input_time = 300
This worked in unison with changes suggested in samuel-emrys-blogs/nginx-reverse-proxy#4
A user has reported that the following command:
$ su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'
causes an internal server error. This may be related to changes present in Nextcloud 20.0.0. Attempt to replicate this, investigate why it is occurring, and update the guide to reflect any findings.