Owncloud 10.0 on CentOS 7

FirewallD

#yum install policycoreutils-python
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

MySQL(MariaDB)

yum install mariadb-server mariadb

systemctl enable mariadb
systemctl start mariadb

mysql_secure_installation

mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* to 'ownclouduser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
quit

HTTPS

mkdir /etc/ssl/nginx/
restorecon -Rv /etc/ssl/nginx/

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/drive.domain.com.crt -keyout /etc/ssl/nginx/drive.domain.com.key -subj "/CN=drive.domain.com"
openssl dhparam -out /etc/ssl/nginx/dh4096.pem 4096

Nginx

yum install epel-release
yum install nginx

systemctl enable nginx
systemctl start nginx

vi /etc/nginx/conf.d/drive.domain.com.conf
upstream php-handler {
    #server 127.0.0.1:9000;
    # Depending on your used PHP version
    #server unix:/var/run/php5-fpm.sock;
    #server unix:/var/run/php7-fpm.sock;
    server unix:/var/run/php-fpm/php-fpm.sock;
}

server {
    listen 80;
    server_name drive.domain.com www.drive.domain.com;

    # For Lets Encrypt, this needs to be served via HTTP
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html; # Specify here where the challenge file is placed
    }

    # enforce https
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name drive.domain.com www.drive.domain.com;

    ssl_certificate /etc/ssl/nginx/drive.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/drive.domain.com.key;

    # Example SSL/TLS configuration. Please read into the manual of
    # nginx before applying these.
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_dhparam /etc/ssl/nginx/dh4096.pem;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    70;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this topic first.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/html;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 16400M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    # Enabling gzip would also make your server vulnerable to BREACH
    # if no additional measures are done. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        return 404;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        return 404;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot https://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_param front_controller_active true;
        fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off; #Available since NGINX 1.7.11
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "max-age=15778463";
        # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into this topic first.
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map)$ {
        add_header Cache-Control "public, max-age=7200";
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

systemctl restart nginx

PHP

yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm

#yum-config-manager --enable remi-php71
#yum --enablerepo=remi-php71 install php-fpm php-cli php-gd php-mcrypt php-mysql php-pear php-xml php-mbstring php-pdo php-json

vi /etc/yum.repos.d/remi-php71.repo
[remi-php71]
enabled=1

yum install php-fpm php-cli php-gd php-mcrypt php-mysqlnd php-pear php-xml php-mbstring php-pdo php-json php-pecl-zip php-intl

php --version

vi /etc/php.ini
cgi.fix_pathinfo=0

vi /etc/php-fpm.d/www.conf
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
group = nginx
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

systemctl enable php-fpm
systemctl start php-fpm

vi /usr/share/nginx/html/info.php
<? php phpinfo(); ?>

Owncload download and install

wget https://download.owncloud.org/community/owncloud-10.0.3.tar.bz2
tar jxvf owncloud-10.0.3.tar.bz2
mv owncloud/* /usr/share/nginx/html/
chown -R nginx:nginx /usr/share/nginx/html/

semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/data'
restorecon '/usr/share/nginx/html/data'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/config'
restorecon '/usr/share/nginx/html/config'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/apps'
restorecon '/usr/share/nginx/html/apps'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/assets'
restorecon '/usr/share/nginx/html/assets'

chown -R nginx:nginx /var/lib/php/session

Caching

APCu

yum install php-devel
yum groupinstall "Development Tools"
pecl install apcu

cat < /etc/php.d/20-apcu.ini
; APCu php extension
extension=apcu.so
EOF
vi /usr/share/nginx/html/config/config.php
'memcache.local' => '\OC\Memcache\APCu',

Redis

yum install centos-release-scl-rh
yum install rh-redis32-redis

pecl install redis

chown -R redis:redis /var/run/redis/
semanage fcontext -a -t redis_var_run_t '/var/run/redis(/.*)?'
restorecon -Rv /run/redis/

vi /etc/opt/rh/rh-redis32/redis.conf
unixsocket /var/run/redis/redis.sock
unixsocketperm 700

systemctl start rh-redis32-redis
systemctl enable rh-redis32-redis

yum install net-tools
ps ax | grep redis
netstat -tlnp | grep redis
cat < /etc/php.d/20-redis.ini
; Redis php extension
extension=redis.so
EOF
vi /usr/share/nginx/html/config/config.php
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
     'host' => '/var/run/redis/redis.sock',
     'port' => 0,
],

usermod -a -G redis nginx

Additional SELinux configuration

setsebool -P daemons_enable_cluster_mode 1

semodule -l | grep my-redisserver
ausearch -c 'redis-server' --raw | audit2allow -M my-redisserver
semodule -i my-redisserver.pp
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
semodule -i my-phpfpm.pp
ausearch -c 'nginx' --raw | audit2allow -M my-nginx
semodule -i my-nginx.pp

setsebool -P httpd_can_sendmail=1

systemctl restart php-fpm nginx; systemctl status php-fpm nginx

crontab -u nginx -e
*/15  *  *  *  * /usr/bin/php -f /usr/share/nginx/html/cron.php

yum install samba-client nfs-utils

Links:
https://www.howtoforge.com/tutorial/owncloud-centos-install/
https://tecadmin.net/install-owncloud-on-centos/
https://doc.owncloud.org/server/10.0/admin_manual
https://www.simplehelix.com/blog/uncategorized/installing-and-configuring-nginx-php-fpm-mariadb-on-centos-7/
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-upgrade-to-php-7-on-centos-7
https://stackoverflow.com/questions/6628275/how-to-get-my-session-to-write-to-apache
https://github.com/owncloud/core/issues/25927#issuecomment-262703655
https://doc.owncloud.org/server/9.1/admin_manual/installation/selinux_configuration.html#troubleshooting
https://doc.owncloud.org/server/10.0/admin_manual/configuration/server/caching_configuration.html#redis-label
https://help.nextcloud.com/t/install-nextcloud-into-root-directory-of-my-domain/2513?page=2
https://github.com/nrk/predis/issues/277
https://doc.owncloud.org/server/latest/admin_manual/installation/nginx_configuration.html#example-configurations

Leave a comment

You must be logged in to post a comment.