Difference between revisions of "OwnCloud"

From ArchWiki
(Nginx + uwsgi_php alternative)
(Removed the "php-7.0.6 doesn't work with owncloud-9.0.1-1" part, as it's obsolete. Owncloud is at 9.0.2 at the time of deletion.)
 
(293 intermediate revisions by 78 users not shown)
Line 1: Line 1:
[[Category:Web Server]]
+
{{lowercase title}}
 +
[[Category:Web server]]
 
[[fr:Owncloud]]
 
[[fr:Owncloud]]
[http://en.wikipedia.org/wiki/OwnCloud ownCloud] is a software suite that provides a location-independent storage area for data (cloud storage).
+
[[ja:ownCloud]]
 +
{{Related articles start}}
 +
{{Related|LAMP}}
 +
{{Related|Nginx}}
 +
{{Related|OpenSSL}}
 +
{{Related|WebDAV}}
 +
{{Related articles end}}
 +
From [[Wikipedia:ownCloud|Wikipedia]]: "ownCloud is a software suite that provides a location-independent storage area for data (cloud storage)."
 +
The ownCloud installation and configuration mainly depends on what web server and database you decide to run. Currently the wiki discusses [[#Apache configuration|Apache configuration]] and [[#Nginx|Nginx configuration]].
 +
 
 +
== Prerequisites ==
 +
 
 +
''ownCloud'' needs a [[:Category:Web server|web server]], [[PHP]] and a [[:Category:Database_management_systems|database]]. For instance, a classic [[LAMP|LAMP stack]] should work fine and is the [https://doc.owncloud.org/server/8.2/admin_manual/installation/system_requirements.html#recommended-setup-for-running-owncloud recommended configuration].
  
 
== Installation ==
 
== Installation ==
{{AUR|owncloud}} is available in the [[AUR]].
 
#First of all set up the [[LAMP]] stack as described in the corresponding Wiki article.
 
#Install the {{AUR|owncloud}} package as described in [[AUR#Installing_packages]].
 
#Add the following lines into '''/etc/httpd/conf/httpd.conf''' (php5 should have been configured during the LAMP stack setup):
 
  Include /etc/httpd/conf/extra/owncloud.conf
 
  LoadModule php5_module modules/libphp5.so
 
  Include conf/extra/php5_module.conf
 
Uncomment extensions in '''/etc/php/php.ini'''
 
  gd.so
 
  xmlrpc.so
 
  zip.so
 
  iconv.so
 
Depending on which database backend you are going to use uncomment either one of the following extensions in '''/etc/php/php.ini'''
 
  sqlite.so
 
  sqlite3.so
 
  pdo_sqlite.so
 
OR
 
  mysql.so
 
  mysqli.so
 
  pdo_mysql.so
 
now [[Daemons#Restarting|restart]] httpd (Apache)
 
and open [http://localhost http://localhost] in your browser. You should now be able to create a user account and follow the installation wizard.
 
  
== Custom configurations ==
+
[[Install]] the {{Pkg|owncloud}} package.
  
=== Filesize Limitations ===
+
Uncomment the following [https://doc.owncloud.org/server/8.2/admin_manual/installation/source_installation.html#prerequisites required] extensions in {{ic|/etc/php/php.ini}}:
With the default configuration ownCloud only allows the upload of filesizes less than 2MB.
+
gd.so
This can be changed by changing the following line in '''/etc/php/php.ini''' to your liking.
+
iconv.so
 +
xmlrpc.so
 +
zip.so
  
'''As of version 4.0 this is no longer necessary! The maximum upload size is now set via the ownCloud gui'''
+
It is also [https://doc.owncloud.org/server/8.2/admin_manual/installation/source_installation.html#prerequisites recommended] to install {{Pkg|php-intl}}, {{Pkg|php-mcrypt}} and uncomment the following extensions:
  upload_max_filesize = 2M
+
bz2.so
 +
curl.so
 +
intl.so
 +
mcrypt.so
  
As of version 4.5, upload limits are set in '''/usr/share/webapps/owncloud/.htaccess'''. This won't work if [[LAMP#Using_php5_with_apache2-mpm-worker_and_mod_fcgid|PHP is set up to run as CGI]], so you need to change the limits in '''/etc/php/php.ini'''. You also need to change open_basedir.
+
==== Database support ====
  upload_max_filesize = 512M
+
  post_max_size = 512M
+
  memory_limit = 512M
+
  open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/
+
  
=== Running owncloud in a subdirectory ===
+
Depending on which database backend you are going to use, uncomment the following extensions in {{ic|/etc/php/php.ini}}:
 +
* For [[MySQL]], uncomment {{ic|pdo_mysql.so}}.
 +
* For [[PostgreSQL]], uncomment {{ic|pdo_pgsql.so}} and {{ic|pgsql.so}}, and install {{Pkg|php-pgsql}}.
 +
* For [[SQLite]], uncomment {{ic|pdo_sqlite.so}} and {{ic|sqlite3.so}}, and install {{Pkg|php-sqlite}}.
  
By including the default '''owncloud.conf''' in '''httpd.conf''', owncloud will take control of port 80 and your localhost domain. If you would like to have owncloud run in a subdirectory, then skip the 'Include /etc/httpd/conf/extra/owncloud.conf' line altogether and just use a symbolic link like so:
+
==== Caching ====
ln -s /usr/share/webapps/owncloud/ /srv/http/
+
  
== Filling ownCloud with data ==
+
For enhanced performance, it is recommended to implement PHP caching using APCu, as described in [[PHP#APCu]]. It is also beneficial to enable OPCache, as described in [[PHP#OPCache]].
=== Small Files ===
+
Always use [[WebDAV]] or the web interface to add new files to your ownCloud. Otherwise they will not show up correctly, as they do not get indexed right.
+
  
Consider installing and enabling php-apc to speed up WebDAV.
+
Then, after enabling APCu, add the following directive to {{ic|/etc/webapps/owncloud/config/config.php}}:
 +
'memcache.local' => '\OC\Memcache\APCu',
  
When using [[SABnzbd]], you might want to set
+
{{Note|Make sure to add {{ic|1=apc.enable_cli=1}} under the {{ic|[apc]}} portion of your [[PHP#Configuration|PHP configuration]] and uncomment {{ic|1=extension=apcu.so}} in {{ic|/etc/php/conf.d/apcu.ini}}. As of 2015-07-12, [https://github.com/owncloud/core/issues/17329#issuecomment-119248944 several] [https://github.com/owncloud/documentation/issues/1233#issuecomment-120664134 things] won't work properly without it.}}
folder_rename 0
+
in your sabnzbd.ini file, because ownCloud will scan the files as soon as they get uploaded, preventing SABnzbd from removing UNPACKING prefixes etc.
+
  
=== Big Files ===
+
See [https://doc.owncloud.org/server/8.1/admin_manual/configuration_server/config_sample_php_parameters.html#memory-caching-backend-configuration the official documentation].
WebDAV isn't suitable for big files, because it fills up all the RAM and CPU.
+
  
With the current version, it looks like, there is no good way of copying huge amounts of data to your ownCloud.
+
==== Exif support ====
 +
Additionally enable exif support by installing the {{Pkg|exiv2}} package and uncommenting the {{ic|exif.so}} extension in {{ic|php.ini}}.
  
 +
==== Setting strong permissions ====
  
Here's a Workaround:
+
From the [https://doc.owncloud.org/server/8.2/admin_manual/installation/installation_wizard.html#setting-strong-directory-permissions official installation manual]:
 +
:''For hardened security we recommend setting the permissions on your ownCloud directories as strictly as possible, and for proper server operations. This should be done immediately after the initial installation and before running the setup. Your HTTP user must own the {{ic|config/}}, {{ic|data/}} and {{ic|apps/}} directories so that you can configure ownCloud, create, modify and delete your data files, and install apps via the ownCloud Web interface.''
  
copy the files directly to your ownCloud and do a full re-scan of your database (you could use the [http://apps.owncloud.com/content/show.php?content=151948&forumpage=0&PHPSESSID=37b915160effcc0f37cc761ad2ab88be Re-scan filesystem] add-on for example).
+
{{hc|oc-perms|2=<nowiki>
 +
#!/bin/bash
 +
ocpath='/usr/share/webapps/owncloud'
 +
htuser='http'
 +
htgroup='http'
 +
rootuser='root'
  
 +
printf "Creating possible missing Directories\n"
 +
mkdir -p $ocpath/data
 +
mkdir -p $ocpath/assets
  
But beware that this will not work as easily in the future, when end-to-end encryption gets added to ownCloud (this is a planned feature).
+
printf "chmod Files and Directories\n"
 +
find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
 +
find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750
  
== Important Notes ==
+
printf "chown Directories\n"
* When using a subdomain (like cloud.example.xxx), make sure it is covered by your certificate. Otherwise, connection via the owncloud client or webdav might fail.
+
chown -R ${rootuser}:${htgroup} ${ocpath}/
 +
chown -R ${htuser}:${htgroup} ${ocpath}/apps/
 +
chown -R ${htuser}:${htgroup} ${ocpath}/config/
 +
chown -R ${htuser}:${htgroup} ${ocpath}/data/
 +
chown -R ${htuser}:${htgroup} ${ocpath}/themes/
 +
chown -R ${htuser}:${htgroup} ${ocpath}/assets/
  
* If you are planning on using OwnCloud's [http://owncloud.org/sync-clients/ sync-clients], make sure to have [[Network_Time_Protocol_daemon|NTP]] installed and running on your OwnCloud server, otherwise the sync-clients will fail.
+
chmod +x ${ocpath}/occ
  
* Add some [[LAMP#SSL|SSL encryption]] to your connection!
+
printf "chmod/chown .htaccess\n"
 +
if [ -f ${ocpath}/.htaccess ]
 +
then
 +
  chmod 0644 ${ocpath}/.htaccess
 +
  chown ${rootuser}:${htgroup} ${ocpath}/.htaccess
 +
fi
 +
if [ -f ${ocpath}/data/.htaccess ]
 +
then
 +
  chmod 0644 ${ocpath}/data/.htaccess
 +
  chown ${rootuser}:${htgroup} ${ocpath}/data/.htaccess
 +
fi
 +
</nowiki>}}
  
== Nginx + uwsgi_php alternative ==
+
If you have customized your ownCloud installation and your filepaths are different than the standard installation, then modify this script accordingly.
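Review bot: the `${ocpath}` expansions in the `mkdir -p`, `find`, `chown -R` and `[ -f ... ]` lines of oc-perms are unquoted, while the sentence after the script tells readers to change the paths for customized installations. A custom path containing a space would be word-split, and the recursive `chmod`/`chown -R` calls would then act on the wrong directories as root. Suggest quoting every expansion, e.g. `chown -R "${htuser}:${htgroup}" "${ocpath}/apps/"`, and exiting early if `"$ocpath"` is not an existing directory.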
  
You can avoid the use of Apache, and run owncloud in it's own process by using the [https://aur.archlinux.org/packages.php?ID=63798 wsgi_php] application server. uWSGI itself has a wealth of features to limit the resource use, and to harden the security of the application, and by being a separate process it can run under its own user.
+
=== An all-in-one alternative with Docker ===
  
The nginx config is:
+
A quicker alternative to installing and configuring your own ''ownCloud'' is to use a 3rd party supported [[Docker]] image. You can find several images of fully working LAMP stack with pre-installed ''ownCloud'' in the [https://index.docker.io/search?q=ownCloud Docker repositories]. ''Docker'' containers are generally safer than a [[chroot]] environment and the overhead is very low; ''ownCloud'' in Docker works smoothly even on quite old machines. The whole setup including installing ''Docker'' and ''ownCloud'' image is considerably easier and quicker than a native installation but you must trust the 3rd party whom you've now given complete control to regarding the installation of your ownCloud instance.
<pre>
+
{{Note|Docker images are not officially supported by ownCloud.}}
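Review bot: the sentence "''Docker'' containers are generally safer than a [[chroot]] environment" in the Docker paragraph is stated without a source and sits next to the statement that the third party gets complete control over the instance, which is the more relevant risk for an image pulled from an unfiltered search link. Suggest dropping the comparative claim or linking to where it is argued, and moving the trust caveat into the existing Note so it is not buried at the end of the paragraph.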
#this is to avoid Request Entity Too Large error
+
 
client_max_body_size 1000M;
+
== Apache configuration ==
# deny access to some special files
+
{{Note|Make sure PHP is enabled, as described in [[Apache HTTP Server#PHP]].}}
location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
+
 
 +
Copy the Apache configuration file to its configuration directory:
 +
# cp /etc/webapps/owncloud/apache.example.conf /etc/httpd/conf/extra/owncloud.conf
 +
 
 +
And include it at the bottom of {{ic|/etc/httpd/conf/httpd.conf}}:
 +
Include conf/extra/owncloud.conf
 +
 
 +
Now restart Apache ({{ic|httpd.service}}).
 +
 
 +
Open http://localhost/owncloud in your browser. You should now be able to create a user account and follow the installation wizard.
 +
 
 +
{{Note|Moving your data folder to another location might conflict with the open_basedir option set in the default apache configuration file.}}
 +
 
 +
==== WebDAV ====
 +
ownCloud comes with its own [[WebDAV]] implementation enabled, which may conflict with the one shipped with Apache. If you have enabled WebDAV (not enabled by default with Apache), disable {{ic|mod_dav}} and {{ic|mod_dav_fs}} in {{ic|/etc/httpd/conf/httpd.conf}}. See https://forum.owncloud.org/viewtopic.php?f=17&t=7240 for details.
 +
 
 +
==== Running ownCloud in a subdirectory ====
 +
 
 +
By including the default {{ic|owncloud.conf}} in {{ic|httpd.conf}}, ownCloud will take control of port 80 and your localhost domain.
 +
 
 +
If you would like to have ownCloud run in a subdirectory, then edit the {{ic|/etc/httpd/conf/extra/owncloud.conf}} you included and comment out the {{ic|<nowiki><VirtualHost *:80> ... </VirtualHost></nowiki>}} part of the include file.
 +
 
 +
== Nginx ==
 +
 
 +
=== php-fpm configuration ===
 +
 
 +
''ownCloud'' official documentation uses {{Pkg|php-fpm}} for [[PHP]] and as such it is the best supported configuration. See [[Nginx#PHP implementation]] to set up ''php-fpm'' and [[Nginx#TLS/SSL]] to acquire and/or set up a TLS certificate.
 +
 
 +
By default, the only things you need to change from the [https://doc.owncloud.org/server/9.0/admin_manual/installation/nginx_configuration.html recommended server configuration] for ownCloud to run on Arch Linux are the {{ic|server_name}}, {{ic|ssl_certificate}}, {{ic|ssl_certificate_key}}, {{ic|root}} and {{ic|fastcgi_pass}} directives:
 +
 
 +
{{hc|/etc/nginx/nginx.conf|<nowiki>
 +
server {
 +
  listen 80;
 +
  server_name cloud.example.com;
 +
  # enforce https
 +
  return 301 https://$server_name$request_uri;
 +
}
 +
 
 +
server {
 +
  listen 443 ssl;
 +
  server_name cloud.example.com;
 +
 
 +
  ssl_certificate /path/to/domain-cert.crt;
 +
  ssl_certificate_key /path/to/private-key.key;
 +
 
 +
  # Add headers to serve security related headers
 +
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 +
  add_header X-Content-Type-Options nosniff;
 +
  add_header X-Frame-Options "SAMEORIGIN";
 +
  add_header X-XSS-Protection "1; mode=block";
 +
  add_header X-Robots-Tag none;
 +
  add_header X-Download-Options noopen;
 +
  add_header X-Permitted-Cross-Domain-Policies none;
 +
 
 +
  # Path to the root of your installation
 +
  root /usr/share/webapps/owncloud/;
 +
  # set max upload size
 +
  client_max_body_size 10G;
 +
  fastcgi_buffers 64 4K;
 +
 
 +
  # Disable gzip to avoid the removal of the ETag header
 +
  gzip off;
 +
 
 +
  # Uncomment if your server is build with the ngx_pagespeed module
 +
  # This module is currently not supported.
 +
  #pagespeed off;
 +
 
 +
  index index.php;
 +
  error_page 403 /core/templates/403.php;
 +
  error_page 404 /core/templates/404.php;
 +
 
 +
  rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
 +
  rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
 +
 
 +
  # The following 2 rules are only needed for the user_webfinger app.
 +
  # Uncomment it if you're planning to use this app.
 +
  #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
 +
  #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
 +
 
 +
  location = /robots.txt {
 +
    allow all;
 +
    log_not_found off;
 +
    access_log off;
 +
  }
 +
 
 +
  location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
 
     deny all;
 
     deny all;
 +
  }
 +
 +
  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
 +
    deny all;
 +
  }
 +
 +
  location / {
 +
    rewrite ^/remote/(.*) /remote.php last;
 +
    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
 +
    try_files $uri $uri/ =404;
 +
  }
 +
 +
  location ~ \.php(?:$|/) {
 +
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
 +
    include fastcgi_params;
 +
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 +
    fastcgi_param PATH_INFO $fastcgi_path_info;
 +
    fastcgi_param HTTPS on;
 +
    fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
 +
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
 +
    fastcgi_intercept_errors on;
 +
  }
 +
 +
  # Adding the cache control header for js and css files
 +
  # Make sure it is BELOW the location ~ \.php(?:$|/) { block
 +
  location ~* \.(?:css|js)$ {
 +
    add_header Cache-Control "public, max-age=7200";
 +
    # Add headers to serve security related headers
 +
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 +
    add_header X-Content-Type-Options nosniff;
 +
    add_header X-Frame-Options "SAMEORIGIN";
 +
    add_header X-XSS-Protection "1; mode=block";
 +
    add_header X-Robots-Tag none;
 +
    add_header X-Download-Options noopen;
 +
    add_header X-Permitted-Cross-Domain-Policies none;
 +
    # Optional: Don't log access to assets
 +
    access_log off;
 +
  }
 +
 +
  # Optional: Don't log access to other assets
 +
  location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
 +
    access_log off;
 +
  }
 
}
 
}
# pass all .php or .php/path urls to uWSGI
+
</nowiki>}}
location ~ ^(.+\.php)(.*)$ {
+
 
 +
''php-fpm'' is already configured to run as the user {{ic|http}}, so assuming you are using the permissions described above it should function fine. It is not recommended to manually copy the {{ic|config.example.php}} in the ownCloud configuration, and instead let it be automatically generated on first run.
 +
 
 +
{{Note|Automatic configuration relies on the {{ic|data/}} directory creation, as done in [[#Setting strong permissions]].}}
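Review bot: both `add_header Strict-Transport-Security` lines in the nginx sample carry `includeSubDomains; preload;`, and readers will paste the block unchanged under their own `server_name`. `includeSubDomains` forces HTTPS on every subdomain of that host for the full `max-age=15768000`, and `preload` signals consent to inclusion in browser preload lists, so neither is a safe default for a copy-paste sample. Suggest shipping `max-age=15768000` alone with a comment on when to add the other two. A comment would also help in the `location ~* \.(?:css|js)$` block: the security headers are repeated there because an `add_header` in a location stops inheritance of the server-level ones, and without that explanation someone will deduplicate them.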
 +
 
 +
=== uWSGI configuration ===
 +
 
 +
You can run ''ownCloud'' in its own process and service by using the [[Uwsgi|uWSGI]] application server with {{pkg|uwsgi-plugin-php}}. This allows you to define a [[PHP#Configuration|PHP  configuration]] only for this instance of PHP, without the need to edit the global {{ic|php.ini}} and thus keeping your web application configurations compartmentalized. ''uWSGI'' itself has a wealth of features to limit the resource use and to harden the security of the application, and by being a separate process it can run under its own user.
 +
 
 +
==== Configuration ====
 +
 
 +
The only part that differs from [[#php-fpm configuration]] is the {{ic|<nowiki>location ~ \.php(?:$|/) {}</nowiki>}} block:
 +
{{bc|<nowiki>
 +
  location ~ \.php(?:$|/) {
 
     include uwsgi_params;
 
     include uwsgi_params;
 
     uwsgi_modifier1 14;
 
     uwsgi_modifier1 14;
     uwsgi_pass 127.0.0.1:3001;
+
     # Avoid duplicate headers confusing OC checks
}
+
    uwsgi_hide_header X-Frame-Options;
# everything else goes to the filesystem,
+
    uwsgi_hide_header X-XSS-Protection;
# but / will be mapped to index.php and run through uwsgi
+
    uwsgi_hide_header X-Content-Type-Options;
location / {
+
    uwsgi_hide_header X-Robots-Tag;
     root /usr/share/webapps/owncloud;
+
     uwsgi_pass unix:/run/uwsgi/owncloud.sock;
     index index.php;
+
     }
}
+
</nowiki>}}
</pre>
+
 
The uWSGI /etc/uwsgi/owncloud.ini config file (run it with uwsgi_php --ini /etc/uwsgi/owncloud.ini):
+
Then create a config file for ''uWSGI'':
<pre>
+
 
 +
{{hc|/etc/uwsgi/owncloud.ini|<nowiki>
 
[uwsgi]
 
[uwsgi]
socket = 127.0.0.1:3001
+
; load the required plugins
 +
plugins = php
 +
; force the sapi name to 'apache', this will enable the opcode cache 
 +
php-sapi-name = apache
 +
 
 +
; set master process name and socket
 +
; '%n' refers to the name of this configuration file without extension
 +
procname-master = uwsgi %n
 
master = true
 
master = true
chdir = /srv/http/owncloud
+
socket = /run/uwsgi/%n.sock
php-docroot = /usr/share/webapps/owncloud
+
 
 +
; drop privileges
 +
uid    = http
 +
gid    = http
 +
umask  = 027
 +
 
 +
; run with at least 1 process but increase up to 4 when needed
 +
processes = 4
 +
cheaper = 1
 +
 
 +
; reload whenever this config file changes
 +
; %p is the full path of the current config file
 +
touch-reload = %p
 +
 
 +
; disable uWSGI request logging
 +
;disable-logging = true
 +
 
 +
; enforce a DOCUMENT_ROOT
 +
php-docroot     = /usr/share/webapps/%n
 +
; limit allowed extensions
 +
php-allowed-ext = .php
 +
; and search for index.php if required
 
php-index = index.php
 
php-index = index.php
  
# only allow these php files, I don't want to inadvertently run something else
+
; set php configuration for this instance of php, no need to edit global php.ini
php-allowed-ext = /index.php
+
php-set = date.timezone=Etc/UTC
php-allowed-ext = /public.php
+
;php-set = open_basedir=/tmp/:/usr/share/webapps/owncloud:/etc/webapps/owncloud:/dev/urandom
php-allowed-ext = /remote.php
+
php-set = expose_php=false
php-allowed-ext = /cron.php
+
; avoid security risk of leaving sessions in world-readable /tmp
php-allowed-ext = /status.php
+
php-set = session.save_path=/usr/share/webapps/owncloud/data
php-allowed-ext = /settings/apps.php
+
 
php-allowed-ext = /core/ajax/share.php
+
; port of php directives set upstream in /usr/share/webapps/owncloud/.user.ini for use with PHP-FPM
php-allowed-ext = /core/ajax/requesttoken.php
+
php-set = upload_max_filesize=513M
php-allowed-ext = /core/ajax/translations.php
+
php-set = post_max_size=513M
php-allowed-ext = /search/ajax/search.php
+
php-set = memory_limit=512M
php-allowed-ext = /search/templates/part.results.php
+
php-set = output_buffering=off
php-allowed-ext = /settings/admin.php
+
 
php-allowed-ext = /settings/users.php
+
; load all extensions only in this instance of php, no need to edit global php.ini
php-allowed-ext = /settings/personal.php
+
;; required core modules
php-allowed-ext = /settings/help.php
+
php-set = extension=gd.so
php-allowed-ext = /settings/ajax/getlog.php
+
php-set = extension=iconv.so
php-allowed-ext = /settings/ajax/setlanguage.php
+
;php-set = extension=zip.so    # enabled by default in global php.ini
php-allowed-ext = /settings/ajax/setquota.php
+
 
php-allowed-ext = /settings/ajax/userlist.php
+
;; database connectors
php-allowed-ext = /settings/ajax/createuser.php
+
;; uncomment your selected driver
php-allowed-ext = /settings/ajax/removeuser.php
+
;php-set = extension=pdo_sqlite.so
php-allowed-ext = /settings/ajax/enableapp.php
+
;php-set = extension=pdo_mysql.so
php-allowed-ext = /core/ajax/appconfig.php
+
;php-set = extension=pdo_pgsql.so
 +
 
 +
;; recommended extensions
 +
;php-set = extension=curl.so    # enabled by default in global php.ini
 +
php-set = extension=bz2.so
 +
php-set = extension=intl.so
 +
php-set = extension=mcrypt.so
 +
 
 +
;; required for specific apps
 +
;php-set = extension=ldap.so    # for LDAP integration
 +
;php-set = extension=ftp.so    # for FTP storage / external user authentication
 +
;php-set = extension=imap.so    # for external user authentication, requires php-imap
 +
 
 +
;; recommended for specific apps
 +
;php-set = extension=exif.so    # for image rotation in pictures app, requires exiv2
 +
;php-set = extension=gmp.so    # for SFTP storage
 +
 
 +
;; for preview generation
 +
;; provided by packages in AUR
 +
; php-set = extension=imagick.so
 +
 
 +
; opcache
 +
php-set = zend_extension=opcache.so
 +
 
 +
; user cache
 +
; provided by php-acpu, to be enabled **either** here **or** in /etc/php/conf.d/apcu.ini
 +
php-set = extension=apcu.so
 +
; per https://github.com/krakjoe/apcu/blob/simplify/INSTALL
 +
php-set = apc.ttl=7200
 +
php-set = apc.enable_cli=1
 +
 
 +
cron2 = minute=-15,unique=1 /usr/bin/php -f /usr/share/webapps/owncloud/cron.php 1>/dev/null
 +
</nowiki>}}
 +
 
 +
{{Note|
 +
* Do not forget to set your timezone and uncomment the required database connector in the uWSGI config file
 +
* Starting with PHP 7, the [[PHP#Configuration|open_basedir]] directive is [https://www.archlinux.org/news/php-70-packages-released/ no longer set by default] to keep in line with upstream. A commented out version functional until at least OC 8.2 has been left in the config for users wishing to harden security. Be aware that it may [https://github.com/owncloud/core/search?q&#61;open_basedir&type&#61;Issues&utf8&#61;%E2%9C%93 occasionally break things].}}
 +
 
 +
{{Warning|The way the [https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/background_jobs_configuration.html ownCloud background job] is currently set up with [https://uwsgi-docs.readthedocs.org/en/latest/Cron.html uWSGI cron] will make use of the default global configuration from {{ic|/etc/php/php.ini}}. This means that none of the specific parameters defined (e.g. required modules) will be enabled, [https://github.com/owncloud/core/issues/12678#issuecomment-66114448 leading to various issues]. One solution is to copy {{ic|/etc/php/php.ini}} to e.g. {{ic|/etc/uwsgi/cron-php.ini}}, make the required modifications there (mirroring {{ic|/etc/uwsgi/owncloud.ini}} parameters) and referencing it in the cron directive by adding the {{ic|-c /etc/uwsgi/cron-php.ini}} option to ''php'' invocation.}}
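Review bot: `php-allowed-ext = .php` replaces the earlier per-script allowlist (`php-allowed-ext = /index.php`, `/remote.php`, ...), so this instance now executes any `.php` file under `php-docroot`, and the `open_basedir` line is left commented out. The oc-perms script on this page makes `apps/`, `config/`, `data/`, `themes/` and `assets/` owned by `http`, the same `uid` this config runs as, so the only thing keeping files under `data/` and `config/` from being requested is the `deny all` location in the nginx sample; `session.save_path` pointing into `data/` depends on that same rule. Suggest saying so next to `php-allowed-ext`, and recommending that the `open_basedir` line be enabled wherever it does not break the installation.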
 +
 
 +
==== Activation ====
 +
 
 +
[[Uwsgi|uWSGI]] provides a [[Systemd#Using_units|template unit]] that allows to start and enable application using their configuration file name as instance identifier. For example:
 +
# systemctl start uwsgi@owncloud.socket
 +
would start it on demand referencing the configuration file {{ic|/etc/uwsgi/owncloud.ini}}.
 +
 
 +
To enable the uwsgi service by default at start-up, run:
 +
# systemctl enable uwsgi@owncloud.socket
 +
 
 +
{{Note|Here we make use of [http://0pointer.de/blog/projects/socket-activation.html systemd socket activation] to prevent unnecessary resources consumption when no connections are made to the instance. If you'd rather have it constantly active, simply remove the {{ic|.socket}} part to start and enable the service instead.}}
 +
 
 +
See also [[Uwsgi#Starting service]].
 +
 
 +
== Synchronization ==
 +
 
 +
=== Desktop ===
 +
 
 +
The official client can be installed with the {{Pkg|owncloud-client}} package. Alternative versions are avaiable in the [[AUR]]: {{AUR|owncloud-client-beta}}{{Broken package link|{{aur-mirror|owncloud-client-beta}}}}, {{AUR|owncloud-client-git}} and {{AUR|owncloud-client-qt5}}{{Broken package link|{{aur-mirror|owncloud-client-qt5}}}}. Its use is described in [http://doc.owncloud.org/server/7.0/user_manual/files/sync.html this page] of the documentation.
 +
 
 +
==== Calendar ====
 +
 
 +
To access your ''ownCloud'' calendars using Mozilla [[Thunderbird]]'s [[Thunderbird#Lightning_-_Calendar|Lightning calendar]] you would use the following URL:
 +
 
 +
<nowiki>https://ADDRESS/remote.php/caldav/calendars/USERNAME/CALENDARNAME</nowiki>
 +
 
 +
To access your ''ownCloud'' calendars using CalDAV-compatible programs like Kontact or [[Evolution]], you would use the following URL:
 +
 
 +
<nowiki>https://ADDRESS/remote.php/caldav</nowiki>
 +
 
 +
For details see the [http://doc.owncloud.org/server/7.0/user_manual/pim/calendar.html#synchronizing-calendars-using-caldav official documentation].
 +
 
 +
==== Contacts ====
 +
 
 +
To sync contacts with [[Thunderbird]] you must install the [http://www.sogo.nu/downloads/frontends.html SOGo frontend], [[Thunderbird#Lightning_-_Calendar|Lightning extension]] and follow [http://doc.owncloud.org/server/7.0/user_manual/pim/sync_thunderbird.html those instructions] from the official doc.
 +
 
 +
==== Mounting files with davfs2 ====
 +
 
 +
If you want to mount your ownCloud permanently install {{Pkg|davfs2}} (as described in [[Davfs]]) first.
 +
 
 +
Considering your ownCloud were at {{ic|https://own.example.com}}, your WebDAV URL would be {{ic|https://own.example.com/remote.php/webdav}} (as of ownCloud 6.0).
 +
 
 +
To mount your ownCloud, use:
 +
 
 +
# mount -t davfs https://own.example.com/remote.php/webdav /path/to/mount
 +
 
 +
You can also create an entry for this in {{ic|/etc/fstab}}
 +
 
 +
{{hc|/etc/fstab|
 +
https://own.example.com/remote.php/webdav /path/to/mount davfs rw,user,noauto 0 0
 +
}}
 +
 
 +
{{Tip|In order to allow automount you can also store your username (and password if you like) in a file as described in [[Davfs#Mounting as regular user]].}}
 +
 
 +
{{Note| If creating/copying files is not possible, while the same operations work on directories, see [[Davfs#Creating/copying files not possible]].}}
 +
 
 +
=== Android ===
 +
 
 +
There is an official Android app available for a [https://play.google.com/store/apps/details?id=at.bitfire.davdroid small donation on the Play Store] and for free [https://f-droid.org/app/at.bitfire.davdroid on F-Droid].
 +
 
 +
To enable contacts and calendar sync:
 +
* if using Android 4+:
 +
*# download [https://davdroid.bitfire.at/] ([https://play.google.com/store/apps/details?id=at.bitfire.davdroid Play Store], [https://f-droid.org/app/at.bitfire.davdroid F-Droid])
 +
*# Enable mod_rewrite.so in httpd.conf
 +
*# create a new DAVdroid account in the ''Account'' settings, and specify your "short" server address and login/password couple, e.g. {{ic|<nowiki>https://cloud.example.com</nowiki>}} (there is no need for the {{ic|<nowiki>/remote.php/{carddav,webdav}</nowiki>}} part if you configured your web server with the proper redirections, as illustrated previously in the article; ''DAVdroid'' will find itself the right URLs)
 +
:For an older version of the app but with still useful info, see [http://www.slsmk.com/sync-android-contacts-calendar-and-files-to-owncloud/ this article].
 +
 
 +
* if using an Android version below 4.0 and favouring Free/Libre software solutions, give a try to [https://f-droid.org/repository/browse/?fdfilter=caldav&fdid=com.morphoss.acal aCal] for calendar and contacts sync or CalDAV Sync Adapter ([https://f-droid.org/repository/browse/?fdfilter=caldav&fdid=org.gege.caldavsyncadapter F-Droid]) for just calendar sync; if you are willing to use non-libre software, then the [http://doc.owncloud.org/server/7.0/user_manual/pim/contacts.html#synchronizing-with-android recommended solution] is to use [http://dmfs.org/ CardDAV-Sync and CalDAV-Sync].
 +
 
 +
== Important notes ==
 +
 
 +
* When using a subdomain (like cloud.example.net), make sure it is covered by your certificate. Otherwise, connection via the ownCloud client or webdav might fail.
 +
 
 +
* If you are planning on using ownCloud's [http://owncloud.org/sync-clients/ sync-clients], make sure to have [[ntpd]] installed and running on your ownCloud server, otherwise the sync-clients will fail.
 +
 
 +
* Add some [[LAMP#SSL|SSL encryption]] to your connection!
 +
(If adding SSL encryption as above, be sure to edit /etc/httpd/conf/extra/httpd-ssl.conf and change DocumentRoot "/srv/http" to DocumentRoot "/usr/share/webapps/owncloud" )
 +
 
 +
* More Apps for ownCloud can be found [http://apps.owncloud.com/ here]
 +
 
 +
* To install an new application, download the zip from the apps store, extract it into  /srv/http/owncloud/apps/.
 +
Afterwards restart httpd:
 +
 
 +
# systemctl restart httpd
 +
 
 +
log into your server go to the app sections you should see the new apps in there,
 +
 
 +
* If you are protecting access to your ownCloud location with HTTP basic auth, the file "status.php" must be excluded from auth and be publicly accessible. [https://github.com/owncloud/mirall/issues/734]
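Review bot: the app installation bullet tells readers to extract the zip into `/srv/http/owncloud/apps/`, but every other path in this revision (oc-perms, the nginx `root`, `php-docroot`, the `DocumentRoot` in the SSL remark) uses `/usr/share/webapps/owncloud`. Following it as written puts the app outside the tree whose ownership and modes oc-perms sets. Suggest changing it to `/usr/share/webapps/owncloud/apps/` and pointing to [[#Setting strong permissions]] for the ownership of the extracted files.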
 +
 
 +
=== SABnzbd ===
 +
 
 +
When using [[SABnzbd]], you might want to set
 +
folder_rename 0
 +
in your sabnzbd.ini file, because ownCloud will scan the files as soon as they get uploaded, preventing SABnzbd from removing UNPACKING prefixes etc.
 +
 
 +
== Troubleshooting ==
 +
 
 +
=== Self-signed certificate not accepted ===
 +
 
 +
ownCloud uses [[Wikipedia:cURL]] and [[Wikipedia:SabreDAV]] to check if WebDAV is enabled. If you use SSL/TLS with a self-signed certificate, e.g. as shown in [[LAMP]], and access ownCloud's admin panel, you will see the following error message:
 +
 
 +
Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.
 +
 
 +
Assuming that you followed the [[LAMP]] tutorial, execute the following steps:
 +
 
 +
Create a local directory for non-distribution certificates and copy [[LAMP]]s certificate there. This will prevent {{ic|ca-certificates}}-updates from overwriting it.
 +
 
 +
# cp /etc/httpd/conf/server.crt /usr/share/ca-certificates/''WWW.EXAMPLE.COM.crt''
 +
 
 +
Add ''WWW.EXAMPLE.COM.crt'' to {{ic|/etc/ca-certificates.conf}}:
 +
 
 +
''WWW.EXAMPLE.COM.crt''
 +
 
 +
Now, regenerate your certificate store:
 +
 
 +
# update-ca-certificates
 +
 
 +
Restart the httpd service to activate your certificate.
 +
 
 +
Should this not work, consider disabling {{ic|mod_curl}} in {{ic|/etc/php/php.ini}}.
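Review bot: "disabling {{ic|mod_curl}} in {{ic|/etc/php/php.ini}}" names something the rest of the page does not; the installation section refers to the extension as `curl.so`, which is what a reader will find in `php.ini`. Suggest using that name, and noting that `curl.so` is listed above as a recommended extension so that disabling it is a workaround and not a fix for the untrusted certificate.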
 +
 
 +
=== Self-signed certificate for Android devices ===
 +
 
 +
Once you have followed the setup for SSL, as on [[LAMP#TLS.2FSSL|LAMP]] for example, early versions of DAVdroid will reject the connection because the certificate is not trusted. A certificate can be made as follows on your server:
 +
 
 +
  # openssl x509 -req -days 365 -in /etc/httpd/conf/server.csr -signkey /etc/httpd/conf/server.key -extfile android.txt -out CA.crt
 +
  # openssl x509 -inform PEM -outform DER -in CA.crt -out CA.der.crt
 +
 
 +
The file {{ic|android.txt}} should contain the following:
 +
 
 +
  basicConstraints=CA:true
 +
 
 +
Then import {{ic|CA.der.crt}} to your Android device:
 +
 
 +
Put the {{ic|CA.der.crt}} file onto the sdcard of your Android device (usually to the internal one, e.g. save from a mail attachment). It should be in the root directory. Go to ''Settings > Security > Credential storage'' and select ''Install from device storage''.
 +
The {{ic|.crt}} file will be detected and you will be prompted to enter a certificate name. After importing the certificate, you will find it in ''Settings > Security > Credential storage > Trusted credentials > User''.
 +
 
 +
Thanks to: [http://www.leftbrainthings.com/2013/10/13/creating-and-importing-self-signed-certificate-to-android-device/]
 +
 
 +
Another way is to import the certificate directly from your server via [https://play.google.com/store/apps/details?id=at.bitfire.cadroid CAdroid] and follow the instructions there.
 +
 
 +
=== Cannot write into config directory! ===
 +
 
 +
Check your httpd configuration file (like {{ic|owncloud.conf}}). Add your configuration directory ({{ic|/etc/webapps}} by default) to
 +
 
 +
php_admin_value open_basedir "/srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/:/path/to/dir/"
 +
 
 +
Restart the httpd or php-fpm service to activate the change.
 +
 
 +
=== Cannot create data directory (/path/to/dir) ===
 +
 
 +
Check your httpd configuration file (like {{ic|owncloud.conf}}). Add your data directory to
 +
 
 +
php_admin_value open_basedir "/srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/:/path/to/dir/"
 +
 
 +
Restart the httpd or php-fpm service to activate the change.
 +
 
 +
=== CSync failed to find a specific file. ===
 +
 
 +
This is most likely a certificate issue. Recreate it, and do not leave the common name empty or you will see the error again.
 +
 
 +
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt
 +
 
 +
=== Seeing white page after login ===
 +
 
 +
The cause is probably a new app that you installed. To fix that, you can use the occ command as described [https://doc.owncloud.org/server/8.2/admin_manual/configuration_server/occ_command.html here]. So with
 +
sudo -u http php /usr/share/webapps/owncloud/occ app:list
 +
you can list all apps (if you installed owncloud in the standard directory), and with
 +
sudo -u http php /usr/share/webapps/owncloud/occ app:disable <nameOfExtension>
 +
you can disable the troubling app.
 +
 
 +
Alternatively, you can either use [[phpMyAdmin]] to edit the {{ic|oc_appconfig}} table (if you got lucky and the table has an edit option), or do it by hand with mysql:
 +
 
 +
mysql -u root -p owncloud
 +
MariaDB [owncloud]> '''delete from''' oc_appconfig '''where''' appid='<nameOfExtension>' '''and''' configkey='enabled' '''and''' configvalue='yes';
 +
MariaDB [owncloud]> '''insert into''' oc_appconfig (appid,configkey,configvalue) '''values''' ('<nameOfExtension>','enabled','no');
 +
 
 +
This should delete the relevant configuration from the table and add it again.
 +
 
 +
=== GUI sync client fails to connect ===
 +
 
 +
If using HTTP basic authentication, make sure to exclude "status.php", which must be publicly accessible. [https://github.com/owncloud/mirall/issues/734]
 +
 
 +
=== Some files upload, but give an error 'Integrity constraint violation...' ===
 +
 
 +
You may see the following error in the ownCloud sync client:
 +
 
 +
    SQLSTATE[23000]: Integrity constraint violation: ... Duplicate entry '...' for key 'fs_storage_path_hash')...
 +
 
 +
This is caused by an issue with the File Locking app, which is often not sufficient to keep conflicts from occurring on some webserver configurations. A more complete [https://doc.owncloud.org/server/8.1/admin_manual/configuration_files/files_locking_transactional.html Transactional File Locking] is available that rids these errors, but you must be using the Redis php-caching method. Install {{Pkg|redis}} and {{AUR|php-redis}}, comment out your current php-cache mechanism, and then in {{ic|/etc/php/conf.d/redis.ini}} uncomment {{ic|1=extension=redis.so}}. Then in {{ic|config.php}} make the following changes:
 +
 
 +
    'memcache.local' => '\OC\Memcache\Redis',
 +
    'filelocking.enabled' => 'true',
 +
    'memcache.locking' => '\OC\Memcache\Redis',
 +
    'redis' => array(
 +
        'host' => 'localhost',
 +
        'port' => 6379,
 +
        'timeout' => 0.0,
 +
          ),
 +
 
 +
and start Redis:
 +
 
 +
    systemctl enable redis.service
 +
    systemctl start redis.service
 +
 
 +
Finally, disable the File Locking App, as the Transational File Locking will take care of it (and would conflict).
 +
 
 +
If everything is working, you should see 'Transactional File Locking Enabled' under Server Status on the Admin page, and syncs should no longer cause issues.
 +
 
 +
=== "Cannot write into apps directory" ===
 +
 
 +
As mentioned in the [http://doc.owncloud.org/server/6.0/admin_manual/configuration/configuration_apps.html official admin manual], either you need an apps directory that is writable by the http user, or you need to set {{ic|appstoreenabled}} to {{ic|false}}.
 +
 
 +
''Also'', not mentioned there, the directory needs to be in the {{ic|open_basedir}} line in {{ic|/etc/php/php.ini}}.
 +
 
 +
{{Accuracy|Does not seem to work with 8.0.2}}
 +
 
 +
One clean method is to have the package-installed directory at {{ic|/usr/share/webapps/owncloud/apps}} stay owned by root, and have the user-installed apps go into e.g. {{ic|/var/www/owncloud/apps}}, which is owned by http. Then you can set {{ic|appstoreenabled}} to {{ic|true}} and package upgrades of apps should work fine as well. Relevant lines from {{ic|/etc/webapps/owncloud/config/config.php}}:
 +
 
 +
{{bc|<nowiki>
 +
  'apps_paths' =>
 +
  array (
 +
    0 =>
 +
    array (
 +
      'path' => '/usr/share/webapps/owncloud/apps',
 +
      'url' => '/apps',
 +
      'writable' => false,
 +
    ),
 +
    1 =>
 +
    array (
 +
      'path' => '/var/www/owncloud/apps',
 +
      'url' => '/wapps',
 +
      'writable' => true,
 +
    ),
 +
  ),
 +
</nowiki>}}
 +
 
 +
Example {{ic|open_basedir}} line from {{ic|/etc/php/php.ini}} (you might have other directories in there as well):
 +
 
 +
open_basedir = /srv/http/:/usr/share/webapps/:/var/www/owncloud/apps/
 +
 
 +
Directory permissions:
 +
 
 +
{{hc|$ ls -ld /usr/share/webapps/owncloud/apps /var/www/owncloud/apps/|
 +
<nowiki>drwxr-xr-x 26 root root 4096 des.  14 20:48 /usr/share/webapps/owncloud/apps
 +
drwxr-xr-x  2 http http  48 jan.  20 20:01 /var/www/owncloud/apps/</nowiki>}}
 +
 +
=== Security warnings even though the recommended settings have been included in nginx.conf ===
 +
 
 +
At the top of the admin page there might be a warning to set the {{ic|Strict-Transport-Security}}, {{ic|X-Content-Type-Options}}, {{ic|X-Frame-Options}}, {{ic|X-XSS-Protection}} and {{ic|X-Robots-Tag}} according to https://doc.owncloud.org/server/8.1/admin_manual/configuration_server/harden_server.html even though they are already set like that.
 +
 
 +
A possible cause could be that because owncloud sets those settings, uwsgi passed them along and nginx added them again:
 +
{{hc|$ curl -I https://domain.tld|
 +
<nowiki>...
 +
X-XSS-Protection: 1; mode=block
 +
X-Content-Type-Options: nosniff
 +
X-Frame-Options: Sameorigin
 +
X-Robots-Tag: none
 +
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
 +
X-Content-Type-Options: nosniff
 +
X-Frame-Options: SAMEORIGIN
 +
X-XSS-Protection: 1; mode=block
 +
X-Robots-Tag: none</nowiki>}}
 +
 
 +
While the fast_cgi sample config has a parameter to avoid that ( {{ic|fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice}} ), when using uwsgi and nginx the following modification of the uwsgi part in nginx.conf could help:
  
php-set = date.timezone=Europe/Skopje
+
{{hc| /etc/nginx/nginx.conf|
php-set = open_basedir=/srv/http/owncloud:/tmp/:/usr/share/pear/:/usr/share/webapps/owncloud
+
<nowiki>...
 +
        # pass all .php or .php/path urls to uWSGI
 +
        location ~ ^(.+\.php)(.*)$ {
 +
            include uwsgi_params;
 +
            uwsgi_modifier1 14;
 +
            # hode following headers received from uwsgi, because otherwise we would send them twice since we already add them in nginx itself
 +
            uwsgi_hide_header X-Frame-Options;
 +
            uwsgi_hide_header X-XSS-Protection;
 +
            uwsgi_hide_header X-Content-Type-Options;
 +
            uwsgi_hide_header X-Robots-Tag;
 +
            uwsgi_hide_header X-Frame-Options;
 +
            #Uncomment line below if you get connection refused error. Remember to commet out line with "uwsgi_pass 127.0.0.1:3001;" below
 +
            uwsgi_pass unix:/run/uwsgi/owncloud.sock;
 +
            #uwsgi_pass 127.0.0.1:3001;
 +
        }
 +
...</nowiki>}}
  
processes = 10
+
=== Password not saved ===
cheaper = 2
+
cron = -1 -1 -1 -1 -1 /usr/bin/curl -H https://localhost/cron.php
+
  
</pre>
+
If the password are not saved and asked on every startup try to install {{Pkg|gnome-keyring}}, helped under xfce4.
Finally, a simple systemd unit file to start the uwsgi instance can be (this is without using the emperor):
+
<pre>
+
[Unit]
+
Description=OwnCloud service via uWSGI-PHP
+
  
[Service]
+
== Upload and Share from File Manager ==
User=http
+
You can use the following script to quickly upload and share files to your ownCloud installation from Thunar (and possibly other filemanagers): https://github.com/schiesbn/shareLinkCreator
ExecStart=/usr/bin/uwsgi_php --ini /etc/uwsgi/owncloud.ini
+
You need to edit the file with the proper configuration settings.
ExecReload=/bin/kill -HUP $MAINPID
+
'''Note: password is stored as plain text.'''
KillSignal=SIGQUIT
+
Restart=always
+
  
[Install]
+
== See also ==
WantedBy=multi-user.target
+
* [http://owncloud.org/ ownCloud official website]
</pre>
+
* [http://doc.owncloud.org/server/8.2/admin_manual/ ownCloud 8.2 Admin Documentation]
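Review bot: In the added nginx.conf snippet for the uWSGI location block, "uwsgi_hide_header X-Frame-Options;" is listed twice, as the first and the last of the five hide lines. The second occurrence is redundant and should be dropped. The added curl output shows Strict-Transport-Security only once, so leaving that header out of the hide list is consistent with it. The comments in the same snippet need a spelling pass: "hode following headers" should read "hide", and "Remember to commet out" should read "comment".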

Latest revision as of 13:03, 20 May 2016

From Wikipedia: "ownCloud is a software suite that provides a location-independent storage area for data (cloud storage)." The ownCloud installation and configuration mainly depends on what web server and database you decide to run. Currently the wiki discusses Apache configuration and Nginx configuration.

Prerequisites

ownCloud needs a web server, PHP and a database. For instance, a classic LAMP stack should work fine and is the recommended configuration.

Installation

Install the owncloud package.

Uncomment the following required extensions in /etc/php/php.ini:

gd.so
iconv.so
xmlrpc.so
zip.so

It is also recommended to install php-intl, php-mcrypt and uncomment the following extensions:

bz2.so
curl.so
intl.so
mcrypt.so

Database support

Depending on which database backend you are going to use, uncomment the following extensions in /etc/php/php.ini:

Caching

For enhanced performance, it is recommended to implement PHP caching using APCu, as described in PHP#APCu. It is also beneficial to enable OPCache, as described in PHP#OPCache.

Then, after enabling APCu, add the following directive to /etc/webapps/owncloud/config/config.php:

'memcache.local' => '\OC\Memcache\APCu',
Note: Make sure to add apc.enable_cli=1 under the [apc] portion of your PHP configuration and uncomment extension=apcu.so in /etc/php/conf.d/apcu.ini. As of 2015-07-12, several things won't work properly without it.

See the official documentation.

Exif support

Additionally enable exif support by installing the exiv2 package and uncommenting the exif.so extension in php.ini.

Setting strong permissions

From the official installation manual:

For hardened security we recommend setting the permissions on your ownCloud directories as strictly as possible, and for proper server operations. This should be done immediately after the initial installation and before running the setup. Your HTTP user must own the config/, data/ and apps/ directories so that you can configure ownCloud, create, modify and delete your data files, and install apps via the ownCloud Web interface.
oc-perms
#!/bin/bash
ocpath='/usr/share/webapps/owncloud'
htuser='http'
htgroup='http'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p $ocpath/data
mkdir -p $ocpath/assets

printf "chmod Files and Directories\n"
find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750

printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ocpath}/
chown -R ${htuser}:${htgroup} ${ocpath}/apps/
chown -R ${htuser}:${htgroup} ${ocpath}/config/
chown -R ${htuser}:${htgroup} ${ocpath}/data/
chown -R ${htuser}:${htgroup} ${ocpath}/themes/
chown -R ${htuser}:${htgroup} ${ocpath}/assets/

chmod +x ${ocpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ocpath}/.htaccess ]
 then
  chmod 0644 ${ocpath}/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/.htaccess
fi
if [ -f ${ocpath}/data/.htaccess ]
 then
  chmod 0644 ${ocpath}/data/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/data/.htaccess
fi

If you have customized your ownCloud installation and your filepaths are different than the standard installation, then modify this script accordingly.
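
To confirm that a tree ended up with the modes the script above sets (0750 directories, 0640 files, 0644 for the two .htaccess files, execute bits on occ), the following added example walks it and reports deviations. It is not part of the ownCloud manual or of the script above; `audit_modes` and `expected_mode` are hypothetical names, ownership is not checked, and symlinks are skipped.

```python
import os
import stat

# The two files the oc-perms script resets to 0644 after the blanket chmod.
HTACCESS_FILES = {".htaccess", os.path.join("data", ".htaccess")}


def expected_mode(rel, is_dir):
    """Mode the oc-perms script leaves on a path (relative to ocpath)."""
    if is_dir:
        return 0o750
    if rel in HTACCESS_FILES:
        return 0o644
    return 0o640


def audit_modes(ocpath):
    """Return a sorted list of (relative path, actual mode, expected mode)
    for every directory and regular file whose mode differs from the policy."""
    findings = []
    for root, _dirs, files in os.walk(ocpath):
        entries = [(root, True)] + [(os.path.join(root, f), False) for f in files]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks are not followed; audit their targets separately
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, ocpath)
            want = expected_mode(rel, is_dir)
            if rel == "occ":
                # "chmod +x" adds execute bits on top of 0640; which ones
                # depends on the umask, so only require the owner bit.
                ok = (mode & ~0o111) == 0o640 and bool(mode & 0o100)
            else:
                ok = mode == want
            if not ok:
                findings.append((rel, oct(mode), oct(want)))
    return sorted(findings)


if __name__ == "__main__":
    for rel, actual, wanted in audit_modes("/usr/share/webapps/owncloud"):
        print(f"{rel}: mode {actual}, expected {wanted}")
```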

An all-in-one alternative with Docker

A quicker alternative to installing and configuring your own ownCloud is to use a 3rd party supported Docker image. You can find several images of fully working LAMP stack with pre-installed ownCloud in the Docker repositories. Docker containers are generally safer than a chroot environment and the overhead is very low; ownCloud in Docker works smoothly even on quite old machines. The whole setup including installing Docker and ownCloud image is considerably easier and quicker than a native installation but you must trust the 3rd party whom you've now given complete control to regarding the installation of your ownCloud instance.

Note: Docker images are not officially supported by ownCloud.

Apache configuration

Note: Make sure PHP is enabled, as described in Apache HTTP Server#PHP.

Copy the Apache configuration file to its configuration directory:

# cp /etc/webapps/owncloud/apache.example.conf /etc/httpd/conf/extra/owncloud.conf

And include it at the bottom of /etc/httpd/conf/httpd.conf:

Include conf/extra/owncloud.conf

Now restart Apache (httpd.service).

Open http://localhost/owncloud in your browser. You should now be able to create a user account and follow the installation wizard.

Note: Moving your data folder to another location might conflict with the open_basedir option set in the default apache configuration file.

WebDAV

ownCloud comes with its own WebDAV implementation enabled, which may conflict with the one shipped with Apache. If you have enabled WebDAV (not enabled by default with Apache), disable mod_dav and mod_dav_fs in /etc/httpd/conf/httpd.conf. See https://forum.owncloud.org/viewtopic.php?f=17&t=7240 for details.

Running ownCloud in a subdirectory

By including the default owncloud.conf in httpd.conf, ownCloud will take control of port 80 and your localhost domain.

If you would like to have ownCloud run in a subdirectory, then edit the /etc/httpd/conf/extra/owncloud.conf you included and comment out the <VirtualHost *:80> ... </VirtualHost> part of the include file.

Nginx

php-fpm configuration

ownCloud official documentation uses php-fpm for PHP and as such it is the best supported configuration. See Nginx#PHP implementation to set up php-fpm and Nginx#TLS/SSL to acquire and/or set up a TLS certificate.

By default, the only things you need to change from the recommended server configuration for ownCloud to run on Arch Linux are the server_name, ssl_certificate, ssl_certificate_key, root and fastcgi_pass directives:

/etc/nginx/nginx.conf
server {
  listen 80;
  server_name cloud.example.com;
  # enforce https
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  server_name cloud.example.com;

  ssl_certificate /path/to/domain-cert.crt;
  ssl_certificate_key /path/to/private-key.key;

  # Add headers to serve security related headers
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  # Path to the root of your installation
  root /usr/share/webapps/owncloud/;
  # set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Uncomment if your server is built with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  index index.php;
  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;

  rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
  rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;

  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
  #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
  }

  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }

  location / {
    rewrite ^/remote/(.*) /remote.php last;
    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
    try_files $uri $uri/ =404;
  }

  location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_intercept_errors on;
  }

  # Adding the cache control header for js and css files
  # Make sure it is BELOW the location ~ \.php(?:$|/) { block
  location ~* \.(?:css|js)$ {
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;
  }

  # Optional: Don't log access to other assets
  location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
    access_log off;
  }
}

php-fpm is already configured to run as the user http, so assuming you are using the permissions described above it should function fine. Manually copying config.example.php into the ownCloud configuration is not recommended; instead, let the configuration be generated automatically on first run.

Note: Automatic configuration relies on the data/ directory creation, as done in #Setting strong permissions.

uWSGI configuration

You can run ownCloud in its own process and service by using the uWSGI application server with uwsgi-plugin-php. This allows you to define a PHP configuration only for this instance of PHP, without the need to edit the global php.ini and thus keeping your web application configurations compartmentalized. uWSGI itself has a wealth of features to limit the resource use and to harden the security of the application, and by being a separate process it can run under its own user.

Configuration

The only part that differs from #php-fpm configuration is the location ~ \.php(?:$|/) {} block:

  location ~ \.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # Avoid duplicate headers confusing OC checks
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    uwsgi_pass unix:/run/uwsgi/owncloud.sock;
  }

Then create a config file for uWSGI:

/etc/uwsgi/owncloud.ini
[uwsgi]
; load the required plugins
plugins = php
; force the sapi name to 'apache', this will enable the opcode cache  
php-sapi-name = apache

; set master process name and socket
; '%n' refers to the name of this configuration file without extension
procname-master = uwsgi %n
master = true
socket = /run/uwsgi/%n.sock

; drop privileges
uid    = http
gid    = http
umask  = 027

; run with at least 1 process but increase up to 4 when needed
processes = 4
cheaper = 1

; reload whenever this config file changes
; %p is the full path of the current config file
touch-reload = %p

; disable uWSGI request logging
;disable-logging = true

; enforce a DOCUMENT_ROOT
php-docroot     = /usr/share/webapps/%n
; limit allowed extensions
php-allowed-ext = .php
; and search for index.php if required
php-index = index.php

; set php configuration for this instance of php, no need to edit global php.ini
php-set = date.timezone=Etc/UTC
;php-set = open_basedir=/tmp/:/usr/share/webapps/owncloud:/etc/webapps/owncloud:/dev/urandom
php-set = expose_php=false
; avoid security risk of leaving sessions in world-readable /tmp
php-set = session.save_path=/usr/share/webapps/owncloud/data

; port of php directives set upstream in /usr/share/webapps/owncloud/.user.ini for use with PHP-FPM
php-set = upload_max_filesize=513M
php-set = post_max_size=513M
php-set = memory_limit=512M
php-set = output_buffering=off

; load all extensions only in this instance of php, no need to edit global php.ini
;; required core modules
php-set = extension=gd.so
php-set = extension=iconv.so
;php-set = extension=zip.so     # enabled by default in global php.ini

;; database connectors
;; uncomment your selected driver
;php-set = extension=pdo_sqlite.so
;php-set = extension=pdo_mysql.so
;php-set = extension=pdo_pgsql.so

;; recommended extensions
;php-set = extension=curl.so    # enabled by default in global php.ini
php-set = extension=bz2.so
php-set = extension=intl.so
php-set = extension=mcrypt.so

;; required for specific apps
;php-set = extension=ldap.so    # for LDAP integration
;php-set = extension=ftp.so     # for FTP storage / external user authentication
;php-set = extension=imap.so    # for external user authentication, requires php-imap

;; recommended for specific apps
;php-set = extension=exif.so    # for image rotation in pictures app, requires exiv2
;php-set = extension=gmp.so     # for SFTP storage

;; for preview generation
;; provided by packages in AUR
; php-set = extension=imagick.so

; opcache
php-set = zend_extension=opcache.so

; user cache
; provided by php-apcu, to be enabled **either** here **or** in /etc/php/conf.d/apcu.ini
php-set = extension=apcu.so
; per https://github.com/krakjoe/apcu/blob/simplify/INSTALL
php-set = apc.ttl=7200
php-set = apc.enable_cli=1

cron2 = minute=-15,unique=1 /usr/bin/php -f /usr/share/webapps/owncloud/cron.php 1>/dev/null
Note:
  • Do not forget to set your timezone and uncomment the required database connector in the uWSGI config file
  • Starting with PHP 7, the open_basedir directive is no longer set by default to keep in line with upstream. A commented out version functional until at least OC 8.2 has been left in the config for users wishing to harden security. Be aware that it may occasionally break things.
Warning: As currently set up with uWSGI cron, the ownCloud background job uses the default global configuration from /etc/php/php.ini. This means that none of the specific parameters defined (e.g. required modules) will be enabled, leading to various issues. One solution is to copy /etc/php/php.ini to e.g. /etc/uwsgi/cron-php.ini, make the required modifications there (mirroring /etc/uwsgi/owncloud.ini parameters) and reference it in the cron directive by adding the -c /etc/uwsgi/cron-php.ini option to the php invocation.

Activation

uWSGI provides a template unit that allows starting and enabling applications using their configuration file name as the instance identifier. For example:

# systemctl start uwsgi@owncloud.socket

would start it on demand referencing the configuration file /etc/uwsgi/owncloud.ini.

To enable the uwsgi service by default at start-up, run:

# systemctl enable uwsgi@owncloud.socket
Note: Here we make use of systemd socket activation to prevent unnecessary resource consumption when no connections are made to the instance. If you would rather have it constantly active, simply remove the .socket part to start and enable the service instead.

See also Uwsgi#Starting service.
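
Once the instance is running, the condition that the uwsgi_hide_header lines above guard against (ownCloud and nginx each sending the same security header) can be checked from the output of curl -I. The following is an added example, not code from ownCloud or from this wiki; the function names are hypothetical and both response heads are constructed samples.

```python
import re
from collections import defaultdict

# Headers that nginx adds in the server block and that the ownCloud admin
# page checks.
SECURITY_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "x-robots-tag",
)

# Constructed sample: a redirect followed by a response in which four
# headers arrive twice (once from the application, once from nginx).
DUPLICATED_HEAD = """
HTTP/1.1 301 Moved Permanently
Location: https://domain.tld/

HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
"""

# Constructed sample: the same response once the upstream copies are hidden.
FIXED_HEAD = """
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
"""


def last_response_head(raw):
    """When curl follows redirects it prints one head per hop; keep the last."""
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    return blocks[-1] if blocks else ""


def parse_head(raw):
    """Return {lowercased header name: [values in order received]}."""
    headers = defaultdict(list)
    for line in last_response_head(raw).splitlines():
        if line.upper().startswith("HTTP/"):
            continue  # status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def audit_security_headers(raw):
    """Classify each security header as 'missing', 'duplicate' or 'ok'."""
    headers = parse_head(raw)
    report = {}
    for name in SECURITY_HEADERS:
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            report[name] = "duplicate"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    for name, state in audit_security_headers(DUPLICATED_HEAD).items():
        print(f"{state:9} {name}")
```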

Synchronization

Desktop

The official client can be installed with the owncloud-client package. Alternative versions are available in the AUR: owncloud-client-beta (archived in aur-mirror), owncloud-client-git and owncloud-client-qt5 (archived in aur-mirror). Its use is described in this page of the documentation.

Calendar

To access your ownCloud calendars using Mozilla Thunderbird's Lightning calendar you would use the following URL:

https://ADDRESS/remote.php/caldav/calendars/USERNAME/CALENDARNAME

To access your ownCloud calendars using CalDAV-compatible programs like Kontact or Evolution, you would use the following URL:

https://ADDRESS/remote.php/caldav

For details see the official documentation.

Contacts

To sync contacts with Thunderbird you must install the SOGo frontend and the Lightning extension, then follow the instructions in the official documentation.

Mounting files with davfs2

If you want to mount your ownCloud permanently, install davfs2 (as described in Davfs) first.

Assuming your ownCloud is at https://own.example.com, your WebDAV URL would be https://own.example.com/remote.php/webdav (as of ownCloud 6.0).

To mount your ownCloud, use:

# mount -t davfs https://own.example.com/remote.php/webdav /path/to/mount

You can also create an entry for this in /etc/fstab

/etc/fstab
https://own.example.com/remote.php/webdav /path/to/mount davfs rw,user,noauto 0 0
Tip: In order to allow automount you can also store your username (and password if you like) in a file as described in Davfs#Mounting as regular user.
Note: If creating/copying files is not possible, while the same operations work on directories, see Davfs#Creating/copying files not possible.

Android

There is an official Android app available for a small donation on the Play Store and for free on F-Droid.

To enable contacts and calendar sync:

  • if using Android 4+:
    1. download [1] (Play Store, F-Droid)
    2. Enable mod_rewrite.so in httpd.conf
    3. create a new DAVdroid account in the Account settings, and specify your "short" server address and login/password pair, e.g. https://cloud.example.com (there is no need for the /remote.php/{carddav,webdav} part if you configured your web server with the proper redirections, as illustrated previously in the article; DAVdroid will find the right URLs itself)
For an older version of the app but with still useful info, see this article.
  • if using an Android version below 4.0 and favouring Free/Libre software solutions, try aCal for calendar and contacts sync or CalDAV Sync Adapter (F-Droid) for just calendar sync; if you are willing to use non-libre software, then the recommended solution is to use CardDAV-Sync and CalDAV-Sync.

Important notes

  • When using a subdomain (like cloud.example.net), make sure it is covered by your certificate. Otherwise, connection via the ownCloud client or webdav might fail.
  • If you are planning on using ownCloud's sync-clients, make sure to have ntpd installed and running on your ownCloud server, otherwise the sync-clients will fail.

(If adding SSL encryption as above, be sure to edit /etc/httpd/conf/extra/httpd-ssl.conf and change DocumentRoot "/srv/http" to DocumentRoot "/usr/share/webapps/owncloud" )

  • More apps for ownCloud can be found at http://apps.owncloud.com/
  • To install a new application, download the zip from the apps store and extract it into /srv/http/owncloud/apps/.

Afterwards restart httpd:

# systemctl restart httpd

Log into your server and go to the apps section; you should see the new apps there.

  • If you are protecting access to your ownCloud location with HTTP basic auth, the file "status.php" must be excluded from auth and be publicly accessible (see https://github.com/owncloud/mirall/issues/734).

SABnzbd

When using SABnzbd, you might want to set

folder_rename 0

in your sabnzbd.ini file, because ownCloud will scan the files as soon as they get uploaded, preventing SABnzbd from removing UNPACKING prefixes etc.

Troubleshooting

Self-signed certificate not accepted

ownCloud uses cURL and SabreDAV to check if WebDAV is enabled. If you use SSL/TLS with a self-signed certificate, e.g. as shown in LAMP, and access ownCloud's admin panel, you will see the following error message:

Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.

Assuming that you followed the LAMP tutorial, execute the following steps:

Create a local directory for non-distribution certificates and copy LAMP's certificate there. This will prevent ca-certificates updates from overwriting it.

# cp /etc/httpd/conf/server.crt /usr/share/ca-certificates/WWW.EXAMPLE.COM.crt

Add WWW.EXAMPLE.COM.crt to /etc/ca-certificates.conf:

WWW.EXAMPLE.COM.crt

Now, regenerate your certificate store:

# update-ca-certificates

Restart the httpd service to activate your certificate.

Should this not work, consider disabling mod_curl in /etc/php/php.ini.

Self-signed certificate for Android devices

Once you have followed the setup for SSL, as on LAMP for example, early versions of DAVdroid will reject the connection because the certificate is not trusted. A certificate can be made as follows on your server:

 # openssl x509 -req -days 365 -in /etc/httpd/conf/server.csr -signkey /etc/httpd/conf/server.key -extfile android.txt -out CA.crt
 # openssl x509 -inform PEM -outform DER -in CA.crt -out CA.der.crt 

The file android.txt should contain the following:

 basicConstraints=CA:true

Then import CA.der.crt to your Android device:

Put the CA.der.crt file onto the sdcard of your Android device (usually to the internal one, e.g. save from a mail attachment). It should be in the root directory. Go to Settings > Security > Credential storage and select Install from device storage. The .crt file will be detected and you will be prompted to enter a certificate name. After importing the certificate, you will find it in Settings > Security > Credential storage > Trusted credentials > User.

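Thanks to: http://www.leftbrainthings.com/2013/10/13/creating-and-importing-self-signed-certificate-to-android-device/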

Another way is to import the certificate directly from your server via CAdroid and follow the instructions there.

Cannot write into config directory!

Check your httpd configuration file (like owncloud.conf). Add your configuration directory (/etc/webapps by default) to

php_admin_value open_basedir "/srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/:/path/to/dir/"

Restart the httpd or php-fpm service to activate the change.

Cannot create data directory (/path/to/dir)

Check your httpd configuration file (like owncloud.conf). Add your data directory to

php_admin_value open_basedir "/srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/:/path/to/dir/"

Restart the httpd or php-fpm service to activate the change.

CSync failed to find a specific file.

This is most likely a certificate issue. Recreate it, and do not leave the common name empty or you will see the error again.

# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt

Seeing white page after login

The cause is probably a new app that you installed. To fix that, you can use the occ command as described here. So with

sudo -u http php /usr/share/webapps/owncloud/occ app:list

you can list all apps (if you installed owncloud in the standard directory), and with

sudo -u http php /usr/share/webapps/owncloud/occ app:disable <nameOfExtension>

you can disable the troubling app.

Alternatively, you can either use phpMyAdmin to edit the oc_appconfig table (if you got lucky and the table has an edit option), or do it by hand with mysql:

mysql -u root -p owncloud
MariaDB [owncloud]> delete from oc_appconfig where appid='<nameOfExtension>' and configkey='enabled' and configvalue='yes';
MariaDB [owncloud]> insert into oc_appconfig (appid,configkey,configvalue) values ('<nameOfExtension>','enabled','no');

This should delete the relevant configuration from the table and add it again.

GUI sync client fails to connect

If using HTTP basic authentication, make sure to exclude "status.php", which must be publicly accessible. [4]

Some files upload, but give an error 'Integrity constraint violation...'

You may see the following error in the ownCloud sync client:

   SQLSTATE[23000]: Integrity constraint violation: ... Duplicate entry '...' for key 'fs_storage_path_hash')...

This is caused by an issue with the File Locking app, which is often not sufficient to keep conflicts from occurring on some webserver configurations. A more complete Transactional File Locking is available that gets rid of these errors, but you must be using the Redis php-caching method. Install redis and php-redis (AUR), comment out your current php-cache mechanism, and then in /etc/php/conf.d/redis.ini uncomment extension=redis.so. Then in config.php make the following changes:

   'memcache.local' => '\OC\Memcache\Redis',
   'filelocking.enabled' => 'true',
   'memcache.locking' => '\OC\Memcache\Redis',
   'redis' => array(
        'host' => 'localhost',
        'port' => 6379,
        'timeout' => 0.0,
         ),

and start Redis:

   systemctl enable redis.service
   systemctl start redis.service

Finally, disable the File Locking App, as the Transactional File Locking will take care of it (and would conflict).

If everything is working, you should see 'Transactional File Locking Enabled' under Server Status on the Admin page, and syncs should no longer cause issues.

"Cannot write into apps directory"

As mentioned in the official admin manual, either you need an apps directory that is writable by the http user, or you need to set appstoreenabled to false.

Also, not mentioned there, the directory needs to be in the open_basedir line in /etc/php/php.ini.

The factual accuracy of this article or section is disputed.

Reason: Does not seem to work with 8.0.2 (Discuss in Talk:OwnCloud#)

One clean method is to have the package-installed directory at /usr/share/webapps/owncloud/apps stay owned by root, and have the user-installed apps go into e.g. /var/www/owncloud/apps, which is owned by http. Then you can set appstoreenabled to true and package upgrades of apps should work fine as well. Relevant lines from /etc/webapps/owncloud/config/config.php:

  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/share/webapps/owncloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/owncloud/apps',
      'url' => '/wapps',
      'writable' => true,
    ),
  ),

Example open_basedir line from /etc/php/php.ini (you might have other directories in there as well):

open_basedir = /srv/http/:/usr/share/webapps/:/var/www/owncloud/apps/

Directory permissions:

$ ls -ld /usr/share/webapps/owncloud/apps /var/www/owncloud/apps/
 drwxr-xr-x 26 root root 4096 des.  14 20:48 /usr/share/webapps/owncloud/apps
 drwxr-xr-x  2 http http   48 jan.  20 20:01 /var/www/owncloud/apps/
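A quick way to see which ownCloud directories an open_basedir value leaves out, as an added example that is not part of the original article. The function names and the /srv/owncloud-data path are hypothetical; it assumes entries are matched as directory names and compares paths textually, whereas PHP resolves symbolic links first.

```shell
#!/bin/sh
# Added example (not from the wiki). Function names are hypothetical.

# covered_by_basedir VALUE PATH
# Succeeds if PATH is one of the colon-separated directories in VALUE or lies
# below one of them. Textual comparison only: symlinks are not resolved.
covered_by_basedir() {
    path=${2%/}
    result=1
    old_ifs=$IFS; IFS=:
    set -f                          # no globbing while splitting the value
    for entry in $1; do
        [ -n "$entry" ] || continue
        case "$path/" in
            # "/srv/http" must not match "/srv/httpd": compare whole components
            "${entry%/}"/*) result=0; break ;;
        esac
    done
    set +f; IFS=$old_ifs
    return "$result"
}

# missing_dirs VALUE DIR...
# Prints every DIR that VALUE does not cover, one per line.
missing_dirs() {
    value=$1; shift
    for dir in "$@"; do
        covered_by_basedir "$value" "$dir" || printf '%s\n' "$dir"
    done
}

# open_basedir value from the php.ini example above.
OPEN_BASEDIR='/srv/http/:/usr/share/webapps/:/var/www/owncloud/apps/'

# Both apps paths from config.php, the config directory, and a constructed
# data directory (/srv/owncloud-data is a placeholder, not from the article).
missing_dirs "$OPEN_BASEDIR" \
    /usr/share/webapps/owncloud/apps \
    /var/www/owncloud/apps \
    /etc/webapps/owncloud/config \
    /srv/owncloud-data
```

Every directory it prints still has to be appended to open_basedir before ownCloud can write there.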

Security warnings even though the recommended settings have been included in nginx.conf

At the top of the admin page there might be a warning to set the Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection and X-Robots-Tag headers according to https://doc.owncloud.org/server/8.1/admin_manual/configuration_server/harden_server.html even though they are already set like that.

A possible cause is that ownCloud sets those headers itself, uwsgi passes them along, and nginx then adds them a second time:

$ curl -I https://domain.tld
...
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none

While the fast_cgi sample config has a parameter to avoid that ( fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice ), when using uwsgi and nginx the following modification of the uwsgi part in nginx.conf could help:

 /etc/nginx/nginx.conf
...
        # pass all .php or .php/path urls to uWSGI
        location ~ ^(.+\.php)(.*)$ {
            include uwsgi_params;
            uwsgi_modifier1 14;
            # hide the following headers received from uwsgi, because otherwise we would send them twice since we already add them in nginx itself
            uwsgi_hide_header X-Frame-Options;
            uwsgi_hide_header X-XSS-Protection;
            uwsgi_hide_header X-Content-Type-Options;
            uwsgi_hide_header X-Robots-Tag;
            #Uncomment line below if you get connection refused error. Remember to comment out the line with "uwsgi_pass 127.0.0.1:3001;" below
            uwsgi_pass unix:/run/uwsgi/owncloud.sock;
            #uwsgi_pass 127.0.0.1:3001;
        }
...
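The duplicate-header check described above, as an added example that is not part of the original article: it reads a header block such as the output of curl -sI and reports each hardening header that occurs more than once. The function names are hypothetical and the status line in the sample is constructed; the header lines are the ones from the curl output above.

```shell
#!/bin/sh
# Added example (not from the wiki). Function names are hypothetical.

# Hardening headers named in the admin-page warning, lower-cased.
WATCHED="strict-transport-security x-content-type-options x-frame-options x-xss-protection x-robots-tag"

# Reads a raw header block on stdin, e.g.  curl -sI https://domain.tld
# Prints "<header-name> <count>" for every watched header seen more than once.
dup_security_headers() {
    awk -F: -v names="$WATCHED" '
        BEGIN { n = split(names, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1 }
        {
            sub(/\r$/, "")              # curl prints CRLF line endings
            name = tolower($1)          # header names are case-insensitive
            if (name in watched) count[name]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[w[i]] > 1) print w[i], count[w[i]]
        }'
}

# Header lines from the curl output above; the status line is constructed.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
EOF
}

sample_headers | dup_security_headers
```

Once the uwsgi_hide_header lines are active and nginx has been reloaded, piping curl -sI for the site into dup_security_headers should print nothing.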

Password not saved

If the password is not saved and is asked for on every startup, try installing gnome-keyring; this helped under xfce4.

Upload and Share from File Manager

You can use the following script to quickly upload and share files to your ownCloud installation from Thunar (and possibly other file managers): https://github.com/schiesbn/shareLinkCreator. You need to edit the file with the proper configuration settings. Note: the password is stored as plain text.

See also