trying out the service of scaleway (3 dollars a month for a 4-core ARM server, 100 Mbit internet and 50 GB SSD storage..)
let's install ubuntu and owncloud on it and see how it performs!
installing a server with scaleway is easy. just add your pubkey, select the image you want, deploy and one minute later you can log in as root.
first consider/edit/delete the script that sets the hostname on every boot:
/etc/dhcp/dhclient-exit-hooks.d/hostname
this has advantages but also disadvantages.. leaving it in for now. (won't be able to set a FQDN for now, let's see if owncloud/apache work without it :)
first add a user and add it to the sudo group (so you can stop logging in as root):
# adduser andreas
# usermod -aG sudo andreas
then install basic firewall and mosh
apt-get install mosh ufw <-- BONUS: mosh is already installed :D
now there is a pesky little problem with ufw on scaleway's ubuntu build: parts of the stock rule set don't load on this kernel, so we switch off what fails (IPv6, logging) and replace the reject handling with a plain DROP. once the basic system is live and you have a root shell do this:
edit /etc/default/ufw, turn off IPv6 (looks like scaleway doesn't support IPv6 yet anyway), and set the input policy to ACCEPT:
IPV6=no
DEFAULT_INPUT_POLICY="ACCEPT"
edit /etc/ufw/after.rules, add this line just before the final COMMIT line (it has to be inside the *filter table, above COMMIT, or it is never loaded):
-A ufw-reject-input -j DROP
be aware of what this means: the INPUT chain's policy is now ACCEPT, so the only thing stopping unsolicited traffic is that explicit DROP at the end of ufw's reject chain. after enabling, check with iptables -S that ufw-reject-input ends in "-j DROP", test from another host that a port you did not allow is really unreachable, and re-check after the next reboot.
turn off ufw logging (the IPv6 logging rules would prevent it from starting), make sure SSH can get in, and start ufw:
ufw logging off
ufw allow 22/tcp
ufw enable
then allow mosh, http and https:
ufw allow mosh
ufw allow http
ufw allow https
verify with ufw status verbose
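before running ufw enable you can sanity-check the two edited files. this is an added example, not part of the original post: it verifies that /etc/default/ufw has IPv6 off and the ACCEPT input policy, and that the DROP rule in after.rules sits above the final COMMIT (placed after it, the rule is silently never loaded and the ACCEPT policy leaves every port open). it only reads the files and does not touch iptables; the two paths are parameters.

```shell
#!/bin/sh
# Added example (not from the original post): check the Scaleway ufw workaround
# before "ufw enable". With DEFAULT_INPUT_POLICY=ACCEPT the only thing that makes
# unmatched inbound traffic disappear is "-A ufw-reject-input -j DROP", and that
# line only takes effect if it is above the COMMIT that closes the *filter table.
# Usage: check_ufw_workaround /etc/default/ufw /etc/ufw/after.rules
# Returns 0 when everything is in place, 1 otherwise (problems are printed).

check_ufw_workaround() {
    defaults="$1"
    after_rules="$2"
    rc=0

    # IPv6 must be off: the ufw6 logging rules fail to load on this kernel.
    if ! grep -Eq '^IPV6="?no"?$' "$defaults"; then
        echo "FAIL: IPV6 is not set to no in $defaults"
        rc=1
    fi

    # The workaround relies on an ACCEPT input policy plus the explicit DROP.
    if ! grep -Eq '^DEFAULT_INPUT_POLICY="?ACCEPT"?$' "$defaults"; then
        echo "FAIL: DEFAULT_INPUT_POLICY is not ACCEPT in $defaults"
        rc=1
    fi

    # Line number of the DROP rule and of the last COMMIT; DROP must come first.
    drop_line=$(grep -n '^-A ufw-reject-input -j DROP$' "$after_rules" | tail -1 | cut -d: -f1)
    commit_line=$(grep -n '^COMMIT$' "$after_rules" | tail -1 | cut -d: -f1)
    if [ -z "$drop_line" ]; then
        echo "FAIL: no '-A ufw-reject-input -j DROP' in $after_rules"
        rc=1
    elif [ -z "$commit_line" ] || [ "$drop_line" -gt "$commit_line" ]; then
        echo "FAIL: DROP rule is after the final COMMIT in $after_rules (never loaded)"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: ufw workaround looks consistent"
    fi
    return "$rc"
}
```

run it as root with the real paths; a non-zero exit means fix the files before enabling, because with this setup a missing DROP is an open firewall, not a closed one.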
then start with basic security:
edit /etc/apache2/mods-available/ssl.conf
and change this
SSLProtocol all
to this
SSLProtocol all -SSLv3 -SSLv2
install these tools:
apt-get install logwatch fail2ban rkhunter
this pulls in postfix (logwatch mails its reports), so have a relay/smarthost at hand and configure postfix as a satellite system, not as an internet site!
on scaleway's security page disable "block SMTP" so the server can send mail
we will set up fail2ban and logwatch once owncloud and apache are live!
install the repository key of opensuse's build service, update and install owncloud from there. the key comes over plain http, so compare its fingerprint (apt-key finger) with the one published on the build service page before trusting it:
wget http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_14.04/Release.key
sudo apt-key add - < Release.key
refresh and install owncloud:
apt-get update
apt-get install owncloud
this pulls in owncloud and most of its dependencies and sets up the base owncloud system
now we want a subdomain so we need a vhost with apache and a matching ssl certificate:
first set up the server name and server admin, let's harden it and move to subdomain when it's ready.
edit /etc/apache2/sites-enabled/000-default.conf and adjust, then reload apache2 - check for errors
create a self-signed SSL cert (temporary, letsencrypt replaces it further down; the /etc/apache2/ssl directory has to exist first, and the key file should be readable by root only, chmod 600):
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/owncloud.pem -keyout /etc/apache2/ssl/owncloud.key
edit /etc/apache2/sites-available/default-ssl.conf and edit:
point the server to the certs you just created and adjust server name and server admin
save, enable ssl engine and enable the site:
a2enmod ssl
a2ensite default-ssl.conf
service apache2 reload
check for errors and test by going to https://[your server]/
back to owncloud:
go to your server’s URL to finish the install:
do not click on "finish" just yet, let's use MySQL/MariaDB for the database (sqlite is the default) and change the data directory to something outside the web root:
create a data dir that apache (www-data) can write to:
root@bespin:~# mkdir /var/oc-data
root@bespin:~# chown -R www-data:www-data /var/oc-data/
and set up mariadb/mysql. run mysql_secure_installation first (sets a root password, removes anonymous users, remote root login and the test database), then create a dedicated user that can only reach the owncloud database from localhost. pick a real generated password, the 'password' below is just a placeholder:
mysql -uroot -p
CREATE DATABASE IF NOT EXISTS owncloud;
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost';
FLUSH PRIVILEGES;
now enter this data in the owncloud window and finish install
once up create a user for yourself and enable the plugins “documents”, “contacts”, “calendar” and “mail” (roundcube plugin development is stopped apparently)
set strong directory permissions and default data storage
https://doc.owncloud.org/server/8.2/admin_manual/installation/installation_wizard.html#strong-perms-label
make sure you read the whole document (considering php and other stuff) – RUN THE SCRIPT TO GIVE APACHE ACCESS!
also remember to edit /etc/apache2/apache2.conf
(or, for a subdir/subdomain, the corresponding directory entry in the vhost) so AllowOverride is All (default is None); owncloud's own .htaccess hardening and the redirects below depend on it
#!/bin/bash
# ownCloud permission script (from the 8.2 admin manual), adjusted for the external data dir
set -e
ocpath='/var/www/owncloud'
datadir='/var/oc-data'
htuser='www-data'
htgroup='www-data'
rootuser='root' # On QNAP this is admin
[ -d "$ocpath" ] && [ -d "$datadir" ] || { echo "missing $ocpath or $datadir" >&2; exit 1; }
# files 0640, directories 0750: the web server reads through the group, nobody else gets in
find ${ocpath}/ -type f -print0 | xargs -0 -r chmod 0640
find ${ocpath}/ -type d -print0 | xargs -0 -r chmod 0750
find ${datadir}/ -type f -print0 | xargs -0 -r chmod 0640
find ${datadir}/ -type d -print0 | xargs -0 -r chmod 0750
# everything root-owned; the web server may only write to apps, config, themes and the data dir
chown -R ${rootuser}:${htgroup} ${ocpath}/
chown -R ${htuser}:${htgroup} ${ocpath}/apps/
chown -R ${htuser}:${htgroup} ${ocpath}/config/
chown -R ${htuser}:${htgroup} ${ocpath}/themes/
chown -R ${htuser}:${htgroup} ${datadir}/
# the .htaccess files stay root-owned and readable, so the web server can never rewrite its own restrictions
for h in ${ocpath}/.htaccess ${datadir}/.htaccess; do
  if [ -f "$h" ]; then
    chown ${rootuser}:${htgroup} "$h"
    chmod 0644 "$h"
  fi
done
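to see whether the script did its job (and to notice later if something "fixed" a problem with a chmod -R 777), here is an audit function. it is an added example, not from the original post or the owncloud manual: it reports anything under the owncloud tree or data dir that the group can write or that others can read, any .htaccess that is not 0644, and anything owned by the web server user outside apps/, config/, themes/ and the data dir. the paths and the www-data user are taken from the script above and are parameters.

```shell
#!/bin/sh
# Added example (not from the original post): audit the ownCloud tree after
# running the permission script. Reports
#   - files/dirs that are group-writable or accessible to "others"
#     (the script wants 0640/0750; only the two .htaccess files are 0644),
#   - .htaccess files whose mode is not 0644,
#   - anything owned by the web-server user outside apps/, config/, themes/
#     and the data directory (all the web server should ever write to).
# Usage: audit_oc_perms /var/www/owncloud /var/oc-data www-data
# Pass "" as the third argument to skip the ownership check.
# Returns 0 when nothing is reported, 1 otherwise.

audit_oc_perms() {
    ocpath="$1"; datadir="$2"; htuser="$3"
    findings=0

    # Anything others can touch, or the group can write, is too loose.
    loose=$(find "$ocpath" "$datadir" ! -name .htaccess \
                 \( -perm /o+rwx -o -perm /g+w \) -print)
    if [ -n "$loose" ]; then
        printf 'loose permissions:\n%s\n' "$loose"
        findings=$((findings + 1))
    fi

    # .htaccess must stay 0644: readable by the web server, never writable by it.
    for h in "$ocpath/.htaccess" "$datadir/.htaccess"; do
        if [ -e "$h" ] && [ "$(stat -c %a "$h")" != "644" ]; then
            echo "unexpected mode on $h: $(stat -c %a "$h")"
            findings=$((findings + 1))
        fi
    done

    # The web user may own apps/, config/, themes/ (and the data dir) and nothing else.
    if [ -n "$htuser" ]; then
        owned=$(find "$ocpath" \( -path "$ocpath/apps" -o -path "$ocpath/config" \
                     -o -path "$ocpath/themes" \) -prune -o -user "$htuser" -print)
        if [ -n "$owned" ]; then
            printf 'owned by %s outside the writable dirs:\n%s\n' "$htuser" "$owned"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}
```

run it as root after the permission script and again after every owncloud update; updates that run as www-data tend to leave new files owned by the web user in the wrong places.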
if you want openoffice preview/edit capability install libreoffice and set the path
#apt-get install libreoffice
in config.php add:
'preview_libreoffice_path' => '/usr/bin/soffice',
under admin > admin enable "local" office > save
take care of discovery for DAV and iOS
https://doc.owncloud.org/server/8.2/admin_manual/issues/index.html#service-discovery-label
assuming owncloud lives in /owncloud, add this to the .htaccess of the document root:
Redirect 301 /.well-known/carddav /owncloud/remote.php/carddav
Redirect 301 /.well-known/caldav /owncloud/remote.php/caldav
also: we want to have a redirect from the vhost “cloud.rudel.nl” to “owncloud.rudel.nl” AND use HTTPS while we are it :)
(this assumes the https server already points to /owncloud as root, otherwise another rewrite rule is needed)
just add this to apache config:
ServerName cloud.rudel.nl
Redirect permanent / https://owncloud.rudel.nl/
add another vhost if you want or enable for all subdomains
for the HTTPS server, why not enable Strict-Transport-Security? includeSubDomains and preload commit every subdomain to HTTPS for the whole max-age (a year here), and once the domain is on the browser preload list that is very hard to undo, so only send them if every subdomain really serves HTTPS:
enable mod_headers:
#a2enmod headers
edit vhost settings and add this:
ServerName owncloud.rudel.nl
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
edit /etc/apache2/mods-available/ssl.conf
disable all insecure/old protocol versions (this also locks out clients that can't do TLS 1.2; for a private cloud that is usually fine, check your own devices first):
SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
and make the server pick the cipher order (fast, forward-secret suites first) / drop the old and insecure ones:
SSLHonorCipherOrder on
SSLCipherSuite “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA3$
save, then check the config and restart apache:
# apache2ctl configtest && service apache2 restart
now lets continue working on securing and monitoring the server:
# apt-get install unattended-upgrades
# dpkg-reconfigure --priority=low unattended-upgrades
apt-get install xinetd check-mk-agent check-mk-agent-logwatch mailutils
configure xinetd and open the firewall for port 6556:
edit /etc/xinetd.d/check_mk, change disable = yes to no and set only_from to the monitoring server's IP. the agent answers in plaintext with no authentication of its own, so only_from plus the firewall rule below are the entire access control:
open firewall:
ufw allow from 80.101.222.80 proto tcp to any port 6556
restart xinetd using service xinetd restart
now set up logwatch / fail2ban / rkhunter
consider:
http://hardenubuntu.com/
also let's use letsencrypt (the client has since been renamed certbot, the commands have the same shape)! this is how to get our certs:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto
(will install several modules, find your domain(s) and install certificates)
to do: memcache / transactional file locking
result:
A+ rating on Qualys :)
https://www.ssllabs.com/ssltest/analyze.html?d=owncloud.rudel.nl&hideResults=on
set up the xmpp server: prosody
apt-get install prosody
configure as per example / global settings and add an admin user there
create some keys:
openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/xxxxxxxx.crt" -newkey rsa:4096 -keyout "/etc/ssl/private/xxxxxxxx.key"
UPDATE: use letsencrypt instead, this flag should do the trick (standalone mode runs its own listener on port 80/443, so stop apache for a moment while it runs):
./letsencrypt-auto certonly --standalone -d xmpp.rudel.nl
copy the certificate (fullchain.pem) from the domain's directory under /etc/letsencrypt/live/
copy the private key (privkey.pem) from the same place
under your server in your domain’s .cfg.lua add the certs
ssl = {
key = "/etc/prosody/xmpp.key";
certificate = "/etc/prosody/xmpp.crt";
}
(symlinks into /etc/letsencrypt/live/ don't work out of the box: live/ and archive/ are readable by root only, so prosody can't follow them; copying after each renewal is the simpler option)
secure the keys
sudo chmod 600 /path/to/certificate.key
sudo chown prosody:prosody /path/to/certificate.key
Prosody should also be able to read the parent directories of the file.
To test that only Prosody can read the file:
sudo -u prosody cat /path/to/certificate.key # Should succeed
sudo -u nobody cat /path/to/certificate.key # Should fail
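the copy/chown/chmod/test steps above as one function, added here and not part of the original post or of prosody: it takes the domain, copies fullchain.pem and privkey.pem out of /etc/letsencrypt/live/<domain>/, sets prosody:prosody and 0600 on the key and then re-checks the mode and owner. before copying it refuses a key that does not belong to the certificate, so a botched renewal can't replace a working pair with a broken one. the live directory, the destination /etc/prosody/certs and the prosody user are assumptions and all parameters.

```shell
#!/bin/sh
# Added example (not from the original post): install a Let's Encrypt
# certificate for Prosody. Assumes certbot's layout /etc/letsencrypt/live/<domain>/
# with fullchain.pem and privkey.pem, a destination of /etc/prosody/certs and a
# "prosody" system user; all of these are parameters. Run as root after each renewal.
# Usage: install_prosody_cert xmpp.rudel.nl [live_dir] [dest_dir] [owner]

install_prosody_cert() {
    domain="$1"
    live="${2:-/etc/letsencrypt/live}/$domain"
    dest="${3:-/etc/prosody/certs}"
    owner="${4:-prosody}"
    crt="$dest/$domain.crt"
    key="$dest/$domain.key"

    if [ ! -r "$live/fullchain.pem" ] || [ ! -r "$live/privkey.pem" ]; then
        echo "no certificate for $domain under $live" >&2
        return 1
    fi

    # Refuse a key/cert pair that does not belong together: derive the public
    # key from each side and compare (works for RSA and EC keys alike).
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout 2>/dev/null) \
        || { echo "cannot read $live/privkey.pem" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$live/fullchain.pem" -pubkey -noout 2>/dev/null) \
        || { echo "cannot read $live/fullchain.pem" >&2; return 1; }
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "privkey.pem does not match fullchain.pem for $domain" >&2
        return 1
    fi

    # Copy rather than symlink: live/ and archive/ under /etc/letsencrypt are
    # root-only, so prosody could not follow a link into them. The key is
    # created with a restrictive umask so it is never world-readable, even briefly.
    mkdir -p "$dest"
    cp "$live/fullchain.pem" "$crt"
    (umask 077 && cp "$live/privkey.pem" "$key")
    chown "$owner:$(id -gn "$owner")" "$crt" "$key"
    chmod 0644 "$crt"
    chmod 0600 "$key"

    # The same check the post does by hand: key readable by its owner only.
    if [ "$(stat -c %a "$key")" != "600" ] || [ "$(stat -c %U "$key")" != "$owner" ]; then
        echo "$key is not mode 0600 owned by $owner" >&2
        return 1
    fi
    echo "installed $crt and $key for $domain"
}
```

point the ssl block in the host's .cfg.lua at $dest/<domain>.crt and .key, and remember prosody also needs execute permission on the parent directories to reach them.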
Declaring the host
The configuration of the host im.example.org goes in the file /etc/prosody/conf.avail/im.example.org.cfg.lua; the file example.com.cfg.lua can serve as a model:
cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.rudel.nl.cfg.lua
With your favorite editor change the VirtualHost and enabled settings so you have:
VirtualHost "im.example.org"
--enabled = false -- Remove this line to enable this host
The line "enabled = [...]" can also be removed instead of commenting it out like above.
Also point to the key and the SSL certificate:
ssl = {
key = "/etc/prosody/certs/im.example.org.key";
certificate = "/etc/prosody/certs/im.example.org.cert";
}
If you already have a key/certificate pair for the same domain name (Common Name), for example from apache, point to it instead of the files listed above (prosody has to be able to read it, see the permission check above).
Now create the symbolic link in /etc/prosody/conf.d/ with:
ln -sf /etc/prosody/conf.avail/im.example.org.cfg.lua /etc/prosody/conf.d/im.example.org.cfg.lua
Several hosts with one configuration
Here is an example of a single configuration for multiple hosts (thanks to MattJ):
for _, host in ipairs { "example.net", "example.org" } do
VirtualHost (host)
option1 = "foo"
option2 = "bar"
end
Create users (single)
Creating user accounts is done with the command « prosodyctl »
prosodyctl adduser romeo@im.example.org
open the firewall for 5222/tcp (client-to-server) and 5269/tcp (server-to-server); IPv6 was switched off in ufw earlier, so only IPv4 applies until that changes
create DNS SRV records for optimal federation / domain delegation
use this template:
_xmpp-client._tcp.example.com. 18000 IN SRV 0 5 5222 xmpp.example.com.
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 xmpp.example.com.
_jabber._tcp.example.com. 18000 IN SRV 0 5 5222 xmpp.example.com. <-- legacy name from before RFC 3920; current clients and servers look up _xmpp-client/_xmpp-server, so it can be skipped. whether you write the trailing dots depends on where you enter this: in a zone file the names and targets are fully qualified and need the dot, while most DNS web panels add the zone name themselves, so there just add _xmpp-client._tcp (type SRV, value 0 5 5222 xmpp.domain.com.) and _xmpp-server._tcp (type SRV, value 0 5 5269 xmpp.domain.com.). the target must be a host name with an A (or AAAA) record, never an IP address. check the result with dig SRV _xmpp-client._tcp.rudel.nl:
;; QUESTION SECTION:
;_xmpp-client._tcp.rudel.nl. IN SRV
;; ANSWER SECTION:
_xmpp-client._tcp.rudel.nl. 3600 IN SRV 0 5 5222 telecity.rudel.nl.
;; ADDITIONAL SECTION:
telecity.rudel.nl. 3600 IN A 80.252.86.117
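a small checker for those records, added here and not part of the original post: it reads SRV answer lines in dig's format (as in the output above, or from dig +noall +answer SRV _xmpp-client._tcp.yourdomain) and applies the rules just described, right port per service, a fully qualified host name as target with the trailing dot, and never an IP literal. the sample records in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): validate XMPP SRV records.
# Reads dig-style answer lines on stdin, e.g.
#   _xmpp-client._tcp.rudel.nl. 3600 IN SRV 0 5 5222 telecity.rudel.nl.
# Field layout: owner ttl class type priority weight port target.
# Returns 0 when every record is sane, 1 otherwise; problems are printed.

check_xmpp_srv() {
    awk '
    $4 != "SRV" { print "not an SRV record: " $0; bad = 1; next }
    {
        if ($1 ~ /^_xmpp-client\._tcp\./)      want = 5222   # c2s
        else if ($1 ~ /^_xmpp-server\._tcp\./) want = 5269   # s2s / federation
        else if ($1 ~ /^_jabber\._tcp\./) {
            print "note: legacy _jabber record, not needed: " $1; next
        }
        else { print "unknown service: " $1; bad = 1; next }

        if ($7 != want) {
            print $1 " uses port " $7 ", expected " want; bad = 1
        }
        # RFC 2782: the target is a host name, never an address, and a
        # target of "." means "service not offered".
        if ($8 == ".") {
            print $1 " is a null SRV (service disabled)"; bad = 1
        }
        if ($8 !~ /\.$/) {
            print $1 " target " $8 " is not fully qualified (no trailing dot)"; bad = 1
        }
        if ($8 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.?$/ || $8 ~ /:/) {
            print $1 " target must be a host name, not an IP: " $8; bad = 1
        }
    }
    END { if (bad) exit 1; exit 0 }
    '
}
```

usage: dig +noall +answer SRV _xmpp-client._tcp.rudel.nl _xmpp-server._tcp.rudel.nl | check_xmpp_srv; a non-zero exit means clients (or other servers) will not find the host the way you think they will.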
restart and test
—————————————————-
https://doc.owncloud.org/server/8.2/admin_manual/installation/installation_wizard.html
the pieces below go in the apache config (apache2.conf or, better, the owncloud vhost), roughly like this (mod_rewrite has to be enabled: a2enmod rewrite):
# plain-http side (or global): everything that is not on 443 goes to https
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
# the https vhost
<VirtualHost *:443>
    ServerName owncloud.rudel.nl
    SSLEngine on
    # point these at wherever you actually put the cert and key (the self-signed pair above went to /etc/apache2/ssl/)
    SSLCertificateFile /etc/ssl/certs/owncloud.pem
    SSLCertificateKeyFile /etc/ssl/private/owncloud.key
    DocumentRoot /var/www/owncloud
    <Directory /var/www/owncloud>
        # no Indexes on a file store; AllowOverride All so owncloud's .htaccess applies
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
enforce redirect to SSL (disable plain HTTP) and enforce transport header security
see owncloud hardening document
TO DO: memcache and file locking > https://doc.owncloud.org/server/8.2/admin_manual/configuration_server/caching_configuration.html?highlight=memcache
apt-get install php5-apcu (note: ownCloud 8.x wants APCu 4.0.6 or newer and the php5-apcu package in Ubuntu 14.04 is older, which is the usual reason the config below refuses to work)
FAIL: edit config.php and add the config (didn’t work for me.. )
Quasselcore: building it myself:
http://bugs.quassel-irc.org/projects/1/wiki/Build_Core_On_Ubuntu
on the old host stop the daemon:
#service quasselcore stop
then copy over old quassel:
(assuming a single-user sqlite install without a particularly important certificate...) meaning one config file and one database file:
(do not copy the cert… let’s create a new one)
/var/lib/quassel/quasselcore.conf
and /var/lib/quassel/quassel-storage.sqlite
create a user called “quasselcore” with group “quassel” and its homedir in /var/lib/quassel
move these to /var/lib/quassel and change the permissions of the dir and the files to quasselcore:quassel (chown)
create /etc/default/quasselcore (that is the path the upstart script below sources):
# Defaults for quasselcore initscript
# sourced by /etc/init.d/quasselcore
# Loglevel Debug|Info|Warning|Error. Default is: Info
LOGLEVEL="Info"
# The port quasselcore will listen at. Default is: 4242
PORT="4242"
and the upstart script /etc/init/quasselcore.conf (make sure /var/log/quassel exists and is writable by quasselcore, otherwise the core dies on start and respawn keeps retrying):
# quasselcore - distributed IRC client using a central core component
#
# This is the core component of Quassel. A modern,
# cross-platform, distributed IRC client, meaning that one
# (or multiple) client(s) can attach to and detach from this
# central core. It's much like the popular combination
# of screen and a text-based IRC client such as WeeChat.
description "distributed IRC client using a central core component"
author "Michael Marley"
start on (filesystem and net-device-up IFACE!=lo)
stop on runlevel [!2345]
setuid quasselcore
setgid quassel
chdir /var/lib/quassel
env HOME=/var/lib/quassel
respawn
respawn limit 10 0
script
DATADIR="/var/lib/quassel"
LOGFILE="/var/log/quassel/core.log"
LOGLEVEL="Info"
PORT="4242"
test -f /etc/default/quasselcore && . /etc/default/quasselcore
exec quasselcore --configdir=$DATADIR --logfile=$LOGFILE --loglevel=$LOGLEVEL --port=$PORT
end script
post-stop exec sleep 5
create a cert (as user "quasselcore", so the file is owned by it; chmod 600 it afterwards since the same file holds the private key):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /var/lib/quassel/quasselCert.pem -out /var/lib/quassel/quasselCert.pem
check if the config checks out:
root@bespin:~# init-checkconf /etc/init/quasselcore.conf
File /etc/init/quasselcore.conf: syntax ok
root@bespin:~#
start the server
#service quasselcore start
open firewall:
#ufw allow 4242/tcp
and it should work :)