Linux NAS Archives - Page 2 of 2

12th August 2018

Updating Next Cloud using the CLI

For some reason I cannot used the included updater. It simply gives a blank screen.

This site really helped. https://blog.netways.de/2017/07/19/how-to-use-nextcloud-cli/

Update / Upgrade

Let’s start with upgrading to the newest version. Go to the directory where your nextcloud is located – there should be a folder called ‘updater’.

[root@nc-vm ~]# cd /var/www/nextcloud/updater

[root@nc-vm ~]

# ls index.php updater.phar

Inside the updater folder is a file called updater.phar.
Now execute the following command.

[root@nc-vm ~]# sudo -u www-data php updater.phar

Current version is 11.0.3.

Update to Nextcloud 12.0.0 available. (channel: "stable")
Following file will be downloaded automatically: https://download.nextcloud.com/server/releases/nextcloud-12.0.0.zip

Steps that will be executed:
[ ] Check for expected files
[ ] Check for write permissions
[ ] Enable maintenance mode
[ ] Create backup
[ ] Downloading
[ ] Extracting
[ ] Replace entry points
[ ] Delete old files
[ ] Move new files in place
[ ] Done

Start update? [y/N] y

Confirm with ‘y’ to start the update.

Info: Pressing Ctrl-C will finish the currently running step and then stops the updater.

[] Check for expected files
[] Check for write permissions
[] Enable maintenance mode
[] Create backup
[] Downloading
[] Extracting
[] Replace entry points
[] Delete old files
[] Move new files in place
[] Done

Update of code successful.

Should the "occ upgrade" command be executed? [Y/n] Y

After the new files have been moved in place you’ll have to confirm to execute the “occ upgrade” command.

Nextcloud or one of the apps require upgrade - only a limited number of commands are available
You may use your browser or the occ upgrade command to do the upgrade
Set log level to debug
Updating database schema
Updated database
Updating federatedfilesharing ...
Updated federatedfilesharing to 1.2.0
Updating files_pdfviewer ...
Updated files_pdfviewer to 1.1.1
Updating files_texteditor ...
..
..
Checking for update of app workflowengine in appstore
Checked for update of app "workflowengine" in appstore 
Starting code integrity check...
Finished code integrity check
Update successful
Maintenance mode is kept active
Reset log level

Keep maintenance mode active? [y/N] N

And finally you enter ‘N’ to disable the maintenance mode

Maintenance mode is disabled

And that’s it. But note: even if it tells you that a lot of apps are be updated, you may find that not all of your apps have been updated.

OCC Command

Next we’ll explore the features of the occ command.

[root@nc-vm ~]# cd /var/www/nextcloud

[root@nc-vm ~]

# sudo -u www-data php occ

You will get a long list of the available options and commands.

Nextcloud version 12.0.0

Usage:
  command [options] [arguments]

Options:
  -h, --help            Display this help message
  -q, --quiet           Do not output any message
  -V, --version         Display this application version
      --ansi            Force ANSI output
      --no-ansi         Disable ANSI output
  -n, --no-interaction  Do not ask any interactive question
      --no-warnings     Skip global warnings, show command output only
  -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Available commands:
  _completion                         BASH completion hook.
  check                               check dependencies of the server environment
  help                                Displays help for a command
  list                                Lists commands
  status                              show some status information
  ..
  ..
versions
  versions:cleanup                    Delete versions
  versions:expire                     Expires the users file versions

I won’t be able to cover all of them in this post. But I’ll go over a view of them in the following.

Reset Admin Password

This is pretty useful if you forgot your admin password and you find yourself locked out of your Nextcloud.

[root@nc-vm ~]# sudo -u www-data php /var/www/nextcloud/occ user:resetpassword admin
Enter a new password: 
Confirm the new password: 
Successfully reset password for admin

Change Log Level

Sometimes you to increase the log level to figure out what is wrong. By default the log level is set to ‘warning’ (level 2).
To get more information you’ll have to decrease the number. So 1 is level ‘info’ and 0 is for ‘debug’.
You may also set it to ‘error’ which is level 3 to get less information.

[root@nc-vm ~]# sudo -u www-data php occ log:manage --level 0
Enabled logging backend: file
Log level: Debug (0)
Log timezone: UTC

Encryption

For server side encryption it’s necessary to enable the encryption app first.
(In Nextcloud Version 12.0.0 and prior enryption does not work with S3 object store as primary storage.)

[root@nc-vm ~]# sudo -u www-data php occ app:enable encryption
encryption enabled

And then enable encryption

[root@nc-vm ~]# sudo -u www-data php occ encryption:enable
Encryption enabled

Default module: OC_DEFAULT_MODULE

Note that only new uploaded files will be encrypted and not the existing ones.
In order to encrypt all existing files of all users you will have to issue the following command:

[root@nc-vm ~]# sudo -u www-data php occ encryption:encrypt-all


You are about to encrypt all files stored in your Nextcloud installation.
Depending on the number of available files, and their size, this may take quite some time.
Please ensure that no user accesses their files during this time!
Note: The encryption module you use determines which files get encrypted.

Do you really want to continue? (y/n) y

Continue with ‘y’. You may notify the users by mail about their private key passwords.
But this only works if the users have provided their email-addresses.

Encrypt all files with the Default encryption module
====================================================


Create key-pair for every user
------------------------------

This module will encrypt all files in the users files folder initially.
Already existing versions and files in the trash bin will not be encrypted.



 Key-pair created for all users 
 [============================]

Start to encrypt users files
----------------------------



 all files encrypted 
 [>---------------------------]

Generated encryption key passwords
----------------------------------

+-----------+----------------------+
| Username  | Private key password |
+-----------+----------------------+
| admin     | BqaK1WtI             |
+-----------+----------------------+


A list of all newly created passwords was written to data/oneTimeEncryptionPasswords.csv

Each of these users need to login to the web interface, go to the
personal settings section "basic encryption module" and
update the private key password to match the login password again by
entering the one-time password into the "old log-in password" field
and their current login password

Do you want to send the passwords directly to the users by mail? (y/n) n

Configuration

Usually the config file for Nextcloud is located in /var/www/nextcloud/config.
So in order to change the configuration you may edit the file /var/www/nextcloud/config/config.php with a text editor.
But you can also import a custom config file in json format. In this example I imported a config to set Ceph S3 object store as primary storage for Nextcloud:

[root@nc-vm ~]# cat objectstore.json
{"system": {
        "objectstore": {
            "class": "OC\\\\Files\\\\ObjectStore\\\\S3",
            "arguments": {
                    "bucket": "$RGW_BUCKET",
                    "autocreate": true,
                    "key": "$RGW_KEY",
                    "secret": "$RGW_SECRET",
                    "hostname": "$RGW_HOSTNAME",
                    "use_ssl": true,
                    "use_path_style": true
            }
        }
}}

[root@nc-vm ~]

# sudo -u www-data php occ config:import objectstore.json Config successfully imported from: objectstore.json

It’s also possible to view only specific sections of the config:

[root@nc-vm ~]# sudo -u www-data php occ config:system:get objectstore
class: OC\\Files\\ObjectStore\\S3
arguments:
  bucket: $RGW_BUCKET
  autocreate: true
  key: $RGW_KEY
  secret: $RGW_SECRET
  hostname: $RGW_HOSTNAME
  use_ssl: true
  use_path_style: true

Apps

To get a list of all installed enabled and disabled apps:

[root@nc-vm ~]# sudo -u www-data php occ app:list                                                  
Enabled:
  - activity: 2.5.2
  - bruteforcesettings: 1.0.2
  - calendar: 1.5.3
  - comments: 1.2.0
  ..
  ..
  - workflowengine: 1.2.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - previewgenerator
  - user_external
  - user_ldap

To enable/disable apps:

[root@nc-vm ~]# sudo -u www-data php occ app:enable previewgenerator
previewgenerator enabled

[root@nc-vm ~]

# sudo -u www-data php occ app:disable calendar calendar disabled

Like I mentioned before, there are many more commands and the ones I picked are just a view of them.
But I hope they were useful at least for some of you.

9th August 201818th September 2018

OMV – Changes to NGINX for self hosted sites

So this is how I have decided to configure NGINX to get different packages working under OMV. So the fix needed for Webtrees was to have another Server block which was not the same as that here /etc/nginx/sites-available/openmediavault-webgui. So I copied this file and renamed as a new file matching my site URL. Added a symlink from /etc/nginx/sites-enabled Inside the new file I needed to change a few lines …..

#    server_name openmediavault-webgui;
# change to
    server_name my_new_url;

#    listen [::]:80 ipv6only=off;
# change to
    listen [::]:80 default_server;

#    listen [::]:443 ipv6only=off ssl deferred;
# change to
    listen [::]:443 default_server;

#    include /etc/nginx/openmediavault-webgui.d/*.conf;
# change to

    include /etc/nginx/my_new_url_file.d/*.conf;

I then moved all the .conf files and added symlinks back to the opemmediavault files. Next Cloud – harder as needed to use root and not Alias

location /nextcloud {
	root /media/www;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";<br />
    location = /nextcloud/robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }


	location = /nextcloud/.well-known/carddav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    location = /nextcloud/.well-known/caldav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    location /nextcloud/.well-known/acme-challenge { 
    }


	rewrite_log on;


	# set max upload size
    client_max_body_size 512M;
  	fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
    gzip on;
  	gzip_vary on;
  	gzip_comp_level 4;
  	gzip_min_length 256;
  	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

	# Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    location /nextcloud/{
 #   	rewrite ^ /nextcloud/index.php$request_uri;
 #   	rewrite ^/nextcloud/(.*) /nextcloud/$1;
    	rewrite ^ /nextcloud/index.php$uri;

   }

  	location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    	deny all;
  	}

    location ~ ^/nextcloud(?:\.|autotest|occ|issue|indie|db_|console) {
    	deny all;
  	}

  	location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
 		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param SCRIPT_FILENAME /media/13eaa8c9-07ee-4dfc-9d1b-adfae0f0248d/www/nextcloud/$fastcgi_script_name;
        #fastcgi_param SCRIPT_FILENAME  $request_filename;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
       	fastcgi_param front_controller_active true;
        fastcgi_pass unix:/var/run/my_sock_name.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
	}
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files /nextcloud/$uri/ =404;
        index index.php;
    }
     location ~ /nextcloud/(?:$|/)\.(?:js|css|woof|svg|html|ttf|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
}

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
  	location ~ \.(?:css|js|woff|svg|gif)$ {     
        try_files $uri $uri/ /nextcloud/index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers  (It is intended
        # to have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read
        # into this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
        }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
       	try_files $uri $uri/ /nextcloud/index.php$request_uri;
         # Optional: Don't log access to other assets
        access_log off;
    }

}

Firefly

location /firefly {
    root /media/www/firefly-iii;

    index index.php;
    try_files $uri $uri/ /firefly/index.php?$query_string;
    autoindex on;
    sendfile off;

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/var/run/my_sock_name.sock;
    }

    location = /firefly/favicon.ico {
        access_log off;
        log_not_found off;
    }

    location = /firefly/robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }

    location ~ /firefly/\. {
        deny all;
    }

    location ~* /firefly/(?:config)/.*\.php$ {
        deny all;
    }

    location ~* /firefly/\.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}

So the fix needed for Webtrees was to have another Server block which was not the same as that here /etc/nginx/sites-available/openmediavault-webgui. So I copied this file and renamed as a new file matching my site URL. Added a symlink from /etc/nginx/sites-enabled Inside the new file I needed to change a few lines …..

#    server_name openmediavault-webgui;
# change to
    server_name my_new_url;

#    listen [::]:80 ipv6only=off;
# change to
    listen [::]:80 default_server;

#    listen [::]:443 ipv6only=off ssl deferred;
# change to
    listen [::]:443 default_server;

#    include /etc/nginx/openmediavault-webgui.d/*.conf;
# change to

    include /etc/nginx/my_new_url_file.d/*.conf;

I then moved all the .conf files and added symlinks back to the opemmediavault files. I have wanted to run a number of packages so that all I needed to do was to type in the IP address of the OMV/package_name. I also wanted to run these from a separate drive in my case mapped to /media/www/package_name. I struggled with the NGINX configuration but there were clues in the way Mysql is implemented in the NGINX .conf files. I thought I would share what I did and if someone can improve on this great. Firstly worth saying I have Webmin installed which helps with the configuration and I have included the NGINX plugin for Webmin. OMV stores the config in /etc/nginx/sites-available/openmediavault-webgui. (note NGINX only uses these configurations if there is a symlink from the /etc/nginx/sites-enabled folder. If you examine this folder it has at the bottom a line which is include /etc/nginx/openmediavault-webgui.d/*.conf; So this indicates we can include additional configurations in the folder /etc/nginx/openmediavault-webgui.d. And sure enough there is one for Mysql – openmediavault-mysql-management-site.conf. The PHP sock is in this line fastcgi_pass unix:/var/run/php-fpm-openmediavault-mysql.sock. And you can see the shortcut to the file if you take a look in /var/run. The actual PHP config are held in /etc/php/7.0/fpm/pool.d. This is important as I did not want to change the openmediavault-webgui.d so any future changes to OMV would not overwrite my changes. These pool.d files are written using the NGINX plugin in OMV. So if you add a Pool via the NGINX plugin it creates the pool.d folder file after first writing the config to the /etc/openmediavault/config.xml. See more about this here openmediavault.readthedocs.io/…opment/internaltools.html So I figured that I could use the NGINX plugin to create the pool.d files and the associated symlink in /var/run and create my own nginx .conf files in /etc/nginx/openmediavault-webgui.d folder by copying the openmediavault-mysql-management-site.conf and altering the link to the .sock file. i.e. changing the line fastcgi_pass unix:/var/run/php-fpm-openmediavault-mysql.sock. to fastcgi_pass unix:/var/run/my_new_nginx_name.sock in the copied file. I successfully added 1. WordPress 2. Nextcloud 3. Piwigo 4. Firefly 5. Webtrees 6. Extplorer The config was slightly different for each one and Webtrees was particularly tricky for me and the URL was changed to have the server “openmediavault-webgui” in the file /etc/nginx/sites-available/openmediavault-webgui replacing the url after openmediavault-webgui/webtrees which messed by everything. More on Webtrees lower in the post. So for WordPress the NGINX .conf file is (similar for Piwigo and Extplorer and Webtrees)

location /wordpress {
    alias /media/13eaa8c9-07ee-4dfc-9d1b-adfae0f0248d/www/wordpress;

    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    index index.php;
    try_files $uri $uri/ index.php;

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
       fastcgi_pass unix:/var/run/fpm-19e311b1-25e1-4257-8dbc-d49c5ec59015.sock;
       #fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    location = /wordpress/favicon.ico {
        access_log off;
        log_not_found off;
    }

    location = /wordpress/robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }

    location ~ /wordpress/\. {
        deny all;
    }

    location ~* /wordpress/(?:config)/.*\.php$ {
        deny all;
    }

    location ~* /wordpress/\.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}

Next Cloud – harder as needed to use root and not Alias

location /nextcloud {
	root /media/www;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";<br />
    location = /nextcloud/robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }


	location = /nextcloud/.well-known/carddav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    location = /nextcloud/.well-known/caldav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    location /nextcloud/.well-known/acme-challenge { 
    }


	rewrite_log on;


	# set max upload size
    client_max_body_size 512M;
  	fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
    gzip on;
  	gzip_vary on;
  	gzip_comp_level 4;
  	gzip_min_length 256;
  	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

	# Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    location /nextcloud/{
 #   	rewrite ^ /nextcloud/index.php$request_uri;
 #   	rewrite ^/nextcloud/(.*) /nextcloud/$1;
    	rewrite ^ /nextcloud/index.php$uri;

   }

  	location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    	deny all;
  	}

    location ~ ^/nextcloud(?:\.|autotest|occ|issue|indie|db_|console) {
    	deny all;
  	}

  	location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
 		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param SCRIPT_FILENAME /media/13eaa8c9-07ee-4dfc-9d1b-adfae0f0248d/www/nextcloud/$fastcgi_script_name;
        #fastcgi_param SCRIPT_FILENAME  $request_filename;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
       	fastcgi_param front_controller_active true;
        fastcgi_pass unix:/var/run/my_sock_name.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
	}
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files /nextcloud/$uri/ =404;
        index index.php;
    }
     location ~ /nextcloud/(?:$|/)\.(?:js|css|woof|svg|html|ttf|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
}

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
  	location ~ \.(?:css|js|woff|svg|gif)$ {     
        try_files $uri $uri/ /nextcloud/index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers  (It is intended
        # to have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read
        # into this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
        }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
       	try_files $uri $uri/ /nextcloud/index.php$request_uri;
         # Optional: Don't log access to other assets
        access_log off;
    }

}

Firefly

location /firefly {
    root /media/www/firefly-iii;

    index index.php;
    try_files $uri $uri/ /firefly/index.php?$query_string;
    autoindex on;
    sendfile off;

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/var/run/my_sock_name.sock;
    }

    location = /firefly/favicon.ico {
        access_log off;
        log_not_found off;
    }

    location = /firefly/robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }

    location ~ /firefly/\. {
        deny all;
    }

    location ~* /firefly/(?:config)/.*\.php$ {
        deny all;
    }

    location ~* /firefly/\.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}

#    server_name openmediavault-webgui;
# change to
    server_name my_new_url;

#    listen [::]:80 ipv6only=off;
# change to
    listen [::]:80 default_server;

#    listen [::]:443 ipv6only=off ssl deferred;
# change to
    listen [::]:443 default_server;

#    include /etc/nginx/openmediavault-webgui.d/*.conf;
# change to

    include /etc/nginx/my_new_url_file.d/*.conf;

location /wordpress {
    alias /media/13eaa8c9-07ee-4dfc-9d1b-adfae0f0248d/www/wordpress;

    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    index index.php;
    try_files $uri $uri/ index.php;

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
       fastcgi_pass unix:/var/run/fpm-19e311b1-25e1-4257-8dbc-d49c5ec59015.sock;
       #fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    location = /wordpress/favicon.ico {
        access_log off;
        log_not_found off;
    }

    location = /wordpress/robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }

    location ~ /wordpress/\. {
        deny all;
    }

    location ~* /wordpress/(?:config)/.*\.php$ {
        deny all;
    }

    location ~* /wordpress/\.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}

Next Cloud – harder as needed to use root and not Alias

location /nextcloud {
	root /media/www;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";<br />
    location = /nextcloud/robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }


	location = /nextcloud/.well-known/carddav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    location = /nextcloud/.well-known/caldav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    location /nextcloud/.well-known/acme-challenge { 
    }


	rewrite_log on;


	# set max upload size
    client_max_body_size 512M;
  	fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
    gzip on;
  	gzip_vary on;
  	gzip_comp_level 4;
  	gzip_min_length 256;
  	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

	# Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    location /nextcloud/{
 #   	rewrite ^ /nextcloud/index.php$request_uri;
 #   	rewrite ^/nextcloud/(.*) /nextcloud/$1;
    	rewrite ^ /nextcloud/index.php$uri;

   }

  	location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    	deny all;
  	}

    location ~ ^/nextcloud(?:\.|autotest|occ|issue|indie|db_|console) {
    	deny all;
  	}

  	location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
 		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param SCRIPT_FILENAME /media/13eaa8c9-07ee-4dfc-9d1b-adfae0f0248d/www/nextcloud/$fastcgi_script_name;
        #fastcgi_param SCRIPT_FILENAME  $request_filename;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
       	fastcgi_param front_controller_active true;
        fastcgi_pass unix:/var/run/my_sock_name.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
	}
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files /nextcloud/$uri/ =404;
        index index.php;
    }
     location ~ /nextcloud/(?:$|/)\.(?:js|css|woof|svg|html|ttf|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
}

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
  	location ~ \.(?:css|js|woff|svg|gif)$ {     
        try_files $uri $uri/ /nextcloud/index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers  (It is intended
        # to have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read
        # into this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
        }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
       	try_files $uri $uri/ /nextcloud/index.php$request_uri;
         # Optional: Don't log access to other assets
        access_log off;
    }

}

Firefly

location /firefly {
    root /media/www/firefly-iii;

    index index.php;
    try_files $uri $uri/ /firefly/index.php?$query_string;
    autoindex on;
    sendfile off;

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/var/run/my_sock_name.sock;
    }

    location = /firefly/favicon.ico {
        access_log off;
        log_not_found off;
    }

    location = /firefly/robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }

    location ~ /firefly/\. {
        deny all;
    }

    location ~* /firefly/(?:config)/.*\.php$ {
        deny all;
    }

    location ~* /firefly/\.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}

#    server_name openmediavault-webgui;
# change to
    server_name my_new_url;

#    listen [::]:80 ipv6only=off;
# change to
    listen [::]:80 default_server;

#    listen [::]:443 ipv6only=off ssl deferred;
# change to
    listen [::]:443 default_server;

#    include /etc/nginx/openmediavault-webgui.d/*.conf;
# change to

    include /etc/nginx/my_new_url_file.d/*.conf;

I then moved all the .conf files and added symlinks back to the opemmediavault files.

7th August 201814th August 2018

Firefly III on OMV

Once Composer was installed started to follow instructions on the Firefly site —>
https://firefly-iii.readthedocs.io/en/latest/installation/server.html

and also here
https://gist.github.com/philthynz/ec04833a8e39c7f7d1b0d33cb4197a95

In order to have Firefly running without access to other users I created a new user for Firefly.

A new SQL database was added using mysql with the new users being the users allowed the complete access to the new database.

When I first ran the install command

composer create-project grumpydictator/firefly-iii --no-dev --prefer-dist firefly-iii 4.7.5

I got the following error

[InvalidArgumentException]
Could not find package grumpydictator/firefly-iii with version 4.7.5 in a version installable using your PHP version 7.0.30.

Following this through by looking at the available packages at https://packagist.org/packages/grumpydictator/firefly-iii highlighted that version 4.7.5 needed PHP 7.1. This is not yet available on Debian as an official release. Further searching at the packagist site shows that the latest version for PHP 7.0 is 4.6.3.1. I installed this and all was OK.

But I want the latest release. So I googled and found there is a 7.2 release. See here https://www.chris-shaw.com/blog/installing-php-7.2-on-debian-8-jessie-and-debian-9-stretch. I installed this following the instructions. A few extra packages were needed to get all OK for Firefly php7.2-zip, php7.2-bcmath, php7.2-intl.

It is worth noting that the installer creates the directory for Firefly and you do not need to create this first. If the installer fails however the directory the installer creates needs to be deleted before the installer is run again.

This time I ran

composer create-project  grumpydictator/firefly-iii --no-dev --prefer-dist firefly-iii 4.7.5.3

and it worked fine


Installing grumpydictator/firefly-iii (4.7.5.3)
- Installing grumpydictator/firefly-iii (4.7.5.3): Loading from cache
Created project in firefly-iii
&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; @php -r "file_exists('.env') || copy('.env.example', '.env');"
&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; @php -r "if (!(getenv('DYNO'))===false){file_exists('.env') || copy('.env.heroku', '.env');}"
Loading composer repositories with package information
Installing dependencies from lock file
Package operations: 62 installs, 0 updates, 0 removals
- Installing bacon/bacon-qr-code (1.0.3): Downloading (100%)
- Installing psr/http-message (1.0.1): Downloading (100%)
- Installing guzzlehttp/psr7 (1.4.2): Downloading (100%)
- Installing guzzlehttp/promises (v1.3.1): Downloading (100%)
- Installing guzzlehttp/guzzle (6.3.3): Downloading (100%)
- Installing bunq/sdk_php (dev-master 8c1faef): Downloading (100%)
- Installing vlucas/phpdotenv (v2.5.0): Downloading (100%)
- Installing symfony/css-selector (v4.1.2): Downloading (100%)
- Installing tijsverkoyen/css-to-inline-styles (2.2.1): Downloading (100%)
- Installing symfony/polyfill-php72 (v1.8.0): Downloading (100%)
- Installing symfony/polyfill-mbstring (v1.8.0): Downloading (100%)
- Installing symfony/var-dumper (v4.1.2): Downloading (100%)
- Installing symfony/routing (v4.1.2): Downloading (100%)
- Installing symfony/process (v4.1.2): Downloading (100%)
- Installing symfony/polyfill-ctype (v1.8.0): Downloading (100%)
- Installing symfony/http-foundation (v4.1.2): Downloading (100%)
- Installing symfony/event-dispatcher (v4.1.2): Downloading (100%)
- Installing psr/log (1.0.2): Loading from cache
- Installing symfony/debug (v4.1.2): Downloading (100%)
- Installing symfony/http-kernel (v4.1.2): Downloading (100%)
- Installing symfony/finder (v4.1.2): Downloading (100%)
- Installing symfony/console (v4.1.2): Downloading (100%)
- Installing doctrine/lexer (v1.0.1): Loading from cache
- Installing egulias/email-validator (2.1.4): Downloading (100%)
- Installing swiftmailer/swiftmailer (v6.1.2): Downloading (100%)
- Installing paragonie/random_compat (v2.0.17): Downloading (100%)
- Installing ramsey/uuid (3.8.0): Downloading (100%)
- Installing psr/simple-cache (1.0.1): Downloading (100%)
- Installing psr/container (1.0.0): Downloading (100%)
- Installing symfony/translation (v4.1.2): Downloading (100%)
- Installing nesbot/carbon (1.25.0): Downloading (100%)
- Installing monolog/monolog (1.23.0): Loading from cache
- Installing league/flysystem (1.0.45): Downloading (100%)
- Installing erusev/parsedown (1.7.1): Downloading (100%)
- Installing dragonmantank/cron-expression (v2.2.0): Downloading (100%)
- Installing doctrine/inflector (v1.3.0): Downloading (100%)
- Installing laravel/framework (v5.6.29): Downloading (100%)
- Installing davejamesmiller/laravel-breadcrumbs (5.1.0): Downloading (100%)
- Installing doctrine/event-manager (v1.0.0): Downloading (100%)
- Installing doctrine/cache (v1.7.1): Downloading (100%)
- Installing doctrine/dbal (v2.8.0): Downloading (100%)
- Installing fideloper/proxy (4.0.0): Downloading (100%)
- Installing zendframework/zend-diactoros (1.8.3): Downloading (100%)
- Installing symfony/psr-http-message-bridge (v1.0.2): Downloading (100%)
- Installing phpseclib/phpseclib (2.0.11): Downloading (100%)
- Installing league/event (2.1.2): Downloading (100%)
- Installing lcobucci/jwt (3.2.2): Downloading (100%)
- Installing defuse/php-encryption (v2.2.1): Downloading (100%)
- Installing league/oauth2-server (6.1.1): Downloading (100%)
- Installing firebase/php-jwt (v5.0.0): Downloading (100%)
- Installing laravel/passport (v5.0.3): Downloading (100%)
- Installing laravelcollective/html (v5.6.10): Downloading (100%)
- Installing league/commonmark (0.17.5): Downloading (100%)
- Installing league/csv (9.1.4): Downloading (100%)
- Installing league/fractal (0.17.0): Downloading (100%)
- Installing paragonie/constant_time_encoding (v2.2.2): Downloading (100%)
- Installing symfony/polyfill-util (v1.8.0): Downloading (100%)
- Installing symfony/polyfill-php56 (v1.8.0): Downloading (100%)
- Installing pragmarx/google2fa (v3.0.1): Downloading (100%)
- Installing pragmarx/google2fa-laravel (v0.2.0): Downloading (100%)
- Installing twig/twig (v1.35.4): Downloading (100%)
- Installing rcrowe/twigbridge (v0.9.6): Downloading (100%)
Generating optimized autoload files
&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; Illuminate\Foundation\ComposerScripts::postAutoloadDump
&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; php artisan firefly:instructions install
+------------------------------------------------------------------------------+
| |
| Thank you for installing Firefly III, v4.7.5.3! |
| |
| |
+------------------------------------------------------------------------------+
&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; @php artisan key:generate

and the key needed for config is generated.

So artisan is part of PHP 7.2 and not PHP 7.0!

I have not listed the key for obvious reasons!!

The .env file was then updated following the instructions here https://gist.github.com/philthynz/ec04833a8e39c7f7d1b0d33cb4197a95

and then the following command run

/media/www/firefly-iii# php artisan migrate:refresh --seed

with this result

Migration table not found.
Migration table created successfully.
Migrating: 2016_06_16_000000_create_support_tables
Migrated: 2016_06_16_000000_create_support_tables
Migrating: 2016_06_16_000001_create_users_table
Migrated: 2016_06_16_000001_create_users_table
Migrating: 2016_06_16_000002_create_main_tables
Migrated: 2016_06_16_000002_create_main_tables
Migrating: 2016_08_25_091522_changes_for_3101
Migrated: 2016_08_25_091522_changes_for_3101
Migrating: 2016_09_12_121359_fix_nullables
Migrated: 2016_09_12_121359_fix_nullables
Migrating: 2016_10_09_150037_expand_transactions_table
Migrated: 2016_10_09_150037_expand_transactions_table
Migrating: 2016_10_22_075804_changes_for_v410
Migrated: 2016_10_22_075804_changes_for_v410
Migrating: 2016_11_24_210552_changes_for_v420
Migrated: 2016_11_24_210552_changes_for_v420
Migrating: 2016_12_22_150431_changes_for_v430
Migrated: 2016_12_22_150431_changes_for_v430
Migrating: 2016_12_28_203205_changes_for_v431
Migrated: 2016_12_28_203205_changes_for_v431
Migrating: 2017_04_13_163623_changes_for_v440
Migrated: 2017_04_13_163623_changes_for_v440
Migrating: 2017_06_02_105232_changes_for_v450
Migrated: 2017_06_02_105232_changes_for_v450
Migrating: 2017_08_20_062014_changes_for_v470
Migrated: 2017_08_20_062014_changes_for_v470
Migrating: 2017_11_04_170844_changes_for_v470a
Migrated: 2017_11_04_170844_changes_for_v470a
Migrating: 2018_01_01_000001_create_oauth_auth_codes_table
Migrated: 2018_01_01_000001_create_oauth_auth_codes_table
Migrating: 2018_01_01_000002_create_oauth_access_tokens_table
Migrated: 2018_01_01_000002_create_oauth_access_tokens_table
Migrating: 2018_01_01_000003_create_oauth_refresh_tokens_table
Migrated: 2018_01_01_000003_create_oauth_refresh_tokens_table
Migrating: 2018_01_01_000004_create_oauth_clients_table
Migrated: 2018_01_01_000004_create_oauth_clients_table
Migrating: 2018_01_01_000005_create_oauth_personal_access_clients_table
Migrated: 2018_01_01_000005_create_oauth_personal_access_clients_table
Migrating: 2018_03_19_141348_changes_for_v472
Migrated: 2018_03_19_141348_changes_for_v472
Migrating: 2018_04_07_210913_changes_for_v473
Migrated: 2018_04_07_210913_changes_for_v473
Migrating: 2018_04_29_174524_changes_for_v474
Migrated: 2018_04_29_174524_changes_for_v474
Migrating: 2018_06_08_200526_changes_for_v475
Migrated: 2018_06_08_200526_changes_for_v475
Seeding: AccountTypeSeeder
Seeding: TransactionCurrencySeeder
Seeding: TransactionTypeSeeder
Seeding: PermissionSeeder
Seeding: LinkTypeSeeder
Seeding: ConfigSeeder

and then this run

/media/www/firefly-iii# php artisan passport:install
Encryption keys generated successfully.
Personal access client created successfully. Client ID: 1 Client Secret: ..........
Password grant client created successfully. Client ID: 2 Client Secret: ........

Continue to follow instructions

Update Postfix
Update Aliases
Change ownership of directory firefly-iii to www-data for NGINX and PHP

From this point I changed direction and decided to use the NGINX plug in for OMV and add a sock for Firefly.

And the could never get to work. The tried to address a php7.2 error and ended up by mistake deleting OMV again!

So started again. I am deciding to run this only with supported packages. i.e. I’ll wait for PHP 7+ on Debian.

So basically did the steps above again. Created a new sock.

The NGINX configuration was a bit tricky but this worked in the end.

location /firefly {
root /path to install/firefly-iii;

index index.php;
try_files $uri $uri/ /firefly/index.php?$query_string;
autoindex on;
sendfile off;

location ~ \.php$ {
include fastcgi.conf;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/var/run/sockname.sock;
}

location = /firefly/favicon.ico {
access_log off;
log_not_found off;
}

location = /firefly/robots.txt {
allow all;
access_log off;
log_not_found off;
}

location ~ /firefly/\. {
deny all;
}

location ~* /firefly/(?:config)/.*\.php$ {
deny all;
}

location ~* /firefly/\.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
}

7th August 20187th August 2018

Recursive changes for CHMOD and CHOWN

So more trouble with the OMV box and associated link to the Synology Diskstation! Another story.

However I have moved the Family History site based on Webtrees to the OMV having mistakenly deleted every file in the /volume1/web directory. Luckly it changes very seldomly and I had an sql backup which was OK.

However the install does not seem to give the right directory or file permissions. I have done a CHOWN to give www-data as both user and group but now want to recursively have directories as 755 an files as 644.

find /media/www/webtrees -type d -exec chmod 755 {} \;

and

find /media/www/webtrees -type f -exec chmod 644 {} \;

does the trick.

31st July 201831st July 2018

OMV Error Access denied for user ‘debian-sys-maint’@’localhost’

Fixed this by adding a new user to MySQL and used password in /etc/mysql/debian.cnf

31st July 201831st July 2018

Composer on OMV – harder than I thought

So I now decided it would be nice to install firefly iii.

This needs Composer.

So installing Composer is proving harder than expected.

The download keeps timing out go gave up and just downloaded latest version (1.6.5) from here

https://getcomposer.org/download/

Created a /usr/local/composer directory and downloaded the file into that.

Then executed


mv /usr/local/composer/composer.phar /usr/local/bin/composer

chmod +x /usr/local/bin/composer

composer -v

All seems OK now

The problem seems to be something to do with the way curl works with ipv6 vs ipv4.

I also enabled ipv6 on the OMV box.

So I did add

ipv4 >> ~/.curlrc

but still made no difference.

30th July 201830th July 2018

OMV random mail alerts after update to Arrakis

See here

https://forum.openmediavault.org/index.php/Thread/21204-Mail-alert-after-the-update-to-arrakis/

Removed php5 cron job which was sending random alterts.

27th July 201830th July 2018

Changes to the OMV box – rkhunter

Today I added rkhunter to check for Rootkits. There is a Debian version of this which installs fine using

apt-get intall rkhunter

The package installs rkhunter into /usr/bin

The instructions here are good –> https://sourceforge.net/p/rkhunter/wiki/install/ but need to be followed carefully.

I did also install skdet and unhide as suggested. Again the instructions work just fine. I had some trouble with the patch command for skdet but only as I typed -pl and not -p1 (a 1 not an l)!

The tests all worked fine and nothing found.

Config files are in /etc/rkhunter.conf

The package comes with a cron.daily job in etc/cron.daily which pulls in some default values from /etc/default/rkhunter. So this file needs to be update to make the cron job do anything.

and this is where the trouble started……

This job uses sendmail. So you would think, well I did to install sendmail. I did without looking at the dependencies and it wipes out Openmediavault! Ekkk!

So 36 hours later we are running again! It corrupted the system on a reboot and networking did not work.

Eventually I worked out that sendmail did not uninstall correctly and OMV did not install correctly. The Linux prompts help but key were reloading OMV Extras. Nothing worked except apt-get clean followed by a load using

wget -O – http://omv-extras.org/install | bash

which I got from the OMV Extras site here…. http://omv-extras.org/joomla/index.php/guides

(Interesting just noticed they are using Joomla!)

I needed to remove some packages using apt-get purge after checking what they were using wget -l | grep openm.

At last working OK. Note some editing needed on the etc/openmediavault/config.xml to remove old entries which cause errors. Clever .xml record what should be in OMV which is fine until things go wrong! Also read the developers guide for info on how to edit the xml without actually accessing the file directly.

25th July 201830th July 2018

Changes to the OMV box – eXtplorer

Added eXtplorer to the OMV box today.

The config uses the latest version from here –> http://extplorer.net/projects/extplorer/files

Used a sensible local location for the files.

Changed permission to allow www-data to be user and group.

Followed the instructions here –> http://extplorer.net/projects/extplorer/wiki/Getting_Started

Stand Alone Installation
1. Extract the downloaded Archive to a local directory, say C:\Files\extplorer
2. Login to your server via FTP and create a subdirectory for eXtplorer, say /extplorer
3. Allow write access for your webserver for that subdirectory and the subdirectory /extplorer/ftp_tmp (e.g. chmod 777)
4. With your FTP program browse to the eXtplorer directory /config and make the file “.htusers.php” writable (CHMOD 666).
5. Upload all eXtplorer files from your computer into the subdirectory on the server
6. Browse to the URL and login (user: admin, pass: admin).
7. Remembered to immediately change the admin password.

Added into OMV an Nginx server root with www-data as the user and group but otherwise used the defaults.

Added a new .conf file into /etc/nginx/openmendiavault-webgui.d folder.

location /extplorer {
    alias /xx/xx/eXtplorer;

    index index.php;
    try_files $uri $uri/ index.php;

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/var/run/xxx.sock;
    }

    location ~ /extplorer/\. {
        deny all;
    }

    location ~* /extplorer/(?:config)/.*\.php$ {
        deny all;
    }

    location ~* /extplorer/\.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}