Part 1: Server Build and Configuration
Let’s start by turning off SELinux:
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
Note: in production environments, I’d recommend determining the SELinux policy the server actually needs rather than just turning it off. I’ll try to update this section in the future.
Restart the machine to apply the change:
shutdown -r now
Update the Server:
yum update -y
Install the Prerequisite packages:
yum install yum-cron httpd php php-mysql sqlite php-dom php-mbstring php-gd php-pdo php-json php-xml php-zip curl php-curl php-pear wget mariadb-server mariadb realmd samba samba-common samba-client oddjob oddjob-mkhomedir sssd ntpdate samba-winbind-clients samba-winbind ntp -y
Note: I’m going to connect this machine to a domain. You can omit all of the packages after “realmd” if you’re not joining it to a domain.
Set auto-updates for yum:
sed -i 's/apply_updates = no/apply_updates = yes/g' /etc/yum/yum-cron.conf
Network Configuration:
firewall-cmd --permanent --zone=internal --change-interface=eth0
firewall-cmd --permanent --zone=internal --add-source={internal_network_IP}/24
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --permanent --zone=internal --add-service=ssh
firewall-cmd --permanent --zone=internal --add-service=https
firewall-cmd --permanent --zone=internal --add-service=ntp
firewall-cmd --permanent --zone=internal --add-service=dns
firewall-cmd --permanent --zone=internal --add-service=samba-client
firewall-cmd --permanent --zone=internal --add-service=samba
firewall-cmd --permanent --zone=internal --add-service=smtp
firewall-cmd --reload
Disclaimer: I’m far from being a network security expert, so ensure you review these rules with a professional before deploying them into production. If you know a better way to implement these rules, please share your knowledge.
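Since the rules above are offered for review, here is a small audit you can run against the zone they build. This is an added example, not part of the original post: it reads the text that `firewall-cmd --zone=internal --list-all` prints and lists every service the zone exposes that is not on an allow list. The sample output embedded below is constructed to mirror the rules above (192.0.2.0/24 stands in for {internal_network_IP}/24). Inbound firewall openings are for services this host provides; a box that is only a client of DNS, NTP and the domain does not need dns, ntp or samba open inbound, so they show up as "extra" here.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone from the
# output of `firewall-cmd --zone=internal --list-all`.
# SAMPLE_LIST_ALL is constructed to match the rules in the post.

SAMPLE_LIST_ALL='internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.0.2.0/24
  services: dhcpv6-client dns http https mdns ntp samba samba-client smtp ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field NAME < list-all-output : print the value of one "  name: value" line
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# unexpected_services "allowed ..." < list-all-output : print the services the
# zone exposes that are not on the allow list, in the order firewalld lists them
unexpected_services() {
    allowed=" $1 "
    result=""
    for svc in $(zone_field services); do
        case "$allowed" in
            *" $svc "*) ;;                      # expected, skip
            *) result="$result $svc" ;;         # not on the allow list
        esac
    done
    printf '%s\n' "${result# }"
}

# An OwnCloud web server only needs to accept web and admin traffic.
WEB_ONLY="http https ssh"
printf 'interfaces: %s\n' "$(printf '%s\n' "$SAMPLE_LIST_ALL" | zone_field interfaces)"
printf 'sources:    %s\n' "$(printf '%s\n' "$SAMPLE_LIST_ALL" | zone_field sources)"
printf 'extra services: %s\n' "$(printf '%s\n' "$SAMPLE_LIST_ALL" | unexpected_services "$WEB_ONLY")"
# On the real server, feed live output instead of the sample:
#   firewall-cmd --zone=internal --list-all | unexpected_services "$WEB_ONLY"
```

Anything the audit prints is either a service the server genuinely provides (add it to the allow list) or one to remove with `firewall-cmd --permanent --zone=internal --remove-service=NAME` followed by `firewall-cmd --reload`.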
Set DNS Servers (this is just for my network, as my crappy router doesn’t let me define a different DNS Server for DHCP):
echo "DNS1={DNS Server in Domain}" >> /etc/sysconfig/network-scripts/ifcfg-eth0
echo "DNS2={Backup DNS Server in Domain}" >> /etc/sysconfig/network-scripts/ifcfg-eth0
echo "DNS3=8.8.8.8" >> /etc/sysconfig/network-scripts/ifcfg-eth0 # i like to keep Google as a backup DNS, in case my router craps out
sed -i 's/PEERDNS="yes"/PEERDNS="no"/g' /etc/sysconfig/network-scripts/ifcfg-eth0
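Both the SELinux edit at the top and the DNS lines above rewrite KEY=VALUE files, and the two one-liners have rough edges: an unanchored `sed s/enforcing/disabled/` also rewrites the explanatory comments in /etc/selinux/config, and `echo >>` appends a fresh DNS1= line every time the step is re-run. The helper below is an added example, not part of the original post: it replaces the line that starts with the key (dropping duplicates) or appends one if the key is absent. The demo runs on constructed copies of the two files; the addresses 192.0.2.53 and 192.0.2.54 are made up.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent KEY=VALUE edits for
# shell-style config files such as /etc/selinux/config and ifcfg-eth0.

# set_config_key FILE KEY VALUE : replace the first KEY= line (dropping any
# duplicates) or append one if the key is absent; creates FILE if needed.
set_config_key() {
    file=$1
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    # Key and value travel through the environment so awk never interprets
    # backslashes or regex metacharacters in them.
    KEY="$2" VALUE="$3" awk '
        BEGIN { k = ENVIRON["KEY"]; v = ENVIRON["VALUE"]; done = 0 }
        index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# get_config_key FILE KEY : print the value of KEY (empty if unset)
get_config_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Demo on constructed copies of the two files the post edits.
demo_dir=$(mktemp -d)
cat > "$demo_dir/selinux-config" <<'EOF'
# This file controls the state of SELinux on the system.
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
set_config_key "$demo_dir/selinux-config" SELINUX disabled
set_config_key "$demo_dir/ifcfg-eth0" DNS1 192.0.2.53   # constructed address
set_config_key "$demo_dir/ifcfg-eth0" DNS1 192.0.2.54   # re-run: replaced, not duplicated
set_config_key "$demo_dir/ifcfg-eth0" PEERDNS '"no"'
cat "$demo_dir/selinux-config" "$demo_dir/ifcfg-eth0"
rm -rf "$demo_dir"
```

On the real box the calls are `set_config_key /etc/selinux/config SELINUX disabled` and `set_config_key /etc/sysconfig/network-scripts/ifcfg-eth0 DNS1 "{DNS Server in Domain}"`; the comment block in /etc/selinux/config is left exactly as shipped.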
Restart the network service for the changes to take effect:
systemctl restart network.service
Set the Timezone:
timedatectl set-timezone Australia/Sydney
This is just specific to my environment, as I have a domain:
systemctl enable ntpd.service
ntpdate domaincontroller.domain.example
systemctl start ntpd.service
realm join --client-software=sssd [email protected] domain.example
And then add my user account to the Sudoers file:
## Add AD Domain Admins to sudoers file
visudo
:99
# add:
%domain\ [email protected] ALL=(ALL) ALL
Then finally shut down the machine, and take a snapshot. If it’s a physical machine, take an image of the machine.
shutdown now
# take the snapshot
LAMP Configuration
Start Apache and MySQL:
sudo systemctl start mariadb
sudo systemctl start httpd
Set Apache and MySQL to start on boot:
sudo systemctl enable mariadb
sudo systemctl enable httpd
Set up MySQL, substituting {mysqlrootpassword} with your own desired password:
sudo mysql_secure_installation
[Enter]
Y
{mysqlrootpassword}
{mysqlrootpassword}
Y
Y
Y
Y
Y
Now create the OwnCloud database, substituting {ownclouduserpassword} with your own desired password:
mysql -uroot -p
{mysqlrootpassword}
CREATE DATABASE owncloud;
CREATE USER 'ownclouduser'@'localhost' identified by '{ownclouduserpassword}';
GRANT ALL ON owncloud.* TO 'ownclouduser'@'localhost';
FLUSH PRIVILEGES;
exit
Set PHP charset to UTF-8:
sudo vi /etc/php.ini
/UTF-8 (searches for the text UTF-8)
# set default_charset = "UTF-8" (remove the ';')
Part 2: OwnCloud Installation
I chose to install it this way, as it allows for future updates to just come down via yum.
Add the OwnCloud Repository:
cd /etc/yum.repos.d/
sudo wget http://download.opensuse.org/repositories/isv:ownCloud:community/CentOS_CentOS-7/isv:ownCloud:community.repo
sudo wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
sudo rpm -ivh epel-release-7-5.noarch.rpm
Install OwnCloud:
sudo yum install owncloud -y
Now we have to edit one of the files in owncloud, because otherwise it prevents you from installing apps from the owncloud appstore. Be aware of what the line added below does: CURLOPT_SSL_VERIFYPEER set to false switches off TLS certificate verification for every outbound request OwnCloud makes through this helper, so an app download from the appstore can no longer be told apart from a tampered copy served by anyone on the network path. If the real cause is that the server does not trust the appstore’s certificate, fixing the trust store (the ca-certificates package) and leaving verification on is the better long-term option:
sudo vi /var/www/html/owncloud/lib/private/httphelper.php
[:73] (go to line 73)
[i]
# add:
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
[Esc][:wq][Enter]
Now you should be able to browse to the site at http://{server_name}/owncloud
If it worked, take another snapshot in case you break it during the application setup.
Part 3: TLS Enablement
This is fairly straightforward, and there are plenty of guides out there, but I’ll include it here for completeness’ sake.
First we need the mod_ssl module for Apache:
sudo yum install mod_ssl -y
Now create the Key:
sudo mkdir /etc/httpd/ssl
sudo openssl req -new -newkey rsa:2048 -nodes -out /etc/httpd/ssl/apache.csr -keyout /etc/httpd/ssl/apache.key -subj "/C=AU/ST=ACT/L=Canberra/O={org_name}/OU={section_name}/CN={server_name}"
Now output the CSR, to send to your certificate authority:
cat /etc/httpd/ssl/apache.csr
Get the CSR signed, then copy the resulting certificate contents (as Base64) and put them on the server:
sudo vi /etc/httpd/ssl/apache.crt
[dG]
[i]
# paste the signed certificate here
[Esc][:wq][Enter]
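Before pointing Apache at the pasted certificate, it is worth confirming that it really belongs to apache.key and is not about to expire; a mismatched pair stops httpd from starting, and a paste error is easy to make. The check below is an added example, not part of the original post. It assumes the openssl CLI is installed; the file paths are parameters, and the demo at the end builds a scratch key pair and a self-signed certificate (constructed, standing in for the CA-signed one) so it can run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): verify a certificate/key pair
# such as /etc/httpd/ssl/apache.crt and apache.key before restarting Apache.

# cert_matches_key CERT KEY : 0 if the public key inside CERT is the one
# derived from the private KEY, 1 if not, 2 if either file is unreadable
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_not_expiring CERT DAYS : 0 if CERT is still valid DAYS days from now
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_pair CERT KEY : print a one-line verdict; non-zero status on mismatch
check_pair() {
    if cert_matches_key "$1" "$2"; then
        printf 'OK: %s matches %s\n' "$1" "$2"
    else
        printf 'MISMATCH: %s does not belong to %s\n' "$1" "$2"
        return 1
    fi
}

# Demo with a scratch key pair and a 30-day self-signed certificate
# (constructed; a real deployment uses the CA-signed certificate from the CSR).
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo.example" \
    -keyout "$d/apache.key" -out "$d/apache.crt" 2>/dev/null
openssl genrsa -out "$d/other.key" 2048 2>/dev/null
check_pair "$d/apache.crt" "$d/apache.key"            # OK
check_pair "$d/apache.crt" "$d/other.key" || true     # MISMATCH
cert_not_expiring "$d/apache.crt" 7  && echo "still valid in 7 days"
cert_not_expiring "$d/apache.crt" 60 || echo "expires within 60 days: plan the renewal"
rm -rf "$d"
```

On the real server, run `check_pair /etc/httpd/ssl/apache.crt /etc/httpd/ssl/apache.key` (as root, since the key is not world-readable) and only restart httpd once it reports OK.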
Configure Apache to use the SSL Certificate:
sudo vi /etc/httpd/conf.d/ssl.conf
[i]
# DocumentRoot "/var/www/html"
# ServerName {server_name}:443
# SSLCertificateFile /etc/httpd/ssl/apache.crt
# SSLCertificateKeyFile /etc/httpd/ssl/apache.key
[Esc][:wq][Enter]
Finally restart apache to have your settings take effect:
sudo systemctl restart httpd