<h1>Mounting ownCloud accounts with davfs2 on GNOME3</h1>
<p>Louis-Philippe Véronneau, 2016-05-30, <a href="https://veronneau.org/">veronneau.org</a></p>
<p>This post aims to share how easy it can be to mount ownCloud's WebDAV shares on GNOME3.</p>
<h2>Why do this?</h2>
<p>At SOGÉÉCOM, our users love to use ownCloud. It works nicely, has a beautiful web interface and even gives you access to your files on your phone, be it Android or iOS.</p>
<p>So yeah, ownCloud is great, but from a sysadmin's point of view, it can be a bit of trouble sometimes. Our setup involves some client computers running Debian with GNOME3. Since these computers are used by multiple users each day, we cannot use ownCloud's sync client. It would duplicate a lot of files for nothing and users would constantly need to wait for files to sync when they log in.</p>
<p>The solution we found to fix this problem is to dynamically mount a user's ownCloud account through WebDAV. The result is pretty good, but vastly depends on:</p>
<ul>
<li>the latency between the client computer and the server</li>
<li>the speed of the server you're running ownCloud on</li>
<li>the speed of your network connection</li>
</ul>
<p>The best setup would thus be if you were able to run ownCloud on a physical server in your office. We don't, but our server pings at 100 ms and we have a pretty good network connection.</p>
<h2>Introducing davfs2</h2>
<p>The best way to mount WebDAV on Debian is to use <a href="https://savannah.nongnu.org/projects/davfs2">davfs2</a>. To install it, you can run:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>apt-get<span class="w"> </span>install<span class="w"> </span>davfs2
</code></pre></div>
<p><code>davfs2</code> has two main configuration files:</p>
<ul>
<li><code>/etc/davfs2/davfs2.conf</code></li>
<li><code>/etc/davfs2/secrets</code></li>
</ul>
<p>The first one holds <code>davfs2</code>'s configuration, while the second lists all the usernames and passwords the program will need to connect to your ownCloud server.</p>
<h3>davfs2.conf</h3>
<p>To know what all parameters do, you can check out the man page of this configuration file:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>man<span class="w"> </span>davfs2.conf
</code></pre></div>
<p>The default parameters are pretty sane, but a few things should be changed nonetheless:</p>
<ul>
<li>
<p>If <code>ask_auth</code> is set to <code>1</code>, <code>davfs2</code> will interactively ask for credentials if it can't find them in <code>/etc/davfs2/secrets</code>. Since we don't want to bother users with this, set it to <code>0</code>.</p>
</li>
<li>
<p>When we implemented our setup, ownCloud's WebDAV file locking mechanism was pretty buggy, so we decided not to use it. Since then, we have not looked back on it and truly, it was not missed. We recommend setting <code>use_locks</code> to <code>0</code>, but if you want to play around with this parameter, please do so.</p>
</li>
<li>
<p>If you have big filesystems (ours is pretty big), it is a good idea to increase the value of the <code>table_size</code> option, say to <code>2048</code>. This value should be a power of 2.</p>
</li>
<li>
<p>The <code>delay_upload</code> parameter sets how long <code>davfs2</code> will wait before uploading a file once it is closed. We had some trouble with files disappearing for no reason when they were modified. Setting this option to <code>30</code> fixed it.</p>
</li>
<li>
<p>If you are using a GUI to view your files (chances are pretty good you are) set <code>gui_optimize</code> to <code>1</code>.</p>
</li>
</ul>
<p>The result looks like this:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># version 11</span>
<span class="c1"># ------------------------------------</span>
<span class="c1"># Copyright (C) 2006, 2007, 2008, 2009, 2012, 2013, 2014 Werner Baumann</span>
<span class="c1"># Copying and distribution of this file, with or without modification, are</span>
<span class="c1"># permitted in any medium without royalty provided the copyright notice</span>
<span class="c1"># and this notice are preserved.</span>
<span class="c1"># Please read the davfs2.conf (5) man page for a description of the</span>
<span class="c1"># configuration options and syntax rules.</span>
<span class="c1"># Available options and default values</span>
<span class="c1"># ====================================</span>
<span class="c1"># General Options</span>
<span class="c1"># ---------------</span>
<span class="c1"># dav_user davfs2 # system wide config file only</span>
<span class="c1"># dav_group davfs2 # system wide config file only</span>
<span class="c1"># kernel_fs fuse</span>
<span class="c1"># buf_size 16 # KiByte</span>
<span class="c1"># WebDAV Related Options</span>
<span class="c1"># ----------------------</span>
<span class="c1"># use_proxy 1 # system wide config file only</span>
<span class="c1"># proxy # system wide config file only</span>
<span class="c1"># trust_ca_cert /etc/davfs2/certs/GandiStandardSSLCA.pem</span>
<span class="c1"># servercert # deprecated: use trust_ca_cert</span>
<span class="c1"># trust_server_cert /etc/davfs2/cert.pem</span>
<span class="c1"># clientcert</span>
<span class="c1"># secrets ~/.davfs2/secrets # user config file only</span>
<span class="n">ask_auth</span><span class="w"> </span><span class="mi">0</span>
<span class="n">use_locks</span><span class="w"> </span><span class="mi">0</span>
<span class="c1"># lock_owner <user-name></span>
<span class="c1"># lock_timeout 1800 # seconds</span>
<span class="c1"># lock_refresh 60 # seconds</span>
<span class="c1"># use_expect100 0</span>
<span class="c1"># if_match_bug 0</span>
<span class="c1"># drop_weak_etags 0</span>
<span class="c1"># n_cookies 0</span>
<span class="c1"># precheck 1</span>
<span class="c1"># ignore_dav_header 0</span>
<span class="c1"># use_compression 0</span>
<span class="c1"># follow_redirect 0</span>
<span class="c1"># server_charset</span>
<span class="c1"># connect_timeout 10 # seconds</span>
<span class="c1"># read_timeout 30 # seconds</span>
<span class="c1"># retry 30 # seconds</span>
<span class="c1"># max_retry 300 # seconds</span>
<span class="c1"># add_header</span>
<span class="c1"># Cache Related Options</span>
<span class="c1"># ---------------------</span>
<span class="c1"># backup_dir lost+found</span>
<span class="c1"># cache_dir /var/cache/davfs2 # system wide cache</span>
<span class="c1"># ~/.davfs2/cache # per user cache</span>
<span class="c1"># cache_size 50 # MiByte</span>
<span class="n">table_size</span><span class="w"> </span><span class="mi">2048</span>
<span class="c1"># dir_refresh 60 # seconds</span>
<span class="c1"># file_refresh 1 # second</span>
<span class="n">delay_upload</span><span class="w"> </span><span class="mi">30</span>
<span class="n">gui_optimize</span><span class="w"> </span><span class="mi">1</span>
<span class="c1"># minimize_mem 0</span>
<span class="c1"># Debugging Options</span>
<span class="c1"># -----------------</span>
<span class="c1"># debug # possible values: config, kernel, cache, http, xml,</span>
<span class="w"> </span><span class="c1"># httpauth, locks, ssl, httpbody, secrets, most</span>
</code></pre></div>
<h3>secrets</h3>
<p>This file lists all the usernames and the passwords <code>davfs2</code> will need to connect to ownCloud. You should fill it like this:</p>
<div class="highlight"><pre><span></span><code>user1 user1_password
user2 user2_password
user3 user3_password
</code></pre></div>
<p>This file is pretty sensitive. To be sure no one but the administrator can read it, modify its permissions:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>chmod<span class="w"> </span><span class="m">600</span><span class="w"> </span>/etc/davfs2/secrets
</code></pre></div>
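<p>Before copying the secrets file to every client, it is worth checking it mechanically. The following POSIX shell function is an added example written for this page, not part of davfs2: it verifies that the file is mode 0600 and that a given administrative login (the post's last section explains why) does not appear in it. The function names, the <code>sysadmin</code> login and the sample file are ours.</p>

```shell
#!/bin/sh
# Added example, not davfs2's own tooling: sanity-check a davfs2 secrets file
# before it is deployed on client machines.

# file_mode FILE: print the octal permission bits (GNU stat first, BSD fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_secrets_file FILE ADMIN_LOGIN
# Returns 0 when FILE is readable only by its owner (mode 600) and does not
# mention ADMIN_LOGIN as a whole word; otherwise prints each failed check and
# returns 1. The passwords in this file are plaintext on the client, so an
# administrative account must never be listed here.
check_secrets_file() {
  file=$1
  admin=$2
  rc=0
  if [ ! -f "$file" ]; then
    echo "missing: $file"
    return 1
  fi
  mode=$(file_mode "$file")
  if [ "$mode" != "600" ]; then
    echo "bad permissions on $file: $mode (expected 600)"
    rc=1
  fi
  if grep -qw -- "$admin" "$file"; then
    echo "administrative login '$admin' is listed in $file"
    rc=1
  fi
  return "$rc"
}

# Demonstration on a constructed file (the real one is /etc/davfs2/secrets).
demo_secrets_check() {
  tmp=$(mktemp)
  printf 'user1 user1_password\nuser2 user2_password\n' > "$tmp"
  chmod 600 "$tmp"
  check_secrets_file "$tmp" sysadmin && echo "ok: $tmp passes"
  rm -f "$tmp"
}

demo_secrets_check
```

<p>Run it as <code>check_secrets_file /etc/davfs2/secrets sysadmin</code> from a deployment script; a non-zero exit stops the rollout before a world-readable file or an administrative password reaches a client.</p>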
<h2>Dynamically mounting with PAM</h2>
<p>The "dynamic" part of our mounting process (i.e. when a user logs in, the account in mounted automatically) is done with the help of PAM, a great and powerful tool.</p>
<p>The file we will be modifying here is <code>/etc/security/pam_mount.conf.xml</code>. You can read its man page by typing:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>man<span class="w"> </span>pam_mount.conf
</code></pre></div>
<p>This file is written in XML and only a few things need to be modified for our setup to work. Your job will mainly consist of writing volume definitions in this style:</p>
<div class="highlight"><pre><span></span><code><volume user="user1" fstype="davfs" path="https://fqdm.org/remote.php/webdav/" mountpoint="the/mountpoint/path" options="uid=user1,gid=user1_group,file_mode=0770,dir_mode=0770" />
</code></pre></div>
<p>The options bit is pretty important, because if you set different permissions, users will have trouble reading their files from the mount point.</p>
<p>Since we are potentially dealing with a lot of users here, you should probably read about the behavior of the <a href="https://www.debian.org/doc/debian-policy/#user-configuration-files-dotfiles">/etc/skel</a> directory. We use it to create a standard mountpoint in a user's directory (<code>~/ownCloud</code>).</p>
<p>Our <code>pam_mount.conf.xml</code> kinda looks like this, but with real values:</p>
<div class="highlight"><pre><span></span><code><span class="cp"><?xml version="1.0" encoding="utf-8" ?></span>
<span class="cp"><!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"></span>
<span class="cm"><!--</span>
<span class="cm"> See pam_mount.conf(5) for a description.</span>
<span class="cm">--></span>
<span class="nt"><pam_mount></span>
<span class="w"> </span><span class="cm"><!-- debug should come before everything else,</span>
<span class="cm"> since this file is still processed in a single pass</span>
<span class="cm"> from top-to-bottom --></span>
<span class="nt"><debug</span><span class="w"> </span><span class="na">enable=</span><span class="s">"0"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="cm"><!-- Volume definitions --></span>
<span class="nt"><volume</span><span class="w"> </span><span class="na">user=</span><span class="s">"user1"</span><span class="w"> </span><span class="na">fstype=</span><span class="s">"davfs"</span><span class="w"> </span><span class="na">path=</span><span class="s">"https://fqdm.org/remote.php/webdav/"</span><span class="w"> </span><span class="na">mountpoint=</span><span class="s">"the/mountpoint/path"</span><span class="w"> </span><span class="na">options=</span><span class="s">"uid=user1,gid=user1_group,file_mode=0770,dir_mode=0770"</span><span class="w"> </span><span class="nt">/></span>
<span class="nt"><volume</span><span class="w"> </span><span class="na">user=</span><span class="s">"user2"</span><span class="w"> </span><span class="na">fstype=</span><span class="s">"davfs"</span><span class="w"> </span><span class="na">path=</span><span class="s">"https://fqdm.org/remote.php/webdav/"</span><span class="w"> </span><span class="na">mountpoint=</span><span class="s">"the/mountpoint/path"</span><span class="w"> </span><span class="na">options=</span><span class="s">"uid=user2,gid=user2_group,file_mode=0770,dir_mode=0770"</span><span class="w"> </span><span class="nt">/></span>
<span class="nt"><volume</span><span class="w"> </span><span class="na">user=</span><span class="s">"user3"</span><span class="w"> </span><span class="na">fstype=</span><span class="s">"davfs"</span><span class="w"> </span><span class="na">path=</span><span class="s">"https://fqdm.org/remote.php/webdav/"</span><span class="w"> </span><span class="na">mountpoint=</span><span class="s">"the/mountpoint/path"</span><span class="w"> </span><span class="na">options=</span><span class="s">"uid=user3,gid=user3_group,file_mode=0770,dir_mode=0770"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="cm"><!-- pam_mount parameters: General tunables --></span>
<span class="cm"><!--</span>
<span class="cm"><luserconf name=".pam_mount.conf.xml" /></span>
<span class="cm">--></span>
<span class="cm"><!-- Note that commenting out mntoptions will give you the defaults.</span>
<span class="cm"> You will need to explicitly initialize it with the empty string</span>
<span class="cm"> to reset the defaults to nothing. --></span>
<span class="nt"><mntoptions</span><span class="w"> </span><span class="na">allow=</span><span class="s">"nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other"</span><span class="w"> </span><span class="nt">/></span>
<span class="cm"><!--</span>
<span class="cm"><mntoptions deny="suid,dev" /></span>
<span class="cm"><mntoptions allow="*" /></span>
<span class="cm"><mntoptions deny="*" /></span>
<span class="cm">--></span>
<span class="nt"><mntoptions</span><span class="w"> </span><span class="na">require=</span><span class="s">"nosuid,nodev"</span><span class="w"> </span><span class="nt">/></span>
<span class="nt"><logout</span><span class="w"> </span><span class="na">wait=</span><span class="s">"0"</span><span class="w"> </span><span class="na">hup=</span><span class="s">"0"</span><span class="w"> </span><span class="na">term=</span><span class="s">"0"</span><span class="w"> </span><span class="na">kill=</span><span class="s">"0"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="cm"><!-- pam_mount parameters: Volume-related --></span>
<span class="nt"><mkmountpoint</span><span class="w"> </span><span class="na">enable=</span><span class="s">"1"</span><span class="w"> </span><span class="na">remove=</span><span class="s">"true"</span><span class="w"> </span><span class="nt">/></span>
<span class="nt"></pam_mount></span>
</code></pre></div>
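<p>To write one <code>&lt;volume/&gt;</code> line per user without typos, here is an added POSIX shell script (not part of the post or of pam_mount) that renders a <code>pam_mount.conf.xml</code> in the shape shown above from a list of <code>login group</code> pairs. It assumes home directories live under <code>/home/LOGIN</code> so that the mountpoint matches the <code>~/ownCloud</code> directory created via <code>/etc/skel</code>; the URL, the function names and the user list are placeholders.</p>

```shell
#!/bin/sh
# Added example, not pam_mount's own tooling: generate the per-user <volume/>
# definitions for pam_mount.conf.xml from a "login group" list.

WEBDAV_URL="https://fqdm.org/remote.php/webdav/"   # placeholder, as in the post

# volume_entry LOGIN GROUP URL: one <volume/> element with the options the post
# recommends (uid/gid of the owner, 0770 on files and directories) and the
# ~/ownCloud mountpoint, assumed to be /home/LOGIN/ownCloud.
volume_entry() {
  printf '<volume user="%s" fstype="davfs" path="%s" mountpoint="/home/%s/ownCloud" options="uid=%s,gid=%s,file_mode=0770,dir_mode=0770" />\n' \
    "$1" "$3" "$1" "$1" "$2"
}

# volume_entries URL: read "login group" pairs from stdin; blank lines and
# lines starting with # are skipped.
volume_entries() {
  while read -r login group; do
    case $login in ''|\#*) continue ;; esac
    volume_entry "$login" "$group" "$1"
  done
}

# render_pam_mount_conf URL: the whole file, with the same global settings as
# the post's configuration (nosuid,nodev required, mountpoints auto-created).
render_pam_mount_conf() {
  cat <<'EOF'
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
EOF
  volume_entries "$1"
  cat <<'EOF'
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="0" term="0" kill="0" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>
EOF
}

# Constructed user list; in practice feed it from your user database.
sample_users() {
  printf '# login group\nuser1 user1_group\nuser2 user2_group\nuser3 user3_group\n'
}

sample_users | render_pam_mount_conf "$WEBDAV_URL"
```

<p>Redirect the output to <code>/etc/security/pam_mount.conf.xml</code> once you have checked it; keeping the user list in version control makes it easy to see who has a mount defined when accounts come and go.</p>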
<p>TAADAAA! If you followed these instructions correctly, when you log in to an account, you should now see an ownCloud WebDAV share mounted.</p>
<p>If not, logging in from a terminal session is pretty useful. If something fails, <code>davfs2</code> will tell you. If you can't figure it out, you can always try to get more information by enabling the <code>debug</code> parameters in <code>davfs2.conf</code> and <code>pam_mount.conf.xml</code>.</p>
<h2>Problems</h2>
<p>Although this setup works well, there are still a few problems you should be aware of:</p>
<ul>
<li>
<p>This is not made for massive file modifications. If someone tries to copy a 30 GB directory through the davfs mount, you will have problems.</p>
</li>
<li>
<p>There can be quite a big lag when opening a directory (10 seconds and more) if you have a bad ping or a bad network connection.</p>
</li>
<li>
<p><strong>All of your users' ownCloud passwords are kept in plaintext on the client's drive</strong>. Please don't add your administrative account to the list, this could end up badly.</p>
</li>
</ul>
<h1>Installing an Owncloud server (French)</h1>
<p>Louis-Philippe Véronneau, 2016-05-21</p>
<p>The goal of this post is to give a simple step-by-step guide to installing Owncloud on a Debian Jessie server.</p>
<h2>Basic installation</h2>
<p>All the steps that follow assume you are logged in as the superuser (<code>root</code>) on your server.</p>
<h3>Installing Owncloud</h3>
<p>We use Debian's package manager to install Owncloud:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>aptitude<span class="w"> </span>update<span class="w"> </span><span class="o">&&</span><span class="w"> </span>aptitude<span class="w"> </span>install<span class="w"> </span>owncloud
</code></pre></div>
<p>Debian's <code>owncloud</code> package installs the files in <code>/usr/share/owncloud</code>.</p>
<h3>Creating a MySQL database</h3>
<p>Start by logging in to MySQL with an administrator account:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>mysql<span class="w"> </span>-u<span class="w"> </span>root<span class="w"> </span>-p
</code></pre></div>
<p>Once in the MySQL shell, create a database and grant full rights on it to a user:</p>
<div class="highlight"><pre><span></span><code>mysql> CREATE DATABASE nom_de_la_db;
mysql> GRANT ALL PRIVILEGES ON nom_de_la_db.* TO 'nom_du_user'@'hostname' IDENTIFIED BY 'mot_de_passe';
mysql> FLUSH PRIVILEGES;
mysql> quit;
</code></pre></div>
<h3>Creating an Apache VHost</h3>
<p>To finish configuring Owncloud, you need access to the web interface. For that, we publish the site with Apache:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span><span class="nb">cd</span><span class="w"> </span>/etc/apache2/sites-available
$<span class="w"> </span>vim<span class="w"> </span>fqdm.conf
</code></pre></div>
<p><code>fqdm</code>, the <em>fully qualified domain name</em>, is your full domain name. The recommended VHost is the following:</p>
<div class="highlight"><pre><span></span><code>#<span class="nt"><VirtualHost</span> <span class="err">*:443</span><span class="nt">></span>
<span class="w"> </span>#ServerName<span class="w"> </span>fqdm.com
<span class="w"> </span>#ServerAdmin<span class="w"> </span>foo@fqdm.com
<span class="w"> </span>#DocumentRoot<span class="w"> </span>/usr/share/owncloud
<span class="w"> </span>#ErrorLog<span class="w"> </span><span class="cp">${</span><span class="n">APACHE_LOG_DIR</span><span class="cp">}</span>/error.log
<span class="w"> </span>#Alias<span class="w"> </span>/owncloud<span class="w"> </span>/usr/share/owncloud
<span class="w"> </span>#<span class="nt"><Directory</span> <span class="err">/usr/share/owncloud</span><span class="nt">></span>
<span class="w"> </span>#Options<span class="w"> </span>Indexes<span class="w"> </span>FollowSymLinks<span class="w"> </span>MultiViews
<span class="w"> </span>#AllowOverride<span class="w"> </span>All
<span class="w"> </span>#Require<span class="w"> </span>all<span class="w"> </span>granted
<span class="w"> </span>#SetEnv<span class="w"> </span>MOD_X_SENDFILE_ENABLED<span class="w"> </span>1
<span class="w"> </span>#XSendFile<span class="w"> </span>On
<span class="w"> </span>#XSendFilePath<span class="w"> </span>/data
<span class="w"> </span>#<span class="nt"></Directory></span>
<span class="w"> </span>#SSLEngine<span class="w"> </span>on
<span class="w"> </span>#SSLCertificateFile<span class="w"> </span>/etc/ssl/owncloud/cert.crt
<span class="w"> </span>#SSLCertificateKeyFile<span class="w"> </span>/etc/ssl/owncloud/key.pem
<span class="w"> </span>#SSLCertificateChainFile<span class="w"> </span>/etc/ssl/owncloud/GandiStandardSSLCA.pem
<span class="w"> </span>#SSLProtocol<span class="w"> </span>all<span class="w"> </span>-SSLv2<span class="w"> </span>-SSLv3
<span class="w"> </span>#SSLCipherSuite<span class="w"> </span>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
<span class="w"> </span>#SSLHonorCipherOrder<span class="w"> </span>on
<span class="w"> </span>#SSLCompression<span class="w"> </span>off
#<span class="nt"></VirtualHost></span>
<span class="nt"><VirtualHost</span> <span class="err">*:80</span><span class="nt">></span>
<span class="w"> </span>ServerName<span class="w"> </span>fqdm.com
<span class="w"> </span>ServerAdmin<span class="w"> </span>foo@fqdm.com
<span class="w"> </span>Alias<span class="w"> </span>/owncloud<span class="w"> </span>/usr/share/owncloud
<span class="w"> </span>#Redirect<span class="w"> </span>/<span class="w"> </span>https://fqdm.com/
<span class="nt"></VirtualHost></span>
</code></pre></div>
<p>Since we have not yet created an SSL certificate or enabled some Apache modules, a number of lines are commented out. As a result, the site is for now published on fqdm.com without HTTPS protection.</p>
<p>We now need to enable the site and Apache's rewrite module, which the site needs in order to work properly:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>a2ensite<span class="w"> </span>fqdm.conf
$<span class="w"> </span>a2enmod<span class="w"> </span>rewrite
$<span class="w"> </span>service<span class="w"> </span>apache2<span class="w"> </span>restart
</code></pre></div>
<h3>Configuring Owncloud through the web interface</h3>
<p>Once the site is enabled, configure Owncloud through the web interface. To do so, go to <a href="http://fqdm.com">http://fqdm.com</a> and follow the automated installer, choosing MySQL as the database and entering the credentials you specified earlier when creating the new MySQL user.</p>
<p>And there you go! In theory, Owncloud should now be reachable by logging in with the administrator account!</p>
<h2>Security and performance tuning</h2>
<p>Once the basic installation is complete, it is best to tune a few settings, both to improve security and to improve performance.</p>
<h3>Setting up an HTTPS certificate</h3>
<p>It is <strong>strongly recommended</strong> to use an HTTPS certificate to secure connections to the site.</p>
<p>Creating an SSL certificate is not covered by this post, but I warmly recommend the services offered by <a href="https://letsencrypt.org">Let's Encrypt</a>. Besides being free, Let's Encrypt puts a strong emphasis on automation, which is an excellent thing.</p>
<p>Once the certificate is created, modify the Apache VHost to use a secure connection:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>vim<span class="w"> </span>/etc/apache2/sites-available/fqdm.conf
<span class="nt"><VirtualHost</span> <span class="err">*:443</span><span class="nt">></span>
<span class="w"> </span>ServerName<span class="w"> </span>fqdm.com
<span class="w"> </span>ServerAdmin<span class="w"> </span>foo@fqdm.com
<span class="w"> </span>DocumentRoot<span class="w"> </span>/usr/share/owncloud
<span class="w"> </span>ErrorLog<span class="w"> </span><span class="cp">${</span><span class="n">APACHE_LOG_DIR</span><span class="cp">}</span>/error.log
<span class="w"> </span>Alias<span class="w"> </span>/owncloud<span class="w"> </span>/usr/share/owncloud
<span class="w"> </span><span class="nt"><Directory</span> <span class="err">/usr/share/owncloud</span><span class="nt">></span>
<span class="w"> </span>Options<span class="w"> </span>Indexes<span class="w"> </span>FollowSymLinks<span class="w"> </span>MultiViews
<span class="w"> </span>AllowOverride<span class="w"> </span>All
<span class="w"> </span>Require<span class="w"> </span>all<span class="w"> </span>granted
<span class="w"> </span>#SetEnv<span class="w"> </span>MOD_X_SENDFILE_ENABLED<span class="w"> </span>1
<span class="w"> </span>#XSendFile<span class="w"> </span>On
<span class="w"> </span>#XSendFilePath<span class="w"> </span>/data
<span class="w"> </span><span class="nt"></Directory></span>
<span class="w"> </span>SSLEngine<span class="w"> </span>on
<span class="w"> </span>SSLCertificateFile<span class="w"> </span>/path/to/ssl/cert
<span class="w"> </span>SSLCertificateKeyFile<span class="w"> </span>/path/to/ssl/key
<span class="w"> </span>SSLCertificateChainFile<span class="w"> </span>/path/to/ssl/chainfile
<span class="w"> </span>SSLProtocol<span class="w"> </span>all<span class="w"> </span>-SSLv2<span class="w"> </span>-SSLv3
<span class="w"> </span>SSLCipherSuite<span class="w"> </span>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
<span class="w"> </span>SSLHonorCipherOrder<span class="w"> </span>on
<span class="w"> </span>SSLCompression<span class="w"> </span>off
<span class="nt"></VirtualHost></span>
<span class="nt"><VirtualHost</span> <span class="err">*:80</span><span class="nt">></span>
<span class="w"> </span>ServerName<span class="w"> </span>fqdm.com
<span class="w"> </span>ServerAdmin<span class="w"> </span>foo@fqdm.com
<span class="w"> </span>#Alias<span class="w"> </span>/owncloud<span class="w"> </span>/usr/share/owncloud
<span class="w"> </span>Redirect<span class="w"> </span>/<span class="w"> </span>https://fqdm.com/
<span class="nt"></VirtualHost></span>
</code></pre></div>
<p>Make sure the ssl module is enabled and restart Apache:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>a2enmod<span class="w"> </span>ssl
$<span class="w"> </span>service<span class="w"> </span>apache2<span class="w"> </span>restart
</code></pre></div>
<h3>Using another directory for user data</h3>
<p>By default, Owncloud stores user data in <code>/usr/share/owncloud/data</code>. It is worth moving this directory so that it does not get overwritten by mistake during an upgrade:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>service<span class="w"> </span>apache2<span class="w"> </span>stop
$<span class="w"> </span>mkdir<span class="w"> </span>/data
$<span class="w"> </span>mkdir<span class="w"> </span>/data/Owncloud-data
$<span class="w"> </span>mv<span class="w"> </span>/usr/share/owncloud/data<span class="w"> </span>/data/Owncloud-data/
$<span class="w"> </span>chown<span class="w"> </span>-R<span class="w"> </span>www-data:www-data<span class="w"> </span>/data/Owncloud-data/
</code></pre></div>
<p>Once the directory is moved, you need to modify Owncloud's configuration, specifically this line in <code>config.php</code>:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>vim<span class="w"> </span>/usr/share/owncloud/config/config.php
><span class="w"> </span><span class="s1">'datadirectory'</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s1">'/data/Owncloud-data/data'</span>,
$<span class="w"> </span>service<span class="w"> </span>apache2<span class="w"> </span>restart
</code></pre></div>
<h3>Using XSendfile</h3>
<p>File transfers can be sped up with Apache's X-Sendfile module. We therefore uncomment the following lines in the VHost created earlier:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>vim<span class="w"> </span>/etc/apache2/sites-available/fqdm.conf
><span class="w"> </span>SetEnv<span class="w"> </span>MOD_X_SENDFILE_ENABLED<span class="w"> </span><span class="m">1</span>
><span class="w"> </span>XSendFile<span class="w"> </span>On
><span class="w"> </span>XSendFilePath<span class="w"> </span>/data/Owncloud-data
$<span class="w"> </span>aptitude<span class="w"> </span>install<span class="w"> </span>libapache2-mod-xsendfile
$<span class="w"> </span>a2enmod<span class="w"> </span>xsendfile
$<span class="w"> </span>service<span class="w"> </span>apache2<span class="w"> </span>restart
</code></pre></div>
<p><strong>Warning!</strong></p>
<p>Every external directory Owncloud uses must be listed with the XSendFilePath line in the VHost. For instance, if you decide to add a local share to a user's account, it must be declared to XSendfile. Otherwise the user will not be able to download the files in question.</p>
<h3>Using fail2ban to prevent brute-force attacks on an account</h3>
<p>By default, a malicious person could use a program to try every possible password for an account. <code>fail2ban</code> limits these attacks by banning an IP address that has failed x times in a row. We start by configuring <code>fail2ban</code>:</p>
<div class="highlight"><pre><span></span><code><span class="err">$</span><span class="w"> </span><span class="n">aptitude</span><span class="w"> </span><span class="n">install</span><span class="w"> </span><span class="n">fail2ban</span>
<span class="err">$</span><span class="w"> </span><span class="n">vim</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">fail2ban</span><span class="o">/</span><span class="k">filter</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">owncloud</span><span class="p">.</span><span class="n">conf</span>
<span class="o">></span><span class="w"> </span><span class="o">[</span><span class="n">Definition</span><span class="o">]</span>
<span class="o">></span><span class="w"> </span><span class="n">failregex</span><span class="o">=</span><span class="err">{</span><span class="ss">"app"</span><span class="err">:</span><span class="ss">"core"</span><span class="p">,</span><span class="ss">"message"</span><span class="err">:</span><span class="ss">"Login failed: user '.*' , wrong password, IP:<HOST>"</span><span class="p">,</span><span class="ss">"level"</span><span class="err">:</span><span class="mi">2</span><span class="p">,</span><span class="ss">"time"</span><span class="err">:</span><span class="ss">".*"</span><span class="err">}</span>
<span class="err">$</span><span class="w"> </span><span class="n">vim</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">fail2ban</span><span class="o">/</span><span class="n">jail</span><span class="p">.</span><span class="k">local</span>
<span class="o">></span><span class="w"> </span><span class="o">[</span><span class="n">owncloud</span><span class="o">]</span>
<span class="o">></span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">true</span>
<span class="o">></span><span class="w"> </span><span class="k">filter</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">owncloud</span><span class="w"> </span>
<span class="o">></span><span class="w"> </span><span class="n">port</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">80</span><span class="p">,</span><span class="mi">443</span><span class="w"> </span>
<span class="o">></span><span class="w"> </span><span class="n">logpath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">/</span><span class="nf">var</span><span class="o">/</span><span class="nf">log</span><span class="o">/</span><span class="n">owncloud</span><span class="p">.</span><span class="nf">log</span>
<span class="o">></span><span class="w"> </span><span class="n">maxrety</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span>
<span class="o">></span><span class="w"> </span><span class="n">bantime</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1200</span>
</code></pre></div>
<p>Now make sure Owncloud logs the right information:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>vim<span class="w"> </span>/usr/share/owncloud/config/config.php
><span class="w"> </span><span class="s1">'loglevel'</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s1">'2'</span>,
><span class="w"> </span><span class="s1">'log_authfailip'</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>true,
</code></pre></div>
<p>All that is left is to restart fail2ban:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>service<span class="w"> </span>fail2ban<span class="w"> </span>restart
</code></pre></div>
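<p>Before relying on the jail, it helps to see the filter's <code>failregex</code> match real-looking log lines. The following POSIX shell script is an added example, not fail2ban's own code: it replays the regex from the filter above over a constructed Owncloud log and counts failures per source address, the way the jail with <code>maxretry = 5</code> would. The log lines and addresses are constructed, and the <code>&lt;HOST&gt;</code> placeholder is replaced by an IPv4 capture group (an assumption; fail2ban's own <code>&lt;HOST&gt;</code> also matches IPv6 and hostnames).</p>

```shell
#!/bin/sh
# Added example, not fail2ban's own code: replay the owncloud filter's
# failregex over a constructed Owncloud log with plain POSIX tools, to see
# which source addresses would reach the jail's maxretry threshold.

# The filter's failregex as a sed extended regex. fail2ban's <HOST> placeholder
# is replaced here by an IPv4 capture group (assumption: fail2ban's own <HOST>
# also matches IPv6 addresses and hostnames).
FAILREGEX='\{"app":"core","message":"Login failed: user '\''[^'\'']*'\'' , wrong password, IP:([0-9.]+)","level":2,"time":"[^"]*"\}'

# failed_login_ips LOG: print the source IP of every line matching FAILREGEX.
failed_login_ips() {
  sed -nE "s/^.*${FAILREGEX}.*$/\1/p" "$1"
}

# ips_to_ban LOG MAXRETRY: print "count ip" for addresses with at least
# MAXRETRY failed logins (what the jail with maxretry = 5 would ban).
ips_to_ban() {
  failed_login_ips "$1" | sort | uniq -c | awk -v max="$2" '$1 >= max { print $1, $2 }'
}

# write_sample_log FILE: constructed log lines, not real data. 203.0.113.7
# fails five times, 198.51.100.9 once, and a successful login must not match.
write_sample_log() {
  cat > "$1" <<'EOF'
{"app":"core","message":"Login failed: user 'alice' , wrong password, IP:203.0.113.7","level":2,"time":"2016-05-21T10:00:01+00:00"}
{"app":"core","message":"Login failed: user 'alice' , wrong password, IP:203.0.113.7","level":2,"time":"2016-05-21T10:00:02+00:00"}
{"app":"core","message":"Login failed: user 'bob' , wrong password, IP:203.0.113.7","level":2,"time":"2016-05-21T10:00:03+00:00"}
{"app":"core","message":"Login failed: user 'alice' , wrong password, IP:203.0.113.7","level":2,"time":"2016-05-21T10:00:04+00:00"}
{"app":"core","message":"Login failed: user 'alice' , wrong password, IP:203.0.113.7","level":2,"time":"2016-05-21T10:00:05+00:00"}
{"app":"core","message":"Login failed: user 'carol' , wrong password, IP:198.51.100.9","level":2,"time":"2016-05-21T10:00:06+00:00"}
{"app":"core","message":"Login successful: user 'alice' , IP:198.51.100.9","level":1,"time":"2016-05-21T10:00:07+00:00"}
EOF
}

LOG=$(mktemp)
write_sample_log "$LOG"
ips_to_ban "$LOG" 5
rm -f "$LOG"
```

<p>If the script prints nothing against a copy of your real <code>/var/log/owncloud.log</code> after a few deliberate failed logins, the log format has drifted from the regex (Owncloud changed its login-failure message across versions) and fail2ban will silently ban nobody; <code>fail2ban-regex</code> gives the same answer with the filter file itself.</p>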
<h3>Changing how the cron is called</h3>
<p>It is more efficient to run the cron job through the server's cron than through PHP. Start by selecting the "cron" option in Owncloud's administrator menu.</p>
<p>Then add a cron job for www-data:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>crontab<span class="w"> </span>-u<span class="w"> </span>www-data<span class="w"> </span>-e
><span class="w"> </span>*/15<span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span>php<span class="w"> </span>-f<span class="w"> </span>/var/www/owncloud/cron.php<span class="w"> </span>><span class="w"> </span>/dev/null<span class="w"> </span><span class="m">2</span>><span class="p">&</span><span class="m">1</span>
</code></pre></div>