Saturday, April 30, 2016

OwnCloud server on Raspberry Pi 3

<- Raspberry Pi as Classroom Server and Digital Pet

Encouraged by the performance of running a basic wiki engine on the new Raspberry Pi 3, we can try a more resource intensive service. OwnCloud is a popular web based file-sharing solution, similar to Google drive or Dropbox. Reports of running OwnCloud on the original Raspberry Pi have generally been discouraging for performance reasons.

We continue using the same lightweight web server setup from the last tutorial. Although not really recommended, we are using sqlite instead of a server based database, primarily out of simplicity and to minimize the amount of services we need to run within the tight memory constraints of the Raspberry Pi.

The basic installation of the ownCloud server is as simple as downloading the desired version and moving it to a path in the web server root directory:

$ sudo wget
$ sudo tar xvf owncloud-8.2.3.tar.bz2 
$ sudo mv owncloud /var/www/
$ sudo chown -R www-data:www-data /var/www/owncloud

OwnCloud requires a series of additional PHP modules which we can install with

sudo apt-get install openssl ssl-cert php5-cli php5-sqlite php5-gd php5-common php5-cgi php-pear 
 php-apc curl libapr1 libtool curl libcurl4-openssl-dev php-xml-parser php5-dev php5-gd 

OwnCloud requires https enabled, which most easily can be done by adding/uncommenting the following at the beginning of the server section in /etc/nginx/sites-available/default:

listen 80 default_server;
listen [::]:80 default_server;

# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
include snippets/snakeoil.conf;

This is using a self-signed certificate to assert the identity of the server, which most browsers will block with a security warning. This could be avoided by obtaining a certificate from one of the certification authorities trusted by the browser, but such certificates can only be obtained for the identity of a public fully qualified domain name and not for an ad-hoc self defined name in .local.

In order to enable support for the ownCloud installation in /var/www/owncloud add the following additional location section at the end of the main server section in /etc/nginx/sites-available/default:

location ^~ /owncloud {
  # set max upload size
  client_max_body_size 512M;
  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  index index.php;

  error_page 403 /owncloud/core/templates/403.php;
  error_page 404 /owncloud/core/templates/404.php;

  location ~ ^/owncloud/(build|tests|config|lib|3rdparty|templates|data)/ {
   deny all;

  location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
   deny all;

  rewrite ^/owncloud/remote/(.*) /owncloud/remote.php last;
  rewrite ^/owncloud/core/doc/([^\/]+)(?:$|/) /owncloud/core/doc/$1/index.html;

  try_files $uri $uri/ =404;

  location ~ \.php(?:$|/) {
   fastcgi_split_path_info ^(.+\.php)(/.+)$;
   include fastcgi_params;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   fastcgi_param PATH_INFO $fastcgi_path_info;
   fastcgi_param HTTPS on;
   fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
   #fastcgi_pass php-handler;
   fastcgi_pass unix:/var/run/php5-fpm.sock;
   fastcgi_intercept_errors on;

  # Adding the cache control header for js and css files
  # Make sure it is BELOW the location ~ \.php(?:$|/) { block
  location ~* \.(?:css|js)$ {
   add_header Cache-Control "public, max-age=7200";
   # Add headers to serve security related headers
   # Before enabling Strict-Transport-Security headers please read into this topic first.
   # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
   add_header X-Content-Type-Options nosniff;
   add_header X-Frame-Options "SAMEORIGIN";
   add_header X-XSS-Protection "1; mode=block";
   add_header X-Robots-Tag none;
   # Optional: Don't log access to assets
   access_log off;

  # Optional: Don't log access to other assets
  location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf|svg)$ {
   access_log off;

After restarting the server with sudo /etc/init.d/nginx restart. The use the browser to navigate to http://raspberrypi.local/owncloud/ and follow the instructions for database setup (use Sqlite) and creating and admin account.

After that, log in as the admin user and use the admin settings in the upper right part of the screen to add new users and continue configuring the server settings.

For a single user setup, this very basic installation of ownCloud is surprisingly usable for file sharing for at least a small number of files.