Recently found the most simple method of installing Nextcloud in a BSD 12.2 jail. GIT provided me access to AccidentalAdmin⌠where the code can be found. See code below
#!/bin/sh
Instructions on how to use this script
chmod +x SCRIPTNAME.sh
sudo ./SCRIPTNAME.sh
This script will install a Nextcloud instance on a FreeBSD box.
Change the default pkg repository from quarterly to latest
sed -ip âs/quarterly/latest/gâ /etc/pkg/FreeBSD.conf
Update packages (it will first download the pkg repo from latest)
secondly it will upgrade any installed packages.
pkg upgrade -y
Install Apache
pkg install -y apache24
Add service to be fired up at boot time
sysrc apache24_enable=âYESâ
Install MySQL
pkg install -y mysql80-server
Add service to be fired up at boot time
sysrc mysql_enable=âYESâ
Install PHP 7.4 and its âfunnyâ dependencies
pkg install -y php74 php74-mysqli php74-extensions
Install the âold fashionedâ Expect to automate the mysql_secure_installation part
pkg install -y expect
Set a ServerName directive in Apache HTTP. Place a name to your server.
sed -i -e âs/#ServerName www.example.com:80/ServerName California/gâ /usr/local/etc/apache24/httpd.conf
Configure Apache HTTP to use MPM Event instead of the Prefork default
Disable the Prefork MPM
sed -i -e â/prefork/s/LoadModule/#LoadModule/â /usr/local/etc/apache24/httpd.conf
Enable the Event MPM
sed -i -e â/event/s/#LoadModule/LoadModule/â /usr/local/etc/apache24/httpd.conf
Enable the proxy module for PHP-FPM to use it
sed -i -e â/mod_proxy.so/s/#LoadModule/LoadModule/â /usr/local/etc/apache24/httpd.conf
Enable the FastCGI module for PHP-FPM to use it
sed -i -e â/mod_proxy_fcgi.so/s/#LoadModule/LoadModule/â /usr/local/etc/apache24/httpd.conf
Enable PHP to use the FPM process manager
sysrc php_fpm_enable=âYESâ
Create configuration file for Apache HTTP to âspeakâ PHP
touch /usr/local/etc/apache24/modules.d/003_php-fpm.conf
Add the configuration into the file
echo "
DirectoryIndex index.php
<FilesMatch â.(php)$â>
SetHandler proxy:unix:/tmp/php-fpm.sock|fcgi://localhost/
" >> /usr/local/etc/apache24/modules.d/003_php-fpm.conf
Set the PHPâs default configuration
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
Install GNU Sed
pkg install -y gsed
Configure PHP-FPM to use a UNIX socket instead of a TCP one
This configuration is better for standalone boxes
gsed -i âs/127.0.0.1:9000//tmp/php-fpm.sock/gâ /usr/local/etc/php-fpm.d/www.conf
gsed -i âs/;listen.owner/listen.owner/gâ /usr/local/etc/php-fpm.d/www.conf
gsed -i âs/;listen.group/listen.group/gâ /usr/local/etc/php-fpm.d/www.conf
Fire up the services
service apache24 start
service mysql-server start
service php-fpm start
Make the hideous âsafeâ install for MySQL
pkg install -y pwgen
DB_ROOT_PASSWORD=$(pwgen 32 --secure --numerals --capitalize) && export DB_ROOT_PASSWORD && echo $DB_ROOT_PASSWORD >> /root/db_root_pwd.txt
SECURE_MYSQL=$(expect -c "
set timeout 10
set DB_ROOT_PASSWORD â$DB_ROOT_PASSWORDâ
spawn mysql_secure_installation
expect âPress y|Y for Yes, any other key for No:â
send ây\râ
expect âPlease enter 0 = LOW, 1 = MEDIUM and 2 = STRONG:â
send â0\râ
expect âNew password:â
send â$DB_ROOT_PASSWORD\râ
expect âRe-enter new password:â
send â$DB_ROOT_PASSWORD\râ
expect âDo you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) :â
send âY\râ
expect âRemove anonymous users?â
send ây\râ
expect âDisallow root login remotely?â
send ây\râ
expect âRemove test database and access to it?â
send ây\râ
expect âReload privilege tables now?â
send ây\râ
expect eof
")
echo â$SECURE_MYSQLâ
Enable TLS connections with a self signed certificate.
Key and certificate generation
SECURE_APACHE=$(expect -c "
set timeout 10
spawn openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/etc/apache24/server.key -out /usr/local/etc/apache24/server.crt
expect âCountry Name (2 letter code) [AU]:â
send âUS\râ
expect âState or Province Name (full name) [Some-State]:â
send âNorth Carolina\râ
expect âLocality Name (eg, city) :â
send âNewport\râ
expect âOrganization Name (eg, company) [Internet Widgits Pty Ltd]:â
send âTech-man\râ
expect âOrganizational Unit Name (eg, section) :â
send âOperations\râ
expect âCommon Name (e.g. server FQDN or YOUR name) :â
send âDavid Henzler\râ
expect âEmail Address :â
send âdhenzler@sonic.net\râ
expect eof
")
echo â$SECURE_APACHEâ
Because we have generated a certificate + key we will enable SSL/TLS in the server.
Enable TLS connections in the server.
sed -i -e â/mod_ssl.so/s/#LoadModule/LoadModule/â /usr/local/etc/apache24/httpd.conf
Enable the serverâs default TLS configuration to be applied.
sed -i -e â/httpd-ssl.conf/s/#Include/Include/â /usr/local/etc/apache24/httpd.conf
Enable TLS session cache.
sed -i -e â/mod_socache_shmcb.so/s/#LoadModule/LoadModule/â /usr/local/etc/apache24/httpd.conf
Enable the rewrite module
sed -i -e â/mod_rewrite.so/s/#LoadModule/LoadModule/â /usr/local/etc/apache24/httpd.conf
Restart Apache HTTP to apply changes
service apache24 restart
Configure PHP (already installed by the previous FAMP script) to use 512M instead of the default 128M
gsed -i âs/memory_limit = 128M/memory_limit = 512M/gâ /usr/local/etc/php.ini
Install specific PHP dependencies for Nextcloud
pkg install -y php74-zip php74-mbstring php74-gd php74-zlib php74-curl php74-openssl php74-pdo_mysql php74-pecl-imagick php74-intl php74-bcmath php74-gmp php74-fileinfo
Restart the PHP-FPM service so it acknowledges the recently installed PHP packages
service php-fpm restart
Install Nextcloud
Fetch Nextcloud
fetch -o /usr/local/www/nextcloud-21.0.2.zip https://download.nextcloud.com/server/releases/nextcloud-21.0.2.zip
Unzip Nextcloud
unzip -d /usr/local/www/ /usr/local/www/nextcloud-21.0.2.zip
Change the ownership so the Apache user (www) owns it
chown -R www:www /usr/local/www/nextcloud
Make a backup copy of the currently working httpd.conf file
cp /usr/local/etc/apache24/httpd.conf /usr/local/etc/apache24/httpd.conf.backup
Add the configuration needed for Apache to serve Nextcloud
echo "
Alias /nextcloud /usr/local/www/nextcloud
AcceptPathInfo On
<Directory /usr/local/www/nextcloud>
AllowOverride All
Require all granted
" >> /usr/local/etc/apache24/httpd.conf
Enable VirtualHost
gsed -i âs/#Include etc/apache24/extra/httpd-vhosts.conf/Include etc/apache24/extra/httpd-vhosts.conf/gâ /usr/local/etc/apache24/httpd.conf
Remove the old existing VirtualHost configuration (thereâs always a sample available)
rm /usr/local/etc/apache24/extra/httpd-vhosts.conf
Create an empty VirtualHost configuration file
touch /usr/local/etc/apache24/extra/httpd-vhosts.conf
Set a VirtualHost configuration for Nextcloud
Mind there is no configuration for port 80.
echo "
Virtual Hosts
Required modules: mod_log_config
If you want to maintain multiple domains/hostnames on your
machine you can setup VirtualHost containers for them. Most configurations
use only name-based virtual hosts so the server doesnât need to worry about
IP addresses. This is indicated by the asterisks in the directives below.
Please see the documentation at
URL:http://httpd.apache.org/docs/2.4/vhosts/
for further details before you try to setup virtual hosts.
You may use the command line option â-Sâ to verify your virtual host
configuration.
VirtualHost example:
Almost any Apache directive may go into a VirtualHost container.
The first VirtualHost section is used for all requests that do not
match a ServerName or ServerAlias in any block.
<VirtualHost :80>
ServerName Nextcloud
ServerAlias Nextcloud
DocumentRoot â/usr/local/www/nextcloudâ
ErrorLog â/var/log/nextcloud-error_logâ
CustomLog â/var/log/nextcloud-access_logâ common
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.)$ https://%{HTTP_HOST}$1 [R=301,L]
Protocols h2 h2c http/1.1
<VirtualHost *:443>
ServerName Nextcloud
ServerAlias Nextcloud
DocumentRoot â/usr/local/www/nextcloudâ
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLCertificateFile â/usr/local/etc/apache24/server.crtâ
SSLCertificateKeyFile â/usr/local/etc/apache24/server.keyâ
ErrorLog â/var/log/nextcloud-error_logâ
CustomLog â/var/log/nextcloud-access_logâ common
Protocols h2 http/1.1
Include /usr/local/etc/apache24/extra/nextcloud-security.conf
" >> /usr/local/etc/apache24/extra/httpd-vhosts.conf
Create empty file to place the Security Rules later
touch /usr/local/etc/apache24/extra/nextcloud-security.conf
Add Security Rules to protect Nextcloud
echo "
RewriteEngine on
Condition to block suspicious request methods.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC,OR]
Condition to block the specified user agents from programs and bots.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader|fetch) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|â|"|)|(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
Condition to block suspicious header requests.
RewriteCond %{HTTP_ACCEPT} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP_COOKIE} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP_FORWARDED} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP_HOST} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP_PROXY_CONNECTION} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP_REFERER} (localhost|loopback|127.0.0.1) [NC,OR]
Condition to block Proxy/LoadBalancer/WAF bypass
RewriteCond %{HTTP:X-Client-IP} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP:X-Forwarded-For} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP:X-Forwarded-Scheme} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP:X-Real-IP} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP:X-Forwarded-By} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP:X-Originating-IP} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP:X-Forwarded-From} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP:X-Forwarded-Host} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{HTTP:X-Remote-Addr} (localhost|loopback|127.0.0.1) [NC,OR]
Condition to block requests that incorporate the specified expressions in them. Avoid injection.
RewriteCond %{THE_REQUEST} (?|*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)(http|https)(:/|/) [NC,OR]
Condition to block any request containing the etc/passwd string and avoid system passwords exfiltration.
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
Condition to block the execution of CGI programs.
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
Condition to block requests that jump into the next line. Avoid injection.
RewriteCond %{THE_REQUEST} (%0A|%0D|\r|\n) [NC,OR]
Condition to block any Sharepoint services call.
RewriteCond %{REQUEST_URI} owssvr.dll [NC,OR]
Condition to block requests that simulate to come from the specified expressions. Avoid injection.
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} .opendirviewer. [NC,OR]
RewriteCond %{HTTP_REFERER} users.skynet.be.* [NC,OR]
Condition to block requests that incorporate the specified expressions in them.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
Condition to block any PHP execution. Avoid injection.
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (../|%2e%2e%2f|%2e%2e/|..%2f|%2e.%2f|%2e./|.%2e%2f|.%2e/) [NC,OR]
Condition to block FTP usage. Avoid uploads.
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
Condition to block any requests jumping over paths or injecting/retrieving objects.
RewriteCond %{QUERY_STRING} (http|https): [NC,OR]
RewriteCond %{QUERY_STRING} =|w| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.)/self/(.)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.)cPath=(http|https)://(.)$ [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).script.(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]s)+cript.(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).embed.(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]e)+mbed.(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).object.(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]o)+bject.(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).iframe.(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]i)+frame.(>|%3E) [NC,OR]
Condition to block with the intention to en/de-code strings in base64
RewriteCond %{QUERY_STRING} base64_encode.(.) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]([^)]) [NC,OR]
Condition to block
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) [OR]
Condition to block requests that incorporate the specified expressions in them. Avoid injection.
RewriteCond %{QUERY_STRING} ^.((|)|<|>|%3c|%3e). [NC,OR]
RewriteCond %{QUERY_STRING} ^.(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f). [NC,OR]
Condition to block requests which declare the specified values in the string query. Avoid injection.
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
Condition to block requests intending to retrieve or inject content in the motd file or /etc and /bin directories.
RewriteCond %{QUERY_STRING} (.{1,}/)+(motd|etc|bin) [NC,OR]
Condition to block any string referencing to the host or loopback interface.
RewriteCond %{QUERY_STRING} (localhost|loopback|127.0.0.1) [NC,OR]
Condition to block requests that incorporate the specified expressions in them. Avoid injection.
RewriteCond %{QUERY_STRING} (<|>|â|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
Condition to block SQL injection attacks
RewriteCond %{QUERY_STRING} concat[^(]*( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]a)+ll([^s]s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} -[sdcr].(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|â|"|)|%0A|%0D|%22|%27|%3C|%3E|%00).(/*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
The rewrite rule itself. Any match gets blocked.
RewriteRule ^(.*)$ - [F]
" >> /usr/local/etc/apache24/extra/nextcloud-security.conf
Restart Apache service
service apache24 restart
Create the database for Nextcloud and user. Mind this is MySQL version 8
NEW_DB_NAME=$(pwgen 8 --secure --numerals --capitalize) && export NEW_DB_NAME && echo $NEW_DB_NAME >> /root/new_db_name.txt
NEW_DB_USER_NAME=$(pwgen 10 --secure --numerals --capitalize) && export NEW_DB_USER_NAME && echo $NEW_DB_USER_NAME >> /root/new_db_user_name.txt
NEW_DB_PASSWORD=$(pwgen 32 --secure --numerals --capitalize) && export NEW_DB_PASSWORD && echo $NEW_DB_PASSWORD >> /root/newdb_pwd.txt
NEW_DATABASE=$(expect -c "
set timeout 10
spawn mysql -u root -p
expect âEnter password:â
send â$DB_ROOT_PASSWORD\râ
expect âroot@localhost [(none)]>â
send âCREATE DATABASE $NEW_DB_NAME;\râ
expect âroot@localhost [(none)]>â
send âCREATE USER â$NEW_DB_USER_NAMEâ@âlocalhostâ IDENTIFIED WITH mysql_native_password BY â$NEW_DB_PASSWORDâ;\râ
expect âroot@localhost [(none)]>â
send âGRANT ALL PRIVILEGES ON $NEW_DB_NAME.* TO â$NEW_DB_USER_NAMEâ@âlocalhostâ;\râ
expect âroot@localhost [(none)]>â
send âFLUSH PRIVILEGES;\râ
expect âroot@localhost [(none)]>â
send âexit\râ
expect eof
")
echo â$NEW_DATABASEâ
Now Visit your server ip and finish the GUI install.
Be aware of the default SQLite DB install. Select the MySQL option!!
https://yourserverip/nextcloud
Automatic NextCloud install using MySQL instead of the default SQLite
NEXTCLOUD_USER=$(pwgen 10 --secure --numerals --capitalize) && export NEXTCLOUD_USER && echo $NEXTCLOUD_USER >> /root/nextcloud_user.txt
NEXTCLOUD_PWD=$(pwgen 32 --secure --numerals --capitalize) && export NEXTCLOUD_PWD && echo $NEXTCLOUD_PWD >> /root/nextcloud_pwd.txt
su -m www -c âphp /usr/local/www/nextcloud/occ maintenance:install --database âmysqlâ --database-name â$NEW_DB_NAMEâ --database-user â$NEW_DB_USER_NAMEâ --database-pass â$NEW_DB_PASSWORDâ --admin-user â$NEXTCLOUD_USERâ --admin-pass â$NEXTCLOUD_PWDââ
Add your ip or domain name as a trusted domain for Nextcloud. Remember to adapt this to your needs. Otherwise a warning message will appear in your screen.
This setup doesnât use a domain name, itâs ready to be used with an IP. Adjust the NIC name âem0â here as convenient.
TRUSTED_DOMAIN=$(ifconfig em0 | grep "inet " | awk â{ print $2; exit }â) && export TRUSTED_DOMAIN && echo $TRUSTED_DOMAIN >> /root/trusted_domain.txt
su -m www -c âphp /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value="$TRUSTED_DOMAIN"â
No one but root can read these files. Read only permissions.
chmod 400 /root/db_root_pwd.txt
chmod 400 /root/new_db_name.txt
chmod 400 /root/new_db_user_name.txt
chmod 400 /root/newdb_pwd.txt
chmod 400 /root/nextcloud_user.txt
chmod 400 /root/nextcloud_pwd.txt
chmod 400 /root/trusted_domain.txt
Display the new database, username and password generated on MySQL
echo âDisplay DB name, username and password locationâ
echo âYour DB_ROOT_PASSWORD is written on this file /root/db_root_pwd.txtâ
echo âYour NEW_DB_NAME is written on this file /root/new_db_name.txtâ
echo âYour NEW_DB_USER_NAME is written on this file /root/new_db_user_name.txtâ
echo âYour NEW_DB_PASSWORD is written on this file /root/newdb_pwd.txtâ
Display the automatically generated username and password for Nextcloud
echo âYour Nextcloud username is written on this file /root/nextcloud_user.txtâ
echo âYour Nextcloud password is written on this file /root/nextcloud_pwd.txtâ