I give up - SPECIFIC omv4.X and nextcloud thread

  • I do think OMV is a great project.
    I do think Nextcloud is also a great project.


    Unfortunately, adding two great projects together sometimes doesn't work, or fails, or ends up being not so successful.


    I spent some time (2 weeks, around 20 hours) trying to make them work together and failed, because I consider myself a medium Linux user and get bored quickly.


    So I decided to do my homework and start from a clean debian-9.3.0-amd64-netinst with only the common tools and openssh installed (128 packages).


    It took me around 10 hours to learn/apply/build my system from scratch.


    Now I am able to do whatever I want with it.


    I can send you my "notes" with a list of the steps I did (not complete, just giving directions) ... on request.


    Final system is:



    Nextcloud server 12.0.5 --> 13.0.0, no problems so far
    based on an A8-6500, 8 GB RAM, RAID6 8*6 TB
    4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)
    / apache 2.4.25 --> 2.4.29 / php 7.0.27 / 10.1.26-MariaDB / mysqlnd 5.0.12
    / phpMyAdmin 4.6.6deb4 / Redis server v=3.2.6 / HTTP2 /

  • So I decided to do my homework and start from a clean debian-9.3.0-amd64-netinst with only the common tools and openssh installed (128 packages)

    I assume this is what I will do too. I like OMV, but by using it I moved from a beginner Linux user to an almost medium user and already sometimes struggled with the presets of OMV for my purposes. So I would appreciate it if you could send me your notes!

  • Small info: it seems some people are trying to use a vulnerability in diffie-hellman-group1-sha1 called the Logjam attack.


    Here is an example:
    sshd[11867]: Unable to negotiate with 103.89.88.40 port 53879: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]


    In order to protect my server, I had to tweak my SSL config like this: (A+ on SSL Labs)


    <IfModule mod_ssl.c>

    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        # HTTP/2 first, HTTP/1.1 as fallback (needs mod_http2)
        Protocols h2 http/1.1
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # Let's Encrypt certificate and key (fullchain.pem includes the intermediate)
        SSLCertificateFile /etc/letsencrypt/live/nextcloud.rkn.ovh/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.rkn.ovh/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        ServerName nextcloud.rkn.ovh
        # HSTS: guarantee HTTPS for 6 months, including subdomains
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    </VirtualHost>

    # Server-wide TLS settings (outside the VirtualHost, so they apply to every TLS vhost).
    # Note: this file only governs Apache/TLS; SSH key exchange is controlled by
    # KexAlgorithms in /etc/ssh/sshd_config.
    # modern configuration, tweak to your needs
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    #SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDS$
    # super strong cipher suites avoiding attacks like Logjam
    # (forward-secret AES-GCM only; the EDH entries still permit DHE, so the DH parameter
    # size matters: Apache 2.4 picks built-in params matched to the certificate key size,
    # and "SSLOpenSSLConfCmd DHParameters /path/to/dhparam.pem" can pin a custom >=2048-bit group)
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on
    # no TLS compression (CRIME)
    SSLCompression off
    # session tickets off: a long-lived ticket key would undermine forward secrecy
    SSLSessionTickets off
    SSLOptions +StrictRequire



    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)



    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    </IfModule>




    The included /etc/letsencrypt/options-ssl-apache.conf is modified too:
    # Baseline setting to Include for SSL sites


    SSLEngine on


    # Intermediate configuration, tweak to your needs
    # (commented out here: protocol and cipher settings live in the main SSL config above)
    #SSLProtocol all -SSLv2 -SSLv3
    #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AE$
    #SSLHonorCipherOrder on
    #SSLCompression off


    #SSLOptions +StrictRequire


    # Add vhost name (%v) to log entries:
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common


    #CustomLog /var/log/apache2/access.log vhost_combined
    #LogLevel warn
    #ErrorLog /var/log/apache2/error.log


    # Always ensure Cookies have "Secure" set (JAH 2012/1)
    #Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
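The sshd line quoted in the post above is easy to triage in bulk. As an added example (not code from the thread, OMV or Nextcloud), the script below parses OpenSSH "Unable to negotiate" lines, flags offers of legacy algorithms such as diffie-hellman-group1-sha1, and tallies failures per source address so the result can feed a fail2ban-style block list. The log lines and addresses are constructed (RFC 5737 documentation ranges), the legacy-algorithm table is my own choice rather than an OpenSSH list, and a real deployment would read /var/log/auth.log instead of the embedded sample.

```python
"""Triage OpenSSH "Unable to negotiate" log lines.

Added example for this thread, not code from the forum posts, OMV or Nextcloud.
Assumptions: Debian 9 syslog format for sshd, and a hand-picked table of
algorithms that only legacy clients or scanners still offer.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of /var/log/auth.log lines (documentation IP ranges, RFC 5737).
SAMPLE_LOG = [
    "Jan 20 03:14:07 nas sshd[11867]: Unable to negotiate with 203.0.113.7 port 53879: "
    "no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]",
    "Jan 20 03:14:09 nas sshd[11870]: Unable to negotiate with 203.0.113.7 port 53901: "
    "no matching key exchange method found. Their offer: "
    "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 [preauth]",
    "Jan 20 03:15:02 nas sshd[11882]: Unable to negotiate with 198.51.100.23 port 41220: "
    "no matching cipher found. Their offer: aes128-cbc,3des-cbc [preauth]",
    "Jan 20 03:16:40 nas sshd[11890]: Unable to negotiate with 198.51.100.23 port 41301: "
    "no matching host key type found. Their offer: ssh-dss [preauth]",
    "Jan 20 03:17:11 nas sshd[11895]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2",
]

# Why each algorithm is worth flagging (author's table, not an OpenSSH list).
LEGACY_ALGOS = {
    "diffie-hellman-group1-sha1": "1024-bit DH group, Logjam-class precomputation",
    "diffie-hellman-group-exchange-sha1": "SHA-1 KEX that may negotiate small groups",
    "diffie-hellman-group14-sha1": "SHA-1 KEX (2048-bit group)",
    "ssh-dss": "1024-bit DSA host key",
    "3des-cbc": "64-bit block cipher (Sweet32)",
    "blowfish-cbc": "64-bit block cipher",
    "arcfour": "RC4", "arcfour128": "RC4", "arcfour256": "RC4",
}

NEGOTIATE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Unable to negotiate with (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|cipher|host key type|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)


def legacy_reason(algo: str) -> Optional[str]:
    """Return why `algo` is considered legacy, or None for a modern algorithm."""
    if algo in LEGACY_ALGOS:
        return LEGACY_ALGOS[algo]
    if algo.endswith("-cbc"):
        return "CBC mode, dropped from OpenSSH defaults"
    if algo.startswith("hmac-md5") or algo.endswith("-96"):
        return "MD5-based or truncated MAC"
    return None


def parse_line(line: str) -> Optional[dict]:
    """Extract peer, failing category and the comma-separated offer; None if no match."""
    m = NEGOTIATE_RE.search(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "what": m.group("what"),
        "offer": m.group("offer").split(","),
    }


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per source IP: number of failed negotiations and the legacy algorithms it offered."""
    per_ip: Dict[str, dict] = defaultdict(lambda: {"failures": 0, "weak": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["failures"] += 1
        entry["weak"].update(a for a in rec["offer"] if legacy_reason(a))
    return {ip: {"failures": e["failures"], "weak": sorted(e["weak"])} for ip, e in per_ip.items()}


def ban_candidates(summary: Dict[str, dict], min_failures: int = 2) -> List[str]:
    """IPs that repeatedly fail negotiation: candidates for a fail2ban-style block."""
    return sorted(ip for ip, e in summary.items() if e["failures"] >= min_failures)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, entry in sorted(result.items()):
        reasons = "; ".join(f"{a} ({legacy_reason(a)})" for a in entry["weak"])
        print(f"{ip}: {entry['failures']} failed negotiation(s); legacy offers: {reasons or 'none'}")
    print("ban candidates:", ban_candidates(result))
```

A client that offers only diffie-hellman-group1-sha1 cannot connect to a default Debian 9 sshd at all (OpenSSH 7.4 removed it from the defaults), which is exactly why the line is logged; the value of the tally is in spotting scanners early and in not being tempted to re-enable the group for them.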

  • I landed on this thread via an internet search. Apologies for the necro, but I did want to offer a suggestion/idea that I haven't seen discussed. I'm not an OMV user yet, so I have not tested this, but it did work for me on Debian Stretch after struggling to get NextCloud running. I will probably test it in the next few days on OMV, but in case somebody has time to beat me to it, I would be curious! No promises that this won't break something, and I recognize that I am a novice.


    NextCloudPi (https://github.com/nextcloud/nextcloudpi) or (https://ownyourbits.com/2017/0…ready-raspberry-pi-image/) bundles everything together and looks reasonably secure (perhaps more secure for the average user trying to self-configure). You get Apache, MariaDB, some reasonable defaults, and a web interface to manage a whole bunch of "plugins" including Let's Encrypt, Fail2Ban, and what not. It specifically checks for Debian 9 to run the install command. Basically it runs all of the apt commands and configuration as a script. You'd need to run it in a VM or a container.


    I apt-installed LXC on Debian Stretch, started a new Debian Stretch LXC container, and ran the install command (CAUTION: I assume this would completely bork your OMV install if you ran it on the host rather than in the container).


    I don't see any reason that wouldn't work on OMV4. You'd apt install lxc libvirt0 libpam-cgroup libpam-cgfs bridge-utils,
    start a Debian Stretch container, attach to the container, double-check that you are attached to the container, and run the NextCloudPi install command. Come back a few minutes later, set passwords, tweak the configuration, and you're off.


    Slightly trickier (but still not as bad as standing up NextCloud from scratch, IMO) will be configuring storage/permissions and networking. Out of the gate, the container will be NATed and you'll have to either port-forward through OMV or configure a bridge interface to expose the container on a real IP. Those seem pretty solvable though. I highly recommend reading through the Debian LXC page (https://wiki.debian.org/LXC) and the LXC developer documentation (https://linuxcontainers.org/lxc/getting-started/).



    4/13 Edit:


    It took a bit more tinkering than I expected, but not too bad. I got LXC running on OMV, set up a network bridge, and tested running a privileged container. I'm not smart enough to know whether that is any greater threat than installing NextCloud and its components directly on OMV. Anyway, I took steps to run unprivileged LXC containers, created a new Debian Stretch AMD64 container with sudo, and executed the NextCloudPi install command. 10 minutes later I had a working NextCloud web interface.


    Ideally I would like storage to be shared between the OMV user and the NextCloud user, but I have not figured out the best way to make that work with permissions and unprivileged LXC container limitations. I will probably update this if I figure that out. If anybody wants specific steps I'll try to retrace them.
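The storage-sharing problem in the last paragraph comes down to id mapping: in an unprivileged container every uid and gid is shifted by the range root was given in /etc/subuid and /etc/subgid, so the container's www-data (uid 33) writes files the host sees as uid 100033, and a host-side OMV user (uid 1000) shows up inside the container as nobody. As an added example (not code from the thread, NextCloudPi, OMV or LXC), the Python below computes that translation, builds an id map that passes one chosen uid/gid through 1:1 so a bind-mounted OMV share keeps its owner, and renders the matching LXC config lines. Assumptions: the usual root:100000:65536 allocation, an OMV share owned by uid/gid 1000, placeholder paths, and LXC 2.0 as shipped with Debian stretch (which spells the key lxc.id_map; 2.1 and later use lxc.idmap). The 1:1 pass-through additionally needs a root:1000:1 line in /etc/subuid and /etc/subgid on the host.

```python
"""Map container ids to host ids for an unprivileged LXC container.

Added example for this thread; not code from NextCloudPi, OMV or LXC.
Assumptions: root owns host id range 100000-165535 (/etc/subuid, /etc/subgid),
the OMV share is owned by host uid/gid 1000, and all paths are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

NOBODY = 65534  # what an unmapped host id looks like from inside the container


@dataclass(frozen=True)
class IdMap:
    kind: str        # "u" (uid) or "g" (gid)
    ns_start: int    # first id inside the container
    host_start: int  # first id on the host
    count: int       # size of the range


def default_idmap(base: int = 100000, count: int = 65536) -> List[IdMap]:
    """The mapping lxc-create writes for root's default subuid/subgid range."""
    return [IdMap("u", 0, base, count), IdMap("g", 0, base, count)]


def host_id(ns_id_: int, maps: List[IdMap], kind: str = "u") -> Optional[int]:
    """Host id that a container-side id lands on, or None if it is not mapped."""
    for m in maps:
        if m.kind == kind and m.ns_start <= ns_id_ < m.ns_start + m.count:
            return m.host_start + (ns_id_ - m.ns_start)
    return None


def ns_id(host: int, maps: List[IdMap], kind: str = "u") -> int:
    """Container-side id for a host id; unmapped host ids show up as nobody (65534)."""
    for m in maps:
        if m.kind == kind and m.host_start <= host < m.host_start + m.count:
            return m.ns_start + (host - m.host_start)
    return NOBODY


def passthrough_idmap(share_id: int, base: int = 100000, count: int = 65536) -> List[IdMap]:
    """Split the default range so container id `share_id` maps 1:1 to host id `share_id`.

    Needs 'root:<share_id>:1' in /etc/subuid and /etc/subgid on the host (assumption).
    """
    if not 0 < share_id < count:
        raise ValueError("share_id must lie inside the container's id range")
    maps: List[IdMap] = []
    for kind in ("u", "g"):
        maps.append(IdMap(kind, 0, base, share_id))                              # 0 .. share_id-1
        maps.append(IdMap(kind, share_id, share_id, 1))                          # share_id 1:1
        maps.append(IdMap(kind, share_id + 1, base + share_id + 1, count - share_id - 1))
    return maps


def render_lxc_config(maps: List[IdMap], host_path: str, container_path: str,
                      key: str = "lxc.id_map") -> str:
    """Config lines for the container; `key` is lxc.id_map on LXC 2.0, lxc.idmap on >= 2.1."""
    lines = [f"{key} = {m.kind} {m.ns_start} {m.host_start} {m.count}" for m in maps]
    # Bind mount: destination is relative to the rootfs; create=dir makes the mount point.
    lines.append(
        f"lxc.mount.entry = {host_path} {container_path.lstrip('/')} none bind,create=dir 0 0"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    default = default_idmap()
    print("www-data (33) with the default map owns host files as uid", host_id(33, default))
    print("the OMV user (host 1000) appears inside the container as", ns_id(1000, default))
    shared = passthrough_idmap(1000)
    print(render_lxc_config(shared, "/srv/dev-disk-by-label-data/nextcloud", "/srv/nextcloud"))
    print("host 1000 is now container", ns_id(1000, shared),
          "and www-data still maps to host", host_id(33, shared))
```

With the pass-through map in place, the share can be made group-writable for host gid 1000 and the container's www-data added to the group of the same number inside the container, so Nextcloud and the OMV user see the same owner and group on the same files; the cost is that one host id is now reachable from inside the container, which is the trade-off to weigh against copying data through Nextcloud's external storage instead.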
