Adding Extra Services
by Damien
Why?
An important part of any website is having the features that the users require. I am a user of my own website, so it is in my interest to make it useful to me. If this becomes useful to other people, this is a nice coincidence.
What?
- OwnCloud - A Google Drive replacement that includes some nifty features for sharing files within the server and with other servers. (If you want an account, email me at damien@techiedamien.xyz stating why you want it and what you will use it for)
- Searx - A meta search engine. It forwards your search to a configurable list of search engines and compiles the results for you. This results in increased privacy and better results!
- Jitsi - A video conferencing tool similar to Zoom. Jitsi uses end-to-end encryption (unlike many other tools out there) and can use peer-to-peer connections (after the initial connection to the server), which leads to increased bandwidth and better quality.
You may have noticed that all these services are open source, which is awesome because not only can you audit the code yourself, you can also freely edit and use the code as you see fit!
How?
If you want to set this up for yourself, the best course of action in most cases is to follow the official documentation. This works great for Searx and Jitsi, but OwnCloud only has documentation for LAMP setups. However, I use NginX instead of Apache, so I had to adapt the instructions as follows:
- Install PHP 7.3 and the following modules with this command (on Debian):
apt install php-fpm php-common php-mysql php-gmp php-curl php-intl php-mbstring php-xmlrpc php-gd php-xml php-cli php-zip
- Now install mariadb-server and mariadb-client.
- Run mysql_secure_installation and choose 'Y' for everything
- Now log in to the database with
mysql -u root -p
and run:
CREATE DATABASE owncloud;
CREATE USER 'ownclouduser'@'localhost' IDENTIFIED BY 'pick_a_secure_password';
GRANT ALL ON owncloud.* TO 'ownclouduser'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
- Download and extract OwnCloud from their website into a location of your choice (I recommend /var/www/owncloud)
- With that done, we can now configure NginX with the config at the end of this list.
- Before that will work, we first need to set up SSL certificates, so make sure certbot is installed, and run
certbot certonly --manual --preferred-challenges=dns --email <YOUR_EMAIL> --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d <YOUR_SUBDOMAIN>
# This file should be at /etc/nginx/sites-available/owncloud and linked to /etc/nginx/sites-enabled
upstream php-handler {
    server unix:/var/run/php/php7.3-fpm.sock;
}

server {
    root /var/www/owncloud;
    index index.php;
    server_name <YOUR_SUBDOMAIN>;
    client_max_body_size 512M;
    fastcgi_buffers 16 4K;
    fastcgi_ignore_headers X-Accel-Buffering;
    gzip off;

    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options "noopen";
    add_header X-Permitted-Cross-Domain-Policies none;

    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/<YOUR_SUBDOMAIN>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<YOUR_SUBDOMAIN>/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/<YOUR_SUBDOMAIN>/chain.pem;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location / {
        rewrite ^/remote/(.*) /remote.php last;
        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
        try_files $uri $uri/ =404;
    }

    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the location ~ \.php(?:$|/) { block
    location ~* \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options "noopen";
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    # Optional: Don't log access to other assets
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
        access_log off;
    }
}

#Redirect traffic to https
server {
    if ($host = <YOUR_SUBDOMAIN>) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    listen [::]:80;
    server_name <YOUR_SUBDOMAIN>;
    return 404;
}
Now restart php-fpm, NginX and mariadb, navigate to your subdomain in a browser, use the credentials made in step 4.2 and create your admin user! Now head to settings and mess around with them to get the configuration that you want.
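The order of the location blocks in the config above matters: nginx tries regex locations in file order and uses the first one that matches, so the two deny blocks have to stay above the PHP handler. The sketch below is an added example (not part of the original post or the OwnCloud documentation) that models that selection for the config's location blocks; the labels, the helper names resolve and php_first, and the sample paths are made up for illustration.

```python
import re

# Location blocks of the HTTPS server block above, in file order:
# (modifier, pattern, label). "" is a plain prefix location; the labels
# are illustrative names for what each block does.
LOCATIONS = [
    ("=", "/robots.txt", "robots"),
    ("~", r"^/(build|tests|config|lib|3rdparty|templates|data)/", "deny"),
    ("~", r"^/(?:\.|autotest|occ|issue|indie|db_|console)", "deny"),
    ("", "/", "try_files"),
    ("~", r"\.php(?:$|/)", "php-fpm"),
    ("~*", r"\.(?:css|js)$", "asset"),
    ("~*", r"\.(?:jpg|jpeg|gif|bmp|ico|png|swf)$", "asset"),
]


def resolve(uri, locations=LOCATIONS):
    """Label of the location nginx selects for an already-normalized URI path.

    Precedence: exact (=) match, then regex locations in file order (first
    match wins), then the longest matching prefix. A ^~ prefix would skip
    the regex pass, but this config has none.
    """
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label
    for mod, pat, label in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return label
    prefixes = [(len(p), lab) for m, p, lab in locations
                if m == "" and uri.startswith(p)]
    return max(prefixes)[1] if prefixes else None


def php_first(locations=LOCATIONS):
    """Hypothetical misordering: PHP handler moved above the deny blocks."""
    php = [loc for loc in locations if loc[2] == "php-fpm"]
    return php + [loc for loc in locations if loc[2] != "php-fpm"]


# Constructed request paths, not taken from real traffic.
SAMPLES = ["/config/config.php", "/data/alice/files/notes.php", "/.htaccess",
           "/occ", "/index.php", "/remote.php/webdav/a.txt",
           "/core/css/styles.CSS", "/robots.txt", "/apps/files/"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:30} as written: {resolve(uri):10} "
              f"php first: {resolve(uri, php_first())}")
```

With the blocks in the order given on this page, /config/config.php and anything under /data/ resolve to a deny block; with the PHP handler first, the same paths would be handed to PHP-FPM instead.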