Raspberry Pi home server: Difference between revisions
m (→OwnCloud) |
|||
Line 121: | Line 121: | ||
Opencloud requires the PHP modules ''zip dom XMLWriter XMLReader libxml SimpleXML''. These were installed above as php7.0-zip php7.0-xml. | Opencloud requires the PHP modules ''zip dom XMLWriter XMLReader libxml SimpleXML''. These were installed above as php7.0-zip php7.0-xml. | ||
nginx config is now adapted to serve OwnCloud from the subfolder /owncloud | |||
upstream php-handler { | |||
server 127.0.0.1:9000; | |||
#server unix:/var/run/php/php7.0-fpm.sock; | |||
} | |||
# | |||
server { | |||
listen 80 default_server; | |||
listen [::]:80 default_server; | |||
server_name install.pulspc.dk; | |||
return 301 https://$server_name$request_uri; | |||
} | |||
# | |||
server { | |||
listen 443 ssl default_server; | |||
listen [::]:443 ssl default_server; | |||
server_name install.pulspc.dk; | |||
# | |||
ssl_certificate /etc/letsencrypt/live/install.pulspc.dk/fullchain.pem; | |||
ssl_certificate_key /etc/letsencrypt/live/install.pulspc.dk/privkey.pem; | |||
# | |||
root /data/websites/rpiii/html; | |||
index index.php index.html index.hmt; | |||
# | |||
# Disable gzip to avoid the removal of the ETag header | |||
gzip off; | |||
# | |||
error_page 404 /404.html; | |||
error_page 500 502 503 504 /50x.html; | |||
location = /50x.html { | |||
root /data/websites/rpiii/html; | |||
} | |||
# | |||
# Error & Access logs | |||
error_log /data/websites/rpiii/logs/error.log error; | |||
access_log /data/websites/rpiii/logs/access.log; | |||
# | |||
location / { | |||
index index.php index.html index.hmt; | |||
} | |||
# | |||
location ~ /.well-known { | |||
allow all; | |||
} | |||
# | |||
## Begin - PHP | |||
location ~ \.php$ { | |||
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; | |||
fastcgi_split_path_info ^(.+\.php)(/.+)$; | |||
fastcgi_index index.php; | |||
include fastcgi_params; | |||
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; | |||
fastcgi_param HTTPS on; | |||
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice | |||
fastcgi_intercept_errors on; | |||
} | |||
## End - PHP | |||
# | |||
location ^~ /owncloud { | |||
# | |||
# set max upload size | |||
client_max_body_size 12G; | |||
fastcgi_buffers 64 4K; | |||
# | |||
# Disable gzip to avoid the removal of the ETag header | |||
gzip off; | |||
# | |||
# Uncomment if your server is build with the ngx_pagespeed module | |||
# This module is currently not supported. | |||
#pagespeed off; | |||
# | |||
error_page 403 /owncloud/core/templates/403.php; | |||
error_page 404 /owncloud/core/templates/404.php; | |||
# | |||
location /owncloud { | |||
rewrite ^ /owncloud/index.php$uri; | |||
} | |||
location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ { | |||
return 404; | |||
} | |||
location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) { | |||
return 404; | |||
} | |||
# | |||
location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) { | |||
fastcgi_split_path_info ^(.+\.php)(/.*)$; | |||
include fastcgi_params; | |||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |||
fastcgi_param PATH_INFO $fastcgi_path_info; | |||
fastcgi_param HTTPS on; | |||
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice | |||
fastcgi_param front_controller_active true; | |||
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; | |||
fastcgi_intercept_errors on; | |||
} | |||
# | |||
location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) { | |||
try_files $uri $uri/ =404; | |||
index index.php; | |||
} | |||
# | |||
# Adding the cache control header for js and css files | |||
# Make sure it is BELOW the PHP block | |||
location ~* \.(?:css|js)$ { | |||
try_files $uri /owncloud/index.php$uri$is_args$args; | |||
add_header Cache-Control "public, max-age=7200"; | |||
# Add headers to serve security related headers (It is intended to have those duplicated to the ones above) | |||
# Before enabling Strict-Transport-Security headers please read into this topic first. | |||
#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; | |||
add_header X-Content-Type-Options nosniff; | |||
add_header X-Frame-Options "SAMEORIGIN"; | |||
add_header X-XSS-Protection "1; mode=block"; | |||
add_header X-Robots-Tag none; | |||
add_header X-Download-Options noopen; | |||
add_header X-Permitted-Cross-Domain-Policies none; | |||
# Optional: Don't log access to assets | |||
access_log off; | |||
} | |||
# | |||
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ { | |||
try_files $uri /owncloud/index.php$uri$is_args$args; | |||
# Optional: Don't log access to other assets | |||
access_log off; | |||
} | |||
} | |||
} | |||
== PiHole DNS == | == PiHole DNS == |
Revision as of 21:07, 16 April 2017
About this page.
This page contains explanation of the things i did to make different projects live together on a single Raspberri Pi.
https://www.pestmeester.nl/ is the base inspiration for my Home Server. https://github.com/pi-hole/ provides super easy installation of an AdBlocking Domain Name Server functionality. https://github.com/pivpn/ provides super easy installation and administration of OpenVPN Server funnctionality.
Hardware
Raspberry Pi 3 Model B 4 Gb MicroSD card. USB Harddrive, 500 Gb SSHD Raspberry Pi Camera Board v2.
Basic installation
Download and write Raspian Lite to the MicroSD card
Raspi-config
Go thrugh all the menu points of the Rapsberry Pi SOftware Configuration Tool, and change the basic configuration to fit the needs of this Home Server.
Hardening + SSH
Follow the guide: Hardened SSH daemon using the 'sudo' command when root powah is required.
Add USB HD
I configured /dev/sdb1 to be mounted on /data, not the strange UUID..
Nginx, PHP7, MySQL
First the 'easy' stuff. Answer all install questions wisely!
sudo apt-get install nginx php-apc mysql-server
Then, because PHP 7 is not available in jessie repo I get it from the stretch repo:
# Add the GPG keys needed to use the stretch repository sudo gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553 sudo gpg -a --export 8B48AD6246925553 | sudo apt-key add - sudo gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010 sudo gpg -a --export 7638D0442B90D010 | sudo apt-key add - # Add the stretch repo as a source for apt sudo echo "deb http://httpredir.debian.org/debian stretch main contrib non-free" | sudo tee /etc/apt/sources.list.d/debian-stretch.list # Update the local apt index so the stretch repo is present sudo apt-get -y update # Install the needed PHP7 packages sudo apt-get -y install -y php7.0-fpm php7.0-curl php7.0-gd php7.0-cli php7.0-mcrypt php7.0-mysql php7.0-mbstring php7.0-zip php7.0-xml php7.0-common php7.0-json -t stretch # Remove the stretcg repo as a source sudo rm /etc/apt/sources.list.d/debian-stretch.list # Lastly I update the local apt source lists so stretch repo is removed. sudo apt-get -y update
Then continue the pestmeester guide but change the nginx configuration (/etc/nginx/sites-available/[your_configuration_file_name]) so it utilizes PHP7 and not the missing PHP5 ;-) Here you see what i use:
## Begin - PHP location ~ \.php$ { fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; } ## End - PHP
LetsEncrypt
This is my /etc/nginx/sites-available/[your_configuration_file_name] that force all clients to use HTTPS, and PHP7 :
server { listen 80 default_server; listen [::]:80 default_server; server_name install.pulspc.dk; return 301 https://$server_name$request_uri; } # server { listen 443 ssl default_server; listen [::]:443 ssl default_server; server_name install.pulspc.dk; # ssl_certificate /etc/letsencrypt/live/install.pulspc.dk/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/install.pulspc.dk/privkey.pem; # root /data/websites/rpiii/html; index index.php index.html index.htm; # error_page 404 /404.html; error_page 500 502 503 504 /50x.html; location = /50x.html { root /data/websites/rpiii/html; } # # Error & Access logs error_log /data/websites/rpiii/logs/error.log error; access_log /data/websites/rpiii/logs/access.log; # location / { index index.html index.php; } # location ~ /.well-known { allow all; } ## Begin - PHP location ~ \.php$ { fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; } ## End - PHP }
PHPMyAdmin
This requires php7.0-mbstring wich was installed earlier from the stretch repo :-)
OwnCloud
Make sure to check for / download the latest version. Find the information here.
Remember to config for PHP7
sudo vi /etc/php/7.0/fpm/pool.d/www.conf
Opencloud requires the PHP modules zip dom XMLWriter XMLReader libxml SimpleXML. These were installed above as php7.0-zip php7.0-xml.
nginx config is now adapted to serve OwnCloud from the subfolder /owncloud
upstream php-handler { server 127.0.0.1:9000; #server unix:/var/run/php/php7.0-fpm.sock; } # server { listen 80 default_server; listen [::]:80 default_server; server_name install.pulspc.dk; return 301 https://$server_name$request_uri; } # server { listen 443 ssl default_server; listen [::]:443 ssl default_server; server_name install.pulspc.dk; # ssl_certificate /etc/letsencrypt/live/install.pulspc.dk/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/install.pulspc.dk/privkey.pem; # root /data/websites/rpiii/html; index index.php index.html index.hmt; # # Disable gzip to avoid the removal of the ETag header gzip off; # error_page 404 /404.html; error_page 500 502 503 504 /50x.html; location = /50x.html { root /data/websites/rpiii/html; } # # Error & Access logs error_log /data/websites/rpiii/logs/error.log error; access_log /data/websites/rpiii/logs/access.log; # location / { index index.php index.html index.hmt; } # location ~ /.well-known { allow all; } # ## Begin - PHP location ~ \.php$ { fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_intercept_errors on; } ## End - PHP # location ^~ /owncloud { # # set max upload size client_max_body_size 12G; fastcgi_buffers 64 4K; # # Disable gzip to avoid the removal of the ETag header gzip off; # # Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off; # error_page 403 /owncloud/core/templates/403.php; error_page 404 /owncloud/core/templates/404.php; # location /owncloud { rewrite ^ /owncloud/index.php$uri; }
location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ { return 404; } location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } # location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) { fastcgi_split_path_info ^(.+\.php)(/.*)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_param front_controller_active true; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_intercept_errors on; } # location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) { try_files $uri $uri/ =404; index index.php; } # # Adding the cache control header for js and css files # Make sure it is BELOW the PHP block location ~* \.(?:css|js)$ { try_files $uri /owncloud/index.php$uri$is_args$args; add_header Cache-Control "public, max-age=7200"; # Add headers to serve security related headers (It is intended to have those duplicated to the ones above) # Before enabling Strict-Transport-Security headers please read into this topic first. #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; # Optional: Don't log access to assets access_log off; } # location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ { try_files $uri /owncloud/index.php$uri$is_args$args; # Optional: Don't log access to other assets access_log off; } } }
PiHole DNS
This must be installed using the option to NOT install the normally included webinterface, because that will require lighttpd, wich is not compatible with OwnCloud ;-) All PiHole administration must consequentially be done using terminal commands.