Raspberry Pi home server: Difference between revisions

From munkjensen.net/wiki
Line 200: Line 200:
             rewrite ^ /owncloud/index.php$uri;
             rewrite ^ /owncloud/index.php$uri;
         }
         }
 
        #
         location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
         location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
             return 404;
             return 404;

Revision as of 21:08, 16 April 2017

About this page.

This page contains explanation of the things i did to make different projects live together on a single Raspberri Pi.

https://www.pestmeester.nl/ is the base inspiration for my Home Server.
https://github.com/pi-hole/ provides super easy installation of an AdBlocking Domain Name Server functionality.
https://github.com/pivpn/ provides super easy installation and administration of OpenVPN Server funnctionality.

Hardware

Raspberry Pi 3 Model B
4 Gb MicroSD card.
USB Harddrive, 500 Gb SSHD
Raspberry Pi Camera Board v2.

Basic installation

Download and write Raspian Lite to the MicroSD card

Raspi-config

Go thrugh all the menu points of the Rapsberry Pi SOftware Configuration Tool, and change the basic configuration to fit the needs of this Home Server.

Hardening + SSH

Follow the guide: Hardened SSH daemon using the 'sudo' command when root powah is required.

Add USB HD

I configured /dev/sdb1 to be mounted on /data, not the strange UUID..

Nginx, PHP7, MySQL

First the 'easy' stuff. Answer all install questions wisely!

sudo apt-get install nginx php-apc mysql-server

Then, because PHP 7 is not available in jessie repo I get it from the stretch repo:

# Add the GPG keys needed to use the stretch repository
sudo gpg --keyserver pgpkeys.mit.edu --recv-key  8B48AD6246925553      
sudo gpg -a --export 8B48AD6246925553 | sudo apt-key add -
sudo gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010      
sudo gpg -a --export 7638D0442B90D010 | sudo apt-key add -
# Add the stretch repo as a source for apt
sudo echo "deb http://httpredir.debian.org/debian stretch main contrib non-free" | sudo tee /etc/apt/sources.list.d/debian-stretch.list
# Update the local apt index so the stretch repo is present
sudo apt-get -y update
# Install the needed PHP7 packages
sudo apt-get -y install -y php7.0-fpm php7.0-curl php7.0-gd php7.0-cli php7.0-mcrypt php7.0-mysql php7.0-mbstring php7.0-zip php7.0-xml php7.0-common php7.0-json -t stretch
# Remove the stretcg repo as a source
sudo rm /etc/apt/sources.list.d/debian-stretch.list
# Lastly I update the local apt source lists so stretch repo is removed.
sudo apt-get -y update

Then continue the pestmeester guide but change the nginx configuration (/etc/nginx/sites-available/[your_configuration_file_name]) so it utilizes PHP7 and not the missing PHP5 ;-) Here you see what i use:

## Begin - PHP
location ~ \.php$ {
  fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_index index.php;
  include fastcgi_params;
  fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}
## End - PHP

LetsEncrypt

This is my /etc/nginx/sites-available/[your_configuration_file_name] that force all clients to use HTTPS, and PHP7 :

server {
       listen 80 default_server;
       listen [::]:80 default_server;
       server_name install.pulspc.dk;
       return 301 https://$server_name$request_uri;
}
#
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
   server_name install.pulspc.dk;
   #
   ssl_certificate          /etc/letsencrypt/live/install.pulspc.dk/fullchain.pem;
   ssl_certificate_key      /etc/letsencrypt/live/install.pulspc.dk/privkey.pem;
   #
   root /data/websites/rpiii/html;
   index index.php index.html index.htm;
   #
   error_page 404 /404.html;
   error_page 500 502 503 504 /50x.html;
   location = /50x.html {
       root /data/websites/rpiii/html;
   }
   #
   # Error & Access logs
   error_log /data/websites/rpiii/logs/error.log error;
   access_log /data/websites/rpiii/logs/access.log;
   #
   location / {
       index index.html index.php;
   }
   #
   location ~ /.well-known {
               allow all;
   }
   ## Begin - PHP
   location ~ \.php$ {
     fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
   }
   ## End - PHP
}

PHPMyAdmin

This requires php7.0-mbstring wich was installed earlier from the stretch repo :-)

OwnCloud

Make sure to check for / download the latest version. Find the information here.

Remember to config for PHP7

sudo vi /etc/php/7.0/fpm/pool.d/www.conf

Opencloud requires the PHP modules zip dom XMLWriter XMLReader libxml SimpleXML. These were installed above as php7.0-zip php7.0-xml.

nginx config is now adapted to serve OwnCloud from the subfolder /owncloud

upstream php-handler {
   server 127.0.0.1:9000;
   #server unix:/var/run/php/php7.0-fpm.sock;
}
#
server {
       listen 80 default_server;
       listen [::]:80 default_server;
       server_name install.pulspc.dk;
       return 301 https://$server_name$request_uri;
}
#
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
   server_name install.pulspc.dk;
   #
   ssl_certificate          /etc/letsencrypt/live/install.pulspc.dk/fullchain.pem;
   ssl_certificate_key      /etc/letsencrypt/live/install.pulspc.dk/privkey.pem;
   #
   root /data/websites/rpiii/html;
   index index.php index.html index.hmt;
   #
   # Disable gzip to avoid the removal of the ETag header
   gzip off;
   #
   error_page 404 /404.html;
   error_page 500 502 503 504 /50x.html;
   location = /50x.html {
       root /data/websites/rpiii/html;
   }
   #
   # Error & Access logs
   error_log /data/websites/rpiii/logs/error.log error;
   access_log /data/websites/rpiii/logs/access.log;
   #
   location / {
       index index.php index.html index.hmt;
   }
   #
   location ~ /.well-known {
               allow all;
   }
   #
   ## Begin - PHP
   location ~ \.php$ {
      fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      fastcgi_index index.php;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
      fastcgi_param HTTPS on;
      fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
      fastcgi_intercept_errors on;
   }
   ## End - PHP
   #
location ^~ /owncloud {
       #
       # set max upload size
       client_max_body_size 12G;
       fastcgi_buffers 64 4K;
       #
       # Disable gzip to avoid the removal of the ETag header
       gzip off;
       #
       # Uncomment if your server is build with the ngx_pagespeed module
       # This module is currently not supported.
       #pagespeed off;
       #
       error_page 403 /owncloud/core/templates/403.php;
       error_page 404 /owncloud/core/templates/404.php;
       #
       location /owncloud {
           rewrite ^ /owncloud/index.php$uri;
       }
       #
       location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
           return 404;
       }
       location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
           return 404;
       }
       #
       location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
           fastcgi_split_path_info ^(.+\.php)(/.*)$;
           include fastcgi_params;
           fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
           fastcgi_param PATH_INFO $fastcgi_path_info;
           fastcgi_param HTTPS on;
           fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
           fastcgi_param front_controller_active true;
           fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
           fastcgi_intercept_errors on;
       }
       #
       location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) {
           try_files $uri $uri/ =404;
           index index.php;
       }
       #
       # Adding the cache control header for js and css files
       # Make sure it is BELOW the PHP block
       location ~* \.(?:css|js)$ {
           try_files $uri /owncloud/index.php$uri$is_args$args;
           add_header Cache-Control "public, max-age=7200";
           # Add headers to serve security related headers  (It is intended to have those duplicated to the ones above)
           # Before enabling Strict-Transport-Security headers please read into this topic first.
           #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
           add_header X-Content-Type-Options nosniff;
           add_header X-Frame-Options "SAMEORIGIN";
           add_header X-XSS-Protection "1; mode=block";
           add_header X-Robots-Tag none;
           add_header X-Download-Options noopen;
           add_header X-Permitted-Cross-Domain-Policies none;
           # Optional: Don't log access to assets
           access_log off;
       }
       #
       location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
           try_files $uri /owncloud/index.php$uri$is_args$args;
           # Optional: Don't log access to other assets
           access_log off;
       }
   }
}

PiHole DNS

This must be installed using the option to NOT install the normally included webinterface, because that will require lighttpd, wich is not compatible with OwnCloud ;-)
All PiHole administration must consequentially be done using terminal commands.

PiVPN server

WebCam, Htaccess password protected

Public accesible webpage.