Installing NextCloud on CentOS 7

So I’m going to walk thru installing Nextcloud on CentOS 7. Your mileage will vary if you attempt to use this as a guide to install NextCloud on CentOS 8 (which is EOL) or CentOS Stream 8/9 as it is not intended for those versions of CentOS.

Nextcloud is an open-source self-hosted sync and file sharing server that was forked from OwnCloud. It is written in PHP and JavaScript and supports multiple databases like MySQL, PostgreSQL, SQLite, and Oracle Database.

Before we get started, we will need to make sure we are set up with a LAMP stack. LAMP stands for Linux, Apache, MySQL, PHP. It’s bascially setting us up as a web server. And since we are going to be a webserver, we should also add Let’s Encrypt for SSL on our machine.

First step is to update your system.

yum -y update

Install PHP

To install PHP 8, you will need to add the EPEL and Remi repositories to your machine. You should also import the repo’s signing key.

yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm --import http://download.fedoraproject.org/pub/eprl/RPM-GPG-KEY-EPEL-7

yum -y install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi

You can verify the repositories were added by using the command below to look for the “php8” packages are there.

yum list php

Install “yum-utils”

yum -y install yum-utils

Enable the Remi repository for PHP, after disabling any existing repo for PHP.

yum-config-manager --disable 'remi-php*'
yum-config-manager --enable remi-php80

Install PHP and all of the required extensions

yum -y install php php-{bcmath,cli,common,curl,devel,gd,imagick,intl,json,mbstring,mcrypt,mysql,mysqlnd,pdo,pear,pecl-apcu,pecl-apcu-devel,ldap,xml,zip}

Verify PHP is installed and the version. You can see I was able to install PHP v8.0.17

php -v

Open the php.ini config file and set your timezone. You will need to uncomment the line for date.timezone and set it to your timezone of choice.

vi /etc/php.ini

date.timezone = Pacific/Honolulu

Raise PHP’s memory limit

sed -i '/^memory_limit =/s/=.*/= 512M/' /etc/php.ini

Install Apache

Install Apache on your machine.

yum -y install httpd mod_ssl

Start Apache and enable the Apache service at boot.

systemctl start httpd
systemctl enable httpd

Install MariaDB

Add the MariaDB repository to your machine

cat <<EOF | sudo tee /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.6/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF

Clean the yum cache

yum makecache fast

Install MariaDB 10.6

yum -y install MariaDB-server MariaDB-client

Start and enable MariaDB service:

systemctl start mariadb
systemctl enable mariadb

Secure or instance of Maria DB by running the ‘mariadb_secure_installation‘ command.

mariadb-secure-installation

Enter your root credentials when prompted. For the next two prompts, if you have your root account protected correctly, it will tell you so and you can follow the recommendation to enter ‘n’ for them.

For the next four prompts, enter ‘Y’ for them.

last of the mariadb secure installation script

Check your MariaDB and what version it is running this command below or login into the database and check as shown in the image below.

mysql -V

Create the Database and the user account for NextCloud using the commands below.

Take note of what you set for:
<nextcloud_db> : This will be the name of your NextCloud database.
<nextcloud_user> : This will be the NextCloud user.
<nextcloud_pw> : This is a strong password that you have created for your ‘nextcloud_user’.

mysql -u root -p

create database <nextcloud_db>;
create user '<nextclouduser>'@'localhost' identified BY '<nextcloud_pw>';
grant all privileges on <nextcloud_db>.* to '<nextclouduser>'@'localhost';
flush privileges;
\q

Give Apache access to MariaDB

setsebool -P httpd_can_network_connect_db 1

Let us go ahead and reboot the system before we proceed with installing NextCloud.

init 6

Installing NextCloud

Download the packages needed to download and unzip NextCloud

yum -y install wget unzip

Next, download the latest stable release of NextCloud to your system.

wget https://download.nextcloud.com/server/releases/latest.zip

Unzip the file we just downloaded, move the extracted folder, and then delete the zip file.

unzip latest.zip
mv nextcloud/ /var/www/html/
rm -f latest.zip

Create a data directory to store files that get uploaded to NextCloud. If you use a symlink, this can be any type of path to a NAS, SAN, or NFS. Give Apache permiss

mkdir /var/www/html/nextcloud/data
chown apache:apache -R /var/www/html/nextcloud/data

Give the Apache user and group ownership of the NextCloud folder.

chown apache:apache -R /var/www/html/nextcloud

The next step will create an Apache VirtualHost configuration file.

vi /etc/httpd/conf.d/nextcloud.conf

Copy and paste the following code block into the file.
Note: Make sure to update the “ServerName” and “ServerAdmin” settings to suit your environment. The “ServerName” is its FQDN, so remember to setup your DNS entry for it, if necessary.

<VirtualHost *:80>
  ServerName nextcloud.pwwf.com
  ServerAdmin nextcloud.admin@pwwf.com
  DocumentRoot /var/www/html/nextcloud
  <directory /var/www/html/nextcloud>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    SetEnv HOME /var/www/html/nextcloud
    SetEnv HTTP_HOME /var/www/html/nextcloud
  </directory>
</VirtualHost>

Configure SELinux

Install the SEMange package.

yum -y install policycoreutils-python

Add the context rules to allow NextCloud to write data into its directories.


semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data'
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/3rdparty(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'

restorecon -Rv /var/www/html

Configure Firewall

Set the firewall to allow http traffic.

firewall-cmd --add-service={http,https} --permanent
firewall-cmd --reload

Completing the NextCloud UI and Setup

Open your web browser of choice and enter either the server name URL you entered in the ‘nextcloud.conf’ file, or alternatively you could use the IP address of your machine, to access the NextCloud Web GUI.

example – http://nextcloud.pwwf.com/
http://10.1.2.169/

The first fields are for creating an admin account for your NextCloud instance. Set it to anything you wish, just don’t forget those credentials.

Then select “MySQL/MariaDB” and configure the database fields with the information we used earlier when we set up the database in MariaDB.

Then click on the “Install” button at the very bottom of the page.

Once the install completes, your dashboard will be ready to use.
In your browser, go to: http://<ServerName>/nextcloud/index.php/apps/dashboard

example: http://nextcloud.pwwf.com/nextcloud/index.php/apps/dashboard

Configure SSL with Let’s Encrypt

Having HTTP access is great… but I think that we would like to have some security. There are plenty of paid services out there to get an SSL from. But for this post let us add SSL encryption using the FREE resource that is Let’s Encrypt so that we can utilize HTTPS without any additional cost.

The first thing we need to do is install certbot.

yum -y install epel-release certbot

Next we will need to request our SSL certificate for this machine.

export DOMAIN="nextcloud.pwwf.com"
export EMAIL="admin@playswellwithflavors.com"
sudo certbot certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

Note: If certbot is not working for you, you will need to figure out whatever issue it is having before proceeding. If you cannot resolve it, the rest of this article will not benefit you. Unfortunately, troubleshooting certbot is outside the scope of this article.

After the SSL certificate has successfully been generated, it is time to edit your Apache config file for NextCloud, again.

vi /etc/httpd/conf.d/nextcloud.conf

Make your configuration file look like what I have below.
Note: Make sure to update the “ServerName” and “ServerAdmin” settings to suit your environment.

<VirtualHost *:80>
  ServerName nextcloud.pwwf.com
  ServerAdmin nextcloud.admin@pwwf.com
  Redirect permanent / https://nextcloud.pwwf.com
</VirtualHost>

<IfModule mod_ssl.c>
   <VirtualHost *:443>
  ServerName nextcloud.pwwf.com
  ServerAdmin nextcloud.admin@pwwf.com
     DocumentRoot /var/www/html/nextcloud
     <directory /var/www/html/nextcloud>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews

      <IfModule mod_dav.c>
        Dav off
      </IfModule>

        SetEnv HOME /var/www/html/nextcloud
        SetEnv HTTP_HOME /var/www/html/nextcloud
    </directory>

    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

RewriteEngine On
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/host-meta https://%{SERVER_NAME}/public.php?service=host-meta [QSA,L]
RewriteRule ^/\.well-known/host-meta\.json https://%{SERVER_NAME}/public.php?service=host-meta-json [QSA,L]
RewriteRule ^/\.well-known/webfinger https://%{SERVER_NAME}/public.php?service=webfinger [QSA,L]


   </VirtualHost>
</IfModule>

In your browser, you can now go to: https://<ServerName>/nextcloud/index.php/apps/dashboard

example: https://nextcloud.pwwf.com/nextcloud/index.php/apps/dashboard

Other Stuff

Enable OPCache

yum -y install php-opcache

Edit the opcache ini file like so

vi /etc/php.d/10-opcache.ini

Enable these values

zend_extension=opcache
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Then restart Apache

systemctl restart httpd

Pretty Links

To remove the “index.php” from every URL, open the Nextcloud config file.

vi /var/www/html/nextcloud/config/config.php

Depending on how your config file is setup, you will add one of the following entries below based on how your URL is configured. If you get this wrong, don’t worry, you will see an “Internal Server Error” message instead of your NextCloud page and will have to come back into this file and change it.

If your line for “overwrite.cli.url” looks like this

'overwrite.cli.url' => 'https://nextcloud.pwwf.com',

then add this line of code under it.

'htaccess.RewriteBase' => '/',

OR – If your line for “overwrite.cli.url” looks like this

'overwrite.cli.url' => 'https://nextcloud.pwwf.com/nextcloud',

Then you will want to add the following line of code under it.

'htaccess.RewriteBase' => '/nextcloud',

Run the following command

sudo -u apache php /var/www/html/nextcloud/occ maintenance:update:htaccess

Now go back to your browser and in the address bar, enter your pretty url without the ‘index.php’ in it…
In my case, it will be “https://nextcloud.pwwf.com/”

Proxy override

I was having an issue with the UI inside NextCloud. I could view folders and files, but I could not create new folders or files. After some troubleshooting recreating the NextCloud server and testing before adding the SSL certificate and also after adding the certificate, as well as testing bypassing the proxy I was able to confirm that the proxy was indeed causing me my headaches. This should help you if you are behind a proxy…

vi /var/www/html/nextcloud/config/config.php

Under your line for “overwrite.cli.url” add this entry.

'overwriteprotocol' => 'https',

This will make sure that any requests, and replies, are done over HTTPS and now HTTP.

Max Upload

PHP is going to try to limit the file upload size that you can use. Since I know you are going to probably want to save/share some large files, let us update those limits to something more realistic.

vi /etc/php.ini

Search the file and update these values to your desired limit, I’m going to set it to 10GB.

upload_max_filesize = 10240M
post_max_size = 10342M

While you can adjust these values to your environment, just remember to always make your “post_max_size” a little bit larger than your “upload_max_filesize”. This will keep you from having any issues when uploading a file that is the same size as your max upload limit.

Lastly, you will need to restart Apache.

systemctl restart httpd

Trash Cleanup

So NextCloud isn’t always great at cleaning up your deleted files. By design, it is set to hold on to your deleted items for 30 days, then it only forces a delete if you are running low on space. Since you’re probably sitting on at least a few terabytes of storage, those deleted files may never actually get deleted.

vi /var/www/html/nextcloud/config/config.php

Open your NextCloud config file.

Here is how you can control NextCloud’s behavior with these settings.

auto – default setting. keeps files and folders in the trash bin for 30 days and automatically deletes anytime after that if space is needed (note: files may not be deleted if space is not needed).
D, auto – keeps files and folders in the trash bin for D+ days, delete anytime if space needed (note: files may not be deleted if space is not needed)
auto, D – delete all files in the trash bin that are older than D days automatically, delete other files anytime if space needed
D1, D2 – keep files and folders in the trash bin for at least D1 days and delete when exceeds D2 days (note: files will not be deleted automatically if space is needed)
disabled – trash bin auto clean disabled, files and folders will be kept forever

To automatically delete the files after 30 days and allow NextCloud to purge them sooner if space is needed, you can add this line.

'trashbin_retention_obligation' => 'auto, 30',

To retain the files for 30 days and then absolutely purge them after 40 days, you would add this line.

'trashbin_retention_obligation' => '30, 40',

Install ClamAV

Here is how to add the open source antivirus tool ClamAV to the CentOS machine and configure it automatically run a virus scan on newly uploaded files. ClamAV detects all forms of malware including Trojan horses, viruses, and worms, and it operates on all major file types including Windows, Linux, and Mac files, compressed files, executables, image files, Flash, PDF, and many others. ClamAV’s Freshclam daemon automatically updates its malware signature database at scheduled intervals.

yum -y install clamav clamav-scanner clamav-scanner-systemd clamav-server clamav-server-systemd clamav-update

First edit freshclam.conf and configure your options.

vi /etc/freshclam.conf

Freshclam updates your malware database, so you want it to run frequently to get updated malware signatures. Run it manually post-installation to download your first set of malware signatures:

freshclam

Next, edit scan.conf.

vi /etc/clamd.d/scan.conf

Uncomment this line

LocalSocket /run/clamd.scan/clamd.sock

When you’re finished you must enable the clamd service file and start clamd:

systemctl enable clamd@scan.service
systemctl start clamd@scan.service

Cron Jobs

You will first want to check if there are any existing cronjobs.

crontab -u www-data -l

If you don’t see any NextCloud cron job after running the command above, add one.

crontab -u www-data -e

Add this line at the bottom to the last line, to check/run the NextCloud cron every 5 minutes.

*/5 * * * * php -f /var/www/nextcloud/cron.php

Open and edit your NextCloud config file to schedule the maintenance hours in UTC time.

vi /etc/httpd/conf.d/nextcloud.conf

'maintenance_window_start' => 10,

Other things…

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/index.html

Category: CentOS, Linux, NextCloud | LEAVE A COMMENT

10 April 2022

Upgrade CentOS 8 to CentOS 8 Stream

With CentOS 8 now EOL, it is officially time to upgrade CentOS 8 virtual machines to CentOS 8 Stream. The good news is that it is even quicker and easier than the upgrade from CentOS 7 to CentOS 8 was.

First things first… Take a backup of your virtual machine, or at least a snapshot so that you have something you can revert back to if something goes wrong in this process.

Take a look at what release your CentOS machine is currently running.

cat /etc/centos-release
cat /etc/os-release

As you can see this machine is currently on CentOS 8.5.2111.

At this point, I’m going to enter “sudo su” on my VM and then enter my credentials, so that I can continue as ‘root’ and I don’t have to type “sudo” before every single command.

To begin, start by updating your system.

dnf -y update

The next step is to update your machine to the current CentOS Stream release package.

dnf -y install centos-release-stream --allowerasing

This step repoints the machine to the CentOS Stream repository rather than the CentOS 8 repository.

sudo dnf swap centos-linux-repos centos-stream-repos

List and view all of the enabled repositories. You should see they are set to “CentOS Stream 8”.

sudo dnf repolist

Next, synchronize all of the installed packages on your machine.

Note: For situational awareness, this step will upgrade or downgrade packages to match the new CentOS Stream ABI/API and will apparently break 100% RHEL compatibility due to the ABI/API change. This is the perfect example of why you would want to take a full backup of the system before making any changes, just in case the ABI/API change breaks one of your applications running on the system.

dnf -y distro-sync

Reboot your system.

init 6

Confirm that we are now running on CentOS 8 Stream.

cat /etc/centos-release
cat /etc/os-release

We can now see that this machine is now running on CentOS Stream 8.

Category: CentOS, Linux | LEAVE A COMMENT

9 April 2022

Upgrade CentOS 7 to CentOS 8

Warning: CentOS 8 has reached End of Life (EOL) and is no longer supported. You should really consider moving to a supported OS such as CentOS 8 Stream.

I was looking at some virtual machines earlier today and I realized that they were not running the most current version of CentOS. Since I am going to upgrade them, I figured it’d be the perfect time to document the process of how to do it.

The first thing I do is make a backup of my virtual machine. You can’t recover from an accident if you don’t have a recovery point. At the very least, make sure you have taken a snapshot of your virtual machine.

Next, I verify what version of CentOS I’m on by running the following command.

cat /etc/centos-release

From the screenshot below you can see that I am currently on version 7.9.2009.

At this point, I’m going to enter “sudo su” on my VM and then enter my credentials, so that I can continue as ‘root’ and I don’t have to type “sudo” before every single command.

First step is to install the EPEL repository.

yum -y install epel-release

Next, install both ‘yum-utils’ and ‘rpmconf’ by using this command.

yum -y install yum-utils rpmconf

Next, use ‘rpmconf’ to resolve the RPM packages that are in use on your VM.

rpmconf -a

Then clean up any packages that are not required by your system.

package-cleanup --leaves

package-cleanup --orphans

Go ahead and reboot the system.

init 6

Log back in and do “sudo su” again.
CentOS uses the dnf package manager as its new default package manager, so time to install it.

yum -y install dnf

With dnf installed, it is time to remove the yum package manager.

dnf -y remove yum yum-metadata-parser
rm -Rf /etc/yum

Update all of the dnf packages.

dnf -y update

The next step is to install the CentOS 8 release package.

dnf -y install http://vault.centos.org/8.5.2111/BaseOS/x86_64/os/Packages/{centos-linux-repos-8-3.el8.noarch.rpm,centos-linux-release-8.5-1.2111.el8.noarch.rpm,centos-gpg-keys-8-3.el8.noarch.rpm}

Then upgrade the EPEL repository.

dnf -y upgrade https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
rpm --import http://download.fedoraproject.org/pub/eprl/RPM-GPG-KEY-EPEL-8

Next, clean up the dnf cached files.

dnf clean all
rm -rf /var/cache/dnf

CentOS Linux 8 had actually reached the End Of Life (EOL) as of December 31st, 2021. Which means that CentOS 8 will no longer receive development from the official CentOS project. After that EOL date, if you need to update your CentOS (yes, that means us right now), you need to change the mirrors to point to vault.centos.org where they are archived. So a better option would actually be to upgrade to CentOS Stream instead, but we’ll save that for another post…
Here is how to change the mirrors.

cd /etc/yum.repos.d/
sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
dnf update
cd

There are two packages, dracut-network and rpmconf, that conflict with upgradingand need to be removed.

dnf remove dracut-network rpmconf

Remove the old CentOS 7 kernel

rpm -e `rpm -q kernel`

Remove any conflicting packages that are not needed any longer

rpm -e --nodeps sysvinit-tools

Now run the upgrade for CentOS 8

dnf -y --releasever=8 --allowerasing --setopt=deltarpm=false distro-sync

Next it is time to install a new kernel on your VM.

dnf -y install kernel-core

The final step to perform is to install CentOS 8 minimal packages

dnf -y groupupdate "Core" "Minimal Install"

Now if you recheck you can see that both the CentOS version and the kernel version have been updated.

Category: CentOS, Linux | LEAVE A COMMENT

1 April 2022

Bitnami Start or Stop Services

I found a great Bitnami Docs KB article describing how to check the status of, and stop/start/restart the services running on your Bitnami instance.

Each Bitnami stack includes a control script that lets you easily check the status of, stop, start and restart services.

These are the commands that you would use. If you use them as-is below it will perform the specified action against all the Bitnami services on your instance.

sudo /opt/bitnami/ctlscript.sh status
sudo /opt/bitnami/ctlscript.sh start
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/ctlscript.sh restart

Or use any of the above against a single service that is running, such as Apache only, by passing the service’s name as an argument after the desired action, such as restart.

sudo /opt/bitnami/ctlscript.sh restart apache

The easiest way to learn the names of the services that are on your Bitnami instance is by simply checking all of their statuses with the status command as it returns the names of all the services on your instance.

sudo /opt/bitnami/ctlscript.sh status

Category: Bitnami, Linux, WordPress | LEAVE A COMMENT

13 November 2021

Adding a wildcard SSL certificate to your WordPress site

So this one threw me for a little bit of a loop when I was first trying to figure it out, even though it shouldn’t have. I was just overthinking it. There was plenty of documentation out there for adding a certificate to a single site, but there is not much when it comes to adding a wildcard certificate to a multi-site WordPress install. I guess that was where I had gotten confused. For reference, this was the specific KB article that helped me the most.

For folks that don’t know what I’m talking about, a multi-site install is one where you can host different WordPress sites on the same server. Meaning that site1.<yoursite>.com and site2 .<yoursite>.com could both reside on the same server even if they are about completely different content. Thus you would only have to cover the cost to host one server, instead of paying for two, one for each host. Yes, they do share some resources, so there are some possible drawbacks… But for most personal sites it should not really be an issue for a few sites to share the same host.

You will need OpenSSL installed on your machine before we continue. It’ll likely already be installed if you are using LInux. If it’s not installed please use your OS’s package manager to install it.

Generate a new private key:

sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048

Use that key to create a certificate:
***IMPORTANT: Enter the server domain name when the below command asks for the “Common Name”.***

sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr

Send the cert.csr file to your Certificate Authority (CA). After they complete their validation checks, they will issue you your new certificate.

Download your certificates. You should have received two files, one was your new certificate and the other file is the CA’s certificate. Rename them as follows:

STAR_YourSite_com.crt –> server.crt
STAR_YourSite_com.ca-bundle –> server-ca.crt

Backup your private key after generating a password-protected version in the pem format.

sudo openssl rsa -des3 -in /opt/bitnami/apache2/conf/server.key -out privkey.pem

Note: To regenerate the key and remove the password protection, you can use this command:

sudo openssl rsa -in privkey.pem -out /opt/bitnami/apache2/conf/server.key

We’re almost done. Next you’ll open the Apache configuration file to verify it’s setup to use the certificates you just uploaded. The config file can be found at: /opt/bitnami/apache2/conf/bitnami/

Scroll down until you find “<VirtualHost _default_:443>” and verify that it is pointing to the correct certificate, key, and CA certificate bundle that you uploaded earlier. You should find the below lines, if you don’t, go ahead and add them.

SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
SSLCACertificateFile "/opt/bitnami/apache2/conf/server-ca.crt"

Note: It’s easiest to use these default names and not a custom name for these files. If you use a custom name you might need to update that name in other spots of the Apache config file, and you’ll have to google that on your own. If your cert/key is using another name, I recommend just renaming them to the default names above that Apache uses.

After we have copied our files over and have verified that the Apache config file is correct, we are going to update the file persmissions on our certificate files. We will make them readable by the root user only with the following commands:

sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*

Open port 443 in the server firewall. If you’re using Bitnami you can reference this KB.

Restart your server.

Once it comes up, you should now be able to connect to your site using HTTPS.

If you are looking for where to purchase an SSL certificate, check out SSLs.com. I use them for my projects. I’ve shopped around, and they have the best deals that I have found anywhere on the Internet.

Category: AWS, Bitnami, WordPress | LEAVE A COMMENT

23 April 2021

WordPress tweaks

(Updated 12/6/2021) Here are a few tweaks that I have found and use on my WordPress installs to harden them and improve security. This post is mostly for my own benefit – for when I have to stand up a new server and can’t recollect what I did to my current server/site…. That said, I hope it helps you too.

Please note: While these work for me… I can not guarantee they will work for you.
Please make a backup of your site before you make any changes. I’m not responsible for any changes you make.

Follow my post about adding a SSL certificate to your site.

2. The one comes from the ReallySimpleSSL plugin. It’s a great plugin to use to migrate your site to SSL. Anyways, in one of their articles (link) they go over some settings to add to your site’s htaccess file. Please read their article, before adding the following lines so you understand what each is doing. (Just for reference, here is an article describing how the htaccess file works). If you are running bitnami, try look in “/opt/bitnami/apps/wordpress/conf”.

Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"

Another header that now needs to get added to your htaccess file is a “permissions-policy”, more info can be found here.

Header always set Permissions-Policy "geolocation=(); midi=(); notifications=(); push=(); sync-xhr=(); accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=(); usb=(); xr=(); speaker=(self); vibrate=(); fullscreen=(self);"

After updating your htaccess file, restart your apache service using the command below,

sudo /opt/bitnami/ctlscript.sh restart apache

Then scan your site’s headers using SecurityHeaders.com to verify that you pass with an A+.

3. A backup/restore solution for your site. I use and recommend the plugin called Up d raftPlus.

4. A solution like WPS Hide Login to hide the normal login page. This will help reduce login attempts done by bots.

5. A firewall and malware scanner solution like Wordfence.

6. Run your site’s URL thru the Qualys SSL Server Test, and address any SSL shortcoming the server might have.

That’s it for now. I’ll try to update this post with more tweaks and hardening suggestions as I implement things.

Category: Bitnami, WordPress | LEAVE A COMMENT

24 April 2020

RDP on Raspberry Pi

If you are like me, the computers around my house are predominately Windows based. Which is fine until you try to remotely connect to the desktop of your RPi. The Raspbian OS just doesn’t work MS’s Remote Desktop Protocol out of the box.

It can though, and all it takes a few is a few steps to enable to the RDP on Raspbian. And in my opinion, since I’m mostly on Windows, it is well worth it just for the convenience. I’ll be using Raspbian Buster in my examples below. If you’re not already on Buster, check out my article on upgrading Stretch to Buster.

Installing Xrdp on Rpi

Lets begin by updating your RPi with the following commands.

sudo apt update && sudo apt upgrade

Lets install Pixel on our RPi. Pixel is the default desktop environment on Raspbian desktop images. It’s stable, light weight, and fast. Which is perfect for running remotely on our RPi. To install Pixel, use the command below.

sudo apt-get install raspberrypi-ui-mods xinit xserver-xorg

After installing Pixel, it’s time for a reboot

sudo reboot now

Next we install the Xrdp package. It is available in the default Raspbian repositories. Use the command below to install Xrdp.

sudo apt install xrdp

The service will automatically start once it has installed, but we can check it’s status with the following command. It should display the status of “running” on the screen.

systemctl show -p SubState --value xrdp

Lastly we need to add the user that is running the service to the “ssl-cert” group. Xrdp uses the key file “/etc/ssl/private/ssl-cert-snakeoil.key” which is only read-able to the users of the “ssl-cert” group. USe the folowing command to add the user to the group.

sudo adduser xrdp ssl-cert

Your RPi now supports RDP! You can easily connect to it using the MS Remote Desktop Connection your Windows machines.

Connecting to your RPi from Windows

From your windows machine, click on the ‘Start menu’ or Windows Search field and type “remote”.

Once the Remote Desktop Connection App launches, enter the IP address of your RPi. Then click the “Connect” button.

Enter the login credentials for your RPi. Then click ‘Ok’.

BAM! Just like that you have successfully connected to and just RDP-ed into your RPi. Well done!

Category: Linux, RaspberryPi, Raspbian | LEAVE A COMMENT

18 April 2020

Network (RPi) Printer

Using a simple RPi we can turn an otherwise normal USB printer into a network printer. Making it easier to print from anywhere in your house, and using any computer in your house. Literally breathing a bit more life into your “old” printer that you were just considering tossing away.

We’ll take advantage of the CUPS software to make this happen. CUPS stands for Common Unix Printing System and is what runs most Linux printing software. It’s going to be the bit that does the communication to your printer to properly print your files. Lets get started…

To save some time before you do do this… First check if your printer is supported by visiting this link: https://www.openprinting.org/printers

Setting up CUPS

Open a terminal window or SSH into your RPi.

Make sure your RPi is up-to-date with the following commands:

sudo apt-get update sudo apt-get upgrade

Install CUPS with the following command

sudo apt-get install cups

Add the user ‘pi’ to the ‘lpadmin’ group. This will allow your user ‘pi’ to access all of the administrative functions of CUPS without having to be a superuser. Use the following command.

sudo usermod -a -G lpadmin pi

We need to make CUPS accessible to your whole network. Currently it is only accessible on the RPi itself. To allow it to accept all traffic, use the following commands.

sudo cupsctl --remote-any sudo /etc/init.d/cups restart

You can now access the RPi print server from any computer on your network. Use the following command if you are unsure of your IP adderss.

hostname -I

Now with that IP address open a web browser and enter the following url, replacing <ip-address> with the IP address of your RPi

http://<ip-address>:631

To allow our CUPS printer server to talk to Windows and to let our windows computers print to it, we need to setup SAMBA on the RPi. Use the following command to install SAMBA.

sudo apt-get install samba

After installing SAMBA, we will need to make a few edit it’s configuration file. Use the following command to open it’s config file in the nano editor.

sudo nano /etc/samba/smb.conf

Scroll down to the end of the file. Edit it to make it match the following:

# CUPS print server  
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = yes
read only = yes
create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = no
guest ok = no

Save and exit the editor by pressing ‘Ctrl-X’, then ‘Y’, then ‘Enter’

Restart SAMBA with the following command to load our configuration changes.

sudo systemctl restart smbd

Adding a printer to CUPS

Now with the software portion installed, we need to add the printer to CUPS. Make sure that you have turned the printer ‘On’ and that you have it connected to your RPi.

Open a web browser and enter the following url, replacing <ip-address> with the IP address of your RPi

http://<ip-address>:631

Click on the ‘Administrative’ tab at the top of the page.
Then click the “Add Printer” button.

On the ‘Add Printer’ screen select the name of the printer you want to set up, and click “Continue”.
In this example, we are setting up a HP LaserJet P2055d printer.

Note: If your printer appear on the screen, make sure that it is indeed ‘On’ and connected to your RPi. After verifying that it is, if it is still not appearing, you may need to try restarting your RPi while leaving the printer ‘On’ and connected.

This screen is where you give your printer a name, set a description for it, and a location. The most important thing to do on this screen is to click the tick box for “Sharing: Share This Printer”

On this screen you will select the model of your printer. CUPS tries to auto-detect the model of printer and will select a driver based off what you select. Your selection will differ from mine. Once you are happy with your selection, click the “Add Printer” button at the bottom.

The final screen will let you set the default printer options; paper size, tray, resolution, double-sided, etc….

While not required, I like to give the RPi one more reboot after adding the printer.

To check the status of the print and it’s print queue, use the following command on the RPi.

lpq HP_LaserJet_P2055d

It will display the printer name and if it’s “ready” and if any print jobs are pending.

Adding RPi printer to Windows 10

One thing I noticed when trying to add the printer to to my Windows 10 machines is that I had initially had problems auto-detecting and adding it. It just simply would not work. After a bit of searching the internet, I found a solution that did work for me.

Click on the ‘Start Menu’ and start typing “Printers”, then click on ‘Printers & scanner’.

Click on ‘Add a printer or scanner’

Windows will begin searching for printers… After a moment a link that appears that says “The printer that I want isn’t listed”. Click on that link.

This will open a ‘Add Printer’ window.
Click on the option “Select a shared printer by name”

Enter the “name” of your shared printer in the following format, then click ‘Next’.

http://<RPi/CUPS-IP_Address>:631/printers/<PrinterName>

Replace <RPi/CUP-IP_Address> with the IP address of your RPi
Replace <PrinterName> with the name of your shared printer

Note: You might have to manually select your printer driver if it is not automatically detected.

The page will show that the printer has been successfully added, and it will appear in your “Printers & scanners”

You can now print to your RPi printer!

Category: Linux, RaspberryPi, Raspbian | LEAVE A COMMENT

12 April 2020

Upgrade Raspbian Stretch to Buster

These instructions are taken from the Raspberry Pi Blog.

As with all major version changes, it is my recommendation to download a new clean image and start fresh with a clean system. (Raspbian Download page)
I don’t know what changes people have made to their system, and so have no idea what may break when you move to Buster. The instructions below will likely work on your system. However, that does not guarantee that it will work on your system.

I cannot provide support (or be held responsible) for any problems that arise if you try it. You have been warned! Make a backup before even considering to attempt this…

Open a terminal or SSH window to your RPi.
In the files /etc/apt/sources.list and /etc/apt/sources.list.d/raspi.list, change every use of the word “stretch” to “buster”.

sudo nano /etc/apt/sources.list
sudo nano /etc/apt/sources.list.d/raspi.list

Then run the following command

sudo apt update && sudo apt dist-upgrade

Wait for the upgrade to complete, answering ‘yes’ to any prompt. There may also be a point at which the install pauses while a page of information is shown on the screen – hold the ‘space’ key to scroll through all of this and then hit ‘q’ to continue.

The update will take anywhere from half an hour to several hours, depending on your network speed. When it completes, reboot your Raspberry Pi.

When the Pi has rebooted, launch ‘Appearance Settings’ from the main menu, go to the ‘Defaults’ tab, and press whichever ‘Set Defaults’ button is appropriate for your screen size in order to load the new UI theme.

Buster will have installed several new applications which we do not support. To remove these, open a terminal window and run the following command.

sudo apt purge timidity lxmusic gnome-disk-utility deluge-gtk evince wicd wicd-gtk clipit usermode gucharmap gnome-system-tools pavucontrol

Then run

sudo apt autoremove

The reboot your RPi one last time to complete the upgrade process.

To check the OS version of Raspbian you are running, run this command.

cat /etc/os-release

And remember…. Make a new backup of your RPi once you have finished testing things out on your new upgraded OS version.

Category: Linux, RaspberryPi, Raspbian | LEAVE A COMMENT

12 April 2020

Restoring your RPi

As I’ve said before, the data running on your RPi is only as good as it’s last backup. You have already backed up your RPi, right?

This article is going to cover how to restore the backup image of your RPi with Windows. While can also restore it using Linux or MacOS, I’m not going to cover those as I primarily use the Windows Operating System. If you desire more info on the RPi backup/restore process, please consult the official documentation here.

Restore on Windows

In Windows, we’ll use a utility called “Win32 Disk Imager”. If you followed my previous article on backing up your RPi you should already have it installed. If you haven’t, please go download and install Win32 Disk Imager onto your computer. It is this software that will allow us to restore the full image copy we made back to the micro-SD card of your RPi.

On your Windows computer, open the Win32 Disk Imager program.

In the upper right, under ‘Device’, select the drive letter of the card reader.
Mine is “D:\”, your will likely be different.

In the ‘Image File’ box, click on the folder button to browse to, and select, the location of your backup image file, which you’d like to restore.

Click the ‘Write’ button at the button to begin restoring your backup image.
There will be a popup message that warns about writing to the device, click ‘Yes’ and it will begin your restore

Once the restore completes, there will be a popup message stating that the write is complete that you need to click ‘OK’ to.

Your restore is now complete!

Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on. Everything should be there, exactly as it was at the time you made the backup.

Category: Backups, Linux, RaspberryPi, Raspbian | LEAVE A COMMENT