So if you know anything about managing Windows systems then you know about GPOs. In my honest opinion, GPOs are one of the greatest tools available in Windows. GPOs let you administratively manage all aspects of your computers. You can literally set about 99.9999% of any settings you ever wanted to configure on a computer.
One of the things that make GPOs so great is that it is expandable in that you can add new administrative templates as you add new software to your workstations in your domain. So not only can you manage just about any Microsoft or Windows setting, but you can also add in templates for third-party software from most of the big software venders and enterprise applications, as well as add new templates when new Microsoft releases new OSes and software.
The biggest downside of GPOs is that they can feel like a daunting wall when you first get started implementing them simply because there are sooo many settings that you can potentially configure – where to begin!?! And how do you figure out where to set some of those really odd settings. Well don’t worry, I don’t know anyone that remembers exactly where each setting is. For me, there are two resources that I regularly use to help me find the settings that I want to configure.
This is an official Microsoft tool that lets you search all of the various settings that are available to you in all Microsoft products. It’s a great resource to find where things are set just by using a keyword. Think of it as “Bing” (or “Google”) for GPOs. Out of these two links, this site is the easiest to navigate when looking specifically for Microsoft and Windows settings.
This site includes all of the Microsoft settings, but where it really shines is all of the third-party software settings it has indexed for you. If need to figure out where to set something in Chrome or Adobe or any other software, this site has you covered.
So this last site is just a bonus as it is not exactly a GPO site, but it comes in handy. It’s a way to convert registry settings into powershell commands that you can run. Paste your reg key into it and it will spit out the corresponding PS command for it.
I recently updated my home install of NextCloud right before I went to bed, and when I checked it the next day it was stuck in maintenance mode. Ugh… Thankfully it is easy enough to fix, but you will have to log onto the server to run an occ command from the command line.
The first thing you should try is completing the upgrade with this command.
If you ever forget your admin password, hopefully, you have someone else who is an administrator that can reset it for you. If that is not an option, then the worst-case scenario is that you can log into the server that is hosting your NextCloud and reset the password via the command line with the occ command.
sudo -u www-data php /var/www/nextcloud/occ user:resetpassword admin
Enter a new password:
Confirm the new password:
Successfully reset password for admin
The "www-data" user is going to be the user you have setup as your web service that run NextCloud. If you followed my post about setting up NextCloud, or if you are running on RHEL/CentOS/Fedora, that that user is going to be "apache".
If your Nextcloud username is not "admin", then substitute the username that you setup as your Nextcloud admin.
The Azure Serial console can be disabled and re-enabled for an entire subscription by using the following commands in the Azure CLI. To get the current status of the serial console in your subscripton use the following command:
$subscriptionId=$(az account show --output=json | jq -r .id)
az resource show --ids "/subscriptions/$subscriptionId/providers/Microsoft.SerialConsole/consoleServices/default" --output=json --api-version="2018-05-01" | jq .properties
To enable the serial console for a subscription, use the following commands:
$subscriptionId=$(az account show --output=json | jq -r .id)
az resource invoke-action --action enableConsole --ids "/subscriptions/$subscriptionId/providers/Microsoft.SerialConsole/consoleServices/default" --api-version="2018-05-01"
To disabled the serial console for a subscription, use the following commands:
$subscriptionId=$(az account show --output=json | jq -r .id)
az resource invoke-action --action disableConsole --ids "/subscriptions/$subscriptionId/providers/Microsoft.SerialConsole/consoleServices/default" --api-version="2018-05-01"
Here is how to add the open source antivirus tool ClamAV to the CentOS machine and configure it automatically run a virus scan on newly uploaded files. ClamAV detects all forms of malware including Trojan horses, viruses, and worms, and it operates on all major file types including Windows, Linux, and Mac files, compressed files, executables, image files, Flash, PDF, and many others. ClamAV’s Freshclam daemon automatically updates its malware signature database at scheduled intervals.
First edit freshclam.conf and configure your options.
vi /etc/freshclam.conf
Freshclam updates your malware database, so you want it to run frequently to get updated malware signatures. Run it manually post-installation to download your first set of malware signatures:
freshclam
Next, edit scan.conf.
vi /etc/clamd.d/scan.conf
Uncomment this line
LocalSocket /run/clamd.scan/clamd.sock
When you’re finished you must enable the clamd service file and start clamd:
Verify PHP is installed and the version. You can see I was able to install PHP v8.1.4
sudo php -v
Open the php.ini config file and set your timezone. You will need to uncomment the line for date.timezone and set it to your timezone of choice and set it to your timezone of choice. .
Secure or instance of Maria DB by running the ‘mariadb_secure_installation‘ command.
sudo mariadb-secure-installation
Enter your root credentials when prompted. For the next two prompts, if you have your root account protected correctly, it will tell you so and you can follow the recommendation to enter ‘n’ for them.
For the next four prompts, enter ‘Y’ for them.
Check your MariaDB and what version it is running this command below or login into the database and check as shown in the image below.
So I’m going to walk thru installing Nextcloud on CentOS 7. Your mileage will vary if you attempt to use this as a guide to install NextCloud on CentOS 8 (which is EOL) or CentOS Stream 8/9 as it is not intended for those versions of CentOS.
Nextcloud is an open-source self-hosted sync and file sharing server that was forked from OwnCloud. It is written in PHP and JavaScript and supports multiple databases like MySQL, PostgreSQL, SQLite, and Oracle Database.
Before we get started, we will need to make sure we are set up with a LAMP stack. LAMP stands for Linux, Apache, MySQL, PHP. It’s bascially setting us up as a web server. And since we are going to be a webserver, we should also add Let’s Encrypt for SSL on our machine.
First step is to update your system.
yum -y update
Install PHP
To install PHP 8, you will need to add the EPEL and Remi repositories to your machine. You should also import the repo’s signing key.
Verify PHP is installed and the version. You can see I was able to install PHP v8.0.17
php -v
Open the php.ini config file and set your timezone. You will need to uncomment the line for date.timezone and set it to your timezone of choice.
vi /etc/php.ini
date.timezone = Pacific/Honolulu
Raise PHP’s memory limit
sed -i '/^memory_limit =/s/=.*/= 512M/' /etc/php.ini
Install Apache
Install Apache on your machine.
yum -y install httpd mod_ssl
Start Apache and enable the Apache service at boot.
systemctl start httpd
systemctl enable httpd
Install MariaDB
Add the MariaDB repository to your machine
cat <<EOF | sudo tee /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.6/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
Clean the yum cache
yum makecache fast
Install MariaDB 10.6
yum -y install MariaDB-server MariaDB-client
Start and enable MariaDB service:
systemctl start mariadb
systemctl enable mariadb
Secure or instance of Maria DB by running the ‘mariadb_secure_installation‘ command.
mariadb-secure-installation
Enter your root credentials when prompted. For the next two prompts, if you have your root account protected correctly, it will tell you so and you can follow the recommendation to enter ‘n’ for them.
For the next four prompts, enter ‘Y’ for them.
Check your MariaDB and what version it is running this command below or login into the database and check as shown in the image below.
mysql -V
Create the Database and the user account for NextCloud using the commands below.
Take note of what you set for: <nextcloud_db> : This will be the name of your NextCloud database. <nextcloud_user> : This will be the NextCloud user. <nextcloud_pw> : This is a strong password that you have created for your ‘nextcloud_user’.
mysql -u root -p
create database <nextcloud_db>;
create user '<nextclouduser>'@'localhost' identified BY '<nextcloud_pw>';
grant all privileges on <nextcloud_db>.* to '<nextclouduser>'@'localhost';
flush privileges;
\q
Give Apache access to MariaDB
setsebool -P httpd_can_network_connect_db 1
Let us go ahead and reboot the system before we proceed with installing NextCloud.
init 6
Installing NextCloud
Download the packages needed to download and unzip NextCloud
yum -y install wget unzip
Next, download the latest stable release of NextCloud to your system.
Create a data directory to store files that get uploaded to NextCloud. If you use a symlink, this can be any type of path to a NAS, SAN, or NFS. Give Apache permiss
Give the Apache user and group ownership of the NextCloud folder.
chown apache:apache -R /var/www/html/nextcloud
The next step will create an Apache VirtualHost configuration file.
vi /etc/httpd/conf.d/nextcloud.conf
Copy and paste the following code block into the file. Note: Make sure to update the “ServerName” and “ServerAdmin” settings to suit your environment. The “ServerName” is its FQDN, so remember to setup your DNS entry for it, if necessary.
<VirtualHost *:80>
ServerName nextcloud.pwwf.com
ServerAdmin nextcloud.admin@pwwf.com
DocumentRoot /var/www/html/nextcloud
<directory /var/www/html/nextcloud>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
</directory>
</VirtualHost>
Configure SELinux
Install the SEMange package.
yum -y install policycoreutils-python
Add the context rules to allow NextCloud to write data into its directories.
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data'
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/3rdparty(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'
restorecon -Rv /var/www/html
Open your web browser of choice and enter either the server name URL you entered in the ‘nextcloud.conf’ file, or alternatively you could use the IP address of your machine, to access the NextCloud Web GUI.
example – http://nextcloud.pwwf.com/ http://10.1.2.169/
The first fields are for creating an admin account for your NextCloud instance. Set it to anything you wish, just don’t forget those credentials.
Then select “MySQL/MariaDB” and configure the database fields with the information we used earlier when we set up the database in MariaDB.
Then click on the “Install” button at the very bottom of the page.
Once the install completes, your dashboard will be ready to use. In your browser, go to: http://<ServerName>/nextcloud/index.php/apps/dashboard
Having HTTP access is great… but I think that we would like to have some security. There are plenty of paid services out there to get an SSL from. But for this post let us add SSL encryption using the FREE resource that is Let’s Encrypt so that we can utilize HTTPS without any additional cost.
The first thing we need to do is install certbot.
yum -y install epel-release certbot
Next we will need to request our SSL certificate for this machine.
Note: If certbot is not working for you, you will need to figure out whatever issue it is having before proceeding. If you cannot resolve it, the rest of this article will not benefit you. Unfortunately, troubleshooting certbot is outside the scope of this article.
After the SSL certificate has successfully been generated, it is time to edit your Apache config file for NextCloud, again.
vi /etc/httpd/conf.d/nextcloud.conf
Make your configuration file look like what I have below. Note: Make sure to update the “ServerName” and “ServerAdmin” settings to suit your environment.
To remove the “index.php” from every URL, open the Nextcloud config file.
vi /var/www/html/nextcloud/config/config.php
Depending on how your config file is setup, you will add one of the following entries below based on how your URL is configured. If you get this wrong, don’t worry, you will see an “Internal Server Error” message instead of your NextCloud page and will have to come back into this file and change it.
If your line for “overwrite.cli.url” looks like this
Now go back to your browser and in the address bar, enter your pretty url without the ‘index.php’ in it… In my case, it will be “https://nextcloud.pwwf.com/”
Proxy override
I was having an issue with the UI inside NextCloud. I could view folders and files, but I could not create new folders or files. After some troubleshooting recreating the NextCloud server and testing before adding the SSL certificate and also after adding the certificate, as well as testing bypassing the proxy I was able to confirm that the proxy was indeed causing me my headaches. This should help you if you are behind a proxy…
vi /var/www/html/nextcloud/config/config.php
Under your line for “overwrite.cli.url” add this entry.
'overwriteprotocol' => 'https',
This will make sure that any requests, and replies, are done over HTTPS and now HTTP.
Max Upload
PHP is going to try to limit the file upload size that you can use. Since I know you are going to probably want to save/share some large files, let us update those limits to something more realistic.
vi /etc/php.ini
Search the file and update these values to your desired limit, I’m going to set it to 10GB.
While you can adjust these values to your environment, just remember to always make your “post_max_size” a little bit larger than your “upload_max_filesize”. This will keep you from having any issues when uploading a file that is the same size as your max upload limit.
Lastly, you will need to restart Apache.
systemctl restart httpd
Trash Cleanup
So NextCloud isn’t always great at cleaning up your deleted files. By design, it is set to hold on to your deleted items for 30 days, then it only forces a delete if you are running low on space. Since you’re probably sitting on at least a few terabytes of storage, those deleted files may never actually get deleted.
vi /var/www/html/nextcloud/config/config.php
Open your NextCloud config file.
Here is how you can control NextCloud’s behavior with these settings.
auto – default setting. keeps files and folders in the trash bin for 30 days and automatically deletes anytime after that if space is needed (note: files may not be deleted if space is not needed).
D, auto – keeps files and folders in the trash bin for D+ days, delete anytime if space needed (note: files may not be deleted if space is not needed)
auto, D – delete all files in the trash bin that are older than D days automatically, delete other files anytime if space needed
D1, D2 – keep files and folders in the trash bin for at least D1 days and delete when exceeds D2 days (note: files will not be deleted automatically if space is needed)
disabled – trash bin auto clean disabled, files and folders will be kept forever
To automatically delete the files after 30 days and allow NextCloud to purge them sooner if space is needed, you can add this line.
'trashbin_retention_obligation' => 'auto, 30',
To retain the files for 30 days and then absolutely purge them after 40 days, you would add this line.
'trashbin_retention_obligation' => '30, 40',
Install ClamAV
Here is how to add the open source antivirus tool ClamAV to the CentOS machine and configure it automatically run a virus scan on newly uploaded files. ClamAV detects all forms of malware including Trojan horses, viruses, and worms, and it operates on all major file types including Windows, Linux, and Mac files, compressed files, executables, image files, Flash, PDF, and many others. ClamAV’s Freshclam daemon automatically updates its malware signature database at scheduled intervals.
First edit freshclam.conf and configure your options.
vi /etc/freshclam.conf
Freshclam updates your malware database, so you want it to run frequently to get updated malware signatures. Run it manually post-installation to download your first set of malware signatures:
freshclam
Next, edit scan.conf.
vi /etc/clamd.d/scan.conf
Uncomment this line
LocalSocket /run/clamd.scan/clamd.sock
When you’re finished you must enable the clamd service file and start clamd: