20 April 2022

Install ClamAV on CentOS 7

Here is how to add the open source antivirus tool ClamAV to the CentOS machine and configure it to automatically run a virus scan on newly uploaded files. ClamAV detects all forms of malware including Trojan horses, viruses, and worms, and it operates on all major file types including Windows, Linux, and Mac files, compressed files, executables, image files, Flash, PDF, and many others. ClamAV’s Freshclam daemon automatically updates its malware signature database at scheduled intervals.

yum -y install clamav clamav-scanner clamav-scanner-systemd clamav-server clamav-server-systemd clamav-update

First edit freshclam.conf and configure your options.

vi /etc/freshclam.conf

Freshclam updates your malware database, so you want it to run frequently to get updated malware signatures. Run it manually post-installation to download your first set of malware signatures:

freshclam

Next, edit scan.conf.

vi /etc/clamd.d/scan.conf

Uncomment this line

LocalSocket /run/clamd.scan/clamd.sock

When you’re finished you must enable the clamd service file and start clamd:

systemctl enable clamd@scan.service
systemctl start clamd@scan.service

Note, the default cron job for ClamAV runs every 3 hours to check for updates.

12 April 2022

Install PHP 8.1 on CentOS 7

To install PHP 8, you will need to add the EPEL and Remi repositories to your machine.

yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7

yum -y install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi

You can verify the repositories were added by using the command below to check that the “php8” packages are there.

sudo yum list php

Install “yum-utils”

sudo yum -y install yum-utils

Enable the Remi repo for PHP, after disabling any existing repo for PHP.

sudo yum-config-manager --disable 'remi-php*'
sudo yum-config-manager --enable remi-php81

Install PHP and all of the required extensions

sudo yum -y install php php-{bcmath,cli,common,curl,devel,gd,imagick,intl,json,mbstring,mcrypt,mysql,mysqlnd,pdo,pear,pecl-apcu,pecl-apcu-devel,ldap,xml,zip} 

Verify PHP is installed and the version. You can see I was able to install PHP v8.1.4

sudo php -v

Open the php.ini config file and set your timezone. You will need to uncomment the line for date.timezone and set it to your timezone of choice.

sudo vi /etc/php.ini
date.timezone = Pacific/Honolulu

12 April 2022

Install PHP 8.0 on CentOS 7

To install PHP 8, you will need to add the EPEL and Remi repositories to your machine.

yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7

yum -y install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi

You can verify the repositories were added by using the command below to check that the “php8” packages are there.

sudo yum list php

Install “yum-utils”

sudo yum -y install yum-utils

Enable the Remi repository for PHP, after disabling any existing repo for PHP.

sudo yum-config-manager --disable 'remi-php*'
sudo yum-config-manager --enable remi-php80

Install PHP and all of the required extensions

sudo yum -y install php php-{bcmath,cli,common,curl,devel,gd,imagick,intl,json,mbstring,mcrypt,mysql,mysqlnd,pdo,pear,pecl-apcu,pecl-apcu-devel,ldap,xml,zip}

Verify PHP is installed and the version. You can see I was able to install PHP v8.0.17

sudo php -v

Open the php.ini config file and set your timezone. You will need to uncomment the line for date.timezone and set it to your timezone of choice.

sudo vi /etc/php.ini
date.timezone = Pacific/Honolulu

12 April 2022

Install MariaDB on CentOS 7

Add the MariaDB repository to your machine

sudo cat <<EOF | sudo tee /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.6/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF

Rebuild the yum metadata cache so the new repository is picked up

sudo yum makecache fast

Install MariaDB 10.6

sudo yum -y install MariaDB-server MariaDB-client

Start and enable MariaDB service:

sudo systemctl start mariadb
sudo systemctl enable mariadb

Secure our instance of MariaDB by running the ‘mariadb-secure-installation’ command.

sudo mariadb-secure-installation

Enter your root credentials when prompted. For the next two prompts, if you have your root account protected correctly, it will tell you so and you can follow the recommendation to enter ‘n’ for them.


For the next four prompts, enter ‘Y’ for them.


Check which version of MariaDB you are running with the command below, or log in to the database and check there.

sudo mysql -V

11 April 2022

Installing NextCloud on CentOS 7

So I’m going to walk through installing Nextcloud on CentOS 7. Your mileage will vary if you attempt to use this as a guide to install NextCloud on CentOS 8 (which is EOL) or CentOS Stream 8/9 as it is not intended for those versions of CentOS.

Nextcloud is an open-source self-hosted sync and file sharing server that was forked from OwnCloud. It is written in PHP and JavaScript and supports multiple databases like MySQL, PostgreSQL, SQLite, and Oracle Database.

Before we get started, we will need to make sure we are set up with a LAMP stack. LAMP stands for Linux, Apache, MySQL, PHP. It’s basically setting us up as a web server. And since we are going to be a web server, we should also add Let’s Encrypt for SSL on our machine.

First step is to update your system.

yum -y update

Install PHP

To install PHP 8, you will need to add the EPEL and Remi repositories to your machine. You should also import the repo’s signing key.

yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7

yum -y install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi

You can verify the repositories were added by using the command below to check that the “php8” packages are there.

yum list php

Install “yum-utils”

yum -y install yum-utils

Enable the Remi repository for PHP, after disabling any existing repo for PHP.

yum-config-manager --disable 'remi-php*'
yum-config-manager --enable remi-php80

Install PHP and all of the required extensions

yum -y install php php-{bcmath,cli,common,curl,devel,gd,imagick,intl,json,mbstring,mcrypt,mysql,mysqlnd,pdo,pear,pecl-apcu,pecl-apcu-devel,ldap,xml,zip}

Verify PHP is installed and the version. You can see I was able to install PHP v8.0.17

php -v

Open the php.ini config file and set your timezone. You will need to uncomment the line for date.timezone and set it to your timezone of choice.

vi /etc/php.ini

date.timezone = Pacific/Honolulu

Raise PHP’s memory limit

sed -i '/^memory_limit =/s/=.*/= 512M/' /etc/php.ini

Install Apache

Install Apache on your machine.

yum -y install httpd mod_ssl

Start Apache and enable the Apache service at boot.

systemctl start httpd
systemctl enable httpd

Install MariaDB

Add the MariaDB repository to your machine

cat <<EOF | sudo tee /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.6/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF

Rebuild the yum metadata cache so the new repository is picked up

yum makecache fast

Install MariaDB 10.6

yum -y install MariaDB-server MariaDB-client

Start and enable MariaDB service:

systemctl start mariadb
systemctl enable mariadb

Secure our instance of MariaDB by running the ‘mariadb-secure-installation’ command.

mariadb-secure-installation

Enter your root credentials when prompted. For the next two prompts, if you have your root account protected correctly, it will tell you so and you can follow the recommendation to enter ‘n’ for them.


For the next four prompts, enter ‘Y’ for them.


Check which version of MariaDB you are running with the command below, or log in to the database and check there.

mysql -V

Create the Database and the user account for NextCloud using the commands below.

Take note of what you set for:
<nextcloud_db> : This will be the name of your NextCloud database.
<nextcloud_user> : This will be the NextCloud user.
<nextcloud_pw> : This is a strong password that you have created for your ‘nextcloud_user’.

mysql -u root -p

create database <nextcloud_db>;
create user '<nextcloud_user>'@'localhost' identified BY '<nextcloud_pw>';
grant all privileges on <nextcloud_db>.* to '<nextcloud_user>'@'localhost';
flush privileges;
\q

Give Apache access to MariaDB

setsebool -P httpd_can_network_connect_db 1

Let us go ahead and reboot the system before we proceed with installing NextCloud.

init 6

Installing NextCloud

Download the packages needed to download and unzip NextCloud

yum -y install wget unzip

Next, download the latest stable release of NextCloud to your system.

wget https://download.nextcloud.com/server/releases/latest.zip
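
Before unpacking, the archive can be checked against a published checksum. The script below is an added example, not part of the original post; it assumes the SHA-256 file is published next to the archive as latest.zip.sha256, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded archive
# against a published SHA-256 file before unpacking it.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | awk '{ print tolower($1) }'
}

# expected_hash SUMFILE: print the first 64-hex-digit field in SUMFILE.
# Only the digest is used. The file name recorded beside it may be the
# versioned archive name rather than latest.zip (assumption), in which case
# a plain "sha256sum -c" would look for a file that is not there.
expected_hash() {
    awk '{ h = tolower($1) }
         h ~ /^[0-9a-f]+$/ && length(h) == 64 { print h; exit }' "$1"
}

# verify_archive ARCHIVE SUMFILE: 0 = match, 1 = mismatch, 2 = unusable input.
verify_archive() {
    archive=$1
    sumfile=$2
    if [ ! -r "$archive" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $archive or $sumfile" >&2
        return 2
    fi
    want=$(expected_hash "$sumfile")
    if [ -z "$want" ]; then
        echo "no SHA-256 digest found in $sumfile" >&2
        return 2
    fi
    got=$(sha256_of "$archive")
    if [ "$got" = "$want" ]; then
        echo "OK: $archive matches $sumfile"
        return 0
    fi
    echo "MISMATCH: $archive expected $want got $got" >&2
    return 1
}

# On the server (assumes the checksum is published as latest.zip.sha256):
#   wget https://download.nextcloud.com/server/releases/latest.zip.sha256
#   verify_archive latest.zip latest.zip.sha256 || exit 1

# Constructed demo so the block runs offline.
demo=$(mktemp -d)
printf 'constructed stand-in for latest.zip\n' > "$demo/latest.zip"
printf '%s  nextcloud-X.Y.Z.zip\n' "$(sha256_of "$demo/latest.zip")" \
    > "$demo/latest.zip.sha256"
verify_archive "$demo/latest.zip" "$demo/latest.zip.sha256"
rm -rf "$demo"
```

A checksum fetched from the same server only catches a corrupted or truncated download; it does not help if the server itself serves a tampered archive.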

Unzip the file we just downloaded, move the extracted folder, and then delete the zip file.

unzip latest.zip
mv nextcloud/ /var/www/html/
rm -f latest.zip

Create a data directory to store files that get uploaded to NextCloud. If you use a symlink, this can be any type of path to a NAS, SAN, or NFS. Give Apache permiss

mkdir /var/www/html/nextcloud/data
chown apache:apache -R /var/www/html/nextcloud/data

Give the Apache user and group ownership of the NextCloud folder.

chown apache:apache -R /var/www/html/nextcloud

The next step will create an Apache VirtualHost configuration file.

vi /etc/httpd/conf.d/nextcloud.conf

Copy and paste the following code block into the file.
Note: Make sure to update the “ServerName” and “ServerAdmin” settings to suit your environment. The “ServerName” is its FQDN, so remember to set up your DNS entry for it, if necessary.

<VirtualHost *:80>
  ServerName nextcloud.pwwf.com
  ServerAdmin nextcloud.admin@pwwf.com
  DocumentRoot /var/www/html/nextcloud
  <directory /var/www/html/nextcloud>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    SetEnv HOME /var/www/html/nextcloud
    SetEnv HTTP_HOME /var/www/html/nextcloud
  </directory>
</VirtualHost>

Configure SELinux

Install the package that provides semanage.

yum -y install policycoreutils-python

Add the context rules to allow NextCloud to write data into its directories.


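semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data(/.*)?'
# The next rule labels everything under /var/www/html as writable by Apache, which is broader than the per-directory rules around it.
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?"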
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/3rdparty(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'

restorecon -Rv /var/www/html

Configure Firewall

Set the firewall to allow HTTP and HTTPS traffic.

firewall-cmd --add-service={http,https} --permanent
firewall-cmd --reload

Completing the NextCloud UI and Setup

Open your web browser of choice and enter either the server name URL you entered in the ‘nextcloud.conf’ file, or alternatively you could use the IP address of your machine, to access the NextCloud Web GUI.

example – http://nextcloud.pwwf.com/
http://10.1.2.169/

The first fields are for creating an admin account for your NextCloud instance. Set it to anything you wish, just don’t forget those credentials.

Then select “MySQL/MariaDB” and configure the database fields with the information we used earlier when we set up the database in MariaDB.

Then click on the “Install” button at the very bottom of the page.

Once the install completes, your dashboard will be ready to use.
In your browser, go to: http://<ServerName>/nextcloud/index.php/apps/dashboard

example: http://nextcloud.pwwf.com/nextcloud/index.php/apps/dashboard

Configure SSL with Let’s Encrypt

Having HTTP access is great… but I think that we would like to have some security. There are plenty of paid services out there to get an SSL certificate from. But for this post let us add SSL encryption using the FREE resource that is Let’s Encrypt so that we can utilize HTTPS without any additional cost.

The first thing we need to do is install certbot.

yum -y install epel-release certbot

Next we will need to request our SSL certificate for this machine.

export DOMAIN="nextcloud.pwwf.com"
export EMAIL="admin@playswellwithflavors.com"
# --standalone starts its own listener on port 80, so httpd must be stopped while this runs
sudo certbot certonly --standalone -d "$DOMAIN" --preferred-challenges http --agree-tos -n -m "$EMAIL" --keep-until-expiring

Note: If certbot is not working for you, you will need to figure out whatever issue it is having before proceeding. If you cannot resolve it, the rest of this article will not benefit you. Unfortunately, troubleshooting certbot is outside the scope of this article.

After the SSL certificate has successfully been generated, it is time to edit your Apache config file for NextCloud, again.

vi /etc/httpd/conf.d/nextcloud.conf

Make your configuration file look like what I have below.
Note: Make sure to update the “ServerName” and “ServerAdmin” settings to suit your environment.

<VirtualHost *:80>
  ServerName nextcloud.pwwf.com
  ServerAdmin nextcloud.admin@pwwf.com
  Redirect permanent / https://nextcloud.pwwf.com/
</VirtualHost>

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName nextcloud.pwwf.com
    ServerAdmin nextcloud.admin@pwwf.com
    DocumentRoot /var/www/html/nextcloud
    <directory /var/www/html/nextcloud>
      Require all granted
      AllowOverride All
      Options FollowSymLinks MultiViews

      <IfModule mod_dav.c>
        Dav off
      </IfModule>

      SetEnv HOME /var/www/html/nextcloud
      SetEnv HTTP_HOME /var/www/html/nextcloud
    </directory>

    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    SSLEngine on
    # certbot stores the issued certificate and key under /etc/letsencrypt/live/<domain>/
    SSLCertificateFile /etc/letsencrypt/live/nextcloud.pwwf.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.pwwf.com/privkey.pem

    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/host-meta https://%{SERVER_NAME}/public.php?service=host-meta [QSA,L]
    RewriteRule ^/\.well-known/host-meta\.json https://%{SERVER_NAME}/public.php?service=host-meta-json [QSA,L]
    RewriteRule ^/\.well-known/webfinger https://%{SERVER_NAME}/public.php?service=webfinger [QSA,L]
  </VirtualHost>
</IfModule>

In your browser, you can now go to: https://<ServerName>/nextcloud/index.php/apps/dashboard

example: https://nextcloud.pwwf.com/nextcloud/index.php/apps/dashboard
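
To confirm that the two virtual hosts behave as configured, the script below checks that port 80 redirects to HTTPS on the same host and that the HSTS header carries at least the configured max-age. It is an added example, not part of the original post; the function names are hypothetical and the sample responses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check saved response headers
# for the HTTPS redirect and the Strict-Transport-Security header.

# header_value NAME: read response headers on stdin, print NAME's first value.
header_value() {
    tr -d '\r' | awk -v want="$1" '
        { i = index($0, ":"); if (i == 0) next
          name = tolower(substr($0, 1, i - 1))
          val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
          if (name == tolower(want)) { print val; exit } }'
}

# hsts_max_age: read headers on stdin, print the HSTS max-age (empty if none).
hsts_max_age() {
    header_value Strict-Transport-Security | tr ';' '\n' | tr -d ' \t"' |
        awk -F= 'tolower($1) == "max-age" { print $2; exit }'
}

# check_vhost HOST HTTP_HEADERS HTTPS_HEADERS [MIN_AGE]
# Returns 0 only if the port-80 response redirects to https://HOST and the
# port-443 response sets HSTS with max-age >= MIN_AGE (default 15552000).
check_vhost() {
    host=$1; min_age=${4:-15552000}; rc=0
    loc=$(header_value Location < "$2")
    case $loc in
        "https://$host"|"https://$host/"*) echo "redirect ok: $loc" ;;
        *) echo "bad redirect from port 80: '$loc'" >&2; rc=1 ;;
    esac
    age=$(hsts_max_age < "$3")
    case $age in
        ''|*[!0-9]*) echo "HSTS header missing or malformed" >&2; rc=1 ;;
        *)  if [ "$age" -ge "$min_age" ]; then
                echo "hsts ok: max-age=$age"
            else
                echo "HSTS max-age $age is below $min_age" >&2; rc=1
            fi ;;
    esac
    return $rc
}

# Against the live server the header files would come from:
#   curl -sI http://nextcloud.pwwf.com/  > http.txt
#   curl -sI https://nextcloud.pwwf.com/ > https.txt

# Constructed sample responses so the block runs offline.
tmp=$(mktemp -d)
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://nextcloud.pwwf.com/\r\n\r\n' > "$tmp/http.txt"
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n' > "$tmp/https.txt"
check_vhost nextcloud.pwwf.com "$tmp/http.txt" "$tmp/https.txt"
rm -rf "$tmp"
```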

Other Stuff

Enable OPCache

yum -y install php-opcache

Edit the opcache ini file like so

vi /etc/php.d/10-opcache.ini

Enable these values

zend_extension=opcache
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Then restart Apache

systemctl restart httpd

Pretty Links

To remove the “index.php” from every URL, open the Nextcloud config file.

vi /var/www/html/nextcloud/config/config.php

Depending on how your config file is set up, you will add one of the following entries below based on how your URL is configured. If you get this wrong, don’t worry, you will see an “Internal Server Error” message instead of your NextCloud page and will have to come back into this file and change it.

If your line for “overwrite.cli.url” looks like this

'overwrite.cli.url' => 'https://nextcloud.pwwf.com',

then add this line of code under it.

'htaccess.RewriteBase' => '/',

OR – If your line for “overwrite.cli.url” looks like this

'overwrite.cli.url' => 'https://nextcloud.pwwf.com/nextcloud',

Then you will want to add the following line of code under it.

'htaccess.RewriteBase' => '/nextcloud',

Run the following command

sudo -u apache php /var/www/html/nextcloud/occ maintenance:update:htaccess

Now go back to your browser and in the address bar, enter your pretty url without the ‘index.php’ in it…
In my case, it will be “https://nextcloud.pwwf.com/”

Proxy override

I was having an issue with the UI inside NextCloud. I could view folders and files, but I could not create new folders or files. After some troubleshooting recreating the NextCloud server and testing before adding the SSL certificate and also after adding the certificate, as well as testing bypassing the proxy I was able to confirm that the proxy was indeed causing me my headaches. This should help you if you are behind a proxy…

vi /var/www/html/nextcloud/config/config.php

Under your line for “overwrite.cli.url” add this entry.

'overwriteprotocol' => 'https',

This will make sure that any requests, and replies, are done over HTTPS and not HTTP.

Max Upload

PHP is going to try to limit the file upload size that you can use. Since I know you are going to probably want to save/share some large files, let us update those limits to something more realistic.

vi /etc/php.ini

Search the file and update these values to your desired limit, I’m going to set it to 10GB.

upload_max_filesize = 10240M
post_max_size = 10342M

While you can adjust these values to your environment, just remember to always make your “post_max_size” a little bit larger than your “upload_max_filesize”. This will keep you from having any issues when uploading a file that is the same size as your max upload limit.

Lastly, you will need to restart Apache.

systemctl restart httpd

Trash Cleanup

So NextCloud isn’t always great at cleaning up your deleted files. By design, it is set to hold on to your deleted items for 30 days, then it only forces a delete if you are running low on space. Since you’re probably sitting on at least a few terabytes of storage, those deleted files may never actually get deleted.

Open your NextCloud config file.

vi /var/www/html/nextcloud/config/config.php

Here is how you can control NextCloud’s behavior with these settings.

  • auto – default setting. keeps files and folders in the trash bin for 30 days and automatically deletes anytime after that if space is needed (note: files may not be deleted if space is not needed).
  • D, auto – keeps files and folders in the trash bin for D+ days, delete anytime if space needed (note: files may not be deleted if space is not needed)
  • auto, D – delete all files in the trash bin that are older than D days automatically, delete other files anytime if space needed
  • D1, D2 – keep files and folders in the trash bin for at least D1 days and delete when exceeds D2 days (note: files will not be deleted automatically if space is needed)
  • disabled – trash bin auto clean disabled, files and folders will be kept forever

To automatically delete the files after 30 days and allow NextCloud to purge them sooner if space is needed, you can add this line.

'trashbin_retention_obligation' => 'auto, 30',

To retain the files for 30 days and then absolutely purge them after 40 days, you would add this line.

'trashbin_retention_obligation' => '30, 40',

Install ClamAV

Here is how to add the open source antivirus tool ClamAV to the CentOS machine and configure it to automatically run a virus scan on newly uploaded files. ClamAV detects all forms of malware including Trojan horses, viruses, and worms, and it operates on all major file types including Windows, Linux, and Mac files, compressed files, executables, image files, Flash, PDF, and many others. ClamAV’s Freshclam daemon automatically updates its malware signature database at scheduled intervals.

yum -y install clamav clamav-scanner clamav-scanner-systemd clamav-server clamav-server-systemd clamav-update

First edit freshclam.conf and configure your options.

vi /etc/freshclam.conf

Freshclam updates your malware database, so you want it to run frequently to get updated malware signatures. Run it manually post-installation to download your first set of malware signatures:

freshclam

Next, edit scan.conf.

vi /etc/clamd.d/scan.conf

Uncomment this line

LocalSocket /run/clamd.scan/clamd.sock

When you’re finished you must enable the clamd service file and start clamd:

systemctl enable clamd@scan.service
systemctl start clamd@scan.service

Cron Jobs

You will first want to check if there are any existing cronjobs.

crontab -u apache -l

If you don’t see any NextCloud cron job after running the command above, add one.

crontab -u apache -e

Add this line at the bottom of the file to run the NextCloud cron every 5 minutes.

*/5 * * * * php -f /var/www/html/nextcloud/cron.php

Open and edit your NextCloud config file to schedule the maintenance hours in UTC time.

vi /var/www/html/nextcloud/config/config.php

'maintenance_window_start' => 10,

Other things…

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/index.html