This is the third post in my “ownCloud series” and the first in a series of posts in “Going the Extra Mile” with your ownCloud instance. The aim here is to share with everyone things that may help you improve your performance, secure your instance, and increase the use case of ownCloud in your environment.

 


As a reminder, you can find the previous posts here:

Installation and Getting Started guide here:
http://gabrielbeaver.me/2015/07/owncloud-series-getting-started/

A walkthrough of the Web UI here:
http://gabrielbeaver.me/2015/12/owncloud-series-a-walk-in-your-cloud/

 

While we configured all the basics to install ownCloud and toured the interface in the previous posts, here we’ll begin going the extra mile. This post focuses on configuring a “memory cache” for your ownCloud instance.

 

What is memory cache and why do I need it?

ownCloud has a great post on what it is and why it’s needed here:

https://owncloud.org/blog/making-owncloud-faster-through-caching/

 

If you have followed my installation guide post, on the Admin section of your ownCloud you should see a “Security & setup warnings” section at the top, notifying you that you have no memory cache configured.

Configuring Redis for caching:

While ownCloud supports APC, APCu, Memcached, and Redis, in my view Redis is the best choice for your installation. ownCloud makes the case that Redis, while more complex, is more advanced and is the “recommended option” to configure.

You should do your own research on the differences between all the caching options and make your own decision. In this post we’ll go with Redis, the best option in my opinion.

Redis is, to quote the official site, “An open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker.”

You can learn more about Redis here:

http://redis.io/topics/introduction

 

You can find an excellent post on configuring Redis on Ubuntu 14.04 at the link below by Daniel Hansson. Please visit his site and donate if you can. I donated before posting this to say thanks. I will be using his guide with screenshots of the setup.

Daniel – if you happen to read this, many thanks for your efforts on documenting the Redis setup.

https://www.techandme.se/how-to-configure-redis-cache-in-ubuntu-14-04-with-owncloud/

This guide was written with the same intent as many of my posts: to share some specific knowledge with the world, but also to serve as an archive for personal reference later. There are a few places where I made minor changes to the setup.

 

Let’s begin the process of configuring Redis on your server.

Remove APC and Memcached:

# sudo php5dismod apcu && sudo apt-get purge php5-apcu -y

# sudo rm /etc/php5/mods-available/apcu-cli.ini

# sudo apt-get purge --auto-remove memcached -y && sudo php5dismod memcached

Dependencies:

# sudo apt-get update && sudo apt-get install build-essential -y

TCL for testing:

# sudo apt-get install tcl8.5 -y

Install:

# wget http://download.redis.io/releases/redis-stable.tar.gz && tar xzf redis-stable.tar.gz
# sudo mv redis-stable redis

Run make and test:

# cd redis && sudo make && taskset -c 1 make test

 

You should see the test suite finish with all tests passed.

If you see any errors, reboot your VM and try again. This was my experience in 2 of 3 installations.

If the test is fine, proceed:

# sudo make install

# cd utils && sudo ./install_server.sh

Keeping the default settings is fine. After installing, check the version:

# redis-server -v

 

Next you need to install the PHP Redis module for ownCloud:

# sudo apt-get install php-pear php5-dev

# sudo pecl install -Z redis

Notice the last line of the pecl output: it tells you to add “extension=redis.so” to your PHP configuration, which is what we do next. Create the redis.ini extension file:

# sudo touch /etc/php5/mods-available/redis.ini

In the blog post he says to do this, but it still gives a permissions error:

# sudo echo 'extension=redis.so' > /etc/php5/mods-available/redis.ini

(The sudo applies only to echo; the redirection into the file is performed by your own unprivileged shell, which is why it fails.)

I simply edited the file with nano and added the single line extension=redis.so:

# sudo nano /etc/php5/mods-available/redis.ini

Enable the module (I added the second sudo, which is not in his post; otherwise the restart fails):

# sudo php5enmod redis && sudo service apache2 restart

Test the module version:

# php --ri redis

Lastly, we edit the ownCloud config file:

# sudo nano /var/www/owncloud/config/config.php

Add this to the config (inside the $CONFIG array):

'memcache.local' => '\\OC\\Memcache\\Redis',
'filelocking.enabled' => true,
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
  'host' => 'localhost',
  'port' => 6379,
  'timeout' => 0,
  'dbindex' => 0,
),
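Two checks worth running once config.php is saved, added here as an example for this post (it is not the author’s code, nor ownCloud’s or Redis’s). The first parses the Redis configuration: Redis ships without authentication, and releases before 3.2 (which introduced protected mode) accept connections on every interface when no active bind line is present, so with the install_server.sh defaults you should confirm the daemon is bound to 127.0.0.1 only (the script writes its config to /etc/redis/6379.conf when you accept the defaults; adjust the path if you chose another). The second parses config.php and confirms that all three memcache.* keys name the Redis backend and that file locking is enabled. The redis.conf and config.php fragments in the block are constructed for the demonstration, one weak and one corrected of each.

```shell
#!/bin/sh
# Added example, not from the original post, ownCloud or Redis: two checks to
# run after the Redis setup above, before restarting Apache.

# check_redis_bind CONF: succeed only if every active "bind" address is loopback.
# With no uncommented bind line, Redis (before protected mode) listens on 0.0.0.0.
check_redis_bind() {
    redis_binds=$(sed -n 's/^[[:space:]]*bind[[:space:]][[:space:]]*//p' "$1")
    [ -n "$redis_binds" ] || return 1        # no bind line: exposed on all interfaces
    for redis_addr in $redis_binds; do       # a bind line may list several addresses
        case "$redis_addr" in
            127.0.0.1|::1) ;;                # loopback only
            *) return 1 ;;                   # reachable from the network
        esac
    done
    return 0
}

# check_owncloud_cache CONFIG_PHP: succeed only if memcache.local, .distributed
# and .locking all use the Redis backend and file locking is switched on.
check_owncloud_cache() {
    oc_backend='\\OC\\Memcache\\Redis'       # literal text as written in config.php
    oc_cfg=$(sed 's/[[:space:]][[:space:]]*/ /g' "$1")   # normalise spacing
    for oc_key in memcache.local memcache.distributed memcache.locking; do
        printf '%s\n' "$oc_cfg" | grep -Fq "'$oc_key' => '$oc_backend'" || return 1
    done
    printf '%s\n' "$oc_cfg" | grep -Fq "'filelocking.enabled' => true" || return 1
    return 0
}

# write_samples DIR: constructed redis.conf and config.php fragments for offline use.
write_samples() {
    cat > "$1/redis-weak.conf" <<'EOF'
# bind 127.0.0.1
port 6379
EOF
    cat > "$1/redis-hardened.conf" <<'EOF'
bind 127.0.0.1
port 6379
EOF
    cat > "$1/config-incomplete.php" <<'EOF'
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => array ( 'host' => 'localhost', 'port' => 6379 ),
);
EOF
    cat > "$1/config-complete.php" <<'EOF'
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => array ( 'host' => 'localhost', 'port' => 6379, 'timeout' => 0, 'dbindex' => 0 ),
);
EOF
}

# Demo run against the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in redis-weak.conf redis-hardened.conf; do
    if check_redis_bind "$demo_dir/$f"; then echo "$f: bound to loopback only"
    else echo "$f: EXPOSED (no loopback-only bind line)"; fi
done
for f in config-incomplete.php config-complete.php; do
    if check_owncloud_cache "$demo_dir/$f"; then echo "$f: cache config complete"
    else echo "$f: cache config incomplete"; fi
done
rm -rf "$demo_dir"
```

On a live server, point check_redis_bind at the redis.conf install_server.sh wrote and check_owncloud_cache at /var/www/owncloud/config/config.php; a non-zero exit from either is a reason not to restart Apache yet.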

(Screenshots in the original post: config.php before and after the change, then the ownCloud Admin page before and after, where the memory cache warning is gone.)

 

All the checks passed! That’s it for configuring your memory caching. In the next post, I’ll show you how to configure OpenVPN on your server and securely sync your data via VPN from your PC and mobile devices!

If this posting has helped you or you have any questions or comments, please leave them below. Thanks for reading.

In the first post, we started with a fresh install of Ubuntu server and finished with logging into the ownCloud web portal for the first time. In this post, we’ll be picking up right where we left off, focusing on a complete walkthrough in your cloud to help you understand the web management interface of ownCloud.

We’ll start with the Personal, Users, Admin, and Help sections. Then talk about the apps. Let’s Go!

At the top right of the web page, you should see the login name you chose. Click on it, and then select “Personal”. On this page there will be several sub-sections.

 

Sync Clients:

You’ll see direct links to the desktop and mobile sync clients. There are sync clients for Windows, Mac, and Linux desktops along with Android and iOS apps. These clients are used for file synchronization and work just like the Dropbox or Box file sync clients, except with more features. You also have a gauge showing you how much space is available for you to use.

Password:

Pretty simple, to change your password.

Full Name:

Set your full name here, this does NOT change your login name. Just makes it more personal. This is the name that is displayed in the top-right corner of the page.

Email:

Configure an email address for your user. This should be an email address where you can receive email. IMPORTANT – We have not configured our server to send emails yet, we will do this later.

Groups:

By default your first user is an admin, in the admin group. More on Groups in a bit.

Profile Picture:

You can select an avatar if you want. Since this is a new server, you’ll need to “upload new”. We’ll upload a profile picture in a later post!

Language:

ownCloud has the ability to utilize many other languages. You can configure this for your user here. This is a per-user setting. You can change this globally in the config.php file.

Notifications:

ownCloud has two ways to manage change notifications, Mail and Stream.

Federated Cloud:

This feature was introduced in ownCloud version 7; it’s server-to-server sharing. New in ownCloud 8.1 is the Federated Cloud ID. Learn more about it here: https://owncloud.org/federation/

 

(The original post embeds screenshots of the Federated Cloud settings and an official ownCloud introductory video on Federation here.)

Next, we’ll click back at the top-right and then select “Users”.

Here we can create and remove users and groups. One major point is you can limit storage space per-user, in any quantity you would like. It is especially helpful in scenarios where space is limited.

Perhaps the biggest use I have had from creating users is creating accounts for specific purposes. For example, I have found at times there are issues with sharing calendars. To share an account with multiple people, I simply create a user named “Calendar” and we use that account to centralize a few calendars.

 

On this page we can create new users and groups, and set storage limits. There is also the ability to grant/deny access to your ownCloud via LDAP. You can learn more about configuring LDAP with ownCloud here:

https://doc.owncloud.org/server/8.0/admin_manual/configuration_user/user_auth_ldap.html

 

Next, we’ll click again at the top-right and select “Admin”.

The Admin page is broken into several sections.

First – if there are any Security or Setup Warnings, they will appear at the very top. These are generally items that come up in fresh installations or after major upgrades. For example, we can improve performance by making some system-level changes to transactional file locking and the memory cache, and we have direct links to the ownCloud documentation on how to do it.

Then you have the remaining sections:

Sharing:

(Screenshot of the Sharing settings.)

File Handling:

Set limits on upload file sizes.

Mail templates:

You can create custom templates for several actions, for example activity notifications, sharing emails, and the lost password email. All can be customized for your usage.

Cron:

Here you decide how to handle background jobs. Simply clicking the “i” gives you a direct link to the official ownCloud documentation on configuring these. Very helpful.

https://doc.owncloud.org/server/8.2/go.php?to=admin-background-jobs

 


Server-side encryption:

Important to notice: once you turn this feature on, be prepared not to be able to go back. Again, more detail on encryption can be found by clicking the “i” link.

https://doc.owncloud.org/server/8.2/go.php?to=admin-encryption


Email server:

Here is where you can configure the FROM address and mail settings for your ownCloud server. ownCloud will detect your server’s capabilities. You can use PHP mail, SMTP, and others such as sendmail.

 


Log:

Here you can view the log events generated and filter them at several levels, from Fatal Only to Everything. These are especially helpful in troubleshooting errors with application plugins, upgrades, or random issues. Almost every time I’ve had an issue, I’ve been able to use the log to help track it down.


Tips & Tricks:

Here you’ll find links to helpful items to get you started with ownCloud: backups, monitoring, performance improvement, theming, securing your instance, and more. Keep an eye on this section when you upgrade for help improving, customizing, and securing your instance.

 


Updates:

ownCloud has vastly improved the upgrade process over the years. Now it is easier than ever to upgrade your instance directly from the admin page. You can opt for one of four update channels, the default being Production, with Stable, Beta, and Daily builds as the remaining options.



At the very bottom we have the indicator of the update channel, and exact version in use.

 

Next we will quickly go over the Help section. If you click in the top-right once more and select Help, you will see that you have direct access to the ownCloud user manual right from your ownCloud.

This information is all local to your server, so if you are unable to access the internet directly from your server, or if the ownCloud documentation is unavailable, or in any other scenario, you’ll always have the admin guide available to you.

 


Now let’s review some of the default apps.

At the home screen of your ownCloud, you see files and folders. If you click the dropdown, you will get a menu where you can select Files, Activity, Gallery, and Apps.

Activity:

Here you can see where files and folders were uploaded, renamed, shared, and much more. Most important, if you cannot sync or share a file, you will usually find the reason for that here. Our instance is new, so nothing is here yet!

Gallery:

The Gallery is simply used to view images. Having used ownCloud for years, I can say this app has been much improved. From the fullscreen viewer you can quickly download the photo, spin up a slideshow, or browse through photos. The Gallery is able to smart-sort your photos, so even if they are not in a single folder, the Gallery will recognize the file types and make them viewable.

Apps:

In my view, the Apps are where ownCloud really has the greatest potential to shine with limitless customization.

By default you have several apps and features enabled, but you can enable/disable these as you’d like at any time.

 

If you want to enable the LDAP app, for example, ownCloud will stop you before it fails if you don’t have the prerequisites.

Want to stream Music from your ownCloud to your computer or view your news RSS feeds from anywhere via your ownCloud? Simply enable the Multimedia apps Music and News.

 


Want to centralize your Bookmarks, configure remotely syncable Calendars and Contacts? Do you want to view your Gmail or other email or have a backup when access could be blocked to the mail server outright, direct from your ownCloud?

Simply enable and configure the Apps!


One small piece about Apps is to look at the settings option at the bottom-left. Here you can choose whether you want to “Enable experimental apps”.

Finally – if you are a user of desktop linux you may be familiar with the app sites like KDE-apps.org and gnomefiles.org.

ownCloud has an “appstore” with a very similar look and feel. Here developers can share their creations, which you can import into your ownCloud. Most of the apps list minimum system requirements and how to install the app.

https://apps.owncloud.com/

You can also find the ownCloud project on github.

https://github.com/owncloud

 


You can also connect with the ownCloud community on freenode IRC #owncloud. Just make sure you’ve taken a look on the forums and in the documentation for your questions, before asking the community.

 

This completes the walkthrough of the ownCloud user interface. In the next post we’ll get back to configuring our ownCloud and hopefully begin to work with some real data. If you’ve enjoyed this post or can think of any way to improve it, please let me know in the comments! Thanks for reading.

In one of my work environments we use Fortigate firewalls. With a complex rule-set, including multiple VDOMs, there are times where we need to figure out why some traffic (source) is not reaching its destination.

We had such a case recently, and I wrote this up for documentation, sharing is caring :). I’ve changed the IPs, vlans, vlinks, and VDOMs involved to obfuscate the data, but it should still prove to be a good example for you. In this example I assume you only know how to SSH into your firewall and that you know which VDOM the source or destination is in which you want to troubleshoot…

Problem – Determine why 192.168.1.10 is unable to reach 172.16.1.10 on TCP 25, as the Fortigate and server firewall rules are configured properly to allow this traffic.

Troubleshooting – Set up debug mode and then reproduce the issue.

=============================================================================
### Start an SSH session ###
=============================================================================

mycomputer:~ Gabe$ ssh gabe.beaver@noneofyourbiz.net
gabe.beaver@noneofyourbiz.net's password:

=============================================================================
### Here I show you the options – you will almost always go to config vdom ###
### Notice these sections match the separation in the web UI ###
=============================================================================

FORTIGATE01 #
config Configure object.
get Get dynamic and system information.
show Show configuration.
exit Exit the CLI.

FORTIGATE01 # config
global config global
vdom config vdom

FORTIGATE01 # config vdom

=============================================================================
### Next you need to specify the specific VDOM you want to work with ###
### There is an offset: root is ID 0, so VDOM0 is actually ID 1 ###
=============================================================================

FORTIGATE01 (vdom) # edit VDOM0
current vf=VDOM0:1

=============================================================================
### We want to start with a clear plate: ###
=============================================================================

FORTIGATE01 (VDOM0) # diag debug flow filter clear

FORTIGATE01 (VDOM0) # diag debug reset

FORTIGATE01 (VDOM0) # diag debug disable

=============================================================================
### Make sure to enable console trace message and function ###
=============================================================================

FORTIGATE01 (VDOM0) # diag debug flow show console enable
show trace messages on console

FORTIGATE01 (VDOM0) # diag debug flow show function-name enable
show function name

=============================================================================
### Now we enter the parameters to trace traffic. In this example I am ###
### looking for SMTP traffic from my VPN PPP adapter into VDOM0 ###
### X is the number of lines to capture; I usually say 100 ###
=============================================================================

FORTIGATE01 (VDOM0) # diag debug flow filter dport 25

FORTIGATE01 (VDOM0) # diag debug flow filter addr 192.168.1.10

FORTIGATE01 (VDOM0) # diag debug enable

FORTIGATE01 (VDOM0) # diag debug flow trace start X

=============================================================================
### Now begin your testing – you should see console data from the test ###
### If you do not see data, your filter is too restrictive or the data is not ###
### reaching the VDOM or firewall; verify routes and test data ###
### Below is sample data for the specific source 192.168.1.10 to dport 25 ###
=============================================================================

id=13 trace_id=4407 func=resolve_ip_tuple_fast line=4299 msg="vd-VDOM0 received a packet(proto=6, 192.168.1.10:53023->172.16.1.10:25) from vlan20."
id=13 trace_id=4407 func=init_ip_session_common line=4430 msg="allocate a new session-c5e8064b"
id=13 trace_id=4407 func=vf_ip4_route_input line=1603 msg="find a route: gw-10.20.1.1 via vlink11"
id=13 trace_id=4407 func=__iprope_tree_check line=534 msg="use addr/intf hash, len=10"
id=13 trace_id=4407 func=fw_forward_handler line=664 msg="Allowed by Policy-7:"
id=13 trace_id=4408 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=6, 192.168.1.10:53023->172.16.1.10:25) from vlink10."
id=13 trace_id=4408 func=init_ip_session_common line=4430 msg="allocate a new session-c5e8064c"
id=13 trace_id=4408 func=vf_ip4_route_input line=1603 msg="find a route: gw-10.10.1.1 via port0"
id=13 trace_id=4408 func=__iprope_tree_check line=534 msg="use addr/intf hash, len=4"
id=13 trace_id=4408 func=fw_forward_handler line=534 msg="Denied by forward policy check"
id=13 trace_id=4409 func=resolve_ip_tuple_fast line=4299 msg="vd-VDOM0 received a packet(proto=6, 192.168.1.10:53023->172.16.1.10:25) from vlan20."
id=13 trace_id=4409 func=resolve_ip_tuple_fast line=4335 msg="Find an existing session, id-c5e8064b, original direction"
id=13 trace_id=4409 func=ipv4_fast_cb line=50 msg="enter fast path"
id=13 trace_id=4410 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=6, 192.168.1.10:53023->172.16.1.10:25) from vlink10."
id=13 trace_id=4410 func=init_ip_session_common line=4430 msg="allocate a new session-c5e818ae"
id=13 trace_id=4410 func=vf_ip4_route_input line=1603 msg="find a route: gw-10.10.1.1 via port0"
id=13 trace_id=4410 func=__iprope_tree_check line=534 msg="use addr/intf hash, len=4"
id=13 trace_id=4410 func=fw_forward_handler line=534 msg="Denied by forward policy check"
id=13 trace_id=4411 func=resolve_ip_tuple_fast line=4299 msg="vd-VDOM0 received a packet(proto=6, 192.168.1.10:53023->172.16.1.10:25) from vlan20."
id=13 trace_id=4411 func=resolve_ip_tuple_fast line=4335 msg="Find an existing session, id-c5e8064b, original direction"
id=13 trace_id=4411 func=ipv4_fast_cb line=50 msg="enter fast path"
id=13 trace_id=4412 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=6, 192.168.1.10:53023->172.16.1.10:25) from vlink10."
id=13 trace_id=4412 func=init_ip_session_common line=4430 msg="allocate a new session-c5e831ff"
id=13 trace_id=4412 func=vf_ip4_route_input line=1603 msg="find a route: gw-10.10.1.1 via port0"
id=13 trace_id=4412 func=__iprope_tree_check line=534 msg="use addr/intf hash, len=4"
id=13 trace_id=4412 func=fw_forward_handler line=534 msg="Denied by forward policy check"

=============================================================================
### When you finish testing, disable debugging and clear the filters ###
=============================================================================

FORTIGATE01 (VDOM0) # diag debug reset

FORTIGATE01 (VDOM0) # diag debug disable

FORTIGATE01 (VDOM0) # diag debug flow filter clear

FORTIGATE01 (VDOM0) # end

FORTIGATE01 #
config Configure object.
get Get dynamic and system information.
show Show configuration.
exit Exit the CLI.

FORTIGATE01 # exit
Connection to noneofyourbiz.net closed.

With the debug we were able to find “Denied by forward policy check”.

http://kb.fortinet.com/kb/documentLink.do?externalID=FD31702

In our case we worked with Fortinet support and the issue was a problem with the NAT configuration for the subnet. Support resolved it almost immediately thanks to our ability to provide them a debug.
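Reading a flow trace by eye gets harder once the packet crosses VDOMs, so here is an added example (not part of the original post, and not a Fortinet tool) that condenses “diag debug flow” output into one line per trace_id: the VDOM and interface the packet arrived on, the 5-tuple, the route chosen, and the verdict. Run against the trace above it makes the hop visible at a glance: 4407 enters VDOM0 from vlan20, is allowed by Policy-7 and routed over vlink11; 4408 is the same packet arriving in root on vlink10, where the forward policy check denies it. The sample lines are copied from the trace above, and the awk only recognises the msg= texts that appear there, so extend the patterns for other FortiOS messages you meet.

```shell
#!/bin/sh
# Added example, not from the original post or from Fortinet: summarise a
# FortiGate "diag debug flow" trace as one line per trace_id.

# summarize_flow FILE: print "trace_id vd=VDOM in=INTF SRC->DST route=... verdict=..."
summarize_flow() {
    awk '
    {
        if (!match($0, /trace_id=[0-9]+/)) next
        tid = substr($0, RSTART + 9, RLENGTH - 9)          # 9 = length of "trace_id="
        msg = $0; sub(/.*msg="/, "", msg); sub(/"$/, "", msg)
        if (!(tid in seen)) { seen[tid] = 1; order[++n] = tid }
        if (msg ~ /^vd-.* received a packet/) {
            # vd-VDOM0 received a packet(proto=6, A:p->B:q) from vlan20.
            v = msg; sub(/^vd-/, "", v); sub(/ received.*/, "", v); vdom[tid] = v
            t = msg; sub(/.*proto=[0-9]+, /, "", t); sub(/\).*/, "", t); tuple[tid] = t
            i = msg; sub(/.* from /, "", i); sub(/\.$/, "", i); intf[tid] = i
        } else if (msg ~ /^find a route: /) {
            r = msg; sub(/^find a route: /, "", r); route[tid] = r
        } else if (msg ~ /^Allowed by / || msg ~ /^Denied by /) {
            v = msg; sub(/:$/, "", v); verdict[tid] = v       # policy decision
        } else if (msg ~ /^Find an existing session/) {
            verdict[tid] = "matched existing session"         # fast path, no policy lookup
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            tid = order[k]
            printf "%s vd=%s in=%s %s route=%s verdict=%s\n", tid, vdom[tid], intf[tid], tuple[tid], (tid in route) ? route[tid] : "-", (tid in verdict) ? verdict[tid] : "-"
        }
    }' "$1"
}

# first_denied FILE: the first trace whose verdict is a deny (empty if none).
first_denied() {
    summarize_flow "$1" | grep 'verdict=Denied' | head -n 1
}

# write_sample_trace FILE: the first three traces from the capture above.
write_sample_trace() {
    cat > "$1" <<'EOF'
id=13 trace_id=4407 func=resolve_ip_tuple_fast line=4299 msg="vd-VDOM0 received a packet(proto=6, 192.168.1.10:53023->172.16.1.10:25) from vlan20."
id=13 trace_id=4407 func=init_ip_session_common line=4430 msg="allocate a new session-c5e8064b"
id=13 trace_id=4407 func=vf_ip4_route_input line=1603 msg="find a route: gw-10.20.1.1 via vlink11"
id=13 trace_id=4407 func=__iprope_tree_check line=534 msg="use addr/intf hash, len=10"
id=13 trace_id=4407 func=fw_forward_handler line=664 msg="Allowed by Policy-7:"
id=13 trace_id=4408 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=6, 192.168.1.10:53023->172.16.1.10:25) from vlink10."
id=13 trace_id=4408 func=init_ip_session_common line=4430 msg="allocate a new session-c5e8064c"
id=13 trace_id=4408 func=vf_ip4_route_input line=1603 msg="find a route: gw-10.10.1.1 via port0"
id=13 trace_id=4408 func=__iprope_tree_check line=534 msg="use addr/intf hash, len=4"
id=13 trace_id=4408 func=fw_forward_handler line=534 msg="Denied by forward policy check"
id=13 trace_id=4409 func=resolve_ip_tuple_fast line=4299 msg="vd-VDOM0 received a packet(proto=6, 192.168.1.10:53023->172.16.1.10:25) from vlan20."
id=13 trace_id=4409 func=resolve_ip_tuple_fast line=4335 msg="Find an existing session, id-c5e8064b, original direction"
id=13 trace_id=4409 func=ipv4_fast_cb line=50 msg="enter fast path"
EOF
}

# Demo: summarise the sample and point at the first deny.
demo_trace=$(mktemp)
write_sample_trace "$demo_trace"
summarize_flow "$demo_trace"
echo "first deny: $(first_denied "$demo_trace")"
rm -f "$demo_trace"
```

Paste a real capture into a file (or pipe the SSH session through tee) and call summarize_flow on it; the first_denied line tells you which VDOM to look at before you open a support case.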

Many of my friends have heard me talk a great deal about ownCloud. I talk about it, because it is a tool that does so much for me and is completely FREE and open source. You can run ownCloud on a server at home or anywhere you can run a Linux server. As of version 8, Windows Server is no longer supported, so you’ll need to install ownCloud on a Linux server. Don’t worry – you don’t have to be a Linux superuser to run it. This guide will give you everything you need to setup your operating system AND ownCloud, with simplicity and security top of mind.

Here is a perfect description of ownCloud:

I pay $9/month for a virtual server that hosts ownCloud, a WordPress blog, and a few other things. ownCloud is my central point for my Calendar, Contacts, notes, tasks (reminders), files and folders (read: Dropbox/OneDrive), bookmarks, Email, and more! I would like to contribute to the project, but since I am not a developer, I decided to use what I do know about ownCloud by sharing my experiences to help others get started. I’ll provide some detail on how I use it that may help others get the best out of ownCloud.

There are many guides online on doing this; however, in this series I will focus on giving you the complete steps to go from a fresh Ubuntu server installation (14.04 in this guide) to an HTTPS-only https://cloud.your-domain.com. Then we’ll go beyond in future posts about applications (webmail, calendars, contacts, bookmarks, etc.), tweaking, etc.

Important notes:

1 – This installation will be in a subdomain, for example https://cloud.contoso.com, NOT in a subfolder such as https://www.contoso.com/cloud. I prefer the flexibility of subdomains, but you can tailor this to your choice – just know this is how I’ll detail the installation.

2 – I assume that you are either using this in a home testing environment, or that you have purchased a domain and configured DNS to point to your server’s public IP. If you don’t have public DNS you’ll need to edit your hosts file; here is how:
Windows – http://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/
Mac – http://www.imore.com/how-edit-your-macs-hosts-file-and-why-you-would-want
Linux – simply edit the /etc/hosts file

3 – This will be HTTPS only; HTTP will redirect to HTTPS. It will use self-signed certificates. Obviously in production, you’d buy a cert.

4 – If this post helps you in any way or if I can improve this installation guide, drop me a comment.

Follow Linode’s excellent getting started guide:

https://www.linode.com/docs/getting-started#ubuntu-1404–debian-7

Then secure your server:

https://www.linode.com/docs/security/securing-your-server/

Before going any further, make sure you’ve completed these previous steps. I highly recommend following the entire “Securing Your Server” section above before continuing! Don’t use the root user, pretty please.

Using an SSH key pair for login, disabling root login, configuring a firewall… These steps are always important for Ubuntu server setups and shouldn’t be skipped.

I SSH to many servers with key authentication. I highly recommend creating a config file in your ssh directory. Here is how to achieve this:

https://gabrielbeaver.me/2015/07/multi-ssh-key-profile-config-linuxmacos/


Now let’s get to installing ownCloud. Update your OS:

# sudo apt-get update && sudo apt-get upgrade

Enable SSH, if you haven’t already:

# sudo apt-get install openssh-server

Install apache2:

# sudo apt-get install apache2

Install PHP:

# sudo apt-get install php5 php5-mysql && sudo apt-get install php5-curl php5-gd php5-imagick php5-intl php5-json php5-mcrypt

Let’s go ahead and set the apache ServerName. If you don’t you’ll see this message when restarting the service:

“AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message”

# sudo nano /etc/apache2/conf-available/servername.conf

In the file simply type:

ServerName localhost

(control+X, Y. enter)

# sudo a2enconf servername

Let’s go ahead and enable SSL, the rewrite module, and restart apache for the ServerName and SSL to take effect:

# sudo a2enmod ssl && sudo a2enmod rewrite && sudo service apache2 restart

Now we will configure the post and upload max file size limits. As you’ll be uploading files, we want to make sure the limits are appropriate, rather than the small defaults suited to a simple CMS site.

# sudo nano /etc/php5/apache2/php.ini

Find these two defaults:

post_max_size = 8M
upload_max_filesize = 2M

I set mine to 2G for 2 Gigabytes.

Install MySQL (Remember to document the root password you choose):

# sudo apt-get install mysql-server

Remove test users, DBs, and root remote access:

# sudo mysql_secure_installation

Create ownCloud Database, and Database User (make sure to change CREATE_PASSWORD to the password you want to use):

# sudo mysql -u root -p
mysql> CREATE USER 'ownclouduser'@'localhost' IDENTIFIED BY 'CREATE_PASSWORD';
mysql> CREATE DATABASE owncloud;
mysql> GRANT ALL ON owncloud.* TO 'ownclouduser'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> exit

The last step before we begin is to create a directory in which to store the ownCloud user data. It is HIGHLY recommended that you not use /var/www/owncloud/data, but a directory outside of it, owned by the apache user. More on this in a bit.

# sudo mkdir /owncloud && sudo mkdir /owncloud/data
# sudo chown -R www-data:www-data /owncloud/data

Now we will install ownCloud. Find the latest release here (copy the tar.bz2 link in step 1):

https://owncloud.org/install/#instructions-server

We will grab the compressed file, uncompress it into a specific folder rather than simply into the Apache root, delete the source archive, then set proper permissions on the owncloud directory (make sure to edit owncloud-x.x.x.tar.bz2 for your version!):

# wget https://download.owncloud.org/community/owncloud-8.2.1.tar.bz2
# sudo tar -xvf owncloud-8.2.1.tar.bz2 -C /var/www/
# rm owncloud-8.2.1.tar.bz2
# sudo chown www-data:www-data -R /var/www/owncloud/

Next we need to configure the Apache site. There are multiple steps to configure this bit:

Configure the HTTP port 80 site.
Generate certificates (self-signed in this guide).
Configure the HTTPS port 443 site.

First, we’ll configure the HTTP port 80 site, knowing that we will be redirecting its traffic to HTTPS.

For example, if you visit http://cloud.your-domain.com, you will be automatically redirected to https://cloud.your-domain.com.

# sudo nano /etc/apache2/sites-available/owncloud.conf

<VirtualHost *:80>
     ServerAdmin you@domain.com
     ServerName cloud.your-domain-here.com
     # I add a permanent redirect in the next line - the choice is up to you #
     Redirect permanent / https://cloud.your-domain-here.com/
     DocumentRoot /var/www/owncloud

     <Directory />
                Options FollowSymLinks
                AllowOverride All
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/owncloud-HTTP-error.log
     CustomLog ${APACHE_LOG_DIR}/owncloud-HTTP-access.log combined
</VirtualHost>

Next we will create the certificates we’ll use for the HTTPS site. We create a directory for SSL certificates and a subdirectory specifically for ownCloud. The certificate will be valid for 10 years, and the command writes the server.key and server.crt files into the /etc/apache2/ssl/owncloud folder.

When prompted, fill in the information; the common name should be “cloud.your-domain.com”.

# sudo mkdir /etc/apache2/ssl && sudo mkdir /etc/apache2/ssl/owncloud
# sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/apache2/ssl/owncloud/server.key -out /etc/apache2/ssl/owncloud/server.crt

Now we create the HTTPS site:

# sudo nano /etc/apache2/sites-available/owncloud-ssl.conf

Here is an example; notice that SSLCertificateFile and SSLCertificateKeyFile are mapped to the files we just created in /etc/apache2/ssl/owncloud.

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                ServerName cloud.gabrielbeaver.me
                # I add Header info based on the doc.owncloud.org v8.1 admin guide #
                Header always add Strict-Transport-Security "max-age=15768000; preload"
                DocumentRoot /var/www/owncloud
                <Directory />
                        Options FollowSymLinks
                        AllowOverride All
                </Directory>

                <Directory /var/www/owncloud>
                        Options Indexes FollowSymLinks MultiViews
                        AllowOverride All
                        Order allow,deny
                        allow from all
                </Directory>

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                # The key and certificate generated with openssl above #
                SSLCertificateFile /etc/apache2/ssl/owncloud/server.crt
                SSLCertificateKeyFile /etc/apache2/ssl/owncloud/server.key

                #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
                #SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
                #SSLCARevocationPath /etc/apache2/ssl.crl/
                #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
                #SSLVerifyClient require
                #SSLVerifyDepth  10

                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                # MSIE 7 and newer should be able to use keepalive
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        </VirtualHost>
</IfModule>

Enable the HTTP site first and reload Apache:

# sudo a2ensite owncloud.conf && sudo service apache2 reload

If no errors are detected, enable the headers module, then the HTTPS site, and reload Apache:

# sudo a2enmod headers
# sudo a2ensite owncloud-ssl.conf && sudo service apache2 reload

Navigate to your site https://cloud.your-domain.com

You should get a warning that the certificate is not trusted. This is okay, as you can verify the data you entered yourself!

Then you will see the ownCloud welcome page. Take your time here and confirm your settings are correct before proceeding!

Specify a username and password for the admin account (document this) and change the location of the Data folder to the one we created above! Then enter the database user, that user's password, and the database we created earlier; leave the host as localhost, since this refers to the server's local MySQL instance.

When you hit Finish setup, you should be brought to the login screen!

In the next posts in the series, I will show how I tweak the server, how I have further configured ownCloud and my Ubuntu server, and how I use the applications every day.

What if you need to SSH with key authentication to more than a single host from your laptop or server? This came up while rebuilding a host, so it's worth sharing…

If you only ssh to a single host you'd never have an issue, but once you generate a second key pair you'll need to create a config file in your .ssh directory. The config file tells ssh which private key to use for each remote host. Here is how this works: I have a subfolder for each server and use the config file to point to them (you can lay this out however you wish, just make sure you have rights to the path!).

Files and folder layout:

/Users/Gabe/.ssh/Server1/(contains id_rsa and id_rsa.pub files)
/Users/Gabe/.ssh/Server2/(contains id_rsa and id_rsa.pub files)

The config file is placed here and does the magic:

/Users/Gabe/.ssh/config

Here is what the config file looks like when opened in a terminal:

# nano /Users/Gabe/.ssh/config

To open an ssh session, simply type:

# ssh Server1

Let's say we needed to add a third local key pair entry for an SSH host at 192.168.1.5 with a remote user named Spiderman. It would look like this:

Win.

Side note – probably best to configure limited permissions on your private id_rsa files!

# sudo chmod 600 /path/to/id_rsa
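As an added example (my own Python, not code or screenshots from the original post), here is the layout described above built in a scratch directory: one Host block per server pointing at its own IdentityFile, plus the side note's permission check and chmod 600 fix. The server addresses, the user gabe, and the placeholder key files are constructed sample values; the Spiderman entry at 192.168.1.5 is the third host from the text.

```python
# Added example (not from the post): the .ssh layout above built in a scratch
# directory, with the side note's permission check. Hosts, users and key
# files are constructed sample values (no real key material).
import os
import stat
import tempfile

# (alias, address, login user, key subfolder): the post's two servers plus
# the third entry for Spiderman at 192.168.1.5.
SERVERS = [
    ("Server1", "server1.example.com", "gabe", "Server1"),
    ("Server2", "server2.example.com", "gabe", "Server2"),
    ("Server3", "192.168.1.5", "Spiderman", "Server3"),
]

def render_ssh_config(ssh_dir, servers):
    """Return ssh_config text with one Host block per server."""
    blocks = []
    for alias, address, user, folder in servers:
        key = os.path.join(ssh_dir, folder, "id_rsa")
        # IdentitiesOnly stops ssh from offering the other servers' keys too.
        blocks.append(f"Host {alias}\n    HostName {address}\n    User {user}\n"
                      f"    IdentityFile {key}\n    IdentitiesOnly yes\n")
    return "\n".join(blocks)

def loose_private_keys(ssh_dir, servers):
    """Return id_rsa paths that group or others can read or write."""
    loose = []
    for _, _, _, folder in servers:
        path = os.path.join(ssh_dir, folder, "id_rsa")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            loose.append(path)
    return loose

def build_demo_layout():
    """Create the folders, placeholder keys and config; return (ssh_dir, config_path)."""
    ssh_dir = tempfile.mkdtemp(prefix="dot-ssh-")
    for _, _, _, folder in SERVERS:
        os.makedirs(os.path.join(ssh_dir, folder))
        key = os.path.join(ssh_dir, folder, "id_rsa")
        with open(key, "w") as f:
            f.write("PLACEHOLDER, not real key material\n")
        os.chmod(key, 0o644)  # deliberately too loose; fixed below
    config_path = os.path.join(ssh_dir, "config")
    with open(config_path, "w") as f:
        f.write(render_ssh_config(ssh_dir, SERVERS))
    os.chmod(config_path, 0o600)
    return ssh_dir, config_path

def fix_key_permissions(ssh_dir, servers):
    """Apply the side note's chmod 600 to every loose key; return what is still loose."""
    for path in loose_private_keys(ssh_dir, servers):
        os.chmod(path, 0o600)
    return loose_private_keys(ssh_dir, servers)

if __name__ == "__main__":
    ssh_dir, cfg = build_demo_layout()
    with open(cfg) as f:
        print(f.read())
    print("loose before:", loose_private_keys(ssh_dir, SERVERS))
    print("loose after: ", fix_key_permissions(ssh_dir, SERVERS))
```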

As part of my day-to-day duties as a “Systems Administrator”, I configure site-to-site VPN tunnels from my company's hosted devices to remote endpoints of all types. The most common scenario is IPSec VPN tunnels, with the endpoints on my side being Fortigate and Cisco ASA devices. Our team has done well over the years to establish policies and procedures, with a standard VPN form that makes the setup of these tunnels rather elementary. It's easy and mostly painless.

Raise your hand if setting up VPN tunnels is your idea of fun? Several emails back and forth, complicated, and the more frustrating the better, right? Nobody? Bueller? So – quick and painless sounds good right? Well, the folks over at AWS either skipped the “work smarter not harder” life lesson, or didn’t get my memo on “quick and painless site-to-site VPN setups”©, which leads me to my post today.

Today I’d like to share with everyone my experience with setting up redundant VPN tunnels from a Cisco ASA 5500 series device on my side, to Redundant Amazon Virtual Gateways.

You can find the official Amazon documentation on this configuration here, which is quite helpful:

http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html

You can also see there are quite a few threads online about this, so it seems to be a fairly common problem:

https://www.google.com/search?q=cisco+ASA+Amazon+IPSec&ie=utf-8&oe=utf-8#q=cisco+ASA+Amazon+IPSec+P2+error

There are a few gotchas in this configuration. In this post I address three of them, the most important being the VPN tunnel connection type. Here are the things I ran into that will hopefully help others set up their HA AWS VPN tunnels.

Let’s go.

1 – Thou shalt use AES-128 on the IPSec Proposal, not 256 even though it is 2015.

All of our tunnels use AES-256 in every other case, so this caught me off guard at first. The documentation does not explicitly say 128-bit, it simply says AES. The 128-bit key size is a static value on the Amazon side, unfortunately. Perhaps this is to allow more endpoint flexibility with older models. Perhaps they are just having fun with us? :)

2 – In your access list, make sure thou art only using a single extended permit statement. It will probably look like this:

access-list INTERFACE_cryptomap_XX extended permit ip any 172.31.0.0 255.255.0.0

Where INTERFACE = public or whichever interface
Where XX = crypto map policy number

This applies to both sides. You’ll have to use networks, as opposed to several individual entries. Lock down access via policies. Don’t use multiple /32 entries. If you do, expect failure. Make sure both sides match.

3 – Most important! Thou shalt change the VPN tunnel type FROM Bidirectional, TO Initiate-Only!

This took me quite a while to figure out. If you search Google, there are tons of threads on IPSec VPN Phase 2 problems with ASA remote endpoints. The golden forum post below is what helped me finally figure it out. As you can see, many, many people have problems with this:

https://forums.aws.amazon.com/thread.jspa?threadID=141058

“If you are getting those errors for “AWS_ENDPOINT_1” then try adding the following command to your crypto map settings:

crypto map map-name seq-num set connection-type originate-only

This will force the ASA to reject initiation requests from us. As we still send 0.0.0.0/0 so this will never match thus cause tunnel failures.”

The client configured their side properly, but the Amazon virtual device sends quad 0’s no matter what you place in your network settings. Again, this is probably to comply with older devices, or simple configs to work with a wide audience, and the setting is static! I’m just not doing quad 0’s, sorry AWS dudes.

I have photographic proof this is indeed true:

So, what does originate-only mean, compared to bidirectional? Here are the Cisco definitions of the tunnel types:

bidirectional—This specifies that this peer can accept and originate connections based on this crypto map entry. This is the default connection type for all Site-to-Site connections.

originate-only—This specifies that this peer initiates the first proprietary exchange in order to determine the appropriate peer to which to connect.

So – my ASA will originate the connection to AWS, not the other way around. This is key as we know Amazon will just spout out quad 0’s at us if it originates and that is just… the worst.

The config for originate-only looks like this:

crypto map MAP_NAME XX set connection-type originate-only

If you created the tunnel in the ASDM, you can find the crypto map name if you know the priority, with a command like this:

ASA# sh run crypto | incl 12

crypto map publicnew10_map 12 match address public_cryptomap_10
crypto map publicnew10_map 12 set pfs
crypto map publicnew10_map 12 set connection-type originate-only
crypto map publicnew10_map 12 set peer x.x.x.x
crypto map publicnew10_map 12 set transform-set ESP-AES-128-SHA
crypto map publicnew10_map 12 set security-association lifetime seconds 3600

It looks like this in the ASDM:

I am aware that you can set multiple peers for the same tunnel. You can find out how to do this here:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/67912-pix2pix-vpn-pix70-asdm.html

However, I tried setting up multiple peers with a tunnel map for the secondary per the Cisco documentation, and it did not work in my scenario. YMMV. If I get another one of these in the future, I'll try it in a single tunnel config, but for now it is working properly, as only the active node of the Amazon VPN virtual appliance handles requests.
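As an added example (my own Python, not code from the original post, Cisco, or AWS), here is a small audit that reads an ASA config and flags the three gotchas above: a transform set that is not esp-aes (which is AES-128 on the ASA), a crypto ACL with more than one permit or a host/32 entry, and a connection type other than originate-only. Both configs are constructed samples; the peer IP 203.0.113.10 and host 10.0.0.5 are placeholders, and the map and ACL names follow the post's show-run output.

```python
# Added example (not from the post): audit one ASA crypto map entry for the
# three AWS gotchas. Both configs are constructed samples; names follow the post.
import re

# Constructed sample that follows all three rules (peer IP is a placeholder).
GOOD_CONFIG = """\
access-list public_cryptomap_12 extended permit ip any 172.31.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map publicnew10_map 12 match address public_cryptomap_12
crypto map publicnew10_map 12 set pfs
crypto map publicnew10_map 12 set connection-type originate-only
crypto map publicnew10_map 12 set peer 203.0.113.10
crypto map publicnew10_map 12 set transform-set ESP-AES-128-SHA
crypto map publicnew10_map 12 set security-association lifetime seconds 3600
"""

# Constructed sample that breaks every rule: AES-256, a second /32 ACE,
# and the default bidirectional connection type.
BAD_CONFIG = (
    GOOD_CONFIG.replace("esp-aes ", "esp-aes-256 ")
    .replace("originate-only", "bidirectional")
    + "access-list public_cryptomap_12 extended permit ip host 10.0.0.5 "
      "172.31.0.0 255.255.0.0\n"
)

def crypto_map_entry(config, map_name, seq):
    """Collect 'crypto map <name> <seq> ...' lines into a settings dict."""
    prefix = f"crypto map {map_name} {seq} "
    settings = {}
    for line in config.splitlines():
        if line.startswith(prefix):
            words = line[len(prefix):].split()
            if words[0] == "match":          # match address <acl>
                settings["match_address"] = words[2]
            elif words[0] == "set":          # set <key> <values...>
                settings[words[1]] = words[2:]
    return settings

def audit_aws_tunnel(config, map_name, seq):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    entry = crypto_map_entry(config, map_name, seq)

    # 1. AES-128 only: the transform set must use esp-aes, not esp-aes-256.
    ts_name = entry.get("transform-set", [""])[0]
    ts = re.search(rf"^crypto ipsec (?:ikev1 )?transform-set {re.escape(ts_name)} (.+)$",
                   config, re.M) if ts_name else None
    ciphers = ts.group(1).split() if ts else []
    if "esp-aes" not in ciphers:
        findings.append(f"transform-set {ts_name!r}: need esp-aes (AES-128), got {ciphers}")

    # 2. Exactly one extended permit, networks only: no 'host' or /32 entries.
    acl = entry.get("match_address", "")
    aces = [l for l in config.splitlines()
            if l.startswith(f"access-list {acl} extended permit ")]
    if len(aces) != 1:
        findings.append(f"ACL {acl!r}: expected one extended permit, found {len(aces)}")
    for ace in aces:
        if " host " in ace or "255.255.255.255" in ace:
            findings.append(f"ACL {acl!r}: /32 entry breaks Phase 2: {ace!r}")

    # 3. The ASA must originate: AWS proposes 0.0.0.0/0, which never matches our ACL.
    if entry.get("connection-type") != ["originate-only"]:
        findings.append("connection-type must be originate-only, not bidirectional")
    return findings

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_aws_tunnel(cfg, "publicnew10_map", 12) or ["OK"])
```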

So there ya go, if Google brought you here, I hope this post has helped you with your ASA to AWS HA VPN tunnel config and the quad 0 nightmare :)

Any thoughts you want to share? Did my post help you or am I way off base? I always love comments.

Thanks,
Gabe

Lately I've been using ArchLinux quite a bit. In fact, I use it in a VM on my Mac every day for various tools and utilities. When you talk about or read about Archlinux online, the most common complaint and challenging aspect for most users is the initial installation process. Sure, it's not a simple point-and-click installation, but the installation process is very well documented on the Arch Wiki for a vast variety of hardware systems and situations. In fact, the Wiki for Arch is an extremely valuable overall resource. It's arguably one of the most well documented distributions. That, coupled with package management via pacman and the packages available from the Archlinux User Repository (AUR), makes it my personal favorite.

It's unfortunate that many people find the install process off-putting, don't try, or try and give up on Arch because of the difficulty. I've always thought a large part of the fun of using Linux was the tinkering and the experience-based learning. The installation of the system is a one-time thing that you never have to do again.

By completing the installation in the “Arch Way”, you know exactly how your hard drive is partitioned, exactly how the OS was installed, what is loaded at boot, etc. You have a solid minimal linux OS and the powerful pacman package manager at your fingertips. I don’t know about you but downloading and installing all my updates with “sudo pacman -Syu” then entering my password is super simple.

I highly recommend that new users run the installation in a virtual machine first. One resource that helped me create my first Arch install was a YouTube video by midfingr. He's got some other good video guides as well. YouTube in general is an excellent resource for seeing all the Desktop Environments (DE), themes, tweaks, and ways people are using Linux. The Google+ ArchLinux community is also quite active. You can discuss troubleshooting problems with your system, see screenshots of people's setups, etc.

Here is my current setup:

I highly recommend doing your install after having read the Wiki and following their notes as a guide. After having done about half a dozen or so Arch installs at this point, I have some notes and can pump out the install pretty fast. Here are my quick and dirty notes on how to install Archlinux, mostly for my reference but it may help others. I am assuming you’ve downloaded the ISO from the website and have booted to the target system:

Important note – It's recommended to use a separate home partition, but I don't usually do that. I just have the system and swap partitions. I'll include notes on that in case you want a separate home directory. Lines starting with # are notes; everything else is a shell command.

# Start with partitioning. Make two new partitions: 1 - root (/), 2 - swap. Set the swap partition type to 82, and use 'a' to toggle the bootable flag on the root partition.

# Use cfdisk for this (don't forget to write the changes and to make root / bootable)
cfdisk

# List partitions to confirm cfdisk did the right thing, then create filesystems and mount
fdisk -l /dev/sda
mkfs.ext4 /dev/sda1
mount /dev/sda1 /mnt
mkswap /dev/sda2
swapon /dev/sda2

# If you created a separate partition for the home directory, assuming sda3…
mkfs.ext4 /dev/sda3
mkdir -p /mnt/home
mount /dev/sda3 /mnt/home

# Need Wireless?
lspci -k
ls /sys/class/net
iw dev

# "wlp3s0" is the interface name listed in /sys/class/net; change the entries below if yours is different
ip link set wlp3s0 up
ip link show wlp3s0
dmesg | grep firmware
wifi-menu wlp3s0
ping -c 3 www.google.com

# Setup base install
pacstrap /mnt base base-devel
genfstab -p /mnt >> /mnt/etc/fstab

# Now we move over to the new base OS and configure it
arch-chroot /mnt

### You are in the new system now
# Set hostname
nano /etc/hostname

# Set Timezone, Find your zone, then link to your /etc/localtime
ls /usr/share/zoneinfo/
ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

# Continue System Config, root password, grub, etc.
mkinitcpio -p linux
passwd
pacman -S grub-bios
grub-install --recheck /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

# If you are installing on a disk that already has Windows, add a Windows entry to grub, otherwise it is not a bootable option. Run fdisk -l and find the Windows partition (marked with *).
# Edit the config with nano. Note that grub-mkconfig overwrites grub.cfg; to keep the entry across regenerations, put it in /etc/grub.d/40_custom and re-run grub-mkconfig.
nano /boot/grub/grub.cfg

# Config:
menuentry 'Windows version here' {
set root='(hd0,msdos1)'
chainloader +1
}

# Install dialog and wpa_supplicant (needed for wifi-menu after the reboot)
pacman -S dialog wpa_supplicant

# Reboot into the new base Arch system to continue the configuration
reboot

# Get an IP address; again, steps included if you need wifi and are not wired
dhcpcd
systemctl enable dhcpcd.service
ip link show wlp3s0
wifi-menu wlp3s0
ping -c 3 www.google.com

# Update the repo database, then update your machine
pacman -Syy
pacman -Syu

# Create a non-root user and add it to sudoers
useradd -m -g users -s /bin/bash username_here
passwd username_here
# visudo checks the syntax before saving, so a typo cannot lock you out of sudo
EDITOR=nano visudo

At this point, you can install and configure the DE of your choice, again consult the wiki. This is my base load that I have saved to a VM template. The base work is done, I just install the DE (KDE, GNOME, OpenBox, i3, etc) and DM (KDM, SLiM, GDM, etc) of my choice.

Hope this has been helpful, and thanks for reading.

A video I made with my children. Description:

Over the past several months, I have been using a new technique on occasion to help calm down disagreements between my kids. Believe it or not, my children don't always get along (I know it's hard to believe). It's especially effective when my 4 year old son and two year old daughter argue.

When they start raising their voices or whining, I just start copying (my daughter says “coffee’ing”) them by moving my lips, but without actually saying the words. Almost every time the kids go from fighting mad to laughing uncontrollably.

This does two things.
1) Shortens and stops the fight (Win!)
2) Helps me keep my sanity

Your mileage may vary. This statement and unsolicited parenting advice not verified by Parent’s Magazine or any other resource.

The other night I decided to sing along with my daughter while I recorded it and then it evolved. Hope you enjoy and laugh along with us :)


The Beavers

The beginning of April is an exciting time in United States. With the arrival of Spring time, we say goodbye to winter blizzards and cabin fever, and hello to warmer weather and the start of the Major League Baseball season.

Baseball has long been regarded as our “national pastime” in the US. It's no wonder, with its rich history and players through the last hundred years like Ruth, Mays, Cobb, Clemente, Yastrzemski, Berra, and Aaron. It would take forever to list out all the players, teams, seasons, special plays, and the overall impact the game itself has had in the lives of many Americans over the past several generations.

I recall stories my dad told me about baseball as a kid. He talked with such joy of listening to the world series on the radio. How excited he was to get out of school and listen to the game in the car with his dad. He mentioned the kids in his neighborhood would play pickup baseball games, and trade baseball cards (they would put the average player cards in their bike spokes).

As a kid growing up in the late 80’s and 90’s, I played in my first tee-ball league at 4 years old. From then on, I wanted to be the next Ken Griffey Jr, Ryne Sandberg, or Cal Ripken Jr. I spent almost every spring through fall playing little league, all-stars, AAU, and eventually high school and American Legion baseball. I enjoyed watching the home run race between Mark McGwire and Sammy Sosa in 1998. ESPN would break into the games and show their at-bats. History was being rewritten and Maris’ record would be broken. I enjoyed watching the Yankees win multiple world series, with the Red Sox at home on the couch :)

I loved playing middle infield and looked up to stars like Roberto Alomar, Derek Jeter, and even players like the lesser known Atlanta Braves shortstop Rafael Belliard. Belliard, at 5’6” tall and 150 lbs soaking wet, was someone I looked up to as a kid because he was always the smallest guy on the field. He didn’t play every game, but when he did play, he played hard. It was proof that with hard work and skill, anyone could make it. I played my final season of baseball in the American Legion, in North Carolina’s Area III division in 2006 having enjoyed all my years playing a game that I loved, but caring little for the professional game.

Playing in the Majors was a childhood dream, but I had largely lost interest in watching or keeping up with the sport. Some of this had to do with being busy with college and my career and starting a family, but a significant part of the lack of interest was due to many disappointing things that happened over the years, and still persist: the lack of energy in the game, and cheating.

Make no mistake, Baseball is a cheater’s game, not an honest man’s game. You lie, cheat, steal, and you take every advantage you can get. The pitcher tries to fool the hitter with every single pitch. Players steal bases, coaches try to steal signs, what about the old hidden ball trick, or Knoblauch slowing Lonnie Smith in a fake double play in the ’91 world series. These are all just part of playing the game. You can play this game and still be respected by just about everyone, including your rivals. I know Red Sox fans who have lots of respect for Derek Jeter, the way he plays the game, carries himself on and off the field. Even though he’s cheated on the field via his acting skills. Then there is the other kind of cheating altogether…

The race between Sosa and McGwire, was a scam, a fake. The memories of seeing slammin’ Sammy do the home run hop, and McGwire hug his children after winning the race were tainted by the fact these players were medically enhanced, steroid abusers. And over the last decade, baseball has been drug down, pun intended, by this “steroid era”. Since 2005 there have been 50+ suspensions. The 2013 season alone had 14 suspensions!

But there are other problems with the game. Prime time being one of them. The world series, and all-star games, all starting at 7:30PM+, in “Prime time” is great for commercial revenue, and I understand the game is indeed a business, but my 5 year old son along with my younger kids go to bed at 8-8:30PM each night. Gone are the early days of baseball's history when most stadiums did not have lights and games were only played during the day. Now almost all the day games are on Sunday and you've got games like Giants vs Dodgers at 8:00PM PDT. My memories of watching Cubs games on WGN during the day in the summers, and the memories and fun my dad had as a child in the 60's listening to the world series, all-star, and even regular season day games, are all but gone.

The final thing I think that is lacking is energy in the game. Maybe it’s free agency, and the big contracts, or perhaps it’s just me. Watch this clip below, the entire clip is great, but specifically at the 11:40, 34:00, and the ending at the 40:15 mark. The excitement, the energy of the players, the crowd, and Harry Caray proclaiming “It might be! It could be! It is! Holy cow!!!” The quality of the video is weak, but the sound and energy in that stadium almost 30 years ago, it just gives me chills. It’s not something you see in baseball much anymore, especially outside of the post season, in the majority of baseball stadiums throughout the season.

As the NFL has been branded by some over the last few years as the “No Fun League”, MLB in my book has been a Major League Bummer in many aspects over the last 15 years. Baseball is still an excellent game with tons of passionate fan bases and I’m hopeful the game will get better. They’ve introduced a “challenge system” this year, which may be a great thing for the game, it will take a few seasons to know for sure, but it’s great that the MLB is willing to take a risk on something to better the game.

The way the Red Sox won the 2013 world series for the city of Boston after last year's tragedy was special. If baseball can avoid blunders like launching the season in Australia, spitting in umpires' faces, and multiple grand jury indictments of players, while getting back to exciting young players and teams like Andrew McCutchen and the Pirates, baseball can be fun again. I purchased the audio pack on MLB.com and will be listening in on some games, mostly Yankee, Mariner, and Cubs games, throughout the 2014 season. When I tune in this year on TV or live audio stream, I hope to find America's “national pastime” and not TMZ.

Today I completed the migration of my blog from shared hosting to an Ubuntu 12.04 LTS cloudserver at Cloudservers.com.

I’ll be on the lookout for any broken links or other site issues. If you happen to encounter any please let me know.

Thanks!

Gabe