ownCloud Server Administration
Manual
Release 9.0
The ownCloud developers
January 24, 2018
CONTENTS
1 ownCloud 9.0 Server Administration Manual Introduction
1.1 Introduction
1.2 ownCloud Videos and Blogs
1.3 Target Audience
2 ownCloud 9.0 Release Notes
2.1 Changes in 9.0.11
2.2 Changes in 9.0
2.3 Enterprise 9.0
2.4 Changes in 8.2
2.5 Changes in 8.1
2.6 Enterprise 8.1 Only
2.7 ownCloud 8.0
2.8 Enterprise 8.0 Only
2.9 ownCloud 7 Release Notes
2.10 Enterprise 7 Only
3 What’s New for Admins in ownCloud 9.0
3.1 Enterprise Only
4 Installation
4.1 System Requirements
4.2 ownCloud Deployment Recommendations
4.3 Preferred Linux Installation Method
4.4 Installation Wizard
4.5 Installing ownCloud From the Command Line
4.6 Changing the Web Route
4.7 Installing and Managing Apps
4.8 Supported Apps in ownCloud
4.9 Manual Installation on Linux
4.10 ownCloud Community Appliance
4.11 Installing PHP 5.4 on RHEL 6 and CentOS 6
4.12 Installing PHP 5.5 on RHEL 7 and CentOS 7
4.13 SELinux Configuration
4.14 nginx Example Configurations
5 ownCloud Server Configuration
5.1 Warnings on Admin Page
5.2 Importing System-wide and Personal SSL Certificates
5.3 Using the occ Command
5.4 Configuring the Activity App
5.5 Configuring the ClamAV Antivirus Scanner
5.6 Configuring Memory Caching
5.7 Background Jobs
5.8 Config.php Parameters
5.9 Email Configuration
5.10 Linking External Sites
5.11 Custom Client Download Repositories
5.12 Knowledge Base Configuration
5.13 Language Configuration
5.14 Logging Configuration
5.15 Hardening and Security Guidance
5.16 Reverse Proxy Configuration
5.17 Using Third Party PHP Components
5.18 JavaScript and CSS Asset Management
5.19 Automatic Configuration Setup
5.20 ownCloud Server Tuning
5.21 Enable index.php-less URLs
6 User Management
6.1 User Management
6.2 Resetting a Lost Admin Password
6.3 Resetting a User Password
6.4 User Authentication with IMAP, SMB, and FTP
6.5 User Authentication with LDAP
6.6 LDAP User Cleanup
6.7 User Provisioning API
7 File Sharing and Management
7.1 File Sharing
7.2 Configuring Federation Sharing
7.3 Uploading big files > 512MB
7.4 Configuring the Collaborative Documents App
7.5 Providing Default Files
7.6 Configuring External Storage (GUI)
7.7 Configuring External Storage (Configuration File)
7.8 External Storage Authentication mechanisms
7.9 Encryption Configuration
7.10 Transactional File Locking
7.11 Previews Configuration
7.12 Controlling File Versions and Aging
8 Database Configuration
8.1 Converting Database Type
8.2 Database Configuration
9 Mimetypes Management
9.1 Mimetype Aliases
9.2 Mimetype mapping
9.3 Icon retrieval
10 Maintenance
10.1 Maintenance Mode Configuration
10.2 Backing up ownCloud
10.3 How to Upgrade Your ownCloud Server
10.4 Upgrade ownCloud From Packages
10.5 Upgrading ownCloud with the Updater App
10.6 Manual ownCloud Upgrade
10.7 Restoring ownCloud
10.8 Migrating to a Different Server
11 Issues and Troubleshooting
11.1 General Troubleshooting
11.2 Code Signing
12 Enterprise Edition Only
12.1 Enterprise Edition Installation
12.2 Creating Branded ownCloud Clients (Enterprise only)
12.3 Enterprise Server Branding (Enterprise only)
12.4 External Storage (Enterprise only)
12.5 User Management (Enterprise only)
12.6 Enterprise File Management (Enterprise Only)
12.7 Enterprise Logging Apps (Enterprise only)
12.8 Enterprise Firewall (Enterprise only)
12.9 Enterprise Troubleshooting
CHAPTER ONE
OWNCLOUD 9.0 SERVER ADMINISTRATION MANUAL INTRODUCTION
1.1 Introduction
Welcome to the ownCloud Server Administration Guide. This guide describes administration tasks for ownCloud, the
flexible open source file synchronization and sharing solution. ownCloud includes the ownCloud server, which runs
on Linux, client applications for Microsoft Windows, Mac OS X and Linux, and mobile clients for the Android and
Apple iOS operating systems.
Current editions of ownCloud manuals are always available online at doc.owncloud.org and doc.owncloud.com.
ownCloud server is available in three editions:
• The free community-supported Server. This is the core server for all editions.
• The Standard Subscription for customers who want paid support for the core Server, without Enterprise applications.
• The Enterprise Subscription provides paid support for the Enterprise Edition. This includes the core Server and Enterprise apps.
See What’s New for Admins in ownCloud 9.0 for more information on the different ownCloud editions.
1.2 ownCloud Videos and Blogs
See the official ownCloud channel and ownClouders community channel on YouTube for tutorials, overviews, and
conference videos.
Visit ownCloud Planet for news and developer blogs.
1.3 Target Audience
This guide is for users who want to install, administer, and optimize their ownCloud servers. To learn more about the
ownCloud Web user interface, and desktop and mobile clients, please refer to their respective manuals:
• ownCloud User Manual
• ownCloud Desktop Client
• ownCloud Android App
• ownCloud iOS App
ownCloud Server Administration Manual, Release 9.0
CHAPTER TWO
OWNCLOUD 9.0 RELEASE NOTES
2.1 Changes in 9.0.11
Dear ownCloud administrator, please find below the changes and known issues in ownCloud Server 9.0.11 that need
your attention:
The full ownCloud Server 9.0.11 changelog can be found here: https://owncloud.org/changelog/#latest9.0
Added “occ files:scan” repair mode to repair filecache inconsistencies. We recommend using this command when directed to do so in the upgrade process. Please check the ownCloud documentation for more information (https://doc.owncloud.com/server/10.0/admin_manual/configuration/server/occ_command.html?highlight=occ#the-repair-option).
2.2 Changes in 9.0
9.0 requires .ico files for favicons. This will change in 9.1, which will use .svg files. See Changing favicon in the
Developer Manual.
Home folder rule is enforced in the user_ldap application in new ownCloud installations; see User Authentication with
LDAP. This affects ownCloud 8.0.10, 8.1.5 and 8.2.0 and up.
The Calendar and Contacts apps have been rewritten and the CalDAV and CardDAV backends of these apps were merged into ownCloud core. During the upgrade existing Calendars and Addressbooks are automatically migrated (except when using the IMAP user backend). As a fallback for failed upgrades, when using the IMAP user backend, or as an option to test a migration, the dav:migrate-calendars and/or dav:migrate-addressbooks scripts are available (only in oC 9.0) via the occ command. See Using the occ Command.
Warning: After upgrading to ownCloud 9.0 and before continuing to upgrade to 9.1, make sure that all of your and your users’ Calendars and Addressbooks are migrated correctly. Especially when using the IMAP user backend (other user backends might also be affected), you need to manually run the occ migration commands described above.
Updates on systems with large datasets will take longer, due to the addition of checksums to the oC database. See
https://github.com/owncloud/core/issues/22747.
Linux packages are available from our official download repository. New in 9.0: split packages. owncloud installs
ownCloud plus dependencies, including Apache and PHP. owncloud-files installs only ownCloud. This is useful
for custom LAMP stacks, and allows you to install your own LAMP apps and versions without packaging conflicts
with ownCloud. See Preferred Linux Installation Method.
New option for the ownCloud admin to enable or disable sharing on individual external mountpoints (see Mount
Options). Sharing on such mountpoints is disabled by default.
2.3 Enterprise 9.0
owncloud-enterprise packages are no longer available for CentOS6, RHEL6, Debian7, or any version of
Fedora. A new package, owncloud-enterprise-files, is available for all supported platforms. This new
package comes without dependencies, and is installable on a larger number of platforms. System administrators
on these older distros must install their own LAMP stacks and databases. On newer supported distros, install
owncloud-enterprise as usual. See Installing & Upgrading ownCloud Enterprise Edition.
2.4 Changes in 8.2
New location for Linux package repositories; ownCloud admins must manually change to the new repos. See How to Upgrade Your ownCloud Server.
PHP 5.6.11+ breaks the LDAP wizard with a ‘Could not connect to LDAP’ error. See
https://github.com/owncloud/core/issues/20020.
filesystem_check_changes in config.php is set to 0 by default. This prevents unnecessary update checks
and improves performance. If you are using external storage mounts such as NFS on a remote storage server, set this
to 1 so that ownCloud will detect remote file changes.
XSendFile support has been removed, so there is no longer support for serving static files from your ownCloud server.
LDAP issue: 8.2 uses the memberof attribute by default. If this is not activated on your LDAP server your user groups
will not be detected, and you will see this message in your ownCloud log: Error PHP Array to string
conversion at /var/www/html/owncloud/lib/private/template/functions.php#36. Fix
this by disabling the memberof attribute on your ownCloud server with the occ command, like this example on
Ubuntu Linux:
sudo -u www-data php occ ldap:set-config "s01" useMemberOfToDetectMembership 0
Run sudo -u www-data php occ ldap:show-config to find the correct sNN value; if there is not one
then use empty quotes, "". (See Using the occ Command.)
Users of the Linux Package need to update their repository setup as described in this blogpost.
2.5 Changes in 8.1
Use APCu only if available in version 4.0.6 and higher. If you install an older version, you will see an “APCu below version 4.0.6 is installed, for stability and performance reasons we recommend to update to a newer APCu version” warning on your ownCloud admin page.
SMB external storage is now based on php5-libsmbclient, which must be downloaded from the ownCloud software repositories (installation instructions).
“Download from link” feature has been removed.
The .htaccess and index.html files in the data/ directory are now updated after every update. If you make
any modifications to these files they will be lost after updates.
The SabreDAV browser at /remote.php/webdav has been removed.
Using ownCloud without a trusted_domain configuration will not work anymore.
The logging format for failed logins has changed and now takes the proxy configuration in config.php into account.
A default set of security and privacy HTTP headers has been added to the ownCloud .htaccess file, and ownCloud administrators may now customize which headers are sent.
More strict SSL certificate checking improves security but can result in “cURL error 60: SSL certificate problem:
unable to get local issuer certificate” errors with certain broken PHP versions. Please verify your SSL setup, update
your PHP or contact your vendor if you receive these errors.
The persistent file-based cache (e.g. used by LDAP integration) has been dropped and replaced with a memory-only
cache, which must be explicitly configured. See User Authentication with LDAP. Memory cache configuration for
the ownCloud server is no longer automatic, requiring installation of your desired cache backend and configuration in
config.php (see Configuring Memory Caching.)
The OC_User_HTTP backend has been removed. Administrators are encouraged to use the user_webdavauth
application instead.
ownCloud now ships with its own root certificate bundle derived from Mozilla’s root certificates file. The system root certificate bundle will not be used anymore for most requests.
When you upgrade from ownCloud 8.0, with encryption enabled, to 8.1, you must enable the new encryption backend
and migrate your encryption keys. See Encryption migration to ownCloud 8.0.
Encryption can no longer be disabled in ownCloud 8.1. It is planned to re-add this feature to the command line client
for a future release.
It is not recommended to upgrade encryption-enabled systems from ownCloud Server 8.0 to version 8.1.0 as there is a
chance the migration will break. We recommend migrating to the first bugfix release, ownCloud Server 8.1.1.
Due to various technical issues, by default desktop sync clients older than 1.7 are not allowed to connect and sync
with the ownCloud server. This is configurable via the minimum.supported.desktop.version switch in
config.php.
Previews are now generated at a maximum size of 2048 x 2048 pixels. This is configurable via the preview_max_x
and preview_max_y switches in config.php.
The ownCloud 8 server is not supported on any version of Windows.
The 8.1.0 release has a minor bug which makes app updates fail at first try. Reload the apps page and try again, and
the update will succeed.
The forcessl option in config.php and the Enforce SSL option in the Admin-Backend were removed. This now needs to be configured as described in Use HTTPS.
WebDAV file locking was removed in oC 8.1 which causes Finder on Mac OS X to mount WebDAV read-only.
2.6 Enterprise 8.1 Only
The SharePoint Drive app does not verify the SSL certificate of the SharePoint server or the ownCloud server, as it is
expected that both devices are in the same trusted environment.
2.7 ownCloud 8.0
2.7.1 Manual LDAP Port Configuration
When you are configuring the LDAP user and group backend application, ownCloud may not auto-detect the LDAP
server’s port number, so you will need to enter it manually.
2.7.2 No Preview Icon on Text Files
There is no preview icon displayed for text files when the file contains fewer than six characters.
2.7.3 Remote Federated Cloud Share Cannot be Reshared With Local Users
When you mount a Federated Cloud share from a remote ownCloud server, you cannot re-share it with your local
ownCloud users. (See Configuring Federation Sharing to learn more about federated cloud sharing.)
2.7.4 Manually Migrate Encryption Keys after Upgrade
If you are using the Encryption app and upgrading from older versions of ownCloud to ownCloud 8.0, you must
manually migrate your encryption keys. See Encryption migration to ownCloud 8.0.
2.7.5 Windows Server Not Supported
Windows Server is not supported in ownCloud 8.
2.7.6 PHP 5.3 Support Dropped
PHP 5.3 is not supported in ownCloud 8, and PHP 5.4 or better is required.
2.7.7 Disable Apache Multiviews
If Multiviews are enabled in your Apache configuration, this may cause problems with content negotiation, so disable
Multiviews by removing it from your Apache configuration. Look for lines like this:
<Directory /var/www/owncloud>
Options Indexes FollowSymLinks Multiviews
Delete Multiviews and restart Apache.
2.7.8 ownCloud Does Not Follow Symlinks
ownCloud’s file scanner does not follow symlinks, because following them could lead to infinite loops. To avoid problems, do not use soft or hard links in your ownCloud data directory.
2.7.9 No Commas in Group Names
Creating an ownCloud group with a comma in the group name causes ownCloud to treat the group as two groups.
2.7.10 Hebrew File Names Too Large on Windows
On Windows servers Hebrew file names grow to five times their original size after being translated to Unicode.
2.7.11 Google Drive Large Files Fail with 500 Error
Google Drive tries to download the entire file into memory, then write it to a temp file, and then stream it to the client,
so very large file downloads from Google Drive may fail with a 500 internal server error.
2.7.12 Encrypting Large Numbers of Files
When you activate the Encryption app on a running server that has large numbers of files, it is possible that you will
experience timeouts. It is best to activate encryption at installation, before accumulating large numbers of files on your
ownCloud server.
2.8 Enterprise 8.0 Only
2.8.1 Sharepoint Drive SSL Not Verified
The SharePoint Drive app does not verify the SSL certificate of the SharePoint server or the ownCloud server, as it is
expected that both devices are in the same trusted environment.
2.8.2 No Federated Cloud Sharing with Shibboleth
Federated Cloud Sharing (formerly Server-to-Server file sharing) does not work with Shibboleth.
2.8.3 Direct Uploads to SWIFT do not Appear in ownCloud
When files are uploaded directly to a SWIFT share mounted as external storage in ownCloud, the files do not appear
in ownCloud. However, files uploaded to the SWIFT mount through ownCloud are listed correctly in both locations.
2.8.4 SWIFT Objectstore Incompatible with Encryption App
The current SWIFT implementation is incompatible with any app that uses direct file I/O and circumvents the ownCloud virtual filesystem. Using the Encryption app on a SWIFT object store incurs twice as many HTTP requests and increases latency significantly.
2.8.5 App Store is Back
The ownCloud App Store has been re-enabled in oC 8. Note that third-party apps are not supported.
2.9 ownCloud 7 Release Notes
2.9.1 Manual LDAP Port Configuration
When you are configuring the LDAP user and group backend application, ownCloud may not auto-detect the LDAP
server’s port number, so you will need to enter it manually.
2.9.2 LDAP Search Performance Improved
Prior to 7.0.4, LDAP searches were substring-based and would match search attributes if the substring occurred anywhere in the attribute value. With 7.0.4, searches match at the beginning of the attribute value only. This provides better performance and a better user experience.
Substring searches can still be performed by prepending the search term with “*”. For example, a search for te will find Terri, but not Nate:
occ ldap:search "te"
If you want to broaden the search to include Nate, then search for *te:
occ ldap:search "*te"
Refine searches by adjusting the User Search Attributes field of the Advanced tab in your LDAP configuration on the Admin page. For example, if your search attributes are givenName and sn you can find users by first name + last name very quickly: you’ll find Terri Hanson by searching for te ha. Trailing whitespaces are ignored.
2.9.3 Protecting ownCloud on IIS from Data Loss
Under certain circumstances, an ownCloud server running on IIS could be at risk of data loss. To prevent this, follow these steps.
• In your ownCloud server configuration file, owncloud\config\config.php, set config_is_read_only to true.
• Set the config.php file to read-only.
• When you make server updates, config.php must be made writeable. When your updates are completed, re-set it to read-only.
2.9.4 Antivirus App Modes
The Antivirus App offers three modes for running the ClamAV anti-virus scanner: as a daemon on the ownCloud
server, a daemon on a remote server, or an executable mode that calls clamscan on the local server. We recommend
using one of the daemon modes, as they are the most reliable.
2.9.5 “Enable Only for Specific Groups” Fails
Some ownCloud applications have the option to be enabled only for certain groups. However, when you select specific
groups they do not get access to the app.
2.9.6 Changes to File Previews
For security and performance reasons, file previews are available only for image files, covers of MP3 files, and text
files, and have been disabled for all other filetypes. Files without previews are represented by generic icons according
to their file types.
2.9.7 4GB Limit on SFTP Transfers
Because of limitations in phpseclib, you cannot upload files larger than 4GB over SFTP.
2.9.8 “Not Enough Space Available” on File Upload
Setting user quotas to unlimited on an ownCloud installation that has unreliable free disk space reporting (for example, on a shared hosting provider) may cause file uploads to fail with a “Not Enough Space Available” error. A workaround is to set file quotas for all users instead of unlimited.
2.9.9 No More Expiration Date On Local Shares
In older versions of ownCloud, you could set an expiration date on both local and public shares. Now you can set an
expiration date only on public shares, and local shares do not expire when public shares expire.
2.9.10 Zero Quota Not Read-Only
Setting a user’s storage quota to zero should be the equivalent of read-only; however, users can still create empty files.
2.10 Enterprise 7 Only
2.10.1 No Federated Cloud Sharing with Shibboleth
Federated Cloud Sharing (formerly Server-to-Server file sharing) does not work with Shibboleth.
2.10.2 Windows Network Drive
Windows Network Drive runs only on Linux servers because it requires the Samba client, which is included in all
Linux distributions.
php5-libsmbclient is also required, and there may be issues with older versions of libsmbclient; see Using
External Storage > Installing and Configuring the Windows Network Drive App in the Enterprise Admin manual for
more information.
By default CentOS has SELinux activated, and the httpd process cannot make outgoing network connections.
This will cause problems with curl, ldap and samba libraries. Again, see Using External Storage > Installing and
Configuring the Windows Network Drive App in the Enterprise Admin manual for instructions.
2.10.3 Sharepoint Drive SSL
The SharePoint Drive app does not verify the SSL certificate of the SharePoint server or the ownCloud server, as it is
expected that both devices are in the same trusted environment.
2.10.4 Shibboleth and WebDAV Incompatible
Shibboleth and standard WebDAV are incompatible, and cannot be used together in ownCloud. If Shibboleth is
enabled, the ownCloud client uses an extended WebDAV protocol.
2.10.5 No SQLite
SQLite is no longer an installation option for ownCloud Enterprise Edition, as it is not suitable for multiple-user installations or managing large numbers of files.
2.10.6 No App Store
The App Store is disabled for the Enterprise Edition.
2.10.7 LDAP Home Connector Linux Only
The LDAP Home Connector application requires Linux (with MySQL, MariaDB, or PostgreSQL) to operate correctly.
CHAPTER THREE
WHAT’S NEW FOR ADMINS IN OWNCLOUD 9.0
See the ownCloud 9.0 Features page on Github for a comprehensive list of new features and updates.
ownCloud has many improvements. Some of our new features are:
• Split Linux packaging, dividing ownCloud and dependencies into two separate packages (Preferred Linux Installation Method)
• Separate encryption for home storage and remote storage; you may encrypt remote storage without encrypting local storage. (Encryption Configuration)
• New command to transfer files from one user to another. (Transferring Files to Another User)
• Streamlined Federation sharing with user and group name auto-fill. See (Creating a new Federation Share (9.0+ only))
• Configurable password reset URL. See (Resetting a User Password)
• Command-line options added to the Updater app. (Upgrading ownCloud with the Updater App)
• Many new occ commands. (Using the occ Command)
• Admin option to enable and disable sharing on external storage mountpoints. (Mount Options)
• New occ commands for migrating contacts and calendars from 8.2, if auto-migration during upgrade fails, and new commands for creating addressbooks and calendars (Dav Commands)
• New optional second name attribute in the LDAP app, so that user names appear as User Foo (optional 2nd attribute) (Directory Settings)
3.1 Enterprise Only
• Advanced tagging management with the Workflow app. (Advanced File Tagging With the Workflow App (Enterprise only))
• Advanced authentication backends. (Enterprise-Only Authentication Options)
• Password policy app for share links, for setting password requirements such as minimum length and required characters. (Share Link Password Policy)
CHAPTER FOUR
INSTALLATION
4.1 System Requirements
4.1.1 Memory
Memory requirements for running an ownCloud server are greatly variable, depending on the numbers of users and
files, and volume of server activity. ownCloud needs a minimum of 128MB RAM, and we recommend a minimum of
512MB.
4.1.2 Recommended Setup for Running ownCloud
For best performance, stability, support, and full functionality we officially recommend and support:
• Ubuntu 16.04
• MySQL/MariaDB
• PHP 7.0
• Apache 2.4 with mod_php
4.1.3 Supported Platforms
If you are not able to use one or more of the above tools, the following options are also supported.
Server
• Debian 7 and 8
• SUSE Linux Enterprise Server 12 and 12 SP1
• Red Hat Enterprise Linux/CentOS 6.5 and 7 (7 is 64-bit only)
• Ubuntu 14.04 LTS
Web Server
• Apache 2.4 with mod_php
Databases
• Oracle 11g (Enterprise edition only)
• PostgreSQL
Hypervisors
• Hyper-V
• VMware ESX
• Xen
• KVM
Desktop
• Windows 7+
• Mac OS X 10.7+ (64-bit only)
• Ubuntu 16.10
• Ubuntu 16.04
• Ubuntu 14.04
• Debian 7.0
• Debian 8.0
• CentOS 7
• Fedora 24
• Fedora 25
• openSUSE Leap 42.1
• openSUSE Leap 42.2
Note: For Linux distributions, we support, if technically feasible, the latest 2 versions per platform and the previous LTS.
Mobile
• iOS 9.0+
• Android 4.0+
Web Browser
• IE11+ (except Compatibility Mode)
• Firefox 14+
• Chrome 18+
• Safari 5+
See Manual Installation on Linux for minimum software versions for installing ownCloud.
4.1.4 Database Requirements for MySQL / MariaDB
The following is currently required if you’re running ownCloud together with a MySQL / MariaDB database:
• Binary Logging disabled, or configured with BINLOG_FORMAT = MIXED (See: MySQL / MariaDB with Binary Logging Enabled)
• InnoDB storage engine (MyISAM is not supported, see: MySQL / MariaDB storage engine)
• “READ COMMITTED” transaction isolation level (See: MySQL / MariaDB “READ COMMITTED” transaction isolation level)
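The three requirements above can be checked mechanically before an installation or upgrade. The following is an added example, not part of the ownCloud manual or code base: a POSIX shell function that evaluates variable and engine listings from the database server. The function name, the schema name owncloud, and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the MySQL/MariaDB requirements listed above.
#
# Input on stdin, tab-separated, one record per line:
#   <variable>\t<value>            e.g. from
#       mysql -N -B -e "SHOW GLOBAL VARIABLES WHERE Variable_name IN
#                       ('log_bin','binlog_format','tx_isolation')"
#   engine\t<schema.table>\t<ENGINE>   e.g. from
#       mysql -N -B -e "SELECT 'engine', CONCAT(table_schema,'.',table_name), engine
#                       FROM information_schema.tables
#                       WHERE table_schema='owncloud'"   # schema name is an assumption
#
# Prints one FAIL line per violated requirement, or OK.
# Returns 0 when all requirements hold, 1 otherwise.
check_owncloud_db() {
    awk -F '\t' '
        $1 == "log_bin"       { log_bin = toupper($2) }
        $1 == "binlog_format" { fmt = toupper($2) }
        # Newer servers report transaction_isolation instead of tx_isolation.
        $1 == "tx_isolation" || $1 == "transaction_isolation" { iso = toupper($2) }
        $1 == "engine" && toupper($3) != "INNODB" {
            printf "FAIL engine: %s uses %s, InnoDB required\n", $2, $3
            bad++
        }
        END {
            if (log_bin == "") {
                print "FAIL binlog: log_bin not reported"
                bad++
            } else if (log_bin != "OFF" && fmt != "MIXED") {
                printf "FAIL binlog: log_bin=%s with binlog_format=%s (need MIXED or logging off)\n", log_bin, fmt
                bad++
            }
            if (iso != "READ-COMMITTED") {
                printf "FAIL isolation: %s (need READ-COMMITTED)\n", (iso == "" ? "not reported" : iso)
                bad++
            }
            if (bad == 0) print "OK"
            exit (bad > 0)
        }'
}

# Constructed sample input: a server that meets all three requirements.
sample_good() {
    printf 'log_bin\tON\nbinlog_format\tMIXED\ntx_isolation\tREAD-COMMITTED\n'
    printf 'engine\towncloud.oc_filecache\tInnoDB\n'
}

# Constructed sample input: statement-based binlog, default isolation level,
# and one MyISAM table.
sample_bad() {
    printf 'log_bin\tON\nbinlog_format\tSTATEMENT\ntx_isolation\tREPEATABLE-READ\n'
    printf 'engine\towncloud.oc_filecache\tInnoDB\n'
    printf 'engine\towncloud.oc_share\tMyISAM\n'
}

# Demonstration on the constructed samples.
sample_good | check_owncloud_db || true
sample_bad  | check_owncloud_db || true
```

To use it against a live server, pipe the output of the two mysql commands shown in the header comment into check_owncloud_db.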
4.2 ownCloud Deployment Recommendations
What is the best way to install and maintain ownCloud? The answer to that is “it depends” because every ownCloud
customer has their own particular needs and IT infrastructure. ownCloud and the LAMP stack are highly-configurable,
so we will present three typical scenarios and make best-practice recommendations for both software and hardware.
4.2.1 General Recommendations
Note: Whatever the size of your organization, always keep one thing in mind: the amount of data stored in ownCloud
will only grow. Plan ahead.
Consider setting up a scale-out deployment, or using Federated Cloud Sharing to keep individual ownCloud instances
to a manageable size.
• Operating system: Linux.
• Web server: Apache 2.4.
• Database: MySQL/MariaDB.
• PHP 5.5+. PHP 5.4 is the minimum supported version; note that it reached end-of-life in September 2015 and is no longer supported by the PHP team. Some Linux vendors, such as Red Hat, still support PHP 5.4. PHP 5.6+ is recommended. mod_php is the recommended Apache module because it provides the best performance.
4.2.2 Small Workgroups or Departments
Number of users Up to 150 users.
Storage size 100 GB to 10TB.
High availability level Zero-downtime backups via Btrfs snapshots, component failure leads to interruption of
service. Alternate backup scheme on other filesystems: nightly backups with service interruption.
Recommended System Requirements
One machine running the application server, Web server, database server and local storage.
Authentication via an existing LDAP or Active Directory server.
Components One server with at least 2 CPU cores, 16GB RAM, local storage as needed.
Operating system Enterprise-grade Linux distribution with full support from OS vendor. We recommend Red
Hat Enterprise Linux or SUSE Linux Enterprise Server 12.
SSL Configuration The SSL termination is done in Apache. A standard SSL certificate is needed, installed
according to the Apache documentation.
Load Balancer None.
Database MySQL, MariaDB or PostgreSQL. We currently recommend MySQL / MariaDB, as our customers
have had good experiences when moving to a Galera cluster to scale the DB.
Backup Install ownCloud, the ownCloud data directory and the database on a Btrfs filesystem. Make regular snapshots
at desired intervals for zero-downtime backups. Mount DB partitions with the “nodatacow” option to
prevent fragmentation.
Alternatively, make nightly backups with service interruption:
1. Shut down Apache.
2. Create database dump.
3. Push data directory to backup.
4. Push database dump to backup.
5. Start Apache.
Then optionally rsync to a backup storage or tape backup. (See the Maintenance section of the Administration
manual for tips on backups and restores.)
Authentication User authentication via one or several LDAP or Active Directory servers. (See User Authentication
with LDAP for information on configuring ownCloud to use LDAP and AD.)
Session Management Local session management on the application server. PHP sessions are stored
in a tmpfs mounted at the operating system-specific session storage location. You can find
out where that is by running grep -R 'session.save_path' /etc/php5 and then add it
to the /etc/fstab file, for example:
echo "tmpfs /var/lib/php5/pool-www tmpfs defaults,noatime,mode=1777 0 0" >> /etc/fstab
Memory Caching A memcache speeds up server performance, and ownCloud supports four memcaches; refer
to Configuring Memory Caching for information on selecting and configuring a memcache.
Storage Local storage.
ownCloud Edition Standard Edition. (See ownCloud Server or Enterprise Edition for comparisons of the
ownCloud editions.)
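The nightly backup with service interruption described under Backup above, written as a script that restarts Apache even when the dump or a push fails. This is an added example, not part of the ownCloud manual; the service name, paths, database name, MySQL option file and rsync target are all assumptions to adapt.

```bash
#!/bin/bash
# Added example (not from the ownCloud manual): nightly backup with service
# interruption. Every default below is an assumption; adjust to your system.

OC_DATA="${OC_DATA:-/var/www/owncloud/data}"    # ownCloud data directory
OC_DB="${OC_DB:-owncloud}"                      # database name
DB_CNF="${DB_CNF:-/root/.oc-backup.cnf}"        # MySQL option file, mode 0600, with
                                                # [client] user and password, so the
                                                # password never shows up in ps output
DUMP_DIR="${DUMP_DIR:-/var/backups/owncloud}"   # local staging directory for the dump
BACKUP_DEST="${BACKUP_DEST:-backup.example.com:/srv/oc-backup}"  # rsync target
APACHE_SERVICE="${APACHE_SERVICE:-apache2}"     # "httpd" on RHEL/CentOS

# Returns 0 on success, 1 if the dump or a push failed (Apache is still
# restarted), 2 if Apache could not be stopped or started.
nightly_backup() {
    dump="$DUMP_DIR/owncloud-$(date +%Y%m%d).sql"

    # 1. Shut down Apache so neither files nor database change during the copy.
    service "$APACHE_SERVICE" stop || return 2

    # 2. Create database dump (the umask keeps it unreadable for other users).
    # 3. Push data directory to backup.
    # 4. Push database dump to backup.
    if ( umask 077
         mysqldump --defaults-extra-file="$DB_CNF" --single-transaction \
             "$OC_DB" > "$dump" ) \
        && rsync -a "$OC_DATA/" "$BACKUP_DEST/data/" \
        && rsync -a "$dump" "$BACKUP_DEST/db/"
    then
        rc=0
    else
        rc=1
    fi

    # 5. Start Apache, whatever happened above.
    service "$APACHE_SERVICE" start || rc=2
    return "$rc"
}

# Run only when asked to, e.g. from root's crontab: oc-backup.sh --run
if [ "${1:-}" = "--run" ]; then
    nightly_backup
fi
```

A non-zero exit status from cron should raise an alert: status 1 means the service is back but last night's backup is missing or incomplete.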
4.2.3 Mid-sized Enterprises
Number of users 150 to 1,000 users.
Storage size Up to 200TB.
High availability level Every component is fully redundant and can fail without service interruption. Backups
without service interruption.
Recommended System Requirements
2 to 4 application servers.
A cluster of two database servers.
Storage on an NFS server.
Authentication via an existing LDAP or Active Directory server.
Components
2 to 4 application servers with 4 sockets and 32GB RAM.
2 DB servers with 4 sockets and 64GB RAM.
1 HAproxy load balancer with 2 sockets and 16GB RAM.
NFS storage server as needed.
Operating system Enterprise-grade Linux distribution with full support from OS vendor. Red Hat Enterprise
Linux or SUSE Linux Enterprise Server 12 are recommended.
SSL Configuration The SSL termination is done in the HAProxy load balancer. A standard SSL certificate is
needed, installed according to the HAProxy documentation.
Load Balancer HAProxy running on a dedicated server in front of the application servers. Sticky session needs
to be used because of local session management on the application servers.
Database MySQL/MariaDB Galera cluster with master-master replication.
Backup Minimum daily backup without downtime. All MySQL/MariaDB statements should be replicated to a
backup MySQL/MariaDB slave instance.
1. Create a snapshot on the NFS storage server.
2. At the same time stop the MySQL replication.
3. Create a MySQL dump of the backup slave.
4. Push the NFS snapshot to the backup.
5. Push the MySQL dump to the backup.
6. Delete the NFS snapshot.
7. Restart MySQL replication.
Authentication User authentication via one or several LDAP or Active Directory servers. (See User Authentication
with LDAP for information on configuring ownCloud to use LDAP and AD.)
LDAP Read-only slaves should be deployed on every application server for optimal scalability.
Session Management Session management on the application server. PHP sessions are stored in
a tmpfs mounted at the operating system-specific session storage location. You can find out
where that is by running grep -R 'session.save_path' /etc/php5 and then add it
to the /etc/fstab file, for example:
echo "tmpfs /var/lib/php5/pool-www tmpfs defaults,noatime,mode=1777 0 0" >> /etc/fstab
Memory Caching A memcache speeds up server performance, and ownCloud supports four memcaches; refer
to Configuring Memory Caching for information on selecting and configuring a memcache.
Storage Use an off-the-shelf NFS solution, such as IBM Elastic Storage or RedHat Ceph.
ownCloud Edition Enterprise Edition. (See ownCloud Server or Enterprise Edition for comparisons of the
ownCloud editions.)
4.2.4 Large Enterprises and Service Providers
Number of users 5,000 to >100,000 users.
Storage size Up to 1 petabyte.
High availability level Every component is fully redundant and can fail without service interruption. Backups
without service interruption.
Recommended System Requirements
4 to 20 application/Web servers.
A cluster of two or more database servers.
Storage is an NFS server, or an object store that is S3 compatible.
Cloud federation for a distributed setup over several data centers.
Authentication via an existing LDAP or Active Directory server, or SAML.
Components
4 to 20 application servers with 4 sockets and 64GB RAM.
4 DB servers with 4 sockets and 128GB RAM.
2 hardware load balancers, for example BIG-IP from F5.
NFS storage server as needed.
Operating system RHEL 7 with latest service packs.
SSL Configuration The SSL termination is done in the load balancer. A standard SSL certificate is needed,
installed according to the load balancer documentation.
Load Balancer A redundant hardware load-balancer with heartbeat, for example F5 Big-IP. This runs two load
balancers in front of the application servers.
Database MySQL/MariaDB Galera Cluster with 4x master – master replication.
Backup Minimum daily backup without downtime. All MySQL/MariaDB statements should be replicated to a
backup MySQL/MariaDB slave instance.
1. Create a snapshot on the NFS storage server.
2. At the same time stop the MySQL replication.
3. Create a MySQL dump of the backup slave.
4. Push the NFS snapshot to the backup.
5. Push the MySQL dump to the backup.
6. Delete the NFS snapshot.
7. Restart MySQL replication.
Authentication User authentication via one or several LDAP or Active Directory servers, or SAML/Shibboleth.
(See User Authentication with LDAP and Shibboleth Integration.)
LDAP Read-only slaves should be deployed on every application server for optimal scalability.
Session Management Redis should be used for the session management storage.
Caching Redis for distributed in-memory caching (see Configuring Memory Caching).
Storage An off-the-shelf NFS solution should be used. Examples are IBM Elastic Storage or Red Hat Ceph.
Optionally, an S3 compatible object store can also be used.
ownCloud Edition Enterprise Edition. (See ownCloud Server or Enterprise Edition for comparisons of the
ownCloud editions.)
4.2.5 Hardware Considerations
Solid-state drives (SSDs) for I/O.
Separate hard disks for storage and database, SSDs for databases.
Multiple network interfaces to distribute server synchronisation and backend traffic across multiple subnets.
Single Machine / Scale-Up Deployment
The single-machine deployment is widely used in the community.
Pros:
Easy setup: no session storage daemon, use tmpfs and memory caching to enhance performance, local storage.
No network latency to consider.
To scale buy a bigger CPU, more memory, larger hard drive, or additional hard drives.
Cons:
Fewer high availability options.
The amount of data in ownCloud tends to continually grow. Eventually a single machine will not scale; I/O
performance decreases and becomes a bottleneck with multiple up- and downloads, even with solid-state drives.
Scale-Out Deployment
Provider setup:
DNS round robin to HAProxy servers (2-n, SSL offloading, cache static resources)
Least load to Apache servers (2-n)
Memcached/Redis for shared session storage (2-n)
Database cluster with single Master, multiple slaves and proxy to split requests accordingly (2-n)
GPFS or Ceph via phprados (2-n, 3 to be safe, Ceph 10+ nodes to see speed benefits under load)
Pros:
Components can be scaled as needed.
High availability.
Test migrations easier.
Cons:
More complicated to set up.
Network becomes the bottleneck (10GB Ethernet recommended).
Currently DB filecache table will grow rapidly, making migrations painful in case the table is altered.
What About Nginx / PHP-FPM?
Nginx could be used instead of HAProxy as the load balancer, but on uploads it stores the whole file on disk before
handing it over to PHP-FPM.
A Single Master DB is Single Point of Failure, Does Not Scale
When the master fails, a slave can become master. However, the increased complexity carries some risks: multi-master
has the risk of split brain and deadlocks. ownCloud tries to solve the problem of deadlocks with high-level file
locking.
4.2.6 Software Considerations
Operating System
We are dependent on distributions that offer an easy way to install the various components in up-to-date versions.
ownCloud has a partnership with RedHat and SUSE for customers who need commercial support. Canonical, the
parent company of Ubuntu Linux, also offers enterprise service and support. Debian and Ubuntu are free of cost,
and include newer software packages. CentOS is the community-supported free-of-cost Red Hat Enterprise Linux
clone. openSUSE is community-supported, and includes many of the same system administration tools as SUSE
Linux Enterprise Server.
Web server
Taking Apache and Nginx as the contenders, Apache with mod_php is currently the best option, as Nginx does not
support all features necessary for enterprise deployments. Mod_php is recommended instead of PHP_FPM, because
in scale-out deployments separate PHP pools are simply not necessary.
Relational Database
More often than not the customer already has an opinion on what database to use. In general, the recommendation is
to use what their database administrator is most familiar with. Taking into account what we are seeing at customer
deployments, we recommend MySQL/MariaDB in a master-slave deployment with a MySQL proxy in front of them
to send updates to master, and selects to the slave(s).
The second best option is PostgreSQL (alter table does not lock table, which makes migration less painful) although
we have yet to find a customer who uses a master-slave setup.
What about the other DBMS?
Sqlite is adequate for simple testing, and for low-load single-user deployments. It is not adequate for production
systems.
Microsoft SQL Server is not a supported option.
Oracle DB is the de facto standard at large enterprises and is fully supported with ownCloud Enterprise Edition
only.
4.2.7 File Storage
While many customers are starting with NFS, sooner or later that requires scale-out storage. Currently the options are
GPFS or GlusterFS, or an object store protocol like S3 (supported in Enterprise Edition only) or Swift. S3 also allows
access to Ceph Storage.
4.2.8 Session Storage
Redis: provides persistence, nice graphical inspection tools available, supports ownCloud high-level file locking.
If Shibboleth is a requirement you must use Memcached, and it can also be used to scale-out shibd session
storage (see Memcache StorageService).
4.2.9 References
Database High Availability
Performance enhancements for Apache and PHP
How to Set Up a Redis Server as a Session Handler for PHP on Ubuntu 14.04
4.3 Preferred Linux Installation Method
For production environments, we recommend the installation from the tar archive. This applies in particular to
scenarios where the Web server, storage and database are on separate machines. In this constellation, all dependencies
and requirements are managed by the package management of your operating system, while the ownCloud code itself is
maintained in a sequence of simple steps as documented in our instructions for the Manual Installation on Linux and
the Manual ownCloud Upgrade.
The package installation is for single-server setups only.
4.3.1 Changes in ownCloud 9
Linux distribution packages (from Open Build Service) have been divided into multiple packages for ownCloud 9:
owncloud, owncloud-deps and owncloud-files.
Install the metapackage owncloud to get a complete installation with all dependencies.
The owncloud-files package installs only ownCloud, without Apache, database, or PHP dependencies.
The owncloud-deps packages install all dependencies: Apache, PHP, and MySQL. owncloud-deps is not
intended to be installed by itself, but rather is pulled in by the metapackage owncloud.
owncloud-files is available for the following distributions, but not owncloud-deps.
You will have to install your own LAMP stack first. This allows you to create your own
custom LAMP stack without dependency conflicts with the ownCloud package. Browse
http://download.owncloud.org/download/repositories/9.1/owncloud/ to find the owncloud-files package
for your distro:
Ubuntu 14.04, 16.04
Debian 7, 8
RHEL 6, 7
CentOS 6 SCL, 7
SLES 12, 12 SP1
openSUSE 13.2, Leap 42.1
ownCloud packages with dependencies are available for the following Linux distributions:
Ubuntu 14.04, 16.04
Debian 8
RHEL 7
CentOS 7
SLES 12
openSUSE 13.2, Leap 42.1
Repositories for Fedora, openSUSE Tumbleweed and Ubuntu 15.04 were dropped. If you use Fedora, use the tar
archive with your own LAMP stack. openSUSE users can rely on LEAP packages for Tumbleweed.
Follow the instructions on the download page to install ownCloud. Then run the Installation Wizard to complete your
installation (see Installation Wizard).
Warning: Do not move the folders provided by these packages after the installation, as this will break updates.
See the System Requirements for the recommended ownCloud setup and supported platforms.
4.3.2 Repos: Stable or Major Release?
You may use either of the following repositories for ownCloud 9.0:
https://download.owncloud.org/download/repositories/stable/owncloud/
https://download.owncloud.org/download/repositories/9.0/owncloud/
When you use the Stable repo, you never have to change it as it always tracks the current stable ownCloud version
through all major releases: 8.2, 9.0, and so on. (Major releases are indicated by the second number, so 8.0, 8.1, 8.2,
and 9.0 were all major releases.)
If you wish to track a specific major release, such as 9.0 or 9.1, then use that repo. That way you won’t accidentally
find yourself looking at an upgrade to the next major release before you’re ready.
4.3.3 Installing ownCloud Enterprise Edition
See Installing & Upgrading ownCloud Enterprise Edition for instructions on installing ownCloud Enterprise edition.
4.3.4 Downgrading Not Supported
Downgrading is not supported and risks corrupting your data! If you want to revert to an older ownCloud version,
install it from scratch and then restore your data from backup. Before doing this, file a support ticket (if you have paid
support) or ask for help in the ownCloud forums to see if your issue can be resolved without downgrading.
4.3.5 BINLOG_FORMAT = STATEMENT
If your ownCloud installation fails and you see this in your ownCloud log:
An unhandled exception has been thrown: exception ‘PDOException’ with message
’SQLSTATE[HY000]: General error: 1665 Cannot execute statement: impossible to
write to binary log since BINLOG_FORMAT = STATEMENT and at least one table
uses a storage engine limited to row-based logging. InnoDB is limited to
row-logging when transaction isolation level is READ COMMITTED or READ
UNCOMMITTED.’
See MySQL / MariaDB with Binary Logging Enabled.
4.3.6 Additional Installation Guides and Notes
See Installation Wizard for important steps such as choosing the best database and setting correct directory
permissions.
See SELinux Configuration for a suggested configuration for SELinux-enabled distributions such as Fedora and
CentOS.
If your distribution is not listed, your Linux distribution may maintain its own ownCloud packages, or you may prefer
to install from source code (see Manual Installation on Linux).
Archlinux: The current stable version is in the official community repository, and more packages are in the Arch User
Repository.
Mageia: The Mageia Wiki has a good page on installing ownCloud from the Mageia software repository.
Running ownCloud in a subdirectory: If you’re running ownCloud in a subdirectory and want to use CalDAV or
CardDAV clients make sure you have configured the correct Service discovery URLs.
Note for MySQL/MariaDB environments: Please refer to MySQL / MariaDB with Binary Logging Enabled on how
to correctly configure your environment if you have binary logging enabled.
4.4 Installation Wizard
4.4.1 Quick Start
When ownCloud prerequisites are fulfilled and all ownCloud files are installed, the last step to completing the
installation is running the Installation Wizard. This is just three steps:
1. Point your Web browser to http://localhost/owncloud
2. Enter your desired administrator’s username and password.
3. Click Finish Setup.
You’re finished and can start using your new ownCloud server.
Of course, there is much more that you can do to set up your ownCloud server for best performance and security. In
the following sections we will cover important installation and post-installation steps. Note that you must follow the
instructions in Setting Strong Permissions in order to use the occ Command.
Data Directory Location
Database Choice
Trusted Domains
Setting Strong Permissions
4.4.2 Data Directory Location
Click Storage and Database to expose additional installation configuration options for your ownCloud data directory
and database.
You should locate your ownCloud data directory outside of your Web root if you are using an HTTP server other than
Apache, or you may wish to store your ownCloud data in a different location for other reasons (e.g. on a storage
server). It is best to configure your data directory location at installation, as it is difficult to move after installation.
You may put it anywhere; in this example it is located in /var/oc_data. This directory must already exist, and
must be owned by your HTTP user (see Setting Strong Directory Permissions).
4.4.3 Database Choice
When installing ownCloud Server & ownCloud Enterprise editions the administrator may choose one of 3 supported
database products.
SQLite
Is the default database for ownCloud Server, but is not available and not supported for the ownCloud Enterprise edition.
SQLite will be installed by the ownCloud packages and all the necessary dependencies will be satisfied. See
Manual Installation on Linux for a detailed listing of required and optional PHP modules.
If you used the packages to install ownCloud, you may “Finish Setup” with no additional steps to configure ownCloud
using the SQLite database for limited use.
Please note that SQLite is good only for testing and lightweight single user setups. There is no client synchronization
support. Therefore, other devices will not be able to synchronize with the data stored in an ownCloud SQLite database.
MYSQL/MariaDB
Is the ownCloud recommended database. See MySQL/MariaDB. It may be used with either ownCloud Server or
ownCloud Enterprise editions.
First, install the recommended MySQL/MariaDB database from its package:
sudo apt-get install mariadb-server
If you have an administrator login that has permissions to create and modify databases, you may choose “Storage
& Database”. Then enter your database administrator name, password and any name you want for your ownCloud
database.
Otherwise, use these steps to create a temporary database administrator account.
sudo mysql --user=root mysql
CREATE USER 'dbadmin'@'localhost' IDENTIFIED BY 'Apassword';
GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
exit
PostgreSQL
Is also supported by ownCloud.
To install PostgreSQL, use the apt-get (or other apt-driving) command: sudo apt-get install
postgresql
You may view more information about the PostgreSQL database system at: http://www.postgresql.org
In order to allow ownCloud access to the database, create a known password for the default user “postgres” added
when the database is installed.
sudo -i -u postgres psql
postgres=# \password
Enter new password:
Enter it again:
postgres=# \q
exit
Oracle11g
Is only supported for the ownCloud Enterprise edition.
Database Setup By ownCloud
Your database and PHP connectors must be installed before you run the Installation Wizard by clicking the “Finish
setup” button.
After you enter your temporary or root administrator login for your database, the installer creates a special database
user with privileges limited to the ownCloud database. Then ownCloud needs only this special ownCloud database
user and drops the temporary or root database login.
This new user is named from your ownCloud admin user, with an oc_ prefix, and then given a random password. The
ownCloud database user and password are written into config.php:
For MySQL/MariaDB:
'dbuser' => 'oc_dbadmin',
'dbpassword' => 'pX65Ty5DrHQkYPE5HRsDvyFHlZZHcm',

For PostgreSQL:
'dbuser' => 'oc_postgres',
'dbpassword' => 'pX65Ty5DrHQkYPE5HRsDvyFHlZZHcm',
Click Finish Setup, and start using your new ownCloud server.
Now we will look at some important post-installation steps.
4.4.4 Trusted Domains
All URLs used to access your ownCloud server must be whitelisted in your config.php file, under the
trusted_domains setting. Users are allowed to log into ownCloud only when they point their browsers to a
URL that is listed in the trusted_domains setting. You may use IP addresses and domain names. A typical
configuration looks like this:
'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'server1.example.com',
    2 => '192.168.1.50',
  ),
The loopback address, 127.0.0.1, is automatically whitelisted, so as long as you have access to the physical server
you can always log in. In the event that a load balancer is in place there will be no issues as long as it sends the correct
X-Forwarded-Host header. When a user tries a URL that is not whitelisted the following error appears:
4.4.5 Setting Strong Directory Permissions
For hardened security and proper server operation, we recommend setting the permissions on your ownCloud directories
as strictly as possible. This should be done immediately after the initial installation and before running the
setup. Your HTTP user must own the config/, data/ and apps/ directories so that you can configure ownCloud,
create, modify and delete your data files, and install apps via the ownCloud Web interface.
You can find your HTTP user in your HTTP server configuration files. Or you can use PHP Version and Information
(Look for the User/Group line).
The HTTP user and group in Debian/Ubuntu is www-data.
The HTTP user and group in Fedora/CentOS is apache.
The HTTP user and group in Arch Linux is http.
The HTTP user in openSUSE is wwwrun, and the HTTP group is www.
Note: When using an NFS mount for the data directory, do not change its ownership from the default. The simple
act of mounting the drive will set proper permissions for ownCloud to write to the directory. Changing ownership as
above could result in some issues if the NFS mount is lost.
The easy way to set the correct permissions is to copy and run this script. Replace the ocpath variable with the path
to your ownCloud directory, and replace the htuser and htgroup variables with your HTTP user and group:
#!/bin/bash
# Set strict ownership and modes on an ownCloud installation (run as root).
ocpath='/var/www/owncloud'
htuser='www-data'
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p "${ocpath}/data"
mkdir -p "${ocpath}/assets"
mkdir -p "${ocpath}/updater"

# Files 0640, directories 0750: no access at all for "other"
printf "chmod Files and Directories\n"
find "${ocpath}/" -type f -print0 | xargs -0 chmod 0640
find "${ocpath}/" -type d -print0 | xargs -0 chmod 0750

# root owns the code; the HTTP user owns only the directories it must write to
printf "chown Directories\n"
chown -R "${rootuser}:${htgroup}" "${ocpath}/"
chown -R "${htuser}:${htgroup}" "${ocpath}/apps/"
chown -R "${htuser}:${htgroup}" "${ocpath}/assets/"
chown -R "${htuser}:${htgroup}" "${ocpath}/config/"
chown -R "${htuser}:${htgroup}" "${ocpath}/data/"
chown -R "${htuser}:${htgroup}" "${ocpath}/themes/"
chown -R "${htuser}:${htgroup}" "${ocpath}/updater/"
chmod +x "${ocpath}/occ"

# Both .htaccess files are owned by root, so the HTTP user cannot change them
printf "chmod/chown .htaccess\n"
if [ -f "${ocpath}/.htaccess" ]
then
  chmod 0644 "${ocpath}/.htaccess"
  chown "${rootuser}:${htgroup}" "${ocpath}/.htaccess"
fi
if [ -f "${ocpath}/data/.htaccess" ]
then
  chmod 0644 "${ocpath}/data/.htaccess"
  chown "${rootuser}:${htgroup}" "${ocpath}/data/.htaccess"
fi
If you have customized your ownCloud installation and your filepaths are different than the standard installation, then
modify this script accordingly.
This lists the recommended modes and ownership for your ownCloud directories and files:
All files should be read-write for the file owner, read-only for the group owner, and zero for the world
All directories should be executable (because directories always need the executable bit set), read-write for the
directory owner, and read-only for the group owner
The apps/ directory should be owned by [HTTP user]:[HTTP group]
The config/ directory should be owned by [HTTP user]:[HTTP group]
The themes/ directory should be owned by [HTTP user]:[HTTP group]
The assets/ directory should be owned by [HTTP user]:[HTTP group]
The data/ directory should be owned by [HTTP user]:[HTTP group]
The [ocpath]/.htaccess file should be owned by root:[HTTP group]
The data/.htaccess file should be owned by root:[HTTP group]
Both .htaccess files are read-write file owner, read-only group and world
These strong permissions prevent upgrading your ownCloud server; see Setting Permissions for Updating for a script
to quickly change permissions to allow upgrading.
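A read-only check that an installation still matches the modes and ownership listed above, printing one line per deviation. This is an added example, not part of the ownCloud manual; the function names and finding labels are this example's own, and it uses only find and sed.

```bash
#!/bin/bash
# Added example (not from the ownCloud manual): audit of the recommended
# modes and ownership. It changes nothing on disk.
# Usage: audit_oc_perms OCPATH HTUSER HTGROUP ROOTUSER

tag() { sed "s|^|$1 |"; }   # prefix each path on stdin with a finding label

oc_perm_findings() {
    # Files must be 0640; both .htaccess files and occ are checked separately.
    find "$ocpath" -type f ! -perm 0640 \
        ! -path "$ocpath/.htaccess" ! -path "$ocpath/data/.htaccess" \
        ! -path "$ocpath/occ" -print | tag file-mode

    # Directories must be 0750.
    find "$ocpath" -type d ! -perm 0750 -print | tag dir-mode

    # occ must be owner-executable and must not be world-writable.
    if [ -f "$ocpath/occ" ]; then
        find "$ocpath/occ" \( ! -perm -0100 -o -perm -0002 \) -print | tag occ-mode
    fi

    # Both .htaccess files: 0644 and root:[HTTP group].
    for f in "$ocpath/.htaccess" "$ocpath/data/.htaccess"; do
        if [ -f "$f" ]; then
            find "$f" \( ! -perm 0644 -o ! -user "$rootuser" \
                -o ! -group "$htgroup" \) -print
        fi
    done | tag htaccess

    # Directories the web server writes to: [HTTP user]:[HTTP group].
    for d in apps assets config data themes; do
        if [ -d "$ocpath/$d" ]; then
            find "$ocpath/$d" ! -path "$ocpath/data/.htaccess" \
                \( ! -user "$htuser" -o ! -group "$htgroup" \) -print
        fi
    done | tag http-owner

    # Everything else is ownCloud code: root:[HTTP group], as set by the
    # script above, so the HTTP user can read it but not modify it.
    find "$ocpath" \( -path "$ocpath/apps" -o -path "$ocpath/assets" \
        -o -path "$ocpath/config" -o -path "$ocpath/data" \
        -o -path "$ocpath/themes" -o -path "$ocpath/updater" \) -prune \
        -o \( ! -user "$rootuser" -o ! -group "$htgroup" \) -print | tag core-owner
}

# Prints the findings and returns 1 if there are any, 0 otherwise.
audit_oc_perms() {
    ocpath=${1%/} htuser=$2 htgroup=$3 rootuser=$4
    findings=$(oc_perm_findings)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: audit.sh /var/www/owncloud www-data www-data root
if [ "$#" -eq 4 ]; then
    audit_oc_perms "$@"
fi
```

Expect findings while the relaxed permissions for updating are in place; the audit should be clean again once the strong permissions have been reapplied.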
4.5 Installing ownCloud From the Command Line
It is now possible to install ownCloud entirely from the command line. This is convenient for scripted operations,
headless servers, and sysadmins who prefer the command line. There are three stages to installing ownCloud via the
command line:
1. Download and install the ownCloud code via your package manager, or download and unpack the tarball in the
appropriate directories. (See Preferred Linux Installation Method and Manual Installation on Linux.)
2. Change the ownership of your owncloud directory to your HTTP user, like this example for Debian/Ubuntu. You
must run occ as your HTTP user; see Run occ As Your HTTP User:
$ sudo chown -R www-data:www-data /var/www/owncloud/
3. Use the occ command to complete your installation. This takes the place of running the graphical Installation
Wizard:
$ cd /var/www/owncloud/
$ sudo -u www-data php occ maintenance:install --database "mysql" \
  --database-name "owncloud" --database-user "root" --database-pass "password" \
  --admin-user "admin" --admin-pass "password"
ownCloud is not installed - only a limited number of commands are available
ownCloud was successfully installed
Note that you must change to the root ownCloud directory, as in the example above, to run occ
maintenance:install, or the installation will fail with a PHP fatal error message.
Supported databases are:
- sqlite (SQLite3 - ownCloud Community edition only)
- mysql (MySQL/MariaDB)
- pgsql (PostgreSQL)
- oci (Oracle - ownCloud Enterprise edition only)
See Command Line Installation for more information.
Finally, apply the correct strong permissions to your ownCloud files and directories (see Setting Strong Directory
Permissions). This is an extremely important step. It helps protect your ownCloud installation, and ensures that it will
run correctly.
4.5.1 BINLOG_FORMAT = STATEMENT
If your ownCloud installation fails and you see this in your ownCloud log:
An unhandled exception has been thrown: exception ‘PDOException’ with message
’SQLSTATE[HY000]: General error: 1665 Cannot execute statement: impossible to
write to binary log since BINLOG_FORMAT = STATEMENT and at least one table
uses a storage engine limited to row-based logging. InnoDB is limited to
row-logging when transaction isolation level is READ COMMITTED or READ
UNCOMMITTED.’
See MySQL / MariaDB with Binary Logging Enabled.
4.6 Changing the Web Route
This admin manual assumes that the owncloud server shall be accessible under the web route /owncloud – this is
also where the Linux packages make the server appear. You can change this in your Web server configuration, for
example from https://example.com/owncloud/ to https://example.com/.
Basic system administrator and Apache configuration knowledge is a prerequisite. Several configuration files need to be
kept in sync when changing the Web route location.
On an Ubuntu-14.04 system the following files are typically involved:
/etc/apache2/conf-enabled/owncloud.conf
/var/www/owncloud/config/config.php
/var/www/owncloud/.htaccess
4.6.1 Example: Moving from /owncloud to /
Edit the file /etc/apache2/conf-enabled/owncloud.conf to say:
Alias / "/var/www/owncloud/"
Edit /var/www/owncloud/config/config.php to say:
'overwrite.cli.url' => 'http://localhost/',
Edit the file /var/www/owncloud/.htaccess to say:
...
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
...
<IfModule mod_rewrite.c>
RewriteBase /
...
Optionally also set your document root, though this is generally not needed or recommended. Edit the file
/etc/apache2/sites-enabled/000-default.conf to say:
DocumentRoot /var/www/owncloud
Note: Since ownCloud version 9.0.2 we support short URLs without index.php. The rewrite mechanism involves
a RewriteBase rule in .htaccess which is auto-generated when ownCloud is first started. Depending on the exact
way ownCloud was installed (upgrade or fresh, plain tar archive, or packages) you may or may not find a RewriteBase
in your .htaccess files. If it is not yet there, make sure to double check once the ownCloud server is up and running.
4.7 Installing and Managing Apps
After installing ownCloud, you may provide added functionality by installing applications.
4.7.1 Supported Apps
See Supported Apps in ownCloud for a list of supported Enterprise edition apps.
4.7.2 Viewing Enabled Apps
During the ownCloud installation, some apps are enabled by default. To see which apps are enabled go to your Apps
page.
You will see which apps are enabled, not enabled, and recommended. You’ll also see additional filters, such as
Multimedia, Productivity, and Tool for finding more apps quickly.
4.7.3 Managing Apps
In the Apps page you can enable or disable applications. Some apps have configurable options on the Apps page,
such as Enable only for specific groups, but mainly they are enabled or disabled here, and are configured on your
ownCloud Admin page, Personal page, or in config.php.
4.7.4 Adding Third Party Apps
Some apps are developed and supported by ownCloud directly. These have an Official tag. Apps with the Approved
tag are community-developed and supported; they are maintained by trusted developers, and are under active
development. Only Official and Approved apps are linked on the Apps page by default.
Click the app name to view a description of the app and any of the app settings in the Application View field. Clicking
the Enable button will enable the app. If the app is not part of the ownCloud installation, it will be downloaded from
the app store, installed and enabled.
Click the gear icon on the lower left to browse experimental apps in the ownCloud Apps Store. Install experimental
apps at your own risk.
Sometimes the installation of a third-party app fails silently, possibly because 'appcodechecker' => true, is
enabled in config.php. When appcodechecker is enabled it checks if third-party apps are using the private
API, rather than the public API. If they are, then they will not be installed.
Note: If you would like to create or add your own ownCloud app, please refer to the developer manual.
4.7.5 Using Custom App Directories
Use the apps_paths array in config.php to set any custom apps directory locations. The key path defines the
absolute file system path to the app folder. The key url defines the HTTP web path to that folder, starting at the
ownCloud web root. The key writable indicates if a user can install apps in that folder.
Note: To ensure that the default /apps/ folder only contains apps shipped with ownCloud, follow this example to
set up an /apps2/ folder which will be used to store all other apps.
<?php
"apps_paths" => array (
    0 => array (
        "path" => OC::$SERVERROOT."/apps",
        "url" => "/apps",
        "writable" => false,
    ),
    1 => array (
        "path" => OC::$SERVERROOT."/apps2",
        "url" => "/apps2",
        "writable" => true,
    ),
),
4.7.6 Using Your Own Appstore
You can enable the installation of apps from your own apps store. This requires that you can write to at least one of
the configured apps directories.
To enable installation from your own apps store:
1. Set the appstoreenabled parameter to “true”.
This parameter is used to enable your apps store in ownCloud.
2. Set the appstoreurl to the URL of your ownCloud apps store.
This parameter is used to set the http path to the ownCloud apps store. The appstore server must use OCS (Open
Collaboration Services).
<?php
"appstoreenabled" => true,
"appstoreurl" => "https://api.owncloud.com/v1",
4.8 Supported Apps in ownCloud
4.8.1 AGPL Apps
• Activity
• AntiVirus
• Collaborative Tags
• Comments
• Encryption
• External Sites
• External Storage
• ownCloud WebDAV Endpoint (handles old and new webdav endpoints)
• Federated File Sharing (allows file sharing across ownCloud instances)
• Federation (allows username auto-complete across ownCloud instances)
• Files (cannot be disabled)
• Files PDF Viewer
• Files Sharing
• Files TextEditor
• Files Trashbin
• Files Versions
• Files VideoPlayer
• First Run Wizard
• Gallery
• Notifications
• Object Storage (Swift)
• Provisioning API
• Template Editor (for notification emails)
• Update Notifications
• User External
• User LDAP
4.8.2 Enterprise-Only Apps
• Enterprise License Key
• Files Drop
• File Firewall
• LDAP Home Connector
• Log user and Sharing actions (1 new app, replacing the 2 former logging apps)
• Object Storage (S3)
• SharePoint
• Shibboleth (SAML)
• Windows Network Drives (requires External Storage)
• Workflow
4.9 Manual Installation on Linux
Installing ownCloud on Linux from our Open Build Service packages is the preferred method (see Preferred Linux
Installation Method). These are maintained by ownCloud engineers, and you can use your package manager to keep
your ownCloud server up-to-date.
Note: Enterprise customers should refer to Installing & Upgrading ownCloud Enterprise Edition.
If there are no packages for your Linux distribution, or you prefer installing from the source tarball, you can set up
ownCloud from scratch using a classic LAMP stack (Linux, Apache, MySQL/MariaDB, PHP). This document provides
a complete walk-through for installing ownCloud on Ubuntu 14.04 LTS Server with Apache and MariaDB, using
the ownCloud .tar archive.
Prerequisites
Example Installation on Ubuntu 14.04 LTS Server
BINLOG_FORMAT = STATEMENT
Apache Web Server Configuration
Enabling SSL
Installation Wizard
Setting Strong Directory Permissions
SELinux Configuration Tips
php.ini Configuration Notes
php-fpm Configuration Notes
Other Web Servers
Note: Admins of SELinux-enabled distributions such as CentOS, Fedora, and Red Hat Enterprise Linux may need to
set new rules to enable installing ownCloud. See SELinux Configuration Tips for a suggested configuration.
4.9.1 Prerequisites
The ownCloud .tar archive contains all of the required PHP modules. This section lists all required and optional PHP
modules. Consult the PHP manual for more information on modules. Your Linux distribution should have packages for
all required modules. You can check the presence of a module by typing php -m | grep -i <module_name>.
If you get a result, the module is present.
Required:
php5 (>= 5.4)
PHP module ctype
PHP module dom
PHP module GD
PHP module iconv
PHP module JSON
PHP module libxml (Linux package libxml2 must be >=2.7.0)
PHP module mb multibyte
PHP module posix
PHP module SimpleXML
PHP module XMLWriter
PHP module zip
PHP module zlib
Database connectors (pick the one for your database):
PHP module sqlite (>= 3, usually not recommended for performance reasons)
PHP module pdo_mysql (MySQL/MariaDB)
PHP module pgsql (requires PostgreSQL >= 9.0)
Recommended packages:
PHP module curl (highly recommended, some functionality, e.g. HTTP user authentication, depends on this)
PHP module fileinfo (highly recommended, enhances file analysis performance)
PHP module bz2 (recommended, required for extraction of apps)
PHP module intl (increases language translation performance and fixes sorting of non-ASCII characters)
PHP module mcrypt (increases file encryption performance)
PHP module openssl (required for accessing HTTPS resources)
Required for specific apps:
PHP module ldap (for LDAP integration)
PHP module ftp (for FTP storage / external user authentication)
PHP module imap (for external user authentication)
PHP module smbclient (SMB/CIFS integration)
Note: SMB/Windows Network Drive mounts require the PHP module smbclient; see SMB/CIFS.
Recommended for specific apps (optional):
PHP module exif (for image rotation in pictures app)
PHP module gmp (for SFTP storage)
For enhanced server performance (optional) select one of the following memcaches:
PHP module apc
PHP module apcu
PHP module memcached
PHP module redis (>= 2.2.6+, required for Transactional File Locking)
See Configuring Memory Caching to learn how to select and configure a memcache.
For preview generation (optional):
PHP module imagick
avconv or ffmpeg
OpenOffice or LibreOffice
For command line processing (optional):
PHP module pcntl (enables command interruption by pressing ctrl-c)
You don’t need the WebDAV module for your Web server (i.e. Apache’s mod_webdav), as ownCloud has a built-in
WebDAV server of its own, SabreDAV. If mod_webdav is enabled you must disable it for ownCloud. (See Apache
Web Server Configuration for an example configuration.)
4.9.2 Example Installation on Ubuntu 14.04 LTS Server
Note: See Manual installation details for multiple distros, ownCloud 9.0 and 9.1 for installation hints for RHEL 7.2
and SLES 12.
On a machine running a pristine Ubuntu 14.04 LTS server, install the required and recommended modules for a typical
ownCloud installation, using Apache and MariaDB, by issuing the following commands in a terminal:
apt-get install apache2 mariadb-server libapache2-mod-php5
apt-get install php5-gd php5-json php5-mysql php5-curl
apt-get install php5-intl php5-mcrypt php5-imagick
• This installs the packages for the ownCloud core system. libapache2-mod-php5 provides the following
PHP extensions: bcmath bz2 calendar Core ctype date dba dom ereg exif
fileinfo filter ftp gettext hash iconv libxml mbstring mhash openssl pcre
Phar posix Reflection session shmop SimpleXML soap sockets SPL standard
sysvmsg sysvsem sysvshm tokenizer wddx xml xmlreader xmlwriter zip zlib. If
you are planning on running additional apps, keep in mind that they might require additional packages. See
Prerequisites for details.
At the installation of the MySQL/MariaDB server, you will be prompted to create a root password. Be sure to
remember your password as you will need it during ownCloud database setup.
Now download the archive of the latest ownCloud version:
Go to the ownCloud Download Page.
Go to Download ownCloud Server > Download > Archive file for server owners and download either the
.tar.bz2 or .zip archive.
This downloads a file named owncloud-x.y.z.tar.bz2 or owncloud-x.y.z.zip (where x.y.z is the version number).
Download its corresponding checksum file, e.g. owncloud-x.y.z.tar.bz2.md5, or owncloud-x.y.z.tar.bz2.sha256.
Verify the MD5 or SHA256 sum:
md5sum -c owncloud-x.y.z.tar.bz2.md5 < owncloud-x.y.z.tar.bz2
sha256sum -c owncloud-x.y.z.tar.bz2.sha256 < owncloud-x.y.z.tar.bz2
md5sum -c owncloud-x.y.z.zip.md5 < owncloud-x.y.z.zip
sha256sum -c owncloud-x.y.z.zip.sha256 < owncloud-x.y.z.zip
You may also verify the PGP signature:
wget https://download.owncloud.org/community/owncloud-x.y.z.tar.bz2.asc
wget https://owncloud.org/owncloud.asc
gpg --import owncloud.asc
gpg --verify owncloud-x.y.z.tar.bz2.asc owncloud-x.y.z.tar.bz2
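The two checks above, combined into a gate to run before unpacking; this is an added example, not part of the ownCloud manual. A zero exit from gpg --verify only shows that some key in your keyring made the signature, so the script also pins the signer's fingerprint by reading gpg's machine-readable status lines. The function names, the fingerprint and the sample status text are constructed placeholders; obtain the real fingerprint from a channel you trust.

```shell
#!/bin/sh
# Added example: verify a downloaded archive before unpacking it.
# Function names, the sample fingerprint and the sample status text are
# constructed for illustration; they are not ownCloud values.

# sha256_matches ARCHIVE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if the checksum file is unusable.
# Only the first field of the checksum file is read, so it does not matter
# whether the second field names the archive or "-" (stdin).
sha256_matches() {
    sm_archive=$1
    sm_sumfile=$2
    [ -r "$sm_archive" ] && [ -r "$sm_sumfile" ] || return 2
    sm_expected=$(awk 'NR == 1 { print tolower($1) }' "$sm_sumfile")
    # A saved HTML error page or an empty file must not count as a checksum.
    case $sm_expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#sm_expected}" -eq 64 ] || return 2
    sm_actual=$(sha256sum < "$sm_archive" | awk '{ print $1 }')
    [ "$sm_actual" = "$sm_expected" ]
}

# signed_by STATUS_TEXT PINNED_FINGERPRINT
# STATUS_TEXT is the output of: gpg --status-fd 1 --verify SIG ARCHIVE
# Succeeds only for a good, unexpired, unrevoked signature whose signing key
# (or its primary key) has exactly the pinned fingerprint.
signed_by() {
    [ -n "$2" ] || return 1
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
        END { exit ((good && pinned && !bad) ? 0 : 1) }'
}

# Constructed sample data so the script can be tried offline.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-01-24 1516752000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

if [ "$#" -eq 4 ]; then
    # Usage: verify.sh ARCHIVE CHECKSUM_FILE SIGNATURE_FILE PINNED_FINGERPRINT
    sha256_matches "$1" "$2" || { echo "checksum check failed: $1" >&2; exit 1; }
    gpg_status=$(gpg --status-fd 1 --verify "$3" "$1" 2>/dev/null) || true
    signed_by "$gpg_status" "$4" || { echo "not signed by pinned key: $1" >&2; exit 1; }
    echo "verified: $1"
else
    signed_by "$SAMPLE_STATUS" "$SAMPLE_FPR" && echo "sample status accepted"
fi
```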
Now you can extract the archive contents. Run the appropriate unpacking command for your archive type:
tar -xjf owncloud-x.y.z.tar.bz2
unzip owncloud-x.y.z.zip
This unpacks to a single owncloud directory. Copy the ownCloud directory to its final destination. When you
are running the Apache HTTP server you may safely install ownCloud in your Apache document root:
cp -r owncloud /path/to/webserver/document-root
where /path/to/webserver/document-root is replaced by the document root of your Web server:
cp -r owncloud /var/www
On other HTTP servers it is recommended to install ownCloud outside of the document root.
4.9.3 BINLOG_FORMAT = STATEMENT
If your ownCloud installation fails and you see this in your ownCloud log:
An unhandled exception has been thrown: exception ‘PDOException’ with message
’SQLSTATE[HY000]: General error: 1665 Cannot execute statement: impossible to
write to binary log since BINLOG_FORMAT = STATEMENT and at least one table
uses a storage engine limited to row-based logging. InnoDB is limited to
row-logging when transaction isolation level is READ COMMITTED or READ
UNCOMMITTED.’
See MySQL / MariaDB with Binary Logging Enabled.
4.9.4 Apache Web Server Configuration
On Debian, Ubuntu, and their derivatives, Apache installs with a useful configuration so all you have to do is create a
/etc/apache2/sites-available/owncloud.conf file with these lines in it, replacing the Directory and
other filepaths with your own filepaths:
Alias /owncloud "/var/www/owncloud/"

<Directory /var/www/owncloud/>
  Options +FollowSymlinks
  AllowOverride All

  <IfModule mod_dav.c>
    Dav off
  </IfModule>

  SetEnv HOME /var/www/owncloud
  SetEnv HTTP_HOME /var/www/owncloud
</Directory>
Then create a symlink to /etc/apache2/sites-enabled:
ln -s /etc/apache2/sites-available/owncloud.conf /etc/apache2/sites-enabled/owncloud.conf
Additional Apache Configurations
For ownCloud to work correctly, we need the module mod_rewrite. Enable it by running:
a2enmod rewrite
Additional recommended modules are mod_headers, mod_env, mod_dir and mod_mime:
a2enmod headers
a2enmod env
a2enmod dir
a2enmod mime
If you’re running mod_fcgi instead of the standard mod_php also enable:
a2enmod setenvif
You must disable any server-configured authentication for ownCloud, as it uses Basic authentication internally
for DAV services. If you have turned on authentication on a parent folder (via e.g. an AuthType Basic
directive), you can turn off the authentication specifically for the ownCloud entry. Following the above example
configuration file, add the following line in the <Directory> section:
Satisfy Any
When using SSL, take special note of the ServerName. You should specify one in the server configuration, as
well as in the CommonName field of the certificate. If you want your ownCloud to be reachable via the internet,
then set both of these to the domain you want to reach your ownCloud server.
Now restart Apache:
service apache2 restart
If you’re running ownCloud in a subdirectory and want to use CalDAV or CardDAV clients make sure you have
configured the correct Service discovery URLs.
4.9.5 Enabling SSL
Note: You can use ownCloud over plain HTTP, but we strongly encourage you to use SSL/TLS to encrypt all of your
server traffic, and to protect users’ logins and data in transit.
Apache installed under Ubuntu comes already set up with a simple self-signed certificate. All you have to do is to
enable the ssl module and the default site. Open a terminal and run:
a2enmod ssl
a2ensite default-ssl
service apache2 reload
Note: See Security (Import SSL Certificates) for help on managing self-signed certificates.
4.9.6 Installation Wizard
After restarting Apache you must complete your installation by running either the graphical Installation Wizard, or
on the command line with the occ command. To enable this, temporarily change the ownership on your ownCloud
directories to your HTTP user (see Setting Strong Directory Permissions to learn how to find your HTTP user):
chown -R www-data:www-data /var/www/owncloud/
Note: Admins of SELinux-enabled distributions may need to write new SELinux rules to complete their ownCloud
installation; see SELinux Configuration Tips.
To use occ see Installing ownCloud From the Command Line.
To use the graphical Installation Wizard see Installation Wizard.
4.9.7 Setting Strong Directory Permissions
After completing installation, you must immediately set the directory permissions in your ownCloud installation as
strictly as possible for stronger security. Please refer to Setting Strong Directory Permissions.
Now your ownCloud server is ready to use.
4.9.8 SELinux Configuration Tips
See SELinux Configuration for a suggested configuration for SELinux-enabled distributions such as Fedora and
CentOS.
4.9.9 php.ini Configuration Notes
Keep in mind that changes to php.ini may have to be configured on more than one ini file. This can be the case, for
example, for the date.timezone setting.
php.ini - used by the Web server:
/etc/php5/apache2/php.ini
or
/etc/php5/fpm/php.ini
or ...
php.ini - used by the php-cli and so by ownCloud CRON jobs:
/etc/php5/cli/php.ini
4.9.10 php-fpm Configuration Notes
Security: Use at least PHP >= 5.5.22 or >= 5.6.6
Due to a bug with security implications in older PHP releases with the handling of XML data you are highly
encouraged to run at least PHP 5.5.22 or 5.6.6 when in a threaded environment.
System environment variables
When you are using php-fpm, system environment variables like PATH, TMP or others are not automatically
populated in the same way as when using php-cli. A PHP call like getenv('PATH'); can therefore return an empty
result. So you may need to manually configure environment variables in the appropriate php-fpm ini/config file.
Here are some example root paths for these ini/config files:
Ubuntu/Mint        CentOS/Red Hat/Fedora
/etc/php5/fpm/     /etc/php-fpm.d/
In both examples, the ini/config file is called www.conf, and depending on the distro version or customizations you
have made, it may be in a subdirectory.
Usually, you will find some or all of the environment variables already in the file, but commented out like this:
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
Uncomment the appropriate existing entries. Then run printenv PATH to confirm your paths, for example:
$ printenv PATH
/home/user/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
If any of your system environment variables are not present in the file then you must add them.
When you are using shared hosting or a control panel to manage your ownCloud VM or server, the configuration files
are almost certain to be located somewhere else, for security and flexibility reasons, so check your documentation for
the correct locations.
Please keep in mind that it is possible to create different settings for php-cli and php-fpm, and for different
domains and Web sites. The best way to check your settings is with PHP Version and Information.
Maximum upload size
If you want to increase the maximum upload size, you will also have to modify your php-fpm configuration and
increase the upload_max_filesize and post_max_size values. You will need to restart php5-fpm and
your HTTP server in order for these changes to be applied.
.htaccess notes for Apache
ownCloud comes with its own owncloud/.htaccess file. Because php-fpm can’t read PHP settings in
.htaccess, these settings and permissions must be set in the owncloud/.user.ini file.
4.9.11 Other Web Servers
nginx Example Configurations
Other HTTP servers
Univention Corporate Server installation
4.10 ownCloud Community Appliance
ownCloud has a publicly developed community appliance on GitHub. Download the latest release from the Appliances
tab on the ownCloud server installation page. The easiest way to get the VM up and running is by using VirtualBox
and downloading the OVA image from the installation page.
4.10.1 Instructions for VirtualBox and OVA
Follow these steps to get the appliance working:
1. Download the Virtual Machine image zip file and unpack it.
2. Start VirtualBox and click on File ... > Import Appliance and import your new ownCloud image.
3. Click the green Start arrow. After a minute you should see the console greeting message.
4. Note the username and password here. It is a random password that we generate for you on first boot. If you log
in at the console, you’ll be prompted to change the password. This is optional.
5. With your Web browser try http://localhost:8888 or http://localhost:80 or the address
printed on the console. One of them should work. If not, please review and adjust the network setup of
VirtualBox to bridged mode.
6. You should see a Web page with login credentials (if you haven’t changed them already) and a list of URLs to try
to reach the ownCloud web service. Which one works, again depends on the network setup of your hypervisor.
Note: You should write down your admin password, and make sure the login credentials are no longer displayed.
Click the [Hide Credentials] button. When using the ownCloud Proxy app, this Web page may be publicly visible.
Note: Inside the VM, ownCloud runs with a default disk size of 40 GB and its own MySQL database. The ownCloud
admin user is also a valid account on the Ubuntu system that runs inside the VM. You can administer the VM via SSH.
For VMware
You can follow most of the steps above; however, after opening the VMX file, you will have to configure Bridged
Network as Network Adapter.
4.10.2 Software Appliances
There are a number of unofficial pre-made virtual machine-based appliances:
Tech and Me - ownCloud VM on Ubuntu 16.04 with PHP 7, MySQL, and Apache, fully configured environment.
SUSE Studio, ownCloud on openSUSE, which runs directly from a USB stick.
Amahi home server
4.11 Installing PHP 5.4 on RHEL 6 and CentOS 6
Red Hat Enterprise Linux and CentOS 6 still ship with PHP 5.3. ownCloud requires PHP 5.4 or better. There are
several third-party repositories that supply PHP 5.4, but you must use the Software Collections (SCL) repository to be
in compliance with your RHEL support contract, and not any other third-party repository.
4.11.1 RHEL 6
Follow these steps to install PHP 5.4 from SCL. First you must use your Subscription Manager to enable SCL:
subscription-manager repos --enable rhel-server-rhscl-6-eus-rpms
Then install PHP 5.4 and these modules:
yum install php54 php54-php php54-php-gd php54-php-mbstring
You must also install the updated database module for your database. This example installs the new PHP 5.4 module
for MySQL/MariaDB:
yum install php54-php-mysqlnd
Disable loading the old PHP 5.3 Apache module:
mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php53.off
You should now have a /etc/httpd/conf.d/php54-php.conf file, which loads the correct PHP 5.4 module for Apache.
Then restart Apache:
service httpd restart
Verify with PHP Version and Information that your Apache server is using PHP 5.4 and loading the correct modules.
4.11.2 CentOS 6
First install the SCL repo:
yum install centos-release-SCL
Then install PHP 5.4 and these modules:
yum install php54 php54-php php54-php-gd php54-php-mbstring
You must also install the updated database module. This installs the new PHP 5.4 module for MySQL/MariaDB:
yum install php54-php-mysqlnd
Disable loading the old PHP 5.3 Apache module:
mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php53.off
You should now have a /etc/httpd/conf.d/php54-php.conf file, which loads the correct PHP 5.4 module for Apache.
Finally, restart Apache:
service httpd restart
Verify with PHP Version and Information that your Apache server is using PHP 5.4 and loading the correct modules.
4.12 Installing PHP 5.5 on RHEL 7 and CentOS 7
PHP 5.4 has been end-of-life since September 2015 and is no longer supported by the PHP team. RHEL 7 still ships
with PHP 5.4, and Red Hat supports it. ownCloud also supports PHP 5.4, so upgrading is not required. However, it is
highly recommended to upgrade to PHP 5.5+ for best security and performance.
Before upgrading, evaluate all of your PHP apps for compatibility with PHP 5.5.
4.12.1 RHEL 7 Upgrade to PHP 5.5
To upgrade to PHP 5.5, you must use the Software Collections (SCL) repository to be in compliance with your RHEL
support contract, and not any other third-party repository. Follow these steps to install PHP 5.5 from SCL. First you
must use your Subscription Manager to enable SCL:
subscription-manager repos --enable rhel-server-rhscl-7-eus-rpms
Then install PHP 5.5 and these modules:
yum install php55 php55-php php55-php-gd php55-php-mbstring
You must also install the updated database module for your database. This installs the new PHP 5.5 module for
MySQL/MariaDB:
yum install php55-php-mysqlnd
If you are using the ownCloud LDAP app, you need this module:
yum install php55-php-ldap
Disable loading the old PHP Apache modules by changing their names:
mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php54.off
mv /etc/httpd/conf.modules.d/10-php.conf /etc/httpd/conf.modules.d/10-php54.off
Copy the PHP 5.5 Apache modules into place:
cp /opt/rh/httpd24/root/etc/httpd/conf.d/php55-php.conf /etc/httpd/conf.d/
cp /opt/rh/httpd24/root/etc/httpd/conf.modules.d/10-php55-php.conf /etc/httpd/conf.modules.d/
cp /opt/rh/httpd24/root/etc/httpd/modules/libphp55-php5.so /etc/httpd/modules/
Then restart Apache:
service httpd restart
Verify with phpinfo that your Apache server is using PHP 5.5 and loading the correct modules; see PHP Version
and Information to learn how to use phpinfo.
4.12.2 CentOS 7 Upgrade to PHP 5.5
To upgrade to PHP 5.5, use the Red Hat Software Collections (SCL) repository.
Before upgrading, evaluate all of your PHP apps for compatibility with PHP 5.5.
Follow these steps to install PHP 5.5 from SCL. First install the SCL repository:
yum install centos-release-scl
Then install PHP 5.5 and these modules:
yum install php55 php55-php php55-php-gd php55-php-mbstring
You must also install the updated database module for your database. This installs the new PHP 5.5 module for
MySQL/MariaDB:
yum install php55-php-mysqlnd
If you are using the ownCloud LDAP app, you need this module:
yum install php55-php-ldap
Disable loading the old PHP Apache modules by changing their names:
mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php54.off
mv /etc/httpd/conf.modules.d/10-php.conf /etc/httpd/conf.modules.d/10-php54.off
Copy the PHP 5.5 Apache modules into place:
cp /opt/rh/httpd24/root/etc/httpd/conf.d/php55-php.conf /etc/httpd/conf.d/
cp /opt/rh/httpd24/root/etc/httpd/conf.modules.d/10-php55-php.conf /etc/httpd/conf.modules.d/
cp /opt/rh/httpd24/root/etc/httpd/modules/libphp55-php5.so /etc/httpd/modules/
Then restart Apache:
service httpd restart
Verify with phpinfo that your Apache server is using PHP 5.5 and loading the correct modules; see PHP Version
and Information to learn how to use phpinfo.
4.13 SELinux Configuration
When you have SELinux enabled on your Linux distribution, you may run into permissions problems after a new
ownCloud installation, and see permission denied errors in your ownCloud logs.
When you are testing ownCloud or troubleshooting,
The following settings should work for most SELinux systems that use the default distro profiles. Run these commands
as root, and remember to adjust the filepaths in these examples for your installation:
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/data(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/assets(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/.user.ini'
restorecon -Rv '/var/www/html/owncloud/'
If you uninstall ownCloud you need to remove the ownCloud directory labels. To do this execute the following
commands as root after uninstalling ownCloud:
semanage fcontext -d '/var/www/html/owncloud/data(/.*)?'
semanage fcontext -d '/var/www/html/owncloud/config(/.*)?'
semanage fcontext -d '/var/www/html/owncloud/apps(/.*)?'
semanage fcontext -d '/var/www/html/owncloud/assets(/.*)?'
semanage fcontext -d '/var/www/html/owncloud/.htaccess'
semanage fcontext -d '/var/www/html/owncloud/.user.ini'
restorecon -Rv '/var/www/html/owncloud/'
Note: The assets folder is only required if JavaScript and CSS Asset Management is enabled.
('asset-pipeline.enabled' => true, in config.php)
If you have customized SELinux policies and these examples do not work, you must give the HTTP server write access
to these directories:
/var/www/html/owncloud/data
/var/www/html/owncloud/config
/var/www/html/owncloud/apps
/var/www/html/owncloud/assets
4.13.1 Enable updates via the web interface
To enable updates via the ownCloud web interface, you may need this to enable writing to the ownCloud directories:
setsebool httpd_unified on
When the update is completed, disable write access:
setsebool -P httpd_unified off
4.13.2 Disallow write access to the whole web directory
For security reasons it’s suggested to disable write access to all folders in /var/www/ (default):
setsebool -P httpd_unified off
4.13.3 Allow access to a remote database
An additional setting is needed if your installation is connecting to a remote database:
setsebool -P httpd_can_network_connect_db on
4.13.4 Allow access to LDAP server
Use this setting to allow LDAP connections:
setsebool -P httpd_can_connect_ldap on
4.13.5 Allow access to remote network
ownCloud requires access to remote networks for functions such as Server-to-Server sharing, external storages or the
app store. To allow this access use the following setting:
setsebool -P httpd_can_network_connect on
4.13.6 Allow access to network memcache
This setting is not required if httpd_can_network_connect is already on:
setsebool -P httpd_can_network_memcache on
4.13.7 Allow access to SMTP/sendmail
If you want to allow ownCloud to send out e-mail notifications via sendmail you need to use the following setting:
setsebool -P httpd_can_sendmail on
4.13.8 Allow access to CIFS/SMB
If you have placed your datadir on a CIFS/SMB share use the following setting:
setsebool -P httpd_use_cifs on
4.13.9 Allow access to FuseFS
If your ownCloud data folder resides on a Fuse Filesystem (e.g. EncFS etc), this setting is required as well:
setsebool -P httpd_use_fusefs on
4.13.10 Allow access to GPG for Rainloop
If you use the Rainloop webmail client app, which supports GPG/PGP, you might need this:
setsebool -P httpd_use_gpg on
4.13.11 Troubleshooting
For general troubleshooting of SELinux and its profiles, try installing the package setroubleshoot and run:
sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt
to get a report which helps you configure your SELinux profiles.
Another tool for troubleshooting is to enable a single ruleset for your ownCloud directory:
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud(/.*)?'
restorecon -RF /var/www/html/owncloud
It is much stronger security to have a more fine-grained ruleset as in the examples at the beginning, so use this only
for testing and troubleshooting. It has a similar effect to disabling SELinux, so don’t use it on production systems.
See this discussion on GitHub to learn more about configuring SELinux correctly for ownCloud.
4.14 nginx Example Configurations
This page covers example nginx configurations to use with running an ownCloud server. Note that nginx is not
officially supported, and this page is community-maintained. (Thank you, contributors!)
You need to insert the following code into your nginx configuration file.
The configuration assumes that ownCloud is installed in /var/www/owncloud and that it is accessed via
http(s)://cloud.example.com.
Adjust server_name, root, ssl_certificate and ssl_certificate_key to suit your needs.
Make sure your SSL certificates are readable by the server (see nginx HTTP SSL Module documentation).
add_header statements are only taken from the current level and are not cascaded from or to a different
level. All necessary add_header statements must be defined in each level needed. For better readability it
is possible to move common add_header statements into a separate file and include that file wherever necessary.
However, each add_header statement must be written in a single line to prevent connection problems with
sync clients.
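A check for the add_header rule just described, as an added example that is not part of the ownCloud manual: it lists every nested block that declares its own add_header and thereby drops a header set at server level. It assumes one directive or brace per line and no "{" inside location patterns; the function name and the sample configuration (including the /static/ location) are constructed.

```shell
#!/bin/sh
# Added example: find nginx blocks that silently drop server-level headers.
# Assumes one directive or brace per line and no "{" inside location regexes;
# the sample configuration is constructed, not the manual's full example.

# missing_security_headers CONFIG_TEXT
# Prints "<block>: missing <header>" for every nested block that declares its
# own add_header but omits a header set at server level. Returns 1 if any.
missing_security_headers() {
    printf '%s\n' "$1" | awk '
        function report(   i, j) {
            for (i = 1; i <= nl; i++)
                for (j = 1; j <= ns; j++)
                    if (!((lname[i], skey[j]) in has)) {
                        print lname[i] ": missing " sname[j]
                        found = 1
                    }
            # Reset the per-server state before the next server block.
            split("", srv); split("", own); split("", has)
            ns = 0; nl = 0; srvdepth = 0
        }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" || /^#/ { next }
        /[{]$/ {
            depth++
            label = $0
            sub(/[ \t]*[{]$/, "", label)
            stack[depth] = label
            if (label == "server" && srvdepth == 0) srvdepth = depth
            next
        }
        $0 == "}" {
            if (srvdepth > 0 && depth == srvdepth) report()
            depth--
            next
        }
        $1 == "add_header" && srvdepth > 0 {
            key = tolower($2)          # header names are case-insensitive
            if (depth == srvdepth) {
                if (!(key in srv)) { srv[key] = 1; sname[++ns] = $2; skey[ns] = key }
            } else {
                l = stack[depth]
                if (!(l in own)) { own[l] = 1; lname[++nl] = l }
                has[l, key] = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample: the /static/ block adds a caching header and repeats
# only one of the three server-level headers.
SAMPLE_CONF='server {
    listen 443 ssl;
    server_name cloud.example.com;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Robots-Tag none;
    location = /robots.txt {
        allow all;
    }
    location /static/ {
        add_header Cache-Control "public, max-age=7200";
        add_header X-Content-Type-Options nosniff;
    }
}'

if [ -n "${1:-}" ] && [ -r "$1" ]; then conf=$(cat "$1"); else conf=$SAMPLE_CONF; fi
missing_security_headers "$conf" ||
    echo "the blocks above must repeat or include the server-level headers" >&2
```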
4.14.1 Example Configurations
Be careful about line breaks if you copy the examples, as long lines may be broken for page formatting.
Thanks to @josh4trunks for providing / creating these configuration examples.
You can use ownCloud over plain HTTP, but we strongly encourage you to use SSL/TLS to encrypt all of your server
traffic, and to protect users’ logins and data in transit. If you do not use SSL/TLS, change the examples as follows:
Remove the server block containing the redirect.
Change listen 443 ssl to listen 80;
Remove ssl_certificate and ssl_certificate_key.
Remove fastcgi_param HTTPS on;
ownCloud in the webroot of nginx
The following config should be used when ownCloud is placed in the webroot of your nginx installation.
upstream php-handler {
server 127.0.0.1:9000;
#server unix:/var/run/php5-fpm.sock;
}
server {
listen 80;
server_name cloud.example.com;
# enforce https
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name cloud.example.com;
ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /var/www/owncloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you’re planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/acme-challenge { }
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is built with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
return 404;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
return 404;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off; #Available since nginx 1.7.11
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into this topic first.
#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don’t log access to assets
access_log off;
}
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don’t log access to other assets
access_log off;
}
}
ownCloud in a subdir of nginx
The following config should be used when ownCloud is placed within a subdir of your nginx installation.
upstream php-handler {
server 127.0.0.1:9000;
#server unix:/var/run/php5-fpm.sock;
}
server {
listen 80;
server_name cloud.example.com;
# enforce https
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name cloud.example.com;
ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /var/www/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you’re planning to use this app.
#rewrite ^/.well-known/host-meta /owncloud/public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /owncloud/public.php?service=host-meta-json last;
location = /.well-known/carddav {
return 301 $scheme://$host/owncloud/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/owncloud/remote.php/dav;
}
location /.well-known/acme-challenge { }
location ^~ /owncloud {
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is built with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
error_page 403 /owncloud/core/templates/403.php;
error_page 404 /owncloud/core/templates/404.php;
location /owncloud {
rewrite ^ /owncloud/index.php$uri;
}
location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
return 404;
}
location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
return 404;
}
location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off; #Available since nginx 1.7.11
}
location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) {
try_files $uri $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
try_files $uri /owncloud/index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into this topic first.
#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don’t log access to assets
access_log off;
}
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /owncloud/index.php$uri$is_args$args;
# Optional: Don’t log access to other assets
access_log off;
}
}
}
Suppressing Log Messages
If you’re seeing meaningless messages in your logfile, for example client denied by server configuration:
/var/www/data/htaccesstest.txt, add this section to your nginx configuration to suppress them:
location = /data/htaccesstest.txt {
allow all;
log_not_found off;
access_log off;
}
JavaScript (.js) or CSS (.css) files not served properly
A common issue with custom nginx configs is that JavaScript (.js) or CSS (.css) files are not served properly, leading
to a 404 (File not found) error on those files and a broken web interface.
This could be caused by the:
location ~* \.(?:css|js)$ {
block shown above not being located below the:
location ~ \.php(?:$|/) {
block. Other custom configurations, like caching JavaScript (.js) or CSS (.css) files via gzip, could also cause such
issues.
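The ordering problem above, modelled as an added example (not part of the manual or of ownCloud): nginx tries regex locations in configuration order and uses the first match, so moving the css/js block above the PHP block changes which block handles a script URL that ends in .js. The handler labels and request paths are constructed, and the model covers location selection only, not try_files or FastCGI.

```python
import re

# location / and the regex locations of the webroot server block above, in the
# page's order, as (modifier, pattern, handler). Handler names are labels made
# up for this example.
LOCATIONS = [
    ("", "/", "rewrite-to-index"),
    ("~", r"^/(?:build|tests|config|lib|3rdparty|templates|data)/", "return-404"),
    ("~", r"^/(?:\.|autotest|occ|issue|indie|db_|console)", "return-404"),
    ("~", r"^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]"
          r"|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/)", "php"),
    ("~", r"^/(?:updater|ocs-provider)(?:$|/)", "static"),
    ("~*", r"\.(?:css|js)$", "css-js"),
    ("~*", r"\.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$", "static"),
]


def misorder(locations):
    """Return a copy with the css/js block moved above the PHP block."""
    locs = list(locations)
    css = next(loc for loc in locs if loc[2] == "css-js")
    locs.remove(css)
    locs.insert(next(i for i, loc in enumerate(locs) if loc[2] == "php"), css)
    return locs


def select(path, locations):
    """Pick a handler the way nginx picks a location for a request path."""
    for mod, pat, handler in locations:          # 1. exact match wins outright
        if mod == "=" and path == pat:
            return handler
    best = None                                  # 2. remember longest prefix
    for mod, pat, handler in locations:
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, handler)
    if best and best[0] == "^~":                 # ^~ skips the regex phase
        return best[2]
    for mod, pat, handler in locations:          # 3. first regex in file order
        if mod in ("~", "~*") and re.search(pat, path, re.I if mod == "~*" else 0):
            return handler
    return best[2] if best else None             # 4. fall back to the prefix


def route(path, locations):
    """Select a handler, following the rewrite in location / once."""
    handler = select(path, locations)
    if handler == "rewrite-to-index":
        # "rewrite ^ /index.php$uri;" changes the URI, so nginx searches again.
        handler = select("/index.php" + path, locations)
    return handler


# Constructed request paths.
SAMPLE_PATHS = [
    "/data/alice/files/notes.txt",
    "/config/config.php",
    "/.htaccess",
    "/apps/files/ajax/list.php",
    "/core/css/styles.css",
    "/index.php/core/js/oc.js",
]

if __name__ == "__main__":
    wrong = misorder(LOCATIONS)
    for p in SAMPLE_PATHS:
        print(f"{p:32} page order: {route(p, LOCATIONS):11} "
              f"css/js first: {route(p, wrong)}")
```

Only the last sample path changes handler between the two orderings: with the css/js block first it is treated as a static file lookup instead of being passed to PHP.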
Performance Tuning
nginx (<1.9.5): ngx_http_spdy_module
nginx (+1.9.5): ngx_http_http2_module
To use http_v2 for nginx you have to check two things:
1.) Be aware that this module is not built in by default due to a dependency on the openssl version used on
your system. It will be enabled with the --with-http_v2_module configuration parameter during
compilation. The dependency should be checked automatically. You can check the presence of http_v2
with nginx -V 2>&1 | grep http_v2 -o. An example of how to compile nginx can be found
in section “Configure nginx with the nginx-cache-purge module” below.
2.) When you have used SPDY before, the nginx config has to be changed from listen 443 ssl spdy; to
listen 443 ssl http2;
nginx: caching ownCloud gallery thumbnails
One of the optimizations for ownCloud when using nginx as the Web server is to combine FastCGI caching with
“Cache Purge”, a third-party nginx module that adds the ability to purge content from FastCGI, proxy, SCGI and uWSGI
caches. This mechanism speeds up thumbnail presentation as it shifts requests to nginx and minimizes PHP invocations
which otherwise would take place for every thumbnail presented every time.
The following procedure is based on an Ubuntu 14.04 system. You may need to adapt it according to your OS type and
release.
Note: Unlike Apache, nginx does not dynamically load modules. All modules needed must be compiled into nginx.
This is one of the reasons for nginx’s performance. It is expected that you already have a running nginx installation with a
working configuration set up as described in the ownCloud documentation.
nginx module check
As a first step, it is necessary to check if your nginx installation has the nginx cache purge module compiled in:
nginx -V 2>&1 | grep ngx_cache_purge -o
If your output contains ngx_cache_purge, you can continue with the configuration, otherwise you need to manually
compile nginx with the module needed.
Compile nginx with the nginx-cache-purge module
1. Preparation:
cd /opt
wget http://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key
sudo vi /etc/apt/sources.list.d/nginx.list
Add the following lines (if different, replace {trusty} by your distribution name):
deb http://nginx.org/packages/mainline/ubuntu/ trusty nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ trusty nginx
Then run sudo apt-get update
Note: If you’re not overly cautious and wish to install the latest and greatest nginx packages and features, you may
have to install nginx from its mainline repository. From the nginx homepage: “In general, you should deploy nginx
from its mainline branch at all times.” If you would like to use standard nginx from the latest mainline branch but
without compiling in any additional modules, just run sudo apt-get install nginx.
2. Download the nginx source from the ppa repository
cd /opt
sudo apt-get build-dep nginx
sudo apt-get source nginx
3. Download module(s) to be compiled in and configure compiler arguments
ls -la
Please replace {release} with the release downloaded:
cd /opt/nginx-{release}/debian
If folder “modules” is not present, do:
sudo mkdir modules
cd modules
sudo git clone https://github.com/FRiCKLE/ngx_cache_purge.git
sudo vi /opt/nginx-{release}/debian/rules
If not present, add the following line at the top under #export DH_VERBOSE=1:
MODULESDIR = $(CURDIR)/debian/modules
And at the end of every configure command add:
--add-module=$(MODULESDIR)/ngx_cache_purge
Don’t forget to escape preceding lines with a backslash \. The parameters may now look like:
--with-cc-opt="$(CFLAGS)" \
--with-ld-opt="$(LDFLAGS)" \
--with-ipv6 \
--add-module=$(MODULESDIR)/ngx_cache_purge
4. Compile and install nginx
cd /opt/nginx-{release}
sudo dpkg-buildpackage -uc -b
ls -la /opt
sudo dpkg --install /opt/nginx_{release}~{distribution}_amd64.deb
5. Check if the compilation and installation of the ngx_cache_purge module was successful
nginx -V 2>&1 | grep ngx_cache_purge -o
It should now show: ngx_cache_purge
Show nginx version including all features compiled and installed:
nginx -V 2>&1 | sed s/" --"/"\n\t--"/g
6. Mark nginx to be blocked from further updates via apt-get
sudo dpkg --get-selections | grep nginx
For every nginx component listed run sudo apt-mark hold <component>
7. Regular checks for nginx updates
Check the nginx news page regularly and, in case of updates, proceed with items 2 to 5.
Configure nginx with the nginx-cache-purge module
1. Preparation: Create a directory where nginx will save the cached thumbnails. Use any path that fits your
environment. Replace {path} in this example with the path you created:
sudo mkdir -p /usr/local/tmp/cache
2. Configuration
sudo vi /etc/nginx/sites-enabled/{your-ownCloud-nginx-config-file}
Add at the beginning, but outside the server{} block:
# cache_purge
fastcgi_cache_path {path} levels=1:2 keys_zone=OWNCLOUD:100m inactive=60m;
map $request_uri $skip_cache {
default 1;
~*/thumbnail.php 0;
~*/apps/galleryplus/ 0;
~*/apps/gallery/ 0;
}
Note: Please adapt or delete any regex line in the map block according to your needs and the ownCloud version used.
As an alternative to mapping, you can use as many if statements in your server block as necessary:
set $skip_cache 1;
if ($request_uri ~* "thumbnail.php") { set $skip_cache 0; }
if ($request_uri ~* "/apps/galleryplus/") { set $skip_cache 0; }
if ($request_uri ~* "/apps/gallery/") { set $skip_cache 0; }
Add inside the server{} block, as an example of a configuration:
# cache_purge (with $http_cookie we have unique keys for the user)
fastcgi_cache_key $http_cookie$request_method$host$request_uri;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_pass php-handler;
# cache_purge
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache OWNCLOUD;
fastcgi_cache_valid 60m;
fastcgi_cache_methods GET HEAD;
}
Note: Regarding the fastcgi_pass parameter, use whatever fits your configuration. In the example above,
an upstream was defined in an nginx global configuration file. This may look like:
upstream php-handler {
server unix:/var/run/php5-fpm.sock;
# or
# server 127.0.0.1:9000;
}
3. Test the configuration
sudo nginx -s reload
Open your browser and clear your cache.
Log on to your ownCloud instance, open the gallery app, move through your folders and watch while the thumbnails
are generated for the first time.
You may also watch your system load with e.g. htop while the thumbnails are processed.
Go to another app, or log out and log on again.
Open the gallery app again and browse to the folders you accessed before. Your thumbnails should appear more
or less immediately.
htop will not show additional load while processing, compared to the high load before.
CHAPTER
FIVE
OWNCLOUD SERVER CONFIGURATION
5.1 Warnings on Admin Page
Your ownCloud server has a built-in configuration checker, and it reports its findings at the top of your Admin page.
These are some of the warnings you might see, and what to do about them.
5.1.1 Cache Warnings
“No memory cache has been configured. To enhance your performance please configure a memcache if available.”
ownCloud supports multiple PHP caching extensions:
• APC (PHP 5.4 only)
• APCu (PHP 5.5+, minimum required PHP extension version 4.0.6)
• Memcached
• Redis (minimum required PHP extension version: 2.2.6)
You will see this warning if you have no caches installed and enabled, or if your cache does not have the required
minimum version installed; older versions are disabled because of performance problems.
If you see “{Cache} below version {Version} is installed. for stability and performance reasons we recommend to
update to a newer {Cache} version” then you need to upgrade, or, if you’re not using it, remove it.
You are not required to use any caches, but caches improve server performance. See Configuring Memory Caching.
5.1.2 Transactional file locking is disabled
“Transactional file locking is disabled, this might lead to issues with race conditions.”
Please see Transactional File Locking on how to correctly configure your environment for transactional file locking.
5.1.3 You are accessing this site via HTTP
“You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.”
Please take this warning seriously; using HTTPS is a fundamental security measure. You must configure your Web
server to support it, and then there are some settings in the Security section of your ownCloud Admin page to enable.
The following pages describe how to enable HTTPS on the Apache and Nginx Web servers.
Enabling SSL (on Apache)
Use HTTPS
nginx Example Configurations
5.1.4 The test with getenv(“PATH”) only returns an empty response
Some environments are not passing a valid PATH variable to ownCloud. The php-fpm Configuration Notes provides
the information about how to configure your environment.
5.1.5 The “Strict-Transport-Security” HTTP header is not configured
“The “Strict-Transport-Security” HTTP header is not configured to least “15768000” seconds. For enhanced security
we recommend enabling HSTS as described in our security tips.”
The HSTS header needs to be configured within your Web server by following the Enable HTTP Strict Transport
Security documentation.
5.1.6 /dev/urandom is not readable by PHP
“/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be
found in our documentation.”
This message is another one which needs to be taken seriously. Please have a look at the Give PHP read access to
/dev/urandom documentation.
5.1.7 Your Web server is not yet set up properly to allow file synchronization
“Your web server is not yet set up properly to allow file synchronization because the WebDAV interface seems to be
broken.”
At the ownCloud community forums a larger FAQ is maintained containing various information and debugging hints.
5.1.8 Outdated NSS / OpenSSL version
“cURL is using an outdated OpenSSL version (OpenSSL/$version). Please update your operating system or features
such as installing and updating apps via the app store or Federated Cloud Sharing will not work reliably.”
“cURL is using an outdated NSS version (NSS/$version). Please update your operating system or features such as
installing and updating apps via the app store or Federated Cloud Sharing will not work reliably.”
There are known bugs in older OpenSSL and NSS versions leading to misbehaviour in combination with remote hosts
using SNI, a technology used by most HTTPS websites. To ensure that ownCloud will work properly you
need to update OpenSSL to at least 1.0.2b or 1.0.1d. For NSS the patch version depends on your distribution, and a
heuristic is to run the test which actually reproduces the bug. There are distributions such as RHEL/CentOS which
have this backport still pending.
5.1.9 Your Web server is not set up properly to resolve /.well-known/caldav/ or
/.well-known/carddav/
Both URLs need to be correctly redirected to the DAV endpoint of ownCloud. Please refer to Service discovery for
more info.
5.1.10 Some files have not passed the integrity check
Please refer to the Fixing Invalid Code Integrity Messages documentation on how to debug this issue.
5.1.11 Your database does not run with “READ COMMITED” transaction isolation
level
“Your database does not run with “READ COMMITED” transaction isolation level. This can cause problems when
multiple actions are executed in parallel.”
Please refer to MySQL / MariaDB “READ COMMITED” transaction isolation level on how to configure your database
for this requirement.
5.2 Importing System-wide and Personal SSL Certificates
Modern Web browsers try to keep us safe, and so they blast us with scary warnings when sites have the smallest errors
in their SSL certificates, or when they use self-signed SSL certificates. ownCloud admins encounter this when creating
Federation shares, or setting up external storage mounts. There is no reason against using self-signed certificates on
your own networks; they’re fast, free, and easy.
5.2.1 Importing Personal SSL Certificates
ownCloud has several methods for importing self-signed certificates so that you don’t have to hassle with Web browser
warnings. When you allow your users to create their own external storage mounts or Federation shares, they can import
SSL certificates for those shares on their Personal pages.
Click the Import root certificate button to open a file picker. You can distribute copies of your SSL certificates to
your users (via an ownCloud share!), or users can download them from their Web browsers. Click on the little padlock
icon and click through until you see a View Certificate button, then keep going until you can download it. In Firefox
and Chromium there is an Export button for downloading your own copy of a site’s SSL certificate.
Figure 5.1: Click “More information” in Firefox to import SSL certificate
5.2.2 Site-wide SSL Import
The personal imports only work for individual users. You can enable site-wide SSL certificates for all of your users
on your ownCloud admin page. To enable this, you must add this line to your config.php file:
'enable_certificate_management' => true,
Then you’ll have an Import root certificate button on your admin page, just like the one on your personal page.
5.2.3 Using OCC to Import and Manage SSL Certificates
The occ command has options for listing and managing your SSL certificates:
security:certificates list trusted certificates
security:certificates:import import trusted certificate
security:certificates:remove remove trusted certificate
See Using the occ Command to learn about how to use occ.
5.3 Using the occ Command
ownCloud’s occ command (ownCloud console) is ownCloud’s command-line interface. You can perform many common
server operations with occ, such as installing and upgrading ownCloud, managing users, encryption, passwords,
LDAP settings, and more.
occ is in the owncloud/ directory; for example /var/www/owncloud on Ubuntu Linux. occ is a PHP script.
You must run it as your HTTP user to ensure that the correct permissions are maintained on your ownCloud files
and directories. In ownCloud 8.2+ you may run it from any directory (specifying the filepath); in previous releases it
had to be run from the owncloud/ directory.
5.3.1 occ Command Directory
Run occ As Your HTTP User
Apps Commands
Background Jobs Selector
Config Commands
Dav Commands
Database Conversion
Encryption
Federation Sync
File Operations
Files External
Integrity Check
l10n, Create Javascript Translation Files for Apps
LDAP Commands
Logging Commands
Maintenance Commands
Security (Import SSL Certificates)
Shibboleth Modes (Enterprise Edition only)
Trashbin
User Commands
Versions
Command Line Installation
Command Line Upgrade
5.3.2 Run occ As Your HTTP User
The HTTP user is different on the various Linux distributions. See Setting Strong Directory Permissions to learn how
to find your HTTP user.
The HTTP user and group in Debian/Ubuntu is www-data.
The HTTP user and group in Fedora/CentOS is apache.
The HTTP user and group in Arch Linux is http.
The HTTP user in openSUSE is wwwrun, and the HTTP group is www.
If your HTTP server is configured to use a different PHP version than the default (/usr/bin/php), occ should be run
with the same version. For example, in CentOS 6.5 with SCL-PHP54 installed, the command looks like this:
sudo -u apache /opt/rh/php54/root/usr/bin/php /var/www/html/owncloud/occ
Running occ with no options lists all commands and options, like this example on Ubuntu:
sudo -u www-data php occ
ownCloud version 9.0.0
Usage:
command [options] [arguments]
Options:
-h, --help Display this help message
-q, --quiet Do not output any message
-V, --version Display this application version
--ansi Force ANSI output
--no-ansi Disable ANSI output
-n, --no-interaction Do not ask any interactive question
--no-warnings Skip global warnings, show command output only
-v|vv|vvv, --verbose Increase the verbosity of messages: 1 for normal output,
2 for more verbose output and 3 for debug
Available commands:
check check dependencies of the server
environment
help Displays help for a command
list Lists commands
status show some status information
upgrade run upgrade routines after installation of
a new release. The release has to be
installed before.
This is the same as sudo -u www-data php occ list.
Run it with the -h option for syntax help:
sudo -u www-data php occ -h
Display your ownCloud version:
sudo -u www-data php occ -V
ownCloud version 9.0.0
Query your ownCloud server status:
sudo -u www-data php occ status
- installed: true
- version: 9.0.0.19
- versionstring: 9.0.0
- edition:
occ has options, commands, and arguments. Options and arguments are optional, while commands are required. The
syntax is:
occ [options] command [arguments]
Get detailed information on individual commands with the help command, like this example for the
maintenance:mode command:
sudo -u www-data php occ help maintenance:mode
Usage:
maintenance:mode [options]
Options:
--on enable maintenance mode
--off disable maintenance mode
-h, --help Display this help message
-q, --quiet Do not output any message
-V, --version Display this application version
--ansi Force ANSI output
--no-ansi Disable ANSI output
-n, --no-interaction Do not ask any interactive question
--no-warnings Skip global warnings, show command output only
-v|vv|vvv, --verbose Increase the verbosity of messages: 1 for normal output,
2 for more verbose output and 3 for debug
The status command from above has an option to define the output format. The default is plain text, but it can also
be json:
sudo -u www-data php occ status --output=json
{"installed":true,"version":"9.0.0.19","versionstring":"9.0.0","edition":""}
or json_pretty:
sudo -u www-data php occ status --output=json_pretty
{
"installed": true,
"version": "9.0.0.19",
"versionstring": "9.0.0",
"edition": ""
}
This output option is available on all list and list-like commands: status, check, app:list, config:list,
encryption:status and encryption:list-modules.
5.3.3 Apps Commands
The app commands list, enable, and disable apps:
app
app:check-code check code to be compliant
app:disable disable an app
app:enable enable an app
app:getpath Get an absolute path to the app directory
(added in 9.0)
app:list List all available apps
List all of your installed apps, and show whether they are enabled or disabled:
sudo -u www-data php occ app:list
Enable an app, for example the External Storage Support app:
sudo -u www-data php occ app:enable files_external
files_external enabled
Disable an app:
sudo -u www-data php occ app:disable files_external
files_external disabled
app:check-code has multiple checks: it checks if an app uses ownCloud’s public API (OCP) or private API (OC_),
and it also checks for deprecated methods and the validity of the info.xml file. By default all checks are enabled.
The Activity app is an example of a correctly-formatted app:
sudo -u www-data php occ app:check-code notifications
App is compliant - awesome job!
If your app has issues, you’ll see output like this:
sudo -u www-data php occ app:check-code foo_app
Analysing /var/www/owncloud/apps/files/foo_app.php
4 errors
line 45: OCP\Response - Static method of deprecated class must not be
called
line 46: OCP\Response - Static method of deprecated class must not be
called
line 47: OCP\Response - Static method of deprecated class must not be
called
line 49: OC_Util - Static method of private class must not be called
You can get the full filepath to an app:
sudo -u www-data php occ app:getpath notifications
/var/www/owncloud/apps/notifications
5.3.4 Background Jobs Selector
Use the background command to select which scheduler you want to use for controlling background jobs: Ajax,
Webcron, or Cron. This is the same as using the Cron section on your ownCloud Admin page:
background
background:ajax Use ajax to run background jobs
background:cron Use cron to run background jobs
background:webcron Use webcron to run background jobs
This example selects Ajax:
sudo -u www-data php occ background:ajax
Set mode for background jobs to ’ajax’
The other two commands are:
background:cron
background:webcron
See Background Jobs to learn more.
5.3.5 Config Commands
The config commands are used to configure the ownCloud server:
config
config:app:delete Delete an app config value
config:app:get Get an app config value
config:app:set Set an app config value
config:import Import a list of configs
config:list List all configs
config:system:delete Delete a system config value
config:system:get Get a system config value
config:system:set Set a system config value
You can list all configuration values with one command:
sudo -u www-data php occ config:list
By default, passwords and other sensitive data are omitted from the report, so the output can be posted publicly (e.g.
as part of a bug report). In order to generate a full backport of all configuration values the --private flag needs to
be set:
sudo -u www-data php occ config:list --private
The exported content can also be imported again to allow the fast setup of similar instances. The import command
will only add or update values. Values that exist in the current configuration, but not in the one that is being imported
are left untouched:
sudo -u www-data php occ config:import filename.json
It is also possible to import remote files, by piping the input:
sudo -u www-data php occ config:import < local-backup.json
Note: While it is possible to update/set/delete the versions and installation statuses of apps and ownCloud itself,
it is not recommended to do this directly. Use the occ app:enable, occ app:disable and occ update
commands instead.
Getting a Single Configuration Value
These commands get the value of a single app or system configuration:
sudo -u www-data php occ config:system:get version
9.0.0.19
sudo -u www-data php occ config:app:get activity installed_version
2.2.1
Setting a Single Configuration Value
These commands set the value of a single app or system configuration:
sudo -u www-data php occ config:system:set logtimezone --value="Europe/Berlin"
System config value logtimezone set to Europe/Berlin
sudo -u www-data php occ config:app:set files_sharing incoming_server2server_share_enabled --value="yes" --type=boolean
Config value incoming_server2server_share_enabled for app files_sharing set to yes
The config:system:set command creates the value, if it does not already exist. To update an existing value, set
--update-only:
sudo -u www-data php occ config:system:set doesnotexist --value="true" --type=boolean --update-only
Value not updated, as it has not been set before.
Note that in order to write a Boolean, float, or integer value to the configuration file, you need to specify the type on
your command. This applies only to the config:system:set command. The following values are known:
boolean
integer
float
string (default)
For example, to disable maintenance mode, run the following command:
sudo -u www-data php occ config:system:set maintenance --value=false --type=boolean
ownCloud is in maintenance mode - no app have been loaded
System config value maintenance set to boolean false
Setting an Array Configuration Value
Some configurations (e.g. the trusted domain setting) are an array of data. In order to set (and also get) the value of
one key, you can specify multiple config names separated by spaces:
sudo -u www-data php occ config:system:get trusted_domains
localhost
owncloud.local
sample.tld
To replace sample.tld with example.com, trusted_domains => 2 needs to be set:
sudo -u www-data php occ config:system:set trusted_domains 2 --value=example.com
System config value trusted_domains => 2 set to string example.com
sudo -u www-data php occ config:system:get trusted_domains
localhost
owncloud.local
example.com
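Because setting an index overwrites whatever is stored there, a script that adds a trusted domain should first work out which index is free. The following is an added example, not part of the ownCloud manual; the function names and the OCC variable are this example's own, and it assumes the array keys are contiguous from 0, as in the listing above.

```shell
#!/bin/sh
# Added example, not part of the ownCloud manual.

# The occ invocation used throughout the manual; override OCC for other setups.
OCC=${OCC:-sudo -u www-data php occ}

# valid_domain NAME
# Accepts a host name or IPv4 address with an optional :port. Rejects empty
# values, schemes, paths, whitespace, and a leading "-" that occ could
# mistake for an option. (Bracketed IPv6 literals are rejected too.)
valid_domain() {
    case $1 in
        ''|-*|.*|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    return 0
}

# domain_index LIST DOMAIN
# LIST is the one-entry-per-line output of "config:system:get trusted_domains".
# Prints "present N" when DOMAIN is already entry N (compared without regard
# to case), otherwise "free N" where N is the first unused index.
domain_index() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { n = 0; hit = -1; want = tolower(want) }
        NF == 0 { next }                               # skip blank lines
        hit < 0 && tolower($0) == want { hit = n }
        { n++ }
        END { if (hit >= 0) print "present", hit; else print "free", n }'
}

# ensure_trusted_domain DOMAIN
# Adds DOMAIN at the first free index unless it is already listed. It never
# writes to an index that is in use, so existing entries are not replaced.
ensure_trusted_domain() (
    valid_domain "$1" || { echo "refusing domain: $1" >&2; exit 2; }
    current=$($OCC config:system:get trusted_domains) || exit 1
    set -- "$1" $(domain_index "$current" "$1")
    if [ "$2" = present ]; then
        echo "unchanged $3"
        exit 0
    fi
    $OCC config:system:set trusted_domains "$3" --value="$1" >/dev/null || exit 1
    echo "added $3"
)
```

Calling ensure_trusted_domain example.com against the three-entry list above reports "added 3" and leaves sample.tld in place.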
Deleting a Single Configuration Value
These commands delete the configuration of an app or system configuration:
sudo -u www-data php occ config:system:delete maintenance:mode
System config value maintenance:mode deleted
sudo -u www-data php occ config:app:delete appname provisioning_api
Config value provisioning_api of app appname deleted
The delete command will by default not complain if the configuration was not set before. If you want to be notified in
that case, set the --error-if-not-exists flag:
sudo -u www-data php occ config:system:delete doesnotexist --error-if-not-exists
Config provisioning_api of app appname could not be deleted because it did not
exist
5.3.6 Dav Commands
A set of commands to create addressbooks, calendars, and to migrate addressbooks from 8.2 when you upgrade to 9.0:
dav
dav:create-addressbook Create a dav addressbook
dav:create-calendar Create a dav calendar
dav:migrate-addressbooks Migrate addressbooks from the contacts app to core
dav:migrate-calendars Migrate calendars from the calendar app to core
dav:sync-birthday-calendar Synchronizes the birthday calendar
dav:sync-system-addressbook Synchronizes users to the system addressbook
The syntax for dav:create-addressbook and dav:create-calendar is dav:create-addressbook
[user] [name]. This example creates the addressbook mollybook for the user molly:
sudo -u www-data php occ dav:create-addressbook molly mollybook
This example creates a new calendar for molly:
sudo -u www-data php occ dav:create-calendar molly mollycal
Molly will immediately see these on her Calendar and Contacts pages.
In 9.0, the CalDAV server has been integrated into core. Your existing calendars and contacts should migrate
automatically when you upgrade. If something goes wrong you can try a manual migration. First delete any
partially-migrated calendars or addressbooks. Then run this command to migrate a user’s contacts:
sudo -u www-data php occ dav:migrate-addressbooks [user]
Run this command to migrate calendars:
sudo -u www-data php occ dav:migrate-calendars [user]
See ownCloud 9.0 - calendar migration analysis for help with troubleshooting and reporting problems.
dav:sync-birthday-calendar adds all birthdays to your calendar from addressbooks shared with you. This
example syncs to your calendar from user bernie:
sudo -u www-data php occ dav:sync-birthday-calendar bernie
dav:sync-system-addressbook synchronizes all users to the system addressbook:
sudo -u www-data php occ dav:sync-system-addressbook
Added in 9.0.
5.3.7 Database Conversion
The SQLite database is good for testing, and for ownCloud servers with small single-user workloads that do not use
sync clients, but production servers with multiple users should use MariaDB, MySQL, or PostgreSQL. You can use
occ to convert from SQLite to one of these other databases.
db
db:convert-type Convert the ownCloud database to the newly configured one
db:generate-change-script generates the change script from the current connected db to db_structure.xml
You need:
Your desired database and its PHP connector installed.
The login and password of a database admin user.
The database port number, if it is a non-standard port.
This example converts SQLite to MySQL/MariaDB:
sudo -u www-data php occ db:convert-type mysql oc_dbuser 127.0.0.1 oc_database
For a more detailed explanation see Converting Database Type.
5.3.8 Encryption
occ includes a complete set of commands for managing encryption:
encryption
encryption:change-key-storage-root Change key storage root
encryption:decrypt-all Disable server-side encryption and decrypt all files
encryption:disable Disable encryption
encryption:enable Enable encryption
encryption:enable-master-key Enable the master key. Only available for fresh installations with no existing encrypted data! There is also no way to disable it again.
encryption:encrypt-all Encrypt all files for all users
encryption:list-modules List all available encryption modules
encryption:migrate initial migration to encryption 2.0
encryption:set-default-module Set the encryption default module
encryption:show-key-storage-root Show current key storage root
encryption:status Lists the current status of encryption
encryption:status shows whether you have active encryption, and your default encryption module. To enable
encryption you must first enable the Encryption app, and then run encryption:enable:
sudo -u www-data php occ app:enable encryption
sudo -u www-data php occ encryption:enable
sudo -u www-data php occ encryption:status
- enabled: true
- defaultModule: OC_DEFAULT_MODULE
encryption:change-key-storage-root is for moving your encryption keys to a different folder. It takes
one argument, newRoot, which defines your new root folder. The folder must exist, and the path is relative to your
root ownCloud directory:
sudo -u www-data php occ encryption:change-key-storage-root ../../etc/oc-keys
You can see the current location of your keys folder:
sudo -u www-data php occ encryption:show-key-storage-root
Current key storage root: default storage location (data/)
encryption:list-modules displays your available encryption modules. You will see a list of modules only
if you have enabled the Encryption app. Use encryption:set-default-module [module name] to set
your desired module.
encryption:encrypt-all encrypts all data files for all users. You must first put your ownCloud server into
single-user mode to prevent any user activity until encryption is completed.
encryption:decrypt-all decrypts all user data files, or optionally a single user:
sudo -u www-data php occ encryption:decrypt-all freda
Users must have enabled recovery keys on their Personal pages. You must first put your ownCloud server into
single-user mode to prevent any user activity until decryption is completed.
Use encryption:disable to disable your encryption module. You must first put your ownCloud server into
single-user mode to prevent any user activity.
encryption:enable-master-key creates a new master key, which is used for all user data instead of individual
user keys. This is especially useful to enable single sign-on. Use this only on fresh installations with no existing data,
or on systems where encryption has not already been enabled. It is not possible to disable it.
encryption:migrate migrates encryption keys after a major ownCloud version upgrade. You may optionally
specify individual users in a space-delimited list.
See Encryption Configuration to learn more.
5.3.9 Federation Sync
Note: This command is only available when the “Federation” app (federation) is enabled.
Synchronize the addressbooks of all federated ownCloud servers:
federation:sync-addressbooks Synchronizes addressbooks of all federated clouds
In ownCloud 9.+, servers connected with federation shares can share user address books, and auto-complete usernames
in share dialogs. Use this command to synchronize federated servers:
sudo -u www-data php occ federation:sync-addressbooks
Added in 9.0.
5.3.10 File Operations
occ has three commands for managing files in ownCloud:
files
files:cleanup cleanup filecache
files:scan rescan filesystem
files:transfer-ownership All files and folders are moved to another user - shares are moved as well. (Added in 9.0)
The files:scan command scans for new files and updates the file cache. You may rescan all files, per-user, a
space-delimited list of users, and limit the search path. If not using --quiet, statistics will be shown at the end of
the scan:
sudo -u www-data php occ files:scan --help
Usage:
files:scan [-p|--path="..."] [-q|--quiet] [-v|vv|vvv --verbose] [--all]
[user_id1] ... [user_idN]
Arguments:
user_id will rescan all files of the given user(s)
Options:
--path limit rescan to the user/path given
--all will rescan all files of all known users
--quiet suppress any output
--verbose files and directories being processed are shown
additionally during scanning
Verbosity levels of -vv or -vvv are automatically reset to -v
When using the --path option, the path must consist of the following components:
"user_id/files/path"
or
"user_id/files/mount_name"
or
"user_id/files/mount_name/path"
where the term files is mandatory.
Example:
--path="/alice/files/Music"
In the example above, the user_id alice is determined implicitly from the path component given.
The --path, --all and [user_id] parameters are mutually exclusive; specify only one of them.
files:cleanup tidies up the server’s file cache by deleting all file entries that have no matching entries in the
storage table.
You may transfer all files and shares from one user to another. This is useful before removing a user:
sudo -u www-data php occ files:transfer-ownership <source-user> <destination-user>
5.3.11 Files External
These commands replace the data/mount.json configuration file used in ownCloud releases before 9.0.
Note: These commands are only available when the “External storage support” app (files_external) is enabled.
Commands for managing external storage:
files_external
files_external:applicable Manage applicable users and groups for a mount
files_external:backends Show available authentication and storage backends
files_external:config Manage backend configuration for a mount
files_external:create Create a new mount configuration
files_external:delete Delete an external mount
files_external:export Export mount configurations
files_external:import Import mount configurations
files_external:list List configured mounts
files_external:option Manage mount options for a mount
files_external:verify Verify mount configuration
These commands replicate the functionality in the ownCloud Web GUI, plus two new features:
files_external:export and files_external:import.
Use files_external:export to export all admin mounts to stdout, and files_external:export
[user_id] to export the mounts of the specified ownCloud user.
Use files_external:import [filename] to import legacy JSON configurations, and to copy external
mount configurations to another ownCloud server.
Added in 9.0.
5.3.12 Integrity Check
Apps which have an official tag MUST be code signed starting with ownCloud 9.0. Unsigned official apps won’t be
installable anymore. Code signing is optional for all third-party applications:
integrity
integrity:check-app Check app integrity using a signature.
integrity:check-core Check core integrity using a signature.
integrity:sign-app Signs an app using a private key.
integrity:sign-core Sign core using a private key
After creating your signing key, sign your app like this example:
sudo -u www-data php occ integrity:sign-app --privateKey=/Users/lukasreschke/contacts.key --certificate=/Users/lukasreschke/CA/contacts.crt --path=/Users/lukasreschke/Programming/contacts
Verify your app:
sudo -u www-data php occ integrity:check-app --path=/pathto/app appname
When it returns nothing, your app is signed correctly. When it returns a message then there is an error. See Code
Signing in the Developer manual for more detailed information.
integrity:sign-core is for ownCloud core developers only.
See Code Signing to learn more.
Added in 9.0.
5.3.13 l10n, Create Javascript Translation Files for Apps
This command is for app developers to update their translation mechanism from ownCloud 7 to ownCloud 8 and later.
5.3.14 LDAP Commands
Note: These commands are only available when the “LDAP user and group backend” app (user_ldap) is enabled.
These LDAP commands appear only when you have enabled the LDAP app. Then you can run the following LDAP
commands with occ:
ldap
ldap:check-user checks whether a user exists on LDAP.
ldap:create-empty-config creates an empty LDAP configuration
ldap:delete-config deletes an existing LDAP configuration
ldap:search executes a user or group search
ldap:set-config modifies an LDAP configuration
ldap:show-config shows the LDAP configuration
ldap:show-remnants shows which users are not available on LDAP anymore, but have remnants in ownCloud.
ldap:test-config tests an LDAP configuration
Search for an LDAP user, using this syntax:
sudo -u www-data php occ ldap:search [--group] [--offset="..."] [--limit="..."] search
Searches will match at the beginning of the attribute value only. This example searches for givenNames that start with
“rob”:
sudo -u www-data php occ ldap:search "rob"
This will find robbie, roberta, and robin. Broaden the search to find, for example, jeroboam with the asterisk
wildcard:
sudo -u www-data php occ ldap:search "*rob"
User search attributes are set with ldap:set-config (below). For example, if your search attributes are
givenName and sn you can find users by first name + last name very quickly. For example, you’ll find Terri
Hanson by searching for te ha. Trailing whitespace is ignored.
Check if an LDAP user exists. This works only if the ownCloud server is connected to an LDAP server:
sudo -u www-data php occ ldap:check-user robert
ldap:check-user will not run a check when it finds a disabled LDAP connection. This prevents users that exist
on disabled LDAP connections from being marked as deleted. If you know for certain that the user you are searching
for is not in one of the disabled connections, and exists on an active connection, use the --force option to force it
to check all active LDAP connections:
sudo -u www-data php occ ldap:check-user --force robert
ldap:create-empty-config creates an empty LDAP configuration. The first one you create has no
configID, like this example:
sudo -u www-data php occ ldap:create-empty-config
Created new configuration with configID ’’
This is a holdover from the early days, when there was no option to create additional configurations. The second, and
all subsequent, configurations that you create are automatically assigned IDs:
sudo -u www-data php occ ldap:create-empty-config
Created new configuration with configID ’s01’
Then you can list and view your configurations:
sudo -u www-data php occ ldap:show-config
And view the configuration for a single configID:
sudo -u www-data php occ ldap:show-config s01
ldap:delete-config [configID] deletes an existing LDAP configuration:
sudo -u www-data php occ ldap:delete-config s01
Deleted configuration with configID ’s01’
The ldap:set-config command is for manipulating configurations, like this example that sets search attributes:
sudo -u www-data php occ ldap:set-config s01 ldapAttributesForUserSearch "cn;givenname;sn;displayname;mail"
ldap:test-config tests whether your configuration is correct and can bind to the server:
sudo -u www-data php occ ldap:test-config s01
The configuration is valid and the connection could be established!
ldap:show-remnants is for cleaning up the LDAP mappings table, and is documented in LDAP User Cleanup.
5.3.15 Logging Commands
These commands view and configure your ownCloud logging preferences:
log
log:manage manage logging configuration
log:owncloud manipulate ownCloud logging backend
Run log:owncloud to see your current logging status:
sudo -u www-data php occ log:owncloud
Log backend ownCloud: enabled
Log file: /opt/owncloud/data/owncloud.log
Rotate at: disabled
Use the --enable option to turn on logging. Use --file to set a different log file path. Set your rotation by log
file size in bytes with --rotate-size; 0 disables rotation.
log:manage sets your logging backend, log level, and timezone. The defaults are owncloud, Warning, and UTC.
Available options are:
--backend [owncloud, syslog, errorlog]
--level [debug, info, warning, error]
5.3.16 Maintenance Commands
Use these commands when you upgrade ownCloud, manage encryption, perform backups and other tasks that require
locking users out until you are finished:
maintenance
maintenance:mimetype:update-db Update database mimetypes and update filecache
maintenance:mimetype:update-js Update mimetypelist.js
maintenance:mode set maintenance mode
maintenance:repair repair this installation
maintenance:singleuser set single user mode
maintenance:mode locks the sessions of all logged-in users, including administrators, and displays a status screen
warning that the server is in maintenance mode. Users who are not already logged in cannot log in until maintenance
mode is turned off. When you take the server out of maintenance mode, logged-in users must refresh their Web
browsers to continue working:
sudo -u www-data php occ maintenance:mode --on
sudo -u www-data php occ maintenance:mode --off
Putting your ownCloud server into single-user mode allows admins to log in and work, but not ordinary users. This is
useful for performing maintenance and troubleshooting on a running server:
sudo -u www-data php occ maintenance:singleuser --on
Single user mode enabled
Turn it off when you’re finished:
sudo -u www-data php occ maintenance:singleuser --off
Single user mode disabled
The maintenance:repair command runs automatically during upgrades to clean up the database, so while you
can run it manually there usually isn’t a need to:
sudo -u www-data php occ maintenance:repair
maintenance:mimetype:update-db updates the ownCloud database and file cache with changed
mimetypes found in config/mimetypemapping.json. Run this command after modifying
config/mimetypemapping.json. If you change a mimetype, run maintenance:mimetype:update-db
--repair-filecache to apply the change to existing files.
5.3.17 Security (Import SSL Certificates)
Use these commands to manage server-wide SSL certificates. These are useful when you create federation shares with
other ownCloud servers that use self-signed certificates:
security
security:certificates list trusted certificates
security:certificates:import import trusted certificate
security:certificates:remove remove trusted certificate
This example lists your installed certificates:
sudo -u www-data php occ security:certificates
Import a new certificate:
sudo -u www-data php occ security:certificates:import /path/to/certificate
Remove a certificate:
sudo -u www-data php occ security:certificates:remove [certificate name]
5.3.18 Shibboleth Modes (Enterprise Edition only)
Note: This command is only available when the “Shibboleth user backend” app (user_shibboleth) is enabled.
shibboleth:mode sets your Shibboleth mode to notactive, autoprovision, or ssoonly:
shibboleth:mode [mode]
5.3.19 Trashbin
Note: This command is only available when the “Deleted files” app (files_trashbin) is enabled.
The trashbin:cleanup command removes the deleted files of the specified users in a space-delimited list, or all
users if none are specified.
trashbin
trashbin:cleanup Remove deleted files
This example removes the deleted files of all users:
sudo -u www-data php occ trashbin:cleanup
Remove all deleted files
Remove deleted files for users on backend Database
freda
molly
stash
rosa
edward
This example removes the deleted files of users molly and freda:
sudo -u www-data php occ trashbin:cleanup molly freda
Remove deleted files of molly
Remove deleted files of freda
5.3.20 User Commands
The user commands create and remove users, reset passwords, display a simple report showing how many users you
have, and when a user was last logged in:
user
user:add adds a user
user:delete deletes the specified user
user:lastseen shows when the user was logged in last time
user:report shows how many users have access
user:resetpassword Resets the password of the named user
You can create a new user with their display name, login name, and any group memberships with the user:add
command. The syntax is:
user:add [--password-from-env] [--display-name[="..."]] [-g|--group[="..."]] uid
The display-name corresponds to the Full Name on the Users page in your ownCloud Web UI, and the uid is
their Username, which is their login name. This example adds new user Layla Smith, and adds her to the users and
db-admins groups. Any groups that do not exist are created:
sudo -u www-data php occ user:add --display-name="Layla Smith" --group="users" --group="db-admins" layla
Enter password:
Confirm password:
The user "layla" was created successfully
Display name set to "Layla Smith"
User "layla" added to group "users"
User "layla" added to group "db-admins"
Go to your Users page, and you will see your new user.
password-from-env allows you to set the user’s password from an environment variable. This prevents the
password from being exposed to all users via the process list; it is visible only in the shell history of the user (root)
running the command. This also permits creating scripts for adding multiple new users.
To use password-from-env you must run as “real” root, rather than sudo, because sudo strips environment
variables. This example adds new user Fred Jones:
export OC_PASS=newpassword
su -s /bin/sh www-data -c 'php occ user:add --password-from-env --display-name="Fred Jones" --group="users" fred'
The user "fred" was created successfully
Display name set to "Fred Jones"
User "fred" added to group "users"
You can reset any user’s password, including administrators (see Resetting a Lost Admin Password):
sudo -u www-data php occ user:resetpassword layla
Enter a new password:
Confirm the new password:
Successfully reset password for layla
You may also use password-from-env to reset passwords:
export OC_PASS=newpassword
su -s /bin/sh www-data -c 'php occ user:resetpassword --password-from-env layla'
Successfully reset password for layla
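A script for adding several users with user:add and password-from-env, as an added example that is not part of the ownCloud manual. It keeps each password out of argument lists, exported shell variables and shell history. The function names, the OCC_RUNNER hook, the OC_UID, OC_NAME and OC_GROUP variables and the "uid:Display Name:group" list format are this example's own assumptions; only OC_PASS and --password-from-env come from the manual.

```shell
#!/bin/sh
# Added example, not part of the ownCloud manual. Run as real root from the
# ownCloud directory, as the manual requires for --password-from-env.

# Default runner: the su invocation shown in the manual. It is handed a fixed
# command string; all variable data travels in OC_* environment variables, so
# names read from a file are never parsed as shell code. OC_UID, OC_NAME and
# OC_GROUP are names chosen for this example; only OC_PASS is read by occ.
occ_as_www() {
    su -s /bin/sh www-data -c "$1"
}

# new_password: 24 hex characters (96 bits) from the kernel CSPRNG.
new_password() {
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# add_user UID DISPLAY_NAME GROUP   (password: first line of stdin)
# The body is a subshell "( ... )": the exported OC_PASS exists only for the
# occ call and never reaches the caller's environment or an argument list.
add_user() (
    OC_UID=$1 OC_NAME=$2 OC_GROUP=$3
    # Conservative check (assumption): letters, digits and "_.@-" only, and no
    # leading "-" that occ could mistake for an option.
    case $OC_UID in
        ''|-*|*[!A-Za-z0-9_.@-]*) echo "invalid uid: $OC_UID" >&2; exit 2 ;;
    esac
    [ -n "$OC_GROUP" ] || { echo "missing group for $OC_UID" >&2; exit 2; }
    IFS= read -r OC_PASS || true
    [ -n "$OC_PASS" ] || { echo "no password on stdin" >&2; exit 3; }
    export OC_PASS OC_UID OC_NAME OC_GROUP
    "${OCC_RUNNER:-occ_as_www}" \
        'php occ user:add --password-from-env --display-name="$OC_NAME" --group="$OC_GROUP" "$OC_UID"'
)

# add_users_from_file LIST OUTFILE
# LIST holds one "uid:Display Name:group" record per line; lines starting with
# "#" are skipped. A fresh initial password is generated per user and written
# to OUTFILE as "uid:password". OUTFILE is created with mode 0600.
add_users_from_file() (
    umask 077
    : > "$2" && chmod 600 "$2" || exit 1
    rc=0
    while IFS=: read -r uid name group; do
        case $uid in ''|'#'*) continue ;; esac
        pw=$(new_password)
        # printf is a builtin in bash and dash, so $pw is not in any argv.
        if printf '%s\n' "$pw" | add_user "$uid" "$name" "$group"; then
            printf '%s:%s\n' "$uid" "$pw" >> "$2"
        else
            echo "failed: $uid" >&2
            rc=1
        fi
    done < "$1"
    exit "$rc"
)
```

For a single user, reading the password with the terminal echo turned off (stty -echo) and piping it into add_user keeps it out of the shell history as well.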
You can delete users:
sudo -u www-data php occ user:delete fred
View a user’s most recent login:
sudo -u www-data php occ user:lastseen layla
layla’s last login: 09.01.2015 18:46
Generate a simple report that counts all users, including users on external user authentication servers such as LDAP:
sudo -u www-data php occ user:report
+------------------+----+
| User Report | |
+------------------+----+
| Database | 12 |
| LDAP | 86 |
| | |
| total users | 98 |
| | |
| user directories | 2 |
+------------------+----+
5.3.21 Versions
Note: This command is only available when the “Versions” app (files_versions) is enabled.
Use this command to delete file versions for specific users, or for all users when none are specified:
versions
versions:cleanup Delete versions
This example deletes all versions for all users:
sudo -u www-data php occ versions:cleanup
Delete all versions
Delete versions for users on backend Database
freda
molly
stash
rosa
edward
You can delete versions for specific users in a space-delimited list:
sudo -u www-data php occ versions:cleanup freda molly
Delete versions of freda
Delete versions of molly
5.3.22 Command Line Installation
These commands are available only after you have downloaded and unpacked the ownCloud archive, and taken no
further installation steps.
You can install ownCloud entirely from the command line. After downloading the tarball and copying ownCloud
into the appropriate directories, or after installing ownCloud packages (see Preferred Linux Installation Method and
Manual Installation on Linux) you can use occ commands in place of running the graphical Installation Wizard.
Apply correct permissions to your ownCloud directories; see Setting Strong Directory Permissions. Then choose your
occ options. This lists your available options:
sudo -u www-data php /var/www/owncloud/occ
ownCloud is not installed - only a limited number of commands are available
ownCloud version 9.0.0
Usage:
[options] command [arguments]
Options:
--help (-h) Display this help message
--quiet (-q) Do not output any message
--verbose (-v|vv|vvv) Increase the verbosity of messages: 1 for normal
output, 2 for more verbose output and 3 for debug
--version (-V) Display this application version
--ansi Force ANSI output
--no-ansi Disable ANSI output
--no-interaction (-n) Do not ask any interactive question
Available commands:
check check dependencies of the server environment
help Displays help for a command
list Lists commands
status show some status information
app
app:check-code check code to be compliant
l10n
l10n:createjs Create javascript translation files for a given app
maintenance
maintenance:install install ownCloud
Display your maintenance:install options:
sudo -u www-data php occ help maintenance:install
ownCloud is not installed - only a limited number of commands are available
Usage:
maintenance:install [--database="..."] [--database-name="..."]
[--database-host="..."] [--database-user="..."] [--database-pass[="..."]]
[--database-table-prefix[="..."]] [--admin-user="..."] [--admin-pass="..."]
[--data-dir="..."]
Options:
--database Supported database type (default: "sqlite")
--database-name Name of the database
--database-host Hostname of the database (default: "localhost")
--database-user User name to connect to the database
--database-pass Password of the database user
--database-table-prefix Prefix for all tables (default: oc_)
--admin-user User name of the admin account (default: "admin")
--admin-pass Password of the admin account
--data-dir Path to data directory (default:
"/var/www/owncloud/data")
--help (-h) Display this help message
--quiet (-q) Do not output any message
--verbose (-v|vv|vvv) Increase the verbosity of messages: 1 for normal
output, 2 for more verbose output and 3 for debug
--version (-V) Display this application version
--ansi Force ANSI output
--no-ansi Disable ANSI output
--no-interaction (-n) Do not ask any interactive question
This example completes the installation:
cd /var/www/owncloud/
sudo -u www-data php occ maintenance:install --database "mysql" --database-name "owncloud" --database-user "root" --database-pass "password" --admin-user "admin" --admin-pass "password"
ownCloud is not installed - only a limited number of commands are available
ownCloud was successfully installed
Supported databases are:
- sqlite (SQLite3 - ownCloud Community edition only)
- mysql (MySQL/MariaDB)
- pgsql (PostgreSQL)
- oci (Oracle - ownCloud Enterprise edition only)
5.3.23 Command Line Upgrade
These commands are available only after you have downloaded upgraded packages or tar archives, and before you
complete the upgrade.
List all options, like this example on CentOS Linux:
sudo -u apache php occ upgrade -h
Usage:
upgrade [--skip-migration-test] [--dry-run] [--no-app-disable]
Options:
--skip-migration-test skips the database schema migration simulation and
update directly
--dry-run only runs the database schema migration simulation, do
not actually update
--no-app-disable skips the disable of third party apps
--help (-h) Display this help message.
--quiet (-q) Do not output any message.
--verbose (-v|vv|vvv) Increase the verbosity of messages: 1 for normal output,
2 for more verbose output and 3 for debug.
--version (-V) Display this application version.
--ansi Force ANSI output.
--no-ansi Disable ANSI output.
--no-interaction (-n) Do not ask any interactive question
When you are performing an update or upgrade on your ownCloud server (see the Maintenance section of this manual),
it is better to use occ to perform the database upgrade step, rather than the Web GUI, in order to avoid timeouts. PHP
scripts invoked from the Web interface are limited to 3600 seconds. In larger environments this may not be enough,
leaving the system in an inconsistent state. After performing all the preliminary steps (see How to Upgrade Your
ownCloud Server) use this command to upgrade your databases, like this example on CentOS Linux. Note how it
details the steps:
sudo -u www-data php occ upgrade
ownCloud or one of the apps require upgrade - only a limited number of
commands are available
Turned on maintenance mode
Checked database schema update
Checked database schema update for apps
Updated database
Updating <gallery> ...
Updated <gallery> to 0.6.1
Updating <activity> ...
Updated <activity> to 2.1.0
Update successful
Turned off maintenance mode
Enabling verbosity displays timestamps:
sudo -u www-data php occ upgrade -v
ownCloud or one of the apps require upgrade - only a limited number of commands are available
2015-06-23T09:06:15+0000 Turned on maintenance mode
2015-06-23T09:06:15+0000 Checked database schema update
2015-06-23T09:06:15+0000 Checked database schema update for apps
2015-06-23T09:06:15+0000 Updated database
2015-06-23T09:06:15+0000 Updated <files_sharing> to 0.6.6
2015-06-23T09:06:15+0000 Update successful
2015-06-23T09:06:15+0000 Turned off maintenance mode
If there is an error it throws an exception, and the error is detailed in your ownCloud logfile, so you can use the log
output to figure out what went wrong, or to use in a bug report:
Turned on maintenance mode
Checked database schema update
Checked database schema update for apps
Updated database
Updating <files_sharing> ...
Exception
ServerNotAvailableException: LDAP server is not available
Update failed
Turned off maintenance mode
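A check for the three outcomes an upgrade run can have (success, failure with an exception, and a run that stops before its final lines), as an added example that is not part of the ownCloud manual. The function name and the one-line summary format are this example's own; two sample inputs are the manual's output lines and the third is a constructed cut-off run.

```shell
#!/bin/sh
# Added example, not part of the ownCloud manual.
# Usage: sudo -u www-data php occ upgrade -v 2>&1 | summarize_upgrade

# summarize_upgrade: reads "occ upgrade" output on stdin, with or without the
# -v timestamps, and prints one line:
#   status=<ok|failed|incomplete> maintenance=<on|off|unknown> apps=<n> [error=...]
# Exit status is 0 only when the update succeeded and maintenance mode is not
# left on; a run that was cut off (for example by a timeout) is "incomplete".
summarize_upgrade() {
    awk '
        # Drop a leading ISO 8601 timestamp such as 2015-06-23T09:06:15+0000.
        { sub(/^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[^ ]+ /, "") }
        # The line after "Exception" carries the exception class and message.
        want_msg                        { err = $0; want_msg = 0; next }
        /^Turned on maintenance mode/   { maint = "on" }
        /^Turned off maintenance mode/  { maint = "off" }
        /^Updated <[^>]+> to /          { apps++ }
        /^Exception$/                   { want_msg = 1 }
        /^Update successful/            { status = "ok" }
        /^Update failed/                { status = "failed" }
        END {
            if (status == "") status = "incomplete"
            if (maint == "")  maint = "unknown"
            printf "status=%s maintenance=%s apps=%d", status, maint, apps
            if (err != "") printf " error=%s", err
            print ""
            exit !(status == "ok" && maint != "on")
        }'
}

# Sample input: the verbose run shown in the manual.
sample_ok() {
    cat <<'EOF'
ownCloud or one of the apps require upgrade - only a limited number of commands are available
2015-06-23T09:06:15+0000 Turned on maintenance mode
2015-06-23T09:06:15+0000 Checked database schema update
2015-06-23T09:06:15+0000 Checked database schema update for apps
2015-06-23T09:06:15+0000 Updated database
2015-06-23T09:06:15+0000 Updated <files_sharing> to 0.6.6
2015-06-23T09:06:15+0000 Update successful
2015-06-23T09:06:15+0000 Turned off maintenance mode
EOF
}

# Sample input: the failed run shown in the manual.
sample_failed() {
    cat <<'EOF'
Turned on maintenance mode
Checked database schema update
Checked database schema update for apps
Updated database
Updating <files_sharing> ...
Exception
ServerNotAvailableException: LDAP server is not available
Update failed
Turned off maintenance mode
EOF
}

# Constructed sample: a run that stopped before reporting a result.
sample_cut_off() {
    cat <<'EOF'
Turned on maintenance mode
Checked database schema update
Updated database
EOF
}
```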
Before completing the upgrade, ownCloud first runs a simulation by copying all database tables to new tables, and
then performs the upgrade on them, to ensure that the upgrade will complete correctly. The copied tables are deleted
after the upgrade. This takes twice as much time, which on large installations can be many hours, so you can omit this
step with the --skip-migration-test option:
sudo -u www-data php occ upgrade --skip-migration-test
You can perform this simulation manually with the --dry-run option:
sudo -u www-data php occ upgrade --dry-run
5.4 Configuring the Activity App
You can configure your ownCloud server to automatically send out e-mail notifications to your users for various events
like:
• A file or folder has been shared
• A new file or folder has been created
• A file or folder has been changed
• A file or folder has been deleted
Users can see actions (delete, add, modify) that happen to files they have access to. Sharing actions are only visible to
the sharer and sharee.
5.4.1 Enabling the Activity App
The Activity App is shipped and enabled by default. If it is not enabled simply go to your ownCloud Apps page to
enable it.
5.4.2 Configuring your ownCloud for the Activity App
To configure your ownCloud to send out e-mail notifications, a working Email Configuration is mandatory.
Furthermore, it is recommended to configure the background job Webcron or Cron as described in Background Jobs.
There is also a configuration option activity_expire_days available in your config.php (See Config.php
Parameters) which allows you to clean up older activities from the database.
5.5 Configuring the ClamAV Antivirus Scanner
You can configure your ownCloud server to automatically run a virus scan on newly-uploaded files with the Antivirus
App for Files. The Antivirus App for Files integrates the open source anti-virus engine ClamAV with ownCloud.
ClamAV detects all forms of malware including Trojan horses, viruses, and worms, and it operates on all major file
types including Windows, Linux, and Mac files, compressed files, executables, image files, Flash, PDF, and many
others. ClamAV’s Freshclam daemon automatically updates its malware signature database at scheduled intervals.
ClamAV runs on Linux and any Unix-type operating system, and Microsoft Windows. However, it has only been
tested with ownCloud on Linux, so these instructions are for Linux systems. You must first install ClamAV, and then
install and configure the Antivirus App for Files on ownCloud.
5.5.1 Installing ClamAV
As always, the various Linux distributions manage installing and configuring ClamAV in different ways.
Debian, Ubuntu, Linux Mint
On Debian and Ubuntu systems, and their many variants, install ClamAV with these
commands:
apt-get install clamav clamav-daemon
The installer automatically creates default configuration files and launches the clamd and freshclam daemons.
You don’t have to do anything more, though it’s a good idea to review the ClamAV documentation and your settings
in /etc/clamav/. Enable verbose logging in both clamd.conf and freshclam.conf until you get any kinks
worked out.
Red Hat 7, CentOS 7
On Red Hat 7 and related systems you must install the Extra Packages for Enterprise Linux
(EPEL) repository, and then install ClamAV:
yum install epel-release
yum install clamav clamav-scanner clamav-scanner-systemd clamav-server \
    clamav-server-systemd clamav-update
This installs two configuration files: /etc/freshclam.conf and /etc/clamd.d/scan.conf. You must
edit both of these before you can run ClamAV. Both files are well-commented, and man clamd.conf and man
freshclam.conf explain all the options. Refer to /etc/passwd and /etc/group when you need to verify
the ClamAV user and group.
First edit /etc/freshclam.conf and configure your options. freshclam updates your malware database, so
you want it to run frequently to get updated malware signatures. Run it manually post-installation to download your
first set of malware signatures:
freshclam
The EPEL packages do not include an init file for freshclam, so the quick and easy way to set it up for regular
checks is with a cron job. This example runs it every hour at 47 minutes past the hour:
# m h dom mon dow command
47 * * * * /usr/bin/freshclam --quiet
Please avoid any multiples of 10, because those are when the ClamAV servers are hit the hardest for updates.
Next, edit /etc/clamd.d/scan.conf. When you’re finished you must enable the clamd service file and start
clamd:
systemctl enable clamd@scan.service
systemctl start clamd@scan.service
That should take care of everything. Enable verbose logging in scan.conf and freshclam.conf until it is
running the way you want.
5.5.2 Enabling the Antivirus App for Files
Simply go to your ownCloud Apps page to enable it.
5.5.3 Configuring ClamAV on ownCloud
Next, go to your ownCloud Admin page and set your ownCloud logging level to Everything.
Now find your Antivirus Configuration panel on your Admin page.
ClamAV runs in one of three modes:
Daemon (Socket): ClamAV is running on the same server as ownCloud. The ClamAV daemon, clamd, runs in
the background. When there is no activity clamd places a minimal load on your system. If your users upload
large volumes of files you will see high CPU usage.
Daemon: ClamAV is running on a different server. This is a good option for ownCloud servers with high
volumes of file uploads.
Executable: ClamAV is running on the same server as ownCloud, and the clamscan command is started and
then stopped with each file upload. clamscan is slow and not always reliable for on-demand usage; it is better
to use one of the daemon modes.
Daemon (Socket)
ownCloud should detect your clamd socket and fill in the Socket field. This is the
LocalSocket option in clamd.conf. You can run netstat to verify:
netstat -a|grep clam
unix 2 [ ACC ] STREAM LISTENING 15857 /var/run/clamav/clamd.ctl
The Stream Length value sets the number of bytes read in one pass. 10485760 bytes, or ten megabytes,
is the default. This value should be no larger than the PHP memory_limit settings, or physical memory if
memory_limit is set to -1 (no limit).
Action for infected files found while scanning gives you the choice of logging any alerts
without deleting the files, or immediately deleting infected files.
Daemon
For the Daemon option you need the hostname or IP address of the remote server running ClamAV, and the
server’s port number.
Executable
The Executable option requires the path to clamscan, which is the interactive ClamAV scanning
command. ownCloud should find it automatically.
When you are satisfied with how ClamAV is operating, you might want to go back and change all of your logging to
less verbose levels.
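The Stream Length rule above (no larger than PHP's memory_limit, or physical memory when memory_limit is -1) can be checked with a short script. This is an added example, not part of ownCloud or of the original manual; the function names are hypothetical and the values in the demonstration calls are constructed.

```shell
#!/bin/sh
# Added example (not ownCloud code): check the Antivirus app's Stream Length
# against PHP's memory_limit, following the rule stated in this section.

DEFAULT_STREAM_LENGTH=10485760   # default from this page: ten megabytes

# Convert a PHP memory_limit value (128M, 1G, 512k, 524288, -1) to bytes.
# Prints -1 for "no limit"; returns 1 if the value cannot be parsed.
php_bytes() {
    _v=$1
    if [ "$_v" = "-1" ]; then
        echo -1
        return 0
    fi
    case "$_v" in
        *[Kk]) _mult=1024;       _v=${_v%?} ;;
        *[Mm]) _mult=1048576;    _v=${_v%?} ;;
        *[Gg]) _mult=1073741824; _v=${_v%?} ;;
        *)     _mult=1 ;;
    esac
    case "$_v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Strip leading zeros so the shell does not read the number as octal.
    while [ "${#_v}" -gt 1 ] && [ "${_v#0}" != "$_v" ]; do
        _v=${_v#0}
    done
    echo $(( _v * _mult ))
}

# Physical memory in bytes, read from /proc/meminfo (Linux only).
physical_bytes() {
    awk '/^MemTotal:/ { printf "%.0f\n", $2 * 1024 }' /proc/meminfo
}

# check_stream_length STREAM_LENGTH MEMORY_LIMIT PHYSICAL_BYTES
# Returns 0 if the stream length fits, 1 if it is too large, 2 on bad input.
check_stream_length() {
    _len=$1
    _limit=$(php_bytes "$2") || { echo "cannot parse memory_limit: $2"; return 2; }
    _basis="memory_limit"
    if [ "$_limit" -eq -1 ]; then
        # memory_limit = -1 means no limit, so physical memory is the bound.
        _limit=$3
        _basis="physical memory"
    fi
    if [ "$_len" -le "$_limit" ]; then
        echo "ok: stream length $_len <= $_basis ($_limit bytes)"
    else
        echo "too large: stream length $_len > $_basis ($_limit bytes)"
        return 1
    fi
}

# Constructed demonstration values.
check_stream_length "$DEFAULT_STREAM_LENGTH" 128M 0
check_stream_length "$DEFAULT_STREAM_LENGTH" 8M 0 || true
check_stream_length "$DEFAULT_STREAM_LENGTH" -1 4294967296

# With live values (requires the php command-line binary):
#   check_stream_length "$DEFAULT_STREAM_LENGTH" \
#       "$(php -r 'echo ini_get("memory_limit");')" "$(physical_bytes)"
```

The php command-line binary can read a different php.ini from the one your Web server uses, so take memory_limit from the configuration that actually serves ownCloud.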
5.6 Configuring Memory Caching
You can significantly improve your ownCloud server performance with memory caching, where frequently-requested
objects are stored in memory for faster retrieval. There are two types of caches to use: a PHP opcode cache, which is
commonly called opcache, and data caching for your Web server. If you do not install and enable a local memcache
you will see a warning on your ownCloud admin page. A memcache is not required and you may safely ignore the
warning if you prefer.
Note: If you enable only a distributed cache in your config.php (memcache.distributed) and not a local
cache (memcache.local) you will still see the cache warning.
A PHP opcache stores compiled PHP scripts so they don’t need to be re-compiled every time they are called. PHP
bundles the Zend OPcache in core since version 5.5, so you don’t need to install an opcache for PHP 5.5+.
If you are using PHP 5.4, which is the oldest supported PHP version for ownCloud, you may install the Alternative
PHP Cache (APC). This is both an opcache and data cache. APC has not been updated since 2012 and is essentially
dead, and PHP 5.4 is old and lags behind later releases. If it is possible to upgrade to a later PHP release that is the
best option.
Data caching is supplied by the Alternative PHP Cache, user (APCu) in PHP 5.5+, Memcached, or Redis.
ownCloud supports multiple memory caching backends, so you can choose the type of memcache that best fits your
needs. The supported caching backends are:
• APC: A local cache for systems running PHP 5.4.
• APCu (APCu 4.0.6 and up required): A local cache for systems running PHP 5.5 and up.
• Memcached: Distributed cache for multi-server ownCloud installations.
• Redis (PHP module 2.2.6 and up required): For distributed caching.
Memcaches must be explicitly configured in ownCloud 8.1 and up by installing and enabling your desired cache, and
then adding the appropriate entry to config.php (See Config.php Parameters for an overview of all possible config
parameters).
You may use both a local and a distributed cache. Recommended caches are APCu and Redis. After installing and
enabling your chosen memcache, verify that it is active by running PHP Version and Information.
5.6.1 APC
APC is only for systems running PHP 5.4 and older. The oldest supported PHP version in ownCloud is 5.4.
Note: RHEL 6 and CentOS 6 ship with PHP 5.3 and must be upgraded to PHP 5.4 to run ownCloud. See Installing
PHP 5.4 on RHEL 6 and CentOS 6.
On Red Hat/CentOS/Fedora systems running PHP 5.4, install php-pecl-apc. On Debian/Ubuntu/Mint systems
install php-apc. Then restart your Web server.
After restarting your Web server, add this line to your config.php file:
'memcache.local' => '\OC\Memcache\APC',
Refresh your ownCloud admin page, and the cache warning should disappear.
5.6.2 APCu
PHP 5.5 and up include the Zend OPcache in core, and on most Linux distributions it is enabled by default. However,
it does not bundle a data cache. APCu is a data cache, and it is available in most Linux distributions. On Red
Hat/CentOS/Fedora systems running PHP 5.5 and up install php-pecl-apcu. On Debian/Ubuntu/Mint systems
install php5-apcu. On Ubuntu 14.04 LTS, the APCu version is 4.0.2, which is too old to use with ownCloud.
ownCloud requires 4.0.6+. You may install 4.0.7 from Ubuntu backports with this command:
apt-get install php5-apcu/trusty-backports
Then restart your Web server.
After restarting your Web server, add this line to your config.php file:
'memcache.local' => '\OC\Memcache\APCu',
Refresh your ownCloud admin page, and the cache warning should disappear.
5.6.3 Memcached
Memcached is a reliable oldtimer for shared caching on distributed servers, and performs well with ownCloud with
one exception: it is not suitable to use with Transactional File Locking because it does not store locks, and data can
disappear from the cache at any time (Redis is the best memcache for this).
Note: Be sure to install the memcached PHP module, and not memcache, as in the following examples. ownCloud
supports only the memcached PHP module.
Setting up Memcached is easy. On Debian/Ubuntu/Mint install memcached and php5-memcached. The installer
will automatically start memcached and configure it to launch at startup.
On Red Hat/CentOS/Fedora install memcached and php-pecl-memcached. It will not start automatically, so
you must use your service manager to start memcached, and to launch it at boot as a daemon.
You can verify that the Memcached daemon is running with ps ax:
ps ax | grep memcached
19563 ? Sl 0:02 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1
Restart your Web server, add the appropriate entries to your config.php, and refresh your ownCloud admin page.
This example uses APCu for the local cache, Memcached as the distributed memcache, and lists all the servers in the
shared cache pool with their port numbers:
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Memcached',
'memcached_servers' => array(
  array('localhost', 11211),
  array('server1.example.com', 11211),
  array('server2.example.com', 11211),
),
5.6.4 Redis
Redis is an excellent modern memcache to use for both distributed caching, and as a local cache for Transactional File
Locking because it guarantees that cached objects are available for as long as they are needed.
The Redis PHP module must be version 2.2.6+. If you are running a Linux distribution that does not package the
supported versions of this module, or does not package Redis at all, see Additional Redis Installation Help.
On Debian/Ubuntu/Mint install redis-server and php5-redis. The installer will automatically launch
redis-server and configure it to launch at startup.
On CentOS and Fedora install redis and php-pecl-redis. It will not start automatically, so you must use your
service manager to start redis, and to launch it at boot as a daemon.
You can verify that the Redis daemon is running with ps ax:
ps ax | grep redis
22203 ? Ssl 0:00 /usr/bin/redis-server 127.0.0.1:6379
Restart your Web server, add the appropriate entries to your config.php, and refresh your ownCloud admin page.
This example config.php configuration uses Redis for the local server cache:
'memcache.local' => '\OC\Memcache\Redis',
'redis' => array(
  'host' => 'localhost',
  'port' => 6379,
),
For best performance, use Redis for file locking by adding this:
'memcache.locking' => '\OC\Memcache\Redis',
If you want to connect to Redis configured to listen on a Unix socket (which is recommended if Redis is running on
the same system as ownCloud) use this example config.php configuration:
'memcache.local' => '\OC\Memcache\Redis',
'redis' => array(
  'host' => '/var/run/redis/redis.sock',
  'port' => 0,
),
Redis is very configurable; consult the Redis documentation to learn more.
5.6.5 Cache Directory Location
The cache directory defaults to data/$user/cache where $user is the current user. You may use the
'cache_path' directive in config.php (See Config.php Parameters) to select a different location.
5.6.6 Recommendations Based on Type of Deployment
Small/Private Home Server
Only use APCu:
'memcache.local' => '\OC\Memcache\APCu',
Small Organization, Single-server Setup
Use APCu for local caching, Redis for file locking:
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
  'host' => 'localhost',
  'port' => 6379,
),
Large Organization, Clustered Setup
Use Redis for everything except local memcache. Use the server’s IP address or hostname so that it is accessible to
other hosts:
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'memcache.local' => '\OC\Memcache\APCu',
'redis' => array(
  // Use only one 'host' entry: either a hostname or an IP address.
  'host' => 'server1', // hostname example
  // 'host' => '12.34.56.78', // IP address example
  'port' => 6379,
),
Additional notes for Redis vs. APCu on Memory Caching
APCu is faster at local caching than Redis. If you have enough memory, use APCu for Memory Caching and Redis
for File Locking. If you are low on memory, use Redis for both.
5.6.7 Additional Redis Installation Help
If your version of Mint or Ubuntu does not package the required version of php5-redis, then try this Redis guide
on Tech and Me for a complete Redis installation on Ubuntu 14.04 using PECL. These instructions are adaptable for
any distro that does not package the supported version, or that does not package Redis at all, such as SUSE Linux
Enterprise Server and Red Hat Enterprise Linux.
The Redis PHP module must be at least version 2.2.6.
See https://pecl.php.net/package/redis
On Debian/Mint/Ubuntu, use apt-cache to see the available php5-redis version, or the version of your installed
package:
apt-cache policy php5-redis
On CentOS and Fedora, the yum command shows available and installed version information:
yum search php-pecl-redis
5.7 Background Jobs
A system like ownCloud sometimes requires tasks to be done on a regular basis without the need for user interaction
or hindering ownCloud performance. For that purpose, as a system administrator, you can define background jobs (for
example, database clean-ups) which are executed without any need for user interaction.
These jobs are typically referred to as cron jobs. Cron jobs are commands or shell-based scripts that are scheduled
to run periodically at fixed times, dates, or intervals. cron.php is an ownCloud internal process that runs such
background jobs on demand.
ownCloud plug-in applications register actions with cron.php automatically to take care of typical housekeeping
operations, such as garbage collecting of temporary files or checking for newly updated files using filescan() for
externally mounted file systems.
5.7.1 Parameters
In the admin settings menu you can configure how cron-jobs should be executed. You can choose between the
following options:
• AJAX
• Webcron
• Cron
5.7.2 Cron Jobs
You can schedule cron jobs in three ways – using AJAX, Webcron, or cron. The default method is to use AJAX.
However, the recommended method is to use cron. The following sections describe the differences between each
method.
AJAX
The AJAX scheduling method is the default option. Unfortunately, however, it is also the least reliable. Each time a
user visits the ownCloud page, a single background job is executed. The advantage of this mechanism is that it does
not require access to the system nor registration with a third party service. The disadvantage of this mechanism, when
compared to the Webcron service, is that it requires regular visits to the page for it to be triggered.
Note: Especially when using the Activity App or external storages, where new files are added, updated or deleted, one
of the two methods below should be preferred.
Webcron
By registering your ownCloud cron.php script address at an external webcron service (for example, easyCron), you
ensure that background jobs are executed regularly. To use this type of service, you must be able to access
your server using the Internet. For example:
URL to call: http[s]://<domain-of-your-server>/owncloud/cron.php
Cron
Using the operating system cron feature is the preferred method for executing regular tasks. This method enables the
execution of scheduled jobs without the inherent limitations the Web server might have.
To run a cron job on a *nix system, every 15 minutes, under the default Web server user (often, www-data or
wwwrun), you must set up the following cron job to call the cron.php script:
# crontab -u www-data -e
*/15 * * * * php -f /var/www/owncloud/cron.php
You can verify if the cron job has been added and scheduled by executing:
# crontab -u www-data -l
*/15 * * * * php -f /var/www/owncloud/cron.php
Note: You have to replace the path /var/www/owncloud/cron.php with the path to your current ownCloud
installation.
Note: On some systems it might be required to call php-cli instead of php.
Available Background Jobs
A number of existing background jobs are available to be run just for specific tasks.
Note: These jobs are generally only needed on large instances and can be run as background jobs. If the number of
users in your installation ranges between 1,000 and 3,000, or if you’re using LDAP and it becomes a bottleneck, then
admins can delete several entries in the oc_jobs table and replace them with the corresponding occ command, which
you can see here:
OCA\Files_Trashbin\BackgroundJob\ExpireTrash -> occ trashbin:expire
OCA\Files_Versions\BackgroundJob\ExpireVersions -> occ versions:expire
OCA\DAV\CardDAV\SyncJob -> occ dav:sync-system-addressbook
OCA\Federation\SyncJob -> occ federation:sync-addressbooks
If used, these should be scheduled to run on a daily basis.
While not exhaustive, these include:
ExpireTrash
The ExpireTrash job, contained in OCA\Files_Trashbin\BackgroundJob\ExpireTrash, will remove any
file in the ownCloud trash bin which is older than the specified maximum file retention time. It can be run, as follows,
using the OCC command:
occ trashbin:expire
ExpireVersions
The ExpireVersions job, contained in OCA\Files_Versions\BackgroundJob\ExpireVersions, will
expire versions of files which are older than the specified maximum version retention time. It can be run, as follows,
using the OCC command:
occ versions:expire
SyncJob (CardDAV)
The CardDAV SyncJob, contained in OCA\DAV\CardDAV\SyncJob, syncs the local system address book,
updating any existing contacts, and deleting any expired contacts. It can be run, as follows, using the OCC command:
occ dav:sync-system-addressbook
SyncJob (Federation)
OCA\Federation\SyncJob
It can be run, as follows, using the OCC command:
occ federation:sync-addressbooks
5.8 Config.php Parameters
ownCloud uses the config/config.php file to control server operations. config/config.sample.php
lists all the configurable parameters within ownCloud, along with example or default values. This document provides
a more detailed reference. Most options are configurable on your Admin page, so it is usually not necessary to edit
config/config.php.
Note: The installer creates a configuration containing the essential parameters. Only manually add configuration
parameters to config/config.php if you need to use a special value for a parameter. Do not copy everything
from config/config.sample.php. Only enter the parameters you wish to modify!
ownCloud supports loading configuration parameters from multiple files. You can add arbitrary files ending
with .config.php in the config/ directory, for example you could place your email server configuration in
email.config.php. This allows you to easily create and manage custom configurations, or to divide a large
complex configuration file into a set of smaller files. These custom files are not overwritten by ownCloud, and the values
in these files take precedence over config.php.
5.8.1 Default Parameters
These parameters are configured by the ownCloud installer, and are required for your ownCloud server to operate.
'instanceid' => '',
This is a unique identifier for your ownCloud installation, created automatically by the installer. This example is for
documentation only, and you should never use it because it will not work. A valid instanceid is created when you
install ownCloud.
'instanceid' => 'd3c944a9a',
'passwordsalt' => '',
The salt used to hash all passwords, auto-generated by the ownCloud installer. (There are also per-user salts.) If you
lose this salt you lose all your passwords. This example is for documentation only, and you should never use it.
'trusted_domains' =>
  array (
    'demo.example.org',
    'otherdomain.example.org',
  ),
Your list of trusted domains that users can log into. Specifying trusted domains prevents host header poisoning. Do
not remove this, as it performs necessary security checks.
'datadirectory' => '/var/www/owncloud/data',
Where user files are stored; this defaults to data/ in the ownCloud directory. The SQLite database is also stored
here, when you use SQLite.
(SQLite is not available in ownCloud Enterprise Edition)
'version' => '',
The current version number of your ownCloud installation. This is set up during installation and update, so you
shouldn’t need to change it.
'dbtype' => 'sqlite',
Identifies the database used with this installation. See also config option supportedDatabases.
Available:
sqlite (SQLite3 - Not in Enterprise Edition)
mysql (MySQL/MariaDB)
pgsql (PostgreSQL)
oci (Oracle - Enterprise Edition Only)
'dbhost' => '',
Your host server name, for example localhost, hostname, hostname.example.com, or the IP address. To
specify a port use hostname:####; to specify a Unix socket use localhost:/path/to/socket.
'dbname' => 'owncloud',
The name of the ownCloud database, which is set during installation. You should not need to change this.
'dbuser' => '',
The user that ownCloud uses to write to the database. This must be unique across ownCloud instances using the same
SQL database. This is set up during installation, so you shouldn’t need to change it.
'dbpassword' => '',
The password for the database user. This is set up during installation, so you shouldn’t need to change it.
'dbtableprefix' => '',
Prefix for the ownCloud tables in the database.
'installed' => false,
Indicates whether the ownCloud instance was installed successfully; true indicates a successful installation, and
false indicates an unsuccessful installation.
5.8.2 Default config.php Examples
When you use SQLite as your ownCloud database, your config.php looks like this after installation. The SQLite
database is stored in your ownCloud data/ directory. SQLite is a simple, lightweight embedded database that is
good for testing and for simple installations, but for production ownCloud systems you should use MySQL, MariaDB,
or PostgreSQL.
<?php
$CONFIG = array (
  'instanceid' => 'occ6f7365735',
  'passwordsalt' => '2c5778476346786306303',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'studio',
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'dbtype' => 'sqlite3',
  'version' => '7.0.2.1',
  'installed' => true,
);
This example is from a new ownCloud installation using MariaDB:
<?php
$CONFIG = array (
  'instanceid' => 'oc8c0fd71e03',
  'passwordsalt' => '515a13302a6b3950a9d0fdb970191a',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'studio',
    2 => '192.168.10.155'
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'dbtype' => 'mysql',
  'version' => '7.0.2.1',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_carla',
  'dbpassword' => '67336bcdf7630dd80b2b81a413d07',
  'installed' => true,
);
5.8.3 User Experience
These optional parameters control some aspects of the user interface. Default values, where present, are shown.
'default_language' => 'en',
This sets the default language on your ownCloud server, using ISO_639-1 language codes such as en for English, de
for German, and fr for French. It overrides automatic language detection on public pages like login or shared items.
User’s language preferences configured under “personal -> language” override this setting after they have logged in.
'defaultapp' => 'files',
Set the default app to open on login. Use the app names as they appear in the URL after clicking them in the Apps
menu, such as documents, calendar, and gallery. You can use a comma-separated list of app names, so if the first app
is not enabled for a user then ownCloud will try the second one, and so on. If no enabled apps are found it defaults to
the Files app.
'knowledgebaseenabled' => true,
true enables the Help menu item in the user menu (top right of the ownCloud Web interface). false removes the
Help item.
'enable_avatars' => true,
true enables avatars, or user profile photos. These appear on the User page, on user’s Personal pages and are used
by some apps (contacts, mail, etc). false disables them.
'allow_user_to_change_display_name' => true,
true allows users to change their display names (on their Personal pages), and false prevents them from changing
their display names.
'remember_login_cookie_lifetime' => 60*60*24*15,
Lifetime of the remember login cookie, which is set when the user clicks the remember checkbox on the login screen.
The default is 15 days, expressed in seconds.
'session_lifetime' => 60 * 60 * 24,
The lifetime of a session after inactivity; the default is 24 hours, expressed in seconds.
'session_keepalive' => true,
Enable or disable session keep-alive when a user is logged in to the Web UI.
Enabling this sends a “heartbeat” to the server to keep it from timing out.
'skeletondirectory' => '/path/to/owncloud/core/skeleton',
The directory where the skeleton files are located. These files will be copied to the data directory of new users. Leave
empty to not copy any skeleton files.
'user_backends' => array(
  array(
    'class' => 'OC_User_IMAP',
    'arguments' => array('{imap.gmail.com:993/imap/ssl}INBOX')
  )
),
The user_backends app (which needs to be enabled first) allows you to configure alternate authentication back-
ends. Supported backends are: IMAP (OC_User_IMAP), SMB (OC_User_SMB), and FTP (OC_User_FTP).
'lost_password_link' => 'https://example.org/link/to/password/reset',
If your user backend does not allow password resets (for example, a read-only user backend such as LDAP),
you can specify a custom link to which users are redirected when they click the “reset password” link after a failed
login attempt.
5.8.4 Mail Parameters
These configure the email settings for ownCloud notifications and password resets.
'mail_domain' => 'example.com',
The return address that you want to appear on emails sent by the ownCloud server, for example
oc-admin@example.com, substituting your own domain, of course.
'mail_from_address' => 'owncloud',
FROM address that overrides the built-in sharing-noreply and lostpassword-noreply FROM addresses.
'mail_smtpdebug' => false,
Enable SMTP class debugging.
'mail_smtpmode' => 'sendmail',
Which mode to use for sending mail: sendmail, smtp, qmail or php.
If you are using local or remote SMTP, set this to smtp.
If you are using PHP mail you must have an installed and working email system on the server. The program used to
send email is defined in the php.ini file.
For the sendmail option you need an installed and working email system on the server, with
/usr/sbin/sendmail installed on your Unix system.
For qmail the binary is /var/qmail/bin/sendmail, and it must be installed on your Unix system.
'mail_smtphost' => '127.0.0.1',
This depends on mail_smtpmode. Specify the IP address of your mail server host. This may contain multiple hosts
separated by a semi-colon. If you need to specify the port number append it to the IP address separated by a colon,
like this: 127.0.0.1:24.
'mail_smtpport' => 25,
This depends on mail_smtpmode. Specify the port for sending mail.
'mail_smtptimeout' => 10,
This depends on mail_smtpmode. This sets the SMTP server timeout, in seconds. You may need to increase this if
you are running an anti-malware or spam scanner.
'mail_smtpsecure' => '',
This depends on mail_smtpmode. Specify when you are using ssl or tls, or leave empty for no encryption.
'mail_smtpauth' => false,
This depends on mail_smtpmode. Change this to true if your mail server requires authentication.
'mail_smtpauthtype' => 'LOGIN',
This depends on mail_smtpmode. If SMTP authentication is required, choose the authentication type as LOGIN
(default) or PLAIN.
'mail_smtpname' => '',
This depends on mail_smtpauth. Specify the username for authenticating to the SMTP server.
'mail_smtppassword' => '',
This depends on mail_smtpauth. Specify the password for authenticating to the SMTP server.
5.8.5 Proxy Configurations
'overwritehost' => '',
The automatic hostname detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option
allows you to manually override the automatic detection; for example www.example.com, or specify the port
www.example.com:8080.
'overwriteprotocol' => '',
When generating URLs, ownCloud attempts to detect whether the server is accessed via https or http. However,
if ownCloud is behind a proxy and the proxy handles the https calls, ownCloud would not know that ssl is in use,
which would result in incorrect URLs being generated.
Valid values are http and https.
'overwritewebroot' => '',
ownCloud attempts to detect the webroot for generating URLs automatically.
For example, if www.example.com/owncloud is the URL pointing to the ownCloud instance, the webroot is
/owncloud. When proxies are in use, it may be difficult for ownCloud to detect this parameter, resulting in invalid
URLs.
’overwritecondaddr’ => ’’,
This option allows you to define a manual override condition as a regular expression for the remote IP address. For
example, defining a range of IP addresses starting with 10.0.0. and ending with 1 to 3: ^10\.0\.0\.[1-3]$
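The anchors in that expression carry the whole restriction. The following added example (not part of the manual or of ownCloud's code) measures how many addresses outside 10.0.0.1 to 10.0.0.3 are accepted once an anchor is dropped; the probe addresses are constructed, and evaluating the condition as an unanchored search, as PHP's preg_match does, is an assumption.

```python
import re

# The override condition from the manual: remote address 10.0.0.1 to 10.0.0.3.
PAGE_PATTERN = r"^10\.0\.0\.[1-3]$"
ALLOWED = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}

# Variants of the same expression with one or both anchors dropped.
VARIANTS = {
    "anchored (manual)": PAGE_PATTERN,
    "missing $": r"^10\.0\.0\.[1-3]",
    "missing ^": r"10\.0\.0\.[1-3]$",
    "no anchors": r"10\.0\.0\.[1-3]",
}


def probe_addresses():
    """Constructed probe set: all of 10.0.0.0/24 plus two look-alike prefixes."""
    probes = [f"10.0.0.{i}" for i in range(256)]
    for first_octet in (110, 210):
        probes += [f"{first_octet}.0.0.{i}" for i in range(256)]
    return probes


def overmatches(pattern, allowed=ALLOWED, probes=None):
    """Addresses the pattern accepts although they are outside the allowed set.

    re.search is used on the assumption that the condition is evaluated as an
    unanchored search, so only ^ and $ pin the match to the whole address.
    """
    rx = re.compile(pattern)
    probes = probe_addresses() if probes is None else probes
    return [ip for ip in probes if rx.search(ip) and ip not in allowed]


def missed(pattern, allowed=ALLOWED):
    """Allowed addresses the pattern fails to accept."""
    rx = re.compile(pattern)
    return sorted(ip for ip in allowed if not rx.search(ip))


if __name__ == "__main__":
    for label, pattern in VARIANTS.items():
        extra = overmatches(pattern)
        print(f"{label:18} {pattern:22} over-matches={len(extra):3} e.g. {extra[:3]}")
```

Run `overmatches()` against your own expression and a probe list taken from your address plan before putting it into config.php.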
’overwrite.cli.url’ => ’’,
Use this configuration parameter to specify the base URL for any URLs which are generated within ownCloud
using any kind of command line tools (cron or occ). The value should contain the full base URL:
https://www.example.com/owncloud
’htaccess.RewriteBase’ => ’/’,
To have clean URLs without /index.php this parameter needs to be configured.
This parameter will be written as “RewriteBase” to your .htaccess file on update and installation of ownCloud. While
this value is often simply the URL path of the ownCloud installation, it cannot be determined automatically in every
scenario and therefore needs some manual configuration.
In a standard Apache setup this usually equals the folder that ownCloud is accessible at. So if ownCloud is accessible
via “https://mycloud.org/owncloud” the correct value would most likely be “/owncloud”. If ownCloud is running
under “https://mycloud.org/” then it would be “/”.
Note that the above rule is not valid in every case; there are some rare setups where it may not apply. However, to
avoid any update problems this configuration value is explicitly opt-in.
After setting this value, run occ maintenance:update:htaccess. ownCloud then uses URLs without index.php when the
following conditions are met:
• mod_rewrite is installed
• mod_env is installed
’proxy’ => ’’,
The URL of your proxy server, for example proxy.example.com:8081.
’proxyuserpwd’ => ’’,
The optional authentication for the proxy to use to connect to the internet.
The format is: username:password.
5.8.6 Deleted Items (trash bin)
These parameters control the Deleted files app.
’trashbin_retention_obligation’ => ’auto’,
If the trash bin app is enabled (default), this setting defines the policy for when files and folders in the trash bin will
be permanently deleted.
The app allows for two settings, a minimum time for trash bin retention, and a maximum time for trash bin retention.
Minimum time is the number of days a file will be kept, after which it may be deleted. Maximum time is the number of
days at which it is guaranteed to be deleted. Both minimum and maximum times can be set together to explicitly define
file and folder deletion. For migration purposes, this setting is installed initially set to “auto”, which is equivalent to
the default setting in ownCloud 8.1 and before.
Available values:
• auto: default setting. Keeps files and folders in the trash bin for 30 days and automatically deletes anytime after
that if space is needed (note: files may not be deleted if space is not needed).
• D, auto: keeps files and folders in the trash bin for D+ days, delete anytime if space needed (note: files may
not be deleted if space is not needed)
• auto, D: delete all files in the trash bin that are older than D days automatically, delete other files anytime if
space needed
• D1, D2: keep files and folders in the trash bin for at least D1 days and delete when exceeds D2 days
• disabled: trash bin auto clean disabled, files and folders will be kept forever
5.8.7 File versions
These parameters control the Versions app.
’versions_retention_obligation’ => ’auto’,
If the versions app is enabled (default), this setting defines the policy for when versions will be permanently deleted.
The app allows for two settings, a minimum time for version retention, and a maximum time for version retention.
Minimum time is the number of days a version will be kept, after which it may be deleted. Maximum time is the
number of days at which it is guaranteed to be deleted. Both minimum and maximum times can be set together to
explicitly define version deletion. For migration purposes, this setting is installed initially set to “auto”, which is
equivalent to the default setting in ownCloud 8.1 and before.
Available values:
• auto: default setting. Automatically expire versions according to expire rules. Please refer to Files_versions
online documentation for more info.
• D, auto: keep versions at least for D days, apply expire rules to all versions that are older than D days
• auto, D: delete all versions that are older than D days automatically, delete other versions according to expire
rules
• D1, D2: keep versions for at least D1 days and delete when exceeds D2 days
• disabled: versions auto clean disabled, versions will be kept forever
5.8.8 ownCloud Verifications
ownCloud performs several verification checks. There are two options, true and false.
’appcodechecker’ => true,
Checks before installation whether an app uses private APIs instead of the proper public APIs. If this is set to true,
only apps that pass this check can be installed or enabled.
’updatechecker’ => true,
Check if ownCloud is up-to-date and shows a notification if a new version is available.
’updater.server.url’ => ’https://updates.owncloud.com/server/’,
URL that ownCloud should use to look for updates
’has_internet_connection’ => true,
Is ownCloud connected to the Internet or running in a closed network?
’check_for_working_webdav’ => true,
Allows ownCloud to verify a working WebDAV connection. This is done by attempting to make a WebDAV request
from PHP.
’check_for_working_wellknown_setup’ => true,
Allows ownCloud to verify a working .well-known URL redirects. This is done by attempting to make a request from
JS to https://your-domain.com/.well-known/caldav/
’check_for_working_htaccess’ => true,
This is a crucial security check on Apache servers that should always be set to true. This verifies that the
.htaccess file is writable and works.
If it is not, then any options controlled by .htaccess, such as large file uploads, will not work. It also runs checks
on the data/ directory, which verifies that it can’t be accessed directly through the Web server.
’config_is_read_only’ => false,
In certain environments it is desired to have a read-only configuration file.
When this switch is set to true ownCloud will not verify whether the configuration is writable. However, it will not
be possible to configure all options via the Web interface. Furthermore, when updating ownCloud it is required to
make the configuration file writable again for the update process.
5.8.9 Logging
’log_type’ => ’owncloud’,
By default the ownCloud logs are sent to the owncloud.log file in the default ownCloud data directory.
If syslogging is desired, set this parameter to syslog. Setting this parameter to errorlog will use the PHP
error_log function for logging.
’logfile’ => ’/var/log/owncloud.log’,
Log file path for the ownCloud logging type.
Defaults to [datadirectory]/owncloud.log
’loglevel’ => 2,
Loglevel to start logging at. Valid values are: 0 = Debug, 1 = Info, 2 = Warning, 3 = Error, and 4 = Fatal. The default
value is Warning.
’syslog_tag’ => ’ownCloud’,
If you maintain different instances and aggregate the logs, you may want to distinguish between them. syslog_tag
can be set per instance with a unique id. Only available if log_type is set to syslog.
The default value is ownCloud.
'log.condition' => [
    'shared_secret' => '57b58edb6637fe3059b3595cf9c41b9',
    'users' => ['sample-user'],
    'apps' => ['files'],
],
Log condition for log level increase based on conditions. Once one of these conditions is met, the required log level is
set to debug. This allows debugging of specific requests, users or apps.
Supported conditions:
• shared_secret: if a request parameter with the name log_secret is set to this value, the condition
is met
• users: if the current request is done by one of the specified users, this condition is met
• apps: if the log message is invoked by one of the specified apps, this condition is met
Defaults to an empty array.
’logdateformat’ => ’F d, Y H:i:s’,
This uses PHP.date formatting; see http://php.net/manual/en/function.date.php
’logtimezone’ => ’Europe/Berlin’,
The default timezone for logfiles is UTC. You may change this; see http://php.net/manual/en/timezones.php
’log_query’ => false,
Append all database queries and parameters to the log file. Use this only for debugging, as your logfile will become
huge.
’cron_log’ => true,
Log successful cron runs.
’cron.lockfile.location’ => ’’,
Location of the lock file for cron executions can be specified here.
Default is within the tmp directory. The file is named in the following way: owncloud-server-$INSTANCEID-cron.lock
where $INSTANCEID is the string specified in the instanceid field. Because the cron lock file is
accessed at regular intervals, it may prevent enabled disk drives from spinning down. A different location for this file
can solve such issues.
’log_rotate_size’ => false,
Enables log rotation and limits the total size of logfiles. The default is 0, or no rotation. Specify a size in bytes, for
example 104857600 (100 megabytes = 100 * 1024 * 1024 bytes). A new logfile is created with a new name when the
old logfile reaches your limit. If a rotated log file is already present, it will be overwritten.
5.8.10 Alternate Code Locations
Some of the ownCloud code may be stored in alternate locations.
’3rdpartyroot’ => ’’,
ownCloud uses some 3rd party PHP components to provide certain functionality.
These components are shipped as part of the software package and reside in owncloud/3rdparty. Use this option
to configure a different location. For example, if your location is /var/www/owncloud/foo/3rdparty, then the correct
configuration is '3rdpartyroot' => '/var/www/owncloud/foo/',
’3rdpartyurl’ => ’’,
If you have an alternate 3rdpartyroot, you must also configure the URL as seen by a Web browser.
’customclient_desktop’ =>
’http://owncloud.org/sync-clients/’,
’customclient_android’ =>
’https://play.google.com/store/apps/details?id=com.owncloud.android’,
’customclient_ios’ =>
’https://itunes.apple.com/us/app/owncloud/id543672169?mt=8’,
This section is for configuring the download links for ownCloud clients, as seen in the first-run wizard and on Personal
pages.
5.8.11 Apps
Options for the Apps folder, Apps store, and App code checker.
’appstoreenabled’ => true,
When enabled, admins may install apps from the ownCloud app store.
’appstoreurl’ => ’https://api.owncloud.com/v1’,
The URL of the appstore to use.
’appstore.experimental.enabled’ => false,
Whether to show experimental apps in the appstore interface.
Experimental apps are not checked for security issues and are new or known to be unstable and under heavy development.
Installing these can cause data loss or security breaches.
'apps_paths' => array(
    array(
        'path' => '/var/www/owncloud/apps',
        'url' => '/apps',
        'writable' => true,
    ),
),
Use the apps_paths parameter to set the location of the Apps directory, which should be scanned for available apps,
and where user-specific apps should be installed from the Apps store. The path defines the absolute file system path
to the app folder. The key url defines the HTTP Web path to that folder, starting from the ownCloud webroot. The
key writable indicates if a Web server can write files to that folder.
5.8.12 Previews
ownCloud supports previews of image files, the covers of MP3 files, and text files. These options control enabling and
disabling previews, and thumbnail size.
’enable_previews’ => true,
By default, ownCloud can generate previews for the following filetypes:
Image files
Covers of MP3 files
Text documents
Valid values are true, to enable previews, or false, to disable previews
’preview_max_x’ => 2048,
The maximum width, in pixels, of a preview. A value of null means there is no limit.
’preview_max_y’ => 2048,
The maximum height, in pixels, of a preview. A value of null means there is no limit.
’preview_max_scale_factor’ => 10,
If a lot of small pictures are stored on the ownCloud instance and the preview system generates blurry previews, you
might want to consider setting a maximum scale factor. By default, pictures are upscaled to 10 times the original size.
A value of 1 or null disables scaling.
’preview_max_filesize_image’ => 50,
Maximum file size for generating image previews with imagegd (default behaviour). If the image is bigger, it’ll try other
preview generators, but will most likely show the default mimetype icon.
Value represents the maximum filesize in megabytes. Default is 50. Set to -1 for no limit.
’preview_libreoffice_path’ => ’/usr/bin/libreoffice’,
custom path for LibreOffice/OpenOffice binary
'preview_office_cl_parameters' =>
    ' --headless --nologo --nofirststartwizard --invisible --norestore '.
    '-convert-to pdf -outdir ',
Use this if LibreOffice/OpenOffice requires additional arguments.
'enabledPreviewProviders' => array(
    'OC\Preview\PNG',
    'OC\Preview\JPEG',
    'OC\Preview\GIF',
    'OC\Preview\BMP',
    'OC\Preview\XBitmap',
    'OC\Preview\MP3',
    'OC\Preview\TXT',
    'OC\Preview\MarkDown'
),
Only register providers that have been explicitly enabled
The following providers are enabled by default:
• OC\Preview\PNG
• OC\Preview\JPEG
• OC\Preview\GIF
• OC\Preview\BMP
• OC\Preview\XBitmap
• OC\Preview\MarkDown
• OC\Preview\MP3
• OC\Preview\TXT
The following providers are disabled by default due to performance or privacy concerns:
• OC\Preview\Illustrator
• OC\Preview\Movie
• OC\Preview\MSOffice2003
• OC\Preview\MSOffice2007
• OC\Preview\MSOfficeDoc
• OC\Preview\OpenDocument
• OC\Preview\PDF
• OC\Preview\Photoshop
• OC\Preview\Postscript
• OC\Preview\StarOffice
• OC\Preview\SVG
• OC\Preview\TIFF
• OC\Preview\Font
Note: Troubleshooting steps for the MS Word previews are available at the Configuring the Collaborative Documents
App section of the Administrators Manual.
The following providers are not available in Microsoft Windows:
• OC\Preview\Movie
• OC\Preview\MSOfficeDoc
• OC\Preview\MSOffice2003
• OC\Preview\MSOffice2007
• OC\Preview\OpenDocument
• OC\Preview\StarOffice
5.8.13 LDAP
Global settings used by LDAP User and Group Backend
’ldapUserCleanupInterval’ => 51,
defines the interval in minutes for the background job that checks user existence and marks them as ready to be cleaned
up. The number is always minutes. Setting it to 0 disables the feature.
See command line (occ) methods ldap:show-remnants and user:delete
5.8.14 Comments
Global settings for the Comments infrastructure
’comments.managerFactory’ => ’\OC\Comments\ManagerFactory’,
Replaces the default Comments Manager Factory. This can be utilized if an own or 3rdParty CommentsManager
should be used that – for instance – uses the filesystem instead of the database to keep the comments.
’systemtags.managerFactory’ => ’\OC\SystemTag\ManagerFactory’,
Replaces the default System Tags Manager Factory. This can be utilized if an own or 3rdParty SystemTagsManager
should be used that – for instance – uses the filesystem instead of the database to keep the comments.
5.8.15 Maintenance
These options are for halting user activity when you are performing server maintenance.
’maintenance’ => false,
Enable maintenance mode to disable ownCloud
If you want to prevent users from logging in to ownCloud before you start doing some maintenance work, you need
to set the value of the maintenance parameter to true. Please keep in mind that users who are already logged-in are
kicked out of ownCloud instantly.
’singleuser’ => false,
When set to true, the ownCloud instance will be unavailable for all users who are not in the admin group.
5.8.16 SSL
’openssl’ => array(
’config’ => ’/absolute/location/of/openssl.cnf’,
),
Extra SSL options to be used for configuration.
’enable_certificate_management’ => false,
Allow the configuration of system wide trusted certificates
5.8.17 Memory caching backend configuration
Available cache backends:
\OC\Memcache\APC Alternative PHP Cache backend
\OC\Memcache\APCu APC user backend
\OC\Memcache\ArrayCache In-memory array-based backend (not recommended)
\OC\Memcache\Memcached Memcached backend
\OC\Memcache\Redis Redis backend
\OC\Memcache\XCache XCache backend
Advice on choosing between the various backends:
APCu should be easiest to install. Almost all distributions have packages. Use this for single user environment
for all caches.
Use Redis or Memcached for distributed environments. For the local cache (you can configure two) take APCu.
’memcache.local’ => ’\OC\Memcache\APCu’,
Memory caching backend for locally stored data
Used for host-specific data, e.g. file paths
’memcache.distributed’ => ’\OC\Memcache\Memcached’,
Memory caching backend for distributed data
Used for installation-specific data, e.g. database caching
If unset, defaults to the value of memcache.local
'redis' => array(
    'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
    'port' => 6379,
    'timeout' => 0.0,
    'password' => '', // Optional, if not defined no password will be used.
    'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index.
),
Connection details for redis to use for memory caching.
For enhanced security it is recommended to configure Redis to require a password. See http://redis.io/topics/security
for more information.
'memcached_servers' => array(
    // hostname, port and optional weight. Also see:
    // http://www.php.net/manual/en/memcached.addservers.php
    // http://www.php.net/manual/en/memcached.addserver.php
    array('localhost', 11211),
    //array('other.host.local', 11211),
),
Server details for one or more memcached servers to use for memory caching.
’cache_path’ => ’’,
Location of the cache folder, defaults to data/$user/cache where $user is the current user. When specified, the
format will change to $cache_path/$user where $cache_path is the configured cache directory and $user
is the user.
5.8.18 Using Object Store with ownCloud
'objectstore' => array(
    'class' => 'OC\\Files\\ObjectStore\\Swift',
    'arguments' => array(
        // trystack will use your facebook id as the user name
        'username' => 'facebook100000123456789',
        // in the trystack dashboard go to user -> settings -> API Password to
        // generate a password
        'password' => 'Secr3tPaSSWoRdt7',
        // must already exist in the objectstore, name can be different
        'container' => 'owncloud',
        // create the container if it does not exist. default is false
        'autocreate' => true,
        // required, dev-/trystack defaults to 'RegionOne'
        'region' => 'RegionOne',
        // The Identity / Keystone endpoint
        'url' => 'http://8.21.28.222:5000/v2.0',
        // required on dev-/trystack
        'tenantName' => 'facebook100000123456789',
        // dev-/trystack uses swift by default, the lib defaults to 'cloudFiles'
        // if omitted
        'serviceName' => 'swift',
        // The Interface / url Type, optional
        'urlType' => 'internal'
    ),
),
This example shows how to configure ownCloud to store all files in a swift object storage.
It is important to note that ownCloud in object store mode will expect exclusive access to the object store container
because it only stores the binary data for each file. The metadata is currently kept in the local database for performance
reasons.
WARNING: The current implementation is incompatible with any app that uses direct file IO and circumvents our
virtual filesystem. That includes Encryption and Gallery. Gallery will store thumbnails directly in the filesystem and
encryption will cause severe overhead because key files need to be fetched in addition to any requested file.
One way to test is applying for a trystack account at http://trystack.org/
5.8.19 Sharing
Global settings for Sharing
’sharing.managerFactory’ => ’\OC\Share20\ProviderFactory’,
Replaces the default Share Provider Factory. This can be utilized if your own or third-party Share Providers are to be
used that, for instance, use the filesystem instead of the database to keep the share information.
5.8.20 All other configuration options
'dbdriveroptions' => array(
    PDO::MYSQL_ATTR_SSL_CA => '/file/path/to/ca_cert.pem',
),
Additional driver options for the database connection, e.g. to enable SSL encryption in MySQL.
’sqlite.journal_mode’ => ’DELETE’,
The sqlite3 journal mode can be specified using this configuration parameter. It can be 'WAL' or 'DELETE'; for more
details see https://www.sqlite.org/wal.html
'supportedDatabases' => array(
    'sqlite',
    'mysql',
    'pgsql',
    'oci',
),
Database types that are supported for installation.
Available:
sqlite (SQLite3 - Not in Enterprise Edition)
mysql (MySQL)
pgsql (PostgreSQL)
oci (Oracle - Enterprise Edition Only)
’tempdirectory’ => ’/tmp/owncloudtemp’,
Override where ownCloud stores temporary files. Useful in situations where the system temporary directory is on a
limited space ramdisk or is otherwise restricted, or if external storages which do not support streaming are in use.
The Web server user must have write access to this directory.
’hashingCost’ => 10,
The hashing cost used by hashes generated by ownCloud. Using a higher value requires more time and CPU power to
calculate the hashes.
’blacklisted_files’ => array(’.htaccess’),
Blacklist a specific file or files and disallow the upload of files with this name. .htaccess is blocked by default.
WARNING: USE THIS ONLY IF YOU KNOW WHAT YOU ARE DOING.
’share_folder’ => ’/’,
Define a default folder for shared files and folders other than root.
’theme’ => ’’,
If you are applying a theme to ownCloud, enter the name of the theme here.
The default location for themes is owncloud/themes/.
’cipher’ => ’AES-256-CFB’,
The default cipher for encrypting files. Currently AES-128-CFB and AES-256-CFB are supported.
’minimum.supported.desktop.version’ => ’1.7.0’,
The minimum ownCloud desktop client version that will be allowed to sync with this server instance. All connections
made from earlier clients will be denied by the server. Defaults to the minimum officially supported ownCloud version
at the time of release of this server version.
When changing this, note that older unsupported versions of the ownCloud desktop client may not function as
expected, and could lead to permanent data loss for clients or other unexpected results.
’quota_include_external_storage’ => false,
EXPERIMENTAL: option whether to include external storage in quota calculation, defaults to false.
’filesystem_check_changes’ => 0,
Specifies how often the local filesystem (the ownCloud data/ directory, and NFS mounts in data/) is checked for
changes made outside ownCloud. This does not apply to external storages.
0 -> Never check the filesystem for outside changes, provides a performance increase when it’s certain that no changes
are made directly to the filesystem
1 -> Check each file or folder at most once per request, recommended for general use if outside changes might happen.
’part_file_in_storage’ => true,
By default ownCloud will store the part files created during upload in the same storage as the upload target. Setting
this to false will store the part files in the root of the user's folder, which might be required to work with certain
external storage setups that have limited rename capabilities.
’asset-pipeline.enabled’ => false,
All css and js files will be served by the Web server statically in one js file and one css file if this is set to true. This
improves performance.
’assetdirectory’ => ’/var/www/owncloud’,
The parent of the directory where css and js assets will be stored if pipelining is enabled; this defaults to the ownCloud
directory. The assets will be stored in a subdirectory of this directory named ‘assets’. The server must be configured
to serve that directory as $WEBROOT/assets.
You will only likely need to change this if the main ownCloud directory is not writeable by the Web server in your
configuration.
’mount_file’ => ’/var/www/owncloud/data/mount.json’,
Where mount.json file should be stored, defaults to data/mount.json in the ownCloud directory.
’filesystem_cache_readonly’ => false,
When true, prevent ownCloud from changing the cache due to changes in the filesystem for all storage.
’secret’ => ’’,
Secret used by ownCloud for various purposes, e.g. to encrypt data. If you lose this string there will be data corruption.
’trusted_proxies’ => array(’203.0.113.45’, ’198.51.100.128’),
List of trusted proxy servers
If you configure these also consider setting forwarded_for_headers which otherwise defaults to
HTTP_X_FORWARDED_FOR (the X-Forwarded-For header).
’forwarded_for_headers’ => array(’HTTP_X_FORWARDED’, ’HTTP_FORWARDED_FOR’),
Headers that should be trusted as client IP address in combination with trusted_proxies. If the HTTP header looks like
‘X-Forwarded-For’, then use ‘HTTP_X_FORWARDED_FOR’ here.
If set incorrectly, a client can spoof their IP address as visible to ownCloud, bypassing access controls and making
logs useless!
Defaults to 'HTTP_X_FORWARDED_FOR' if unset
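The warning above, worked through as an added example (a simplified model, not ownCloud's code): a forwarded header is only as trustworthy as the proxy that writes it, so every header listed in forwarded_for_headers must be one the proxy overwrites. Function names, the proxy behaviour, the client address and taking the first comma-separated entry are assumptions of the model; the proxy addresses and header names are the sample values from this page.

```python
import ipaddress

TRUSTED = ["203.0.113.45", "198.51.100.128"]   # trusted_proxies sample from the manual
CLIENT = "192.0.2.77"                          # constructed client address
# Constructed request headers a client could send on its own.
CLIENT_HEADERS = {"HTTP_X_FORWARDED_FOR": "10.0.0.1", "HTTP_X_FORWARDED": "10.0.0.1"}
PROXY_SETS = ["HTTP_X_FORWARDED_FOR"]          # assumed: the only header the proxy writes


def resolve_client_ip(server_vars, trusted_proxies,
                      forwarded_for_headers=("HTTP_X_FORWARDED_FOR",)):
    """Model of the rule: forwarded headers count only if the TCP peer is a trusted proxy."""
    peer = server_vars.get("REMOTE_ADDR", "")
    if peer not in trusted_proxies:
        return peer                      # header values from untrusted peers are ignored
    for name in forwarded_for_headers:
        raw = server_vars.get(name, "")
        candidate = raw.split(",")[0].strip()   # model assumption: first entry is the client
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue                     # absent or not an IP address: try the next header
        return candidate
    return peer


def through_proxy(client_ip, client_headers, proxy_ip, proxy_sets):
    """What the backend sees when a reverse proxy relays a request.

    The proxy overwrites only the headers named in proxy_sets with the real
    client address; every other client-supplied header is passed through.
    """
    seen = dict(client_headers)
    for name in proxy_sets:
        seen[name] = client_ip
    seen["REMOTE_ADDR"] = proxy_ip
    return seen


def unverified_headers(forwarded_for_headers, proxy_sets):
    """Headers the config trusts but the proxy never overwrites (the gap to close)."""
    return [h for h in forwarded_for_headers if h not in proxy_sets]


def scenarios():
    """Address ownCloud would log in three setups, per the model above."""
    direct = dict(CLIENT_HEADERS, REMOTE_ADDR=CLIENT)
    relayed = through_proxy(CLIENT, CLIENT_HEADERS, TRUSTED[0], PROXY_SETS)
    return {
        "direct connection": resolve_client_ip(direct, TRUSTED),
        "proxy, matching header": resolve_client_ip(
            relayed, TRUSTED, ["HTTP_X_FORWARDED_FOR"]),
        "proxy, mismatched header": resolve_client_ip(
            relayed, TRUSTED, ["HTTP_X_FORWARDED", "HTTP_FORWARDED_FOR"]),
    }


if __name__ == "__main__":
    for label, address in scenarios().items():
        print(f"{label:26} -> {address}")
    print("unverified:", unverified_headers(
        ["HTTP_X_FORWARDED", "HTTP_FORWARDED_FOR"], PROXY_SETS))
```

An empty result from `unverified_headers()` for your proxy's actual header list is the condition to check before listing a header in config.php.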
’max_filesize_animated_gifs_public_sharing’ => 10,
max file size for animating gifs on public-sharing-site.
If the gif is bigger, it’ll show a static preview
Value represents the maximum filesize in megabytes. Default is 10. Set to -1 for no limit.
’filelocking.enabled’ => true,
Enables transactional file locking.
This is enabled by default.
Prevents concurrent processes from accessing the same files at the same time. Can help prevent side effects that would
be caused by concurrent operations. Mainly relevant for very large installations with many users working with shared
files.
’memcache.locking’ => ’\\OC\\Memcache\\Redis’,
Memory caching backend for file locking
Because most memcache backends can clean values without warning, using redis is highly recommended to avoid data
loss.
’debug’ => false,
Set this ownCloud instance to debugging mode
Only enable this for local development and not in production environments. This will disable the minifier and output
some additional debug information.
’copied_sample_config’ => true,
This entry is just here to show a warning in case somebody copied the sample configuration. DO NOT ADD THIS
SWITCH TO YOUR CONFIGURATION!
If you, brave person, have read until here be aware that you should not modify ANY settings in this file without reading
the documentation.
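Several parameters in this section come with an explicit warning. The following added example (not part of ownCloud) collects those warnings into a check that can be run over a configuration; it assumes the config array has already been loaded into a dictionary, for example from a JSON export, and both sample configurations are constructed. The SMTP check is an addition that the manual does not state.

```python
SAMPLE_LOG_SECRET = "57b58edb6637fe3059b3595cf9c41b9"  # the value printed in the manual


def audit_config(cfg):
    """Return (key, finding) pairs for settings the manual itself warns about."""
    findings = []

    def flag(key, why):
        findings.append((key, why))

    if cfg.get("debug", False):
        flag("debug", "debugging mode is for local development, not production")
    if not cfg.get("check_for_working_htaccess", True):
        flag("check_for_working_htaccess", "security check on .htaccess and data/ is off")
    if cfg.get("appstore.experimental.enabled", False):
        flag("appstore.experimental.enabled", "experimental apps are not security-checked")
    if cfg.get("log_query", False):
        flag("log_query", "all queries and parameters are written to the log")
    if "copied_sample_config" in cfg:
        flag("copied_sample_config", "sample configuration was copied verbatim")
    if cfg.get("log.condition", {}).get("shared_secret") == SAMPLE_LOG_SECRET:
        flag("log.condition", "shared_secret is the published sample value")

    backends = {k: cfg.get(k, "") for k in
                ("memcache.local", "memcache.distributed", "memcache.locking")}
    uses_redis = any(v.endswith("Redis") for v in backends.values())
    if uses_redis and not cfg.get("redis", {}).get("password"):
        flag("redis", "Redis is a cache backend but no password is configured")

    locking = backends["memcache.locking"]
    if cfg.get("filelocking.enabled", True) and locking and not locking.endswith("Redis"):
        flag("memcache.locking", "backend may clean values without warning; Redis is recommended")

    # Added check, not from the manual: LOGIN and PLAIN only base64-encode credentials.
    if (cfg.get("mail_smtpmode") == "smtp" and cfg.get("mail_smtpauth")
            and not cfg.get("mail_smtpsecure")):
        flag("mail_smtpsecure", "SMTP credentials are sent without ssl or tls")
    return findings


# Constructed sample configurations.
RISKY = {
    "debug": True,
    "check_for_working_htaccess": False,
    "appstore.experimental.enabled": True,
    "log_query": True,
    "copied_sample_config": True,
    "log.condition": {"shared_secret": SAMPLE_LOG_SECRET},
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Memcached",
    "redis": {"host": "localhost", "port": 6379},
    "mail_smtpmode": "smtp", "mail_smtpauth": True, "mail_smtpsecure": "",
}
HARDENED = {
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {"host": "localhost", "port": 6379, "password": "constructed-placeholder"},
    "mail_smtpmode": "smtp", "mail_smtpauth": True, "mail_smtpsecure": "tls",
}

if __name__ == "__main__":
    for key, why in audit_config(RISKY):
        print(f"{key}: {why}")
```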
5.8.21 App config options
Retention for activities of the activity app:
’activity_expire_days’ => 365,
Every day a cron job is run which deletes all activities, for all users, that are older than the number of days set
for activity_expire_days.
’wnd.logging.enable’ => true,
This enables debug logs for the windows_network_drive app.
5.9 Email Configuration
ownCloud is capable of sending password reset emails, notifying users of new file shares, changes in files, and activity
notifications. Your users configure which notifications they want to receive on their Personal pages.
ownCloud does not contain a full email server, but rather connects to your existing mail server. You must have a
functioning mail server for ownCloud to be able to send emails. You may have a mail server on the same machine as
ownCloud, or it may be a remote server.
ownCloud 7 introduces a new feature, the graphical Email Configuration Wizard.
With the new wizard, connecting ownCloud to your mail server is fast and easy. The wizard fills in the values in
config/config.php, so you may use either or both as you prefer.
The ownCloud Email wizard supports three types of mail server connections: SMTP, PHP, and Sendmail. Use the
SMTP configurator for a remote server, and PHP or Sendmail when your mail server is on the same machine as
ownCloud.
Note: The Sendmail option refers to the Sendmail SMTP server, and any drop-in Sendmail replacement such as
Postfix, Exim, or Courier. All of these include a sendmail binary, and are freely-interchangeable.
5.9.1 Configuring an SMTP Server
You need the following information from your mailserver administrator to connect ownCloud to a remote SMTP
server:
• Encryption type: None, SSL/TLS or STARTTLS
• The From address you want your outgoing ownCloud mails to use
• Whether authentication is required
• Authentication method: None, Login, Plain, or NT LAN Manager
• The server’s IP address or fully-qualified domain name
• Login credentials, if required
Your changes are saved immediately, and you can click the Send Email button to test your configuration. This sends a
test message to the email address you configured on your Personal page. The test message says:
If you received this email, the settings seem to be correct.
--
ownCloud
web services under your control
5.9.2 Configuring PHP and Sendmail
Configuring PHP or Sendmail requires only that you select one of them, and then enter your desired return address.
How do you decide which one to use? PHP mode uses your local sendmail binary. Use this if you want to use
php.ini to control some of your mail server functions, such as setting paths, headers, or passing extra command
options to the sendmail binary. These vary according to which server you are using, so consult your server’s
documentation to see what your options are.
In most cases the smtp option is best, because it removes the extra step of passing through PHP, and you can control
all of your mail server options in one place, in your mail server configuration.
5.9.3 Using Email Templates
Another useful new feature is editable email templates. Now you can edit ownCloud’s email templates on your Admin
page. These are your available templates:
• Sharing email (HTML) – HTML version of emails notifying users of new file shares
• Sharing email (plain text fallback) – Plain text email notifying users of new file shares
• Lost password mail – Password reset email for users who lose their passwords.
• Activity notification mail – Notification of activities that users have enabled in the Notifications section of their
Personal pages.
In addition to providing the email templates, this feature enables you to apply any preconfigured themes to the email.
To modify an email template to users:
1. Access the Admin page.
2. Scroll to the Mail templates section.
3. Select a template from the drop-down menu.
4. Make any desired modifications to the template.
The templates are written in PHP and HTML, and are already loaded with the relevant variables such as username,
share links, and filenames. You can, if you are careful, edit these even without knowing PHP or HTML; don’t touch
any of the code, but you can edit the text portions of the messages. For example, this is the lost password mail template:
<?php
echo str_replace('{link}', $_['link'], $l->t('Use the following link to reset your password: {link}'));
You could change the text portion of the template, “Use the following link to reset your
password:”, to say something else, such as “Click the following link to reset your password.
If you did not ask for a password reset, ignore this message.”
Again, be very careful to change nothing but the message text, because the tiniest coding error will break the template.
Note: You can edit the templates directly in the template text box, or you can copy and paste them to a text editor for
modification and then copy and paste them back to the template text box for use when you are done.
5.9.4 Setting Mail Server Parameters in config.php
If you prefer, you may set your mail server parameters in config/config.php. The following examples are for
SMTP, PHP, Sendmail, and Qmail.
SMTP
If you want to send email using a local or remote SMTP server it is necessary to enter the name or IP address of
the server, optionally followed by a colon separated port number, e.g. :425. If this value is not given the default
port 25/tcp will be used unless you change that by modifying the mail_smtpport parameter. Multiple servers can be
entered, separated by semicolons:
<?php
"mail_smtpmode" => "smtp",
"mail_smtphost" => "smtp-1.server.dom;smtp-2.server.dom:425",
"mail_smtpport" => 25,
or
<?php
"mail_smtpmode" => "smtp",
"mail_smtphost" => "smtp.server.dom",
"mail_smtpport" => 425,
If a malware or spam scanner is running on the SMTP server, you may need to increase the SMTP
timeout, e.g. to 30 seconds:
<?php
"mail_smtptimeout" => 30,
If the SMTP server accepts insecure connections, the default setting can be used:
<?php
"mail_smtpsecure" => '',
If the SMTP server only accepts secure connections you can choose between the following two variants:
SSL/TLS
A secure connection will be initiated using SSL/TLS via SMTPS on the default port 465/tcp:
<?php
"mail_smtphost" => "smtp.server.dom:465",
"mail_smtpsecure" => 'ssl',
STARTTLS
A secure connection will be initiated using STARTTLS via SMTP on the default port 25/tcp:
<?php
"mail_smtphost" => "smtp.server.dom",
"mail_smtpsecure" => 'tls',
An alternative is the port 587/tcp (recommended):
<?php
"mail_smtphost" => "smtp.server.dom:587",
"mail_smtpsecure" => 'tls',
Authentication
Finally, configure whether the SMTP server requires authentication. If it does not, the default values can be
used as they are:
<?php
"mail_smtpauth" => false,
"mail_smtpname" => "",
"mail_smtppassword" => "",
If SMTP authentication is required you have to set the required username and password and can optionally choose
between the authentication types LOGIN (default) or PLAIN.
<?php
"mail_smtpauth" => true,
"mail_smtpauthtype" => "LOGIN",
"mail_smtpname" => "username",
"mail_smtppassword" => "password",
PHP mail
If you want to use PHP mail it is necessary to have an installed and working email system on your server. Which
program is actually used to send email is defined by the configuration settings in the php.ini file. (On *nix systems
this will most likely be Sendmail.) ownCloud should be able to send email out of the box.
<?php
"mail_smtpmode" => "php",
"mail_smtphost" => "127.0.0.1",
"mail_smtpport" => 25,
"mail_smtptimeout" => 10,
"mail_smtpsecure" => "",
"mail_smtpauth" => false,
"mail_smtpauthtype" => "LOGIN",
"mail_smtpname" => "",
"mail_smtppassword" => "",
Sendmail
If you want to use the well known Sendmail program to send email, it is necessary to have an installed and working
email system on your *nix server. The sendmail binary (/usr/sbin/sendmail) is usually part of that system. ownCloud
should be able to send email out of the box.
<?php
"mail_smtpmode" => "sendmail",
"mail_smtphost" => "127.0.0.1",
"mail_smtpport" => 25,
"mail_smtptimeout" => 10,
"mail_smtpsecure" => "",
"mail_smtpauth" => false,
"mail_smtpauthtype" => "LOGIN",
"mail_smtpname" => "",
"mail_smtppassword" => "",
qmail
If you want to use the qmail program to send email, it is necessary to have an installed and working qmail email system
on your server. The sendmail binary (/var/qmail/bin/sendmail) will then be used to send email. ownCloud should be
able to send email out of the box.
<?php
"mail_smtpmode" => "qmail",
"mail_smtphost" => "127.0.0.1",
"mail_smtpport" => 25,
"mail_smtptimeout" => 10,
"mail_smtpsecure" => "",
"mail_smtpauth" => false,
"mail_smtpauthtype" => "LOGIN",
"mail_smtpname" => "",
"mail_smtppassword" => "",
5.9.5 Send a Test Email
To test your email configuration, save your email address in your personal settings and then use the Send email button
in the Email Server section of the Admin settings page.
5.9.6 Using Self-Signed Certificates
When using self-signed certificates on the remote SMTP server the certificate must be imported into ownCloud. Please
refer to Importing System-wide and Personal SSL Certificates for more information.
5.9.7 Troubleshooting
If you are unable to send email, try turning on debugging. Do this by enabling the mail_smtpdebug parameter
in config/config.php.
<?php
"mail_smtpdebug" => true,
Note: Immediately after pressing the Send email button, as described before, several SMTP -> get_lines(): ...
messages appear on the screen. This is expected behavior and can be ignored.
Question: Why is my web domain different from my mail domain?
Answer: The default domain name used for the sender address is the hostname where your ownCloud installation is
served. If you have a different mail domain name you can override this behavior by setting the following configuration
parameter:
<?php
"mail_domain" => "example.com",
This setting results in every email sent by ownCloud (for example, the password reset email) having the domain part
of the sender address appear as follows:
no-reply@example.com
Question: How can I find out if an SMTP server is reachable?
Answer: Use the ping command to check the server availability:
ping smtp.server.dom
PING smtp.server.dom (ip-address) 56(84) bytes of data.
64 bytes from your-server.local.lan (192.168.1.10): icmp_req=1 ttl=64 time=3.64ms
Question: How can I find out if the SMTP server is listening on a specific TCP port?
Answer: The best way to get mail server information is to ask your mail server admin. If you are the mail server
admin, or need information in a hurry, you can use the netstat command. This example shows all active servers on
your system, and the ports they are listening on. The SMTP server is listening on localhost port 25.
# netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp   0      0      0.0.0.0:631      0.0.0.0:*        LISTEN  4418/cupsd
tcp   0      0      127.0.0.1:25     0.0.0.0:*        LISTEN  2245/exim4
tcp   0      0      127.0.0.1:3306   0.0.0.0:*        LISTEN  1524/mysqld
25/tcp is unencrypted smtp
110/tcp/udp is unencrypted pop3
143/tcp/udp is unencrypted imap4
465/tcp is encrypted smtps
993/tcp/udp is encrypted imaps
995/tcp/udp is encrypted pop3s
Question: How can I determine if the SMTP server supports SMTPS?
Answer: A good indication that the SMTP server supports SMTPS is that it is listening on port 465.
Question: How can I determine what authorization and encryption protocols the mail server supports?
Answer: SMTP servers usually announce the availability of STARTTLS immediately after a connection has been
established. You can easily check this using the telnet command.
Note: You must enter the marked lines to obtain the information displayed.
telnet smtp.domain.dom 25
Trying 192.168.1.10...
Connected to smtp.domain.dom.
Escape character is '^]'.
220 smtp.domain.dom ESMTP Exim 4.80.1 Tue, 22 Jan 2013 22:39:55 +0100
EHLO your-server.local.lan # <<< enter this command
250-smtp.domain.dom Hello your-server.local.lan [ip-address]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5 # <<< Supported auth protocols
250-STARTTLS # <<< Encryption is supported
250 HELP
QUIT # <<< enter this command
221 smtp.domain.dom closing connection
Connection closed by foreign host.
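The capability check in the telnet session above can be scripted. The following is an added example, not part of the ownCloud manual or code base: it parses an EHLO reply like the one shown and maps it to the mail_smtpsecure and mail_smtpauthtype values described in this section. The function names and the sample reply are constructed for illustration, and the mapping assumes a plain-text session on port 25 or 587 (on SMTPS port 465 TLS is already active and STARTTLS is not advertised).

```python
"""Parse an SMTP EHLO reply and derive the matching config.php mail values."""

# Constructed sample: the server's reply lines from a session like the one above.
SAMPLE_EHLO_REPLY = """\
250-smtp.domain.dom Hello your-server.local.lan [ip-address]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5
250-STARTTLS
250 HELP
"""

# Authentication types this manual lists for mail_smtpauthtype, default first.
OWNCLOUD_AUTH_TYPES = ("LOGIN", "PLAIN")


def parse_ehlo(reply):
    """Return (greeting, extensions) where extensions maps KEYWORD -> [params].

    Raises ValueError if a line is not a 250 reply or the final line is missing.
    """
    greeting = None
    extensions = {}
    finished = False
    for line in reply.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if finished:
            raise ValueError("unexpected data after final reply line: %r" % line)
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError("not a successful EHLO reply line: %r" % line)
        finished = sep != "-"  # "250-" continues the reply, "250 " ends it
        if greeting is None:
            greeting = text  # the first line carries the server greeting
            continue
        words = text.upper().split()
        if words:
            extensions[words[0]] = words[1:]
    if not finished:
        raise ValueError("reply is truncated: no final '250 ' line")
    return greeting, extensions


def suggest_settings(extensions):
    """Map advertised capabilities to config.php values plus review warnings."""
    offered = extensions.get("AUTH", [])
    usable = [m for m in OWNCLOUD_AUTH_TYPES if m in offered]
    starttls = "STARTTLS" in extensions
    settings = {
        "mail_smtpsecure": "tls" if starttls else "",
        "mail_smtpauthtype": usable[0] if usable else None,
    }
    warnings = []
    if usable and not starttls:
        # LOGIN and PLAIN only base64-encode the credentials.
        warnings.append("AUTH offered without STARTTLS: the password would "
                        "cross the network unencrypted")
    if offered and not usable:
        warnings.append("no advertised AUTH mechanism matches LOGIN or PLAIN")
    return settings, warnings


if __name__ == "__main__":
    _, caps = parse_ehlo(SAMPLE_EHLO_REPLY)
    print(suggest_settings(caps))
```

Some servers advertise AUTH only after STARTTLS has been negotiated, so a missing AUTH line in a plain-text session does not prove that authentication is unsupported.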
5.9.8 Enabling Debug Mode
If you are unable to send email, it might be useful to activate further debug messages by enabling the mail_smtpdebug
parameter:
<?php
"mail_smtpdebug" => true,
Note: Immediately after pressing the Send email button, as described before, several SMTP -> get_lines(): ...
messages appear on the screen. This is expected behavior and can be ignored.
5.10 Linking External Sites
You can embed external Web sites inside your ownCloud pages with the External Sites app, as this screenshot shows.
Figure 5.2: Click to enlarge
This is useful for quick access to important Web pages such as the ownCloud manuals and informational pages for
your company, and for presenting external pages inside your custom ownCloud branding, if you use your own custom
themes.
The External sites app is included in all versions of ownCloud. Go to Apps > Not Enabled to enable it. Then go to
your ownCloud Admin page to create your links, which are saved automatically. There is a dropdown menu to select
an icon, but there is only one default icon so you don’t have to select one. Hover your cursor to the right of your links
to make the trashcan icon appear when you want to remove them.
The links appear in the ownCloud dropdown menu on the top left after refreshing your page, and have globe icons.
Figure 5.3: Click to enlarge
Your links may or may not work correctly due to the various ways that Web browsers and Web sites handle HTTP
and HTTPS URLs, and because the External Sites app embeds external links in IFrames. Modern Web browsers try
very hard to protect Web surfers from dangerous links, and safety apps like Privacy Badger and ad-blockers may block
embedded pages. It is strongly recommended to enforce HTTPS on your ownCloud server; do not weaken this, or
any of your security tools, just to make embedded Web pages work. After all, you can freely access them outside of
ownCloud.
Most Web sites that offer login functionalities use the X-Frame-Options or Content-Security-Policy
HTTP header, which instructs browsers to not allow their pages to be embedded for security reasons (e.g. “Clickjacking”).
You can usually verify the reason why embedding the website is not possible by using your browser’s console
tool. For example, this page has an invalid SSL certificate.
On this page, X-Frame-Options prevents the embedding.
There isn’t much you can do about these issues, but if you’re curious you can see what is happening.
5.11 Custom Client Download Repositories
You may configure the URLs to your own download repositories for your ownCloud desktop clients and mobile apps
in config/config.php. This example shows the default download locations:
<?php
"customclient_desktop" => "https://owncloud.org/sync-clients/",
"customclient_android" => "https://play.google.com/store/apps/details?id=com.owncloud.android",
"customclient_ios" => "https://itunes.apple.com/us/app/owncloud/id543672169?mt=8",
Simply replace the URLs with the links to your own preferred download repos.
You may test alternate URLs without editing config/config.php by setting a test URL as an environment variable:
export OCC_UPDATE_URL=https://test.example.com
When you’re finished testing you can disable the environment variable:
unset OCC_UPDATE_URL
5.12 Knowledge Base Configuration
ownCloud is largely self-explanatory, but a user might still run into a problem that requires consulting
the documentation or knowledge base. To ease access to the ownCloud documentation and knowledge base,
a help menu item is shown in the settings menu by default.
5.12.1 Parameters
If you want to disable the ownCloud help menu item, set the knowledgebaseenabled parameter in
config/config.php to false. The example below shows the default value, true.
<?php
"knowledgebaseenabled" => true,
Note: Disabling the help menu item might increase the number of support requests you have to answer in the future.
5.13 Language Configuration
In normal cases ownCloud will automatically detect the language of the Web-GUI. If this does not work properly
or you want to make sure that ownCloud always starts with a given language, you can use the default_language
parameter.
Please keep in mind that this will not affect a user’s language preference, which has been configured under “personal
-> language” once they have logged in.
Please check settings/languageCodes.php for the list of supported language codes.
5.13.1 Parameters
<?php
"default_language" => "en",
This parameter can be set in config/config.php.
5.14 Logging Configuration
Use your ownCloud log to review system status, or to help debug problems. You may adjust logging levels, and choose
between using the ownCloud log or your syslog.
5.14.1 Parameters
Logging levels range from DEBUG, which logs all activity, to FATAL, which logs only fatal errors.
0: DEBUG: All activity; the most detailed logging.
1: INFO: Activity such as user logins and file activities, plus warnings, errors, and fatal errors.
2: WARN: Operations succeed, but with warnings of potential problems, plus errors and fatal errors.
3: ERROR: An operation fails, but other services and operations continue, plus fatal errors.
4: FATAL: The server stops.
By default the log level is set to 2 (WARN). Use DEBUG when you have a problem to diagnose, and then reset your
log level to a less-verbose level, as DEBUG outputs a lot of information and can affect your server performance.
Logging level parameters are set in the config/config.php file, or on the Admin page of your ownCloud Web
GUI.
ownCloud
All log information will be written to a separate log file which can be viewed using the log viewer on your Admin
page. By default, a log file named owncloud.log will be created in the directory which has been configured by the
datadirectory parameter in config/config.php.
The desired date format can optionally be defined using the logdateformat parameter in config/config.php.
By default the PHP date function parameter “c” is used, and therefore the date/time is written in the format
“2013-01-10T15:20:25+02:00”. By using the date format in the example below, the date/time format will be written in the
format “January 10, 2013 15:20:25”.
"log_type" => "owncloud",
"logfile" => "owncloud.log",
"loglevel" => "3",
"logdateformat" => "F d, Y H:i:s",
syslog
All log information will be sent to your default syslog daemon.
"log_type" => "syslog",
"logfile" => "",
"loglevel" => "3",
Conditional Logging Level Increase
You can configure the logging level to automatically increase to debug when one of three conditions is met:
• shared_secret: If a request parameter with the name log_secret is set to this value, the condition is met.
• users: If the current request is done by one of the specified users, this condition is met.
• apps: If the log message is invoked by one of the specified apps, this condition is met.
The following example demonstrates what all three conditions look like:
'log.condition' => [
'shared_secret' => '57b58edb6637fe3059b3595cf9c41b9',
'users' => ['sample-user'],
'apps' => ['files'],
],
5.15 Hardening and Security Guidance
ownCloud aims to ship with secure defaults that do not need to get modified by administrators. However, in some
cases some additional security hardening can be applied in scenarios where the administrator has complete control over
the ownCloud instance. This page assumes that you run ownCloud Server on Apache2 in a Linux environment.
Note: ownCloud will warn you in the administration interface if some critical security-relevant options are missing.
However, it is still up to the server administrator to review and maintain system security.
5.15.1 Limit on Password Length
ownCloud uses the bcrypt algorithm, and thus for security and performance reasons (e.g. Denial of Service, as CPU
demand increases exponentially), it only verifies the first 72 characters of passwords. This applies to all passwords that
you use in ownCloud: user passwords, passwords on link shares, and passwords on external shares.
5.15.2 Operating system
Give PHP read access to /dev/urandom
ownCloud uses an RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically
secure pseudo-random numbers. This means that when generating a random number ownCloud will request multiple
random numbers from different sources and derive from these the final random number.
The random number generation also tries to request random numbers from /dev/urandom, thus it is highly
recommended to configure your setup in such a way that PHP is able to read random data from it.
Note: If open_basedir is configured in your php.ini file, make sure to include
/dev/urandom.
Enable hardening modules such as SELinux
It is highly recommended to enable hardening modules such as SELinux where possible. See SELinux Configuration
to learn more about SELinux.
5.15.3 Deployment
Place data directory outside of the web root
It is highly recommended to place your data directory outside of the Web root (i.e. outside of /var/www). It is easiest
to do this on a new installation.
Disable preview image generation
ownCloud is able to generate preview images of common filetypes such as images or text files. Preview
generation is enabled by default for some file types that we consider secure enough for deployment. However,
administrators should be aware that these previews are generated using PHP libraries written in C which might be
vulnerable to attack vectors.
For high security deployments we recommend disabling the preview generation by setting the enable_previews
switch to false in config.php. As an administrator you are also able to manage which preview providers are
enabled by modifying the enabledPreviewProviders option switch.
5.15.4 Use HTTPS
Using ownCloud without using an encrypted HTTPS connection opens up your server to a man-in-the-middle (MITM)
attack, and risks the interception of user data and passwords. It is a best practice, and highly recommended, to always
use HTTPS on production servers, and to never allow unencrypted HTTP.
How to set up HTTPS on your Web server depends on your setup; please consult the documentation for your HTTP
server. The following examples are for Apache.
Redirect all unencrypted traffic to HTTPS
To redirect all HTTP traffic to HTTPS administrators are encouraged to issue a permanent redirect using the 301 status
code. When using Apache this can be achieved by adding a setting such as the following in the Apache VirtualHosts
configuration containing the <VirtualHost *:80> entry:
Redirect permanent / https://example.com/
Enable HTTP Strict Transport Security
While redirecting all traffic to HTTPS is good, it may not completely prevent man-in-the-middle attacks. Thus
administrators are encouraged to set the HTTP Strict Transport Security header, which instructs browsers to not allow
any connection to the ownCloud instance using HTTP, and it attempts to prevent site visitors from bypassing invalid
certificate warnings.
This can be achieved by setting the following settings within the Apache VirtualHost file containing the
<VirtualHost *:443> entry:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</IfModule>
If you don’t have access to your Apache configuration it is also possible to add this to the main .htaccess file
shipped with ownCloud. Make sure you’re adding it below the line:
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
This example configuration will make all subdomains only accessible via HTTPS. If you have subdomains not
accessible via HTTPS, remove includeSubDomains.
Note: This requires the mod_headers extension in Apache.
When using nginx as a Web server an example is already included in the nginx Example Configurations:
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
You need to remove the # and reload nginx to enable this change.
Proper SSL configuration
Default SSL configurations by Web servers are often not state-of-the-art, and require fine-tuning for optimal
performance and security. The available SSL ciphers and options depend completely on your environment, and
thus giving a generic recommendation is not really possible.
We recommend using the Mozilla SSL Configuration Generator to generate a configuration suited to your
environment, and the free Qualys SSL Labs Tests gives good guidance on whether your SSL server is correctly
configured.
Also ensure that HTTP compression is disabled to mitigate the BREACH attack.
5.15.5 Use a dedicated domain for ownCloud
Administrators are encouraged to install ownCloud on a dedicated domain such as cloud.domain.tld instead of
domain.tld to gain all the benefits offered by the Same-Origin-Policy.
5.15.6 Ensure that your ownCloud instance is installed in a DMZ
As ownCloud supports features such as Federated File Sharing we do not consider Server Side Request Forgery
(SSRF) part of our threat model. In fact, given all our external storage adapters this can be considered a feature and
not a vulnerability.
This means that a user on your ownCloud instance could probe whether other hosts are accessible from the ownCloud
network. If you do not want this you need to ensure that your ownCloud is properly installed in a segregated network
and proper firewall rules are in place.
5.15.7 Serve security related Headers by the Web server
Basic security headers are served by ownCloud already in a default environment. These include:
X-Content-Type-Options: nosniff
Instructs some browsers to not sniff the mimetype of files. This is used for example to prevent
browsers from interpreting text files as JavaScript.
X-XSS-Protection: 1; mode=block
Instructs browsers to enable their browser side Cross-Site-Scripting filter.
X-Robots-Tag: none
Instructs search machines to not index these pages.
X-Frame-Options: SAMEORIGIN
Prevents embedding of the ownCloud instance within an iframe from other domains to prevent
Clickjacking and other similar attacks.
These headers are hard-coded into the ownCloud server, and need no intervention by the server administrator.
For optimal security, administrators are encouraged to serve these basic HTTP headers by the Web server to enforce
them on response. To do this Apache has to be configured to use the .htaccess file and the following Apache
modules need to be enabled:
• mod_headers
• mod_env
Administrators can verify whether this security change is active by accessing a static resource served by the Web server
and verifying that the above mentioned security headers are shipped.
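The verification described above can be automated. The following is an added example, not part of ownCloud: it audits a raw response header block for the four headers listed in this section and for the Strict-Transport-Security header from section 5.15.4. The sample responses are constructed, the function names are illustrative, and treating this manual's max-age value of 15768000 as a minimum is an assumption of the example.

```python
"""Audit a raw HTTP response header block against the headers listed above."""

# Headers and values as listed in this section.
EXPECTED = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Robots-Tag": "none",
    "X-Frame-Options": "SAMEORIGIN",
}
MIN_HSTS_MAX_AGE = 15768000  # max-age used in this manual's HSTS example

# Constructed samples: a dynamic page, and a static file served without the
# .htaccess rules (for example because mod_headers or mod_env is not loaded).
DYNAMIC_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=15768000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
"""
STATIC_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: image/png
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
"""


def parse_headers(raw):
    """Return {lower-case name: [values]}; stops at the first blank line."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def normalise(value):
    """Lower-case and drop whitespace so '1;mode=block' equals '1; mode=block'."""
    return "".join(value.lower().split())


def hsts_max_age(value):
    """Return max-age in seconds, or None when the directive is absent or invalid."""
    for directive in value.split(";"):
        key, _, number = directive.strip().partition("=")
        number = number.strip().strip('"')
        if key.strip().lower() == "max-age" and number.isdigit():
            return int(number)
    return None


def audit(raw, https=True):
    """Return a list of findings; an empty list means all checks passed."""
    headers = parse_headers(raw)
    findings = []
    for name, expected in EXPECTED.items():
        values = headers.get(name.lower(), [])
        if not values:
            findings.append("missing " + name)
        elif any(normalise(v) != normalise(expected) for v in values):
            findings.append("unexpected value for %s: %s"
                            % (name, ", ".join(values)))
    if https:
        hsts = headers.get("strict-transport-security", [])
        age = hsts_max_age(hsts[0]) if hsts else None
        if age is None:
            findings.append("missing Strict-Transport-Security max-age")
        elif age < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age %d is below %d"
                            % (age, MIN_HSTS_MAX_AGE))
    return findings


if __name__ == "__main__":
    for label, raw in (("dynamic", DYNAMIC_RESPONSE), ("static", STATIC_RESPONSE)):
        print(label, audit(raw) or "ok")
```

To audit a live server, save the output of a header-only request for a static file (an image or CSS file) and pass it to audit().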
5.16 Reverse Proxy Configuration
ownCloud can be run through a reverse proxy, which can cache static assets such as images, CSS or JS files, move the
load of handling HTTPS to a different server or load balance between multiple servers.
5.16.1 Defining Trusted Proxies
For security, you must explicitly define the proxy servers that ownCloud is to trust. Connections from trusted proxies
will be specially treated to get the real client information, for use in access control and logging. Parameters are
configured in config/config.php.
Set the trusted_proxies parameter as an array of IP addresses to define the servers ownCloud should trust as proxies.
This parameter provides protection against client spoofing, and you should secure those servers as you would your
ownCloud server.
A reverse proxy can define HTTP headers with the original client IP address, and ownCloud can use those headers
to retrieve that IP address. ownCloud uses the de-facto standard header ‘X-Forwarded-For’ by default, but this can
be configured with the forwarded_for_headers parameter. This parameter is an array of PHP lookup strings, for
example ‘X-Forwarded-For’ becomes ‘HTTP_X_FORWARDED_FOR’. Incorrectly setting this parameter may allow
clients to spoof their IP address as visible to ownCloud, even when going through the trusted proxy! The correct value
for this parameter is dependent on your proxy software.
5.16.2 Overwrite Parameters
The automatic hostname, protocol or webroot detection of ownCloud can fail in certain reverse proxy situations. This
configuration allows the automatic detection to be manually overridden.
If ownCloud fails to automatically detect the hostname, protocol or webroot you can use the overwrite parameters
inside the config/config.php. The overwritehost parameter is used to set the hostname of the proxy. You can
also specify a port. The overwriteprotocol parameter is used to set the protocol of the proxy. You can choose between
the two options http and https. The overwritewebroot parameter is used to set the absolute web path of the proxy
to the ownCloud folder. When you want to keep the automatic detection of one of the three parameters you can leave
the value empty or not set it. The overwritecondaddr parameter is used to overwrite the values depending on the
remote address. The value must be a regular expression of the IP addresses of the proxy. This is useful when you use
a reverse SSL proxy only for https access and you want to use the automatic detection for http access.
5.16.3 Example
Multiple Domains Reverse SSL Proxy
If you want to access your ownCloud installation http://domain.tld/owncloud via a multiple domains reverse SSL
proxy https://ssl-proxy.tld/domain.tld/owncloud with the IP address 10.0.0.1 you can set the following parameters
inside the config/config.php.
<?php
$CONFIG = array (
"trusted_proxies" => ['10.0.0.1'],
"overwritehost" => "ssl-proxy.tld",
"overwriteprotocol" => "https",
"overwritewebroot" => "/domain.tld/owncloud",
"overwritecondaddr" => "^10\.0\.0\.1$",
);
Note: If you want to use the SSL proxy during installation, you have to create config/config.php yourself; otherwise
you have to extend the existing $CONFIG array.
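The trust decisions described in 5.16.1 and the anchored overwritecondaddr expression in the example above can be modelled in a few lines. This is an added Python illustration, not ownCloud's own code: forwarding headers are honoured only when the connection comes from a trusted proxy, and the condition expression decides whether the overwrite values apply. The function names, the right-to-left walk through the header, the X-Client-IP header and the sample addresses are assumptions of this example.

```python
"""Model of the trust decisions behind trusted_proxies, forwarded_for_headers
and overwritecondaddr. Added illustration, not ownCloud's implementation."""
import ipaddress
import re

# Constructed requests, shaped like PHP's $_SERVER array.
DIRECT_REQUEST = {  # client talks to ownCloud directly and sends its own header
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_X_FORWARDED_FOR": "10.0.0.5",
}
PROXIED_REQUEST = {  # client sent "X-Forwarded-For: 192.0.2.99"; proxy appended the real peer
    "REMOTE_ADDR": "10.0.0.1",
    "HTTP_X_FORWARDED_FOR": "192.0.2.99, 198.51.100.23",
    "HTTP_X_CLIENT_IP": "192.0.2.99",  # hypothetical header the proxy passes through unchanged
}


def _ip(text):
    """Parse an IP address string; return None when it is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def php_lookup(header_name):
    """'X-Forwarded-For' -> 'HTTP_X_FORWARDED_FOR', the PHP lookup string form."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def resolve_client_ip(server, trusted_proxies,
                      forwarded_for_headers=("HTTP_X_FORWARDED_FOR",)):
    """Return the address to use for access control and logging."""
    remote = server["REMOTE_ADDR"]
    trusted = {a for a in map(_ip, trusted_proxies) if a is not None}
    peer = _ip(remote)
    if peer is None or peer not in trusted:
        return remote  # direct client: any forwarding header is untrusted input
    for key in forwarded_for_headers:
        hops = [h for h in server.get(key, "").split(",") if h.strip()]
        # Assumption of this example: the proxy appends the peer it saw, so
        # walk right to left and stop at the first hop that is not a proxy.
        for hop in reversed(hops):
            addr = _ip(hop)
            if addr is None:
                return remote  # malformed entry: fall back to the TCP peer
            if addr not in trusted:
                return str(addr)
    return remote


def overwrite_applies(overwritecondaddr, remote_addr):
    """True when the overwrite* values would be used for this peer.

    Assumption: an empty value means "always"; otherwise the value is used as
    a regular-expression search on the peer address, so anchors matter.
    """
    if overwritecondaddr == "":
        return True
    return re.search(overwritecondaddr, remote_addr) is not None


if __name__ == "__main__":
    trusted = ["10.0.0.1"]
    print(resolve_client_ip(DIRECT_REQUEST, trusted))    # header ignored
    print(resolve_client_ip(PROXIED_REQUEST, trusted))   # address seen by the proxy
    # Misconfiguration: reading a header the proxy does not overwrite
    print(resolve_client_ip(PROXIED_REQUEST, trusted, [php_lookup("X-Client-IP")]))
    print(overwrite_applies(r"^10\.0\.0\.1$", "10.0.0.10"))  # anchored: no match
    print(overwrite_applies("10.0.0.1", "10.0.0.10"))         # unanchored: matches
```

The third call shows the failure mode the manual warns about: if forwarded_for_headers names a header that the proxy does not set itself, the value chosen by the client is what gets used.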
5.17 Using Third Party PHP Components
ownCloud uses some third party PHP components to provide some of its functionality. These components are part of
the software package and are contained in the /3rdparty folder.
5.17.1 Managing Third Party Parameters
When using third party components, keep the following parameters in mind:
3rdpartyroot – Specifies the location of the 3rd-party folder. To change the default location of this folder, you
can use this parameter to define the absolute file system path to the folder location.
3rdpartyurl – Specifies the http web path to the 3rdpartyroot folder, starting at the ownCloud web root.
An example of what these parameters might look like is as follows:
<?php
"3rdpartyroot" => OC::$SERVERROOT."/3rdparty",
"3rdpartyurl" => "/3rdparty",
5.18 JavaScript and CSS Asset Management
In production environments, JavaScript and CSS files should be delivered in a concatenated and compressed format.
ownCloud can automatically collect all JavaScript and CSS files, aggregate and compress them to then save the result
in a folder called ‘assets’ which can be found in the folder where ownCloud has been installed.
If your Web server has write access to your ownCloud installation, then the ‘assets’ folder will be automatically created
for you, otherwise, you need to create it yourself before enabling that option and you must give write access to your
Web server user.
Assets found in that folder will from now on be served as static files by your Web server and will be automatically
refreshed whenever ownCloud or one of its apps is updated. It’s important to note that apps installed via git might
not always update their version number with every commit and this could lead to an out-of-sync asset folder. It is not
recommended to enable asset-pipelining when using apps pulled via git.
5.18.1 Parameters
<?php
$CONFIG = array (
...
'asset-pipeline.enabled' => true,
...
);
You can set this parameter in config/config.php.
5.19 Automatic Configuration Setup
If you need to install ownCloud on multiple servers, you normally do not want to set up each instance separately as
described in Database Configuration. For this reason, ownCloud provides an automatic configuration feature.
To take advantage of this feature, you must create a configuration file, called
../owncloud/config/autoconfig.php, and set the file parameters as required. You can specify any
number of parameters in this file. Any unspecified parameters appear on the “Finish setup” screen when you first
launch ownCloud.
The ../owncloud/config/autoconfig.php is automatically removed after the initial configuration has been
applied.
5.19.1 Parameters
When configuring parameters, you must understand that two parameters are named differently in this configuration
file when compared to the standard config.php file.
autoconfig.php    config.php
directory         datadirectory
dbpass            dbpassword
5.19.2 Automatic Configurations Examples
The following sections provide sample automatic configuration examples and what information is requested at the end
of the configuration.
Data Directory
Using the following parameter settings, the “Finish setup” screen requests database and admin credentials settings.
<?php
$AUTOCONFIG = array(
"directory" => "/www/htdocs/owncloud/data",
);
SQLite Database
Using the following parameter settings, the “Finish setup” screen requests data directory and admin credentials
settings.
<?php
$AUTOCONFIG = array(
"dbtype" => "sqlite",
"dbname" => "owncloud",
"dbtableprefix" => "",
);
MySQL Database
Using the following parameter settings, the “Finish setup” screen requests data directory and admin credentials
settings.
<?php
$AUTOCONFIG = array(
"dbtype" => "mysql",
"dbname" => "owncloud",
"dbuser" => "username",
"dbpass" => "password",
"dbhost" => "localhost",
"dbtableprefix" => "",
);
Note: Keep in mind that the automatic configuration does not eliminate the need for creating the database user and
database in advance, as described in Database Configuration.
PostgreSQL Database
Using the following parameter settings, the “Finish setup” screen requests data directory and admin credentials
settings.
<?php
$AUTOCONFIG = array(
"dbtype" => "pgsql",
"dbname" => "owncloud",
"dbuser" => "username",
"dbpass" => "password",
"dbhost" => "localhost",
"dbtableprefix" => "",
);
Note: Keep in mind that the automatic configuration does not eliminate the need for creating the database user and
database in advance, as described in Database Configuration.
All Parameters
Using the following parameter settings, because all parameters are already configured in the file, the ownCloud
installation skips the “Finish setup” screen.
<?php
$AUTOCONFIG = array(
  "dbtype" => "mysql",
  "dbname" => "owncloud",
  "dbuser" => "username",
  "dbpass" => "password",
  "dbhost" => "localhost",
  "dbtableprefix" => "",
  "adminlogin" => "root",
  "adminpass" => "root-password",
  "directory" => "/www/htdocs/owncloud/data",
);
Note: Keep in mind that the automatic configuration does not eliminate the need for creating the database user and
database in advance, as described in Database Configuration.
5.20 ownCloud Server Tuning
5.20.1 Using cron to perform background jobs
See Background Jobs for a description and the benefits.
5.20.2 Enable JavaScript and CSS Asset Management
See JavaScript and CSS Asset Management for a description and the benefits.
5.20.3 Caching
Caching improves performance by storing data, code, and other objects in memory. Memory cache configuration
for the ownCloud server is no longer automatic in ownCloud 8.1 and up, but must be installed and configured. See
Configuring Memory Caching.
5.20.4 Using MariaDB/MySQL instead of SQLite
MySQL or MariaDB are preferred because of the performance limitations of SQLite with highly concurrent
applications, like ownCloud.
See the section Database Configuration for how to configure ownCloud for MySQL or MariaDB. If your installation is
already running on SQLite then it is possible to convert to MySQL or MariaDB using the steps provided in Converting
Database Type.
5.20.5 Using Redis-based Transactional File Locking
File locking is enabled by default, using the database locking backend. This places a significant load on your database.
See the section Transactional File Locking for how to configure ownCloud to use Redis-based Transactional File
Locking.
5.20.6 SSL / Encryption App
SSL (HTTPS) and file encryption/decryption can be offloaded to a processor’s AES-NI extension. This can both speed
up these operations and lower processing overhead. This requires a processor with the AES-NI instruction set.
Here are some ways to check whether your CPU / environment supports the AES-NI extension:
For each CPU core present: grep flags /proc/cpuinfo or, as a summary for all cores: grep -m 1 ^flags /proc/cpuinfo. If the result contains any aes, the extension is present.
Search, e.g. on the Intel website, whether the processor used supports the extension (Intel Processor Feature Filter). You may set a filter by "AES New Instructions" to get a reduced result set.
For versions of openssl >= 1.0.1, AES-NI does not work via an engine and will not show up in the openssl engine command. It is active by default on the supported hardware. You can check the openssl version via openssl version -a
If your processor supports AES-NI but it does not show up, e.g. via grep or coreinfo, it may be disabled in the BIOS.
If your environment runs virtualized, check the virtualization vendor for support.
5.21 Enable index.php-less URLs
Since ownCloud 9.0.3 you need to explicitly configure and enable index.php-less URLs (e.g.
https://example.com/apps/files/ instead of https://example.com/index.php/apps/files/). The following
documentation provides the needed steps to configure this for the Apache Web server. These steps are not necessary
when using nginx as a web server because it is already enabled in the nginx Example Configurations.
5.21.1 Prerequisites
Before being able to use index.php-less URLs you need to enable the mod_rewrite and mod_env Apache modules.
Furthermore a configured AllowOverride All directive within the vhost of your Web server is needed. Please
have a look at the Apache manual for how to enable and configure these.
Furthermore, these instructions only work when using Apache together with the mod_php Apache module for
PHP. Other modules like php-fpm or mod_fastcgi are unsupported.
Finally the user running your Web server (e.g. www-data) needs to be able to write into the .htaccess file shipped
within the ownCloud root directory (e.g. /var/www/owncloud/.htaccess). If you have applied Setting Strong
Directory Permissions the user might be unable to write into this file and the needed update will fail. You need to
revert these strong permissions temporarily by following the steps described in Setting Permissions for Updating.
5.21.2 Configuration steps
The first step is to configure the overwrite.cli.url and htaccess.RewriteBase config.php options (See
Config.php Parameters). If you’re accessing your ownCloud instance via https://example.com/ the following
two options need to be added / configured:
'overwrite.cli.url' => 'https://example.com',
'htaccess.RewriteBase' => '/',
If the instance is accessed via https://example.com/owncloud the following configuration is needed:
'overwrite.cli.url' => 'https://example.com/owncloud',
'htaccess.RewriteBase' => '/owncloud',
As a second step ownCloud needs to enable index.php-less URLs. This is done:
during the next update of your ownCloud instance, or
by manually running the occ command occ maintenance:update:htaccess (See Using the occ Command)
Afterwards your instance should have index.php-less URLs enabled.
5.21.3 Troubleshooting
If accessing your ownCloud installation fails after following these instructions and you see messages like this in your
ownCloud log:
The requested uri(\\/login) cannot be processed by the script '\\/owncloud\\/index.php'
make sure that you have configured the two config.php options listed above correctly.
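A check for the two options named above, as an added example that is not part of the manual or of ownCloud. The rule that htaccess.RewriteBase equals the path part of overwrite.cli.url is inferred from the two configurations shown in this section; the function names and the regular-expression parsing of config.php are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches simple string options such as:  'htaccess.RewriteBase' => '/owncloud',
OPTION_RE = re.compile(r"""['"]([\w.]+)['"]\s*=>\s*['"]([^'"]*)['"]""")


def read_options(config_text):
    """Collect 'key' => 'value' string options from config.php text.

    A regular expression is a simplification: it ignores PHP comments,
    nested arrays and non-string values.
    """
    return dict(OPTION_RE.findall(config_text))


def expected_rewrite_base(cli_url):
    """Path part of overwrite.cli.url; '/' when ownCloud sits at the web root."""
    return urlsplit(cli_url).path.rstrip("/") or "/"


def check_rewrite_config(config_text):
    """Return a list of problems with the two index.php-less URL options."""
    options = read_options(config_text)
    url = options.get("overwrite.cli.url")
    base = options.get("htaccess.RewriteBase")
    problems = []
    if url is None:
        problems.append("overwrite.cli.url is not set")
    if base is None:
        problems.append("htaccess.RewriteBase is not set")
    if url is not None and base is not None:
        want = expected_rewrite_base(url)
        have = base.rstrip("/") or "/"
        if have != want:
            problems.append(
                "htaccess.RewriteBase is %r but overwrite.cli.url implies %r"
                % (base, want)
            )
    return problems


# Constructed config.php fragments (not taken from a real installation).
ROOT_CONFIG = """
  'overwrite.cli.url' => 'https://example.com',
  'htaccess.RewriteBase' => '/',
"""
SUBDIR_CONFIG = """
  'overwrite.cli.url' => 'https://example.com/owncloud',
  'htaccess.RewriteBase' => '/owncloud',
"""
MISMATCH_CONFIG = """
  'overwrite.cli.url' => 'https://example.com/owncloud',
  'htaccess.RewriteBase' => '/',
"""

if __name__ == "__main__":
    for name, text in (("root", ROOT_CONFIG),
                       ("subdir", SUBDIR_CONFIG),
                       ("mismatch", MISMATCH_CONFIG)):
        print(name, check_rewrite_config(text) or "OK")
```

Run it against a copy of config.php before running occ maintenance:update:htaccess; an empty list means the two options agree.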
CHAPTER
SIX
USER MANAGEMENT
6.1 User Management
On the User management page of your ownCloud Web UI you can:
Create new users
View all of your users in a single scrolling window
Filter users by group
See what groups they belong to
Edit their full names and passwords
See their data storage locations
View and set quotas
Create and edit their email addresses
Send an automatic email notification to new users
Delete them with a single click
The default view displays basic information about your users.
The Group filters on the left sidebar let you quickly filter users by their group memberships, and create new groups.
Click the gear icon on the lower left sidebar to set a default storage quota, and to display additional fields: Show
storage location, Show last log in, Show user backend, Send email to new users, and Show email address.
User accounts have the following properties:
Login Name (Username) The unique ID of an ownCloud user, and it cannot be changed.
Full Name The user’s display name that appears on file shares, the ownCloud Web interface, and emails. Admins and
users may change the Full Name anytime. If the Full Name is not set it defaults to the login name.
Password The admin sets the new user’s first password. Both the user and the admin can change the user’s password
at any time.
Groups You may create groups, and assign group memberships to users. By default new users are not assigned to any
groups.
Group Admin Group admins are granted administrative privileges on specific groups, and can add and remove users
from their groups.
Quota The maximum disk space assigned to each user. Any user that exceeds the quota cannot upload or sync data.
You have the option to include external storage in user quotas.
6.1.1 Creating a New User
To create a user account:
Enter the new user’s Login Name and their initial Password
Optionally, assign Groups memberships
Click the Create button
Login names may contain letters (a-z, A-Z), numbers (0-9), dashes (-), underscores (_), periods (.) and at signs (@).
After creating the user, you may fill in their Full Name if it is different than the login name, or leave it for the user to
complete.
If you have checked Send email to new user in the control panel on the lower left sidebar, you may also enter the new
user’s email address, and ownCloud will automatically send them a notification with their new login information. You
may edit this email using the email template editor on your Admin page (see Email Configuration).
6.1.2 Reset a User’s Password
You cannot recover a user’s password, but you can set a new one:
Hover your cursor over the user’s Password field
Click on the pencil icon
Enter the user’s new password in the password field, and remember to provide the user with their password
If you have encryption enabled, there are special considerations for user password resets. Please see Encryption
Configuration.
6.1.3 Renaming a User
Each ownCloud user has two names: a unique Login Name used for authentication, and a Full Name, which is their
display name. You can edit the display name of a user, but you cannot change the login name of any user.
To set or change a user’s display name:
Hover your cursor over the user’s Full Name field
Click on the Pencil icon
Enter the user’s new display name
6.1.4 Granting Administrator Privileges to a User
ownCloud has two types of administrators: Super Administrators and Group Administrators. Group administrators
have the rights to create, edit and delete users in their assigned groups. Group administrators cannot access system
settings, or add or modify users in the groups that they are not Group Administrators for. Use the dropdown menus
in the Group Admin column to assign group admin privileges.
Super Administrators have full rights on your ownCloud server, and can access and modify all settings. To assign
the Super Administrators role to a user, simply add them to the admin group.
6.1.5 Managing Groups
You can assign new users to groups when you create them, and create new groups when you create new users. You may
also use the Add Group button at the top of the left pane to create new groups. New group members will immediately
have access to file shares that belong to their new groups.
6.1.6 Setting Storage Quotas
Click the gear on the lower left pane to set a default storage quota. This is automatically applied to new users. You
may assign a different quota to any user by selecting from the Quota dropdown, selecting either a preset value or
entering a custom value. When you create custom quotas, use the normal abbreviations for your storage values such
as 500 MB, 5 GB, 5 TB, and so on.
You now have a configurable option in config.php that controls whether external storage is counted against users’
quotas. This is still experimental, and may not work as expected. The default is to not count external storage as part
of user storage quotas. If you prefer to include it, then change the default false to true:
'quota_include_external_storage' => false,
Metadata (such as thumbnails, temporary files, and encryption keys) takes up about 10% of disk space, but is not
counted against user quotas. Users can check their used and available space on their Personal pages. Only files that
originate with users count against their quotas, and not files shared with them that originate from other users. For
example, if you upload files to a different user’s share, those files count against your quota. If you re-share a file that
another user shared with you, that file does not count against your quota, but the originating user’s.
Encrypted files are a little larger than unencrypted files; the unencrypted size is calculated against the user’s quota.
Deleted files that are still in the trash bin do not count against quotas. The trash bin is set at 50% of quota. Deleted
file aging is set at 30 days. When deleted files exceed 50% of quota then the oldest files are removed until the total is
below 50%.
When version control is enabled, the older file versions are not counted against quotas.
When a user creates a public share via URL, and allows uploads, any uploaded files count against that user’s quota.
6.1.7 Deleting users
Deleting a user is easy: hover your cursor over their name on the Users page until a trashcan icon appears at the far
right. Click the trashcan, and they’re gone. You’ll see an undo button at the top of the page, which remains until you
refresh the page. When the undo button is gone you cannot recover the deleted user.
All of the files owned by the user are deleted as well, including all files they have shared. If you need to preserve the
user’s files and shares, you must first download them from your ownCloud Files page, which compresses them into a
zip file, or use a sync client to copy them to your local computer. See File Sharing to learn how to create persistent file
shares that survive user deletions.
6.2 Resetting a Lost Admin Password
The normal ways to recover a lost password are:
1. Click the password reset link on the login screen; this appears after a failed login attempt. This works only if you
have entered your email address on your Personal page in the ownCloud Web interface, so that the ownCloud
server can email a reset link to you.
2. Ask another ownCloud server admin to reset it for you.
If neither of these is an option, then you have a third option, and that is using the occ command. occ is in the
owncloud directory, for example /var/www/owncloud/occ. occ has a command for resetting any user’s password,
user:resetpassword. It is best to run occ as the HTTP user, as in this example on Ubuntu Linux:
$ sudo -u www-data php /var/www/owncloud/occ user:resetpassword admin
Enter a new password:
Confirm the new password:
Successfully reset password for admin
If your ownCloud username is not admin, then substitute your ownCloud username.
You can find your HTTP user in your HTTP configuration file. These are the default Apache HTTP user:group on
Linux distros:
Centos, Red Hat, Fedora: apache:apache
Debian, Ubuntu, Linux Mint: www-data:www-data
openSUSE: wwwrun:www
See Using the occ Command to learn more about using the occ command.
6.3 Resetting a User Password
The ownCloud login screen displays a Wrong password. Reset it? message after a user enters an incorrect
password, and then ownCloud automatically resets their password. However, if you are using a read-only authentication
backend such as LDAP or Active Directory, this will not work. In this case you may specify a custom URL in your
config.php file to direct your user to a server that can handle an automatic reset:
'lost_password_link' => 'https://example.org/link/to/password/reset',
6.4 User Authentication with IMAP, SMB, and FTP
You may configure additional user backends in ownCloud’s configuration config/config.php using the following
syntax:
<?php
// Add inside the $CONFIG array in config/config.php
"user_backends" => array (
  0 => array (
    "class" => ...,
    "arguments" => array (
      0 => ...
    ),
  ),
),
Note: A non-blocking or correctly configured SELinux setup is needed for these backends to work. Please refer to
the SELinux Configuration.
Currently the “External user support” (user_external) app, which you need to enable first (See Installing and Managing
Apps) provides the following user backends:
6.4.1 IMAP
Provides authentication against IMAP servers
Class: OC_User_IMAP
Arguments: a mailbox string as defined in the PHP documentation
Dependency: php-imap (See Manual Installation on Linux)
Example:
<?php
// Add inside the $CONFIG array in config/config.php
"user_backends" => array (
  0 => array (
    "class" => "OC_User_IMAP",
    "arguments" => array (
      0 => '{imap.gmail.com:993/imap/ssl}'
    ),
  ),
),
6.4.2 SMB
Provides authentication against Samba servers
Class: OC_User_SMB
Arguments: the samba server to authenticate against
Dependency: PHP smbclient module or smbclient (see SMB/CIFS)
Example:
<?php
// Add inside the $CONFIG array in config/config.php
"user_backends" => array (
  0 => array (
    "class" => "OC_User_SMB",
    "arguments" => array (
      0 => 'localhost'
    ),
  ),
),
6.4.3 FTP
Provides authentication against FTP servers
Class: OC_User_FTP
Arguments: the FTP server to authenticate against
Dependency: php-ftp (See Manual Installation on Linux)
Example:
<?php
// Add inside the $CONFIG array in config/config.php
"user_backends" => array (
  0 => array (
    "class" => "OC_User_FTP",
    "arguments" => array (
      0 => 'localhost'
    ),
  ),
),
6.5 User Authentication with LDAP
ownCloud ships with an LDAP application to allow LDAP users (including Active Directory) to appear in your
ownCloud user listings. These users will authenticate to ownCloud with their LDAP credentials, so you don’t have to
create separate ownCloud user accounts for them. You will manage their ownCloud group memberships, quotas, and
sharing permissions just like any other ownCloud user.
Note: The PHP LDAP module is required; this is supplied by php5-ldap on Debian/Ubuntu, and php-ldap on
CentOS/Red Hat/Fedora. PHP 5.4+ is required in ownCloud 8.1.
The LDAP application supports:
LDAP group support
File sharing with ownCloud users and groups
Access via WebDAV and ownCloud Desktop Client
Versioning, external Storage and all other ownCloud features
Seamless connectivity to Active Directory, with no extra configuration required
Support for primary groups in Active Directory
Auto-detection of LDAP attributes such as base DN, email, and the LDAP server port number
Only read access to your LDAP (edit or delete of users on your LDAP is not supported)
Warning: The LDAP app is not compatible with the User backend using remote HTTP servers app. You cannot use
both of them at the same time.
Note: A non-blocking or correctly configured SELinux setup is needed for the LDAP backend to work. Please refer
to the SELinux Configuration.
6.5.1 Configuration
First enable the LDAP user and group backend app on the Apps page in ownCloud. Then go to your Admin
page to configure it.
The LDAP configuration panel has four tabs. A correctly completed first tab (“Server”) is mandatory to access the
other tabs. A green indicator lights when the configuration is correct. Hover your cursor over the fields to see some
pop-up tooltips.
Server Tab
Start with the Server tab. You may configure multiple servers if you have them. At a minimum you must supply the
LDAP server’s hostname. If your server requires authentication, enter your credentials on this tab. ownCloud will then
attempt to auto-detect the server’s port and base DN. The base DN and port are mandatory, so if ownCloud cannot
detect them you must enter them manually.
Server configuration: Configure one or more LDAP servers. Click the Delete Configuration button to remove the
active configuration.
Host: The host name or IP address of the LDAP server. It can also be an ldaps:// URI. If you enter the port number, it
speeds up server detection.
Examples:
directory.my-company.com
ldaps://directory.my-company.com
directory.my-company.com:9876
Port: The port on which to connect to the LDAP server. The field is disabled in the beginning of a new configuration.
If the LDAP server is running on a standard port, the port will be detected automatically. If you are using a
non-standard port, ownCloud will attempt to detect it. If this fails you must enter the port number manually.
Example:
389
User DN: The name as DN of a user who has permissions to do searches in the LDAP directory. Leave it empty for
anonymous access. We recommend that you have a special LDAP system user for this.
Example:
uid=owncloudsystemuser,cn=sysusers,dc=my-company,dc=com
Password: The password for the user given above. Empty for anonymous access.
Base DN: The base DN of LDAP, from where all users and groups can be reached. You may enter multiple base
DNs, one per line. (Base DNs for users and groups can be set in the Advanced tab.) This field is mandatory.
ownCloud attempts to determine the Base DN according to the provided User DN or the provided Host, and you
must enter it manually if ownCloud does not detect it.
Example:
dc=my-company,dc=com
User Filter
Use this to control which LDAP users are listed as ownCloud users on your ownCloud server. In order to control
which LDAP users can login to your ownCloud server use the Login filter. Those LDAP users who have access but
are not listed as users (if there are any) will be hidden users. You may bypass the form fields and enter a raw LDAP
filter if you prefer.
only those object classes: ownCloud will determine the object classes that are typically available for user objects in
your LDAP. ownCloud will automatically select the object class that returns the highest number of users. You
may select multiple object classes.
only from those groups: If your LDAP server supports the member-of-overlay in LDAP filters, you can define
that only users from one or more certain groups are allowed to appear in user listings in ownCloud. By default,
no value will be selected.
You may select multiple groups.
If your LDAP server does not support the member-of-overlay in LDAP filters, the input field is disabled. Please
contact your LDAP administrator.
Edit raw filter instead: Clicking on this text toggles the filter mode and you can enter the raw LDAP filter directly.
Example:
(&(objectClass=inetOrgPerson)(memberOf=cn=owncloudusers,ou=groups,dc=example,dc=com))
x users found: This is an indicator that tells you approximately how many users will be listed in ownCloud. The
number updates automatically after any changes.
Login Filter
The settings in the Login Filter tab determine which LDAP users can log in to your ownCloud system and which
attribute or attributes the provided login name is matched against (e.g. LDAP/AD username, email address). You may
select multiple user details. (You may bypass the form fields and enter a raw LDAP filter if you prefer.)
You may override your User Filter settings on the User Filter tab by using a raw LDAP filter.
LDAP Username: If this value is checked, the login value will be compared to the username in the LDAP directory.
The corresponding attribute, usually uid or samaccountname will be detected automatically by ownCloud.
LDAP Email Address: If this value is checked, the login value will be compared to an email address in the LDAP
directory; specifically, the mailPrimaryAddress and mail attributes.
Other Attributes: This multi-select box allows you to select other attributes for the comparison. The list is generated
automatically from the user object attributes in your LDAP server.
Edit raw filter instead: Clicking on this text toggles the filter mode and you can enter the raw LDAP filter directly.
The %uid placeholder is replaced with the login name entered by the user upon login.
Examples:
only username:
(&(objectClass=inetOrgPerson)(memberOf=cn=owncloudusers,ou=groups,dc=example,dc=com)(uid=%uid))
username or email address:
(&(objectClass=inetOrgPerson)(memberOf=cn=owncloudusers,ou=groups,dc=example,dc=com)(|(uid=%uid)(mail=%uid)))
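A way to check a raw login filter before saving it, and to see what the %uid substitution produces, as an added example that is not ownCloud code. It assumes the login name is escaped per RFC 4515 before it replaces %uid (how ownCloud itself performs the substitution is not shown on this page); the function names and sample values are hypothetical.

```python
PLACEHOLDER = "%uid"

# RFC 4515: characters that must be written as \XX inside a filter value.
FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def check_login_filter(template):
    """Return a list of problems in a raw login filter template (empty = OK)."""
    problems = []
    depth = 0
    for pos, ch in enumerate(template):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("unexpected ')' at offset %d" % pos)
                depth = 0
    if depth > 0:
        problems.append("%d unclosed '('" % depth)
    if PLACEHOLDER not in template:
        problems.append("no %uid placeholder: the login name is never matched")
    return problems


def expand_login_filter(template, login_name):
    """Substitute the escaped login name for every %uid in a valid template."""
    problems = check_login_filter(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace(PLACEHOLDER, escape_filter_value(login_name))


# Constructed sample data: a username-or-email template in the style of the
# examples above, and the same template with its final ')' lost in copy/paste.
GOOD_TEMPLATE = (
    "(&(objectClass=inetOrgPerson)"
    "(memberOf=cn=owncloudusers,ou=groups,dc=example,dc=com)"
    "(|(uid=%uid)(mail=%uid)))"
)
TRUNCATED_TEMPLATE = GOOD_TEMPLATE[:-1]

if __name__ == "__main__":
    print(check_login_filter(TRUNCATED_TEMPLATE))
    print(expand_login_filter(GOOD_TEMPLATE, "alice"))
    # A login name containing filter metacharacters stays inside its value.
    print(expand_login_filter(GOOD_TEMPLATE, "a*(b)"))
```

An unbalanced template is rejected before any directory query is built, and the expanded filter always has the same parenthesis structure as the template.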
Group Filter
By default, no LDAP groups will be available in ownCloud. The settings in the group filter tab determine which groups
will be available in ownCloud. You may also elect to enter a raw LDAP filter instead.
only those object classes: ownCloud will determine the object classes that are typically available for group objects
in your LDAP server. ownCloud will only list object classes that return at least one group object. You can select
multiple object classes. A typical object class is “group”, or “posixGroup”.
only from those groups: ownCloud will generate a list of available groups found in your LDAP server, and then you
select the group or groups that get access to your ownCloud server.
Edit raw filter instead: Clicking on this text toggles the filter mode and you can enter the raw LDAP filter directly.
Example:
objectClass=group
objectClass=posixGroup
y groups found: This tells you approximately how many groups will be available in ownCloud. The number updates
automatically after any change.
6.5.2 Advanced Settings
The LDAP Advanced Setting section contains options that are not needed for a working connection. This provides
controls to disable the current configuration, configure replica hosts, and various performance-enhancing options.
The Advanced Settings are structured into three parts:
Connection Settings
Directory Settings
Special Attributes
Connection Settings
Configuration Active: Enables or Disables the current configuration. By default, it is turned off. When ownCloud
makes a successful test connection it is automatically turned on.
Backup (Replica) Host: If you have a backup LDAP server, enter the connection settings here. ownCloud will then
automatically connect to the backup when the main server cannot be reache