Maximum PC

Create a Pi Cloud with OwnCloud


THERE ARE PLENTY OF CLOUD file storage and sharing services, so why would you want the hassle of setting up your own? There are many reasons, beyond the perfectly acceptable “because you can.” Commercial services have limits on the amount of data you can store. They may or may not encrypt your data, but it is their encryption—you can’t be sure that they can’t read it. If you’re sharing between computers on the same network, your data still has to go to their server, over a relatively slow upstream link, before it can be downloaded to another computer in the next room. On the other hand, commercial providers have large data farms, with plenty of redundant storage and connectivity, and, usually, comprehensive backup procedures. If you want to run your own cloud storage, you have to take responsibility for that. –NEIL BOTHWICK

1 ESSENTIAL GEAR

You’re still reading, so we assume you are interested in doing this. The three things you need are: an always-on computer, some suitable software, and a decent amount of storage space. The first one could be any Linux computer you leave turned on, but we are going to use a Raspberry Pi for this [Image A]. It’s ideally suited for the low-powered, always-on needs of a home network. You may have heard of the software: it’s called OwnCloud (www.owncloud.org). For the storage space, you need to add some to the Raspberry Pi. For initial testing, a decent-sized SD card will give sufficient storage. As your storage needs grow, a USB external disk may be called for.

2 SETTING UP THE PI

We are going to use the latest version of Raspbian on the Pi, although these instructions work with any distro based on Debian, so you could equally follow them on an Ubuntu desktop. Download the latest Raspbian Lite image from www.raspberrypi.org/downloads/raspbian, and copy it to an SD card. Then put it in the Raspberry Pi, and fire it up.
Raspbian Lite is a headless version, which means all commands are entered in an SSH session, so open a terminal on your computer, and run:

$ ssh pi@IP-ADDRESS

using the IP address of your Pi. The default password is “raspberry,” so the first thing to do is run:

$ sudo raspi-config

and change the password to something else. Then select the option to resize the filesystem to fit your SD card. You should also go into the advanced options section, and give the Pi a hostname. When you exit raspi-config and reboot, it should then be accessible using the hostname you gave it (although this does depend on your router).

Your Raspberry Pi is assigned an IP address by your router’s DHCP server. While such addresses are assigned dynamically, DHCP servers generally remember which address they gave to which hardware, and give the same one each time. You can set up your server to use a static IP address, of course, but it’s generally not necessary, especially if you set a hostname in raspi-config to give the Raspberry Pi a useful name. This is the local address we are talking about—some sort of static address or domain is needed if you want to be able to connect to your cloud storage from outside of your network. If you don’t have a static address, one of the dynamic DNS services would be useful.

3 INSTALL A WEB SERVER

OwnCloud is a web application [Image B], so it needs a web server to run it. Apache is the most popular web server, but it’s a bit heavyweight for a Pi, especially as we don’t need all its capabilities. Lightweight, but very functional, alternatives include lighttpd (www.lighttpd.net) and Nginx (http://nginx.org)—we are using the former here. SSH into your Pi, make sure everything is up to date, then install lighttpd (known to its friends as “lighty”), and the required PHP modules with:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install lighttpd php5-cgi php5-gd php5-curl php5-sqlite

Now point a browser at http://<IP-ADDRESS-OF-PI>, and you’ll see the lighttpd placeholder page [Image C]. We’ll disable access to this later on, after we’ve set up the homepage.

Now it’s time to install OwnCloud, which is basically a case of unpacking the tarball into the web server’s DocumentRoot—the directory from which it serves files. In the Raspbian install of lighttpd, this is /var/www/html, so unpack the tarball with:

$ sudo tar -C /var/www/html -xf owncloud-9.0.2.tar.bz2

4 INSTALLING OWNCLOUD

OwnCloud defaults to storing its data inside its DocumentRoot, which isn’t particularly secure. It’s safer to create a directory elsewhere for this, and make it owned by the user running the web server—www-data for Debian systems.

$ sudo mkdir -p /var/owncloud/data
$ sudo chown -R www-data: /var/owncloud

The server also needs write access to some directories in the DocumentRoot, which you do with this command:

$ sudo chown -R www-data: /var/www/html/owncloud/{apps,config,themes,updater,.user.ini}

Don’t be tempted to simply chown the whole OwnCloud directory; it’s more secure if you only allow the web server to write to the directories it needs to. If you try to open http://IP-ADDRESS/owncloud in your browser, you get a “Forbidden” error, so there’s clearly some more configuration to do. There are various pre-made configurations in /etc/lighttpd/conf-available. You enable them with the lighttpd-enable-mod command, which symlinks them into the conf-enabled directory. Run:

$ sudo lighttpd-enable-mod accesslog
$ sudo lighttpd-enable-mod fastcgi
$ sudo lighttpd-enable-mod fastcgi-php

then restart the server with:

$ sudo systemctl restart lighttpd

and reload the page in your browser. Here you are asked to create an admin user and password. Click on “Storage & database” below this, and change the data folder to /var/owncloud/data. After a bit of whirring and clicking (well, the Pi is silent, but that’s what it feels like), the OwnCloud homepage shows up. At this point, you can create folders and upload files by clicking the “+” icon above the file list.
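The advice above about not chowning the whole OwnCloud directory can be checked after the fact. This is an added example, not part of the original article: the function name and the ALLOWED variable are hypothetical, and the five permitted names are the ones in the article's chown command.

```shell
#!/bin/sh
# Added example, not from the article: find paths under the OwnCloud
# directory that the web server user owns beyond the five the article names.

# Names taken from the article's chown command.
ALLOWED="apps config themes updater .user.ini"

# unexpected_owned ROOT USER
# Prints, relative to ROOT, each topmost path owned by USER whose first
# component is not in ALLOWED. USER may be a name or a numeric uid.
unexpected_owned() (
    cd "$1" || exit 2
    # -prune stops at the first owned directory, so a chown -R of a whole
    # subtree is reported once instead of once per file.
    find . -mindepth 1 -user "$2" -prune -print |
    while IFS= read -r path; do
        path=${path#./}
        top=${path%%/*}
        case " $ALLOWED " in
            *" $top "*) ;;                 # one of the five expected names
            *) printf '%s\n' "$path" ;;    # anything else is a finding
        esac
    done | sort
)

# Live use on the Pi: ./owned.sh /var/www/html/owncloud www-data
if [ "$#" -eq 2 ]; then
    unexpected_owned "$1" "$2"
fi
```

An empty result means the web server owns nothing outside the five named paths; any line printed is a file or directory it could overwrite.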

At the top-right of the display, you will see your username as a drop-down menu. As your user is also the admin, this menu has extra options—for example, you can create users and groups (these are for OwnCloud only, not to be confused with system users and groups). There is also an admin option, and selecting this loads a page with various settings and a couple of warnings at the top. The first warns you that you are using HTTP and not HTTPS to transfer files. This is not a problem if you are only running OwnCloud on your private LAN, and it does make life a little easier for the Pi. If you are sharing files over the Internet, using HTTPS is a good idea, and is covered later on.

5 OWNCLOUD ADMIN

The other warning is about a memory cache. This isn’t required, but does speed things up. To set this up, install the APCu (Alternative PHP Cache) program and then restart the server:

$ sudo apt-get install php5-apcu
$ sudo systemctl restart lighttpd

Then enable the cache in OwnCloud by editing /var/www/html/owncloud/config/config.php and adding

  'memcache.local' => '\OC\Memcache\APCu',

to the end of the file, just before the final closing parenthesis. After editing, the end of the file should look like:

  'installed' => true,
  'memcache.local' => '\OC\Memcache\APCu',
);

6 SECURING ACCESS

OwnCloud already has usernames and passwords to control access, but if you are going to open your OwnCloud setup to the world at large, you need to take some extra precautions. First of all, the advice to locate the data directory outside of the web server’s scope becomes even more important. If you cannot do this for any reason, you can disable access to it by lighttpd by editing /etc/lighttpd/lighttpd.conf, and adding:

$HTTP["url"] =~ "^/owncloud/data/" {
    url.access-deny = ("")
}

This blocks all access to the data directory. Then you should disable all directory listings by adding:

$HTTP["url"] =~ "^/owncloud($|/)" {
    dir-listing.activate = "disable"
}

OwnCloud includes an Apache .htaccess file to implement these measures, but lighttpd does not use .htaccess files, so you have to put everything in the configuration file, then restart the server. Many server administrators discourage the use of .htaccess anyway, as it means every page load causes them all to be parsed again, while configuration files load only once at startup.

The other important step for remote usage is to use HTTPS instead of HTTP. You can do this with a self-signed certificate. First, you need to create a certificate:

$ cd /etc/lighttpd
$ sudo openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
$ sudo chmod 400 server.pem
$ sudo lighttpd-enable-mod ssl

While you’re at it, add HSTS (HTTP Strict Transport Security) by creating the file conf-enabled/10-hsts.conf, containing:

server.modules += ( "mod_setenv" )
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000" )
}

You can change the name and location of the certificate file as long as you edit the setting for ssl.pemfile in 10-ssl.conf to match. Using a self-signed certificate causes your browser to warn you, until you add an exception, but if you are only using it to access your own files from outside, that isn’t an issue. For more serious use, a proper SSL certificate is a better idea. Once you restart the server, you can access it as https://your.server/owncloud.
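Once the server has restarted, the data-directory block and the HSTS header from this section can be confirmed from a client. This is an added example, not part of the original article: the function names are hypothetical, and the threshold is the max-age value from the 10-hsts.conf shown above.

```shell
#!/bin/sh
# Added example, not from the article. Checks two of the section's settings
# from raw response headers such as those printed by `curl -skI URL`.

MIN_AGE=31536000   # the max-age value used in the article's 10-hsts.conf

# status_of: print the status code from a header dump on stdin.
status_of() {
    tr -d '\r' | awk 'NR == 1 && $1 ~ /^HTTP\// { print $2 }'
}

# hsts_max_age: print the max-age directive of the HSTS header, if any.
hsts_max_age() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "strict-transport-security" {
        n = split($2, d, /; */)
        for (i = 1; i <= n; i++)
            if (tolower(d[i]) ~ /^max-age=/) {
                sub(/^[^=]*=/, "", d[i]); gsub(/"/, "", d[i]); print d[i]; exit
            }
    }'
}

# audit DATA_HEADERS APP_HEADERS: print one line per failed check.
audit() (
    code=$(printf '%s\n' "$1" | status_of)
    case $code in
        2??|'') echo "data directory answered '${code}', expected a refusal" ;;
    esac
    age=$(printf '%s\n' "$2" | hsts_max_age)
    case $age in
        ''|*[!0-9]*) echo "no usable Strict-Transport-Security header" ;;
        *) [ "$age" -ge "$MIN_AGE" ] || echo "HSTS max-age $age is below $MIN_AGE" ;;
    esac
)

# Live use: ./check.sh https://your.server  (-k accepts the self-signed cert)
if [ "$#" -eq 1 ]; then
    audit "$(curl -skI "$1/owncloud/data/")" "$(curl -skI "$1/owncloud/")"
fi
```

No output means both checks passed. Browsers ignore the Strict-Transport-Security header on a connection that has certificate errors (RFC 6797), so with a self-signed certificate it only takes effect once the certificate is trusted.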

You also have to configure your router to forward the relevant incoming port to your OwnCloud server. This is normally port 80 for HTTP, and port 443 for HTTPS. If you want to enforce HTTPS usage when connecting from outside, only forward port 443 on your router.

There is another way to handle access from outside: to use a VPN. It is beyond the scope of this article to explain how to do that, but if you regularly connect to your network from outside, running OpenVPN or using a service such as ZeroTier One saves you having to set up and secure external access for each of your services.

7 EXPLORING OWNCLOUD

So, you have set up OwnCloud, and you can upload and download files, but you could do that with just a web server. What makes OwnCloud useful are its abilities to share files and other data. Click on the drop-down menu by your user name, and go to the “Users” page to create users and groups. Each user has their own password, and just as with the Linux system, they can be collected into groups. Once you have created a user, you can share folders and files with them. Click on the share icon to the right of the file or folder name to open the sharing pane. Type part of a user or group name to see a list of matches, then select the one you want. It’s also possible to share with a user on another OwnCloud server by typing “user@server.address/owncloud.” Once you have added a user to share with, a number of checkboxes enable you to specify what they can do with that share: whether they can re-share it with others, and whether they can edit, overwrite, or delete files you created.

If you just want someone to be able to download a file, without giving them access to the rest of your OwnCloud, check the “Share link” box; this gives you a URL that you can pass to them to view or download the file directly. If you are concerned about others using this link, you can password-protect it or set an expiry date.

8 COLLABORATION

Being able to let others view and upload files is good, but OwnCloud also allows for collaboration [Image D]. At the moment, this is limited to word processor documents in ODT, DOC, and DOCX format. The first step is to enable the Documents app: select “Apps” from the drop-down menu at the top-left of the display, type “documents” in the search box, then press the “Enable” button for the app. Go back to the drop-down menu, and you’ll see a new option for “Documents.” From here, you can open an existing document, create a new one, or upload one from your computer. See the “Share” button at the top of the word processor display? Avoid it, as it doesn’t work in the current release. Instead, go back to the “Files” view, and share the file from there. Make sure you enable the “Can edit” and “Can change” options, then each user can open the file in their Documents app, and make changes. As other users edit the file, you can see the changes in your editor, color-coded to show which user made which change [Image E].

9 KEEPING IN SYNC

Keeping your cloud documents synchronized with your desktop and mobile computers is easy, as there are synchronization programs for the three major desktop operating systems (Ubuntu, OpenSUSE, and Fedora), as well as Windows and Mac, along with mobile apps for various platforms. Install them in the usual way, then add an account with your server address and login details. As with the browser access, if you are using a self-signed SSL certificate, you are asked whether to accept it the first time you connect. Then you can choose which folders to sync between the computer and server.

The default is to keep a copy of everything on the server in ~/ownCloud, but you can choose individual directories to sync. You can sync whichever folders you want; there is no arbitrary limit as with most commercially provided servers, especially their free versions. Once set up, the desktop client [Image F] sits in the system tray, and notifies you when files are updated. Setting up the mobile clients is similar, but if you want to be able to sync when out and about, you need to set up your router, and OwnCloud, for external access.

There are a couple of tweaks you may want to make. We mentioned disabling the lighttpd placeholder page: You can delete the index.lighttpd.html placeholder file from the DocumentRoot, then prevent any directory listings of that URL by adding this to /etc/lighttpd/lighttpd.conf:

$HTTP["url"] =~ "^/$" {
    dir-listing.activate = "disable"
}

The default maximum file upload size is 512MB, which is possibly sufficient for Internet use, but you may want to exchange larger files over your LAN. You can change the limit in the “File Handling” section of the “Admin” page. If you see a message about missing permissions, make sure owncloud/.user.ini is owned by www-data, and restart the server. It may take a few minutes for this change to take effect.

If you start uploading large files, you’ll soon fill the Pi’s SD card. If you attach a USB hard drive, copy the contents of /var/owncloud/data to the drive, then mount the drive at /var/owncloud/data, you can have as much space as you want. That should get you started with OwnCloud, but there are plenty of other options to explore.
