Secure Collaboration

Getting Your Own System

After a manual installation or a "canned" version by the provider, you now have a pristine Ubuntu installation. Besides the basic services, you have no software. In most cases, these "essential services" are restricted to SSH, which allows logins via the remote shell. Your first task now awaits you: SSH login with an SSH key is far safer than using a password. The public part of an SSH key belongs in ~/.ssh/authorized_keys. You can find instructions online [1] for Linux, Windows, and OS X on how to create an SSH key.

The first round of updates then follow: The basic installation of a distribution is usually only revised every few months. Updates to individual packages are released many times in between. Run

apt-get update
apt-get -y dist-upgrade

to install the latest updates after the basic install. This process regularly installs a new operating system kernel on the system, which requires a reboot (with the reboot command). When the system comes back after the restart, you can start installing ownCloud, and ownCloud needs a web server.

Setting Up Apache

OwnCloud is a PHP application that only works sensibly in conjunction with a web server. Nginx is a possibility, but the combination of Apache and ownCloud is certainly more widespread. Apache in a current version is included in Ubuntu, so you just need to install the apache2 package. However, Apache on Ubuntu is not set up out the box to support SSL for secure connections, which is unacceptable: The transfer of corporate data should be always encrypted.

The good news is that Apache itself is easily extended to include SSL functionality. For this purpose, you need the SSL certificate issued by an SSL Certificate Authority along with the corresponding private key; you should install these files in the /etc/apache2/ssl that you create with mkdir, if it does not exist. For simplicity's sake, I am assuming in this example that the certificate is named owncloud.crt and that owncloud.key is the matching key. The command

sudo a2enmod ssl && sudo service apache2 restart

enables the SSL module for Apache.

Configuring the SSL Default Page

Next, focus your attention on the /etc/apache2/sites-available/default-ssl.conf file, where you will find two lines that start with SSLCertificateFile and SSLCertificateKeyFile (Figure 1). The entries /etc/apache2/ssl/owncloud.crt and /etc/apache2/ssl/owncloud.key are correct for this example. The line that begins with DocumentRoot needs the value /var/www. So that the web server knows its name, the ServerName keyword must be present and must have a correct value (e.g., owncloud.example.com). If you want the setup to be accessible under alias domains (e.g., storage.example.com), you need to add a ServerAlias record. The shared domain must match the SSL certificate you use, because users with SSL-based access will otherwise see a certificate warning. Also, the value for SSLEngine must be on. Finally, copy the text in Listing 1 to the file.

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

Figure 1: Some changes to the configuration of the Apache web server are necessary for the web browser to support SSL.

For each of the keywords mentioned, you have to remove the # at the beginning of the line if the respective line is commented out; then, type

sudo a2ensite default-ssl.conf
sudo a2enmod headers
sudo service apache2 restart

to enable the default SSL page, enable the module that allows the modification of HTTP headers in Apache, and restart Apache.

That's it: Apache now has an SSL certificate. By the way, if you have never been through the process of issuing an SSL certificate, you will find instructions online [2]. The referenced article refers to Let's Encrypt, a service that issues free SSL/TLS certificates.