Introduction
NextCloud is an open-source self-hosted file storage system; the current release at the time of writing is 12. Its source code is fully open, so you can use it free of charge under the terms of its open-source licence, and users who need professional support can buy NextCloud's official subscription. Android and iOS clients are available for synchronisation.
For details see the NextCloud website.
Prerequisites
To run your own cloud you need a VPS. Because the server has to be reachable by name (and a TLS certificate will later be issued for that name), you also need a domain; both can be bought from providers such as Alibaba Cloud or Tencent Cloud.
VPS operating system
Ubuntu 16.04
Installation methods
There are two ways to install NextCloud: in Docker, or directly in a PHP environment on the host. This article takes the PHP route; for the Docker route see the separate write-up "Docker安裝私有云盤NextCloud過程記錄" (Installing the NextCloud private cloud with Docker). Let's begin.
Installing dependencies
Web server
nginx is used as the web server here. Install it with:
apt-get install nginx
Database
NextCloud supports MySQL/MariaDB, PostgreSQL and Oracle as its database; MySQL/MariaDB is the officially recommended choice and is used here. Install MySQL and run its hardening script:
apt-get install mysql-server
mysql_secure_installation
The script asks you to set the root password and a password-strength policy, and then offers to remove the anonymous accounts, disable remote root login and drop the test database. Accept those hardening steps; NextCloud will get its own, less privileged account below.
PHP runtime
Install PHP together with PHP-FPM, the FastCGI process manager that nginx will hand requests to:
apt-get install php-fpm
(Do not install the bare php metapackage: on Ubuntu 16.04 it pulls in Apache as a dependency, which then competes with nginx for port 80. The nginx configuration below expects php-fpm.)
NextCloud 12 requires at least PHP 5.6. Check the installed version with
php -v
Ubuntu 16.04 ships PHP 7.0, which is what this guide assumes: it is markedly faster than the 5.x series and matches the php7.0-fpm paths used in the nginx configuration below.
Then install the PHP extensions NextCloud needs. The GD extension (php-gd) is required as well, and the installer will flag any module that is still missing:
apt-get install php-zip
apt-get install php-xml
apt-get install php-mbstring
apt-get install php-curl
apt-get install php-mysql
apt-get install php-gd
With that, the environment is ready.
Installing NextCloud
Change into the installation directory /var/www, then download and unpack NextCloud 12 with the following commands. The download server also publishes a .sha256 checksum and a .asc GPG signature next to each release archive; comparing the checksum (sha256sum -c) before unpacking is cheap insurance against a corrupted or tampered download.
cd /var/www
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.3.zip
unzip nextcloud-*.zip
Configuring the database
NextCloud needs a database for its metadata. MySQL is used here; the other databases are set up similarly.
Open the MySQL client as root:
mysql -u root -p
Create the database. Use utf8mb4 so that 4-byte characters (emoji in file names, for instance) work; the config.php shown later sets mysql.utf8mb4 accordingly:
create database your_db character set utf8mb4 collate utf8mb4_general_ci;
Then create a dedicated database user for NextCloud:
create user 'your_username'@'localhost' identified by 'your_passwd';
Here your_username is the user name and localhost restricts the account to connections from the same machine. If NextCloud will run on a different host from the database, replace localhost with that host's address (the wildcard '%' allows any host) and firewall port 3306 so that only the NextCloud server can reach it. your_passwd is the account's password.
If you get "Your password does not satisfy the current policy requirements", the password is weaker than the policy you chose in mysql_secure_installation. Rather than weakening the global policy with set global validate_password_policy=0, pick a long random password: NextCloud stores it in config.php and you never type it again, so there is no reason for it to be memorable.
Grant the user privileges on its own database only. The password was already set by create user, so leave the identified by clause off the grant (MySQL 5.7 deprecates it there and 8.0 removes it):
grant all privileges on your_db.* to 'your_username'@'localhost';
flush privileges;
quit
The database is now ready.
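The database steps above, carried out from a shell script instead of the mysql> prompt, as an added example that is not part of the original post (nextcloud_db, nextcloud and the functions gen_db_password and nextcloud_db_sql are this example's own names). It generates a password long enough that the MySQL policy never needs to be lowered, and emits the statements with the syntax MySQL 5.7 accepts:

```shell
#!/bin/sh
# Added example, not part of the original post: generate a strong database
# password and emit the SQL the steps above describe, with the syntax
# MySQL 5.7 (Ubuntu 16.04) accepts. Database and user names are placeholders.

# Random password drawn from /dev/urandom, limited to letters and digits so it
# can be pasted into SQL, config.php and a shell without quoting trouble.
# 32 characters of this 62-symbol alphabet is about 190 bits of entropy.
gen_db_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
    printf '\n'
}

# Print the SQL for one NextCloud database:
#  - utf8mb4, so 4-byte characters in file names work (config.php later sets
#    'mysql.utf8mb4' => true);
#  - a user bound to exactly one host (localhost unless told otherwise);
#  - a grant on that one database only. The password is set by CREATE USER;
#    "GRANT ... IDENTIFIED BY" is deprecated in MySQL 5.7 and gone in 8.0.
nextcloud_db_sql() {
    db=$1; user=$2; pass=$3; host=${4:-localhost}
    printf "CREATE DATABASE IF NOT EXISTS %s CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;\n" "$db"
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s';\n" "$db" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# Usage (run once as the MySQL root user, then keep the password for the
# NextCloud installer's database step):
#   PW=$(gen_db_password)
#   nextcloud_db_sql nextcloud_db nextcloud "$PW" | mysql -u root -p
#   printf 'database password: %s\n' "$PW"
```

Pass a fourth argument (an IP address or '%') only when the database really lives on another machine; the default binds the account to localhost, which together with a firewalled port 3306 keeps the credential useless from anywhere else.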
Configuring the nginx server
Change into /etc/nginx/sites-available/:
cd /etc/nginx/sites-available/
Create a file called cloud (any name works; for readability, your domain name is a good choice):
touch cloud
Change into /etc/nginx/sites-enabled/:
cd /etc/nginx/sites-enabled/
and create the symlink that enables the site:
ln -s ../sites-available/cloud cloud
Edit cloud:
vi cloud
The official NextCloud documentation provides an nginx configuration. Copy it into cloud; the parts you need to change are marked with comments below.
upstream php-handler {
#server 127.0.0.1:9000;
server unix:/var/run/php/php7.0-fpm.sock; # unix socket: avoids the TCP loopback and cannot be reached from the network
}
# If you use HTTPS, uncomment this block
#server {
# listen 80;
# server_name cloud.example.com; # replace cloud.example.com with your domain
# # enforce https
# return 301 https://$server_name$request_uri;
#}
server {
#listen 443 ssl http2; # if you use HTTPS, uncomment this line and comment out the next one
listen 80;
server_name cloud.example.com; # replace cloud.example.com with your domain
# If you use HTTPS, uncomment the next two lines
#ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
#ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /var/www/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# fastcgi_param HTTPS on; # uncomment if you use HTTPS
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
}
That completes the server configuration.
Check the syntax with nginx -t, then reload nginx:
systemctl reload nginx.service
Open your domain in a browser. If everything is working you will see the installation page; if it reports missing dependencies, install them as prompted. The installer asks for the database name, user and password created above and lets you choose the administrator password and the data directory. The default data directory, /var/www/nextcloud/data, sits inside the web root and is shielded only by the deny rule for /data/ in the configuration above, so keep that rule (or point the data directory outside /var/www).
Possible problems
- Missing php-* dependencies
Solution: make sure every PHP extension listed above is installed.
- The browser shows a 502 error after installation
Solution: a 502 means nginx got no valid answer from PHP-FPM. Confirm that php7.0-fpm is running and that the socket path in the upstream block matches the listen setting in /etc/php/7.0/fpm/pool.d/www.conf. A related and very common problem is ownership: the archive was unpacked as root (or another user) while PHP-FPM runs as www-data, so NextCloud cannot write its config/ and data/ directories. Hand the tree to the PHP user:
cd /var/www
chown -R www-data:www-data nextcloud/
Security warnings in the admin interface:
- "PHP does not seem to be set up properly to query system environment variables. The test with getenv("PATH") only returns an empty response."
Solution: in /etc/php/7.0/fpm/pool.d/www.conf uncomment the following lines, then reload php7.0-fpm:
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
- "No memory cache has been configured"
Solution: see the performance section.
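The ownership fix above only changes who owns the files; the modes unzip left behind may still let every local account read config.php and user data. The following added example (not from the original post; harden_nextcloud_perms and mode_of are this example's own names) applies least-privilege modes to the whole tree in one go:

```shell
#!/bin/sh
# Added example, not part of the original post: apply least-privilege file
# permissions to a NextCloud tree after unpacking it as root. Everything
# becomes owner read/write, group read, world nothing, so other local accounts
# (or another PHP application on the same box) cannot read config.php or user data.

# harden_nextcloud_perms ROOT [OWNER]
#   ROOT  - the unpacked NextCloud directory, e.g. /var/www/nextcloud
#   OWNER - user:group to hand the tree to (www-data:www-data on Ubuntu);
#           omit it to change modes only, e.g. when not running as root.
harden_nextcloud_perms() {
    root=$1; owner=$2
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    # Directories: enter and list for owner and group only (750).
    find "$root" -type d -exec chmod 750 {} +
    # Files: read/write for owner, read for group, nothing for others (640).
    find "$root" -type f -exec chmod 640 {} +
    # occ is a command-line tool that must stay executable by its owner and group.
    [ -f "$root/occ" ] && chmod 750 "$root/occ"
    if [ -n "$owner" ]; then
        chown -R "$owner" "$root"
    fi
    return 0
}

# Symbolic mode of one path (e.g. -rw-r-----), so the result can be verified.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage on a real install (as root):
#   harden_nextcloud_perms /var/www/nextcloud www-data:www-data
#   mode_of /var/www/nextcloud/config/config.php
```

Run it again after every upgrade or manual app install, since files written by other tools will not follow these modes; the built-in updater runs as www-data and keeps working because www-data owns the tree.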
Performance tuning
NextCloud can keep a local memory cache, with three supported back ends: APCu, Memcached and Redis. Only the APCu setup is shown here; see the official documentation for the others.
Configuring APCu
Install APCu:
sudo apt-get update
sudo apt-get install php-apcu -y
Open /var/www/nextcloud/config/config.php and add the following line:
'memcache.local' => '\OC\Memcache\APCu',
The final config.php looks roughly like this. instanceid, passwordsalt and secret are blanked out in the listing; never publish them, and keep the file readable by www-data only (mode 0640), because it also holds the database password:
<?php
$CONFIG = array (
'instanceid' => '',
'passwordsalt' => '',
'secret' => '',
'trusted_domains' =>
array (
0 => 'cloud.host.com',
),
'datadirectory' => '/var/www/nextcloud/data',
'overwrite.cli.url' => 'https://cloud.host.com',
'dbtype' => 'mysql',
'version' => '12.0.3.3',
'dbname' => 'nextcloud_db',
'dbhost' => 'localhost:3306',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'nextcloud',
'dbpassword' => '*_mycloud',
'installed' => true,
'memcache.local' => '\OC\Memcache\APCu', // add this line
);
Reload php7.0-fpm:
sudo systemctl reload php7.0-fpm.service
and reload nginx:
sudo systemctl reload nginx.service
If the admin interface now shows no security warnings, congratulations: the NextCloud setup is complete. NextCloud also has a large catalogue of apps to support your work; explore them at your leisure.
Configuring HTTPS
So far HTTPS has not been enabled, which means passwords, session cookies and file contents cross the network in cleartext and can be read or altered by anyone on the path. HTTPS needs a TLS certificate. Commercial certificates cost money, but Let's Encrypt issues them for free, and the certbot client automates the otherwise fiddly issuance and installation. Install it as follows:
Install certbot
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
Obtaining and installing the certificate
certbot --nginx
The --nginx flag selects the nginx plugin installed above. certbot reads the server blocks and domain names from your nginx configuration; follow the prompts, and note the path where it says the certificate was stored.
Let's Encrypt rate-limits issuance so the service stays available to everyone: at the time of writing, 5 duplicate certificates (the same set of names) per week and 20 certificates per registered domain per week, plus a separate limit on failed validations. Keep the certificate you obtained (certbot stores it under /etc/letsencrypt/live/ and installs a scheduled certbot renew; test it with certbot renew --dry-run) and do not re-request it without reason. See the official "Rate Limits" page for the current values.
Now enable the HTTPS parts of /etc/nginx/sites-enabled/cloud. The final cloud file looks like this (certbot has already inserted the lines marked "managed by Certbot"):
upstream php-handler {
# server 127.0.0.1:9000;
server unix:/var/run/php/php7.0-fpm.sock;
}
server {
listen 80;
server_name cloud.example.com;
# enforce https. One redirect is enough: certbot's nginx plugin adds an
# equivalent 'if ($scheme != "https")' block marked "managed by Certbot",
# but nothing after a return is ever reached, so keep only one of the two.
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name cloud.example.com;
#ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
#ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first. preload is deliberately left off (see the warning below).
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /var/www/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
ssl_certificate /etc/letsencrypt/live/cloud.manlier.top/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cloud.manlier.top/privkey.pem; # managed by Certbot
}
The two ssl_certificate lines at the bottom are what certbot inserted; cloud.manlier.top is the author's domain and yours will differ. Note that this file contains no ssl_protocols or ssl_ciphers directive, so nginx on Ubuntu 16.04 falls back to its defaults, which still allow TLS 1.0. Recent certbot versions also insert an include of /etc/letsencrypt/options-ssl-nginx.conf with their recommended protocol and cipher settings; if your file has neither that include nor an ssl_protocols line, add ssl_protocols TLSv1.2; to the 443 server block yourself.
Finally, check the syntax with nginx -t and reload nginx:
systemctl reload nginx.service
In Chrome or another Chromium-based browser the address bar should now show the green padlock, which means HTTPS is working. Also confirm that a plain http:// request is redirected, and that the admin page's security check no longer complains about the Strict-Transport-Security header.
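To confirm that the nginx deny rules, the security headers and the HTTP-to-HTTPS redirect actually behave as the configuration above promises, here is an added example that probes a deployed instance from outside (not part of the original post; cloud.example.com is a placeholder, audit_nextcloud, expect_status, expect_header, status_of and http_head are this example's own names, and it assumes curl is installed):

```shell
#!/bin/sh
# Added example, not part of the original post: check from the outside that the
# nginx configuration above does what it promises: the deny rules hide
# NextCloud's internals, the security headers are sent, and plain HTTP is
# redirected to HTTPS. Needs curl; the host name is a placeholder.

# Fetch only the response headers. No -k: a bad certificate must fail.
http_head() {
    curl -sS -o /dev/null -D - --max-time 10 "$1"
}

# Status code from the first line, e.g. "HTTP/1.1 403 Forbidden" -> 403,
# "HTTP/2 200" -> 200. Empty when there was no response at all.
status_of() {
    http_head "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p' | tr -d '\r'
}

expect_status() {
    url=$1; want=$2
    got=$(status_of "$url")
    [ "$got" = "$want" ] && return 0
    echo "FAIL $url: status ${got:-none}, expected $want" >&2
    return 1
}

expect_header() {
    url=$1; name=$2
    http_head "$url" | grep -qi "^$name:" && return 0
    echo "FAIL $url: header $name missing" >&2
    return 1
}

# audit_nextcloud https://cloud.example.com
# Prints one FAIL line per problem and returns the number of failed checks.
audit_nextcloud() {
    base=$1; fails=0
    # Paths the "deny all" locations must hide: config, data, dotfiles, occ, db_ files.
    for p in /config/config.php /data/.ocdata /.htaccess /occ /db_structure.xml; do
        expect_status "$base$p" 403 || fails=$((fails + 1))
    done
    # status.php is public by design and proves that nginx reaches PHP-FPM.
    expect_status "$base/status.php" 200 || fails=$((fails + 1))
    for h in X-Content-Type-Options X-Robots-Tag X-Download-Options X-Permitted-Cross-Domain-Policies; do
        expect_header "$base/status.php" "$h" || fails=$((fails + 1))
    done
    # With HTTPS enabled: HTTP must redirect, and HSTS must be sent over TLS.
    case $base in
    https://*)
        plain="http://${base#https://}"
        expect_status "$plain/status.php" 301 || fails=$((fails + 1))
        expect_header "$base/status.php" Strict-Transport-Security || fails=$((fails + 1))
        ;;
    esac
    return "$fails"
}
```

Run audit_nextcloud https://cloud.example.com after every change to the site file; an exit status of 0 means every check passed, and each FAIL line names the URL and what was expected. A 200 on /config/config.php is the one result that should never be accepted, since that file holds the database password and the instance secret.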