My NextCloud runs in an Nginx environment. For other environments, refer to the corresponding official documentation.
Prerequisites:
- CentOS 7 X64
- NextCloud 14
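Basic CentOS 7 installation and configuration
This walkthrough assumes that your CentOS 7 environment is already fully prepared. If your system is a freshly installed default minimal system, see: CentOS 7 network configuration and installing an SSH server on CentOS 7. Those two steps ensure that NextCloud can be reached at the end.
Add the EPEL repository
Many packages live in the EPEL repository, which a default CentOS installation does not include, so it has to be added manually.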
$ sudo yum -y install epel-release
Add the Webtatic repository
It is needed for the PHP7-FPM packages.
$ sudo rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
Prepare the NextCloud runtime environment
Install PHP7-FPM
Run the following command:
$ sudo yum -y install php70w-fpm php70w-cli php70w-gd php70w-mcrypt php70w-mysql php70w-pear php70w-xml php70w-mbstring php70w-pdo php70w-json php70w-pecl-apcu php70w-pecl-apcu-devel
After installation, check the PHP version with php -v:
$ php -v
PHP 7.0.32 (cli) (built: Sep 15 2018 07:54:46) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
Configure PHP7-FPM
- Configure PHP7-FPM to run as the nginx user and listen on port 9000, so that PHP-FPM and Nginx work together.
$ sudo vi /etc/php-fpm.d/www.conf
- Change user and group to nginx.
; RPM: apache Choosed to be able to access some dir as httpd
user = nginx
; RPM: Keep a group allowed to write in log dir.
group = nginx
- Make sure PHP-FPM listens on the specified port.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
- Enable the system environment variables for php-fpm.
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
Save and exit.
- Under /var/lib/, create the php/session directory and change its owner to nginx.
$ sudo mkdir -p /var/lib/php/session
$ sudo chown nginx:nginx -R /var/lib/php/session/
- Start PHP-FPM and Nginx, and enable both services at boot.
$ sudo systemctl start php-fpm
$ sudo systemctl start nginx
$ sudo systemctl enable php-fpm
$ sudo systemctl enable nginx
Install and configure MariaDB
Install MariaDB and configure root
$ sudo yum -y install mariadb mariadb-server
$ sudo systemctl start mariadb
$ sudo systemctl enable mariadb
Set the password for the MariaDB root user. Just follow the prompts here.
$ mysql_secure_installation
Set root password? [Y/n] Y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
Add the NextCloud user and database (replace the sample password 'password!@#' with your own):
$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2586
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database nextcloud_db;
MariaDB [(none)]> create user nextclouduser@localhost identified by 'password!@#';
MariaDB [(none)]> grant all privileges on nextcloud_db.* to nextclouduser@localhost identified by 'password!@#';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;
Generate an SSL certificate
We access the site over https, so an SSL certificate is needed. You can use a free SSL certificate or sign one yourself; a self-signed certificate is used here.
$ sudo mkdir -p /etc/nginx/cert/
$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
$ sudo chmod 700 /etc/nginx/cert
$ sudo chmod 600 /etc/nginx/cert/nextcloud.key /etc/nginx/cert/nextcloud.crt
Download NextCloud
- Install wget and unzip.
$ sudo yum -y install wget unzip
- Download and verify NextCloud.
$ cd ~/
$ wget https://download.nextcloud.com/server/releases/nextcloud-14.0.4.zip
$ wget https://download.nextcloud.com/server/releases/nextcloud-14.0.4.zip.sha256
$ sha256sum -c nextcloud-14.0.4.zip.sha256 < nextcloud-14.0.4.zip
- Unzip the archive and copy NextCloud into the /usr/share/nginx/html/ directory.
$ unzip nextcloud-14.0.4.zip
$ sudo cp -R nextcloud/ /usr/share/nginx/html/
- Create the data folder and change the owner of nextcloud to nginx.
$ cd /usr/share/nginx/html/
$ sudo mkdir -p nextcloud/data/
$ sudo chown nginx:nginx -R nextcloud/
Configure NextCloud
Configure a virtual host for Nextcloud in Nginx
$ sudo vi /etc/nginx/conf.d/nextcloud.conf
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php/php7.0-fpm.sock;
}
server {
    listen 80;
    listen [::]:80;
    server_name 你的地址;  # placeholder ("your address"): replace with your server's domain name or IP
    # enforce https
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 你的地址;  # placeholder ("your address"): replace with your server's domain name or IP
    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant
    # These two paths must match the files generated with openssl above
    ssl_certificate /etc/nginx/cert/nextcloud.crt;
    ssl_certificate_key /etc/nginx/cert/nextcloud.key;
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;
    # Path to the root of your installation
    # (the directory NextCloud was copied to above)
    root /usr/share/nginx/html/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    location / {
        rewrite ^ /index.php$request_uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        # Optional: Don't log access to assets
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
Save the file and test it with nginx -t. If the test passes, restart the service: sudo systemctl restart nginx
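nginx -t confirms that the certificate and key files can be loaded, but it does not check that root points at the directory NextCloud was copied to, or that the private key is readable only by its owner. The shell check below is an added example, not part of the original guide; the function names, the PREFIX argument and the scratch tree are assumptions made for illustration, and it relies on GNU stat as shipped with CentOS.

```shell
#!/bin/sh
# check_vhost CONF [PREFIX]: verify that the certificate, key and root named in
# an nginx vhost file exist and that the key has no group/other permissions.
# PREFIX (hypothetical) is prepended to every path so the check can be tried
# against a scratch tree; leave it empty on a real server.

# Print the first argument of directive $2 in file $1, ignoring comments.
directive() {
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { sub(/;$/, "", $2); print $2; exit }'
}

check_vhost() {
    conf=$1; prefix=${2:-}; rc=0
    crt=$(directive "$conf" ssl_certificate)
    key=$(directive "$conf" ssl_certificate_key)
    root=$(directive "$conf" root)
    for f in "$crt" "$key"; do
        if [ -z "$f" ] || [ ! -f "$prefix$f" ]; then
            echo "MISSING: ${f:-certificate or key directive not set}"; rc=1
        fi
    done
    if [ -z "$root" ] || [ ! -f "$prefix${root%/}/index.php" ]; then
        echo "BAD ROOT: no index.php under '$root'"; rc=1
    fi
    if [ -n "$key" ] && [ -f "$prefix$key" ]; then
        case $(stat -c '%a' "$prefix$key") in
            [0-7]00) ;;                            # owner-only, e.g. 600 or 400
            *) echo "WEAK KEY MODE on $key"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed scratch tree mirroring this guide's layout (not real server data).
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/nginx/cert" "$t/usr/share/nginx/html/nextcloud"
    : > "$t/etc/nginx/cert/nextcloud.crt"
    : > "$t/etc/nginx/cert/nextcloud.key"
    chmod 600 "$t/etc/nginx/cert/nextcloud.key"
    : > "$t/usr/share/nginx/html/nextcloud/index.php"
    printf '%s\n' 'server {' \
        ' ssl_certificate /etc/nginx/cert/nextcloud.crt;' \
        ' ssl_certificate_key /etc/nginx/cert/nextcloud.key;' \
        ' root /usr/share/nginx/html/nextcloud/; # install path' '}' > "$t/vhost.conf"
    echo "$t"
}

if [ $# -gt 0 ]; then check_vhost "$@"; fi
```

On the server, run it as root with /etc/nginx/conf.d/nextcloud.conf as the only argument; a non-zero exit status means at least one path or permission needs fixing before the restart.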
Configure SELinux and FirewallD rules
First, install a tool for managing the SELinux configuration.
$ sudo yum -y install policycoreutils-python
Run the following commands to configure the SELinux rules:
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/data(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/config(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/apps(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/assets(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.htaccess'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.user.ini'
$ sudo restorecon -Rv '/usr/share/nginx/html/nextcloud/'
Start the firewalld service and enable it at boot.
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld
Open the http and https ports, then reload the firewall.
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload
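At this point, all installation work is complete (except for the final NextCloud configuration step).
Open a browser, enter your NextCloud domain name, and follow the on-screen prompts to complete the configuration. Once that is done, you can enjoy the convenience NextCloud brings.
Summary
The material found through Baidu has problems in some of the details, but none of these problems exist in the official documentation. So if something goes wrong during installation, going through the official documentation again usually resolves it.
Also, I downloaded NextCloud version 14, which lacks some plugins; for example, the download manager ocDownloader currently supports only up to version 13.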