Setting up a private cloud with NextCloud 12, and solving the problems along the way

Introduction

NextCloud is an open-source network storage (cloud drive) system; the latest version is 12. Its source code is fully open and you can use it free of charge under the terms of its open-source licence; users who need professional support can buy NextCloud's official enterprise subscription. It also has Android and iOS clients, which make synchronisation convenient.
For details see the official NextCloud website.

Prerequisites

To set up the cloud service, make sure you already have a VPS. Because you will be configuring a server, you also need a domain name; both can be bought from Alibaba Cloud or Tencent Cloud.

VPS operating system

Ubuntu 16.0.4

Installation methods

There are two ways to set up NextCloud: installing it with Docker, or installing it in a PHP environment. This article uses the PHP method; for the Docker method see the post Docker安装私有云盘NextCloud过程记录 (a record of installing the NextCloud private cloud drive with Docker). Let's start the installation.

Installing the dependencies

Web server

We use nginx as the web server here; install it with the following command:

apt-get install nginx

Database

The databases NextCloud can use are MySQL/MariaDB, PostgreSQL and Oracle. MySQL/MariaDB is officially recommended, and MySQL is used as the example here. Run the following commands to install MySQL:

apt-get install mysql-server
mysql_secure_installation

During installation you will be asked to set the root password and the password strength policy; choose these as you see fit.

Runtime requirements

Run the following command to install PHP:

apt-get install php

The official requirement is PHP 5.0 or later; check your PHP version with:

php -v

PHP 7.0 is recommended here, since it performs noticeably better.

Then install the other PHP modules NextCloud needs:

apt-get install php-zip
apt-get install php-dompdf
apt-get install php-xml
apt-get install php-mbstring
apt-get install php-curl
apt-get install php-mysql

With this the environment is ready.

Installing NextCloud

Change into the installation directory /var/www, then download NextCloud 12 and unpack it with the following commands:

cd /var/www
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.3.zip
unzip nextcloud-*.zip

Configuring the database

NextCloud needs a database to store its data. MySQL is used as the example here; the other databases are similar.

Enter the MySQL command line:

mysql -u root -p

Create the database:

create database your_db;

Then create a database user for NextCloud:

create user 'your_username'@'localhost' identified by 'your_passwd';

Here your_username is the user name, and localhost restricts the account to connections from the local machine only. If you want remote access, change it to the remote host and configure your MySQL access policy accordingly. your_passwd is the corresponding password.
If you hit the error Your password does not satisfy the current policy requirements, your password strength level is set too high; set global validate_password_policy=0 lowers the policy to the weakest level for the whole server. For an explanation of the password strength levels, search Baidu.

Grant the new user privileges on the database:

grant all privileges on your_db.* to 'your_username'@'localhost' identified by 'your_passwd';
flush privileges;
quit

That completes the database part.

Configuring the nginx server

Change into the /etc/nginx/sites-available/ directory:

cd /etc/nginx/sites-available/

Create a file named cloud (the name is arbitrary; for readability, your domain name is the best choice):

touch cloud

Change into the /etc/nginx/sites-enabled/ directory:

cd /etc/nginx/sites-enabled/

Run the following command to create a symbolic link:

ln -s ../sites-available/cloud cloud

Edit cloud:

vi cloud

The nginx server configuration can be found in the official NextCloud configuration documentation. Copy it into cloud; the parts that need changing are marked with comments below.

upstream php-handler {
    #server 127.0.0.1:9000;
    server  unix:/var/run/php/php7.0-fpm.sock; # use the unix socket for faster access
}

# If using https, uncomment this block
#server {
#    listen 80;
#    server_name cloud.example.com; # replace cloud.example.com with your domain
#    # enforce https
#    return 301 https://$server_name$request_uri;
#}

server {
    #listen 443 ssl http2; # if using https, uncomment this line and comment out the next one
    listen 80;
    server_name cloud.example.com; # replace cloud.example.com with your domain

    # if using https, uncomment the next two lines
    #ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
    #ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # fastcgi_param HTTPS on; # uncomment this line if using https
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        #  includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

The server configuration is now complete.
Reload nginx:

systemctl reload nginx.service

Open a browser and enter your domain name. If everything is fine you will see the installation page; if some dependency is still missing, install it as the page indicates.
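The site file above contains several directives that only do their job when they are actually uncommented: the security response headers, the deny-all location that hides config/ (which holds the database password) and data/ (user files), and, once the site listens on 443, the HSTS header and fastcgi_param HTTPS on. The following lint script is an added example written for this guide, not part of the original post or of NextCloud's own tooling. It takes the path of a site file as its only argument, treats commented-out directives as absent, prints one line per finding and returns the number of findings; write_sample_conf writes a constructed minimal site file used to demonstrate it.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Nextcloud nginx site file
# for the hardening directives this guide relies on.
#
# Usage:  nc_nginx_lint /etc/nginx/sites-available/cloud
# Prints one line per finding and returns the number of findings (0 = clean).
nc_nginx_lint() {
    conf="$1"
    problems=0
    # Work on a copy with comments removed, so a commented-out directive
    # (e.g. "#add_header ...") is correctly treated as absent.
    stripped=$(mktemp)
    sed 's/#.*$//' "$conf" > "$stripped"

    # 1. The response headers the guide's config sets on every response.
    for hdr in X-Content-Type-Options X-XSS-Protection X-Robots-Tag \
               X-Download-Options X-Permitted-Cross-Domain-Policies; do
        if ! grep -q "add_header[[:space:]]*$hdr" "$stripped"; then
            echo "missing header: $hdr"
            problems=$((problems + 1))
        fi
    done

    # 2. config/ (DB password) and data/ (user files) must be matched by a
    #    location block whose body contains "deny all;".
    for dir in config data; do
        if ! awk -v d="$dir" '
            /location/ && $0 ~ ("[(|:]" d "[|/)]") { inloc = 1 }
            inloc && /deny[[:space:]]+all/         { found = 1 }
            inloc && index($0, "}")                 { inloc = 0 }
            END { exit(found ? 0 : 1) }' "$stripped"; then
            echo "no deny-all location for /$dir/"
            problems=$((problems + 1))
        fi
    done

    # 3. When the site listens on 443, HSTS should be on and PHP must be told
    #    the request is HTTPS, otherwise Nextcloud generates http:// links.
    if grep -q 'listen[[:space:]]*443' "$stripped"; then
        if ! grep -q 'add_header[[:space:]]*Strict-Transport-Security' "$stripped"; then
            echo "listening on 443 but Strict-Transport-Security is not set"
            problems=$((problems + 1))
        fi
        if ! grep -q 'fastcgi_param[[:space:]]*HTTPS[[:space:]]*on' "$stripped"; then
            echo "listening on 443 but 'fastcgi_param HTTPS on' is not set"
            problems=$((problems + 1))
        fi
    fi

    rm -f "$stripped"
    return "$problems"
}

# Constructed sample: a minimal site file with the guide's hardening in place.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    server_name cloud.example.com;
    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    root /var/www/nextcloud/;
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ \.php(?:$|/) {
        include fastcgi_params;
        fastcgi_param HTTPS on;
        fastcgi_pass php-handler;
    }
}
EOF
}

# Demo on the constructed sample; on a real host pass your own site file.
sample=$(mktemp)
write_sample_conf "$sample"
nc_nginx_lint "$sample" && echo "sample config: no findings"
rm -f "$sample"
```

Run it against /etc/nginx/sites-available/cloud after each edit and again after certbot has modified the file; a non-zero return value means something the guide expects is missing or still commented out.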

Problems you may run into

  • You have not installed the php-* dependencies

    Fix: make sure all the PHP modules listed above are installed.

  • The browser shows a 502 error after installation

    Fix: this happens because you unpacked the nextcloud archive as root (or another user), whereas PHP runs as the www-data user by default. Change the owner of the files:

    cd /var/www
    chown -R www-data:www-data nextcloud/

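Ownership is only half of the least-privilege picture for the install tree: after the chown above, config/config.php still contains the database password in clear text and data/ holds every user's files, so neither should be readable by other accounts on the VPS. The script below is an added example written for this guide, not part of the original post or of NextCloud's own tooling. It takes the install root and the PHP-FPM user as arguments, reports paths not owned by that user (the cause of the 502), a world-readable config.php and a world-accessible data/ directory, and returns the number of findings. It assumes a POSIX find(1) and the guide's default paths.

```shell
#!/bin/sh
# Added example (not from the original post): a least-privilege check for the
# Nextcloud install tree.
#
# Usage:  nc_perm_check /var/www/nextcloud www-data
# Prints one line per finding and returns the number of findings (0 = clean).
nc_perm_check() {
    root="$1"
    user="$2"
    problems=0

    # 1. Everything must be owned by the PHP-FPM user (www-data on Ubuntu),
    #    otherwise PHP cannot read the code or write to data/ and config/.
    n=$(find "$root" ! -user "$user" | grep -c . || true)
    if [ "$n" -gt 0 ]; then
        echo "$n path(s) under $root not owned by $user (fix: chown -R $user:$user $root)"
        problems=$((problems + 1))
    fi

    # 2. config/config.php stores 'dbpassword' in clear text: no read bit for "other".
    cfg="$root/config/config.php"
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -o+r)" ]; then
        echo "$cfg is world-readable (fix: chmod 640 $cfg)"
        problems=$((problems + 1))
    fi

    # 3. data/ holds every user's files: no r/w/x bits for "other" on the
    #    directory itself (-prune stops find from descending into it).
    data="$root/data"
    if [ -d "$data" ] && \
       [ -n "$(find "$data" -prune \( -perm -o+r -o -perm -o+w -o -perm -o+x \))" ]; then
        echo "$data is accessible to other users (fix: chmod 750 $data)"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Demo on a constructed temporary tree; on a real host run
#   nc_perm_check /var/www/nextcloud www-data
demo=$(mktemp -d)
mkdir -p "$demo/config" "$demo/data"
: > "$demo/config/config.php"
nc_perm_check "$demo" "$(id -un)" || echo "findings: $?"
rm -rf "$demo"
```

The demo tree is created with the usual umask, so it reports the world-readable config.php and the world-accessible data/ directory; after chmod 640 config/config.php and chmod 750 data it returns 0.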

Security warnings in the admin interface:

  • PHP does not seem to be set up properly to query system environment variables. The test with getenv("PATH") only returns an empty response.

    Fix: uncomment these lines in /etc/php/7.0/fpm/pool.d/www.conf (remove the leading ;):

    ;env[HOSTNAME] = $HOSTNAME
    ;env[PATH] = /usr/local/bin:/usr/bin:/bin
    ;env[TMP] = /tmp
    ;env[TMPDIR] = /tmp
    ;env[TEMP] = /tmp
    
  • No memory cache has been configured

    Fix: see the Performance tuning section.

Performance tuning

nextcloud supports memory caching with three backends: APCu, Memcached and Redis. Only the APCu setup is shown here; for the others see the official configuration documentation.

Steps to configure APCu

Install APCu:

sudo apt-get update
sudo apt-get install php-apcu -y

Open /var/www/nextcloud/config/config.php and add the following line:

'memcache.local' => '\OC\Memcache\APCu',

The final config.php looks something like this:

<?php
$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' =>
  array (
    0 => 'cloud.host.com',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'overwrite.cli.url' => 'https://cloud.host.com',
  'dbtype' => 'mysql',
  'version' => '12.0.3.3',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '*_mycloud',
  'installed' => true,
  'memcache.local' => '\OC\Memcache\APCu', # add this line here
);

Reload the php7.0-fpm service:

sudo systemctl reload php7.0-fpm.service

Reload nginx:

sudo systemctl reload nginx.service

If the admin interface now shows no security warnings, congratulations: your nextcloud setup is complete. nextcloud also has a large number of apps to help with your work; go and explore them!

Configuring HTTPS

The configuration so far does not enable HTTPS. Accessing the site over HTTPS greatly reduces the chance of someone stealing your password. HTTPS needs an SSL certificate, and certificates usually have to be bought, but fortunately the free, open Let's Encrypt certificates are available. Configuring Let's Encrypt by hand is quite tedious, which is why certbot was created: with this open-source tool you can have a certificate installed in minutes. Let's start the SSL installation:

Install certbot

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Automatically install the certificate

certbot

certbot detects your server and domain automatically; follow the prompts. During installation it tells you where the issued certificate is stored.
Note that, so that everyone can benefit from the service, Let's Encrypt rate-limits issuance: a subdomain can only obtain a certificate 3-5 times per week, and once the main domain has requested more than 3 times it is blocked and you must wait 5 days before requesting again. So keep the certificates you have obtained safe and do not request new ones unless something is wrong. For details see the official rate-limit documentation.

Now remove the HTTPS restrictions from /etc/nginx/sites-enabled/cloud; the final cloud file looks like this:

upstream php-handler {
    # server 127.0.0.1:9000;
    server unix:/var/run/php/php7.0-fpm.sock;
}

server {
    listen 80;
    server_name cloud.example.com;
    # enforce https
    return 301 https://$server_name$request_uri;

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

}

server {
    listen 443 ssl http2;
    server_name cloud.example.com;

    #ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
    #ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        #  includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
    ssl_certificate /etc/letsencrypt/live/cloud.manlier.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cloud.manlier.top/privkey.pem; # managed by Certbot
}

You can also see the parts certbot modified for you.

Finally, reload nginx:

systemctl reload nginx.service

If you use a Chrome-like browser, a small green padlock should appear to the left of the address, showing that HTTPS is configured successfully.
