The author's NextCloud runs in an Nginx environment; for other environments, refer to the corresponding official documentation.
Prerequisites:
- CentOS 7 x64
- NextCloud 14
CentOS 7 basic installation and configuration
This guide assumes the reader has already fully prepared the CentOS 7 environment. If your system is a freshly installed default minimal system, see: CentOS 7 network configuration and Installing an SSH server on CentOS 7. Those two steps ensure that NextCloud can actually be reached at the end.
Add the EPEL repository
Many packages live in the EPEL repository, which is not present in a default CentOS installation, so it has to be added manually.
$ sudo yum -y install epel-release
Add the Webtatic repository
Needed as a dependency for php7-fpm.
$ sudo rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
Prepare the NextCloud runtime environment
Install PHP7-FPM
Run the following command:
$ sudo yum -y install php70w-fpm php70w-cli php70w-gd php70w-mcrypt php70w-mysql php70w-pear php70w-xml php70w-mbstring php70w-pdo php70w-json php70w-pecl-apcu php70w-pecl-apcu-devel
After installation, check the PHP version with php -v:
$ php -v
PHP 7.0.32 (cli) (built: Sep 15 2018 07:54:46) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
Configure PHP7-FPM
- Configure PHP7-FPM to run as the nginx user and listen on port 9000, so that PHP-FPM and Nginx work together.
$ sudo vi /etc/php-fpm.d/www.conf
- Change user and group to nginx.
; RPM: apache Choosed to be able to access some dir as httpd
user = nginx
; RPM: Keep a group allowed to write in log dir.
group = nginx
- Make sure PHP-FPM listens on the specified port.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
- Enable the system environment variables for php-fpm.
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
Save and exit.
- Create a session directory under /var/lib/php/ and change its owner to nginx.
$ sudo mkdir -p /var/lib/php/session
$ sudo chown nginx:nginx -R /var/lib/php/session/
- Start PHP-FPM and Nginx, and enable both services to start at boot.
$ sudo systemctl start php-fpm
$ sudo systemctl start nginx
$ sudo systemctl enable php-fpm
$ sudo systemctl enable nginx
Install and configure MariaDB
MariaDB installation and root configuration
$ sudo yum -y install mariadb mariadb-server
$ sudo systemctl start mariadb
$ sudo systemctl enable mariadb
Set the password for the MariaDB root user. Just follow the prompts here.
$ mysql_secure_installation
Set root password? [Y/n] Y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
Add the nextcloud user and database
$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2586
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database nextcloud_db;
MariaDB [(none)]> create user nextclouduser@localhost identified by 'password!@#';
MariaDB [(none)]> grant all privileges on nextcloud_db.* to nextclouduser@localhost identified by 'password!@#';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;
Generate an SSL certificate
NextCloud is accessed over https, so an SSL certificate is needed. You can use a free SSL certificate or sign one yourself; a self-signed SSL certificate is used here.
$ sudo mkdir -p /etc/nginx/cert/
$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
$ sudo chmod 700 /etc/nginx/cert
$ sudo chmod 600 /etc/nginx/cert/nextcloud.key /etc/nginx/cert/nextcloud.crt
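The openssl command above prompts for the subject interactively and produces a certificate with no subjectAltName, which current browsers require before they will trust a certificate for a host name, even after it has been imported. The following shell helper is an added example, not code from the original post: it generates the certificate non-interactively with a SAN (through a minimal OpenSSL config file, so it also works with the OpenSSL 1.0.2 shipped in CentOS 7), applies the same 700/600 permissions, and verifies the result. The host name cloud.example.test and the output-directory argument are placeholders; openssl and stat are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed
# certificate with a subjectAltName, hardened file permissions, and a check.
# Placeholders: the output directory and host name passed as arguments.

# gen_selfsigned_cert DIR HOST [DAYS]
gen_selfsigned_cert() {
    dir="$1"        # e.g. /etc/nginx/cert
    host="$2"       # DNS name clients will use, e.g. cloud.example.test
    days="${3:-365}"

    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
    # Minimal OpenSSL config: the SAN extension via -config works on OpenSSL 1.0.2
    # (CentOS 7), which lacks the newer -addext option.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/nextcloud.key" -out "$dir/nextcloud.crt" \
        -config "$dir/san.cnf" 2>/dev/null || return 1
    # Same permissions as the guide: only root reads the key material.
    chmod 600 "$dir/nextcloud.key" "$dir/nextcloud.crt"
    rm -f "$dir/san.cnf"
}

# check_cert DIR HOST
# Returns 0 only if the certificate carries DNS:HOST, the key file mode is 600,
# and the certificate's public key matches the private key.
check_cert() {
    dir="$1"; host="$2"
    openssl x509 -in "$dir/nextcloud.crt" -noout -text | grep -q "DNS:$host" || return 1
    mode=$(stat -c '%a' "$dir/nextcloud.key" 2>/dev/null || stat -f '%Lp' "$dir/nextcloud.key")
    [ "$mode" = "600" ] || return 1
    [ "$(openssl x509 -in "$dir/nextcloud.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/nextcloud.key" -pubout)" ]
}

# Usage on the server (host name is a placeholder):
#   sudo sh -c '. ./cert.sh; gen_selfsigned_cert /etc/nginx/cert cloud.example.test && check_cert /etc/nginx/cert cloud.example.test'
```

Point ssl_certificate and ssl_certificate_key in the Nginx vhost at the two files this produces; the check function is the same test to run again after any certificate renewal.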
Download NextCloud
- Install wget and unzip
$ sudo yum -y install wget unzip
- Download and verify NextCloud
$ cd ~/
$ wget https://download.nextcloud.com/server/releases/nextcloud-14.0.4.zip
$ wget https://download.nextcloud.com/server/releases/nextcloud-14.0.4.zip.sha256
$ sha256sum -c nextcloud-14.0.4.zip.sha256 < nextcloud-14.0.4.zip
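The sha256sum -c command above only succeeds when run from the directory that holds the archive, because the .sha256 file names the archive rather than pointing at a path, and a mismatch is reported as a non-zero exit code that a script must act on. The helper below is an added example, not part of the original post: it binds the digest to the archive name, compares the digest, and fails closed on any tampering or truncation. It assumes GNU sha256sum (falling back to shasum) and the "<hex>  <filename>" checksum-file format used by download.nextcloud.com; the file contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed checksum verification
# for a downloaded archive and its .sha256 companion file.

# sha256_file FILE -> prints the hex digest of FILE
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_download ARCHIVE CHECKSUM_FILE
# Returns 0 only if CHECKSUM_FILE names ARCHIVE and its digest matches exactly.
verify_download() {
    archive="$1"; sumfile="$2"
    [ -f "$archive" ] && [ -f "$sumfile" ] || return 1
    expected=$(cut -d' ' -f1 "$sumfile")
    named=$(awk '{print $2}' "$sumfile")
    # A .sha256 file for a different release must not "verify" this archive.
    [ "$named" = "$(basename "$archive")" ] || return 1
    actual=$(sha256_file "$archive")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage after the two wget commands above:
#   verify_download nextcloud-14.0.4.zip nextcloud-14.0.4.zip.sha256 || { echo "checksum mismatch, aborting"; exit 1; }
```

The checksum file is fetched from the same host as the archive, so it only proves the download arrived intact; it does not prove who published it. The Nextcloud download site also publishes a .asc signature per release, which is the file to check when origin matters.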
- Unzip the archive and copy NextCloud into the /usr/share/nginx/html/ directory
$ unzip nextcloud-14.0.4.zip
$ sudo cp -R nextcloud/ /usr/share/nginx/html/
- Create the data folder and change the owner of nextcloud to nginx
$ cd /usr/share/nginx/html/
$ sudo mkdir -p nextcloud/data/
$ sudo chown nginx:nginx -R nextcloud/
Configure NextCloud
Configure a virtual host for Nextcloud in Nginx
$ sudo vi /etc/nginx/conf.d/nextcloud.conf
upstream php-handler {
server 127.0.0.1:9000;
#server unix:/var/run/php/php7.0-fpm.sock;
}
server {
listen 80;
listen [::]:80;
server_name 你的地址;
# enforce https
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name 你的地址;
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# NOTE: some settings below might be redundant
ssl_certificate /etc/nginx/cert/nextcloud.crt;
ssl_certificate_key /etc/nginx/cert/nextcloud.key;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /usr/share/nginx/html/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
Save the file and test it with nginx -t. If the test passes, restart the service with sudo systemctl restart nginx.
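nginx -t only proves the file parses; it does not prove that the security headers configured in the vhost above actually reach the client, or that X-Powered-By is really hidden. The checker below is an added example, not part of the original post: it reads response headers on stdin (as produced by curl -sI https://your-host/), confirms every header the vhost adds is present, and flags an X-Powered-By leak. The two responses embedded in it are constructed samples, not captures from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): verify the security headers set in
# the Nginx vhost are served, and that X-Powered-By is hidden.

# Headers the vhost adds via add_header (compared case-insensitively).
REQUIRED_HEADERS="x-content-type-options x-xss-protection x-robots-tag x-download-options x-permitted-cross-domain-policies referrer-policy"

# check_security_headers < response_headers
# Prints each missing or forbidden header; returns 0 only when all required
# headers are present and X-Powered-By is absent.
check_security_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    rc=0
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || { echo "missing: $h"; rc=1; }
    done
    # fastcgi_hide_header X-Powered-By should make this header disappear.
    if printf '%s\n' "$hdrs" | grep -q '^x-powered-by:'; then
        echo "leak: x-powered-by"; rc=1
    fi
    return $rc
}

# Constructed sample responses (not real captures).
GOOD_RESPONSE='HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-robots-tag: none
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer'

BAD_RESPONSE='HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PHP/7.0.32
Content-Type: text/html'

good_response_ok() { printf '%s\n' "$GOOD_RESPONSE" | check_security_headers >/dev/null; }
bad_response_ok()  { printf '%s\n' "$BAD_RESPONSE"  | check_security_headers >/dev/null; }

# Usage against the live server (host is a placeholder):
#   curl -sI https://your-host/ | check_security_headers
```

Run it against both / and a static asset such as /core/css/server.css, since the vhost sets the headers in two separate location blocks and a typo in either one silently drops them for that path.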
Configure SELinux and FirewallD rules
First, install the management tool used to configure SELinux.
$ sudo yum -y install policycoreutils-python
Run the following commands to configure the SELinux rules:
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/data(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/config(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/apps(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/assets(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.htaccess'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.user.ini'
$ sudo restorecon -Rv '/usr/share/nginx/html/nextcloud/'
Start the firewalld service and enable it to start with the system.
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld
Open the http and https ports, then reload the firewall.
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload
At this point all installation work is complete, except for the final NextCloud setup.
Open a browser, enter your NextCloud domain name, and follow the prompts on the page to complete the configuration. Once done, you can enjoy the convenience NextCloud brings.
Summary
Material found via Baidu has problems in some details, but none of those problems exist in the official documentation. So if something goes wrong during installation, redo it following the official documentation and it usually works.
Also, the author downloaded NextCloud 14, which is missing some plugins; for example the download manager ocDownloader currently only supports up to version 13.
References
NextCloud Admin Manual
Installing Nextcloud on CentOS 7