个人云存储服务nextcloud(一):在ubuntu+nginx+mysql上部署

一、环境:系统: ubuntu 1804数据库: mysql服务器: nginx二、环境配置:1. 安装ubuntu1804:(不做赘述)2. 安装mysql:sudo apt-get install mysql-server经过一系列配置之后可以正常使用.(不做赘述…)2.1 创建nextcloud的数据库:为nextcloud服务单独创建一个数据及数据表方便管理:1...

浅弋、璃鱼

3051人浏览 · 2019-04-25 18:03:11

浅弋、璃鱼 · 2019-04-25 18:03:11 发布

一、环境:

系统: ubuntu 1804

数据库: mysql

服务器: nginx

二、环境配置:

1. 安装ubuntu1804:

(不做赘述)

2. 安装mysql:

sudo apt-get install mysql-server

经过一系列配置之后可以正常使用.
(不做赘述…)

2.1 创建nextcloud的数据库:

为nextcloud服务单独创建一个数据及数据表方便管理:
1.创建数据库:

create database ncloud charset=utf8;

2.创建用户并绑定数据库权限:

# 新建用户nextcloud,绑定ncloud数据库的所有权限
mysql> grant all privileges on ncloud.* to "nextcloud"@"%" identified by "12345679";
Query OK, 0 rows affected, 1 warning (0.00 sec)

# 刷新
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

3.安装nginx服务器:

sudo apt-get install nginx nginx-extras

安装完成后, 浏览器输入: 127.0.0.1, 检查服务器是否安装成功并启动
在这里插入图片描述

ps: 附上nginx的常用命令:
启动命令：sudo service nginx {start|stop|restart|reload|force-reload|status|configtest|rotate|upgrade}
查看版本：sudo nginx -v
检查配置文件：sudo nginx -t
查看端口被占用情况：netstat -apn
更精确的查找：netstat -apn | grep 80

4.安装PHP及相关应用:

这一项不能直接参考nextcloud的官方文档, 因为官方文档给出的是Apache的php依赖,所以,

sudo apt-get -y install php-fpm php-cli php-json php-curl php-imap php-gd php-mysql php-xml php-zip php-intl php-imagick php-mbstring

配置PHP:

$ sudo sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/7.2/fpm/php.ini
$ sudo sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/7.2/fpm/php.ini
$ sudo sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=1/" /etc/php/7.2/fpm/php.ini
$ sudo sed -i "s/upload_max_filesize = .*/upload_max_filesize = 200M/" /etc/php/7.2/fpm/php.ini
$ sudo sed -i "s/post_max_size = .*/post_max_size = 200M/" /etc/php/7.2/fpm/php.ini

ps:
配置的时候不要盲目的复制,要核对好php的版本.

重启PHP-FPM：

sudo systemctl restart php7.2-fpm

这个时候可以测试一下php是否安装成功并与nginx服务器联通

5.下载NextCloud:

(下载的问题,直接去官网下载压缩包,活着使用wget命令进行下载)

解压到 /var/www/ 目录并更改权限：

unzip nextcloud-xx.xx.zip
sudo mkdir /var/www/
sudo mv nextcloud/ /var/www/
sudo chown -R www-data: /var/www/nextcloud

6. 安装配置Nginx:

6.1生成生成自签名证书:

我们可以创建一个目录用来存放所有SSL相关文件，在/etc/nginx下创建：

$ sudo mkdir /etc/nginx/ssl

创建 SSL密钥和证书文件：

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

我们来看一看上面命令各个选项的意思：

openssl：这是创建和管理OpenSSL密钥、证书和其它文件的命令行工具
req：指定使用X.509证书签名要求（CSR）
-x509：创建自签名证书，而不生成签名请求
-nodes：证书不使用密码，我们需要Nginx能直接读取文件，在重启Nginx时，不用输入密码
-days 365:：证书的有效时间，这里是一年
-newkey rsa:2048：同时生成一个新证书和新密钥，RSA密钥长度：2048位
-keyout：密钥生成的路径
-out：证书生成的路径

执行上面命令，需要回答一系列问题。其中，最重要的一个问题是Common Name (e.g. server FQDN or YOUR name)，输入你的域名。如果没有域名的话，使用ip地址。
问题大似如下：

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:hainan
Locality Name (eg, city) []:sanya
Organization Name (eg, company) [Internet Widgits Pty Ltd]:topspeedsnail.
Organizational Unit Name (eg, section) []:topspeedsnail
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:admin@your_domain.com

这样在/etc/nginx/ssl目录下生成了2个文件,就是nginx ssl的认证证书

官方的nginx配置文件

upstream php-handler {
	# php-fpm的服务需要根据自己的实际去改
    #server 127.0.0.1:9000;
    server unix:/var/run/php/php7.2-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    # 域名根据自己的实际情况去改
    server_name cloud.example.com;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # 域名根据自己的实际情况去改
    server_name cloud.example.com;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant
    # 下边两个是ssl的证书文件,很重要,需要根据实际情况去改
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    # 这里是nextcloud的项目文件目录,需要根据实际情况去改
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    # rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$request_uri;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}