BookStack 知識庫安裝流程

這套由 Jason Cheng 大大所介紹的開源軟體, BookStack 這是一套免費又開源軟體可以拿來當成一書籍來使用,這套系統是由目前最熱門的 「 PHP MVC 」 裡的 Laravel 架構所寫出來的,可以記錄有關於技術及備忘錄

109.04.19 本篇重新修正並且改用 Markdowe 方式來編輯

運行環境


Proxmox VE 虛擬主機的,LXC 模式運行

  • 系統環境:CentOS 7
  • Web服務:Nginx 1.17
  • 網頁服務:PHP 7.4
  • 資料庫服務:Mariadb 10.4

WEB 服務安裝


可以參考本知識庫的 WBE 服務安裝流程,啟用Nginx 支援到 OpenSSL TLS1.3 安全協定

資料庫服務安裝


  • 首先新增加 MariaDB.repo 官方載點

  • 手動新增 Mariadb 來源庫

vim /etc/yum.repos.d/MariaDB.repo
  • 填入以下的內容
# MariaDB 10.4 CentOS repository list - created 2020-04-19 04:41 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.4/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
  • 安裝 MaridDB 服務
yum install MariaDB-server MariaDB-client -y
  • 資料庫安裝及設定
systemctl enable mariadb ; systemctl start mariadb   # 啟動資料庫服
mysql_secure_installation   # 設定資料庫的root密碼

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

# 以下的詢問就以預設為主直接按 Enter 即可

Switch to unix_socket authentication [Y/n]
Enabled successfully!
Reloading privilege tables..
 ... Success!


You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n]
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
  • 登入資料庫設定資料表及權限
# 登入資料庫裡設定資表及權限
mysql -u root -p   

# 在資料庫裡新增BookStack表單
CREATE DATABASE IF NOT EXISTS bookstackdb DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;

# 密碼請自己輸入好記錄的密碼
GRANT ALL PRIVILEGES ON bookstackdb.* TO 'bookstackuser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

# 重新載入設定值
FLUSH PRIVILEGES;

# 離開資料庫
quit

PHP 服務安裝


  • 先安裝額外的套件及載點
yum install -y epel-release yum-utils
  • 因內鍵預設版本是 PHP 5.4 因此本版官方已不在維護,建議直接安裝當時官方所提供主要版本,現在安裝版本是 PHP 7.4
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum-config-manager --disable remi-php54
yum-config-manager --enable remi-php74
  • 安裝 PHP 套件
yum install -y php php-mysqlnd php-pdo php-xml php-pear php-devel php-mbstring re2c gcc-c++ gcc \
php-fpm php-mysql php-gd php-cli php-json php-opcache php-curl php-ldap php-odbc php-xmlrpc php-soap \
curl curl-devel php-intl php-zip php-openssl php-tidy php-tokenizer php-xml
  • 安裝好 PHP 要去修改 vim /etc/php.ini 設定檔
修改前
;cgi.fix_pathinfo=1
修改後
cgi.fix_pathinfo=0
修改時區
[Date]
修改前
;date.timezone = 
修改後
date.timezone = Asia/Taipei
修改資料上傳限制
; 上傳檔案大小上限(單一檔案大小)
upload_max_filesize = 50M 

; POST 大小上限(所有檔案大小加總)
post_max_size = 200M

; 記憶體用量上限
memory_limit = 512M

; Script執行時間上限(單位:秒)
max_execution_time = 600

; Script處理資料時間上限(單位:秒)
max_input_time = 600

; Socket無回應斷線時間(單位:秒)
default_socket_timeout = 600

存檔
:wq
  • 設定 PHP-FPM vim /etc/php-fpm.d/www.conf
由誰使用此服務
; RPM: apache user chosen to provide access to the same directories as httpd
;user = apache
user = nginx
; RPM: Keep a group allowed to write in log dir.
;group = apache
group =nginx

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = nginx
listen.group = nginx
listen.mode = 0660

php_value[session.save_path]    = /var/www/html/sessions

修改好存檔
:wq
  • 重啟及開機自動啟動 PHP-FPM 服務
systemctl restart php-fpm ; systemctl enable php-fpm

Nginx 服務設定檔


Nginx proxy 代理服務全域設定
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
#
events {
    worker_connections 1024;
}
#
http {
    log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
#
    access_log /var/log/nginx/access.log  main;
#
    server_tokens off;
#CDN
#cfip4
        set_real_ip_from 173.245.48.0/20; #cfipv4
        set_real_ip_from 103.21.244.0/22; #cfipv4
        set_real_ip_from 103.22.200.0/22; #cfipv4
        set_real_ip_from 103.31.4.0/22; #cfipv4
        set_real_ip_from 141.101.64.0/18; #cfipv4
        set_real_ip_from 108.162.192.0/18; #cfipv4
        set_real_ip_from 190.93.240.0/20; #cfipv4
        set_real_ip_from 188.114.96.0/20; #cfipv4
        set_real_ip_from 197.234.240.0/22; #cfipv4
        set_real_ip_from 198.41.128.0/17; #cfipv4
        set_real_ip_from 162.158.0.0/15; #cfipv4
        set_real_ip_from 104.16.0.0/12; #cfipv4
        set_real_ip_from 172.64.0.0/13; #cfipv4
        set_real_ip_from 131.0.72.0/22; #cfipv4
#cfip6
        set_real_ip_from 2400:cb00::/32; #cfipv6
        set_real_ip_from 2606:4700::/32; #cfipv6
        set_real_ip_from 2803:f800::/32; #cfipv6
        set_real_ip_from 2405:b500::/32; #cfipv6
        set_real_ip_from 2405:8100::/32; #cfipv6
        set_real_ip_from 2a06:98c0::/29; #cfipv6
        set_real_ip_from 2c0f:f248::/32; #cfipv6
#lock
#使用以下任意一个即可
    real_ip_header CF-Connecting-IP;
#    real_ip_header X-Forwarded-For;
#
#
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Xss-Protection "1; mode=block";
    add_header X-Powered-By eiblog/1.3.0;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "no-referrer-when-downgrade";
    add_header Cache-Control no-cache;
#
    client_max_body_size 2048m;
    client_body_buffer_size 256k;
    client_body_timeout 1800s;
    client_header_timeout 1800s;
    fastcgi_intercept_errors on;
    fastcgi_buffers 4 64K;
#
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 168.95.1.1 168.95.192.1 valid=300s;
    resolver_timeout 5s;
#
# Default is 60, May need to be increased for very large uploads
#
    sendfile on;
#
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
#
    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
#
#開啟Brotli壓縮
    brotli on;
#壓縮等級,0 到 11,默認值是 6,過大會額外消耗服務器CPU
    brotli_comp_level 6;
#設置需要進行壓縮的最小響應大小,單位為字節
    brotli_min_length 512;
#指定哪些MIME類型進行壓縮
    brotli_types text/plain text/javascript text/css text/xml text/x-component application/javascript application/x-javascript application/xml application/json application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
#是否允許查找預處好的、以 .br 结尾的壓缩文件。可選值為 on、off、always
    brotli_static always;
#
    include /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
#
    default_type application/octet-stream;
}
Nginx Proxy 代理服務設定
server {
	listen                           80;
	server_name                      您的hostname或是IP;
	rewrite ^(.*)$ https://${server_name}$1 permanent;
}
#
server {
	#                                使用 https 和 http/2 協定
	listen                           443 ssl http2;
	#                                上述的 IPv6 方式
	listen                           [::]:443 ssl http2;
	server_name                      您的hostname或是IP;
	#
	#                                certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	#
	#                                SSL 憑證證書路徑
	ssl_certificate                  /etc/nginx/ssl/fullchain.pem;
	#                                私鑰路徑
	ssl_certificate_key              /etc/nginx/ssl/privkey.pem;
	#                                緩存有效期
	ssl_session_timeout              1d;
	#                                緩存憑證類型和大小
	ssl_session_cache                shared:SSL:50m;
	#
	#                                intermediate configuration. tweak to your needs.
	#
	#                                使用的加密協定
	ssl_protocols                    TLSv1.1 TLSv1.2 TLSv1.3;
	#                                加密演算法,越前面的優先級越高
	ssl_ciphers                      'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
	#                                交握過程使用 Server 的首選加演算法,這裡使用 Client 為首選
	ssl_prefer_server_ciphers        on;
	#
	access_log                       /var/log/nginx/bookstack_access.log;
	error_log                        /var/log/nginx/bookstack_error.log;
	#
	location / {
		proxy_pass                      https://您的hostname或是IP;
		proxy_next_upstream             error timeout invalid_header http_500 http_502 http_503;
		proxy_set_header                Host $host;
		proxy_set_header                X-Real_IP $remote_addr;
		proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header                X-Forwarded-Proto https;
		proxy_headers_hash_max_size     1024;
		proxy_headers_hash_bucket_size  128;
		proxy_redirect                  off;
		proxy_pass_header               Authorization;
	}
	#
	location ~* \.(?:ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
		proxy_pass                      https://您的hostname或是IP;
	}

}

本機全域設定
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig   # 備份原本預設的設定檔
vim /etc/nginx/nginx.conf   # 新增新的nginx設定檔
---
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
#
events {
    worker_connections 1024;
}
#
http {
    log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
#
    access_log /var/log/nginx/access.log  main;
#
#
    client_max_body_size 2048m;
    client_body_buffer_size 256k;
    client_body_timeout 1800s;
    client_header_timeout 1800s;
    fastcgi_intercept_errors on;
    fastcgi_buffers 4 64K;
#
    server_tokens off;
#
# Default is 60, May need to be increased for very large uploads
#
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
#
    include /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
    default_type application/octet-stream;
# Restoring the original visitor IP for your web application
    set_real_ip_from 127.0.0.1;
# use any of the following two
# real_ip_header CF-Connecting-IP;
    real_ip_header X-Forwarded-For;
#
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Powered-By eiblog/1.3.0;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "no-referrer-when-downgrade";
    add_header Cache-Control no-cache;
#
    brotli on;
    brotli_comp_level 6;
    brotli_min_length 512;
    brotli_types text/plain text/javascript text/css text/xml text/x-component application/javascript application/x-javascript application/xml application/json application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
    brotli_static always;
}
本機服務器設定檔
vim /etc/nginx/conf.d/bookstack.conf   #網頁的設定檔

#
server {
    listen 80;
    server_name 您的hostname或是IP;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
#
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 您的hostname或是IP;
    root /var/www/html/BookStack/public;
#
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
#
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;
#
# intermediate configuration. tweak to your needs.
#
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
    ssl_prefer_server_ciphers on;
#
    access_log /var/log/nginx/bookstack_access.log;
    error_log /var/log/nginx/bookstack_error.log;
#
    client_max_body_size 1G;
    fastcgi_buffers 64 4K;
#
    index index.php;
#
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
#
#
    location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
        deny all;
    }
#
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        #fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_pass 127.0.0.1:9000;
    }
#
    location ~* \.(?:ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        expires 30d;
        access_log off;
    }
}

BookStack 服務安裝


  • 安裝 Composer 作曲家服務
# 將dirs更改為我們希望將composer安裝到的位置
cd /usr/local/bin   

# 安裝 composer
curl -sS https://getcomposer.org/installer | php   

# 重新命名 composer
mv composer.phar composer   
  • BookStack 放置位置
# 希望將 BookStack 存放的位置   
cd /var/www/html   

# 新增from php sessions
mkdir /var/www/html/sessions   

# 從github上下載最新版本的BookStackApp資料
git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch   

# 進入到 BookStack 目錄下用 composer 安裝服務
cd BookStack && composer install --no-dev 
  • BookStack 設定
# 複製範本設定文件
cp .env.example .env   

# 更新與數據庫中的新的配置,以及其他設置
vim .env   
---
DB_HOST=localhost
DB_DATABASE=bookstackdb
DB_USERNAME=bookstackuser
DB_PASSWORD=bookstackpass
---

All other settings are fine as default, but feel free to change any others as you see fit.

# 在.env中生成並更新APP_KEY
php artisan key:generate --force   

# 將所有權更改為Web服務器用戶
chown -R nginx:nginx /var/www/html/{BookStack,sessions}   

# 產生新的資料庫表及其他設定
php artisan migrate --force   
  • 開啟瀏灠器輸入 http://server_ip  預設帳號為:[email protected] 密碼為: password



參考相關網頁