跳到主內容

BookStack 知識庫安裝流程 -Debian\Ubuntu

這套由 Jason Cheng 節省哥所介紹的開源軟體,BookStack 這是一套免費又開源軟體可以拿來當成一書籍來使用,這套系統是由目前最熱門的 PHP MVC 裡的 Laravel 架構所寫出來的,可以記錄有關於技術及備忘錄

運行環境


環境都是在 「Proxmox VE 」 虛擬系統上架設,都是以 「 LXC 」模式為主,除非有特殊狀況會告知使用 「 VM 」 模式

  • 系統環境: Debian 10
  • Web 服務: Nginx 1.19
  • PHP 服務: PHP 8.0
  • 資料庫服務: MariaDB 10.5

安裝過程


WEB 服務安裝

可以參考本知識庫的 WBE 服務安裝流程 Nginx 模組擴充 - Debain \ Ubuntu

MairaDB 安裝

sudo apt-get install software-properties-common dirmngr
sudo apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el] https://ftp.ubuntu-tw.org/mirror/mariadb/repo/10.5/debian buster main'
  • 安裝 MariaDB 服務
sudo apt update
sudo apt install mariadb-server
  • 啟動服務
systemctl enable mariadb ; systemctl start mariadb 
  • 設定資料庫的基本設定
mysql_secure_installation   # 設定資料庫的root密碼

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

# 以下的詢問就以預設為主直接按 Enter 即可

Switch to unix_socket authentication [Y/n]
Enabled successfully!
Reloading privilege tables..
 ... Success!


You already have your root account protected, so you can safely answer 'n'.

# 這裡要求輸入 root 的密碼

Change the root password? [Y/n]
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

BookStack 資料庫設定

mysql -u root -p   # 登入資料庫裡設定資表及權限

CREATE DATABASE IF NOT EXISTS bookstackdb DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci; #在資料庫裡新增BookStack表單
GRANT ALL PRIVILEGES ON bookstackdb.* TO 'bookstackuser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION; #密碼請自己輸入好記錄的密碼
FLUSH PRIVILEGES;
PHP 服務設定

  • 下載 GPG 密鑰
sudo apt update
sudo apt install -y lsb-release ca-certificates apt-transport-https software-properties-common
  • 新增 PHP 來源庫
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/sury-php.list
  • 導入金鑰
wget -qO - https://packages.sury.org/php/apt.gpg | sudo apt-key add -
  • PHP 套件安裝
apt install curl php8.0 php8.0-{common,mbstring,fpm,mysql,gd,cli,opcache,curl,ldap,odbc,xmlrpc,soap,intl,zip,tidy,xml} -y
  • 安裝好 PHP 要去修改 「vim /etc/php/8.0/fpm/php.ini」 設定檔
修改前
;cgi.fix_pathinfo=1
修改後
cgi.fix_pathinfo=0
修改時區
[Date]
修改前
;date.timezone = 
修改後
date.timezone = Asia/Taipei
修改資料上傳限制
; 上傳檔案大小上限(單一檔案大小)
upload_max_filesize = 50M 

; POST 大小上限(所有檔案大小加總)
post_max_size = 200M

; 記憶體用量上限
memory_limit = 512M

; Script執行時間上限(單位:秒)
max_execution_time = 600

; Script處理資料時間上限(單位:秒)
max_input_time = 600

; Socket無回應斷線時間(單位:秒)
default_socket_timeout = 600

存檔
:wq
  • 設定「php-fpm」「vim /etc/php/8.0/fpm/pool.d/www.conf
; 由誰使用此服務
; RPM: apache user chosen to provide access to the same directories as httpd
;user = apache
user = www-data
; RPM: Keep a group allowed to write in log dir.
;group = apache
group = www-data


; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; 最後一行增加此行
php_value[session.save_path]    = /var/www/html/sessions

修改好存檔
:wq
  • 重啟及開機自動啟動 php-fpm 服務
systemctl start php8.0-fpm ; systemctl enable php8.0-fpm
Nginx 設定檔

  • 反向代理設定檔
server {
	listen 80;
	server_name 網域名稱;
	rewrite ^(.*)$ https://${server_name}$1 permanent;
}
#
server {
	# 使用 https 和 http/2 協定
	listen 443 ssl http2;
	# 上述的 IPv6 方式
	listen [::]:443 ssl http2;
	server_name 網域名稱;
	#
	# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	#
	# SSL 憑證證書路徑
	ssl_certificate /etc/nginx/ssl/fullchain.pem;
	# 私鑰路徑
	ssl_certificate_key /etc/nginx/ssl/privkey.pem;
	# 緩存有效期
	ssl_session_timeout 1d;
	# 緩存憑證類型和大小
	ssl_session_cache shared:SSL:50m;
	#
	# intermediate configuration. tweak to your needs.
	#
	# 使用的加密協定
	ssl_protocols TLSv1.3 TLSv1.2;
	# 加密演算法,越前面的優先級越高
	ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
	# 交握過程使用 Server 的首選加演算法,這裡使用 Client 為首選
	ssl_prefer_server_ciphers on;
	#
	access_log /var/log/nginx/bookstack_access.log;
	error_log /var/log/nginx/bookstack_error.log;
	#
	location / {
        # 這段是因為在 bookstack 某個改版後就設定成公開狀態,可以用這個方式把這個頁面轉回首頁。
		if ($request_uri ~* "revisions") {
            rewrite ^ / permanent;
        }
		proxy_pass https://站台位置;
		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
		proxy_set_header Host $host;
		proxy_set_header X-Real_IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto https;
		proxy_headers_hash_max_size 1024;
		proxy_headers_hash_bucket_size 128;
		proxy_redirect off;
		proxy_pass_header Authorization;
	}
	#
	location ~* \.(?:ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        # 這段是因為在 bookstack 某個改版後就設定成公開狀態,可以用這個方式把這個頁面轉回首頁。
		if ($request_uri ~* "revisions") {
            rewrite ^ / permanent;
        }
		proxy_pass https://站台位置;
	}
}

  • 設定檔位置
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig   # 備份原本預設的設定檔
vim /etc/nginx/nginx.conf   # 新增新的nginx設定檔
  • 全域設定
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
#
events {
    worker_connections 1024;
}
#
http {
    log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
#
    access_log /var/log/nginx/access.log  main;
#
#
    client_body_timeout 120s;
#
    server_tokens off;
#
# Default is 60, May need to be increased for very large uploads
#
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
#
    include /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
    default_type application/octet-stream;
#
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Powered-By eiblog/1.3.0;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "no-referrer-when-downgrade";
    add_header Cache-Control no-cache;
#
    brotli on;
    brotli_comp_level 6;
    brotli_min_length 512;
    brotli_types text/plain text/javascript text/css text/xml text/x-component application/javascript application/x-javascript application/xml application/json application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
    brotli_static always;
}
  • 在 conf.d 目錄下新增設定檔
vim /etc/nginx/conf.d/bookstack.conf   #網頁的設定檔
  • 服務器設定檔
#
server {
    listen 80;
    server_name 您的網域;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
#
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 您的網域;
    root /var/www/html/BookStack/public;
#
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
#
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;
#
# intermediate configuration. tweak to your needs.
#
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
    ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
    ssl_prefer_server_ciphers on;
#
    access_log /var/log/nginx/bookstack_access.log;
    error_log /var/log/nginx/bookstack_error.log;
#
    client_max_body_size 1G;
    fastcgi_buffers 64 4K;
#
    index index.php;
#
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
#
#
    location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
        deny all;
    }
#
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass   unix:/run/php/php8.0-fpm.sock;
    }
#
    location ~* \.(?:ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        expires 30d;
        access_log off;
    }
}

BookStack 服務安裝


  • 安裝 Composer 作曲家服務
cd /usr/local/bin   # 將dirs更改為我們希望將composer安裝到的位置
curl -sS https://getcomposer.org/installer | php   # 安裝 composer
mv composer.phar composer   # 重新命名 composer
  • BookStack 放置位置,因 Debian 沒有此目錄需要手動增加此目錄
mkdir -p /var/www/html # 手動增加目錄
cd /var/www/html   # 希望將 BookStack 存放的位置   
mkdir /var/www/html/sessions   # 新增from php sessions
git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch   # 從github上下載最新版本的BookStackApp資料
cd BookStack && composer install --no-dev    # 進入到BookStack目錄下用composer安裝服務
  • BookStack 設定
cp .env.example .env   # 複製範本設定文件
vim .env   # 更新與數據庫中的新的配置,以及其他設置
---
DB_HOST=localhost
DB_DATABASE=bookstackdb
DB_USERNAME=bookstackuser
DB_PASSWORD=bookstackpass
---

All other settings are fine as default, but feel free to change any others as you see fit.

php artisan key:generate --force   # 在.env中生成並更新APP_KEY
chown -R www-data:www-data /var/www/html/{BookStack,sessions}   # 將所有權更改為Web服務器用戶
php artisan migrate --force   # 產生新的資料庫表及其他設定
  • 開啟瀏灠器輸入 http://server_ip 預設帳號為: [email protected]、密碼為:password

備註





參考相關網頁