
NextCloud - Debian

  It has been a long time since the last update, so here is an updated guide to installing NextCloud on Debian; a later article will cover integrating OxOffice for online document editing. NextCloud is a cloud storage service, much like putting your data on Google Drive or a NAS, but if cost and the importance of your data are concerns, you can use computer equipment that is no longer in use to host this private cloud service yourself.

  If your site will be integrated with OxOffice in the future, pay attention to the NextCloud version: a version that is too new may prevent OxOffice from running properly, so check the information published by the official OxOffice site first. Currently, the NextCloud version that OxOffice supports is version 24 (2022.12.11).

If the Community edition's features do not cover what your organization needs, consider purchasing the commercial edition's services.

112.09.20: updated the versions and revised the content

Runtime environment


Every environment is built on the Proxmox VE virtualization platform, in LXC mode by default; where a special case requires VM mode, that will be stated.

  • Operating system: Debian 11
  • Web server: Nginx 1.23.3
  • PHP: PHP 8.2
  • Database: MariaDB 11.1

NextCloud installation process


Nginx

  See this studio's earlier article, Nginx module extensions - Debian \ Ubuntu.

MariaDB installation

  See this studio's earlier article on installing MariaDB on Debian.

  • Create the NextCloud database: mariadb -u root -p
-- Create the nextcloud_db database
CREATE DATABASE nextcloud_db;
-- Choose your own password and record it somewhere safe
-- Nextcloud itself does not need WITH GRANT OPTION; omit it to keep the account at the minimum privilege it requires
GRANT ALL PRIVILEGES ON nextcloud_db.* TO 'nextclouduser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit;

PHP installation

  • Install the prerequisites for fetching the GPG key
sudo apt update
sudo apt install -y lsb-release ca-certificates apt-transport-https software-properties-common
  • Add the PHP package repository
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/sury-php.list
  • Import the repository key
# Note: apt-key is deprecated on Debian 11 (it still works but prints a warning); the key can instead be saved as /etc/apt/trusted.gpg.d/php.gpg
wget -qO - https://packages.sury.org/php/apt.gpg | sudo apt-key add -
  • Install the PHP packages
apt update && apt install curl php8.2 php8.2-{common,mbstring,fpm,mysql,gd,cli,opcache,curl,ldap,odbc,xmlrpc,soap,intl,zip,tidy,xml,imagick,mcrypt,readline,bz2,smbclient,imap,bcmath,gmp} -y
  • After installing PHP, edit the two configuration files: vim /etc/php/8.2/fpm/php.ini and vim /etc/php/8.2/cli/php.ini
; Before
;cgi.fix_pathinfo=1
; After
cgi.fix_pathinfo=0

; Set the time zone
[Date]
; Before
;date.timezone = 
; After
date.timezone = Asia/Taipei

; Upload limits
; Maximum size of a single uploaded file
upload_max_filesize = 50M

; Maximum POST size (total of all files in one request)
post_max_size = 200M

; Memory usage limit
memory_limit = 512M

; Maximum script execution time (seconds)
max_execution_time = 600

; Maximum time a script may spend parsing input data (seconds)
max_input_time = 600

; Timeout for an unresponsive socket (seconds)
default_socket_timeout = 600
  • Making the same changes with bash commands
# Same changes via sed
sed -i "s|^;cgi.fix_pathinfo=1.*$|cgi.fix_pathinfo=0|" /etc/php/8.2/fpm/php.ini
sed -i "s|^;cgi.fix_pathinfo=1.*$|cgi.fix_pathinfo=0|" /etc/php/8.2/cli/php.ini

sed -i "s|^;date.timezone =.*$|date.timezone = Asia/Taipei|" /etc/php/8.2/fpm/php.ini
sed -i "s|^;date.timezone =.*$|date.timezone = Asia/Taipei|" /etc/php/8.2/cli/php.ini

sed -i "s|^upload_max_filesize = 2M.*$|upload_max_filesize = 50M|" /etc/php/8.2/fpm/php.ini
sed -i "s|^upload_max_filesize = 2M.*$|upload_max_filesize = 50M|" /etc/php/8.2/cli/php.ini

sed -i "s|^post_max_size = 8M.*$|post_max_size = 200M|" /etc/php/8.2/fpm/php.ini
sed -i "s|^post_max_size = 8M.*$|post_max_size = 200M|" /etc/php/8.2/cli/php.ini

sed -i "s|^memory_limit = 128M.*$|memory_limit = 512M|" /etc/php/8.2/fpm/php.ini
# Debian's cli php.ini ships memory_limit = -1, so match the directive name rather than the old value
sed -i "s|^memory_limit = .*$|memory_limit = 512M|" /etc/php/8.2/cli/php.ini

sed -i "s|^max_execution_time = 30.*$|max_execution_time = 600|" /etc/php/8.2/fpm/php.ini
sed -i "s|^max_execution_time = 30.*$|max_execution_time = 600|" /etc/php/8.2/cli/php.ini

sed -i "s|^max_input_time = 60.*$|max_input_time = 600|" /etc/php/8.2/fpm/php.ini
sed -i "s|^max_input_time = 60.*$|max_input_time = 600|" /etc/php/8.2/cli/php.ini

sed -i "s|^default_socket_timeout = 60.*$|default_socket_timeout = 600|" /etc/php/8.2/fpm/php.ini
sed -i "s|^default_socket_timeout = 60.*$|default_socket_timeout = 600|" /etc/php/8.2/cli/php.ini
  • Configure php-fpm: vim /etc/php/8.2/fpm/pool.d/www.conf
; Which user and group run this service
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www-data
group = www-data

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660

env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

; Add the session storage directory at the end of the file
php_value[session.save_path]    = /var/www/html/sessions
  • Making the same changes with bash
sed -i "s|^;env\[HOSTNAME\] = \$HOSTNAME.*$|env\[HOSTNAME\] = \$HOSTNAME|" /etc/php/8.2/fpm/pool.d/www.conf
sed -i "s|^;env\[PATH\] = \/usr\/local\/bin\:\/usr\/bin\:\/bin.*$|env\[PATH\] = \/usr\/local\/bin\:\/usr\/bin\:\/bin|" /etc/php/8.2/fpm/pool.d/www.conf
sed -i "s|^;env\[TMP\] = \/tmp.*$|env\[TMP\] = \/tmp|" /etc/php/8.2/fpm/pool.d/www.conf
sed -i "s|^;env\[TMPDIR\] = \/tmp.*$|env\[TMPDIR\] = \/tmp|" /etc/php/8.2/fpm/pool.d/www.conf
sed -i "s|^;env\[TEMP\] = \/tmp.*$|env\[TEMP\] = \/tmp|" /etc/php/8.2/fpm/pool.d/www.conf
# Append the session directory setting (the manual edit above) if it is not there yet
grep -q '^php_value\[session.save_path\]' /etc/php/8.2/fpm/pool.d/www.conf || echo 'php_value[session.save_path] = /var/www/html/sessions' >> /etc/php/8.2/fpm/pool.d/www.conf
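The sed one-liners for php.ini and www.conf above only work when the line still has exactly its stock value; if a directive is already set to something else, or absent, they silently change nothing. The following is an added example (not from the original post) of a small helper that sets a directive idempotently in either file, whatever its current state; the function names re_escape, set_ini_value and get_ini_value are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: set a php.ini or www.conf directive
# idempotently, whether the line is currently commented out (";key = x"), already
# set to another value, or missing. The helper names are this example's own.

# Escape regex metacharacters so keys such as "env[TMP]" or "cgi.fix_pathinfo"
# can be embedded in a sed basic regular expression.
re_escape() {
    printf '%s' "$1" | sed 's#[][\.*^$/]#\\&#g'
}

# set_ini_value FILE KEY VALUE
# Rewrites every line that defines KEY (commented out or not) to "KEY = VALUE",
# or appends the directive when the file does not mention it at all.
set_ini_value() {
    file=$1; key=$2; value=$3
    esc_key=$(re_escape "$key")
    # "&", "\" and the "|" delimiter are special on the replacement side of s|||.
    esc_val=$(printf '%s' "$value" | sed 's/[&\\|]/\\&/g')
    if grep -q "^[;#]*[[:space:]]*${esc_key}[[:space:]]*=" "$file"; then
        sed -i "s|^[;#]*[[:space:]]*${esc_key}[[:space:]]*=.*\$|${key} = ${esc_val}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_value FILE KEY
# Prints the active (uncommented) value of KEY, or nothing if it is not set.
get_ini_value() {
    esc_key=$(re_escape "$2")
    sed -n "s|^[[:space:]]*${esc_key}[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# Usage: sh set_ini.sh /etc/php/8.2/cli/php.ini memory_limit 512M
if [ "$#" -eq 3 ]; then
    set_ini_value "$1" "$2" "$3"
    printf '%s is now: %s\n' "$2" "$(get_ini_value "$1" "$2")"
fi
```

Because the rewrite matches on the directive name, a second run leaves the file unchanged, and get_ini_value gives you a quick way to confirm the value php-fpm will actually load before restarting it.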
  • Start php-fpm and enable it at boot
systemctl start php8.2-fpm && systemctl enable php8.2-fpm
or
systemctl enable --now php8.2-fpm
  • Create the session directory
mkdir -p /var/www/html/sessions
chown -R www-data:www-data /var/www/html/sessions

Nginx configuration files

Global configuration

user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
#
events {
    worker_connections 1024;
}
#
http {
    log_format main
        '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';
    #
    access_log /var/log/nginx/access.log main;
    #
    server_tokens off;
    #
    resolver 168.95.1.1 8.8.8.8 1.1.1.1 valid=300s;
    resolver_timeout 5s;
    #
    # Restoring the original visitor IP for your web application
    set_real_ip_from 127.0.0.1;
    # use any of the following two
    # real_ip_header CF-Connecting-IP;
    real_ip_header X-Forwarded-For;
    #
    # Default is 60, May need to be increased for very large uploads
    #
    sendfile on;
    #
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # set max upload size
    client_max_body_size 1G;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
    #
    # Enable Brotli compression
    brotli on;
    # Compression level, 0 to 11 (default 6); higher values cost extra server CPU
    brotli_comp_level 6;
    # Minimum response size (in bytes) worth compressing
    brotli_min_length 512;
    # MIME types to compress
    brotli_types text/plain
        text/javascript
        text/css
        text/xml
        text/x-component
        application/javascript
        application/x-javascript
        application/xml
        application/json
        application/xhtml+xml
        application/rss+xml
        application/atom+xml
        application/x-font-ttf
        application/vnd.ms-fontobject
        image/svg+xml
        image/x-icon
        font/opentype;
    # Whether to serve pre-compressed files ending in .br; allowed values are on, off and always
    brotli_static always;
    #
    include /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
    #
    default_type application/octet-stream;
}

Service configuration

upstream php-handler {
    # server 127.0.0.1:9000;
    # Must match the php-fpm version installed above (PHP 8.2, service php8.2-fpm)
    server unix:/run/php/php8.2-fpm.sock;
}

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}
server {
    listen 80;
    server_name 您的網域;  # your domain name
    
    # Prevent nginx HTTP Server Detection
    server_tokens off;
  
    # Enforce HTTPS
    return 301 https://$server_name$request_uri;
}
#
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 您的網域;  # your domain name
  
    # Path to the root of your installation
    root /var/www/html/nextcloud;
    
    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;
    
    # Prevent nginx HTTP Server Detection
    server_tokens off;
    #
    # intermediate configuration. tweak to your needs.
    # Note: TLSv1.1 was deprecated by RFC 8996 and is not part of Mozilla's intermediate
    # profile; the 3DES and plain-RSA entries in the cipher list below are likewise legacy-only.
    #
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
    ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
    ssl_prefer_server_ciphers on;
    #
    access_log /var/log/nginx/nc_access.log;
    error_log /var/log/nginx/nc_error.log;
    #
    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    # set max upload size and increase upload timeout:
    client_max_body_size 512M;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # These settings allow you to optimize the HTTP2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
    # for tuning hints
    client_body_buffer_size 512k;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
    }

    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off;     # Optional: Don't log access to assets

        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

Proxy configuration

server {
    listen 80;
    server_name 您的網域;  # your domain name
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
#
server {
    # Use HTTPS and HTTP/2
    listen 443 ssl http2;
    # The same for IPv6
    listen [::]:443 ssl http2;
    server_name 您的網域;  # your domain name
    #
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    #
    # Path to the SSL certificate
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    # Path to the private key
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    # Session cache lifetime
    ssl_session_timeout 1d;
    # Session cache type and size
    ssl_session_cache shared:SSL:50m;
    #
    # intermediate configuration. tweak to your needs.
    #
    # TLS protocol versions allowed (note: TLSv1.1 is deprecated by RFC 8996)
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
    # Cipher suites in order of preference; earlier entries have higher priority
    # (the 3DES and plain-RSA entries are legacy-only)
    ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
    # Use the server's cipher order during the handshake rather than the client's
    ssl_prefer_server_ciphers on;
    #
    access_log /var/log/nginx/nc_access.log;
    error_log /var/log/nginx/nc_error.log;
    #
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    #
    location / {
        proxy_pass https://服務主機位置;  # address of the Nextcloud backend host
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host $host;
        # Conventional header name is X-Real-IP (hyphen, not underscore)
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-Host carries the original Host header, not the client address
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_headers_hash_max_size 1024;
        proxy_headers_hash_bucket_size 128;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Front-End-Https on;
        client_max_body_size 0;
        proxy_redirect off;
        proxy_pass_header Authorization;
        proxy_connect_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_buffers 16 4k;
        proxy_buffer_size 2k;
    }
    #
    location ~* \.(?:ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        proxy_pass https://服務主機位置;  # address of the Nextcloud backend host
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host $host;
        # Conventional header name is X-Real-IP (hyphen, not underscore)
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-Host carries the original Host header, not the client address
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_headers_hash_max_size 1024;
        proxy_headers_hash_bucket_size 128;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Front-End-Https on;
        client_max_body_size 0;
        proxy_redirect off;
        proxy_pass_header Authorization;
        proxy_connect_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_buffers 16 4k;
        proxy_buffer_size 2k;
    }
}
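The two server configurations above carry a few settings worth checking after every edit: the TLS versions and cipher families still enabled, whether server_tokens is off, whether the php-fpm socket path names the PHP version actually installed, and whether HSTS preload was left on. The following is an added example (not from the original post or from Nextcloud's own documentation) of a shell audit that reports those points for a given configuration file; the function names audit_nginx_conf and audit_finding_count are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Nginx configuration file
# for the settings discussed in the sections above. Function names are this
# example's own.

# audit_nginx_conf FILE PHP_VERSION
# Prints one line per finding and nothing when the file passes every check.
audit_nginx_conf() {
    conf=$1; phpver=$2
    # Drop comments first so commented-out directives are not reported.
    stripped=$(sed 's/#.*$//' "$conf")

    # 1. Protocol versions retired by RFC 8996 (TLS 1.0/1.1) or SSLv3 still enabled.
    printf '%s\n' "$stripped" \
        | grep -E '^[[:space:]]*ssl_protocols[^;]*(SSLv3|TLSv1(\.1)?([[:space:]]|;))' \
        | sed 's/^[[:space:]]*/deprecated TLS version enabled: /'

    # 2. Legacy cipher families present in ssl_ciphers without a leading "!".
    if printf '%s\n' "$stripped" | grep -E '^[[:space:]]*ssl_ciphers' \
        | grep -qE '(^|[^!])(3DES|DES-CBC3|RC4)'; then
        echo 'legacy cipher family (3DES/RC4) allowed in ssl_ciphers'
    fi

    # 3. Version banner not suppressed.
    printf '%s\n' "$stripped" | grep -qE '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' \
        || echo 'server_tokens off is missing'

    # 4. php-fpm socket path naming a PHP version other than the one installed.
    printf '%s\n' "$stripped" \
        | grep -E 'unix:/run/php/php[0-9.]+-fpm\.sock' \
        | grep -vF "php${phpver}-fpm.sock" \
        | sed "s/^[[:space:]]*/php-fpm socket does not match PHP ${phpver}: /"

    # 5. HSTS preload enabled: removal from the browser preload list takes months,
    #    as the comment in the Nextcloud server block warns.
    if printf '%s\n' "$stripped" | grep -E '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' \
        | grep -q preload; then
        echo 'HSTS preload directive is enabled'
    fi
    return 0
}

# audit_finding_count FILE PHP_VERSION
# Prints the number of findings (0 when the file is clean).
audit_finding_count() {
    audit_nginx_conf "$1" "$2" | grep -c '' || true
}

# Usage: sh audit_nginx.sh /etc/nginx/conf.d/nextcloud.conf 8.2
if [ "$#" -ge 1 ]; then
    audit_nginx_conf "$1" "${2:-8.2}"
fi
```

Run it against each Nginx file after editing and again after nginx -t; a clean run prints nothing, so it slots easily into a deployment script that refuses to reload Nginx while findings remain.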

Nextcloud installation


cd /var/www/html

wget https://download.nextcloud.com/server/releases/nextcloud-24.0.8.tar.bz2

# Extract
tar -jxvf nextcloud-24.0.8.tar.bz2

# Create the data directory
mkdir nextcloud/data

# Permissions
chown -R www-data:www-data /var/www/html/nextcloud
chmod -R 755 /var/www/html/nextcloud
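The archive above is extracted straight after download, so a corrupted or substituted file would be unpacked into the web root unnoticed. The following is an added example (not from the original post) that checks the archive against its SHA-256 digest before extraction; it assumes the "<tarball>.sha256" sidecar file that download.nextcloud.com serves next to each release archive, and the function names verify_release and fetch_nextcloud are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the downloaded Nextcloud
# archive against its published SHA-256 digest before unpacking it. Assumes the
# "<tarball>.sha256" sidecar file served next to each release archive; the
# function names are this example's own.

# verify_release TARBALL SUMFILE
# SUMFILE holds a "<sha256 hex>  <filename>" line. Returns 0 only when the
# digest is well formed and matches the file.
verify_release() {
    tarball=$1; sumfile=$2
    [ -r "$tarball" ] && [ -r "$sumfile" ] || return 1
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    # A malformed or empty digest must fail closed, never compare equal by accident.
    case $expected in
        '' | *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# fetch_nextcloud VERSION
# Downloads the archive and its digest into the current directory (needs network)
# and refuses to report success unless they match.
fetch_nextcloud() {
    ver=$1
    base=https://download.nextcloud.com/server/releases
    wget -q "$base/nextcloud-$ver.tar.bz2" "$base/nextcloud-$ver.tar.bz2.sha256" || return 1
    if verify_release "nextcloud-$ver.tar.bz2" "nextcloud-$ver.tar.bz2.sha256"; then
        echo "nextcloud-$ver.tar.bz2: digest OK, safe to extract"
    else
        echo "nextcloud-$ver.tar.bz2: digest MISMATCH, do not extract" >&2
        return 1
    fi
}

# Usage: sh fetch_nextcloud.sh 24.0.8 && tar -jxf nextcloud-24.0.8.tar.bz2
if [ "$#" -eq 1 ]; then
    fetch_nextcloud "$1"
fi
```

Chaining tar behind the verification with && means the extraction into /var/www/html never runs on a mismatched download; the digest file comes from the same server as the archive, so for a stronger guarantee compare it with the value shown on the Nextcloud release page or check the accompanying .asc signature as well.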
  • Next, open https://<your-service-address> in a browser
  • Create the administrator account and password, then open the storage and database section below; the default is SQLite, which we change to MariaDB

[screenshot: nc-01.png]

  • Select MySQL/MariaDB

[screenshot: nc-02.png]

  • Enter the database user, its password and the name of the database to connect to

[screenshot: nc-03.png]

  • When everything is filled in, press Finish setup and the system starts building the service

[screenshot: nc-04.png]

  • Once the service is built successfully you are redirected to the NextCloud page

[screenshot: nc-05.png]

  • BUBU ran into the following problem when reinstalling: the trusted domains and the internal IP must be added to the NextCloud configuration file, vim /var/www/html/nextcloud/config/config.php; anything you later integrate with NextCloud will also need its domain or IP added here
  'trusted_domains' => 
  array (
    0 => '[sub.domain].com',
    1 => '192.168.1.41',
  ),


