Installing and deploying Nextcloud on CentOS 7


nos installation and deployment document

September 4, 2020

17:00

1. Configure the environment and set up the image

Configure the Yum repository and the nginx repository

mkdir /dev/liuyan

mount /dev/cdrom /dev/liuyan

[root@localhost ~]# cat /etc/yum.repos.d/local.repo

[aa]

name=aa

baseurl=file:///dev/liuyan

gpgcheck=0

enabled=1

 

[nginx]

name=nginx

baseurl=http://nginx.org/packages/centos/$releasever/$basearch/

gpgcheck=0

enabled=1
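
Both stanzas above set gpgcheck=0, and the nginx one fetches over plain HTTP, so nothing verifies the packages yum installs. As an added example (not part of the original post), this script lists enabled repo sections with signature checking turned off; the sample file is constructed from the stanzas on this page, trimmed to the keys the check reads, plus a signed nginx variant whose gpgkey URL is the one published by nginx.org.

```sh
# Added example (not from the original post): list enabled yum repo sections
# that turn package signature checking off. Output: "section<TAB>finding".
# A section without gpgcheck inherits [main] in /etc/yum.conf and is not flagged.
audit_repo_file() {
    awk '
        function report() {
            if (sec == "" || v["enabled"] ~ /^(0|false|no)$/) return
            if (v["gpgcheck"] ~ /^(0|false|no)$/) {
                printf "%s\tgpgcheck disabled: packages install unverified\n", sec
                if (v["baseurl"] ~ /^http:/)
                    printf "%s\tplain-HTTP baseurl with no signature check\n", sec
            }
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # comments and blank lines
        /^[ \t]*\[/ {                             # start of a [section]
            report()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            split("", v); v["enabled"] = "1"; next
        }
        {                                         # key=value line
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[key] = val
        }
        END { report() }
    ' "$1"
}
# Constructed sample: the two stanzas from this page and a signed variant of
# the nginx stanza (section name "nginx-signed" is made up for the example).
sample_repo() {
    cat <<'EOF'
[aa]
baseurl=file:///dev/liuyan
gpgcheck=0
enabled=1
[nginx]
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
[nginx-signed]
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
}

f=$(mktemp) && sample_repo >"$f" && audit_repo_file "$f"; rm -f "$f"
```

To check a real host, call audit_repo_file on each file under /etc/yum.repos.d/.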

Install Nginx

yum -y install epel-release

  yum -y install nginx

 

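An additional yum repository is needed to install php-fpm. webtatic can be used (this repository may be slow from networks inside China; you can of course choose a different one).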

rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

 

Install php7-fpm and some other required components

yum -y install php70w-fpm php70w-cli php70w-gd php70w-mcrypt php70w-mysql php70w-pear php70w-xml php70w-mbstring php70w-pdo php70w-json php70w-pecl-apcu php70w-pecl-apcu-devel

After installation, check that it succeeded

php -v

 

Configure php-fpm

vim /etc/php-fpm.d/www.conf

user = nginx

group = nginx

listen = 127.0.0.1:9000

; Uncomment the following lines

env[HOSTNAME] = $HOSTNAME

env[PATH] = /usr/local/bin:/usr/bin:/bin

env[TMP] = /tmp

env[TMPDIR] = /tmp

env[TEMP] = /tmp

Create a new directory for the session path under /var/lib, and set its owner and group to nginx

mkdir -p /var/lib/php/session

chown nginx:nginx -R /var/lib/php/session/

 ll -d /var/lib/php/session/

 

Start the Nginx and php-fpm services and enable them at boot

systemctl start php-fpm

systemctl start nginx

systemctl enable php-fpm

systemctl enable nginx

 

2. Install and configure MariaDB

Install

yum -y install mariadb mariadb-server

 

Start the database and enable it at boot

systemctl  start mariadb

systemctl  enable mariadb

 

Set the database password

 mysql_secure_installation

 

  

Create the database

create database nextcloud_db;

Create the user and set its password

create user nextcloud_yan@localhost identified by '123456';

Query OK, 0 rows affected (0.00 sec)

Grant privileges

grant all privileges on nextcloud_db.* to nextcloud_yan@localhost identified by '123456';

Query OK, 0 rows affected (0.00 sec)

Flush privileges

flush privileges;

Query OK, 0 rows affected (0.00 sec)

3. Generate a self-signed SSL certificate for Nextcloud

Create the directory

mkdir /etc/nginx/cert

cd /etc/nginx/cert/

openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key

 

 chmod 777 /etc/nginx/cert/

chmod 666 /etc/nginx/cert/*
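
Mode 777 on the directory and 666 on its contents, as set above, let any local account read or overwrite nextcloud.key. The following added example (not part of the original post) lists such exposures under a directory passed as an argument and then applies modes that nginx still works with; the function names are made up for the example, and the temporary directory at the end is constructed sample data.

```sh
# Added example (not from the original post); needs GNU stat (as on CentOS 7).
# key_perm_findings DIR: print one line per path under DIR that other local
# accounts can write, or (for *.key) read. Prints nothing when DIR is clean.
key_perm_findings() (
    dir=$1
    mode=$(stat -c '%a' "$dir")
    # Group/other write on the directory lets other users swap the files.
    [ $(( 0$mode & 022 )) -eq 0 ] || echo "$dir mode $mode: directory writable by group/other"
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        mode=$(stat -c '%a' "$path")
        case $path in
            *.key)  # private key: no group/other access at all
                [ $(( 0$mode & 077 )) -eq 0 ] || echo "$path mode $mode: private key exposed to group/other" ;;
            *)      # the certificate is public but must not be replaceable
                [ $(( 0$mode & 022 )) -eq 0 ] || echo "$path mode $mode: writable by group/other" ;;
        esac
    done
)

# harden_tls_dir DIR: owner-only directory and key, read-only certificate.
# nginx keeps working because its master process opens both files as root
# before the worker processes drop privileges.
harden_tls_dir() {
    chmod 700 "$1"
    find "$1" -maxdepth 1 -type f -name '*.key' -exec chmod 600 {} +
    find "$1" -maxdepth 1 -type f ! -name '*.key' -exec chmod 644 {} +
}

# Constructed demo: reproduce the modes used on this page in a scratch
# directory, report them, harden, and report again (second run is silent).
demo=$(mktemp -d)
: >"$demo/nextcloud.key"; : >"$demo/nextcloud.crt"
chmod 777 "$demo"; chmod 666 "$demo"/*
key_perm_findings "$demo"
harden_tls_dir "$demo"
key_perm_findings "$demo"
rm -rf "$demo"
```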

 

4. Download and install Nextcloud

Upload the nextcloud archive to the target directory

 

Extract

unzip nextcloud-12.0.4.zip

 

  mv nextcloud /usr/share/nginx/html/

 

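5. Configure the nginx virtual host

Go to the directory that holds Nginx's virtual host configuration files and create a new virtual host configuration (remember to change both server_name values to your own domain). The domain I set is textcloud.com

cd /etc/nginx/conf.d/

vi nextcloud.conf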

 upstream php-handler {

    server 127.0.0.1:9000;

    #server unix:/var/run/php5-fpm.sock;

}

    

server {

    listen 80;

    server_name nextcloud.kevin-inc.com;

    # enforce https

    return 301 https://$server_name$request_uri;

}

    

server {

    listen 443 ssl;

    server_name nextcloud.kevin-inc.com;

    

    ssl_certificate /etc/nginx/cert/nextcloud.crt;

    ssl_certificate_key /etc/nginx/cert/nextcloud.key;

    

    # Add headers to serve security related headers

    # Before enabling Strict-Transport-Security headers please read into this

    # topic first.

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    add_header X-Content-Type-Options nosniff;

    add_header X-Frame-Options "SAMEORIGIN";

    add_header X-XSS-Protection "1; mode=block";

    add_header X-Robots-Tag none;

    add_header X-Download-Options noopen;

    add_header X-Permitted-Cross-Domain-Policies none;

    

    # Path to the root of your installation

    root /usr/share/nginx/html/nextcloud/;

    

    location = /robots.txt {

        allow all;

        log_not_found off;

        access_log off;

    }

    

    # The following 2 rules are only needed for the user_webfinger app.

    # Uncomment it if you're planning to use this app.

    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;

    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json

    # last;

    

    location = /.well-known/carddav {

      return 301 $scheme://$host/remote.php/dav;

    }

    location = /.well-known/caldav {

      return 301 $scheme://$host/remote.php/dav;

    }

    

    # set max upload size

    client_max_body_size 512M;

    fastcgi_buffers 64 4K;

    

    # Disable gzip to avoid the removal of the ETag header

    gzip off;

    

    # Uncomment if your server is build with the ngx_pagespeed module

    # This module is currently not supported.

    #pagespeed off;

    

    error_page 403 /core/templates/403.php;

    error_page 404 /core/templates/404.php;

    

    location / {

        rewrite ^ /index.php$uri;

    }

    

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {

        deny all;

    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {

        deny all;

    }

    

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {

        include fastcgi_params;

        fastcgi_split_path_info ^(.+\.php)(/.*)$;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_param PATH_INFO $fastcgi_path_info;

        fastcgi_param HTTPS on;

        #Avoid sending the security headers twice

        fastcgi_param modHeadersAvailable true;

        fastcgi_param front_controller_active true;

        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;

        fastcgi_request_buffering off;

    }

    

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {

        try_files $uri/ =404;

        index index.php;

    }

    

    # Adding the cache control header for js and css files

    # Make sure it is BELOW the PHP block

    location ~* \.(?:css|js)$ {

        try_files $uri /index.php$uri$is_args$args;

        add_header Cache-Control "public, max-age=7200";

        # Add headers to serve security related headers (It is intended to

        # have those duplicated to the ones above)

        # Before enabling Strict-Transport-Security headers please read into

        # this topic first.

        add_header Strict-Transport-Security "max-age=15768000;includeSubDomains; preload;";

        add_header X-Content-Type-Options nosniff;

        add_header X-Frame-Options "SAMEORIGIN";

        add_header X-XSS-Protection "1; mode=block";

        add_header X-Robots-Tag none;

        add_header X-Download-Options noopen;

        add_header X-Permitted-Cross-Domain-Policies none;

        # Optional: Don't log access to assets

        access_log off;

    }

    

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {

        try_files $uri /index.php$uri$is_args$args;

        # Optional: Don't log access to other assets

        access_log off;

    }

}

   

Test the configuration file for problems

 nginx -t

 

Start nginx

Enable it at boot

[root@localhost conf.d]# systemctl restart nginx

[root@localhost conf.d]# systemctl enable nginx

[root@localhost conf.d]# systemctl status nginx

● nginx.service - nginx - high performance web server

   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)

   Active: active (running) since Tue 2020-09-01 14:17:04 CST; 11s ago

     Docs: http://nginx.org/en/docs/

 Main PID: 10119 (nginx)

   CGroup: /system.slice/nginx.service

           ├─10119 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx....

           └─10120 nginx: worker process

 

Sep 01 14:17:04 localhost.localdomain systemd[1]: Starting nginx - high perfo...

Sep 01 14:17:04 localhost.localdomain systemd[1]: Started nginx - high perfor...

Hint: Some lines were ellipsized, use -l to show in full.

[root@localhost conf.d]#

 

6. Configure the firewall

[root@localhost conf.d]# systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon

   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)

   Active: active (running) since Tue 2020-09-01 11:43:27 CST; 2h 36min ago

     Docs: man:firewalld(1)

 Main PID: 755 (firewalld)

   CGroup: /system.slice/firewalld.service

           └─755 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

 

Sep 01 11:43:27 localhost.localdomain systemd[1]: Starting firewalld - dynami...

Sep 01 11:43:27 localhost.localdomain systemd[1]: Started firewalld - dynamic...

Hint: Some lines were ellipsized, use -l to show in full.

[root@localhost conf.d]# systemctl stop firewalld

[root@localhost conf.d]#

Disable it at boot

systemctl disable firewalld

First install the SELinux management tool policycoreutils-python

yum -y install policycoreutils-python

 

If the firewall is enabled, Firewalld and SELinux need to be configured

First install the SELinux management tool policycoreutils-python

[root@nextcloud-server ~]# yum -y install policycoreutils-python

Next, configure SELinux

[root@nextcloud-server ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/data(/.*)?'

[root@nextcloud-server ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/config(/.*)?'

[root@nextcloud-server ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/apps(/.*)?'

[root@nextcloud-server ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/assets(/.*)?'

[root@nextcloud-server ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.htaccess'

[root@nextcloud-server ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.user.ini'

[root@nextcloud-server ~]# restorecon -Rv '/usr/share/nginx/html/nextcloud/'

Next, configure the Firewalld firewall to open the http and https ports for Nextcloud

[root@nextcloud-server ~]# systemctl start firewalld

[root@nextcloud-server ~]# systemctl enable firewalld

[root@nextcloud-server ~]# firewall-cmd --permanent --add-service=http

[root@nextcloud-server ~]# firewall-cmd --permanent --add-service=https

[root@nextcloud-server ~]# firewall-cmd --reload

 

 

