Nextcloud安装和配置指南(一)

由 夏日冰菓 发布

记录一下坑爹的Nextcloud安装教程

nextcloud

NextCloud知名的开源网盘,直接全平台客户端,支持访问文件修改历史,支持分享和限时分享,支持外部磁盘,支持对接其他网盘,支持生产环境,支持在线预览和编辑,支持本地文件加密(服务器都不能访问查看那种),支持热更新。又折腾了几天,尽可能把NextCloud优化到高效可用的状态,查阅了不少文章教程,也碰了不少坑。为了节约性能,这里使用Docker+NextcloudFPM版本来搭建,本地NGINX来做代理,实现高效访问。

版本介绍:

  • nextcloud:latest:默认最新版本,新手友好。使用debian容器搭建,自带阿帕奇web服务,特点就是简单方便,一键部署就可以使用,缺点就是包略大。
  • nextcloud:fpm:在debian容器的基础上不带阿帕奇web服务,需要配套web程序才能使用,如NGINX。
  • nextcloud:alpine:使用alpine作为容器,空间占据少,适合小主机使用。

简易版,一键部署

一键Docker部署Nextcloud,容器自带阿帕奇,直接访问ip就可以使用

docker run -d \
--name=nextcloud \
-p 8080:80 \
-v /DISK/nextcloud:/var/www/html \
nextcloud:latest

部署完成之后直接访问ip:8080,优化部分看后面

FPM-alpine版本

在alpine容器的基础上不自带阿帕奇WEB服务,适合小主机使用

docker run -d \
--name=nextcloud \
-p 9000:9000 \
-v /DISK/nextcloud:/var/www/html \
nextcloud:fpm-alpine

部署完成之后需要配置NGINX文件,这的是坑爹的地方。

安装NGINX服务程序

#  debian 
apt install nginx -y
#  centos
dnf install nginx -y

编辑配置文件

Nextcloud部署之后,通过编辑配置文件使网页版可用
/etc/nginx/conf.d新建配置文件nextcloud.conf

upstream php-handler {
    server 127.0.0.1:9000;     # 指定FPM服务端口
    #server unix:/var/run/php/php7.4-fpm.sock;
}

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}


server {
    listen 80;
    listen [::]:80;
    server_name nextcloud.pro;      # 定义域名

    # Enforce HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443      ssl http2;
    listen [::]:443 ssl http2;
    server_name nextcloud.pro;      # 定义域名

    root /DISK/nextcloud;      # Docker映射出来的容器地址

    # SSL文件
    ssl_certificate "/SSL/nextcloud/fullchain.pem";
    ssl_certificate_key "/SSL/nextcloud/privkey.pem";

    # 避免后台检查显示:HTTP的请求头 "Strict-Transport-Security" 未设置为至少 "15552000" 秒. 为了提高安全性,建议参照security tips ↗中的说明启用HSTS.
    add_header Strict-Transport-Security "max-age=31536000";


    client_max_body_size 512M;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    # 避免在网页安装Nextcloud等待时间过长而显示504错误
    fastcgi_read_timeout 86400;


    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;


    fastcgi_hide_header X-Powered-By;
    index index.php index.html /index.php$request_uri;



    #  避免后台检查显示:
    #  项目您的网页服务器未正确设置以解析“/.well-known/caldav”。更多信息请参见文档。
    #  您的网页服务器未正确设置以解析“/.well-known/carddav”。更多信息请参见文档。
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
        rewrite /.well-known/carddav /remote.php/dav permanent;
        rewrite /.well-known/caldav /remote.php/dav permanent;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }


    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
        
        rewrite /.well-known/carddav /remote.php/dav permanent;
       rewrite /.well-known/caldav /remote.php/dav permanent;
        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }


    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;

        #  这里注意了,如果是使用DockerFPM来部署,这里需要修如下
        #  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;

        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
        rewrite /.well-known/carddav /remote.php/dav permanent;
       rewrite /.well-known/caldav /remote.php/dav permanent;
    }

    location ~ \.(?:css|js|svg|gif|jpg|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off;     # Optional: Don't log access to assets

        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
        rewrite /.well-known/carddav /remote.php/dav permanent;
       rewrite /.well-known/caldav /remote.php/dav permanent;

    }
}

重新加载服务

加载成功后,访问域名开始安装使用

nginx -s reload

暂无评论

发表评论