Preparation
Environment setup
1. PHP
Configuring a PHP 7.4 environment on CentOS 7 - 瓜子的博客 (how2do.cc)
2. Nginx
Install Nginx:
yum install nginx -y
Add the nginx group and user:
groupadd nginx
useradd -m -g nginx nginx
Create the session directory for nginx and give nginx ownership of it:
mkdir -p /var/lib/php/session
chown nginx:nginx -R /var/lib/php/session/
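3. MySQL
Installing and configuring MySQL on RedHat 7 family Linux - 瓜子的博客 (how2do.cc)
Once it is installed, enter mysql and run the following statements to create the nextcloud database and user: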
CREATE DATABASE nextcloud;
CREATE USER nc@localhost IDENTIFIED BY 'yourPassword';
GRANT ALL PRIVILEGES ON nextcloud.* TO nc@localhost;
FLUSH PRIVILEGES;
4. Nextcloud
Get the latest version of Nextcloud:
wget https://download.nextcloud.com/server/releases/latest.zip
Unpack it:
unzip latest.zip
Move the extracted nextcloud folder to /usr/share/nginx/html/; if that folder does not exist, create it with mkdir -p /usr/share/nginx/html/
mv nextcloud /usr/share/nginx/html/
Create the user data directory and assign ownership:
mkdir -p /usr/share/nginx/html/nextcloud/data/
chown nginx:nginx -R /usr/share/nginx/html/nextcloud
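Parameter configuration
PHP parameter configuration
In this step we configure php-fpm to work with Nginx. php-fpm will run as the nginx user and listen on port 9000.
Edit the default php-fpm configuration file with vim: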
vim /etc/php-fpm.d/www.conf
Use / to search for user = and find these lines:
user = apache
group = apache
Change them to:
user = nginx
group = nginx
Use / again to search for listen = and make sure php-fpm listens on the specified port:
listen = 127.0.0.1:9000
Next search for ;env[ and delete the ; in front of these variables to enable them:
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
Next search for pm.max, find pm.max_children =, and change these parameters to the following values to reduce PHP memory usage under low traffic:
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
Press shift + : and type wq to save and exit vim.
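A check for the php-fpm edits above, as an added example that is not part of the original post: it reads a pool file and reports any of the guide's settings that are missing, including a listen value that is not bound to loopback. The function names pool_get, check_fpm_pool and write_sample_pool are hypothetical, and the sample pool file is constructed.

```shell
#!/bin/sh
# Added example: audit a php-fpm pool file against the values set in this guide.

# Print the value of the last active (not ;-commented) "key = value" line.
pool_get() {  # $1 = pool file, $2 = key
    awk -v k="$2" '
        /^[ \t]*;/ { next }
        { i = index($0, "="); if (!i) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

check_fpm_pool() {  # $1 = pool file; prints findings, returns 1 if any
    f=$1; rc=0
    for kv in user=nginx group=nginx; do
        k=${kv%%=*}; want=${kv#*=}; got=$(pool_get "$f" "$k")
        [ "$got" = "$want" ] || { echo "FAIL $k = ${got:-unset}, want $want"; rc=1; }
    done
    listen=$(pool_get "$f" listen)
    case $listen in
        127.0.0.1:*|/*) ;;  # loopback TCP, or a unix socket path
        *) echo "FAIL listen = ${listen:-unset} is reachable beyond loopback"; rc=1 ;;
    esac
    for e in HOSTNAME PATH TMP TMPDIR TEMP; do
        [ -n "$(pool_get "$f" "env[$e]")" ] || { echo "FAIL env[$e] is still commented out"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: a pool file still carrying the defaults the guide replaces,
# plus a port-only listen value that would bind every interface.
write_sample_pool() {  # $1 = output path
    cat > "$1" <<'EOF'
[www]
user = apache
group = apache
listen = 9000
;env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
EOF
}
```

After editing, run check_fpm_pool /etc/php-fpm.d/www.conf; no output and exit status 0 mean every setting matches.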
Nginx parameter configuration
Create a new nginx configuration file that reverse-proxies to Nextcloud:
vim /etc/nginx/conf.d/nextcloud.conf
Add the following content:
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php-fpm.sock;
}
server {
    listen 80;
    server_name your.domain.name;  # replace with your domain name
    # enforce https
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name your.domain.name;  # replace with your domain name
    ssl_certificate /etc/nginx/cert/nextcloud.crt;
    ssl_certificate_key /etc/nginx/cert/nextcloud.key;
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Path to the root of your installation
    root /usr/share/nginx/html/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    # Disable gzip to avoid the removal of the ETag header
    gzip off;
    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
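Because this guide keeps the data directory under the web root, the deny blocks in the configuration above are what stop it from being served. The added example below (not part of the original post) is a simplified model of the order in which nginx picks a location for a path, using the config's own patterns; nc_route and its helpers are hypothetical names and the sample paths are constructed.

```shell
#!/bin/sh
# Added example: simplified model of which location block in nextcloud.conf
# handles a request path (path only, no query string). nginx tries exact (=)
# locations first, then regex locations in file order, then "location /".
# The patterns are the config's own, with "(?:" written as "(" for grep -E.

m()  { printf '%s\n' "$1" | grep -Eq  -- "$2"; }   # like "location ~"
mi() { printf '%s\n' "$1" | grep -Eiq -- "$2"; }   # like "location ~*"

nc_route() {  # $1 = request path; prints the outcome
    p=$1
    case $p in
        /robots.txt) echo robots; return ;;
        /.well-known/carddav|/.well-known/caldav) echo redirect-dav; return ;;
    esac
    if   m "$p" '^/(build|tests|config|lib|3rdparty|templates|data)/'; then echo deny
    elif m "$p" '^/(\.|autotest|occ|issue|indie|db_|console)'; then echo deny
    elif m "$p" '^/(index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php($|/)'; then echo php
    elif m "$p" '^/(updater|ocs-provider)($|/)'; then echo try-files
    elif mi "$p" '\.(css|js)$'; then echo static
    elif mi "$p" '\.(svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$'; then echo static
    else echo front-controller   # "location /" rewrites to /index.php$uri
    fi
}

# Constructed sample paths, not taken from real traffic.
nc_route_demo() {
    for p in /data/alice/files/notes.txt /config/config.php /.htaccess /occ \
             /index.php/apps/files /core/css/server.css /apps/files/upload.php; do
        printf '%-32s %s\n' "$p" "$(nc_route "$p")"
    done
}

nc_route_demo
```

Only the whitelisted entry points reach php-fpm directly; any other .php path falls through to the front controller, and everything under /data/ or /config/ is refused before the PHP block is considered.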
Install openssl and generate a self-signed SSL certificate:
yum install openssl
Create a new directory for the SSL files:
mkdir -p /etc/nginx/cert/
Use openssl to generate a new SSL certificate, as follows:
openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
Finally, use the chmod command to set permissions on all the certificate files:
chmod 700 /etc/nginx/cert
chmod 600 /etc/nginx/cert/*
Restart nginx:
systemctl restart nginx
Firewall configuration
Open ports 80 and 443:
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload