Systems Engineering - Build Series
Chapter 1: Setting up Baota Panel + NextCloud document cloud
Preface
To make online collaboration on the LAN easier, deploy a NextCloud document cloud; the backend is built on the Baota (BT) Linux Panel, which simplifies operations. NextCloud's predecessor is OwnCloud.
ESXi hypervisor: VMware VMvisor 6.7.0
NextCloud target version: NextCloud 24.0.1
Baota panel target version: Linux Panel 7.9.1
Linux distribution: CentOS 7.9 Minimal 2009
Nginx version: 1.21.4
MySQL version: 8.0.24
PHP version: 7.4
Redis version: 6.2.6
Implementation steps
1. Install the CentOS operating system
2. Deploy the Baota panel
3. Install the LNMP stack from the Baota panel and configure the Nginx, MySQL, PHP and other modules
4. Deploy NextCloud and tune its configuration
5. Sync NextCloud users from the domain controller's LDAP
Prerequisites
- An LDAP directory service (domain controller) is available on the intranet
- The Linux VM has Internet access
- An SSH client such as Xshell is ready, and lrzsz, zip, unzip and similar tools are installed
Deploy the Baota panel
Install the CentOS operating system
(omitted)
Configure the CentOS operating system
Configure the NIC, enable the sshd service, and connect to Linux remotely
Configure the gateway (look up the name of the CentOS network interface with ip addr)
vi /etc/sysconfig/network-scripts/ifcfg-ens192
BOOTPROTO=static
ONBOOT=yes
IPADDR=1.1.1.1
PREFIX=24
GATEWAY=1.1.1.254
DNS1=1.1.1.11
DNS2=1.1.1.12
:x
systemctl restart network
Change the sshd listening port and allow root login over ssh
vi /etc/ssh/sshd_config
Port 2234
PermitRootLogin yes
PasswordAuthentication yes
:x
systemctl restart sshd
Check the local firewalld configuration
iptables -nvL # check the firewall rules
firewall-cmd --state # check whether the firewall is running
firewall-cmd --list-all # list the current firewall rules
firewall-cmd --zone=public --permanent --add-port=2234/tcp # add a rule to the public zone allowing TCP 2234
firewall-cmd --reload # reload the firewall configuration
iptables -nvL # check the firewall rules again
Optionally disable SELinux
getenforce # show the SELinux status
setenforce 0 # disable SELinux temporarily (until reboot)
vim /etc/selinux/config
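The steps above restart sshd on port 2234 before firewalld learns about the new port, so a new connection fails until the reload has been done. The following pre-flight check is an added example, not from the original page: it parses an sshd_config and the runtime output of firewall-cmd --list-all (both constructed samples here) and reports the sshd ports the firewall would still block, so the existing session is not closed too early.

```python
import re

# Constructed sample inputs modelled on the steps above (not captured from a real host).
SSHD_CONFIG = """\
#Port 22
Port 2234
PermitRootLogin yes
PasswordAuthentication yes
"""

FIREWALL_LIST_ALL = """\
public (active)
  target: default
  interfaces: ens192
  services: dhcpv6-client ssh
  ports: 2234/tcp
  masquerade: no
"""

def sshd_ports(config_text):
    """Effective sshd listening ports: every uncommented 'Port N' line (22 if none)."""
    ports = [int(m.group(1)) for m in re.finditer(r"(?m)^\s*Port\s+(\d+)", config_text)]
    return ports or [22]

def firewalld_open_tcp_ports(list_all_text):
    """TCP ports allowed by the zone, read from 'firewall-cmd --list-all' output.
    The 'ssh' service only opens 22/tcp, so it is mapped explicitly; port ranges
    such as 1000-2000/tcp are not expanded."""
    open_ports = set()
    m = re.search(r"(?m)^\s*ports:\s*(.*)$", list_all_text)
    if m:
        for tok in m.group(1).split():
            port, _, proto = tok.partition("/")
            if proto == "tcp" and port.isdigit():
                open_ports.add(int(port))
    s = re.search(r"(?m)^\s*services:\s*(.*)$", list_all_text)
    if s and "ssh" in s.group(1).split():
        open_ports.add(22)
    return open_ports

def safe_to_restart_sshd(config_text, list_all_text):
    """Return (ok, blocked_ports); ok is True only if every sshd port is reachable."""
    allowed = firewalld_open_tcp_ports(list_all_text)
    blocked = sorted(p for p in sshd_ports(config_text) if p not in allowed)
    return (not blocked, blocked)

if __name__ == "__main__":
    print(safe_to_restart_sshd(SSHD_CONFIG, FIREWALL_LIST_ALL))
```

Run it against the runtime list (after firewall-cmd --reload), because a --permanent rule that has not been reloaded does not show up and does not protect the next login.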
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled # disable SELinux permanently
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Connect to Linux with Xshell (or any ssh client) on the new port
ssh -p 2234 root@1.1.1.1
Confirm the required tools are present and upgrade the base system
rpm -qa | grep -E "lrzsz|wget|zip" # list the installed packages
yum list | grep -E "lrzsz|wget|zip" # query the packages online; entries prefixed with @base are installed from base, @updates installed from updates, everything else is not installed
yum update # update the installed packages from the configured yum repositories
hostname # show the current hostname
hostnamectl set-hostname baota # change the hostname
Install the Baota Linux panel
For other Baota panel versions see the Baota website: Baota community edition
Installing Linux Panel 7.9.1
yum install -y wget && wget -O install.sh http://download.bt.cn/install/install_6.0.sh && sh install.sh ed8484bec
/etc/init.d/bt default # show the panel's initial default settings (address, user, password)
Open the intranet panel address in a browser
The initial panel deployment requires binding a Baota account
For the recommended suite, generally choose LNMP (this case uses the compiled installation, which is more stable and supports more features)
After the LNMP installation finishes, change the panel's basic settings in the following order:
1. [Panel settings] - change [Panel password] # requires logging in again
2. [Panel settings] - change [Panel username] # requires logging in again
3. [Panel settings] - set [Bind Baota account] # register an account on the official Baota site
4. [Panel settings] - turn off [Online support]
5. [Panel settings] - change [Panel port] # redirects automatically
6. [Panel settings] - change [Bound domain] # redirects automatically
7. [Panel settings] - change [Security entrance]
8. [Panel settings] - enable [Panel SSL] # redirects automatically
9. [Panel settings] - set [Message channel] - [Sender settings]
10. [Panel settings] - change [Unauthenticated response status]
These steps must be done in this order; otherwise you can easily end up unable to find the password and have to reset the panel over SSH.
After the basic panel configuration is done, install the necessary plugins from the App Store
With the plugins installed, create sites and databases, set up the system firewall and so on; refer to the official Baota manual
Nginx 1.21.4
PHP-7.4
Redis 6.2.6
MySQL 8.0.24
phpMyAdmin 4.4
System Firewall 3.1
Trojan/malware scanner 3.0
Pure-Ftpd 1.0.49
Other software is optional
Open only the specific ports needed in the system firewall
Configure the LNMP stack in Baota
Nginx configuration
vim /www/server/nginx/conf/nginx.conf
user www www;
worker_processes auto;
error_log /www/wwwlogs/nginx_error.log crit;
pid /www/server/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
stream {
log_format tcp_format '$time_local|$remote_addr|$protocol|$status|$bytes_sent|$bytes_received|$session_time|$upstream_addr|$upstream_bytes_sent|$upstream_bytes_received|$upstream_connect_time';
access_log /www/wwwlogs/tcp-access.log tcp_format;
error_log /www/wwwlogs/tcp-error.log;
include /www/server/panel/vhost/nginx/tcp/*.conf;
}
events
{
use epoll;
worker_connections 51200;
multi_accept on;
}
http
{
include mime.types;
#include luawaf.conf;
include proxy.conf;
default_type application/octet-stream;
server_names_hash_bucket_size 512;
client_header_buffer_size 64k;
large_client_header_buffers 4 32k;
client_max_body_size 5120m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_read_timeout 3600;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
server_tokens off;
access_log off;
server
{
listen 888;
server_name phpmyadmin;
index index.html index.htm index.php;
root /www/server/phpmyadmin;
allow 127.0.0.1;
allow ::1;
deny all;
location ~ /tmp/ {
return 403;
}
#error_page 404 /404.html;
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /\.
{
deny all;
}
access_log /www/wwwlogs/access.log;
}
include /www/server/panel/vhost/nginx/*.conf;
}
[Performance tuning] adjust as follows
MySQL configuration
Adjust according to the server's actual RAM, then restart the database; no other changes.
PHP configuration
Install the following PHP extensions
Extension | Category | Description |
---|---|---|
ionCube | script decryption | decrypts scripts encoded with ionCube Encoder |
fileinfo | general | may fail to install if less than 1 GB of memory is available |
opcache | cache | accelerates PHP scripts |
redis | cache | in-memory key-value database with optional persistence |
mcrypt | general | mcrypt encryption/decryption |
apcu | cache | script (user data) cache |
imagemagick | general | Imagick high-performance graphics library |
sg11 | script encryption | PHP code obfuscation/encryption |
ldap | general | official PHP extension |
gmp | general | official PHP extension |
php.ini enables opcache by default; add opcache.save_comments. The APCu extension is not enabled after installation, so add its configuration manually to enable it
vim /www/server/php/74/etc/php.ini
[Zend Opcache]
...
opcache.revalidate_freq=60
...
opcache.save_comments=1
...
[apcu]
apc.enable_cli=1
In the FPM configuration the run user stays the default www, the listening socket's mode is set to 777, and the env entries are added. Nothing else is changed
vim /www/server/php/74/etc/php-fpm.conf
[www]
...
listen.owner = www
listen.group = www
listen.mode = 0777
user = www
group = www
...
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
Remove shell_exec from the disabled functions
Tune the performance settings according to the server's actual RAM
Enable Redis object storage in PHP
Check with phpinfo() that every feature is enabled
Redis configuration
Set a requirepass password for redis
Enable the Unix socket listener in redis
vim /www/server/redis/redis.conf
unixsocket /tmp/redis.sock
unixsocketperm 777
In Baota, enable ping blocking, change the ssh port, enable the system firewall, and optionally disable SELinux (same SELinux steps as above)
Create the site and the database in Baota and schedule regular backups
Edit the site's basic settings and turn off the anti-cross-site option
Use the following URL rewrite (pseudo-static) configuration
vim /www/server/panel/vhost/rewrite/testnextcloud.xxx.com.conf
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
add_header Strict-Transport-Security "max-age=15768000;includeSubDomains; preload;";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "none";
add_header X-Download-Options "noopen";
add_header X-Permitted-Cross-Domain-Policies "none";
access_log off;
}
location ~ \.(?:svg|gif|png|jpg|ico|wasm|tflite)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
location ~ \.wasm$ {
default_type application/wasm;
}
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
Edit the site's vhost file
vim /www/server/panel/vhost/nginx/testnextcloud.xxx.com.conf
server
{
listen 80;
listen 443 ssl http2;
server_name testnextcloud.xxx.com;
index index.php index.html /index.php$request_uri;
root /www/wwwroot/nextcloud/;
#SSL-START SSL settings; do not delete or modify the commented 404 rule on the next line
#error_page 404/404.html;
ssl_certificate /www/server/panel/vhost/cert/testnextcloud.xxx.com/fullchain.pem;
ssl_certificate_key /www/server/panel/vhost/cert/testnextcloud.xxx.com/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
error_page 497 https://$host$request_uri;
#SSL-END
#ERROR-PAGE-START error page settings; may be commented out, deleted or modified
#error_page 404 /404.html;
#error_page 502 /502.html;
#ERROR-PAGE-END
#PHP-INFO-START PHP include; may be commented out or modified
include enable-php-74.conf;
#PHP-INFO-END
#REWRITE-START URL rewrite include; modifying it disables the rewrite rules set in the panel
include /www/server/panel/vhost/rewrite/testnextcloud.xxx.com.conf;
#REWRITE-END
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# set max upload size and increase upload timeout:
client_max_body_size 5G;
client_body_timeout 300s;
fastcgi_buffers 64 4K;
gzip off;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Files and directories that must not be accessible
location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
{
return 404;
}
# Settings for the one-click SSL certificate validation directory
location ~ \.well-known{
allow all;
}
access_log /www/wwwlogs/testnextcloud.xxx.com.log;
error_log /www/wwwlogs/testnextcloud.xxx.com.error.log;
}
Edit the Nginx template file for the matching PHP version
vim /www/server/nginx/conf/enable-php-74.conf
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass unix:/tmp/php-cgi-74.sock;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
vim /www/server/nginx/conf/enable-php.conf
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass unix:/tmp/php-cgi-74.sock;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
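The vhost includes enable-php-74.conf before the rewrite file, so nginx evaluates the .php regex location before the two return 404 regexes. The resolver below is an added example, not part of the page or of Nextcloud's own configuration: it models nginx's location precedence over exactly the locations of this vhost (query strings ignored) and follows the legacy rewrite inside the PHP block, showing for instance that /config/config.php is caught by the PHP block and rewritten to /index.php/config/config.php rather than hitting the 404 rule, while /data/... and /.git/... are refused by the rewrite file's rules.

```python
import re

# Locations in the order nginx sees them in the vhost: enable-php-74.conf first,
# then the rewrite file, then the vhost's own rules. Entries: (modifier, pattern, action).
LOCATIONS = [
    ("=",  "/",              "front page (DavClnt -> 302 /remote.php/webdav)"),
    ("=",  "/robots.txt",    "serve robots.txt"),
    ("^~", "/.well-known",   "well-known handler (301/try_files)"),
    ("~",  r"\.php(?:$|/)",  "php-fpm"),
    ("~",  r"^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)", "404 hidden dir"),
    ("~",  r"^/(?:\.|autotest|occ|issue|indie|db_|console)",              "404 hidden file"),
    ("~*", r"\.(?:css|js)$", "static css/js"),
    ("~",  r"\.(?:svg|gif|png|jpg|ico|wasm|tflite)$", "static image/wasm"),
    ("~",  r"\.woff2?$",     "static font"),
    ("",   "/remote",        "301 /remote.php$request_uri"),
    ("",   "/",              "try_files -> /index.php$request_uri"),
    ("~",  r"^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)", "404 vhost deny"),
    ("~",  r"\.well-known",  "serve from root (vhost allow all)"),
]

# Legacy rewrite inside the php block: a URI that does not start with a known
# entry point is changed to /index.php$request_uri and resolved again.
LEGACY_REWRITE = re.compile(
    r"^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|"
    r"updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)")

def resolve(uri, depth=0):
    """Return (action, final_uri) following nginx precedence: exact match,
    then a ^~ prefix, then regexes in file order, then the longest plain prefix."""
    if depth > 10:                      # nginx's internal-redirect limit
        return ("500 rewrite loop", uri)
    for mod, pat, action in LOCATIONS:
        if mod == "=" and uri == pat:
            return (action, uri)
    best = None
    for mod, pat, action in LOCATIONS:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    if best and best[0] == "^~":        # ^~ wins without consulting the regexes
        return (best[2], uri)
    for mod, pat, action in LOCATIONS:
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            if action == "php-fpm" and LEGACY_REWRITE.match(uri):
                return resolve("/index.php" + uri, depth + 1)
            return (action, uri)
    return (best[2], uri) if best else ("no location", uri)

if __name__ == "__main__":
    for path in ("/data/secret.txt", "/config/config.php", "/.well-known/carddav",
                 "/remote.php/webdav/", "/core/css/server.css", "/.git/config"):
        print(path, "->", resolve(path))
```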
Change the proxy timeouts in Nginx's proxy.conf
vim /www/server/nginx/conf/proxy.conf
...
proxy_connect_timeout 600;
proxy_read_timeout 600;
...
Enable an SSL certificate (self-signed) for the NextCloud site in Baota
openssl req -new -x509 -days 365 -nodes -out /www/server/panel/vhost/cert/nextcloud.crt -keyout /www/server/panel/vhost/cert/nextcloud.key
Parameter | Value used for this certificate | Meaning |
---|---|---|
Country Name | CN | Country code, e.g. CN for China |
State or Province Name | … | Province name, e.g. gd or GuangDong for Guangdong |
Locality Name | … | City name, e.g. gz or GuangZhou for Guangzhou |
Organization Name | … Technology Co., Ltd. | Organisation name, usually the company's English name as shown in its business registration (e.g. on Qichacha) |
Organizational Unit Name | … Department | Organisational unit: the company department that owns the certificate |
Common Name | *.xx.com | Usually the site's domain; a wildcard domain may be used |
Email Address | …@xx.cn | Email address |
Copy the self-signed key and crt into the site's certificate settings and enable SSL for the site
cat /www/server/panel/vhost/cert/nextcloud.crt # certificate (pem) file
cat /www/server/panel/vhost/cert/nextcloud.key # private key file
[root@localhost ]# openssl x509 -in /www/server/panel/vhost/cert/nextcloud.crt -text -noout # show the certificate details
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
99:93:18:xx:xx:xx:93:5f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=..., L=..., O=... Technology Co., Ltd., OU=... Department, CN=*.xx.com/emailAddress=xx@xx.com
Validity
Not Before: Jun 1 05:34:19 2022 GMT
Not After : Jun 1 05:34:19 2023 GMT
Subject: C=CN, ST=..., L=..., O=... Technology Co., Ltd., OU=... Department, CN=*.xx.com/emailAddress=xx@xx.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
...
Deploy NextCloud
Download and install NextCloud
cd /www/wwwroot
wget https://download.nextcloud.com/server/releases/nextcloud-24.0.1.zip # download nextcloud 24.0.1
unzip nextcloud-24.0.1.zip # extract the zip file
chown www:www -R nextcloud # make www the owner of the nextcloud directory
mkdir ncdata # create the data directory; an LVM logical volume is mounted here
chown www:www -R ncdata # make www the owner of ncdata
rm /www/wwwroot/nextcloud/404.html # remove the placeholder page created by the panel
rm /www/wwwroot/ncdata/404.html
Configure NextCloud
A fresh NextCloud install has the audit and LDAP apps disabled by default; enable them now
Set the admin account's email address and the site name
Adjust the notification types
Enable NextCloud's cron-based background jobs and configure the email server
vim /etc/systemd/system/nextcloud.service
[Unit]
Description=Nextcloud cron.php job
[Service]
User=www
ExecStart=/usr/bin/php -f /www/wwwroot/nextcloud/cron.php
KillMode=process
vim /etc/systemd/system/nextcloud.timer
[Unit]
Description=Run Nextcloud cron.php every 5 minutes
[Timer]
OnBootSec=5min
OnUnitActiveSec=5min
Unit=nextcloud.service
[Install]
WantedBy=timers.target
systemctl enable --now nextcloud.timer # enable the timer at boot and start it immediately
Run NextCloud's automated check (Settings > Overview) to confirm the system is deployed and fully optimised
Tune NextCloud's Redis and other settings
vim /www/wwwroot/nextcloud/config/config.php
<?php
$CONFIG = array (
'instanceid' => '...',
'passwordsalt' => '...',
'secret' => '...',
'trusted_domains' =>
array (
0 => 'nextcloud.xx.com',
),
'datadirectory' => '/www/wwwroot/ncdata',
'dbtype' => 'mysql',
'version' => '24.0.1.1',
'overwrite.cli.url' => 'https://nextcloud.xx.com',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'nextcloud',
'dbpassword' => '...',
'installed' => true,
'default_language' => 'zh_CN',
'default_locale' => 'zh',
'force_language' => 'zh_CN',
'force_locale' => 'zh',
'default_phone_region' => 'CN',
'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
'mail_from_address' => 'support',
'mail_smtpmode' => 'smtp',
'mail_sendmailmode' => 'smtp',
'mail_domain' => 'xx.cn',
'mail_smtpauth' => 1,
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpport' => '465',
'mail_smtphost' => 'smtp.xx.com',
'mail_smtpname' => 'xx@xx.cn',
'mail_smtppassword' => '...',
'mail_smtpsecure' => 'ssl',
'log_type' => 'file',
'logfile' => '/www/wwwroot/ncdata/logs/nc.log',
'loglevel' => '1',
'logtimezone' => 'Asia/Shanghai',
'logdateformat' => 'F d, Y H:i:s',
'log.condition' =>
array(
'apps' =>
array(
0 => 'admin_audit',
),
),
'memcache.locking' => '\\OC\\Memcache\\Redis',
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'redis' =>
array(
'host' => '/tmp/redis.sock',
'port' => 0,
'dbindex' => 0,
'password' => '...',
'timeout' => 1.5,
),
);
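The config.php above fixes several settings that matter for security and stability (data directory outside the web root, https CLI URL, Redis locking with a password, explicit trusted domains). The checker below is an added example, not part of the page or of Nextcloud: it parses a constructed sample in the same shape (secrets replaced by placeholders) with a deliberately simple regex reader, which is enough for the flat keys and the redis block but is not a general PHP parser, and reports which of those points are missing.

```python
import re

# Constructed sample shaped like the config.php above (secrets are placeholders).
SAMPLE_CONFIG = r"""<?php
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => 'nextcloud.xx.com',
  ),
  'datadirectory' => '/www/wwwroot/ncdata',
  'overwrite.cli.url' => 'https://nextcloud.xx.com',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array(
    'host' => '/tmp/redis.sock',
    'password' => 'REDIS_PASSWORD_PLACEHOLDER',
  ),
);
"""

PAIR = re.compile(r"'([\w.]+)'\s*=>\s*'((?:[^'\\]|\\.)*)'")   # 'key' => 'value'
TRUSTED = re.compile(r"'trusted_domains'\s*=>\s*array\s*\((.*?)\)", re.S)

def php_unquote(v):
    """Undo the two escapes PHP allows in single-quoted strings."""
    return v.replace("\\\\", "\\").replace("\\'", "'")

def parse_config(text):
    """Flatten the scalar settings; nested keys stay unqualified, so the
    redis password is reachable simply as cfg['password']."""
    cfg = {k: php_unquote(v) for k, v in PAIR.findall(text)}
    m = TRUSTED.search(text)
    cfg["trusted_domains"] = re.findall(r"=>\s*'([^']*)'", m.group(1)) if m else []
    return cfg

def audit(text, webroot="/www/wwwroot/nextcloud"):
    """Findings for the hardening points this page's config.php touches."""
    cfg, findings = parse_config(text), []
    root = webroot.rstrip("/")
    data = cfg.get("datadirectory", "")
    if data == root or data.startswith(root + "/"):
        findings.append("datadirectory inside the web root")
    if not cfg.get("overwrite.cli.url", "").startswith("https://"):
        findings.append("overwrite.cli.url not https")
    if "memcache.locking" not in cfg:
        findings.append("no memcache.locking: file locking falls back to the database")
    if cfg.get("memcache.distributed", "").endswith("Redis") and not cfg.get("password"):
        findings.append("redis cache configured without a password (requirepass)")
    if "*" in cfg["trusted_domains"]:
        findings.append("trusted_domains contains a wildcard")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```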
Generate user avatars with a Chinese font
C:\Users\Administrator> scp -P 2222 C:\Windows\Fonts\simhei.ttf root@nextcloud.xx.com:/tmp
[root@localhost ]# mv /tmp/simhei.ttf /www/wwwroot/nextcloud/core/fonts/
vim /www/wwwroot/nextcloud/lib/private/Avatar/Avatar.php
...
$font = __DIR__ . '/../../core/fonts/simhei.ttf'; # change the font file to simhei.ttf
...
...
$font = __DIR__ . '/../../../core/fonts/simhei.ttf'; # change the font file to simhei.ttf
Run the automated check again