CentOS 8.2 搭建私有云 NextCloud

写在最前面

读万卷书不如行万里路
之前家里有个群晖DS218+，关机一个多月回来后发现无法开机，返厂维修搞不定直接折价给我退钱了(感谢jd售后)。想着DS720+即将发布就暂未入手老款机型，左等右等，等到花儿都谢了(截至7月2号还未发布新品)。无意间逛咸鱼发现一款100⁺元小主机，甚欢喜。低功耗cpu_双核1037u，千兆网卡，2.5寸SATA。很小巧，金属机身，满意，最最最重要【便宜】，这价格就不用报备了，开心拿下。_{(要不要上张图呢，算了，广告嫌疑)}

安装系统与软件

系统

小主机可以安装Windows _x64嵌入式版本，使用还算流畅。
作为喜欢折腾的我肯定不满现状，于是乎，格盘重装CentOS
重装系统很简单，CentOS8.2 下载地址¹（163下载速度真不赖）

系统更新、安装小工具

8.2的软件包维护使用的dnf命令，使用起来很方便，超级舒心

##更新
dnf update
##安装net-tools 、 unzip
dnf install -y net-tools unzip
###################常用dnf命令####################
#     dnf search nginx #查找安装包               #
#     dnf info nginx.x86_64 #查看nginx版本       #
#################################################

关闭防火墙、SELINUX

#状态
systemctl status  firewalld
#停止
systemctl stop firewalld
#删除自启动		
systemctl disable firewalld
#启动
##systemctl start firewalld
#设置自启动
##systemctl enable  firewalld

getenforce
#临时调整 重启失效
setenforce 0
cd /etc/selinux/
cp config config_`date +%Y%m%d`
##永久关闭SELINUX
sed -i 's/SELINUX=enforcing/SELINUX=Permissive/' config
getenforce

安装Nginx

#安装nginx
dnf install -y nginx

cd /etc/nginx
#删除nginx.conf中的空行和注释行
mv nginx.conf nginx.conf_`date +%Y%m%d`
grep -Ev '#|^%|^$' nginx.conf_`date +%Y%m%d` > nginx.conf
##赋权
chown nginx:nginx -R /usr/share/nginx/html

#启动nginx
systemctl start nginx
#状态
systemctl status nginx
##获取ip地址
ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d '/'

浏览器验证http://ip

安装PHP

#安装php
dnf install -y php
#启动php-fpm
systemctl start php-fpm

安装Mysql

#安装mysql
dnf install -y mysql-server
#初始化mysql	
/usr/sbin/mysqld --initialize --user=mysql
#启动mysql
systemctl start mysqld
#查询密码
grep password /var/log/mysql/mysqld.log

mysql -uroot -p
mysql> alter user 'root'@'localhost' identified by 'new-passwd';
mysql> flush privileges;
mysql> quit;

Nginx和PHP整合

##新增index.php用于测试
echo -e "<?php \nphpinfo();\n?>" > /usr/share/nginx/html/index.php
chown nginx:nginx /usr/share/nginx/html/index.php
##备份配置文件
cp /etc/nginx/conf.d/php-fpm.conf /etc/nginx/conf.d/php-fpm.conf_`date +%Y%m%d`
cp /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf_`date +%Y%m%d`

#vi /etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    root		/usr/share/nginx/html;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    server {
        listen       5001 default_server;
        listen       [::]:5001 default_server;
        server_name  _;
        include /etc/nginx/default.d/*.conf;
    	location / {
    	}
		#主要是增加这一段以及修改监听端口
		location ~ \.php$ {
	    	fastcgi_pass unix:/run/php-fpm/www.sock;
	    	fastcgi_index index.php;
	    	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	    	include fastcgi_params;
		}
    	error_page 404 /404.html;
    	location = /40x.html {
        }
    	error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}

#vi /etc/php-fpm.d/www.conf

;修改user、group
[www]
user = nginx
group = nginx
;Nextcloud客户端提及需要新增如下一行
;env[PATH] = /usr/local/bin:/usr/bin:/bin:/usr/local/php/bin

#重启服务

systemctl restart nginx
systemctl restart php-fpm

浏览器验证http://ip:5001/index.php

安装NextCloud

Nextcloud下载

版本自行确认：nextcloud-19.0.0[^{nextcloud-19.0.0}]、nextcloud-20.0.0[^{nextcloud-20.0.0}]

生成自签名ssl证书

如有域名可以自行去域名提供商处下载

mkdir -p /etc/nginx/cert
cd /etc/nginx/cert/
openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
##自用 可以随意填写
Country Name (2 letter code) [XX]:cn                       		#国家
State or Province Name (full name) []:Shanghai                  #省份
Locality Name (eg, city) [Default City]:Shanghai               	#地区名字
Organization Name (eg, company) [Default Company Ltd]:Admin    	#公司名
Organizational Unit Name (eg, section) []:Admin            		#部门
Common Name (eg, your name or your server's hostname) []:Admin  #CA主机名
Email Address []:Admin@Admin.com                                #Email地址
# 修改证书和文件夹权限
chmod 600 /etc/nginx/cert/*
chmod 700 /etc/nginx/cert

Nextcloud安装

以nextcloud-19.0.0版本为例：

ftp上传nextcloud-19.0.0.zip至/usr/share/nginx/html

cd /usr/share/nginx/html
unzip nextcloud-19.0.0.zip

#vi /etc/nginx/conf.d/nextcloud.conf³
server、server_name、ssl、root 按需修改

upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/run/php-fpm/www.sock;
}
server {
    listen 80;
    listen [::]:80;
    server_name cloud.example.com;
    # enforce https
    return 301 https://$server_name:443$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.example.com;

    ssl_certificate /etc/nginx/cert/nextcloud.crt;
    ssl_certificate_key /etc/nginx/cert/nextcloud.key;

    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /usr/share/nginx/html/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    location / {
        rewrite ^ /index.php;
    }
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }
}

#修改nginx.conf，删除server
#vi /etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    #fastcgi_buffers 8 128k;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
}

服务启动

##先赋权
chown nginx:nginx -R /var/lib/php/session/
chown nginx:nginx -R /usr/share/nginx/html
##重启nginx
systemctl restart nginx
##重启php-fpm
systemctl restart php-fpm
##重启mysql
systemctl restart mysqld

页面配置

https://ip:port/

后续

未完待续，如有以为及时评价留言^^