Linux、Nginx、MariaDB环境下部署Nextcloud14的过程

前几天，脑子一抽买了阿里云ECS后，一直有点后悔，但已经买了，也退不掉。所以这几天一直在想着装个什么，不能浪费啊！！！最后思来想去，决定要不装个私有云盘玩玩。网上的私有云盘有SeaFile、Owncloud、Nextcloud这三个主要的。通过综合比较，SeaFile不免费，Owncloud与Nextcloud原是一家，最终决定那就先装Nextcloud吧。既然决定了，那就不能闲着，说干就干！！

本此主要在CentOS7.4下安装和配置最新版本的 Nextcloud 14，并且会通过 Nginx 和 PHP7.2-FPM 来运行 Nextcloud，同时使用 MariaDB 做为数据库系统。

阿里云ECS的系统是Centos7.4版本

[root@chyiyanghost~]#cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core) 

将自带的epel、nginx、php全部卸载（rpm -e … –nodeps）

[root@chyiyanghost~]#rpm -qa|grep php
[root@chyiyanghost~]#rpm -qa|grep php-common
[root@chyiyanghost~]#rpm -qa|grep nginx

CentOS默认的yum源中并不包含Nginx和php-fpm，首先要为CentOS添加epel源：

[root@chyiyanghost~]#yum -y install epel-release
[root@chyiyanghost~]#yum -y install nginx

需要再添加一个yum源来安装php-fpm，可以使用webtatic

[root@chyiyanghost~]#rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

安装php7.2-fpm和一些其它的必要的组件

[root@chyiyanghost~]#yum -y install php72w-fpm php72w-cli php72w-gd php72w-mcrypt php72w-mysql php72w-pear php72w-xml php72w-mbstring php72w-pdo php72w-json php72w-pecl-apcu php72w-pecl-apcu-devel

需要说明的是php72为php7.2，如果要装php7.1就改为php71，php7.0就是php70
完成后，检查一下php-fpm是否已正常安装

[root@chyiyanghost~]#php -v
PHP 7.2.11 (cli) (built: Oct 11 2018 19:14:35) (NTS)
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

配置php-fpm

root@chyiyanghost~]#vim /etc/php-fpm.d/www.conf
.....
user = nginx                                    //将用户和组都改为nginx
group = nginx
.....
listen = 127.0.0.1:9000                         //php-fpm所监听的端口为9000
......
env[HOSTNAME] = $HOSTNAME                       //去掉下面几行注释
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

按ESC，输入wq！保存退出。
在/var/lib目录下为session路径创建一个新的文件夹，并将用户名和组设为nginx

[root@chyiyanghost~]#mkdir -p /var/lib/php/session
[root@chyiyanghost~]#chown nginx:nginx -R /var/lib/php/session/
[root@chyiyanghost~]#ll -d /var/lib/php/session/
drwxr-xr-x 2 nginx nginx 4096 Nov 1 12:23 /var/lib/php/session/

启动Nginx和php-fpm服务，并添加开机启动

[root@chyiyanghost~]#systemctl start php-fpm
[root@chyiyanghost~]#systemctl start nginx
[root@chyiyanghost~]#systemctl enable php-fpm
Created symlink from /etc/systemd/system/multi-user.target.wants/php-fpm.service to /usr/lib/systemd/system/php-fpm.service. //提示成功信息
[root@chyiyanghost~]#systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.     //提示成功信息

使用MaraiDB作为Nextcloud数据库。yum安装MaraiDB服务

[root@chyiyanghost~]#yum -y install mariadb mariadb-server

启动MariaDB服务并添加开机启动

[root@chyiyanghost~]#systemctl start mariadb
[root@chyiyanghost~]#systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.  //提示信息

接下来设置MariaDB的root密码

[root@chyiyanghost~]#mysql_secure_installation             //按照提示设置密码，首先会询问当前密码，密码默认为空，直接回车即可
Enter current password for root (enter for none):          //直接回车
Set root password?[Y/n]Y
New password:                                              //输入新密码
Re-enter new password:                                     //再次输入新密码
Remove anonymous users?[Y/n]Y
Disallow root login remotely?[Y/n]Y
Remove test database and access to it?[Y/n]Y
Reload privilege tables now?[Y/n]Y

设置完MariaDB的密码后，使用命令行登录MariaDB，并为Nextcloud创建相应的用户和数据库。
例如数据库为nextcloud_db，用户为nextclouduser，密码为nextcloudpasswd：

[root@chyiyanghost~]#mysql -p
......
MariaDB [(none)]>create database nextcloud_db;
Query OK, 1 row affected (0.00sec)
MariaDB [(none)]>create user nextclouduser@localhost identified by'nextcloudpasswd';
Query OK, 0 rows affected (0.00sec)
MariaDB [(none)]>grant all privileges on nextcloud_db.* to nextclouduser@localhost identified by'nextcloudpasswd';
Query OK, 0 rows affected (0.00sec)
MariaDB [(none)]>flush privileges;
Query OK, 0 rows affected (0.00sec)
MariaDB [(none)]>exit
Bye

为SSL证书创建一个新的文件夹：

[root@chyiyanghost~]#mkdir -p /etc/nginx/cert/
[root@chyiyanghost~]#cd /etc/nginx/cert/
[root@chyiyanghost cert]#openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
.....
Country Name (2 letter code) [XX]:cn                                           //国家
State or Province Name (full name) []:shaanxi                                  //省份
Locality Name (eg, city) [Default City]:shaanxi                                //地区名字
Organization Name (eg, company) [Default Company Ltd]:chyiyang                 //公司名
Organizational Unit Name (eg, section) []:Technology                           //部门
Common Name (eg, your name or your server's hostname) []:chyiyang              //CA主机名
Email Address []:330601425@qq.com

然后将证书文件的权限设置为660

[root@chyiyanghost cert]#chmod 700 /etc/nginx/cert
[root@chyiyanghost cert]#chmod 600 /etc/nginx/cert/*

[root@chyiyanghost~]#yum -y install wget unzip
[root@chyiyanghost~]#cd /usr/local/src/
[root@chyiyanghost src]#wget https://download.nextcloud.com/server/releases/nextcloud-14.0.3.zip
[root@chyiyanghost src]#unzip nextcloud-14.0.3.zip
[root@nextcloud-server src]#ls
nextcloud nextcloud-14.0.3.zip
[root@chyiyanghost src]#mv nextcloud /usr/share/nginx/html/

进入Nginx的root目录，并为Nextcloud创建data目录，将Nextcloud的用户和组修改为nginx

[root@chyiyanghost src]#mv nextcloud /usr/share/nginx/html/
[root@chyiyanghost src]#cd /usr/share/nginx/html/
[root@chyiyanghost html]#mkdir -p nextcloud/data/
[root@chyiyanghost html]#chown nginx:nginx -R nextcloud/
[root@chyiyanghost html]#ll -d nextcloud
drwxr-xr-x 15 nginx nginx 4096 Nov  1 15:50 nextcloud

进入Nginx的虚拟主机配置文件所在目录并创建一个新的虚拟主机配置（记得修改两个server_name为自己的域名）：

[root@chyiyanghost html]#cd /etc/nginx/conf.d/
[root@chyiyanghost conf.d]#vim nextcloud.conf
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}     
server {
    listen 80;
    server_name chyiyang.net;
    # enforce https
    return 301 https://$server_name$request_uri;
}     
server {
    listen 443 ssl;
    server_name chyiyang.net;     
    ssl_certificate /etc/nginx/cert/nextcloud.crt;
    ssl_certificate_key /etc/nginx/cert/nextcloud.key;     
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000;
    includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;     
    # Path to the root of your installation
    root /usr/share/nginx/html/nextcloud/;     
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
     
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php service=host-meta-json
    # last;
     
    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }
     
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
     
    # Disable gzip to avoid the removal of the ETag header
    gzip off;
     
    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
     
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
     
    location / {
        rewrite ^ /index.php$uri;
    }
     
    location ~ ^/( :build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/( :\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
     
    location ~ ^/( :index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php( :$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
     
    location ~ ^/( :updater|ocs-provider)( :$|/) {
        try_files $uri/ =404;
        index index.php;
    }
     
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.( :css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000;includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
     
    location ~* \.( :svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

接下来测试以下配置文件是否有错误，确保没有问题后重启Nginx服务。

[root@chyiyanghost conf.d]#nginx -t
nginx:the configuration file /etc/nginx/nginx.conf syntax is ok
nginx:configuration file /etc/nginx/nginx.conf test is successful
[root@chyiyanghost conf.d]#systemctl restart nginx

可以选择关闭Firewalld和SELinux

[root@chyiyanghost~]#systemctl stop firewalld

[root@chyiyanghost~]#systemctl disable firewalld

[root@chyiyanghost~]#setenforce 0

[root@chyiyanghost~]#getenforce
disable

[root@chyiyanghost~]#cat /etc/sysconfig/selinux
......
SELINUX=disabled

首先需要安装SElinux管理工具policycoreutils-python

[root@chyiyanghost~]#yum -y install policycoreutils-python

接着设置SELinux

[root@chyiyanghost~]#semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/data(/.*)'
[root@chyiyanghost~]#semanage fcontext -a -t httpd_sys_rw_content_t'/usr/share/nginx/html/nextcloud/config(/.*)'
[root@chyiyanghost~]#semanage fcontext -a -t httpd_sys_rw_content_t'/usr/share/nginx/html/nextcloud/apps(/.*)'
[root@chyiyanghost~]#semanage fcontext -a -t httpd_sys_rw_content_t'/usr/share/nginx/html/nextcloud/assets(/.*)'
[root@chyiyanghost~]#semanage fcontext -a -t httpd_sys_rw_content_t'/usr/share/nginx/html/nextcloud/.htaccess'
[root@chyiyanghost~]#semanage fcontext -a -t httpd_sys_rw_content_t'/usr/share/nginx/html/nextcloud/.user.ini'
[root@chyiyanghost~]#restorecon -Rv'/usr/share/nginx/html/nextcloud/'

接下来设置Firewlld防火墙，为Nextcloud开放http和https两个端口

[root@chyiyanghost~]#systemctl start firewalld
[root@chyiyanghost~]#systemctl enable firewalld
[root@chyiyanghost~]#firewall-cmd --permanent --add-service=http
[root@chyiyanghost~]#firewall-cmd --permanent --add-service=https
[root@chyiyanghost~]#firewall-cmd --reload

解析上面nginx中配置的域名chyiyang.net，访问访问http://chyiyang.net进行Nextcloud界面安装（访问http域名会自动跳转到https，安装提示安装即可！）

至此，nextcloud算是部署完成了。