部署 ownCloud X 个人云

近期网盘们越来越坑…加上一年前想搭建的 ownCloud 没成功，那时候技术还不行😂

端午节下定决心要搭建好，于是用了大概半天的时间折腾完了

Q：为什么要搞这么久？

A：ownCloud 在 Nginx 到处都是坑。

本文环境

• LNMP （ Centos 7.3 + Nginx 1.12.0 + MySQL 5.7 + PHP 7.1 ）
  建议使用 lnmp.org (v1.4) 或者 ulnmp.uni9k.me 提供的一键安装包
• ossfs

安装 ossfs

正式版下载地址：https://help.aliyun.com/document_detail/32196.html

安装命令

sudo yum localinstall <your_ossfs_package>

设置 bucket name 和 AccessKeyId/Secret 信息，将其存放在 /etc/passwd-ossfs 文件中，注意这个文件的权限必须正确设置，建议设为 640。

echo my-bucket:my-access-key-id:my-access-key-secret > /etc/passwd-ossfs
chmod 640 /etc/passwd-ossfs

安装完 ownCloud 后记得将 ossfs 设置为开机启动

安装 ownCloud

从 https://download.owncloud.org/ 下载程序，并解压到站点目录

赋予正确权限

chown -R www:www <website_path>
chmod -R 0755 <website_path>

修改 Nginx 配置文件，这是博主总结出来的配置（也是本文最重要的部分😓）

upstream php-handler {
 #server 127.0.0.1:9000;
 server unix:/tmp/php-cgi.sock;
}

server {
 listen 80;
 server_name example.com;
 # enforce https
 return 301 https://$server_name$request_uri;
}

server {
 listen 443 ssl;
 server_name example.com;

 ssl on;
 ssl_certificate /etc/letsencrypt/live/cloud.jackyu.cn/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/cloud.jackyu.cn/privkey.pem;
 ssl_session_timeout 5m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
 ssl_session_cache builtin:1000 shared:SSL:10m;
 # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
 #ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

 # Add headers to serve security related headers
 # Before enabling Strict-Transport-Security headers please read into this topic first.
 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
 add_header X-Webkit-CSP "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
 #add_header X-Content-Type-Options nosniff;
 #add_header X-Frame-Options "SAMEORIGIN";
 #add_header X-XSS-Protection "1; mode=block";
 #add_header X-Robots-Tag none;
 #add_header X-Download-Options noopen;
 #add_header X-Permitted-Cross-Domain-Policies none;


 # Path to the root of your installation
 root /home/wwwroot/cloud.jackyu.cn;

 location = /robots.txt {
 allow all;
 log_not_found off;
 access_log off;
 }

 # The following 2 rules are only needed for the user_webfinger app.
 # Uncomment it if you're planning to use this app.
 rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
 rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

 location = /.well-known/carddav {
 return 301 $scheme://$host/remote.php/dav;
 }
 location = /.well-known/caldav {
 return 301 $scheme://$host/remote.php/dav;
 }

 location ^~ /.well-known/acme-challenge { }

 # set max upload size
 client_max_body_size 512M;
 fastcgi_buffers 64 4K;

 # Disable gzip to avoid the removal of the ETag header
 gzip off;

 # Uncomment if your server is build with the ngx_pagespeed module
 # This module is currently not supported.
 #pagespeed off;

 error_page 403 /core/templates/403.php;
 error_page 404 /core/templates/404.php;

 location / {
 rewrite ^ /index.php$uri;
 }

 location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
 return 404;
 }
 location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
 return 404;
 }

 location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
 include enable-php-pathinfo.conf; # LNMP 附带
 fastcgi_split_path_info ^(.+\.php)(/.*)$;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param HTTPS on;
 fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
 fastcgi_param front_controller_active true;
 fastcgi_pass php-handler;
 fastcgi_intercept_errors on;
 fastcgi_request_buffering off; #Available since NGINX 1.7.11
 
 }

 location ~ ^/(?:updater|ocs-provider)(?:$|/) {
 try_files $uri $uri/ =404;
 index index.php;
 }

 # Adding the cache control header for js and css files
 # Make sure it is BELOW the PHP block
 location ~* \.(?:css|js)$ {
 try_files $uri /index.php$uri$is_args$args;
 add_header Cache-Control "max-age=15778463";
 # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
 # Before enabling Strict-Transport-Security headers please read into this topic first.
 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
 # Optional: Don't log access to assets
 access_log off;
 }

 location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
 try_files $uri /index.php$uri$is_args$args;
 # Optional: Don't log access to other assets
 access_log off;
 }

}

配置完成后，应该可以正常访问了

按实际情况进行安装

然后

cd <website_path>
mv data ocdata
mkdir data
ossfs my-bucket <website_path>/data -ourl=http://oss-cn-hangzhou-internal.aliyuncs.com -ouid=1001 -ogid=1001 -o allow_other -o umask=007 -o noxattr
mv ocdata/* data/
# 博主的 oss 位于杭州，url 可用内网，-ouid -ogid对应的是 php 的用户ID 和用户组 ID，可用 id <user> 查询

这样就算完工了

安全性警告可以看官方文档来修复

header 的问题，我的配置文件已经解决了相关的错误

代码完整性问题注意 lnmp 自动生成的 .user.ini

关于 PHP 访问 /dev/urandom

fastcgi.conf 文件位于 nginx 的配置文件夹中，添加红字部分

fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/:/dev/urandom";

cron 的启用方法

*/15  *  *  *  * /usr/bin/php -f <website_path>/cron.php

如果有什么问题可以直接在下方留言~

Done~

 

文章最后修订于 2017年6月8日