近期网盘们越来越坑…加上一年前想搭建的 ownCloud 没成功,那时候技术还不行😂
端午节下定决心要搭建好,于是用了大概半天的时间折腾完了
Q:为什么要搞这么久?
A:ownCloud 在 Nginx 到处都是坑。
本文环境
- LNMP ( Centos 7.3 + Nginx 1.12.0 + MySQL 5.7 + PHP 7.1 )
建议使用 lnmp.org (v1.4) 或者 ulnmp.uni9k.me 提供的一键安装包 - ossfs
安装 ossfs
正式版下载地址:https://help.aliyun.com/document_detail/32196.html
安装命令
sudo yum localinstall <your_ossfs_package>
设置 bucket name 和 AccessKeyId/Secret 信息,将其存放在 /etc/passwd-ossfs 文件中,注意这个文件的权限必须正确设置,建议设为 640。
echo my-bucket:my-access-key-id:my-access-key-secret > /etc/passwd-ossfs chmod 640 /etc/passwd-ossfs
安装完 ownCloud 后记得将 ossfs 设置为开机启动
安装 ownCloud
从 https://download.owncloud.org/ 下载程序,并解压到站点目录
赋予正确权限
chown -R www:www <website_path> chmod -R 0755 <website_path>
修改 Nginx 配置文件,这是博主总结出来的配置(也是本文最重要的部分😓)
upstream php-handler {
#server 127.0.0.1:9000;
server unix:/tmp/php-cgi.sock;
}
server {
listen 80;
server_name example.com;
# enforce https
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/cloud.jackyu.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.jackyu.cn/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
# openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
#ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Webkit-CSP "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
#add_header X-Content-Type-Options nosniff;
#add_header X-Frame-Options "SAMEORIGIN";
#add_header X-XSS-Protection "1; mode=block";
#add_header X-Robots-Tag none;
#add_header X-Download-Options noopen;
#add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /home/wwwroot/cloud.jackyu.cn;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location ^~ /.well-known/acme-challenge { }
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
return 404;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
return 404;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
include enable-php-pathinfo.conf; # LNMP 附带
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off; #Available since NGINX 1.7.11
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "max-age=15778463";
# Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into this topic first.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
}
配置完成后,应该可以正常访问了
按实际情况进行安装
然后
cd <website_path> mv data ocdata mkdir data ossfs my-bucket <website_path>/data -ourl=http://oss-cn-hangzhou-internal.aliyuncs.com -ouid=1001 -ogid=1001 -o allow_other -o umask=007 -o noxattr mv ocdata/* data/ # 博主的 oss 位于杭州,url 可用内网,-ouid -ogid对应的是 php 的用户ID 和用户组 ID,可用 id <user> 查询
这样就算完工了
安全性警告可以看官方文档来修复
header 的问题,我的配置文件已经解决了相关的错误
代码完整性问题注意 lnmp 自动生成的 .user.ini
关于 PHP 访问 /dev/urandom
fastcgi.conf 文件位于 nginx 的配置文件夹中,添加红字部分
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/:/dev/urandom";
cron 的启用方法
*/15 * * * * /usr/bin/php -f <website_path>/cron.php
如果有什么问题可以直接在下方留言~
Done~
文章最后修订于 2017年6月8日
评论 (0)