From the Arch Linux Chinese wiki

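According to Wikipedia:Nextcloud:

Nextcloud is a suite of client-server software (relying on components called apps) that covers needs such as sharing, collaboration and communication, for example:

Nextcloud is open source and based on open standards. Data sovereignty is one of its major advantages: you can deploy your own Nextcloud instance and free yourself from proprietary (and possibly untrustworthy) services such as Dropbox, Office 365 and Google Drive.

Depending on your needs, Nextcloud can be deployed on anything from a single-board computer (such as a Raspberry Pi) to very large data centers serving millions of users. With its elaborate authorization scheme and optional federation (for connecting multiple independent instances), Nextcloud is also well suited to enterprise environments.

Nextcloud is a fork of ownCloud. For its history, see its Wikipedia page.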

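Setup overview

A complete Nextcloud installation consists of (at least) the following components:

  • a web server,
  • a matching application server that runs Nextcloud (i.e. its PHP code), and
  • a database for Nextcloud to use.

This article covers MariaDB/MySQL and PostgreSQL as the database, and the following combinations of web server and application server:

  • Nginx -> uWSGI (plus uwsgi-plugin-php)
  • Nginx -> FPM
  • Apache HTTP server (using mod_proxy_uwsgi) -> uWSGI (plus uwsgi-plugin-php)
  • Apache HTTP server (using mod_proxy_fcgi) -> FPM

The nextcloud package complies with the web application package guidelines. These require a web application to run as a dedicated user, in this case nextcloud. This is why an application server is needed. For the same reason it is not possible to execute Nextcloud's PHP code directly in Apache using php-apache.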

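Installation

Note: nextcloud can be installed based on either php or php-legacy (through its dependency on the meta package php-interpreter). This article strongly recommends installing with php-legacy to stay on the safe side (and to let you sleep soundly). See Migrating to php-legacy for details. This article assumes that you installed with php-legacy.

Install nextcloud. When asked, choose php-legacy as your PHP version. This pulls in quite a few dependencies, and most of the required PHP extensions are taken care of this way. In addition, you must install php-legacy-gd (preferably as a dependency, using pacman's --asdeps option).

It is also recommended to install the following packages (again with the --asdeps option):

Other optional dependencies are introduced later, depending on your setup (e.g. which database you choose).

Note that php-legacy ships with some modules built in (namely bcmath, exif, gmp, intl and sysvsem), which do not need to be installed explicitly.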

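Configuration

PHP

This guide does not touch PHP's main configuration file /etc/php-legacy/php.ini. Nextcloud's PHP configuration is kept in separate places so that it does not interfere with other applications using PHP. These files are:

  • A copy of php.ini in /etc/webapps/nextcloud (used by the occ command line tool and the background jobs). It is a complete copy of the stock php.ini shipped by php-legacy, with a few modifications for Nextcloud.
  • The configuration of the application server. This is covered in the application server section.

Copy /etc/php-legacy/php.ini to /etc/webapps/nextcloud (ideally, extract a pristine php.ini from the php-legacy tarball; packages are stored in /var/cache/pacman/pkg). Then, although it is not strictly necessary, change the ownership of the file for the sake of discipline: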

# cp /etc/php-legacy/php.ini /etc/webapps/nextcloud
# chown nextcloud:nextcloud /etc/webapps/nextcloud/php.ini

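Most of the PHP modules listed as required in Nextcloud's documentation are already enabled in the default PHP configuration file just copied. The following extensions still have to be enabled manually: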

/etc/webapps/nextcloud/php.ini
extension=exif
extension=gd
extension=iconv
extension=intl
extension=sysvsem
; bcmath and gmp for passwordless login
extension=bcmath
extension=gmp
; sodium for the argon2 hashing algorithm
extension=sodium
; in case you installed php-legacy-imagick (as recommended)
extension=imagick

Depending on the database you intend to use, enable the corresponding pdo_xxxx module. See: Database.

Set date.timezone to your preferred time zone, e.g.:

/etc/webapps/nextcloud/php.ini
date.timezone = Asia/Shanghai

Raise PHP's memory limit to at least 512 MiB:

/etc/webapps/nextcloud/php.ini
memory_limit = 512M

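To improve security you can also configure open_basedir, although this is optional. It limits the locations where Nextcloud's PHP code can read and write files. A proven setting is: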

/etc/webapps/nextcloud/php.ini
open_basedir=/var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom:/usr/lib/php-legacy/modules:/var/log/nextcloud:/proc/meminfo:/proc/cpuinfo

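Depending on the other extensions you have installed, you may need to extend this list; for example, if you opt for Redis, add /run/redis.

Configuring opcache is not necessary, because this php.ini is only used by the occ command line tool and the background jobs, neither of which keeps PHP processes running for long.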

Nextcloud

Add the following entries to Nextcloud's configuration file:

/etc/webapps/nextcloud/config/config.php
'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'cloud.mysite.com',
  ),    
'overwrite.cli.url' => 'https://cloud.mysite.com/',
'htaccess.RewriteBase' => '/',

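Replace the sample host name cloud.mysite.com with your own. If your Nextcloud is to be reached via a subfolder (e.g. https://www.mysite.com/nextcloud), overwrite.cli.url and htaccess.RewriteBase must be changed accordingly.

System and environment

To make sure the occ tool uses the php.ini just edited, set the environment variable NEXTCLOUD_PHP_CONFIG: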

$ export NEXTCLOUD_PHP_CONFIG=/etc/webapps/nextcloud/php.ini

Also add this line to .bashrc (or .bash_profile) to make it permanent. For privacy and security reasons, create a dedicated directory for session data:

# install --owner=nextcloud --group=nextcloud --mode=700 -d /var/lib/nextcloud/sessions


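The web application's configuration file is /etc/webapps/nextcloud/config/config.php.

Note: Nextcloud should store user data in /var/lib/nextcloud/data/, because that directory is accessible only to root and the application itself. To install apps for this web application, use /var/lib/nextcloud/apps/.

Data directory

By default, Nextcloud stores user data in /var/lib/nextcloud/data/. This location can be changed: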

/etc/webapps/nextcloud/config/config.php
$CONFIG = [
/* [..] */
'datadirectory' => '/var/lib/nextcloud/data',
/* [..] */
]
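Note: The nextcloud user needs write access to the datadirectory.

Writable apps directory

The default apps directory /usr/share/webapps/nextcloud/apps/ is not writable by nextcloud, because it is part of the package.

To install apps from the app store, a separate, writable directory can be used. By default it points to /var/lib/nextcloud/apps/ and is accessible through a symlink in the web application's root directory (/usr/share/webapps/nextcloud/wapps).

This directory can be changed: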

/etc/webapps/nextcloud/config/config.php
$CONFIG = [
/* [..] */
'apps_paths' => [
        [
                'path'=> '/usr/share/webapps/nextcloud/apps',
                'url' => '/apps',
                'writable' => false,
        ],
        [
                'path'=> '/var/lib/nextcloud/apps',
                'url' => '/wapps',
                'writable' => true,
        ],
],
/* [..] */
]
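Note:
  • apps_paths entries declared writable need to be writable by the nextcloud user. In addition, a symlink pointing to that directory has to be created in /usr/share/webapps/nextcloud/.
  • The syntax above uses PHP's short array syntax. The same can be written in the syntax used by most guides:
/etc/webapps/nextcloud/config/config.php
$CONFIG = array (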
/* [..] */
  'apps_paths' => array (
        0 => array (
                'path' => '/usr/share/webapps/nextcloud/apps',
                'url' => '/apps',
                'writable' => false,
        ),
        1 => array (
                'path' => '/var/lib/nextcloud/apps',
                'url' => '/wapps',
                'writable' => true,
        ),
  ),
/* [..] */
)

Log directory

By default, logs are written to /var/log/nextcloud/nextcloud.log. This location can be changed:

/etc/webapps/nextcloud/config/config.php
$CONFIG = [
/* [..] */
'logfile' => '/var/log/nextcloud/nextcloud.log',
/* [..] */
]

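Database

MariaDB/MySQL is the recommended choice for Nextcloud.

Most of the information about Nextcloud's database deals with MariaDB/MySQL. The Nextcloud developers admit to having less expertise with other databases.

PostgreSQL is said to deliver better performance than MariaDB/MySQL and to have fewer quirks. SQLite is mainly supported for test and development installations and is not recommended for production. The list of supported databases also includes Oracle database, which is not covered by this guide.

1. MariaDB / MySQL

Since 2013, MariaDB has been the default MySQL implementation in Arch Linux.

If you want to run the database on the same host as Nextcloud, configure and start MariaDB (if you have not done so already). See the corresponding documentation for more information. Do not forget to initialize MariaDB with the mariadb-install-db command. To improve security, it is recommended to configure MariaDB to listen only on a local Unix socket: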

/etc/my.cnf.d/server.cnf
[mysqld]
skip_networking

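Nextcloud's official documentation recommends setting the transaction isolation level to READ-COMMITTED. This is especially important when you expect high load from many concurrent transactions.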

/etc/my.cnf.d/server.cnf
[mysqld]
transaction_isolation=READ-COMMITTED

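The recommendation to set binlog_format=ROW is obsolete. The default setting MIXED of current MariaDB versions performs well enough.

Start the command line tool mysql as database user root. (The default password is empty and should be changed as soon as possible.)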

$ mysql -u root -p

Create a user and a matching database for Nextcloud:

CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'db-password';
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES on nextcloud.* to 'nextcloud'@'localhost';
FLUSH privileges;

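(Replace db-password with the password you chose for Nextcloud's database user. When finished, quit with \q.)

Note: MariaDB's interpretation of the UTF8 encoding is flawed: it cannot store characters with code points 0x10000 and above (such as emoji). MariaDB 5.5 introduced a new encoding named utf8mb4 to "fix" this. So never use MariaDB's utf8 encoding; use utf8mb4 instead. If you need to migrate, see the corresponding documentation.

Enable the corresponding extension in PHP: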

/etc/webapps/nextcloud/php.ini
extension=pdo_mysql

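Contrary to the information given in Nextcloud's admin manual, no further configuration of MariaDB is necessary.

Now set up Nextcloud's database with the following command: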

$ occ maintenance:install \
    --database=mysql \
    --database-name=nextcloud \
    --database-host=localhost:/run/mysqld/mysqld.sock \
    --database-user=nextcloud \
    --database-pass=db-password \
    --admin-pass=admin-password \
    --admin-email=admin-email \
    --data-dir=/var/lib/nextcloud/data

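Replace db-password, admin-password and admin-email with your own values. This command assumes that Nextcloud and the database run on the same host. For more options, run occ help maintenance:install and see the official documentation. See the section on using the "occ" tool for details about this tool.

2. PostgreSQL

If you want to run the database on the same host as Nextcloud, configure and start PostgreSQL (if you have not done so already). See the corresponding documentation for more information. To improve security, it is recommended to configure PostgreSQL to listen only on a local Unix socket: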

/var/lib/postgres/data/postgresql.conf
listen_addresses = ''

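In particular, do not forget to initialize the database with the initdb command. Then use PostgreSQL's command line tool psql to create a user named nextcloud and a database of the same name for it: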

[postgres]$ psql
CREATE USER nextcloud WITH PASSWORD 'db-password';
CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UNICODE';
ALTER DATABASE nextcloud OWNER TO nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
\q

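(Replace db-password with the password you chose for Nextcloud's database user.)

Install the PHP dependency php-legacy-pgsql (using pacman's --asdeps option), then enable the corresponding PHP extension: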

/etc/webapps/nextcloud/php.ini
extension=pdo_pgsql

Now set up Nextcloud's database with the following command:

$ occ maintenance:install \
    --database=pgsql \
    --database-name=nextcloud \
    --database-host=/run/postgresql \
    --database-user=nextcloud \
    --database-pass=db-password \
    --admin-pass=admin-password \
    --admin-email=admin-email \
    --data-dir=/var/lib/nextcloud/data

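Replace db-password, admin-password and admin-email with your own values. This command assumes that Nextcloud and the database run on the same host. For more options, run occ help maintenance:install and see the official documentation. See the section on using the "occ" tool for details about this tool.

Application server

uWSGI and FPM are two commonly used application servers that can process PHP code. FPM is specific to PHP; the protocol used between the web server and FPM is fastcgi. FPM's documentation leaves room for improvement. uWSGI, on the other hand, supports a number of languages, including PHP, by means of plugins; the protocol used between the web server and uWSGI is uwsgi (lowercase). uWSGI has extensive documentation, although its sheer volume can make it hard to read and confusing.

1. uWSGI

uWSGI has its own article, where a lot of useful information can be found. Install uwsgi and its plugin uwsgi-plugin-php-legacy, preferably as dependencies, i.e. with the --asdeps option. To run Nextcloud's code with uWSGI you have to create a dedicated uWSGI configuration file (nextcloud.ini) and define a systemd service.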

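Warning: It has to be said that uWSGI has seen very little maintenance lately, and its PHP plugin even less. This has already caused problems, which for now can only be solved by the Arch Linux package maintainers patching the uWSGI code, i.e. not upstream.

1.1 nextcloud.ini

The nextcloud package already includes a sample file, located in the right place: /etc/uwsgi/nextcloud.ini. In most cases you will have to adapt this file to your needs. A modified version with extensive comments (compared to the one shipped with nextcloud) is available. It provides a lean Nextcloud configuration for personal use (moderate load).

In general, the enabled extensions, their settings and open_basedir should be kept in sync with /etc/webapps/nextcloud/php.ini (except for opcache).

Tip: Changes to /etc/uwsgi/nextcloud.ini can become extensive. During package updates a file named nextcloud.ini.pacnew is created in case the original file shipped by nextcloud has changed. To keep track of changes in that file and carry them over to /etc/uwsgi/nextcloud.ini, the following approach can be used:

  • Get the nextcloud.ini provided by the package (e.g. by extracting it straight from the package) and store a copy of it named nextcloud.ini.package.
  • If a nextcloud update produces a nextcloud.ini.pacnew file, compare the old and the new file with:

diff nextcloud.ini.package nextcloud.ini.pacnew

  • Selectively apply the changes to your own nextcloud.ini, depending on whether they make sense for your version.
  • Replace nextcloud.ini.package with nextcloud.ini.pacnew.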

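1.2 uWSGI service

The uwsgi package provides a template unit file (uwsgi@.service). The instance ID (here nextcloud) is used to select the right configuration file. Enable and start uwsgi@nextcloud.service.

If you run several (e.g. 2) services like this, consider using emperor mode, which saves resources.

2. FPM

If you choose FPM as your application server, install php-legacy-fpm (preferably as a dependency, with --asdeps).

FPM's configuration consists of a copy of php.ini that applies to all applications it serves, and a so-called pool file specific to each application (here Nextcloud). Finally, the systemd service file needs to be adjusted.

2.1 php-fpm.ini

As stated above, this guide does not touch PHP's main configuration file /etc/php-legacy/php.ini. Instead, create a copy and modify that: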

# cp /etc/php-legacy/php.ini /etc/php-legacy/php-fpm.ini

Make sure the file is owned by root and writable only by root (-rw-r--r-- 1 root root ... php-fpm.ini). Enable opcache (uncomment the line):

/etc/php-legacy/php-fpm.ini
zend_extension=opcache

Then put the following below the [opcache] line:

/etc/php-legacy/php-fpm.ini
opcache.enable = 1
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 10000
opcache.memory_consumption = 128
opcache.save_comments = 1
opcache.revalidate_freq = 1
Warning: Do not try to put the settings above into the pool file by means of php_value[...] and php_flag[...]. Otherwise the FPM process will crash on the first request.

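2.2 nextcloud.conf

The next step is to create the pool file. It is responsible for spawning FPM processes dedicated to the Nextcloud application. Create the file /etc/php-legacy/php-fpm.d/nextcloud.conf; you may use the pre-configured version as a starting point.

Make sure the pool file is owned by root and writable only by root (-rw-r--r-- 1 root root ... nextcloud.conf). Depending on whether access logging is enabled (it is in the pre-configured version), create the corresponding directory for the log files (/var/log/php-fpm-legacy/access in the pre-configured version). Adapt the settings to your liking, especially pm..., php_value[...] and php_flag[...]. The php_value[...] and php_flag[...] settings should be consistent with those in /etc/webapps/nextcloud/php.ini (not /etc/php-legacy/php-fpm.ini).

The same could be achieved by modifying php-fpm.ini, but changes to php-fpm.ini apply to all applications served by FPM.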
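The ownership rules stated in this guide (sessions directory owned by nextcloud with mode 700, php-fpm.ini and the pool file owned by root and writable only by root) can be checked with a small script. This is an added example, not part of the original article or of the nextcloud package; it relies on GNU stat, and the 644 limit for the occ php.ini is an assumption, since the article only prescribes that file's owner.

```sh
#!/bin/sh
# Added example: check owner and permission bits of the files this guide creates.
# Relies on GNU stat (-c), as found on Arch Linux.

# perm_finding PATH OWNER MAXMODE
# Succeeds silently if PATH exists, belongs to OWNER and has no permission bit
# set outside MAXMODE (octal); otherwise prints one finding and returns 1.
perm_finding() {
    if [ ! -e "$1" ]; then
        echo "$1: missing"
        return 1
    fi
    owner=$(stat -c %U "$1")
    mode=$(stat -c %a "$1")
    if [ "$owner" != "$2" ]; then
        echo "$1: owned by $owner, expected $2"
        return 1
    fi
    # Any bit present in the actual mode but absent from MAXMODE is a finding.
    if [ $(( 0$mode & ~0$3 & 07777 )) -ne 0 ]; then
        echo "$1: mode $mode is wider than $3"
        return 1
    fi
}

# Walk the paths named in this article and return the number of findings.
# $1 is an optional prefix (a chroot or test directory).
# The 644 limit for the occ php.ini is an assumption of this example.
audit_nextcloud_perms() {
    findings=0
    while read -r path want_owner max_mode; do
        perm_finding "$1$path" "$want_owner" "$max_mode" || findings=$((findings + 1))
    done <<EOF
/var/lib/nextcloud/sessions nextcloud 700
/etc/webapps/nextcloud/php.ini nextcloud 644
/etc/php-legacy/php-fpm.ini root 644
/etc/php-legacy/php-fpm.d/nextcloud.conf root 644
EOF
    return "$findings"
}

audit_nextcloud_perms "" || echo "findings: $?"
```

Run it as root so that stat can reach /var/lib/nextcloud/sessions.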

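Tip: php-legacy-fpm ships a pool file of its own named www.conf, which plays no role in this guide. A good way to neutralize it is to rename it to www.conf.package and to create a file www.conf that contains only comment lines (lines starting with a semicolon). This turns www.conf into a no-op file, which is also not overwritten by updates of php-legacy-fpm. During updates the new file is installed as www.conf.pacnew instead; you can compare www.conf.package with www.conf.pacnew to check whether the new file contains significant changes. If you find changes that should be carried over to nextcloud.conf, apply them there and then rename www.conf.pacnew to www.conf.package.

2.3 systemd service

FPM runs as a systemd service. You have to modify the service configuration so that it can run Nextcloud. This is best done with a drop-in file: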

/etc/systemd/system/php-fpm-legacy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/php-fpm-legacy --nodaemonize --fpm-config /etc/php-legacy/php-fpm.conf --php-ini /etc/php-legacy/php-fpm.ini
ReadWritePaths=/var/lib/nextcloud
ReadWritePaths=/etc/webapps/nextcloud/config
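  • It replaces the ExecStart line with a start command that uses the php-fpm.ini covered in the previous section.
  • It makes the directories /var/lib/nextcloud and /etc/webapps/nextcloud/config (and everything below them) writable. ProtectSystem=full in the original service definition causes /usr, /boot and /etc to be mounted read-only for the FPM processes.

Do not forget to enable and start the php-fpm-legacy service.

2.4 Keeping /etc tidy

The nextcloud package by default installs the uWSGI configuration file /etc/uwsgi/nextcloud.ini. It is of no use to you (though it does no harm either). If you would rather not have it around at all, add the following to /etc/pacman.conf: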

/etc/pacman.conf
# uWSGI configuration that comes with Nextcloud is not needed
NoExtract = etc/uwsgi/nextcloud.ini

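Web server

There are quite a few web servers to choose from. Whichever you pick, keep in mind that the Nextcloud application has to run as its own system user, nextcloud. That is why requests need to be forwarded to one of the application servers described above.

1. nginx

Configuring nginx is clearly beyond the scope of this article; see the related article for more information. Nextcloud's official documentation also provides a detailed configuration file for reference. It is up to you how to include it in your nginx configuration. A common approach is to use the directories /etc/nginx/sites-available and /etc/nginx/sites-enabled to configure the individual servers (also known as virtual hosts) separately. See Nginx#Managing server entries.

If you use the nginx configuration from Nextcloud's documentation, change the root directory to: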

cloud.mysite.com.conf
root /usr/share/webapps/nextcloud;

The upstream php-handler { ... } part is not needed. Just specify fastcgi_pass unix:/run/php-fpm-legacy/nextcloud.sock; in the location block. When using uWSGI instead of FPM, replace the location block with:

cloud.mysite.com.conf
location ~ \.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # Avoid duplicate headers confusing OC checks
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    uwsgi_hide_header X-Download-Options;
    uwsgi_hide_header X-Permitted-Cross-Domain-Policies;
    uwsgi_pass unix:/run/uwsgi/nextcloud.sock;

}

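Things you may have to adapt (not exhaustive):

  • Your server name, i.e. the server part of the URL under which your Nextcloud is reachable.
  • The certificate and key used for SSL/TLS.
  • Where access logs are stored.
  • The location where Certbot (or another ACME client) places the domain validation challenges. Here, alias may be more appropriate than try_files.
  • The path used to reach Nextcloud (the part of the URL after server name and port).
  • The application server you use (uWSGI or FPM), i.e. how and where nginx passes PHP requests (see above).
  • Configure OCSP stapling.

Nginx does not need any additional modules, since it supports both protocols, FastCGI and uwsgi, out of the box.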

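2. Apache HTTP Server

The Apache HTTP Server article contains a lot of useful information. Nextcloud's documentation also has some sample configurations, which you can find in /usr/share/doc/nextcloud/apache.example.conf as well. They implicitly depend on mod_php, which can no longer be used; mod_proxy_fcgi or mod_proxy_uwsgi is required instead.

This wiki explains how to make Apache work with FPM. uWSGI's documentation explains how to make Apache work with uWSGI and mod_proxy_uwsgi to process PHP code. Note that the apache package includes both modules, mod_proxy_fcgi and mod_proxy_uwsgi. Enable them as required.

The following modules are required to run Nextcloud: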

/etc/httpd/conf/httpd.conf
# these are already loaded in a standard Apache installation
LoadModule headers_module modules/mod_headers.so
LoadModule env_module modules/mod_env.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule setenvif_module modules/mod_setenvif.so

# these need to be uncommented explicitly
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule proxy_module modules/mod_proxy.so

# either this one in case you use FPM
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
# or this one in case you opt for uWSGI
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so

Uncomment the following line to pull in the TLS configuration parameters:

/etc/httpd/conf/httpd.conf
Include conf/extra/httpd-ssl.conf

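For details on how to optimize the TLS configuration, see the Mozilla SSL Configuration Generator.

See the following two sample configuration files, depending on how you want to access Nextcloud:

  • For access via a host name (e.g. https://cloud.mysite.com/), put the sample into /etc/httpd/conf/extra/httpd-vhosts.conf.
  • For access via a subfolder (e.g. https://www.mysite.com/nextcloud/), put the sample into /etc/httpd/conf/httpd.conf.

Of course, adapt the sample configuration files to your actual setup. When using uWSGI, replace the SetHandler line with SetHandler "proxy:unix:/run/uwsgi/nextcloud.sock|uwsgi://nextcloud/".

The nextcloud package comes with a .htaccess file that already takes care of many rewrites and headers. Run occ maintenance:update:htaccess to adapt this file. The htaccess.RewriteBase parameter in /etc/webapps/nextcloud/config/config.php is vital for this.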

Background jobs

Nextcloud requires certain tasks to be run on a scheduled basis. See Nextcloud's documentation for some details. The easiest (and most reliable) way to set up these background jobs is to use the systemd service and timer units that are already installed by nextcloud. The service unit needs some tweaking so that the job uses the correct PHP ini-file (and not the global php.ini). Create a drop-in file and add:

/etc/systemd/system/nextcloud-cron.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/php-legacy -c /etc/webapps/nextcloud/php.ini -f /usr/share/webapps/nextcloud/cron.php

After that enable and start nextcloud-cron.timer (not the service).

As recommended by the documentation add the parameter

/etc/webapps/nextcloud/config/config.php
....
'maintenance_window_start' => 0,
....

to Nextcloud's configuration file. The value is the hour of the day in UTC defining the start of a 4-hour window. Time-consuming jobs that need to be run only once a day will be scheduled in this time frame, i.e. outside working hours.

Warning: Do not try to install and use nextcloud-systemd-timers (AUR). It is outdated and unmaintained.

In-memory caching

Nextcloud's documentation recommends applying some kind of in-memory object cache to significantly improve performance.

Note: Mind that push notify (the Nextcloud service that replaces client polling by notification by the server thus drastically reducing sync latency) depends on Redis.

APCu

Install php-legacy-apcu (as dependency --asdeps). Enable the extension in the relevant configuration files. These are

  • /etc/webapps/nextcloud/php.ini used by the occ command and the background jobs and
  • depending on the application server you use either
    • /etc/uwsgi/nextcloud.ini in case of uWSGI or
    • /etc/php-legacy/php-fpm.d/nextcloud.conf in case of FPM.

In /etc/webapps/nextcloud/php.ini add the lines

/etc/webapps/nextcloud/php.ini
extension=apcu
apc.ttl=7200
apc.enable_cli = 1

(preferably somewhere below Module Settings).

For the other two files the setting to activate APCu is already in place and only needs to be uncommented. Two other configuration parameters related to APCu are also already there. No need to touch /etc/php-legacy/php.ini or /etc/php-legacy/conf.d/apcu.ini.

Restart your application server (not the web server as Nextcloud's documentation claims). Add the following line to your Nextcloud configuration file:

/etc/webapps/nextcloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',

Redis

Install php-legacy-igbinary and php-legacy-redis (as dependency --asdeps) in case you run this component locally (i.e. on the same host as Nextcloud). Alternatively the Redis server can be run on a different machine. For more information see Nextcloud's documentation.

Note: Using Redis does not exclude using APCu in parallel as a local cache. In fact, Nextcloud's documentation recommends this setup.

Enable the required extensions igbinary and redis in the relevant configuration files. These are:

  • /etc/webapps/nextcloud/php.ini used by the occ command and the background jobs and
  • depending on the application server you use either
    • /etc/uwsgi/nextcloud.ini in case of uWSGI or
    • /etc/php-legacy/php-fpm.d/nextcloud.conf in case of FPM.

Locate the existing sections where other extensions are enabled and add two additional lines corresponding to igbinary and redis.

Note: It is important to load extension=igbinary before extension=redis. Otherwise occ will report an error (/usr/lib/php-legacy/modules/redis.so: undefined symbol: igbinary_serialize).

In case you have specified the open_basedir option in the above configuration files and use Redis locally with a local Unix socket, you have to extend the list of directories where PHP is allowed to read and write files. Locate the relevant lines in the files specified above and add the directory containing the local Unix socket created by Redis, e.g. /run/redis.

Note: The sample configuration files nextcloud.ini and nextcloud.conf mentioned in the #Application server section already have open_basedir enabled. So in case you use a copy of one of these files you have to adapt it.
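Both conditions above (open_basedir has to cover the Redis socket directory, and igbinary has to be loaded before redis) must hold in every PHP configuration in use, and the application server section asks for open_basedir to stay in sync between them. The following script is an added example, not part of the original article or of the nextcloud package. The three sample files are constructed, and loading extensions in the pool file via php_value[extension] is an assumption about your setup.

```sh
#!/bin/sh
# Added example: audit php.ini, the uWSGI ini and the FPM pool file for the
# Redis-related requirements described above.

# Print the PHP directives of one file as "key=value" lines. Understands
#   key = value (php.ini), php-set = key=value (uWSGI) and
#   php_value[key] = value (FPM pool). Commented-out lines are dropped.
php_directives() {
    sed -E -e 's/^[[:space:]]+//' -e '/^[;#]/d' \
        -e 's/^php-set[[:space:]]*=[[:space:]]*//' \
        -e 's/^php_(admin_)?(value|flag)\[([^]]+)\][[:space:]]*=[[:space:]]*/\3=/' \
        -e 's/^([A-Za-z0-9_.]+)[[:space:]]*=[[:space:]]*/\1=/' \
        -e 's/[[:space:]]+$//' "$1"
}

# Last open_basedir value set in the file (empty if unset).
open_basedir_of() {
    php_directives "$1" | sed -n 's/^open_basedir=//p' | tail -n 1
}

# Succeeds if path $2 equals or lies below one entry of the open_basedir list $1.
# Symlinks are not resolved here; PHP resolves them before checking.
basedir_allows() {
    old_ifs=$IFS; IFS=:
    for entry in $1; do
        [ -n "$entry" ] || continue
        case "$2/" in "${entry%/}"/*) IFS=$old_ifs; return 0 ;; esac
    done
    IFS=$old_ifs; return 1
}

# Entries that appear in the open_basedir of only one of the two files.
basedir_drift() {
    { open_basedir_of "$1" | tr ':' '\n' | sort -u
      open_basedir_of "$2" | tr ':' '\n' | sort -u; } | sort | uniq -u | sed '/^$/d'
}

# audit_php_config FILE REDIS_SOCKET_DIR: print one line per finding.
audit_php_config() {
    basedir=$(open_basedir_of "$1")
    if [ -n "$basedir" ] && ! basedir_allows "$basedir" "$2"; then
        echo "$1: open_basedir does not cover $2"
    fi
    order=$(php_directives "$1" | sed -n 's/^extension=//p' |
            grep -E -x 'igbinary|redis' | tr '\n' ' ')
    case "$order" in
        redis*) echo "$1: extension=redis is not preceded by extension=igbinary" ;;
    esac
}

# Constructed sample files (not taken from a real system).
make_samples() {
    cat > "$1/php.ini" <<'EOF'
open_basedir=/var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/run/redis
extension=igbinary
extension=redis
EOF
    cat > "$1/uwsgi-nextcloud.ini" <<'EOF'
[uwsgi]
php-set = open_basedir=/var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud
;php-set = extension=igbinary
php-set = extension=redis
EOF
    cat > "$1/fpm-nextcloud.conf" <<'EOF'
[nextcloud]
php_value[open_basedir] = /var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/run
php_value[extension] = igbinary
php_value[extension] = redis
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
for f in php.ini uwsgi-nextcloud.ini fpm-nextcloud.conf; do
    audit_php_config "$demo/$f" /run/redis
done
basedir_drift "$demo/php.ini" "$demo/uwsgi-nextcloud.ini"
rm -rf "$demo"
```

On a real system, point audit_php_config at /etc/webapps/nextcloud/php.ini and at /etc/uwsgi/nextcloud.ini or /etc/php-legacy/php-fpm.d/nextcloud.conf.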

Extend your Nextcloud configuration as follows:

/etc/webapps/nextcloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
     'host'     => '/run/redis/redis.sock',
     'port'     => 0,
     'dbindex'  => 0,
     'password' => '',
     'timeout'  => 1.5,
],

Again, adapt /run/redis/redis.sock as required. dbindex, password and timeout are optional.

In case Redis runs on a different machine:

/etc/webapps/nextcloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
     'host' => 'redis-host.mysite.com',
     'port' => 6379,
],

redis-host.mysite.com is just a placeholder. Adapt to your actual setup.

Security Hardening

See the Nextcloud documentation and Security. Nextcloud additionally provides a Security scanner.

uWSGI

You can run Nextcloud in its own process and service by using the uWSGI application server with uwsgi-plugin-php. This allows you to define a PHP configuration only for this instance of PHP, without the need to edit the global php.ini and thus keeping your web application configurations compartmentalized. uWSGI itself has a wealth of features to limit the resource use and to harden the security of the application, and by being a separate process it can run under its own user.

The only part that differs from #Nginx is the location ~ \.php(?:$|/) {} block:

  location ~ \.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # Avoid duplicate headers confusing OC checks
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    uwsgi_pass unix:/run/uwsgi/nextcloud.sock;
    }

Then create a config file for uWSGI:

/etc/uwsgi/nextcloud.ini
[uwsgi]
; load the required plugins
plugins = php
; force the sapi name to 'apache', this will enable the opcode cache  
php-sapi-name = apache

; set master process name and socket
; '%n' refers to the name of this configuration file without extension
procname-master = uwsgi %n
master = true
socket = /run/uwsgi/%n.sock

; drop privileges
uid    = nextcloud
gid    = nextcloud
umask  = 027

; run with at least 1 process but increase up to 4 when needed
processes = 4
cheaper = 1

; reload whenever this config file changes
; %p is the full path of the current config file
touch-reload = %p

; disable uWSGI request logging
;disable-logging = true

; enforce a DOCUMENT_ROOT
php-docroot     = /usr/share/webapps/%n
; limit allowed extensions
php-allowed-ext = .php
; and search for index.php if required
php-index = index.php

; set php configuration for this instance of php, no need to edit global php.ini
php-set = date.timezone=Etc/UTC
;php-set = open_basedir=/tmp/:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom
php-set = expose_php=false
; avoid security risk of leaving sessions in world-readable /tmp
php-set = session.save_path=/usr/share/webapps/nextcloud/data

; port of php directives set upstream in /usr/share/webapps/nextcloud/.user.ini for use with PHP-FPM
php-set = upload_max_filesize=513M
php-set = post_max_size=513M
php-set = memory_limit=512M
php-set = output_buffering=off

; load all extensions only in this instance of php, no need to edit global php.ini
;; required core modules
php-set = extension=gd
php-set = extension=iconv
;php-set = extension=zip     # enabled by default in global php.ini

;; database connectors
;; uncomment your selected driver
;php-set = extension=pdo_sqlite
;php-set = extension=pdo_mysql
;php-set = extension=pdo_pgsql

;; recommended extensions
;php-set = extension=curl    # enabled by default in global php.ini
php-set = extension=bz2
php-set = extension=intl

;; required for specific apps
;php-set = extension=ldap    # for LDAP integration
;php-set = extension=ftp     # for FTP storage / external user authentication
;php-set = extension=imap    # for external user authentication, requires php-imap

;; recommended for specific apps
;php-set = extension=exif    # for image rotation in pictures app, requires exiv2
;php-set = extension=gmp     # for SFTP storage

;; for preview generation
;; provided by packages in AUR
; php-set = extension=imagick

; opcache
php-set = zend_extension=opcache

; user cache
; provided by php-apcu, to be enabled **either** here **or** in /etc/php/conf.d/apcu.ini
php-set = extension=apcu
; per https://github.com/krakjoe/apcu/blob/simplify/INSTALL
php-set = apc.ttl=7200
php-set = apc.enable_cli=1

; web server is already handling URL rewriting, so tell NextCloud not to repeat this
env = front_controller_active=true

cron2 = minute=-15,unique=1 /usr/bin/php -f /usr/share/webapps/nextcloud/cron.php 1>/dev/null
Note:
  • Do not forget to set your timezone and uncomment the required database connector in the uWSGI config file.
  • The open_basedir directive is optional and commented out. You can uncomment to harden security. Be aware that it may occasionally break things.
  • Use php-docroot = /usr/share/webapps if placing nextcloud in /nextcloud subdirectory.
Warning: The way the Nextcloud background job is currently set up with uWSGI cron will make use of the default global configuration from /etc/php/php.ini. This means that none of the specific parameters defined (e.g. required modules) will be enabled, leading to various issues. One solution is to copy /etc/php/php.ini to e.g. /etc/uwsgi/cron-php.ini, make the required modifications there (mirroring /etc/uwsgi/nextcloud.ini parameters) and reference it in the cron directive by adding the -c /etc/uwsgi/cron-php.ini option to the php invocation.

Activation

uWSGI provides a template unit that allows starting and enabling applications using their configuration file name as instance identifier. For example, starting uwsgi@nextcloud.socket would start it on demand referencing the configuration file /etc/uwsgi/nextcloud.ini.

To enable the uwsgi service by default at start-up, enable uwsgi@nextcloud.socket.

Note: Here we make use of systemd socket activation to prevent unnecessary resource consumption when no connections are made to the instance. If you would rather have it constantly active, simply remove the .socket part to start and enable the service instead.

See also UWSGI#Running uWSGI.

Synchronization

Desktop

The official client can be installed with the owncloud-client or nextcloud-client package. Alternative versions are available in the AUR: owncloud-client-git (AUR). Additional packages are needed for some features:

  • Auto-login: All of them use qtkeychain-qt5 to store and retrieve account-specific access tokens. To achieve auto-login when the client starts, one of optional dependencies of qtkeychain should be installed as well. Moreover, if you choose libsecret as the backend for qtkeychain, a service that provides org.freedesktop.secrets should be running when the client starts.
  • File manager integration: for nextcloud-client, integration with file managers (e.g., show Nextcloud folders in GTK+ file dialogs) requires another package, nextcloud-client-cloudproviders. owncloud-client already includes cloudproviders support by default.

Calendar

To access your Nextcloud calendars using Mozilla Thunderbird's Lightning calendar you would use the following URL:

https://ADDRESS/remote.php/caldav/calendars/USERNAME/CALENDARNAME

To access your Nextcloud calendars using CalDAV-compatible programs like Kontact or Evolution, you would use the following URL:

https://ADDRESS/remote.php/caldav

For details see the official documentation.

Contacts

To sync contacts with Thunderbird, see these instructions [dead link 2021-05-17] from the official doc.

Mounting files with davfs2

If you want to mount your Nextcloud using WebDAV, install davfs2 (as described in davfs2).

To mount your Nextcloud, use:

# mount -t davfs https://your_domain/nextcloud/remote.php/dav/files/username/ /path/to/mount

You can also create an entry for this in /etc/fstab

/etc/fstab
https://your_domain/nextcloud/remote.php/dav/files/username/ /path/to/mount davfs rw,user,noauto 0 0
Tip: In order to allow automount you can also store your username (and password if you like) in a file as described in davfs2#Storing credentials.
Note: If creating/copying files is not possible, while the same operations work on directories, see davfs2#Creating/copying files not possible and/or freezes.

Mounting files in GNOME Files (Nautilus)

You can access the files directly in Nautilus ('+ Other Locations') through the WebDAV protocol: use the link as shown in the Web GUI of your Nextcloud installation (typically: https://example.org/remote.php/webdav/ [dead link 2021-05-17]) but replace the protocol name 'https' with 'davs'. Nautilus will ask for user name and password when trying to connect.

Android

Download the official Nextcloud app from Google Play or F-Droid.

To enable contacts and calendar sync (Android 4+):

  1. download DAVx5 (Play Store, F-Droid)
  2. Enable mod_rewrite.so in httpd.conf
  3. create a new DAVdroid account in the Account settings, and specify your "short" server address and login/password couple, e.g. https://cloud.example.com (there is no need for the /remote.php/{carddav,webdav} part if you configured your web server with the proper redirections, as illustrated previously in the article; DAVdroid will find itself the right URLs)

iOS

Download the official Nextcloud app from the App Store.

Tips and tricks

Using the ownCloud console

A useful tool for server administration is occ, documented here. You can perform many common server operations with occ, such as managing users and configuring apps.

Tip: A convenience wrapper around /usr/share/webapps/nextcloud/occ is provided with /usr/bin/occ, which automatically runs as the default user (nextcloud), using the default PHP and PHP configuration file. The environment variables NEXTCLOUD_USER, NEXTCLOUD_PHP and NEXTCLOUD_PHP_CONFIG can be used to specify a non-default user, PHP executable and PHP configuration file (respectively).
Warning: When using php-apcu for caching, make sure to set apc.enable_cli=1 in /etc/php/conf.d/apcu.ini, as the occ command will otherwise run out of memory (FS#69726).

Pacman hook

To automatically upgrade the Nextcloud database on package update, you can make use of the included pacman hook:

 # mkdir -vp /etc/pacman.d/hooks
 # ln -sv /usr/share/doc/nextcloud/nextcloud.hook /etc/pacman.d/hooks/
Note: The packaged pacman hook implies that the global php.ini is used for the application.

Running Nextcloud in a subdirectory

By including the default nextcloud.conf in httpd.conf, Nextcloud will take control of port 80 and your localhost domain.

If you would like to have Nextcloud run in a subdirectory, then

For apache, edit the /etc/httpd/conf/extra/nextcloud.conf you included and comment out the <VirtualHost *:80> ... </VirtualHost> part of the include file.

For nginx, you can use the following config when using Nextcloud with uwsgi:

/etc/nginx/conf.d/nextcloud.conf
location = /.well-known/carddav {
  return 301 $scheme://$host/nextcloud/remote.php/dav;
}

location = /.well-known/caldav {
  return 301 $scheme://$host/nextcloud/remote.php/dav;
}

location /.well-known/acme-challenge { }

location ^~ /nextcloud {

  root /usr/share/webapps;

  # set max upload size
  client_max_body_size 512M;
  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  location /nextcloud {
    rewrite ^ /nextcloud/index.php$uri;
  }

  location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
  }

  location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }

  location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
    try_files $uri/ =404;
    index index.php;
  }

  location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # Avoid duplicate headers confusing OC checks
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    uwsgi_pass unix:/run/uwsgi/nextcloud.sock;
  }

  # Adding the cache control header for js and css files
  # Make sure it is BELOW the PHP block
  location ~* \.(?:css|js) {
    try_files $uri /nextcloud/index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers  (It is intended
    # to have those duplicated to the ones above)
    # Before enabling Strict-Transport-Security headers please read
    # into this topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Do not log access to assets
    access_log off;
  }

  location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg) {
    try_files $uri /nextcloud/index.php$uri$is_args$args;
    # Optional: Do not log access to other assets
    access_log off;
  }
}
Note: Do not forget to configure the .well-known URLs for service discovery. For more information, see the General troubleshooting and Service discovery sections of the Nextcloud documentation.

Docker

See the ownCloud or Nextcloud repository for Docker.

Upload and share from File Manager

shareLinkCreator provides the ability to upload a file to OwnCloud via a supported file manager and receive a link to the uploaded file which can then be emailed or shared in another way.

Defining Background Jobs

Nextcloud requires some tasks to be executed on a schedule. By default it does this using AJAX, but AJAX is the least reliable method, and using Cron instead is recommended. However, Arch Linux ships with systemd, so the preferred way of executing scheduled tasks is a systemd timer.

Manual install

First create a service:

/etc/systemd/system/nextcloudcron.service
[Unit]
Description=Nextcloud cron.php job

[Service]
User=nextcloud
ExecStart=/usr/bin/php -f /usr/share/webapps/nextcloud/cron.php

[Install]
WantedBy=basic.target

Then create a timer for that service:

/etc/systemd/system/nextcloudcron.timer
[Unit]
Description=Run Nextcloud cron.php every 5 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=5min
Unit=nextcloudcron.service

[Install]
WantedBy=timers.target

Activate timer

Start/enable nextcloudcron.timer.

Confirm that the timer is active by running:

# systemctl list-timers

AUR package

Install nextcloud-systemd-timersAUR.

Provided services can be checked with:

$ pacman -Ql nextcloud-systemd-timers

For instance, to run the cron.php script every 5 minutes:

# systemctl start nextcloud-cron.timer
# systemctl enable nextcloud-cron.timer

Collabora Online Office integration

Some content of this article needs expansion.

Reason: What is the correct domain (or server_name in the config) when Nextcloud runs in a subdirectory? (Discuss in Talk:Nextcloud)

Solution with Docker

First, install the docker package to provide the Collabora files and set up a Collabora server.

Start/enable docker.service.

Then, download the official Docker image:

# docker pull collabora/code

Then start a Collabora server. Make sure cloud\\.example\\.com is your Nextcloud's domain, not Collabora's:

# docker run -t -d -p 127.0.0.1:9980:9980 -e "domain=cloud\\.example\\.com" --restart always --cap-add MKNOD collabora/code

Also make sure to escape all dots with double backslashes (\\), since this string will be evaluated as a regular expression (and your bash 'eats' the first backslash). If you want to use the Docker container with more than one Nextcloud, you will need to use 'domain=cloud\\.example\\.com\|second\\.example\\.com' instead (all hosts are separated by \|). When using localhost as the domain for testing, you need to add --net host to ensure the Docker container can access your Nextcloud server.

If you need to delete or reinstall the Collabora server, proceed as follows.

Find the CONTAINER_ID of the server:

# docker ps

Stop and delete it:

# docker stop CONTAINER_ID
# docker rm CONTAINER_ID

Further, follow the instructions for the web server you are using:

Nginx setup example:

Add the following to your Nextcloud domain config or add a new config file in the /etc/nginx/conf.d/ directory. (Do not forget to change office.example.com and ssl_certificate to the right values. If you are using the Docker image, change http to https.)

/etc/nginx/conf.d/example.conf
upstream office.example.com {
    server 127.0.0.1:9980;
}

server {
    listen 443 ssl;
    server_name office.example.com;
 
    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem;

    # static files
    location ^~ /loleaflet {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_buffering off;
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ /lool {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }

    location ^~ /hosting/capabilities {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

}

Reload nginx:

# nginx -s reload

or restart nginx.service.

Apache setup example:

Add the following to the Nextcloud config file. Do not forget to change the values to the right ones for your setup.

/etc/httpd/conf/extra/nextcloud.conf
<VirtualHost *:443>
ServerName office.nextcloud.com:443

# SSL configuration, you may want to take the easy route instead and use Let's Encrypt!
SSLEngine on
SSLCertificateFile /path/to/signed_certificate
SSLCertificateChainFile /path/to/intermediate_certificate
SSLCertificateKeyFile /path/to/private/key
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool https://127.0.0.1:9980/lool
ProxyPassReverse    /lool https://127.0.0.1:9980/lool
</VirtualHost>

After configuring these, restart Apache by restarting httpd.service.
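The SSLProtocol and SSLCipherSuite lines above still admit TLS 1.0/1.1 (deprecated by RFC 8996) and 3DES suites. The following check is an added example, not part of the original article; lint_apache_tls is a hypothetical name and the sample is a shortened, constructed excerpt of the config above.

```shell
#!/bin/sh
# Added example: flag legacy TLS protocol versions and cipher suites in an
# Apache mod_ssl configuration read from stdin.

# Constructed sample: the page's SSLProtocol line and a shortened cipher list.
SAMPLE_APACHE_TLS='SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on'

# Prints one finding per line, prefixed with the input line number.
# Protocol names are matched with the spelling used in the Apache docs.
lint_apache_tls() {
    awk '
        tolower($1) == "sslprotocol" {
            split("", on)                       # start from an empty set
            for (i = 2; i <= NF; i++) {
                t = $i
                if (tolower(t) == "all" || tolower(t) == "+all") {
                    on["SSLv3"] = on["TLSv1"] = on["TLSv1.1"] = 1
                    on["TLSv1.2"] = on["TLSv1.3"] = 1
                } else if (tolower(t) == "-all") {
                    split("", on)               # drop everything enabled so far
                } else if (t ~ /^-/) {
                    delete on[substr(t, 2)]     # -SSLv3 and the like
                } else {
                    sub(/^\+/, "", t)
                    on[t] = 1                   # +TLSv1.2 or a bare TLSv1.2
                }
            }
            if ("SSLv3" in on)   print "line " NR ": SSLProtocol leaves SSLv3 enabled"
            if ("TLSv1" in on)   print "line " NR ": SSLProtocol leaves TLSv1 enabled"
            if ("TLSv1.1" in on) print "line " NR ": SSLProtocol leaves TLSv1.1 enabled"
        }
        tolower($1) == "sslciphersuite" {
            # The cipher string is the last field; entries starting with "!"
            # are exclusions and therefore not findings.
            n = split($NF, c, ":")
            for (i = 1; i <= n; i++)
                if (c[i] !~ /^!/ && c[i] ~ /DES|RC4|MD5|NULL|EXP/)
                    print "line " NR ": legacy cipher " c[i]
        }
    '
}

# Demo on the constructed sample; use `lint_apache_tls < file` for a real config.
printf '%s\n' "$SAMPLE_APACHE_TLS" | lint_apache_tls
```

A configuration such as `SSLProtocol -all +TLSv1.2 +TLSv1.3` with an AES-GCM/CHACHA20-only cipher list produces no findings.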

Install the Nextcloud app

Go to the Apps section, choose “Office & Text” and install the “Collabora Online” app. In the admin panel, select the Collabora Online tab and specify the server's domain you have set up before.

Solution without Docker

The collabora-online-server-nodockerAUR package provides the Collabora Office (the desktop suite) and the “CODE” (Collabora Online Development Edition) server, which is based on “lool” (LibreOffice OnLine).

Alter the /etc/loolwsd/loolwsd.xml file, so that:

  • config > server_name contains the host and port of the public Nextcloud address, separated by a colon (e.g. example.org:443),
  • config > ssl > enable is false (i.e. web browser —HTTPS→ proxy —HTTP→ loolwsd),
  • config > ssl > termination is true (I suppose you’ll manage TLS at the proxy level),
  • config > storage > wopi > host reflects the actual hostname (or pattern) of the proxy server (e.g. (?:.*\.)?example\.org),
  • config > admin_console > username and config > admin_console > password are set to values of your choice.

Then:

  • start and enable loolwsd.service;
  • configure Nginx by creating a server block including /etc/nginx/snippets/loolwsd.conf, and restart it. Example with SSL (change office.example.com and ssl_certificate to the right values):
/etc/nginx/conf.d/example.conf
server {
    listen 443 ssl;
    server_name office.example.com;

    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem;

    include snippets/loolwsd.conf;
}
  • in Nextcloud, install the "Collabora Online" app. In the admin panel select the Collabora Online tab and specify the server domain name you have just set up.

Disabling app recommendations

By default, Nextcloud recommends apps to new clients, which can result in a lot of notifications. To stop this, disable the recommendation app using occ.

Troubleshooting

This article or section is out of date.

Reason: A lot of references to OwnCloud, are these still valid with Nextcloud? (Discuss in Talk:Nextcloud)

By default, the logs of the web application are available in /var/log/nextcloud/nextcloud.log.

Issues with permissions and setup after upgrade to >= 21.0.0

Note: Before nextcloud 21.0.0, the web application was run using the http user. This is a security concern with regard to cross-application access by this user (it has access to all data of all web applications).

Since version 21.0.0, nextcloud more closely follows the web application package guidelines. This introduces the separate user nextcloud, under which the web application is run.

After an upgrade from nextcloud < 21.0.0 make sure that

  • neither the data directory[broken link: invalid section] nor the writable apps directory[broken link: invalid section] is located below /usr/share/webapps/nextcloud/, as that directory is owned by root
  • both the data directory[broken link: invalid section] and the writable apps directory[broken link: invalid section], alongside all files beneath them, are writable and owned by the nextcloud user
  • the web application configuration file resides in /etc/webapps/nextcloud/config/ and that directory and its contents are writable and owned by the nextcloud user
  • an application server, such as php-fpm or uWSGI, is configured to run the web application as the nextcloud user and not the http user
  • update the cron job/systemd timer to run with the new user
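The checklist above can be verified from a shell. The following is an added example, not part of the original article or the nextcloud package; the function names are hypothetical, and /path/to/data and /path/to/apps stand for your own data and writable apps directories.

```shell
#!/bin/sh
# Added example: audit the post-upgrade checklist for Nextcloud >= 21.0.0.

NEXTCLOUD_ROOT=/usr/share/webapps/nextcloud   # root-owned package directory

# Succeeds when path $1 is NOT located below the package directory.
# Purely textual: symlinks and ".." components are not resolved.
outside_package_dir() {
    case "$1/" in
        "$NEXTCLOUD_ROOT"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints every entry below $2 that is not owned by user $1 (name or numeric
# uid) or lacks the owner write bit. Succeeds only when nothing is printed;
# errors from find (for example a missing directory) count as findings.
not_owned_or_readonly() {
    findings=$(find "$2" \( ! -user "$1" -o ! -perm -200 \) -print 2>&1)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Prints the User= value set in a systemd unit file (drop-ins are not read).
service_user() {
    sed -n 's/^[[:space:]]*User=//p' "$1" | tail -n 1
}

# audit_nextcloud_upgrade USER DIR...
# Prints OK/FAIL per directory and returns non-zero if any check failed.
audit_nextcloud_upgrade() {
    audit_user=$1
    shift
    audit_status=0
    for audit_dir in "$@"; do
        if ! outside_package_dir "$audit_dir"; then
            echo "FAIL $audit_dir: located below $NEXTCLOUD_ROOT"
            audit_status=1
        elif ! not_owned_or_readonly "$audit_user" "$audit_dir" >/dev/null; then
            echo "FAIL $audit_dir: entries not owned or not writable by $audit_user"
            audit_status=1
        else
            echo "OK   $audit_dir"
        fi
    done
    return "$audit_status"
}

# Typical use, as root, with your own paths in place of the placeholders:
#   audit_nextcloud_upgrade nextcloud /path/to/data /path/to/apps /etc/webapps/nextcloud/config
#   [ "$(service_user /etc/systemd/system/nextcloudcron.service)" = nextcloud ]
```

Run `not_owned_or_readonly nextcloud DIR` on its own to list the offending entries instead of only the verdict.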

Environment variables not available

Uncomment the line in /etc/php/php-fpm.d/www.conf as per Nextcloud documentation:

 env[PATH] = /usr/local/bin:/usr/bin:/bin

Self-signed certificate not accepted

ownCloud uses Wikipedia:cURL and Wikipedia:SabreDAV to check if WebDAV is enabled. If you use SSL/TLS with a self-signed certificate, e.g. as shown in LAMP, and access ownCloud's admin panel, you will see the following error message:

Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.

Assuming that you followed the LAMP tutorial, execute the following steps:

Create a local directory for non-distribution certificates and copy LAMP's certificate there. This will prevent ca-certificates-updates from overwriting it.

# cp /etc/httpd/conf/server.crt /usr/share/ca-certificates/WWW.EXAMPLE.COM.crt

Add WWW.EXAMPLE.COM.crt to /etc/ca-certificates.conf:

WWW.EXAMPLE.COM.crt

Now, regenerate your certificate store:

# update-ca-certificates

Restart the httpd service to activate your certificate.

Self-signed certificate for Android devices

Once you have followed the setup for SSL, as on Apache HTTP Server#TLS for example, early versions of DAVdroid will reject the connection because the certificate is not trusted. A certificate can be made as follows on your server:

# openssl x509 -req -days 365 -in /etc/httpd/conf/server.csr -signkey /etc/httpd/conf/server.key -extfile android.txt -out CA.crt
# openssl x509 -inform PEM -outform DER -in CA.crt -out CA.der.crt 

The file android.txt should contain the following:

basicConstraints=CA:true

Then import CA.der.crt to your Android device:

Put the CA.der.crt file onto the sdcard of your Android device (usually to the internal one, e.g. save from a mail attachment). It should be in the root directory. Go to Settings > Security > Credential storage and select Install from device storage. The .crt file will be detected and you will be prompted to enter a certificate name. After importing the certificate, you will find it in Settings > Security > Credential storage > Trusted credentials > User.

Thanks to: [1]

Another way is to import the certificate directly from your server via CAdroid[dead link 2020-04-01 ⓘ] and follow the instructions there.

Cannot write into config directory!

If you have set open_basedir in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf), make sure that it includes /etc/webapps.

Restart the web server to apply the change.

If you are getting this error after an upgrade from Nextcloud 17 to Nextcloud 18, also see #Explicitly permit Nextcloud directories for php-fpm[broken link: invalid section].

Cannot create data directory

If you have set open_basedir in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf), make sure that it includes the data directory.

Restart the web server to apply the change.

CSync failed to find a specific file.

This is most likely a certificate issue. Recreate it, and do not leave the common name empty or you will see the error again.

# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt

Seeing white page after login

The cause is probably a new app that you installed. To fix that, you can use the occ command as described here. So with

sudo -u http php /usr/share/webapps/nextcloud/occ app:list

you can list all apps (if you installed nextcloud in the standard directory), and with

sudo -u http php /usr/share/webapps/nextcloud/occ app:disable <nameOfExtension>

you can disable the troubling app.

Alternatively, you can either use phpMyAdmin to edit the oc_appconfig table (if you got lucky and the table has an edit option), or do it by hand with mysql:

mysql -u root -p owncloud
MariaDB [owncloud]> delete from oc_appconfig where appid='<nameOfExtension>' and configkey='enabled' and configvalue='yes';
MariaDB [owncloud]> insert into oc_appconfig (appid,configkey,configvalue) values ('<nameOfExtension>','enabled','no');

This should delete the relevant configuration from the table and add it again.

GUI sync client fails to connect

If using HTTP basic authentication, make sure to exclude "status.php", which must be publicly accessible. [2]

GUI tray icon disappears, but client still running in the background

After waking up from a suspended state, the Nextcloud client tray icon may disappear from the system tray. A workaround is to delay the startup of the client, as noted here. This can be done with the .desktop file, for example:

.local/share/applications/nextcloud.desktop
...
Exec=bash -c 'sleep 5 && nextcloud'
...

Some files upload, but give an error 'Integrity constraint violation...'

You may see the following error in the ownCloud sync client:

   SQLSTATE[23000]: Integrity constraint violation: ... Duplicate entry '...' for key 'fs_storage_path_hash')...

This is caused by an issue with the File Locking app, which is often not sufficient to keep conflicts from occurring on some webserver configurations. A more complete Transactional File Locking is available that gets rid of these errors, but you must be using the Redis PHP caching method. Install redis and php-redis, comment out your current PHP cache mechanism, and then in /etc/php/conf.d/redis.ini uncomment extension=redis. Then in config.php make the following changes:

   'memcache.local' => '\OC\Memcache\Redis',
   'filelocking.enabled' => 'true',
   'memcache.locking' => '\OC\Memcache\Redis',
   'redis' => array(
        'host' => 'localhost',
        'port' => 6379,
        'timeout' => 0.0,
         ),

and start/enable redis.service.

Finally, disable the File Locking app, as the Transactional File Locking will take care of it (and would conflict).

If everything is working, you should see 'Transactional File Locking Enabled' under Server Status on the Admin page, and syncs should no longer cause issues.

"Cannot write into apps directory"

As mentioned in the official admin manual, either you need an apps directory that is writable by the http user, or you need to set appstoreenabled to false.

If you have set open_basedir in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf), it may be necessary to add your /path/to/data directory to the string on the line starting with php_admin_value open_basedir :

/etc/httpd/conf/extra/nextcloud.conf
php_admin_value open_basedir "/path/to/data/:/srv/http/:/dev/urandom:/tmp/:/usr/share/pear/:/usr/share/webapps/nextcloud/:/etc/webapps/nextcloud"

Installed apps get blocked because of MIME type error

If you are putting your apps folder outside of the nextcloud installation directory make sure your webserver serves it properly.

In nginx this is accomplished by adding a location block to the nginx configuration as the folder will not be included in it by default.

location ~ /apps2/(.*)$ {
    alias /var/www/nextcloud/apps/$1;
}

CSS and JS resources blocked due to MIME type error

If you load your Nextcloud web gui and it's missing styles etc. check the browser's console logs for lines like:

The resource from “https://example.com/core/css/guest.css?v=72c34c37-0” was blocked due to MIME type (“text/plain”) mismatch (X-Content-Type-Options: nosniff).

There are a few possible reasons. Possibly you have not included any MIME types in your nginx.conf; if so, add the following to nginx.conf:

types_hash_max_size 2048;
types_hash_bucket_size 128;
include mime.types;

Here we use the mime.types provided by mailcap. Due to the large number of types included, we increase the allowed size of the types hash.

Other possible reasons for these errors are missing permissions on the files. Make sure the files are owned by http:http and can be read and written to by this user.

Security warnings even though the recommended settings have been included in nginx.conf

At the top of the admin page there might be a warning to set the Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection and X-Robots-Tag according to https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/harden_server.html[dead link 2020-04-01 ⓘ] even though they are already set like that.

A possible cause could be that because owncloud sets those settings, uwsgi passed them along and nginx added them again:

$ curl -I https://domain.tld
...
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none

While the fast_cgi sample config has a parameter to avoid that ( fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice ), when using uwsgi and nginx the following modification of the uwsgi part in nginx.conf could help:

 /etc/nginx/nginx.conf
...
        # pass all .php or .php/path urls to uWSGI
        location ~ ^(.+\.php)(.*)$ {
            include uwsgi_params;
            uwsgi_modifier1 14;
            # hide the following headers received from uwsgi, because otherwise we would send them twice since we already add them in nginx itself
            uwsgi_hide_header X-Frame-Options;
            uwsgi_hide_header X-XSS-Protection;
            uwsgi_hide_header X-Content-Type-Options;
            uwsgi_hide_header X-Robots-Tag;
            #Uncomment line below if you get connection refused error. Remember to comment out line with "uwsgi_pass 127.0.0.1:3001;" below
            uwsgi_pass unix:/run/uwsgi/owncloud.sock;
            #uwsgi_pass 127.0.0.1:3001;
        }
...
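To check a server for the duplication shown above, the headers can be counted mechanically. This is an added example, not part of the original article; the function names are hypothetical, and the sample input is the curl output from this section with a constructed status line.

```shell
#!/bin/sh
# Added example: report security headers that a response carries more than
# once, which is what happens when both the application and nginx set them.

# Headers named in the admin-page warning quoted in this section.
SECURITY_HEADERS="strict-transport-security x-content-type-options x-frame-options x-xss-protection x-robots-tag"

# Sample from this section; the status line is constructed.
SAMPLE_HEADERS='HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none'

# Reads raw response headers on stdin (for example from `curl -sI URL`) and
# prints "<lowercased name> <count>" for each duplicated security header,
# sorted by name. Header names are compared case-insensitively.
dup_security_headers() {
    awk -v wanted="$SECURITY_HEADERS" '
        BEGIN {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++) watch[w[i]] = 1
        }
        {
            sub(/\r$/, "")              # curl output keeps CRLF line endings
            colon = index($0, ":")
            if (colon == 0) next        # status line or blank separator
            name = tolower(substr($0, 1, colon - 1))
            if (name in watch) count[name]++
        }
        END {
            for (name in count)
                if (count[name] > 1) print name, count[name]
        }
    ' | sort
}

# Succeeds when the headers on stdin contain no duplicated security header,
# so it can be used as a post-deployment check.
headers_clean() {
    [ -z "$(dup_security_headers)" ]
}

# Demo on the sample; for a live server: curl -sI https://domain.tld | dup_security_headers
printf '%s\n' "$SAMPLE_HEADERS" | dup_security_headers
```

Strict-Transport-Security is not reported for the sample because it appears only once there.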

"Reading from keychain failed with error: 'No keychain service available'"

For GNOME, this can be fixed by installing the following two packages: libgnome-keyring and gnome-keyring. For KDE, install libgnome-keyring and qtkeychain-qt5.

FolderSync: "Method Not Allowed"

FolderSync needs access to /owncloud/remote.php/webdav, so you could create another alias for owncloud in your /etc/httpd/conf/extra/nextcloud.conf:

  <IfModule mod_alias.c>
    Alias /nextcloud /usr/share/webapps/nextcloud/
    Alias /owncloud /usr/share/webapps/nextcloud/
  </IfModule>

See also