Nextcloud is client-server software (extended by components called apps) that covers needs such as sharing, collaboration and communication, for example:
Nextcloud is open source and built on open standards. Data sovereignty is one of its major strengths: you can run your own Nextcloud instance and free yourself from proprietary (and possibly untrustworthy) services such as Dropbox, Office 365 and Google Drive.
Nextcloud scales from a single-board computer (such as a Raspberry Pi) up to very large data centres serving millions of users. It has a carefully designed authorization scheme and an optional federation scheme (for connecting several independent instances), so it is also well suited to enterprise deployments.
Nextcloud is a fork of ownCloud; for its history, see its Wikipedia page.
Installation overview
A complete Nextcloud installation consists of (at least) the following components:
- a web server;
- an application server paired with it, which runs Nextcloud (i.e. the PHP code);
- a database for Nextcloud to use.
This article covers MariaDB/MySQL or PostgreSQL as the database, combined with the following web server and application server pairings:
- Nginx -> uWSGI (plus uwsgi-plugin-php)
- Nginx -> FPM
- Apache HTTP server (using mod_proxy_uwsgi) -> uWSGI (plus uwsgi-plugin-php)
- Apache HTTP server (using mod_proxy_fcgi) -> FPM
The nextcloud package follows the Web application package guidelines, which require a web application to run as a dedicated user, in this case nextcloud. This is why an application server is used; for the same reason, running Nextcloud's PHP code directly inside Apache via php-apache is not possible.
Installation
Install the nextcloud package. When asked, choose the php-legacy package as your PHP version; this pulls in a fair number of dependencies, and most of the required PHP extensions are covered this way. In addition you must install the php-legacy-gd package (preferably as a dependency, using pacman's --asdeps option).
It is also recommended to install the following packages (again with --asdeps):
- php-legacy-sodium for the argon2 hashing algorithm
- php-legacy-imagick and librsvg for preview generation
Other optional dependencies are covered later, depending on your setup (for example which database you choose).
Note that the php-legacy package already ships some modules (namely bcmath, exif, gmp, intl and sysvsem); these do not need to be installed explicitly.
Configuration
PHP
This guide does not modify PHP's main configuration file /etc/php-legacy/php.ini. Nextcloud's PHP configuration lives in separate places so that it does not interfere with other applications using PHP. These files are:
- A copy of php.ini in /etc/webapps/nextcloud (used by the occ command-line tool and the background jobs). This is a complete copy of the original php.ini provided by the php-legacy package, with a few modifications for Nextcloud.
- The configuration of the application server, covered in the application server section.
Copy /etc/php-legacy/php.ini to /etc/webapps/nextcloud (or, better, extract a pristine php.ini from the php-legacy tarball kept in /var/cache/pacman/pkg). Then, although not strictly required, adjust the ownership of the file as a matter of good practice:
# cp /etc/php-legacy/php.ini /etc/webapps/nextcloud
# chown nextcloud:nextcloud /etc/webapps/nextcloud/php.ini
Most of the PHP modules required by the Nextcloud documentation are already enabled in the default PHP configuration file you just copied. The following extensions still need to be enabled manually:
/etc/webapps/nextcloud/php.ini
extension=exif
extension=gd
extension=iconv
extension=intl
extension=sysvsem
; bcmath and gmp for passwordless login
extension=bcmath
extension=gmp
; sodium for the argon2 hashing algorithm
extension=sodium
; in case you installed php-legacy-imagick (as recommended)
extension=imagick
Depending on the database you intend to use, enable the corresponding pdo_xxxx module. See: Database.
Set date.timezone to your preferred time zone, for example:
/etc/webapps/nextcloud/php.ini
date.timezone = Asia/Shanghai
Raise PHP's memory limit to at least 512 MiB:
/etc/webapps/nextcloud/php.ini
memory_limit = 512M
For added security you can also configure open_basedir, though this is not required. It restricts where Nextcloud's PHP code may read and write files. A verified setting is:
/etc/webapps/nextcloud/php.ini
open_basedir=/var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom:/usr/lib/php-legacy/modules:/var/log/nextcloud:/proc/meminfo:/proc/cpuinfo
Depending on the other extensions you install, you may need to extend this list; for example, if you opt for Redis, /run/redis must be added.
Configuring opcache is not necessary, because this php.ini is only used by the occ command-line tool and the background jobs, neither of which runs PHP frequently.
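As an added example (not part of the page or the nextcloud package), the following POSIX shell script checks a copy of the occ php.ini for the settings this section asks for: the explicitly enabled extensions, a memory_limit of at least 512M, date.timezone, and, where open_basedir is set, the directories of the verified value. Function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the Arch wiki page: sanity-check a copied
# /etc/webapps/nextcloud/php.ini against the settings this section asks for.
# The function names are hypothetical; the extension and directory lists are the
# ones given on the page.

# Extensions the page enables explicitly in the occ php.ini.
NC_REQUIRED_EXTS="exif gd iconv intl sysvsem bcmath gmp sodium imagick"
# Directories contained in the page's verified open_basedir value.
NC_BASEDIR_PATHS="/var/lib/nextcloud /tmp /usr/share/webapps/nextcloud /etc/webapps/nextcloud /dev/urandom /usr/lib/php-legacy/modules /var/log/nextcloud /proc/meminfo /proc/cpuinfo"

# Print the active value of a directive (last uncommented "KEY = value" line).
# Usage: ini_value FILE KEY
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Convert a php.ini size such as 512M or 1G to bytes (empty input yields 0).
ini_bytes() {
    n=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    case "$1" in
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Kk]) echo $((n * 1024)) ;;
        *)     echo "${n:-0}" ;;
    esac
}

# Print every required extension that has no active "extension=NAME" line.
missing_extensions() {
    for ext in $NC_REQUIRED_EXTS; do
        grep -Eq "^[[:space:]]*extension[[:space:]]*=[[:space:]]*$ext([[:space:]]|\$)" "$1" \
            || printf '%s\n' "$ext"
    done
}

# Print every path from NC_BASEDIR_PATHS that open_basedir does not contain.
# Prints nothing when open_basedir is unset (the page treats it as optional).
missing_basedirs() {
    basedir=$(ini_value "$1" open_basedir)
    [ -n "$basedir" ] || return 0
    for dir in $NC_BASEDIR_PATHS; do
        case ":$basedir:" in
            *":$dir:"*) ;;
            *) printf '%s\n' "$dir" ;;
        esac
    done
}

# Report all problems found; return 0 only when the file matches the page's settings.
check_nextcloud_php_ini() {
    status=0
    for ext in $(missing_extensions "$1"); do
        echo "missing extension: $ext"; status=1
    done
    limit=$(ini_value "$1" memory_limit)
    # -1 means unlimited in PHP and is accepted as well.
    if [ "$limit" != "-1" ] && [ "$(ini_bytes "$limit")" -lt $((512 * 1024 * 1024)) ]; then
        echo "memory_limit is '$limit'; the page asks for at least 512M"; status=1
    fi
    if [ -z "$(ini_value "$1" date.timezone)" ]; then
        echo "date.timezone is not set"; status=1
    fi
    for dir in $(missing_basedirs "$1"); do
        echo "open_basedir does not include $dir"; status=1
    done
    return $status
}

# Constructed sample input (not a real system file): the page's settings with
# one mistake, extension=sodium left commented out.
write_sample_ini() {
    cat > "$1" <<'EOF'
[PHP]
memory_limit = 512M
date.timezone = Asia/Shanghai
open_basedir=/var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom:/usr/lib/php-legacy/modules:/var/log/nextcloud:/proc/meminfo:/proc/cpuinfo
extension=exif
extension=gd
extension=iconv
extension=intl
extension=sysvsem
extension=bcmath
extension=gmp
;extension=sodium
extension=imagick
extension=pdo_mysql
EOF
}
# On a real system: check_nextcloud_php_ini /etc/webapps/nextcloud/php.ini
```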
Nextcloud
Add the following entries to Nextcloud's configuration file:
/etc/webapps/nextcloud/config/config.php
'trusted_domains' => array (
  0 => 'localhost',
  1 => 'cloud.mysite.com',
),
'overwrite.cli.url' => 'https://cloud.mysite.com/',
'htaccess.RewriteBase' => '/',
Replace the example hostname cloud.mysite.com with your own. If your Nextcloud is reached through a subfolder (for example https://www.mysite.com/nextcloud), overwrite.cli.url and htaccess.RewriteBase must be changed accordingly.
System and environment
To make sure Nextcloud uses the php.ini just edited as the configuration file for the occ tool, set the NEXTCLOUD_PHP_CONFIG environment variable:
$ export NEXTCLOUD_PHP_CONFIG=/etc/webapps/nextcloud/php.ini
Also add it to .bashrc (or .bash_profile) to make it permanent.
For privacy and security reasons, create a dedicated directory for session data:
# install --owner=nextcloud --group=nextcloud --mode=700 -d /var/lib/nextcloud/sessions
The web application's configuration file is /etc/webapps/nextcloud/config/config.php.
/var/lib/nextcloud/data/, because that directory is accessible only by root and the application itself. To install software used by this web application, use /var/lib/nextcloud/apps/.
Data directory
By default Nextcloud stores user data in /var/lib/nextcloud/data/; this location can be changed:
/etc/webapps/nextcloud/config/config.php
$CONFIG = [
  /* [..] */
  'datadirectory' => '/var/lib/nextcloud/data',
  /* [..] */
];
The nextcloud user needs write access to datadirectory.
Writable apps directory
The nextcloud user cannot write to the default apps directory /usr/share/webapps/nextcloud/apps/, because it is part of the package.
To install apps from the app store, a separate writable directory can be used. It defaults to /var/lib/nextcloud/apps/ and is reachable through a symbolic link in the web application's root directory (/usr/share/webapps/nextcloud/wapps).
This directory can be changed:
/etc/webapps/nextcloud/config/config.php
$CONFIG = [
  /* [..] */
  'apps_paths' => [
    [
      'path' => '/usr/share/webapps/nextcloud/apps',
      'url' => '/apps',
      'writable' => false,
    ],
    [
      'path' => '/var/lib/nextcloud/apps',
      'url' => '/wapps',
      'writable' => true,
    ],
  ],
  /* [..] */
];
- apps_paths entries declared writable must be writable by the nextcloud user. In addition, a symbolic link pointing to that directory must be created in /usr/share/webapps/nextcloud/.
- The syntax above uses PHP's short array syntax. It can also be written in the syntax most guides use:
/etc/webapps/nextcloud/config/config.php
$CONFIG = array (
  /* [..] */
  'apps_paths' => array (
    0 => array (
      'path' => '/usr/share/webapps/nextcloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => array (
      'path' => '/var/lib/nextcloud/apps',
      'url' => '/wapps',
      'writable' => true,
    ),
  ),
  /* [..] */
);
Log directory
By default the log is written to /var/log/nextcloud/nextcloud.log; this location can be changed:
/etc/webapps/nextcloud/config/config.php
$CONFIG = [
  /* [..] */
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  /* [..] */
];
Database
MariaDB/MySQL is the recommended choice for Nextcloud.
Most of the material on Nextcloud databases concerns MariaDB/MySQL; the Nextcloud developers admit that they have less expertise with other databases.
PostgreSQL is said to deliver better performance than MariaDB/MySQL with fewer dialect quirks. SQLite is mainly supported for test/development installations and is not recommended for production. The list of supported databases also includes Oracle Database, which this guide does not cover.
1. MariaDB / MySQL
Since 2013, MariaDB has been the default MySQL implementation in Arch Linux.
If you want to run the database on the same host as Nextcloud, configure and start MariaDB (if you have not done so already). See that article for more information. Do not forget to initialize MariaDB with the mariadb-install-db command. For better security it is recommended to configure MariaDB to listen only on the local Unix socket:
/etc/my.cnf.d/server.cnf
[mysqld]
skip_networking
Nextcloud's official documentation recommends setting the transaction isolation level to READ-COMMITTED. This matters most when you expect high load from many concurrent transactions.
/etc/my.cnf.d/server.cnf
[mysqld]
transaction_isolation=READ-COMMITTED
The advice to set binlog_format=ROW is outdated; the default MIXED in current MariaDB versions performs well enough.
Start the mysql command-line tool as database user root (the default password is empty and should be changed as soon as possible):
$ mysql -u root -p
Create the user and the matching database for Nextcloud:
CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'db-password';
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES on nextcloud.* to 'nextcloud'@'localhost';
FLUSH privileges;
(Replace db-password with the password you chose for the Nextcloud database user. Exit with \q when done.)
Enable the corresponding extension in PHP:
/etc/webapps/nextcloud/php.ini
extension=pdo_mysql
Contrary to the information in the Nextcloud admin manual, no additional MariaDB settings are necessary.
Complete the database installation with:
$ occ maintenance:install \
    --database=mysql \
    --database-name=nextcloud \
    --database-host=localhost:/run/mysqld/mysqld.sock \
    --database-user=nextcloud \
    --database-pass=db-password \
    --admin-pass=admin-password \
    --admin-email=admin-email \
    --data-dir=/var/lib/nextcloud/data
Replace db-password, admin-password and admin-email with your own values. This command assumes Nextcloud and the database run on the same host. For more options see the official documentation (or run occ help maintenance:install). See Using the occ tool for details on this tool.
2. PostgreSQL
If you want to run the database on the same host as Nextcloud, configure and start PostgreSQL (if you have not done so already). See that article for more information. For better security it is recommended to configure PostgreSQL to listen only on the local Unix socket:
/var/lib/postgres/data/postgresql.conf
listen_addresses = ''
In particular, do not forget to initialize the database with the initdb command. Then use PostgreSQL's command-line tool psql to create a user named nextcloud and a database, also named nextcloud, for it:
[postgres]$ psql
CREATE USER nextcloud WITH PASSWORD 'db-password';
CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UNICODE';
ALTER DATABASE nextcloud OWNER TO nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
\q
(Replace db-password with the password you chose for the Nextcloud database user.)
Install the PHP dependency php-legacy-pgsql (with pacman's --asdeps option), then enable the corresponding PHP extension:
/etc/webapps/nextcloud/php.ini
extension=pdo_pgsql
Complete the database installation with:
$ occ maintenance:install \
    --database=pgsql \
    --database-name=nextcloud \
    --database-host=/run/postgresql \
    --database-user=nextcloud \
    --database-pass=db-password \
    --admin-pass=admin-password \
    --admin-email=admin-email \
    --data-dir=/var/lib/nextcloud/data
Replace db-password, admin-password and admin-email with your own values. This command assumes Nextcloud and the database run on the same host. For more options see the official documentation (or run occ help maintenance:install). See Using the occ tool for details on this tool.
Application server
The uwsgi package and FPM are two common application servers for handling PHP code. FPM is PHP-specific and talks to the web server via the FastCGI protocol; its documentation leaves room for improvement. uWSGI supports several languages, PHP among them, through plugins, and talks to the web server via the uwsgi protocol (lower case). uWSGI has extensive documentation, although its sheer volume can make it hard to navigate and confusing.
1. uWSGI
uWSGI has its own article with plenty of useful information. Install the uwsgi package and its plugin uwsgi-plugin-php-legacy, preferably as dependencies (with the --asdeps option). To run Nextcloud's code with uWSGI you must create a dedicated uWSGI configuration file (nextcloud.ini) and define a systemd service.
1.1 nextcloud.ini
The nextcloud package already ships an example file in the right place, /etc/uwsgi/nextcloud.ini. You will normally have to adapt it to your needs. A heavily commented, modified version (compared with the one shipped with nextcloud) is available; it provides a lean Nextcloud configuration for personal use (moderate load).
In general, the enabled extensions, their configuration and open_basedir should be kept in sync with /etc/webapps/nextcloud/php.ini (except for opcache).
Your changes to /etc/uwsgi/nextcloud.ini will probably be extensive. During package updates a file named nextcloud.ini.pacnew is created whenever the original file provided by the nextcloud package has changed. To review the changes in the new file and apply them to /etc/uwsgi/nextcloud.ini more easily, proceed as follows:
- Obtain the nextcloud.ini file provided by the package (for example by extracting it directly from the package), keep a copy of it and name it nextcloud.ini.package.
- If a nextcloud.ini.pacnew file appears after a nextcloud package update, compare the old and new files with:
diff nextcloud.ini.package nextcloud.ini.pacnew
- Selectively apply the changes to your own nextcloud.ini, depending on whether they are relevant to your setup.
- Replace nextcloud.ini.package with nextcloud.ini.pacnew.
1.2 uWSGI service
The uwsgi package provides a template unit file (uwsgi@.service). The instance ID (here nextcloud) selects the matching configuration file. Enable and start uwsgi@nextcloud.service.
If you run several (say two) of these, consider emperor mode, which is more resource-friendly.
2. FPM
If you choose FPM as your application server, install the php-legacy-fpm package (preferably as a dependency, with --asdeps).
FPM's configuration consists of a copy of php.ini that applies to all applications it serves, plus a pool file generated for each application (here Nextcloud). Finally, the systemd service file needs adjusting.
2.1 php-fpm.ini
As mentioned before, this guide does not modify PHP's main configuration file /etc/php-legacy/php.ini; instead, create and modify a copy of it:
# cp /etc/php-legacy/php.ini /etc/php-legacy/php-fpm.ini
Make sure the file is owned by root and writable only by root (-rw-r--r-- 1 root root ... php-fpm.ini). Enable opcache (uncomment the line):
/etc/php-legacy/php-fpm.ini
zend_extension=opcache
Then put the following below the [opcache] line:
/etc/php-legacy/php-fpm.ini
opcache.enable = 1
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 10000
opcache.memory_consumption = 128
opcache.save_comments = 1
opcache.revalidate_freq = 1
2.2 nextcloud.conf
The next step is to create the pool file. It is responsible for spawning dedicated FPM processes for the Nextcloud application. Create /etc/php-legacy/php-fpm.d/nextcloud.conf; you may take this preconfigured version as a starting point.
Make sure the pool file is owned by root and writable only by root (-rw-r--r-- 1 root root ... nextcloud.conf). Depending on whether access logging is enabled (it is in the preconfigured version), create the matching directory for the log file (/var/log/php-fpm-legacy/access in the preconfigured version). Adapt the configuration to your liking (in particular pm..., php_value[...] and php_flag[...]). php_value[...] and php_flag[...] should agree with /etc/webapps/nextcloud/php.ini (not with /etc/php-legacy/php-fpm.ini).
The same effect can be achieved by modifying php-fpm.ini, but changes to php-fpm.ini affect all applications served by FPM.
The pool file www.conf plays no role in this guide. A good way to prevent it from taking effect is to rename it www.conf.package and create a www.conf containing only comment lines (lines starting with a semicolon). This turns www.conf into a no-op, and the file will not be overwritten by php-legacy-fpm package updates either. During an update the new file is named www.conf.pacnew; compare www.conf.package with www.conf.pacnew to check whether the new file contains significant changes. If you find changes that require regenerating nextcloud.conf, rename www.conf.pacnew to www.conf.package once you are done with nextcloud.conf.
2.3 systemd service
FPM runs as a systemd service. You should adjust the service configuration so that it can run Nextcloud. The best way is a drop-in file:
/etc/systemd/system/php-fpm-legacy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/php-fpm-legacy --nodaemonize --fpm-config /etc/php-legacy/php-fpm.conf --php-ini /etc/php-legacy/php-fpm.ini
ReadWritePaths=/var/lib/nextcloud
ReadWritePaths=/etc/webapps/nextcloud/config
- It replaces the ExecStart line with a start command that uses the php-fpm.ini from the previous section.
- It makes the directories /var/lib/nextcloud and /etc/webapps/nextcloud/config (and everything below them) writable. ProtectSystem=full in the original service definition exposes /usr, /boot and /etc read-only to the FPM process by default.
2.4 Keeping /etc tidy
By default, Nextcloud creates the uWSGI configuration file /etc/uwsgi/nextcloud.ini. This file is of no use to you (though it does no harm either). If you do not want it in your directory at all, add the following to /etc/pacman.conf:
/etc/pacman.conf
# uWSGI configuration that comes with Nextcloud is not needed
NoExtract = etc/uwsgi/nextcloud.ini
Web server
There is a fair number of web servers to choose from. Whatever you pick, remember that the Nextcloud application must run as its own system user nextcloud. This is why requests have to be forwarded to one of the application servers described above.
1. nginx
Configuring nginx is clearly beyond the scope of this article; see the relevant article for more information. Nextcloud's official documentation also provides a detailed configuration file for reference. How you integrate it into your nginx configuration is up to you. A common approach is to use the /etc/nginx/sites-available and /etc/nginx/sites-enabled directories to configure different servers (also called virtual hosts) separately. See Nginx#Managing server entries.
If you use the nginx configuration provided by the Nextcloud documentation, change the root directory to:
cloud.mysite.com.conf
root /usr/share/webapps/nextcloud;
The upstream php-handler { ... } section is not needed. Just specify fastcgi_pass unix:/run/php-fpm-legacy/nextcloud.sock; in the location block.
When using uWSGI instead of FPM, replace the location block with:
cloud.mysite.com.conf
location ~ \.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # Avoid duplicate headers confusing OC checks
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    uwsgi_hide_header X-Download-Options;
    uwsgi_hide_header X-Permitted-Cross-Domain-Policies;
    uwsgi_pass unix:/run/uwsgi/nextcloud.sock;
}
You may (partly) have to take care of the following:
- Your server name, i.e. the server part of the URL under which your Nextcloud is reachable.
- The name of the certificate and the key used for SSL/TLS.
- The location of the access log.
- The location where Certbot (or another ACME client) stores domain validation challenges. Here alias may be more appropriate than try_files.
- The path under which Nextcloud is accessed (the part of the URL after server name and port).
- The application server you are using (uWSGI or FPM), i.e. how and where nginx passes the PHP code to be executed (see above).
- OCSP stapling configuration.
nginx needs no additional modules, since it natively supports both protocols, FastCGI and uwsgi.
2. Apache HTTP server
The Apache HTTP Server article contains plenty of useful information. Nextcloud's documentation also has some sample configurations, and you can find them in /usr/share/doc/nextcloud/apache.example.conf as well. The implicit dependency on mod_php is no longer available; use mod_proxy_fcgi or mod_proxy_uwsgi instead.
You can find how to make Apache work with FPM in this wiki. The uWSGI documentation describes how to make Apache work with uWSGI and mod_proxy_uwsgi to handle PHP code. Note that the apache package includes both the mod_proxy_fcgi and mod_proxy_uwsgi modules; enable them as needed.
The following modules are needed to run Nextcloud:
/etc/httpd/conf/httpd.conf
# these are already loaded in a standard Apache installation
LoadModule headers_module modules/mod_headers.so
LoadModule env_module modules/mod_env.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule setenvif_module modules/mod_setenvif.so
# these need to be uncommented explicitly
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule proxy_module modules/mod_proxy.so
# either this one in case you use FPM
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
# or this one in case you opt for uWSGI
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
Uncomment the following line to include the TLS configuration parameters:
/etc/httpd/conf/httpd.conf
Include conf/extra/httpd-ssl.conf
For details on tuning the TLS configuration, see the Mozilla SSL Configuration Generator.
Refer to one of the following two sample configuration files, depending on how you want to access Nextcloud:
- Access via hostname (e.g. https://cloud.mysite.com/): put this snippet into /etc/httpd/conf/extra/httpd-vhosts.conf.
- Access via a subfolder (e.g. https://www.mysite.com/nextcloud/): put this snippet into /etc/httpd/conf/httpd.conf.
Of course, adapt the sample configuration to your actual situation. When using uWSGI, replace the SetHandler line with SetHandler "proxy:unix:/run/uwsgi/nextcloud.sock|uwsgi://nextcloud/".
The nextcloud package ships a .htaccess file that already handles many rewrites and headers. Run occ maintenance:update:htaccess to adapt this file. The htaccess.RewriteBase parameter in /etc/webapps/nextcloud/config/config.php is essential for this.
Background jobs
Nextcloud requires certain tasks to be run on a scheduled basis. See Nextcloud's documentation for details. The easiest (and most reliable) way to set up these background jobs is to use the systemd service and timer units already installed by the nextcloud package. The service unit needs some tweaking so that the job uses the correct PHP ini file (and not the global php.ini). Create a drop-in file and add:
/etc/systemd/system/nextcloud-cron.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/php-legacy -c /etc/webapps/nextcloud/php.ini -f /usr/share/webapps/nextcloud/cron.php
After that, enable and start nextcloud-cron.timer (not the service).
As recommended by the documentation, add the parameter
/etc/webapps/nextcloud/config/config.php
....
'maintenance_window_start' => 0,
....
to Nextcloud's configuration file. The value is the hour of the day in UTC at which a 4-hour window starts. Time-consuming jobs that need to run only once a day are scheduled within this window, i.e. outside working hours.
In-memory caching
Nextcloud's documentation recommends applying some kind of in-memory object cache to significantly improve performance.
APCu
Install the php-legacy-apcu package (as a dependency, --asdeps). Enable the extension in the relevant configuration files. These are:
- /etc/webapps/nextcloud/php.ini, used by the occ command and the background jobs, and
- depending on the application server you use, either
  - /etc/uwsgi/nextcloud.ini in case of uWSGI, or
  - /etc/php-legacy/php-fpm.d/nextcloud.conf in case of FPM.
In /etc/webapps/nextcloud/php.ini add the lines
/etc/webapps/nextcloud/php.ini
extension=apcu
apc.ttl=7200
apc.enable_cli = 1
(preferably somewhere below Module Settings).
For the other two files the setting to activate APCu is already in place and only needs to be uncommented. Two other configuration parameters related to APCu are also already there. There is no need to touch /etc/php-legacy/php.ini or /etc/php-legacy/conf.d/apcu.ini.
Restart your application server (not the web server, as Nextcloud's documentation claims). Add the following line to your Nextcloud configuration file:
/etc/webapps/nextcloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',
Redis
Install the php-legacy-igbinary and php-legacy-redis packages (as dependencies, --asdeps) in case you run this component locally (i.e. on the same host as Nextcloud). Alternatively the Redis server can run on a different machine. For more information see Nextcloud's documentation.
Enable the required extensions igbinary and redis in the relevant configuration files. These are:
- /etc/webapps/nextcloud/php.ini, used by the occ command and the background jobs, and
- depending on the application server you use, either
  - /etc/uwsgi/nextcloud.ini in case of uWSGI, or
  - /etc/php-legacy/php-fpm.d/nextcloud.conf in case of FPM.
Locate the existing sections where other extensions are enabled and add two additional lines for igbinary and redis.
extension=igbinary must come before extension=redis. Otherwise occ will report an error (/usr/lib/php-legacy/modules/redis.so: undefined symbol: igbinary_serialize).
In case you have specified the open_basedir option in the above configuration files and use Redis locally with a local Unix socket, you have to extend the list of directories where PHP is allowed to read and write files. Locate the relevant lines in the files specified above and add the directory containing the local Unix socket created by Redis, e.g. /run/redis.
open_basedir is enabled there, so in case you use a copy of one of these files you have to adapt it.
Extend your Nextcloud configuration as follows:
/etc/webapps/nextcloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
  'host' => '/run/redis/redis.sock',
  'port' => 0,
  'dbindex' => 0,
  'password' => '',
  'timeout' => 1.5,
],
Again, adapt /run/redis/redis.sock as required. dbindex, password and timeout are optional.
In case Redis runs on a different machine:
/etc/webapps/nextcloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
  'host' => 'redis-host.mysite.com',
  'port' => 6379,
],
redis-host.mysite.com is just a placeholder. Adapt it to your actual setup.
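As an added example (not from the page), these shell functions test the two Redis pitfalls described above in either the php.ini syntax (extension=NAME) or the uWSGI nextcloud.ini syntax (php-set = extension=NAME): that extension=igbinary is loaded before extension=redis, and that open_basedir, when set, covers the directory of the Redis Unix socket. Function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the Arch wiki page: check the two Redis-related
# pitfalls this section describes in a php.ini-style or uWSGI-style file.
# Function names are hypothetical.

# Line number of the first active line that loads extension NAME.
# Matches "extension=NAME" (php.ini) and "php-set = extension=NAME" (uWSGI).
# Usage: extension_line FILE NAME
extension_line() {
    grep -nE "^[[:space:]]*(php-set[[:space:]]*=[[:space:]]*)?extension[[:space:]]*=[[:space:]]*$2([[:space:]]|\$)" "$1" \
        | head -n 1 | cut -d: -f1
}

# Return 0 when igbinary is loaded before redis; a missing line counts as wrong.
igbinary_before_redis() {
    ig=$(extension_line "$1" igbinary)
    rd=$(extension_line "$1" redis)
    [ -n "$ig" ] && [ -n "$rd" ] && [ "$ig" -lt "$rd" ]
}

# Return 0 when open_basedir is unset or already contains the directory of the
# given Unix socket path (e.g. /run/redis for /run/redis/redis.sock).
# Usage: basedir_allows_socket FILE SOCKET_PATH
basedir_allows_socket() {
    basedir=$(sed -n 's/^[[:space:]]*\(php-set[[:space:]]*=[[:space:]]*\)\{0,1\}open_basedir[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$basedir" ] || return 0
    sockdir=$(dirname "$2")
    case ":$basedir:" in
        *":$sockdir:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed php.ini-style sample (not a real file): extensions in the wrong
# order and an open_basedir that lacks /run/redis.
write_sample_redis_ini() {
    cat > "$1" <<'EOF'
extension=redis
extension=igbinary
open_basedir=/var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud
EOF
}

# Constructed uWSGI-style sample with both problems fixed.
write_fixed_redis_uwsgi_ini() {
    cat > "$1" <<'EOF'
[uwsgi]
php-set = extension=igbinary
php-set = extension=redis
php-set = open_basedir=/var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/run/redis
EOF
}
# On a real system, for example:
#   igbinary_before_redis /etc/webapps/nextcloud/php.ini
#   basedir_allows_socket /etc/uwsgi/nextcloud.ini /run/redis/redis.sock
```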
Security Hardening
See the Nextcloud documentation and Security. Nextcloud additionally provides a security scanner.
uWSGI
You can run Nextcloud in its own process and service by using the uWSGI application server with the uwsgi-plugin-php package. This allows you to define a PHP configuration only for this instance of PHP, without editing the global php.ini, thus keeping your web application configurations compartmentalized. uWSGI itself has a wealth of features to limit resource use and harden the security of the application, and being a separate process it can run under its own user.
The only part that differs from #Nginx is the location ~ \.php(?:$|/) {} block:
location ~ \.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # Avoid duplicate headers confusing OC checks
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    uwsgi_pass unix:/run/uwsgi/nextcloud.sock;
}
Then create a config file for uWSGI:
/etc/uwsgi/nextcloud.ini
[uwsgi]
; load the required plugins
plugins = php
; force the sapi name to 'apache', this will enable the opcode cache
php-sapi-name = apache
; set master process name and socket
; '%n' refers to the name of this configuration file without extension
procname-master = uwsgi %n
master = true
socket = /run/uwsgi/%n.sock
; drop privileges
uid = nextcloud
gid = nextcloud
umask = 027
; run with at least 1 process but increase up to 4 when needed
processes = 4
cheaper = 1
; reload whenever this config file changes
; %p is the full path of the current config file
touch-reload = %p
; disable uWSGI request logging
;disable-logging = true
; enforce a DOCUMENT_ROOT
php-docroot = /usr/share/webapps/%n
; limit allowed extensions
php-allowed-ext = .php
; and search for index.php if required
php-index = index.php
; set php configuration for this instance of php, no need to edit global php.ini
php-set = date.timezone=Etc/UTC
;php-set = open_basedir=/tmp/:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom
php-set = expose_php=false
; avoid security risk of leaving sessions in world-readable /tmp
php-set = session.save_path=/usr/share/webapps/nextcloud/data
; port of php directives set upstream in /usr/share/webapps/nextcloud/.user.ini for use with PHP-FPM
php-set = upload_max_filesize=513M
php-set = post_max_size=513M
php-set = memory_limit=512M
php-set = output_buffering=off
; load all extensions only in this instance of php, no need to edit global php.ini
;; required core modules
php-set = extension=gd
php-set = extension=iconv
;php-set = extension=zip # enabled by default in global php.ini
;; database connectors
;; uncomment your selected driver
;php-set = extension=pdo_sqlite
;php-set = extension=pdo_mysql
;php-set = extension=pdo_pgsql
;; recommended extensions
;php-set = extension=curl # enabled by default in global php.ini
php-set = extension=bz2
php-set = extension=intl
;; required for specific apps
;php-set = extension=ldap # for LDAP integration
;php-set = extension=ftp # for FTP storage / external user authentication
;php-set = extension=imap # for external user authentication, requires php-imap
;; recommended for specific apps
;php-set = extension=exif # for image rotation in pictures app, requires exiv2
;php-set = extension=gmp # for SFTP storage
;; for preview generation
;; provided by packages in AUR
; php-set = extension=imagick
; opcache
php-set = zend_extension=opcache
; user cache
; provided by php-apcu, to be enabled **either** here **or** in /etc/php/conf.d/apcu.ini
php-set = extension=apcu
; per https://github.com/krakjoe/apcu/blob/simplify/INSTALL
php-set = apc.ttl=7200
php-set = apc.enable_cli=1
; web server is already handling URL rewriting, so tell NextCloud not to repeat this
env = front_controller_active=true
cron2 = minute=-15,unique=1 /usr/bin/php -f /usr/share/webapps/nextcloud/cron.php 1>/dev/null
- The open_basedir directive is optional and commented out. You can uncomment it to harden security. Be aware that it may occasionally break things.
- Use php-docroot = /usr/share/webapps if placing nextcloud in the /nextcloud subdirectory.
The php invocation in the cron2 directive uses the global /etc/php/php.ini. This means that none of the specific parameters defined above (e.g. required modules) will be enabled, leading to various issues. One solution is to copy /etc/php/php.ini to e.g. /etc/uwsgi/cron-php.ini, make the required modifications there (mirroring the /etc/uwsgi/nextcloud.ini parameters) and reference it in the cron directive by adding the -c /etc/uwsgi/cron-php.ini option to the php invocation.
Activation
uWSGI provides a template unit that allows starting and enabling applications using their configuration file name as the instance identifier. For example, starting uwsgi@nextcloud.socket would start it on demand, referencing the configuration file /etc/uwsgi/nextcloud.ini.
To enable the uwsgi service by default at start-up, enable uwsgi@nextcloud.socket.
You can also omit the .socket part to start and enable the service instead. See also UWSGI#Running uWSGI.
Synchronization
Desktop
The official client can be installed with the owncloud-client or nextcloud-client package. Alternative versions are available in the AUR: owncloud-client-git. Additional packages are needed for some features:
- Auto-login: both use qtkeychain-qt5 to store and retrieve account-specific access tokens. To get auto-login when the client starts, one of qtkeychain's optional dependencies must be installed as well. Moreover, if you choose libsecret as the backend for qtkeychain, a service providing org.freedesktop.secrets must be running when the client starts.
- File manager integration: for nextcloud-client, integration with file managers (e.g. showing Nextcloud folders in GTK+ file dialogs) requires the additional package nextcloud-client-cloudproviders. owncloud-client already includes cloudproviders support by default.
Calendar
To access your Nextcloud calendars with Mozilla Thunderbird's Lightning calendar, use the following URL:
https://ADDRESS/remote.php/caldav/calendars/USERNAME/CALENDARNAME
To access your Nextcloud calendars with CalDAV-compatible programs such as Kontact or Evolution, use the following URL:
https://ADDRESS/remote.php/caldav
For details see the official documentation.
Contacts
To sync contacts with Thunderbird, see these instructions [dead link 2021-05-17] from the official documentation.
Mounting files with davfs2
If you want to mount your Nextcloud using WebDAV, install davfs2 (as described in davfs2).
To mount your Nextcloud, use:
# mount -t davfs https://your_domain/nextcloud/remote.php/dav/files/username/ /path/to/mount
You can also create an entry for this in /etc/fstab:
/etc/fstab
https://your_domain/nextcloud/remote.php/dav/files/username/ /path/to/mount davfs rw,user,noauto 0 0
Mounting files in GNOME Files (Nautilus)
You can access the files directly in Nautilus ('+ Other Locations') through the WebDAV protocol: use the link shown in your Nextcloud installation's web GUI (typically https://example.org/remote.php/webdav/ [dead link 2021-05-17]) but change the protocol from 'https' to 'davs'. Nautilus will ask for user name and password when connecting.
Android
Download the official Nextcloud app from Google Play or F-Droid.
To enable contacts and calendar sync (Android 4+):
- download DAVx5 (Play Store, F-Droid)
- enable mod_rewrite.so in httpd.conf
- create a new DAVdroid account in the account settings and specify your "short" server address and login/password pair, e.g. https://cloud.example.com (there is no need for the /remote.php/{carddav,webdav} part if you configured your web server with the proper redirections, as illustrated earlier in the article; DAVdroid will find the right URLs itself)
iOS
Download the official Nextcloud app from the App Store.
Tips and tricks
Using the ownCloud console
A useful tool for server administration is occ, documented here. You can perform many common server operations with occ, such as managing users and configuring apps.
/usr/share/webapps/nextcloud/occ is provided as /usr/bin/occ, which automatically runs as the default user (nextcloud), using the default PHP and PHP configuration file.
The environment variables NEXTCLOUD_USER, NEXTCLOUD_PHP and NEXTCLOUD_PHP_CONFIG can be used to specify a non-default user, PHP executable and PHP configuration file (respectively).
apc.enable_cli=1 must be set in /etc/php/conf.d/apcu.ini, as the occ command will otherwise run out of memory (FS#69726).
Pacman hook
To automatically upgrade the Nextcloud database on package update, you can make use of the included pacman hook:
# mkdir -vp /etc/pacman.d/hooks
# ln -sv /usr/share/doc/nextcloud/nextcloud.hook /etc/pacman.d/hooks/
php.ini is used for the application.
Running Nextcloud in a subdirectory
By including the default nextcloud.conf in httpd.conf, Nextcloud takes control of port 80 and your localhost domain.
If you would like to run Nextcloud in a subdirectory:
For Apache, edit the /etc/httpd/conf/extra/nextcloud.conf you included and comment out the <VirtualHost *:80> ... </VirtualHost> part of the include file.
For nginx, you can use the following configuration when running Nextcloud with uWSGI:
/etc/nginx/conf.d/nextcloud.conf
location = /.well-known/carddav {
    return 301 $scheme://$host/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
    return 301 $scheme://$host/nextcloud/remote.php/dav;
}
location /.well-known/acme-challenge { }
location ^~ /nextcloud {
    root /usr/share/webapps;
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    # Disable gzip to avoid the removal of the ETag header
    gzip off;
    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    location /nextcloud {
        rewrite ^ /nextcloud/index.php$uri;
    }
    location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include uwsgi_params;
        uwsgi_modifier1 14;
        # Avoid duplicate headers confusing OC checks
        uwsgi_hide_header X-Frame-Options;
        uwsgi_hide_header X-XSS-Protection;
        uwsgi_hide_header X-Content-Type-Options;
        uwsgi_hide_header X-Robots-Tag;
        # socket name follows the uWSGI instance name (nextcloud.ini -> nextcloud.sock)
        uwsgi_pass unix:/run/uwsgi/nextcloud.sock;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js) {
        try_files $uri /nextcloud/index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended
        # to have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read
        # into this topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Do not log access to assets
        access_log off;
    }
    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg) {
        try_files $uri /nextcloud/index.php$uri$is_args$args;
        # Optional: Do not log access to other assets
        access_log off;
    }
}
The .well-known URLs are used for service discovery. For more information see the General troubleshooting and service discovery section of the Nextcloud documentation.
Docker
See the ownCloud or Nextcloud repository for Docker.
shareLinkCreator lets you upload a file to ownCloud from a supported file manager and receive a link to the uploaded file, which can then be emailed or shared in another way.
Defining Background Jobs
Nextcloud requires scheduled execution of some tasks. By default it achieves this using AJAX, but AJAX is the least reliable method and Cron is recommended instead. Since Arch Linux ships with systemd, the preferred way to execute scheduled tasks is a systemd timer.
Manual install
First create a service:
/etc/systemd/system/nextcloudcron.service
[Unit]
Description=Nextcloud cron.php job

[Service]
User=nextcloud
ExecStart=/usr/bin/php -f /usr/share/webapps/nextcloud/cron.php

[Install]
WantedBy=basic.target
Then create a timer for that service:
/etc/systemd/system/nextcloudcron.timer
[Unit]
Description=Run Nextcloud cron.php every 5 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=5min
Unit=nextcloudcron.service

[Install]
WantedBy=timers.target
Activate timer
Start/enable nextcloudcron.timer.
Confirm that it is running with
# systemctl list-timers
AUR package
Install nextcloud-systemd-timers (AUR).
The provided services can be checked with:
$ pacman -Ql nextcloud-systemd-timers
For instance, to run the cron.php script every 5 minutes:
# systemctl start nextcloud-cron.timer
# systemctl enable nextcloud-cron.timer
Collabora Online Office integration
Solution with Docker
The first, install a docker包 package to provide collabora files and setup a Collabora server.
Start/enable docker.service
.
Then, download the official Docker image:
# docker pull collabora/code
And, installing a Collabora server. Make sure cloud//.example//.com
is your nextcloud's domain, not a collabora :
# docker run -t -d -p 127.0.0.1:9980:9980 -e "domain=cloud\\.example\\.com" --restart always --cap-add MKNOD collabora/code
Also make sure to escape all dots with double backslashes (\\), since this string will be evaluated as a regular expression (and your bash 'eats' the first backslash). If you want to use the Docker container with more than one Nextcloud, use 'domain=cloud\\.example\\.com\|second\\.example\\.com' instead (all hosts are separated by \|). When using `localhost` as the domain for testing you need to add --net host to ensure the Docker container can access your Nextcloud server.
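To see why the dots need escaping, here is a small added example (not from the page or from Collabora) that applies POSIX shell quoting to the `-e` argument exactly as typed above and then uses the result as an anchored regular expression. It assumes the container matches the whole host name against the `domain` value; the lookalike host name is a constructed one.

```python
import re
import shlex

# Constructed values for this example; the real host names come from your deployment.
REAL_HOST = "cloud.example.com"
LOOKALIKE_HOST = "cloudXexampleXcom"   # every '.' replaced; an unescaped pattern still accepts it


def pattern_seen_by_container(docker_arg: str) -> str:
    """Apply POSIX shell quoting to the argument typed after `-e` and return the
    value of `domain`, i.e. what the regular-expression engine will see.
    Inside double quotes the shell collapses \\ to \, so \\. arrives as \."""
    word = shlex.split(docker_arg)[0]
    return word.split("=", 1)[1]


def host_allowed(pattern: str, host: str) -> bool:
    """Anchored match of the whole host name against the domain pattern
    (assumption: the container uses the value as a full-string regex)."""
    return re.fullmatch(pattern, host) is not None


def compare_patterns() -> dict:
    """Contrast the escaped pattern from the page with an unescaped one."""
    escaped = pattern_seen_by_container('"domain=cloud\\\\.example\\\\.com"')
    unescaped = pattern_seen_by_container('"domain=cloud.example.com"')
    return {
        "escaped_pattern": escaped,                      # cloud\.example\.com
        "escaped_matches_real": host_allowed(escaped, REAL_HOST),
        "escaped_matches_lookalike": host_allowed(escaped, LOOKALIKE_HOST),
        "unescaped_matches_real": host_allowed(unescaped, REAL_HOST),
        "unescaped_matches_lookalike": host_allowed(unescaped, LOOKALIKE_HOST),
    }


if __name__ == "__main__":
    for key, value in compare_patterns().items():
        print(f"{key}: {value}")
```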
If you need to delete or reinstall the Collabora server, first find the CONTAINER_ID of the server:
# docker ps
Then stop and delete it:
# docker stop CONTAINER_ID
# docker rm CONTAINER_ID
Then follow the instructions for the web server you are using:
Nginx setup example:
Add the following to your Nextcloud domain config, or add a new config file in the /etc/nginx/conf.d/ directory. (Do not forget to change office.example.com and ssl_certificate to the right values. If you are using the Docker image, change http to https.)
/etc/nginx/conf.d/example.conf
upstream office.example.com {
    server 127.0.0.1:9980;
}

server {
    listen 443 ssl;
    server_name office.example.com;

    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem;

    # static files
    location ^~ /loleaflet {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_buffering off;
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ /lool {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }

    location ^~ /hosting/capabilities {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }
}
Reload nginx:
# nginx -s reload
or restart nginx.service.
Apache setup example:
Add the following to the Nextcloud config file. Do not forget to change the values to the right ones.
/etc/httpd/conf/extra/nextcloud.conf
<VirtualHost *:443>
    ServerName office.nextcloud.com:443

    # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
    SSLEngine on
    SSLCertificateFile /path/to/signed_certificate
    SSLCertificateChainFile /path/to/intermediate_certificate
    SSLCertificateKeyFile /path/to/private/key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder on

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet

    # WOPI discovery URL
    ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery

    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass /lool https://127.0.0.1:9980/lool
    ProxyPassReverse /lool https://127.0.0.1:9980/lool
</VirtualHost>
After configuring these, restart Apache by restarting httpd.service.
Install the Nextcloud app
Go to the Apps section and choose “Office & Text”, then install the “Collabora Online” app. In the admin panel select the Collabora Online tab and specify the server domain you have set up before.
Solution without Docker
The collabora-online-server-nodocker (AUR) package provides the Collabora Office (the desktop suite) and the “CODE” (Collabora Online Development Edition) server, which is based on “lool” (LibreOffice OnLine).
Alter the /etc/loolwsd/loolwsd.xml file, so that:
- config > server_name contains the host and port of the public Nextcloud address, separated by a colon (e.g. example.org:443),
- config > ssl > enable is false (i.e. web browser —HTTPS→ proxy —HTTP→ loolwsd),
- config > ssl > termination is true (assuming you manage TLS at the proxy level),
- config > storage > wopi > host reflects the actual hostname (or pattern) of the proxy server (e.g. (?:.*\.)?example\.org),
- config > admin_console > username and config > admin_console > password are set to values of your choice.
Then:
- start and enable loolwsd.service;
- configure Nginx by creating a server block including /etc/nginx/snippets/loolwsd.conf, and restart it. Example with SSL (change office.example.com and ssl_certificate to the right values):
/etc/nginx/conf.d/example.conf
server {
    listen 443 ssl;
    server_name office.example.com;

    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem;

    include snippets/loolwsd.conf;
}
- in Nextcloud, install the "Collabora Online" app. In the admin panel select the Collabora Online tab and specify the server domain name you have just set up.
Disabling app recommendations
By default, Nextcloud recommends apps to new clients, which can result in a lot of notifications. To disable this, disable the recommendation app using occ.
Troubleshooting
By default, the logs of the web application are available in /var/log/nextcloud/nextcloud.log.
Issues with permissions and setup after upgrade to >= 21.0.0
Before version 21.0.0 the web application ran as the http user. This is a security concern in regards to cross-application access of this user (it has access to all data of all web applications). Since version 21.0.0 nextcloud more closely follows the web application package guidelines. This introduces the separate user nextcloud, as which the web application is run.
After an upgrade from nextcloud < 21.0.0 make sure that
- neither the data directory nor the writable apps directory is located below /usr/share/webapps/nextcloud/, as that directory is owned by root
- both the data directory and the writable apps directory, alongside all files beneath them, are writable and owned by the nextcloud user
- the web application configuration file resides in /etc/webapps/nextcloud/config/ and that directory and its contents are writable and owned by the nextcloud user
- an application server, such as php-fpm or uWSGI, is configured to run the web application as the nextcloud user and not the http user
- the cron job/systemd timer is updated to run with the new user
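The directory items of this checklist can be verified mechanically. The following added script (not part of the nextcloud package) walks the data, apps and config directories and reports anything located below the root-owned package directory, not owned by the expected user, or not writable by its owner. The directory paths in the `__main__` block are placeholders to adjust to your installation.

```python
import pwd
from pathlib import Path

# The package's own directory is owned by root; writable data must not live below it.
PACKAGE_ROOT = Path("/usr/share/webapps/nextcloud")


def is_below(path: Path, root: Path) -> bool:
    """True if path equals root or is located somewhere underneath it."""
    resolved = path.resolve()   # follows symlinks, so a link into the package dir is caught too
    return resolved == root or root in resolved.parents


def check_layout(data_dir, apps_dir, config_dir,
                 expected_user="nextcloud", package_root=PACKAGE_ROOT) -> list:
    """Return a list of findings; an empty list means the checklist passes."""
    data_dir, apps_dir, config_dir = Path(data_dir), Path(apps_dir), Path(config_dir)
    findings = []
    for label, d in (("data directory", data_dir), ("writable apps directory", apps_dir)):
        if is_below(d, package_root):
            findings.append(f"{label} {d} is below {package_root}")
    try:
        uid = pwd.getpwnam(expected_user).pw_uid
    except KeyError:
        findings.append(f"user {expected_user} does not exist")
        return findings
    for label, d in (("data directory", data_dir),
                     ("writable apps directory", apps_dir),
                     ("config directory", config_dir)):
        if not d.is_dir():
            findings.append(f"{label} {d} is missing")
            continue
        for p in (d, *d.rglob("*")):
            st = p.lstat()          # do not follow symlinks: judge the entries themselves
            if st.st_uid != uid:
                findings.append(f"{p} is owned by uid {st.st_uid}, not {expected_user}")
            elif not st.st_mode & 0o200:
                findings.append(f"{p} is not writable by its owner")
    return findings


if __name__ == "__main__":
    import sys
    # Placeholder paths: replace with the data and apps directories of your instance.
    problems = check_layout("/path/to/data", "/path/to/apps", "/etc/webapps/nextcloud/config")
    print("\n".join(problems) or "layout and ownership look fine")
    sys.exit(1 if problems else 0)
```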
Environment variables not available
Uncomment the line in /etc/php/php-fpm.d/www.conf as per the Nextcloud documentation:
env[PATH] = /usr/local/bin:/usr/bin:/bin
Self-signed certificate not accepted
ownCloud uses cURL and SabreDAV to check if WebDAV is enabled. If you use SSL/TLS with a self-signed certificate, e.g. as shown in LAMP, and access ownCloud's admin panel, you will see the following error message:
Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.
Assuming that you followed the LAMP tutorial, execute the following steps:
Create a local directory for non-distribution certificates and copy LAMP's certificate there. This will prevent ca-certificates updates from overwriting it.
# cp /etc/httpd/conf/server.crt /usr/share/ca-certificates/WWW.EXAMPLE.COM.crt
Add WWW.EXAMPLE.COM.crt to /etc/ca-certificates.conf:
WWW.EXAMPLE.COM.crt
Now, regenerate your certificate store:
# update-ca-certificates
Restart the httpd service to activate your certificate.
Self-signed certificate for Android devices
Once you have followed the setup for SSL, as on Apache HTTP Server#TLS for example, early versions of DAVdroid will reject the connection because the certificate is not trusted. A certificate can be made as follows on your server:
# openssl x509 -req -days 365 -in /etc/httpd/conf/server.csr -signkey /etc/httpd/conf/server.key -extfile android.txt -out CA.crt
# openssl x509 -inform PEM -outform DER -in CA.crt -out CA.der.crt
The file android.txt should contain the following:
basicConstraints=CA:true
Then import CA.der.crt to your Android device:
Put the CA.der.crt file onto the sdcard of your Android device (usually the internal one, e.g. save it from a mail attachment). It should be in the root directory. Go to Settings > Security > Credential storage and select Install from device storage. The .crt file will be detected and you will be prompted to enter a certificate name. After importing the certificate, you will find it in Settings > Security > Credential storage > Trusted credentials > User.
Thanks to: [1]
Another way is to import the certificate directly from your server via CAdroid [dead link 2020-04-01] and follow the instructions there.
Cannot write into config directory!
If you have set open_basedir in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf), make sure that it includes /etc/webapps.
Restart the web server to apply the change.
If you are getting this error after an upgrade from Nextcloud 17 to Nextcloud 18, also see #Explicitly permit Nextcloud directories for php-fpm.
Cannot create data directory
If you have set open_basedir in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf), make sure that it includes the data directory.
Restart the web server to apply the change.
CSync failed to find a specific file.
This is most likely a certificate issue. Recreate it, and do not leave the common name empty or you will see the error again.
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt
Seeing white page after login
The cause is probably a new app that you installed. To fix that, you can use the occ command as described here. With
sudo -u http php /usr/share/webapps/nextcloud/occ app:list
you can list all apps (if you installed nextcloud in the standard directory), and with
sudo -u http php /usr/share/webapps/nextcloud/occ app:disable <nameOfExtension>
you can disable the troubling app.
Alternatively, you can either use phpMyAdmin to edit the oc_appconfig table (if you got lucky and the table has an edit option), or do it by hand with mysql:
mysql -u root -p owncloud
MariaDB [owncloud]> delete from oc_appconfig where appid='<nameOfExtension>' and configkey='enabled' and configvalue='yes';
MariaDB [owncloud]> insert into oc_appconfig (appid,configkey,configvalue) values ('<nameOfExtension>','enabled','no');
This should delete the relevant configuration from the table and add it again.
GUI sync client fails to connect
If using HTTP basic authentication, make sure to exclude "status.php", which must be publicly accessible. [2]
GUI tray icon disappears, but client still running in the background
After waking up from a suspended state, the Nextcloud client tray icon may disappear from the system tray. A workaround is to delay the startup of the client, as noted here. This can be done with the .desktop file, for example:
.local/share/applications/nextcloud.desktop
...
Exec=bash -c 'sleep 5 && nextcloud'
...
Some files upload, but give an error 'Integrity constraint violation...'
You may see the following error in the ownCloud sync client:
SQLSTATE[23000]: Integrity constraint violation: ... Duplicate entry '...' for key 'fs_storage_path_hash')...
This is caused by an issue with the File Locking app, which is often not sufficient to keep conflicts from occurring on some webserver configurations.
A more complete Transactional File Locking is available that gets rid of these errors, but you must be using the Redis PHP caching method. Install the redis and php-redis packages, comment out your current PHP cache mechanism, and then in /etc/php/conf.d/redis.ini uncomment extension=redis.
Then in config.php make the following changes:
'memcache.local' => '\OC\Memcache\Redis',
'filelocking.enabled' => 'true',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0.0,
),
and start/enable redis.service.
Finally, disable the File Locking app, as Transactional File Locking will take care of it (and the two would conflict).
If everything is working, you should see 'Transactional File Locking Enabled' under Server Status on the Admin page, and syncs should no longer cause issues.
"Cannot write into apps directory"
As mentioned in the official admin manual, either you need an apps directory that is writable by the http user, or you need to set appstoreenabled to false.
If you have set open_basedir in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf), it may be necessary to add your /path/to/data directory to the string on the line starting with php_admin_value open_basedir:
/etc/httpd/conf/extra/nextcloud.conf
php_admin_value open_basedir "/path/to/data/:/srv/http/:/dev/urandom:/tmp/:/usr/share/pear/:/usr/share/webapps/nextcloud/:/etc/webapps/nextcloud"
Installed apps get blocked because of MIME type error
If you are putting your apps folder outside of the nextcloud installation directory make sure your webserver serves it properly.
In nginx this is accomplished by adding a location block to the nginx configuration as the folder will not be included in it by default.
location ~ /apps2/(.*)$ {
    alias /var/www/nextcloud/apps/$1;
}
CSS and JS resources blocked due to MIME type error
If you load your Nextcloud web gui and it's missing styles etc. check the browser's console logs for lines like:
The resource from “https://example.com/core/css/guest.css?v=72c34c37-0” was blocked due to MIME type (“text/plain”) mismatch (X-Content-Type-Options: nosniff).
There are a few possible reasons. Possibly you have not included any MIME types in your nginx.conf; in that case add the following to nginx.conf:
types_hash_max_size 2048;
types_hash_bucket_size 128;
include mime.types;
Here we use the mime.types provided by the mailcap package; due to the large number of types included, we increase the allowed size of the types hash.
Other possible reasons for these errors are missing permissions on the files. Make sure the files are owned by http:http and can be read and written to by this user.
Security warnings even though the recommended settings have been included in nginx.conf
At the top of the admin page there might be a warning to set the Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection and X-Robots-Tag headers according to https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/harden_server.html [dead link 2020-04-01], even though they are already set like that.
A possible cause could be that owncloud sets those headers itself, uwsgi passes them along and nginx adds them again:
$ curl -I https://domain.tld
...
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
While the fastcgi sample config has a parameter to avoid that (fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice), when using uwsgi and nginx the following modification of the uwsgi part in nginx.conf could help:
/etc/nginx/nginx.conf
...
# pass all .php or .php/path urls to uWSGI
location ~ ^(.+\.php)(.*)$ {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # hide the following headers received from uwsgi, because otherwise we would send them twice since we already add them in nginx itself
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    # Uncomment the line below if you get a connection refused error. Remember to comment out the line with "uwsgi_pass 127.0.0.1:3001;" below
    uwsgi_pass unix:/run/uwsgi/owncloud.sock;
    #uwsgi_pass 127.0.0.1:3001;
}
...
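To confirm the duplication before and after the change, here is an added Python helper (not from the page or from Nextcloud) that parses a `curl -I` style response and reports which of the five headers are missing or sent more than once. The sample response is constructed from the output shown above.

```python
from collections import defaultdict

# Constructed sample modelled on the curl -I output above: Nextcloud's copy of each
# header comes first, the copy added again by nginx follows.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
"""

# The headers the Nextcloud admin page checks, as listed in the section above.
SECURITY_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "x-robots-tag",
)


def parse_headers(raw: str) -> dict:
    """Group header values by lower-cased name, keeping every occurrence in order."""
    seen = defaultdict(list)
    for line in raw.splitlines()[1:]:          # the first line is the HTTP status line
        name, sep, value = line.partition(":")
        if sep:
            seen[name.strip().lower()].append(value.strip())
    return dict(seen)


def security_header_report(raw: str) -> dict:
    """Report which security headers are missing and which are sent more than once.

    A duplicated header is reported even when both copies carry the same value,
    because the admin-page warning is about the header being sent twice; the
    value list shows whether the copies differ (Sameorigin vs SAMEORIGIN above).
    """
    headers = parse_headers(raw)
    return {
        "missing": [h for h in SECURITY_HEADERS if h not in headers],
        "duplicated": {h: headers[h] for h in SECURITY_HEADERS
                       if len(headers.get(h, [])) > 1},
    }


if __name__ == "__main__":
    import sys
    # Pipe the output of `curl -I https://domain.tld` into this script to check a live server.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    print(security_header_report(raw))
```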
"Reading from keychain failed with error: 'No keychain service available'"
Can be fixed for GNOME by installing the following two packages: libgnome-keyring and gnome-keyring. For KDE, install libgnome-keyring and qtkeychain-qt5 instead.
FolderSync: "Method Not Allowed"
FolderSync needs access to /owncloud/remote.php/webdav, so you could create another alias for owncloud in your /etc/httpd/conf/extra/nextcloud.conf:
<IfModule mod_alias.c>
    Alias /nextcloud /usr/share/webapps/nextcloud/
    Alias /owncloud /usr/share/webapps/nextcloud/
</IfModule>