From the Arch Linux Chinese Wiki

The content of this article or section is out of date.

Reason: not given (the template's first positional parameter, which summarizes the reason, was not supplied). (Discuss in Talk:Nextcloud)

This article or section needs translation. To contribute a translation, visit the Simplified Chinese translation team.

Note: A large portion of the article is not translated (Discuss in Talk:Nextcloud#)

According to Wikipedia:Nextcloud:

Nextcloud is a client–server software suite (built from components called apps) that covers needs such as sharing, collaboration and communication, for example:

Nextcloud is open source and built on open standards. Data sovereignty is one of its major advantages: you can deploy your own Nextcloud instance and free yourself from proprietary (and not necessarily trustworthy) services such as Dropbox, Office 365 and Google Drive.

Nextcloud scales from a single-board computer (such as a Raspberry Pi) up to very large data centers with millions of users. It has a well-designed authorization scheme and an optional federation scheme (for connecting multiple independent instances), which also makes it well suited to enterprise deployments.

Nextcloud is a fork of ownCloud; for its history, see its Wikipedia page.

Installation overview

A complete Nextcloud installation consists of (at least) the following components:

  • a web server;
  • an application server paired with it, which runs Nextcloud (i.e. its PHP code);
  • a database for Nextcloud to use.

This article covers MariaDB/MySQL or PostgreSQL as the database, combined with one of the following web server and application server pairings:

  • Nginx -> uWSGI (plus uwsgi-plugin-php)
  • Nginx -> FPM
  • Apache HTTP Server (using mod_proxy_uwsgi) -> uWSGI (plus uwsgi-plugin-php)
  • Apache HTTP Server (using mod_proxy_fcgi) -> FPM

The nextcloud package follows the Web application package guidelines, which require that a web application be run by a dedicated user, in this case nextcloud. That is why an application server is needed; for the same reason it is not possible to run Nextcloud's PHP code directly inside Apache via php-apache.

Installation

Note: nextcloud can be installed on top of either php or php-legacy (through the php-interpreter meta package). This article strongly recommends installing with php-legacy for security (and peace of mind); see Migrating to php-legacy for details. The rest of this article assumes an installation based on php-legacy.

Install nextcloud. When asked, choose php-legacy as your PHP version; this pulls in a fair number of dependencies, and most of the required PHP extensions are covered that way. In addition, you must install php-legacy-gd (preferably as a dependency, using pacman's --asdeps option).

It is also recommended to install the following packages (again with --asdeps):

Further optional dependencies are covered later, depending on your installation choices (for example, which database you pick).

Note that php-legacy already ships some modules (namely bcmath, exif, gmp, intl and sysvsem), so these need not be installed explicitly.

Configuration

PHP

This guide does not modify PHP's main configuration file /etc/php-legacy/php.ini. Nextcloud's PHP configuration is kept separately, so it does not interfere with other applications that use PHP. It lives in:

  • A copy of php.ini in /etc/webapps/nextcloud (used by the occ command line tool and by the background jobs). This is a full copy of the original php.ini shipped by php-legacy, with a few modifications for Nextcloud's use.
  • The configuration of the application server. This is covered in the application server section.

Copy /etc/php-legacy/php.ini to /etc/webapps/nextcloud (preferably, extract a pristine php.ini from the php-legacy package tarball kept in /var/cache/pacman/pkg). Then, although not strictly required, make a habit of adjusting the file's ownership:

# cp /etc/php-legacy/php.ini /etc/webapps/nextcloud
# chown nextcloud:nextcloud /etc/webapps/nextcloud/php.ini

Most of the PHP modules listed as required in Nextcloud's documentation are already enabled in the default PHP configuration file just copied. The following extensions still have to be enabled by hand:

/etc/webapps/nextcloud/php.ini
extension=exif
extension=gd
extension=iconv
extension=intl
extension=sysvsem
; bcmath and gmp for passwordless login
extension=bcmath
extension=gmp
; sodium for the argon2 hashing algorithm
extension=sodium
; in case you installed php-legacy-imagick (as recommended)
extension=imagick

Depending on the database you intend to use, enable the corresponding pdo_xxxx module; see the Database section.

Set date.timezone to your preferred time zone, for example:

/etc/webapps/nextcloud/php.ini
date.timezone = Asia/Shanghai

Raise PHP's memory limit to at least 512 MiB:

/etc/webapps/nextcloud/php.ini
memory_limit = 512M

For additional security you may also configure open_basedir, although this is not required. It restricts where Nextcloud's PHP code may read and write files. A proven setting is:

/etc/webapps/nextcloud/php.ini
open_basedir=/var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom:/usr/lib/php-legacy/modules:/var/log/nextcloud:/proc/meminfo:/proc/cpuinfo

Depending on which further extensions you install, you may need to extend this list; for example, if you choose Redis, add /run/redis.

Configuring opcache is unnecessary, because this php.ini is only used by the occ tool and the background jobs, neither of which runs PHP processes frequently.
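As an added example (not code from the wiki page or the nextcloud package), the following POSIX shell script performs the steps of this section: it copies php.ini, adjusts ownership when the nextcloud user exists, enables the listed extensions without creating duplicates, and sets date.timezone, memory_limit and open_basedir. It assumes the paths used on this page, GNU sed and grep as shipped on Arch Linux, and that the extensions appear in the source file as commented-out ";extension=NAME" lines; the function names and the constructed sample ini in demo_ini are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: prepare the dedicated
# php.ini for Nextcloud's occ tool and background jobs.
# Assumptions: php-legacy's /etc/php-legacy/php.ini as the source,
# /etc/webapps/nextcloud/php.ini as the target, extensions present as
# ";extension=NAME" lines, GNU-style sed/grep (Arch Linux).
set -u
export LC_ALL=C

# Escape the dots of a directive name (e.g. date.timezone) for use in a regex.
_esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Succeed if FILE has an active (uncommented) "extension=EXT" line.
has_extension() {
    grep -Eq "^[[:space:]]*extension[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

# Enable EXT in FILE without creating duplicates: uncomment an existing
# ";extension=EXT" line, append one if there is none, do nothing if active.
enable_extension() {
    f=$1; ext=$2
    if has_extension "$f" "$ext"; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*;[[:space:]]*extension[[:space:]]*=[[:space:]]*$ext[[:space:]]*$" "$f"; then
        sed "s/^[[:space:]]*;[[:space:]]*\(extension[[:space:]]*=[[:space:]]*$ext\)[[:space:]]*$/\1/" \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'extension=%s\n' "$ext" >> "$f"
    fi
}

# Print the active value of directive KEY in FILE (empty if it is not set).
get_directive() {
    sed -n "s/^[[:space:]]*$(_esc "$2")[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Set "KEY = VALUE" in FILE: rewrite the active KEY line(s), or append the
# directive when only a commented-out KEY line (or none) exists.
# VALUE must not contain '|' or '&' (sed replacement syntax).
set_directive() {
    f=$1; key=$2; val=$3; esc=$(_esc "$key")
    if grep -Eq "^[[:space:]]*$esc[[:space:]]*=" "$f"; then
        sed "s|^[[:space:]]*$esc[[:space:]]*=.*|$key = $val|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s = %s\n' "$key" "$val" >> "$f"
    fi
}

# Build DST from SRC with the settings this section describes. The chown is
# skipped when the nextcloud user does not exist on the machine running this.
prepare_nextcloud_php_ini() {
    src=$1; dst=$2
    cp "$src" "$dst" || return 1
    if id nextcloud >/dev/null 2>&1; then
        chown nextcloud:nextcloud "$dst" 2>/dev/null || echo "warning: could not chown $dst" >&2
    fi
    for ext in exif gd iconv intl sysvsem bcmath gmp sodium imagick; do
        enable_extension "$dst" "$ext"
    done
    set_directive "$dst" date.timezone Asia/Shanghai
    set_directive "$dst" memory_limit 512M
    set_directive "$dst" open_basedir \
        /var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom:/usr/lib/php-legacy/modules:/var/log/nextcloud:/proc/meminfo:/proc/cpuinfo
}

# Offline demonstration on a constructed, minimal php.ini; prints the path of
# the prepared copy so the result can be inspected.
demo_ini() {
    d=$(mktemp -d)
    cat > "$d/php.ini" <<'EOF'
[PHP]
memory_limit = 128M
;extension=gd
;extension=intl
;date.timezone =
EOF
    prepare_nextcloud_php_ini "$d/php.ini" "$d/nextcloud-php.ini"
    printf '%s\n' "$d/nextcloud-php.ini"
}

# Uncomment to run the demonstration when executing this file directly:
# demo_ini
```

Because every function checks before it writes, the script can be re-run after a php-legacy update without accumulating duplicate extension or directive lines, and get_directive lets you confirm the values PHP will actually read.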

Nextcloud

Add the following entries to Nextcloud's configuration file:

/etc/webapps/nextcloud/config/config.php
'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'cloud.mysite.com',
  ),    
'overwrite.cli.url' => 'https://cloud.mysite.com/',
'htaccess.RewriteBase' => '/',

Replace the example hostname cloud.mysite.com with yours. If your Nextcloud is accessed through a subfolder (e.g. https://www.mysite.com/nextcloud), overwrite.cli.url and htaccess.RewriteBase must be changed accordingly.

System and environment

To make Nextcloud use the php.ini just edited as the configuration for the occ tool, set the NEXTCLOUD_PHP_CONFIG environment variable:

$ export NEXTCLOUD_PHP_CONFIG=/etc/webapps/nextcloud/php.ini

Also add it to .bashrc (or .bash_profile) to make it permanent. For privacy and security, create a dedicated directory for session data:

# install --owner=nextcloud --group=nextcloud --mode=700 -d /var/lib/nextcloud/sessions

The web application's configuration file is /etc/webapps/nextcloud/config/config.php.

Note: Nextcloud should keep user data in /var/lib/nextcloud/data/, because that directory is accessible only to root and the application itself. For apps installed through the web application, use /var/lib/nextcloud/apps/.
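The mode 700 session directory created above, and the root-owned files that must be writable only by root in the FPM section below (php-fpm.ini and the pool file), are easy to get wrong after a restore or a manual edit. The following shell script is an added example (not part of the wiki page or the nextcloud package) that audits such paths; it assumes GNU coreutils stat(1) as on Arch Linux, and its function names and the constructed layout in demo_audit are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: check that the private
# directories and root-owned files of a Nextcloud installation have the
# ownership and mode this page calls for. Assumes GNU coreutils stat(1).
set -u

# Resolve OWNER (user name or numeric uid) to a uid; empty if unknown.
_uid_of() {
    case "$1" in
        *[!0-9]*) id -u "$1" 2>/dev/null || true ;;
        *) printf '%s' "$1" ;;
    esac
}

# "uid mode" of PATH, e.g. "1000 700".
_uid_mode() { stat -c '%u %a' "$1"; }

# Succeed if PATH is a directory owned by OWNER with exactly MODE (e.g. 700),
# as required for the session directory. Prints a one-line verdict.
check_private_dir() {
    path=$1; owner=$2; mode=$3
    want=$(_uid_of "$owner")
    if [ ! -d "$path" ]; then
        printf 'FAIL %s: directory missing\n' "$path"; return 1
    fi
    got=$(_uid_mode "$path")
    if [ -n "$want" ] && [ "$got" = "$want $mode" ]; then
        printf 'ok   %s (uid %s, mode %s)\n' "$path" "$want" "$mode"; return 0
    fi
    printf 'FAIL %s: want owner %s mode %s, got uid/mode "%s"\n' "$path" "$owner" "$mode" "$got"
    return 1
}

# Succeed if FILE is a regular file owned by OWNER and writable by nobody else
# (group and other write bits clear). The "-rw-r--r-- root root" requirement
# for php-fpm.ini and the pool file is this check with OWNER=root.
check_owner_only_writable() {
    file=$1; owner=$2
    want=$(_uid_of "$owner")
    if [ ! -f "$file" ]; then
        printf 'FAIL %s: file missing\n' "$file"; return 1
    fi
    got=$(_uid_mode "$file")
    got_uid=${got% *}; got_mode=${got#* }
    case "$got_mode" in
        *[2367]|*[2367]?) writable=1 ;;   # other or group has the write bit
        *) writable=0 ;;
    esac
    if [ -n "$want" ] && [ "$got_uid" = "$want" ] && [ "$writable" -eq 0 ]; then
        printf 'ok   %s (uid %s, mode %s)\n' "$file" "$got_uid" "$got_mode"; return 0
    fi
    printf 'FAIL %s: want owner %s with no group/other write, got uid/mode "%s"\n' "$file" "$owner" "$got"
    return 1
}

# Offline demonstration on a constructed layout under a temporary directory.
demo_audit() {
    d=$(mktemp -d); me=$(id -u)
    install -m 700 -d "$d/sessions"
    : > "$d/php-fpm.ini";    chmod 644 "$d/php-fpm.ini"
    : > "$d/nextcloud.conf"; chmod 664 "$d/nextcloud.conf"   # group-writable on purpose
    check_private_dir "$d/sessions" "$me" 700
    check_owner_only_writable "$d/php-fpm.ini" "$me"
    check_owner_only_writable "$d/nextcloud.conf" "$me" || true
    rm -rf "$d"
}

# On a real host, the calls this page implies are:
#   check_private_dir /var/lib/nextcloud/sessions nextcloud 700
#   check_owner_only_writable /etc/php-legacy/php-fpm.ini root
#   check_owner_only_writable /etc/php-legacy/php-fpm.d/nextcloud.conf root
```

Owners are compared numerically so the check also works on hosts where the uid has no passwd entry; a missing user name therefore reports as a failure rather than as a match.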

Data directory

By default, Nextcloud stores user data in /var/lib/nextcloud/data/; this location is configurable:

/etc/webapps/nextcloud/config/config.php
$CONFIG = [
/* [..] */
'datadirectory' => '/var/lib/nextcloud/data',
/* [..] */
];
Note: the nextcloud user needs write access to datadirectory.

Writable apps directory

nextcloud cannot write to the default apps directory /usr/share/webapps/nextcloud/apps/, because it is part of the package.

To install apps from the app store, a separate writable directory is used. By default it points to /var/lib/nextcloud/apps/ and is reachable through a symbolic link (/usr/share/webapps/nextcloud/wapps) in the web application's root directory.

This directory is configurable:

/etc/webapps/nextcloud/config/config.php
$CONFIG = [
/* [..] */
'apps_paths' => [
        [
                'path'=> '/usr/share/webapps/nextcloud/apps',
                'url' => '/apps',
                'writable' => false,
        ],
        [
                'path'=> '/var/lib/nextcloud/apps',
                'url' => '/wapps',
                'writable' => true,
        ],
],
/* [..] */
];
Note:
  • apps_paths entries declared writable must be writable by the nextcloud user. In addition, a symbolic link to that directory must be created in /usr/share/webapps/nextcloud/.
  • The syntax above uses PHP's short array syntax. It can also be written in the syntax most guides use:
/etc/webapps/nextcloud/config/config.php
$CONFIG = array (
/* [..] */
  'apps_paths' => array (
        0 => array (
                'path' => '/usr/share/webapps/nextcloud/apps',
                'url' => '/apps',
                'writable' => false,
        ),
        1 => array (
                'path' => '/var/lib/nextcloud/apps',
                'url' => '/wapps',
                'writable' => true,
        ),
  ),
/* [..] */
);

Log directory

By default, the log is written to /var/log/nextcloud/nextcloud.log; this location is configurable:

/etc/webapps/nextcloud/config/config.php
$CONFIG = [
/* [..] */
'logfile' => '/var/log/nextcloud/nextcloud.log',
/* [..] */
];

Database

MariaDB/MySQL is the recommended choice for Nextcloud.

Most of the material about Nextcloud's database relates to MariaDB/MySQL; the Nextcloud developers admit that they have less expertise with other databases.

PostgreSQL is said to offer better performance than MariaDB/MySQL and to have fewer dialect issues. SQLite is mainly supported for test/development installations and is not recommended for production. The list of supported databases also includes Oracle Database, which this guide does not cover.

1. MariaDB / MySQL

MariaDB has been the default MySQL implementation in Arch Linux since 2013.

If you want to run the database on the same host as Nextcloud, configure and start MariaDB (if you have not done so already); see that article for details. Do not forget to initialize MariaDB with the mariadb-install-db command. For security, it is recommended to configure MariaDB to listen only on the local Unix socket:

/etc/my.cnf.d/server.cnf
[mysqld]
skip_networking

Nextcloud's official documentation recommends setting the transaction isolation level to READ-COMMITTED. This matters especially when you expect a high load from many concurrent transactions.

/etc/my.cnf.d/server.cnf
[mysqld]
transaction_isolation=READ-COMMITTED

The advice to set binlog_format=ROW is outdated; the default "MIXED" of current MariaDB versions performs well enough.

Start the mysql command line tool as the database user root (the default password is empty and should be changed as soon as possible):

$ mysql -u root -p

Create the user for Nextcloud and its matching database:

CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'db-password';
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES on nextcloud.* to 'nextcloud'@'localhost';
FLUSH privileges;

(Replace db-password with the password you chose for Nextcloud's database user. Quit with \q when done.)

Note: MariaDB's interpretation of the utf8 encoding is flawed: it cannot store characters at code points 0x10000 and above (emoji, for example). MariaDB 5.5 introduced a new encoding called utf8mb4 to "fix" this. So never use MariaDB's utf8 encoding; use utf8mb4. If you need to migrate, see this documentation.

Enable the corresponding extension in PHP:

/etc/webapps/nextcloud/php.ini
extension=pdo_mysql

Contrary to the information in Nextcloud's administration manual, no further MariaDB settings are necessary.

Complete the database setup with the following command:

$ occ maintenance:install \
    --database=mysql \
    --database-name=nextcloud \
    --database-host=localhost:/run/mysqld/mysqld.sock \
    --database-user=nextcloud \
    --database-pass=db-password \
    --admin-pass=admin-password \
    --admin-email=admin-email \
    --data-dir=/var/lib/nextcloud/data

Replace db-password, admin-password and admin-email with the values you chose. This command assumes Nextcloud and the database run on the same host. For more options, see the official documentation (or run occ help maintenance:install); see Using the occ tool for details on the tool itself.

2. PostgreSQL

If you want to run the database on the same host as Nextcloud, configure and start PostgreSQL (if you have not done so already); see that article for details. For security, it is recommended to configure PostgreSQL to listen only on the local Unix socket:

/var/lib/postgres/data/postgresql.conf
listen_addresses = ''

In particular, do not forget to initialize the database with initdb. Then use PostgreSQL's command line tool psql to create a user named nextcloud and a database of the same name for it:

[postgres]$ psql
CREATE USER nextcloud WITH PASSWORD 'db-password';
CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UNICODE';
ALTER DATABASE nextcloud OWNER TO nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
\q

(Replace db-password with the password you chose for Nextcloud's database user.)

Install the PHP dependency php-legacy-pgsql (with pacman's --asdeps option), then enable the corresponding PHP extension:

/etc/webapps/nextcloud/php.ini
extension=pdo_pgsql

Complete the database setup with the following command:

$ occ maintenance:install \
    --database=pgsql \
    --database-name=nextcloud \
    --database-host=/run/postgresql \
    --database-user=nextcloud \
    --database-pass=db-password \
    --admin-pass=admin-password \
    --admin-email=admin-email \
    --data-dir=/var/lib/nextcloud/data

Replace db-password, admin-password and admin-email with the values you chose. This command assumes Nextcloud and the database run on the same host. For more options, see the official documentation (or run occ help maintenance:install); see Using the occ tool for details on the tool itself.

Application server

uWSGI and FPM are two commonly used application servers that can handle PHP code. FPM is dedicated to PHP and talks to the web server over the FastCGI protocol; its documentation leaves room for improvement. uWSGI supports several languages, including PHP, through plugins, and talks to the web server over the uwsgi protocol (lower case). uWSGI has a large amount of documentation, although the sheer volume can make it hard to read and confusing.

1. uWSGI

uWSGI has its own article, where a lot of useful information can be found. Preferably install uwsgi and its plugin uwsgi-plugin-php-legacy as dependencies, for example with --asdeps. To run Nextcloud's code with uWSGI you must create a dedicated configuration file (nextcloud.ini) for uWSGI and define a systemd service.

Warning: It has to be said that uWSGI has seen little maintenance recently, and its PHP plugin even less. This has already caused problems that could only be solved by the Arch Linux package maintainer patching the uWSGI code, i.e. not upstream.

1.1 nextcloud.ini

Nextcloud already ships a sample file, which is already in the right place, /etc/uwsgi/nextcloud.ini. You will normally have to adapt it to your needs. A heavily commented, modified version (compared to the one shipped with nextcloud) is available; it provides a lean Nextcloud configuration for personal use (medium load).

As a rule, keep the enabled extensions, their configuration and open_basedir in sync with /etc/webapps/nextcloud/php.ini (opcache excepted).

Tip: Changes to /etc/uwsgi/nextcloud.ini are likely to be extensive. During a package update, a file named nextcloud.ini.pacnew is created so that the original file shipped by nextcloud does not overwrite your changes. To review what changed in the new file and apply it to /etc/uwsgi/nextcloud.ini, you can proceed as follows:

  1. Obtain the nextcloud.ini as shipped by the package (for example by extracting it directly from the package) and store a copy of it named nextcloud.ini.package.
  2. If a nextcloud update creates nextcloud.ini.pacnew, compare the old and new files with:
     diff nextcloud.ini.package nextcloud.ini.pacnew
  3. Apply the changes to your own nextcloud.ini selectively, depending on whether they apply to your version.
  4. Replace nextcloud.ini.package with nextcloud.ini.pacnew.
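The review procedure above can be made mechanical. The following shell script is an added example (not part of the wiki page or the nextcloud package): given the pristine package copy, the new .pacnew and your live file, it lists what upstream added or removed and, more usefully, which upstream-removed lines your live file still carries verbatim, which are the only ones that need a manual decision. Comparison is line-based on active (non-comment) lines, and the function names and the constructed sample files in demo_review are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: support the nextcloud.ini
# review described above. PKG is the pristine copy shipped by the package
# (nextcloud.ini.package), NEW the nextcloud.ini.pacnew from the update, and
# LIVE your own /etc/uwsgi/nextcloud.ini.
set -u
export LC_ALL=C   # byte-wise, locale-independent ordering for sort/comm

# Active lines of an ini file (comments and blank lines dropped), sorted and
# de-duplicated, written to OUT so that comm(1) can consume them.
_active_sorted() {
    grep -Ev '^[[:space:]]*(;|#|$)' "$1" | sort -u > "$2"
}

# Lines found in the second file but not in the first.
_lines_only_in_second() {
    a=$(mktemp); b=$(mktemp)
    _active_sorted "$1" "$a"
    _active_sorted "$2" "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Settings upstream added or changed (present in NEW, absent from PKG).
upstream_added()   { _lines_only_in_second "$1" "$2"; }   # PKG NEW
# Settings upstream dropped or changed (present in PKG, absent from NEW).
upstream_removed() { _lines_only_in_second "$2" "$1"; }   # PKG NEW

# Upstream-removed lines that LIVE still carries verbatim: these need a manual
# decision, since any other line in LIVE was already your own change.
stale_in_live() {   # PKG NEW LIVE
    upstream_removed "$1" "$2" | while IFS= read -r line; do
        if grep -Fqx -- "$line" "$3"; then
            printf '%s\n' "$line"
        fi
    done
}

# Print the full review report.
review_pacnew() {   # PKG NEW LIVE
    printf '== added or changed upstream (consider adopting) ==\n'
    upstream_added "$1" "$2"
    printf '== removed or changed upstream ==\n'
    upstream_removed "$1" "$2"
    printf '== still present verbatim in your live file (decide manually) ==\n'
    stale_in_live "$1" "$2" "$3"
}

# Final step of the procedure: the .pacnew becomes the new package reference.
accept_pacnew() {   # PKG NEW
    mv -- "$2" "$1"
}

# Offline demonstration on constructed sample files: the package's old file,
# its .pacnew, and a live copy in which the administrator raised memory_limit.
demo_review() {
    d=$(mktemp -d)
    printf '%s\n' '[uwsgi]' 'plugins = php' 'processes = 4' \
        'php-set = memory_limit=512M' > "$d/nextcloud.ini.package"
    printf '%s\n' '[uwsgi]' 'plugins = php' 'processes = 8' \
        'php-set = memory_limit=512M' 'php-set = expose_php=false' > "$d/nextcloud.ini.pacnew"
    printf '%s\n' '[uwsgi]' 'plugins = php' 'processes = 4' \
        'php-set = memory_limit=1G' > "$d/nextcloud.ini"
    review_pacnew "$d/nextcloud.ini.package" "$d/nextcloud.ini.pacnew" "$d/nextcloud.ini"
    rm -rf "$d"
}
```

Run review_pacnew on the three real files before editing /etc/uwsgi/nextcloud.ini, and call accept_pacnew only once the changes you want have been carried over.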

1.2 uWSGI service

The uwsgi package provides a template unit file (uwsgi@.service). The instance ID (here nextcloud) selects the matching configuration file. Enable and start uwsgi@nextcloud.service.

If you run several (say, two) instances like this, consider using emperor mode, which saves resources.

2. FPM

If you choose FPM as your application server, install php-legacy-fpm (preferably as a dependency, with --asdeps).

FPM's configuration consists of a copy of php.ini that applies to all applications it serves, plus a pool file generated for each application (here Nextcloud). Finally, the systemd service file needs adjusting.

2.1 php-fpm.ini

As said before, this guide does not modify PHP's main configuration file /etc/php-legacy/php.ini; instead, create and modify a copy of it:

# cp /etc/php-legacy/php.ini /etc/php-legacy/php-fpm.ini

Make sure the file is owned by root and writable only by root (-rw-r--r-- 1 root root ... php-fpm.ini). Enable opcache (uncomment the line):

/etc/php-legacy/php-fpm.ini
zend_extension=opcache

Then put the following below the [opcache] line:

/etc/php-legacy/php-fpm.ini
opcache.enable = 1
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 10000
opcache.memory_consumption = 128
opcache.save_comments = 1
opcache.revalidate_freq = 1
Warning: Do not try to put the settings above into the pool file via php_value[...] and php_flag[...]. The FPM process would crash on the first request.

2.2 nextcloud.conf

The next step is to create the pool file, which is responsible for spawning dedicated FPM processes for the Nextcloud application. Create the file /etc/php-legacy/php-fpm.d/nextcloud.conf; you may want to borrow from this preconfigured version.

Make sure the pool file is owned by root and writable only by root (-rw-r--r-- 1 root root ... nextcloud.conf). Depending on whether access logging is enabled (it is in the preconfigured version), create the directory for the log file (/var/log/php-fpm-legacy/access in the preconfigured version). Adjust the configuration to your liking (in particular pm..., php_value[...] and php_flag[...]). The php_value[...] and php_flag[...] settings should match those in /etc/webapps/nextcloud/php.ini (not /etc/php-legacy/php-fpm.ini).

The same can be achieved by modifying php-fpm.ini, but changes to php-fpm.ini affect all applications served by FPM.

Tip: php-legacy-fpm ships a pool file named www.conf, which plays no role in this guide. A good way to neutralize it is to rename it www.conf.package and create a www.conf that contains only comment lines (lines starting with a semicolon). This turns www.conf into a no-op file, and it will not be overwritten by php-legacy-fpm updates either. During an update the new file is named www.conf.pacnew, and you can compare www.conf.package with www.conf.pacnew to check whether the new file contains significant changes. If you find changes that require nextcloud.conf to be regenerated, rename www.conf.pacnew to www.conf.package once you are done with nextcloud.conf.

2.3 systemd service

FPM runs as a systemd service. You should modify the service configuration so that it can run Nextcloud. The best way is a drop-in file:

/etc/systemd/system/php-fpm-legacy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/php-fpm-legacy --nodaemonize --fpm-config /etc/php-legacy/php-fpm.conf --php-ini /etc/php-legacy/php-fpm.ini
ReadWritePaths=/var/lib/nextcloud
ReadWritePaths=/etc/webapps/nextcloud/config
  • It replaces the ExecStart line with a start command that uses the php-fpm.ini from the previous section.
  • It makes the /var/lib/nextcloud and /etc/webapps/nextcloud/config directories (and everything below them) writable. The original service definition's ProtectSystem=full exposes /usr, /boot and /etc to the FPM process read-only by default.

Do not forget to enable and start the php-fpm-legacy service.

2.4 Keeping /etc tidy

Nextcloud installs the uWSGI configuration file /etc/uwsgi/nextcloud.ini by default. It is of no use to you (though it does no harm either). If you do not want it in your directory at all, add the following to /etc/pacman.conf:

/etc/pacman.conf
# uWSGI configuration that comes with Nextcloud is not needed
NoExtract = etc/uwsgi/nextcloud.ini

Web server

There is quite a choice of web servers. Whichever you pick, remember that the Nextcloud application must run under its own system user nextcloud. That is why requests have to be forwarded to the application server described above.

1. nginx

Configuring nginx is clearly beyond the scope of this article; see the related article for more information. Nextcloud's official documentation also provides a detailed configuration file for reference. It is up to you how to integrate that into your nginx configuration. A common approach is to use the /etc/nginx/sites-available and /etc/nginx/sites-enabled directories to configure servers (also called virtual hosts) separately; see Nginx#Managing server entries.

If you use the nginx configuration from Nextcloud's documentation, change the root directory to:

cloud.mysite.com.conf
root /usr/share/webapps/nextcloud;

The upstream php-handler { ... } part is not needed; simply specify fastcgi_pass unix:/run/php-fpm-legacy/nextcloud.sock; inside the location. When using uWSGI instead of FPM, replace the location with:

cloud.mysite.com.conf
location ~ \.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # Avoid duplicate headers confusing OC checks
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    uwsgi_hide_header X-Download-Options;
    uwsgi_hide_header X-Permitted-Cross-Domain-Policies;
    uwsgi_pass unix:/run/uwsgi/nextcloud.sock;

}

You may have to deal with (some of) the following:

  • Your server name, i.e. the server part of the URL at which your Nextcloud is reachable.
  • The certificate name and the key used for SSL/TLS.
  • Where the access logs are stored.
  • Where Certbot (or another ACME client) stores the domain validation challenges. Here alias may be more suitable than try_files.
  • The path used to access Nextcloud (the part of the access URL after the server name and port).
  • The application server you use (uWSGI or FPM), i.e. how and where nginx passes the PHP code to be executed (see above).
  • Configuring OCSP stapling.

Nginx needs no additional modules, since it natively supports both protocols, FastCGI and uwsgi.

2. Apache HTTP Server

The Apache HTTP Server article contains a lot of useful information. Nextcloud's documentation also has some sample configurations, which you can also find in /usr/share/doc/nextcloud/apache.example.conf. The implicit reliance on mod_php is no longer available; mod_proxy_fcgi or mod_proxy_uwsgi has to be used instead.

You can find out how to make Apache work with FPM on this wiki. uWSGI's documentation describes how to make Apache work with uWSGI and mod_proxy_uwsgi to handle PHP code. Note that apache contains both mod_proxy_fcgi and mod_proxy_uwsgi; enable them as needed.

These are the modules required to run Nextcloud:

/etc/httpd/conf/httpd.conf
# these are already loaded in a standard Apache installation
LoadModule headers_module modules/mod_headers.so
LoadModule env_module modules/mod_env.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule setenvif_module modules/mod_setenvif.so

# these need to be uncommented explicitly
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule proxy_module modules/mod_proxy.so

# either this one in case you use FPM
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
# or this one in case you opt for uWSGI
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so

Uncomment the following line to include the TLS configuration parameters:

/etc/httpd/conf/httpd.conf
Include conf/extra/httpd-ssl.conf

For details on tuning the TLS configuration, see the Mozilla SSL Configuration Generator.

Refer to one of the following two sample configuration files, depending on how you want to access Nextcloud:

  • Access by hostname (e.g. https://cloud.mysite.com/): put this snippet into /etc/httpd/conf/extra/httpd-vhosts.conf.
  • Access through a subfolder (e.g. https://www.mysite.com/nextcloud/): put this snippet into /etc/httpd/conf/httpd.conf.

Of course, adapt the sample configuration to your actual situation. When using uWSGI, replace the SetHandler line with SetHandler "proxy:unix:/run/uwsgi/nextcloud.sock|uwsgi://nextcloud/".

The nextcloud package ships a .htaccess file that already takes care of a lot of rewriting and headers. Run occ maintenance:update:htaccess to adapt this file. The htaccess.RewriteBase parameter in /etc/webapps/nextcloud/config/config.php is essential for this.

Background jobs

Nextcloud requires certain tasks to be run on a schedule. See Nextcloud's documentation for details. The easiest (and most reliable) way to set up these background jobs is to use the systemd service and timer units already installed by nextcloud. The service unit needs some tweaking so that the job uses the correct PHP ini file (and not the global php.ini). Create a drop-in file and add:

/etc/systemd/system/nextcloud-cron.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/php-legacy -c /etc/webapps/nextcloud/php.ini -f /usr/share/webapps/nextcloud/cron.php

After that enable and start nextcloud-cron.timer (not the service).

As recommended by the documentation, add the parameter

/etc/webapps/nextcloud/config/config.php
....
'maintenance_window_start' => 0,
....

to Nextcloud's configuration file. The value is the hour of the day (UTC) that marks the start of a 4-hour window. Time-consuming jobs that only need to run once a day are scheduled in this time frame, i.e. outside working hours.

Warning: Do not try to install and use nextcloud-systemd-timers (AUR). It is outdated and unmaintained.

In-memory caching

Nextcloud's documentation recommends applying some kind of in-memory object cache to significantly improve performance.

Note: Mind that push notify (the Nextcloud service that replaces client polling with notifications from the server, thus drastically reducing sync latency) depends on Redis.

APCu

Install php-legacy-apcu (as dependency --asdeps). Enable the extension in the relevant configuration files. These are

  • /etc/webapps/nextcloud/php.ini used by the occ command and the background jobs and
  • depending on the application server you use either
    • /etc/uwsgi/nextcloud.ini in case of uWSGI or
    • /etc/php-legacy/php-fpm.d/nextcloud.conf in case of FPM.

In /etc/webapps/nextcloud/php.ini add the lines

/etc/webapps/nextcloud/php.ini
extension=apcu
apc.ttl=7200
apc.enable_cli = 1

(preferably somewhere below Module Settings).

For the other two files the setting to activate APCu is already in place and only needs to be uncommented. Two other configuration parameters related to APCu are also already there. No need to touch /etc/php-legacy/php.ini or /etc/php-legacy/conf.d/apcu.ini.

Restart your application server (not the web server as Nextcloud's documentation claims). Add the following line to your Nextcloud configuration file:

/etc/webapps/nextcloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',

Redis

Install php-legacy-igbinary and php-legacy-redis (as dependency --asdeps) in case you run this component locally (i.e. on the same host as Nextcloud). Alternatively the Redis server can be run on a different machine. For more information see Nextcloud's documentation.

Note: Using Redis does not rule out using APCu in parallel as a local cache. In fact, Nextcloud's documentation recommends this setup.

Enable the required extensions igbinary and redis in the relevant configuration files. These are:

  • /etc/webapps/nextcloud/php.ini used by the occ command and the background jobs and
  • depending on the application server you use either
    • /etc/uwsgi/nextcloud.ini in case of uWSGI or
    • /etc/php-legacy/php-fpm.d/nextcloud.conf in case of FPM.

Locate the existing sections where other extensions are enabled and add two additional lines corresponding to igbinary and redis.

Note: It is important to load extension=igbinary before extension=redis. Otherwise occ will report an error (/usr/lib/php-legacy/modules/redis.so: undefined symbol: igbinary_serialize).

In case you have specified the open_basedir option in the above configuration files and use Redis locally with a local Unix socket, you have to extend the list of directories where PHP is allowed to read and write files. Locate the relevant lines in the files specified above and add the directory containing the local Unix socket created by Redis, e.g. /run/redis.

Note: The sample configuration files nextcloud.ini and nextcloud.conf mentioned in the #Application server section already have open_basedir enabled. So if you use a copy of one of these files, you have to adapt it.
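Two of the pitfalls in this section, loading redis before igbinary and an open_basedir that omits the Redis socket directory, are silent at configuration time and only surface when occ or the application server runs. The following shell script is an added example (not part of the wiki page or the nextcloud package) that checks both in a php.ini-style file or a uWSGI nextcloud.ini; it assumes the "extension=NAME" and "php-set = extension=NAME" syntaxes shown on this page, and its function names and constructed samples in demo_checks are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: verify the Redis-related
# requirements of this section in a php.ini-style file ("extension=redis")
# or a uWSGI ini ("php-set = extension=redis").
set -u

# Line number of the first active line enabling EXT in FILE; empty if none.
ext_line() {
    grep -En "^[[:space:]]*(php-set[[:space:]]*=[[:space:]]*)?extension[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1" \
        | head -n 1 | cut -d: -f1
}

# Succeed only if igbinary is enabled and loaded before redis in FILE.
check_redis_order() {
    i=$(ext_line "$1" igbinary); r=$(ext_line "$1" redis)
    if [ -z "$r" ]; then
        printf 'FAIL %s: extension=redis is not enabled\n' "$1"; return 1
    fi
    if [ -z "$i" ]; then
        printf 'FAIL %s: extension=igbinary is not enabled\n' "$1"; return 1
    fi
    if [ "$i" -lt "$r" ]; then
        printf 'ok   %s: igbinary (line %s) precedes redis (line %s)\n' "$1" "$i" "$r"; return 0
    fi
    printf 'FAIL %s: redis (line %s) is loaded before igbinary (line %s)\n' "$1" "$r" "$i"
    return 1
}

# Succeed if FILE has no open_basedir restriction, or if DIR is one of its
# entries (quotes and trailing whitespace around the value are tolerated).
open_basedir_allows() {
    line=$(grep -E "^[[:space:]]*(php-set[[:space:]]*=[[:space:]]*)?open_basedir[[:space:]]*=" "$1" | head -n 1)
    if [ -z "$line" ]; then
        printf 'ok   %s: no open_basedir restriction\n' "$1"; return 0
    fi
    if printf '%s\n' "$line" \
        | sed -e 's/.*open_basedir[[:space:]]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' \
        | tr ':' '\n' | grep -Fqx -- "$2"; then
        printf 'ok   %s: open_basedir includes %s\n' "$1" "$2"; return 0
    fi
    printf 'FAIL %s: open_basedir does not include %s\n' "$1" "$2"
    return 1
}

# Run both checks against FILE for the Redis socket directory SOCKET_DIR;
# returns non-zero if either check fails.
check_redis_ready() {   # FILE SOCKET_DIR
    rc=0
    check_redis_order "$1" || rc=1
    open_basedir_allows "$1" "$2" || rc=1
    return $rc
}

# Offline demonstration on constructed samples: a correct php.ini-style file
# and a uWSGI-style file with the order reversed and /run/redis missing.
demo_checks() {
    d=$(mktemp -d)
    printf '%s\n' 'extension=igbinary' 'extension=redis' \
        'open_basedir=/var/lib/nextcloud:/tmp:/run/redis' > "$d/good.ini"
    printf '%s\n' '[uwsgi]' 'php-set = extension=redis' 'php-set = extension=igbinary' \
        'php-set = open_basedir=/var/lib/nextcloud:/tmp' > "$d/bad.ini"
    check_redis_ready "$d/good.ini" /run/redis
    check_redis_ready "$d/bad.ini" /run/redis || true
    rm -rf "$d"
}

# On a real host, run the check against each file this section names, e.g.:
#   check_redis_ready /etc/webapps/nextcloud/php.ini /run/redis
#   check_redis_ready /etc/uwsgi/nextcloud.ini /run/redis
```

Commented-out lines are ignored, so a ";extension=redis" left in place by a package update does not mask a missing active line.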

Extend your Nextcloud configuration as follows:

/etc/webapps/nextcloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
     'host'     => '/run/redis/redis.sock',
     'port'     => 0,
     'dbindex'  => 0,
     'password' => '',
     'timeout'  => 1.5,
],

Again, adapt /run/redis/redis.sock as required. dbindex, password and timeout are optional.

In case Redis runs on a different machine:

/etc/webapps/nextcloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
     'host' => 'redis-host.mysite.com',
     'port' => 6379,
],

redis-host.mysite.com is just a placeholder. Adapt to your actual setup.

Security Hardening

See the Nextcloud documentation and Security. Nextcloud additionally provides a Security scanner.

uWSGI

You can run Nextcloud in its own process and service by using the uWSGI application server with uwsgi-plugin-php. This allows you to define a PHP configuration only for this instance of PHP, without the need to edit the global php.ini and thus keeping your web application configurations compartmentalized. uWSGI itself has a wealth of features to limit the resource use and to harden the security of the application, and by being a separate process it can run under its own user.

The only part that differs from #Nginx is the location ~ \.php(?:$|/) {} block:

  location ~ \.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # Avoid duplicate headers confusing OC checks
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    uwsgi_pass unix:/run/uwsgi/nextcloud.sock;
    }

Then create a config file for uWSGI:

/etc/uwsgi/nextcloud.ini
[uwsgi]
; load the required plugins
plugins = php
; force the sapi name to 'apache', this will enable the opcode cache  
php-sapi-name = apache

; set master process name and socket
; '%n' refers to the name of this configuration file without extension
procname-master = uwsgi %n
master = true
socket = /run/uwsgi/%n.sock

; drop privileges
uid    = nextcloud
gid    = nextcloud
umask  = 027

; run with at least 1 process but increase up to 4 when needed
processes = 4
cheaper = 1

; reload whenever this config file changes
; %p is the full path of the current config file
touch-reload = %p

; disable uWSGI request logging
;disable-logging = true

; enforce a DOCUMENT_ROOT
php-docroot     = /usr/share/webapps/%n
; limit allowed extensions
php-allowed-ext = .php
; and search for index.php if required
php-index = index.php

; set php configuration for this instance of php, no need to edit global php.ini
php-set = date.timezone=Etc/UTC
;php-set = open_basedir=/tmp/:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom
php-set = expose_php=false
; avoid security risk of leaving sessions in world-readable /tmp
php-set = session.save_path=/usr/share/webapps/nextcloud/data

; port of php directives set upstream in /usr/share/webapps/nextcloud/.user.ini for use with PHP-FPM
php-set = upload_max_filesize=513M
php-set = post_max_size=513M
php-set = memory_limit=512M
php-set = output_buffering=off

; load all extensions only in this instance of php, no need to edit global php.ini
;; required core modules
php-set = extension=gd
php-set = extension=iconv
;php-set = extension=zip     # enabled by default in global php.ini

;; database connectors
;; uncomment your selected driver
;php-set = extension=pdo_sqlite
;php-set = extension=pdo_mysql
;php-set = extension=pdo_pgsql

;; recommended extensions
;php-set = extension=curl    # enabled by default in global php.ini
php-set = extension=bz2
php-set = extension=intl

;; required for specific apps
;php-set = extension=ldap    # for LDAP integration
;php-set = extension=ftp     # for FTP storage / external user authentication
;php-set = extension=imap    # for external user authentication, requires php-imap

;; recommended for specific apps
;php-set = extension=exif    # for image rotation in pictures app, requires exiv2
;php-set = extension=gmp     # for SFTP storage

;; for preview generation
;; provided by packages in AUR
; php-set = extension=imagick

; opcache
php-set = zend_extension=opcache

; user cache
; provided by php-acpu, to be enabled **either** here **or** in /etc/php/conf.d/apcu.ini
php-set = extension=apcu
; per https://github.com/krakjoe/apcu/blob/simplify/INSTALL
php-set = apc.ttl=7200
php-set = apc.enable_cli=1

; web server is already handling URL rewriting, so tell NextCloud not to repeat this
env = front_controller_active=true

cron2 = minute=-15,unique=1 /usr/bin/php -f /usr/share/webapps/nextcloud/cron.php 1>/dev/null
Note:
  • Do not forget to set your timezone and uncomment the required database connector in the uWSGI config file.
  • The open_basedir directive is optional and commented out. You can uncomment it to harden security. Be aware that it may occasionally break things.
  • Use php-docroot = /usr/share/webapps if placing nextcloud in the /nextcloud subdirectory.
Warning: The way the Nextcloud background job is currently set up with uWSGI cron, it will use the default global configuration from /etc/php/php.ini. This means that none of the specific parameters defined (e.g. required modules) will be enabled, leading to various issues. One solution is to copy /etc/php/php.ini to e.g. /etc/uwsgi/cron-php.ini, make the required modifications there (mirroring the /etc/uwsgi/nextcloud.ini parameters) and reference it in the cron directive by adding the -c /etc/uwsgi/cron-php.ini option to the php invocation.

Activation

uWSGI provides a template unit that allows applications to be started and enabled using their configuration file name as the instance identifier. For example, starting uwsgi@nextcloud.socket would start it on demand, referencing the configuration file /etc/uwsgi/nextcloud.ini.

To enable the uwsgi service by default at start-up, enable uwsgi@nextcloud.socket.

Note: Here we make use of systemd socket activation to avoid unnecessary resource consumption when no connections are made to the instance. If you would rather have it constantly active, simply drop the .socket part to start and enable the service instead.

See also UWSGI#Running uWSGI.

Synchronization

Desktop

The official client can be installed with the owncloud-client or nextcloud-client package. Alternative versions are available in the AUR: owncloud-client-git (AUR). Additional packages are needed for some features:

  • Auto-login: All of them use qtkeychain-qt5 to store and retrieve account-specific access tokens. To achieve auto-login when the client starts, one of the optional dependencies of qtkeychain should be installed as well. Moreover, if you choose libsecret as the backend for qtkeychain, a service that provides org.freedesktop.secrets should be running when the client starts.
  • File manager integration: for nextcloud-client, integration with file managers (e.g. showing Nextcloud folders in GTK+ file dialogs) requires the additional package nextcloud-client-cloudproviders. owncloud-client already includes cloudproviders support by default.

Calendar

To access your Nextcloud calendars using Mozilla Thunderbird's Lightning calendar you would use the following URL:

https://ADDRESS/remote.php/caldav/calendars/USERNAME/CALENDARNAME

To access your Nextcloud calendars using CalDAV-compatible programs like Kontact or Evolution, you would use the following URL:

https://ADDRESS/remote.php/caldav

For details see the official documentation.

Contacts

To sync contacts with Thunderbird, see these instructions [dead link 2021-05-17] from the official documentation.

Mounting files with davfs2

If you want to mount your Nextcloud using WebDAV, install davfs2 (as described in davfs2).

To mount your Nextcloud, use:

# mount -t davfs https://your_domain/nextcloud/remote.php/dav/files/username/ /path/to/mount

You can also create an entry for this in /etc/fstab

/etc/fstab
https://your_domain/nextcloud/remote.php/dav/files/username/ /path/to/mount davfs rw,user,noauto 0 0
Tip: To allow automounting, you can also store your username (and password, if you like) in a file as described in davfs2#Storing credentials.
Note: If creating/copying files is not possible while the same operations work on directories, see davfs2#Creating/copying files not possible and/or freezes.

Mounting files in GNOME Files (Nautilus)

You can access the files directly in Nautilus ('+ Other Locations') over the WebDAV protocol: use the link shown in your Nextcloud installation's web GUI (typically https://example.org/remote.php/webdav/ [dead link 2021-05-17]) but replace the protocol name 'https' with 'davs'. Nautilus will ask for user name and password when connecting.

Android

Download the official Nextcloud app from Google Play or F-Droid.

To enable contacts and calendar sync (Android 4+):

  1. download DAVx5 (Play Store, F-Droid)
  2. Enable mod_rewrite.so in httpd.conf
  3. create a new DAVdroid account in the Account settings, and specify your "short" server address and login/password pair, e.g. https://cloud.example.com (there is no need for the /remote.php/{carddav,webdav} part if you configured your web server with the proper redirections, as illustrated earlier in the article; DAVdroid will find the right URLs itself)

iOS

Download the official Nextcloud app from the App Store.

Tips and tricks

Using the ownCloud console

A useful tool for server administration is occ, documented here. You can perform many common server operations with occ, such as managing users and configuring apps.

Tip: A convenience wrapper around /usr/share/webapps/nextcloud/occ is provided as /usr/bin/occ, which automatically runs as the default user (nextcloud), using the default PHP and PHP configuration file. The environment variables NEXTCLOUD_USER, NEXTCLOUD_PHP and NEXTCLOUD_PHP_CONFIG can be used to specify a non-default user, PHP executable and PHP configuration file (respectively).
Warning: When using php-apcu for caching, make sure to set apc.enable_cli=1 in /etc/php/conf.d/apcu.ini, as the occ command will otherwise run out of memory (FS#69726).

Pacman hook

To automatically upgrade the Nextcloud database on package update, you can make use of the included pacman hook:

# mkdir -vp /etc/pacman.d/hooks
# ln -sv /usr/share/doc/nextcloud/nextcloud.hook /etc/pacman.d/hooks/
Note: The packaged pacman hook implies that the global php.ini is used for the application.

Running Nextcloud in a subdirectory

By including the default nextcloud.conf in httpd.conf, Nextcloud takes control of port 80 and your localhost domain.

If you would rather have Nextcloud run in a subdirectory:

For Apache, edit the /etc/httpd/conf/extra/nextcloud.conf you included and comment out the <VirtualHost *:80> ... </VirtualHost> part of the include file.

For nginx, you can use the following config when using Nextcloud with uwsgi:

/etc/nginx/conf.d/nextcloud.conf
location = /.well-known/carddav {
  return 301 $scheme://$host/nextcloud/remote.php/dav;
}

location = /.well-known/caldav {
  return 301 $scheme://$host/nextcloud/remote.php/dav;
}

location /.well-known/acme-challenge { }

location ^~ /nextcloud {

  root /usr/share/webapps;

  # set max upload size
  client_max_body_size 512M;
  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  location /nextcloud {
    rewrite ^ /nextcloud/index.php$uri;
  }

  location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
  }

  location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }

  location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
    try_files $uri/ =404;
    index index.php;
  }

  location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    # Avoid duplicate headers confusing OC checks
    uwsgi_hide_header X-Frame-Options;
    uwsgi_hide_header X-XSS-Protection;
    uwsgi_hide_header X-Content-Type-Options;
    uwsgi_hide_header X-Robots-Tag;
    uwsgi_pass unix:/run/uwsgi/owncloud.sock;
  }

  # Adding the cache control header for js and css files
  # Make sure it is BELOW the PHP block
  location ~* \.(?:css|js) {
    try_files $uri /nextcloud/index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers  (It is intended
    # to have those duplicated to the ones above)
    # Before enabling Strict-Transport-Security headers please read
    # into this topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Do not log access to assets
    access_log off;
  }

  location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg) {
    try_files $uri /nextcloud/index.php$uri$is_args$args;
    # Optional: Do not log access to other assets
    access_log off;
  }
}
Note: Do not forget to configure the .well-known URLs for service discovery. For more information, see the General troubleshooting and service discovery section of the Nextcloud documentation.
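
To see what the two "deny all" locations in the configuration above actually cover, here is an added shell example (it is not part of the wiki page and not Nextcloud's own code) that applies the same path patterns to a list of constructed request paths. The patterns are rewritten as POSIX ERE because grep -E has no `(?:...)` groups; the plain groups match the same paths.

```shell
#!/bin/sh
# Added example (not from the wiki page): apply the two deny patterns of the
# nginx configuration above to request paths, to see which ones the web server
# refuses before PHP is ever involved.

# Same patterns as the nginx "deny all" locations, written as POSIX ERE:
# grep -E has no (?:...) groups, so plain groups are used instead.
DENY_DIRS='^/nextcloud/(build|tests|config|lib|3rdparty|templates|data)/'
DENY_FILES='^/nextcloud/(\.|autotest|occ|issue|indie|db_|console)'

# nextcloud_path_blocked PATH -> exit 0 if one of the deny rules matches PATH
nextcloud_path_blocked() {
    printf '%s\n' "$1" | grep -Eq "$DENY_DIRS" && return 0
    printf '%s\n' "$1" | grep -Eq "$DENY_FILES" && return 0
    return 1
}

# classify PATH -> prints "deny  PATH" or "allow PATH"
classify() {
    if nextcloud_path_blocked "$1"; then
        printf 'deny  %s\n' "$1"
    else
        printf 'allow %s\n' "$1"
    fi
}

# Constructed sample paths: sensitive ones that must be refused, and
# ordinary application paths that must still be served.
SAMPLE_PATHS='/nextcloud/config/config.php
/nextcloud/data/admin/files/report.pdf
/nextcloud/.htaccess
/nextcloud/occ
/nextcloud/console.php
/nextcloud/db_structure.xml
/nextcloud/index.php
/nextcloud/remote.php/dav
/nextcloud/apps/files/css/files.css
/nextcloud/core/img/logo.svg'

# count_denied -> number of sample paths the rules refuse
count_denied() {
    n=0
    for p in $SAMPLE_PATHS; do
        if nextcloud_path_blocked "$p"; then n=$((n + 1)); fi
    done
    echo "$n"
}

for p in $SAMPLE_PATHS; do classify "$p"; done
```

This only exercises the patterns themselves. In nginx the regex locations are evaluated against the normalized request URI (percent-decoded, with repeated slashes and `..` resolved) and the winning block depends on location order, so the real check is still a request against the running server, expecting 403 for /nextcloud/config/config.php and friends.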

Docker

See the ownCloud or Nextcloud repository for Docker.

Upload and share from File Manager

shareLinkCreator provides the ability to upload a file to OwnCloud via a supported file manager and receive a link to the uploaded file which can then be emailed or shared in another way.

Defining Background Jobs

Nextcloud requires some tasks to be executed on a schedule. By default it does this with AJAX, which is the least reliable method; Cron is recommended instead. Since Arch Linux ships with systemd, the preferred way to run scheduled tasks is a systemd timer.

Manual install

First create a service:

/etc/systemd/system/nextcloudcron.service
[Unit]
Description=Nextcloud cron.php job

[Service]
User=nextcloud
ExecStart=/usr/bin/php -f /usr/share/webapps/nextcloud/cron.php

[Install]
WantedBy=basic.target

Then create a timer for that service:

/etc/systemd/system/nextcloudcron.timer
[Unit]
Description=Run Nextcloud cron.php every 5 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=5min
Unit=nextcloudcron.service

[Install]
WantedBy=timers.target

Activate timer

Start/enable nextcloudcron.timer.

Confirm that it is running by running

# systemctl list-timers

AUR package

Install nextcloud-systemd-timersAUR.

Provided services can be checked with:

$ pacman -Ql nextcloud-systemd-timers

For instance, to run the cron.php script every 5 minutes:

# systemctl start nextcloud-cron.timer
# systemctl enable nextcloud-cron.timer

Collabora Online Office integration

This article or section needs expansion.

Reason: What is the correct domain (or server_name in the config) when Nextcloud runs in a subdirectory? (Discuss in Talk:Nextcloud)

Solution with Docker

First, install the docker package to provide the Collabora files and set up a Collabora server.

Start/enable docker.service.

Then, download the official Docker image:

# docker pull collabora/code

Then start the Collabora server. Make sure cloud\\.example\\.com is your Nextcloud domain, not the Collabora one:

# docker run -t -d -p 127.0.0.1:9980:9980 -e "domain=cloud\\.example\\.com" --restart always --cap-add MKNOD collabora/code

Also make sure to escape all dots with double backslashes (\\), since this string is evaluated as a regular expression (and your bash 'eats' the first backslash). If you want to use the Docker container with more than one Nextcloud, use 'domain=cloud\\.example\\.com\|second\\.example\\.com' instead (all hosts are separated by \|). When using `localhost` as the domain for testing, you need to add --net host so that the Docker container can reach your Nextcloud server.
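
Getting the escaping right by hand is error-prone, so here is an added shell helper (not from the wiki page and not Collabora's own tooling) that builds the value in exactly the form used above from plain hostnames, and shows why the dots must be escaped. The hostnames are constructed; the `after_shell`/`host_matches` pair only illustrates the single-host case with plain ERE and does not model the `\|` alternation.

```shell
#!/bin/sh
# Added example (not from the wiki page or from Collabora): build the value of
# the container's "domain" variable from plain hostnames, in the form the text
# above uses: every dot escaped as \\. and several hosts joined with \|.

# collabora_domain_regex HOST... -> prints the escaped, joined value
collabora_domain_regex() {
    out=""
    for host in "$@"; do
        # replace every "." with "\\." (two backslashes: the shell eats one)
        escaped=$(printf '%s\n' "$host" | sed 's/\./\\\\./g')
        if [ -z "$out" ]; then
            out=$escaped
        else
            out="${out}\\|${escaped}"
        fi
    done
    printf '%s\n' "$out"
}

# after_shell VALUE -> what is left once a double-quoted shell string has
# consumed one backslash of each pair ("\\." becomes "\.")
after_shell() {
    printf '%s\n' "$1" | sed 's/\\\\/\\/g'
}

# host_matches REGEX HOST -> exit 0 if REGEX (as an ERE) matches all of HOST;
# used below to show why the dots have to be escaped: an unescaped "." also
# matches "cloudXexample.com"
host_matches() {
    printf '%s\n' "$2" | grep -Eq "^($1)\$"
}

# Demo with constructed hostnames
collabora_domain_regex cloud.example.com
collabora_domain_regex cloud.example.com second.example.com
```

Copy the printed value into the docker run line the same way the text above does; the escaping is meant for the literal, quoted `-e "domain=..."` argument.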

If you need to delete or reinstall the Collabora server:

Find the CONTAINER_ID of the server:

# docker ps

Stop and delete it:

# docker stop CONTAINER_ID
# docker rm CONTAINER_ID

Next, follow the instructions for the web server you are using:

Nginx setup example:

Add the following to your Nextcloud domain config, or add a new config file in the /etc/nginx/conf.d/ directory. (Do not forget to change office.example.com and ssl_certificate to the right values. If you are using the Docker image, change http to https.)

/etc/nginx/conf.d/example.conf
upstream office.example.com {
    server 127.0.0.1:9980;
}

server {
    listen 443 ssl;
    server_name office.example.com;
 
    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem;

    # static files
    location ^~ /loleaflet {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_buffering off;
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ /lool {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }

    location ^~ /hosting/capabilities {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

}

Reload nginx:

# nginx -s reload

or restart nginx.service.

Apache setup example:

Add the following to the Nextcloud config file. Do not forget to change the values to the right ones.

/etc/httpd/conf/extra/nextcloud.conf
<VirtualHost *:443>
ServerName office.nextcloud.com:443

# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
SSLEngine on
SSLCertificateFile /path/to/signed_certificate
SSLCertificateChainFile /path/to/intermediate_certificate
SSLCertificateKeyFile /path/to/private/key
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool https://127.0.0.1:9980/lool
ProxyPassReverse    /lool https://127.0.0.1:9980/lool
</VirtualHost>

After configuring these, restart Apache by restarting httpd.service.

Install the Nextcloud app

Go to the Apps section, choose "Office & Text" and install the "Collabora Online" app. In the admin panel, select the Collabora Online tab and specify the server domain you set up before.

Solution without Docker

The collabora-online-server-nodockerAUR package provides the Collabora Office (the desktop suite) and the "CODE" (Collabora Online Development Edition) server, which is based on "lool" (LibreOffice OnLine).

Alter the /etc/loolwsd/loolwsd.xml file, so that:

  • config > server_name contains the host and port of the public Nextcloud address, separated by a colon (e.g. example.org:443),
  • config > ssl > enable is false (i.e. web browser —HTTPS→ proxy —HTTP→ loolwsd),
  • config > ssl > termination is true (I suppose you’ll manage TLS at the proxy level),
  • config > storage > wopi > host reflects the actual hostname (or pattern) of the proxy server (e.g. (?:.*\.)?example\.org),
  • config > admin_console > username and config > admin_console > password are set to values of your choice.

Then:

  • start and enable loolwsd.service;
  • configure Nginx by creating a server block including /etc/nginx/snippets/loolwsd.conf, and restart it. Example with SSL (change office.example.com and ssl_certificate to the right values):
/etc/nginx/conf.d/example.conf
server {
    listen 443 ssl;
    server_name office.example.com;

    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem;

    include snippets/loolwsd.conf;
}
  • in Nextcloud, install the "Collabora Online" app. In the admin panel select the Collabora Online tab and specify the server domain name you have just set up.

Disabling app recommendations

By default, Nextcloud recommends apps to new clients, which can result in a lot of notifications. To disable this, disable the recommendation app using occ.

Troubleshooting

This article or section is out of date.

Reason: A lot of references to OwnCloud, are these still valid with Nextcloud? (Discuss in Talk:Nextcloud)

By default, the logs of the web application are available in /var/log/nextcloud/nextcloud.log.

Issues with permissions and setup after upgrade to >= 21.0.0

Note: Before nextcloud 21.0.0, the web application was run as the http user. This is a security concern in regards to cross-application access of this user (it has access to all data of all web applications).

Since version 21.0.0 nextcloud more closely follows the web application package guidelines. This introduces the separate user nextcloud, as which the web application is run.

After an upgrade from nextcloud < 21.0.0 make sure that

  • neither the data directory nor the writable apps directory is located below /usr/share/webapps/nextcloud/, as that directory is owned by root
  • both the data directory and the writable apps directory, alongside all files beneath them, are writable and owned by the nextcloud user
  • the web application configuration file resides in /etc/webapps/nextcloud/config/ and that directory and its contents are writable and owned by the nextcloud user
  • an application server, such as php-fpm or uWSGI, is configured to run the web application as the nextcloud user and not the http user
  • the cron job/systemd timer has been updated to run as the new user
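
To verify those conditions rather than eyeball them, here is an added shell script (not from the wiki page and not part of the nextcloud package) that checks one directory tree at a time. The /path/to/... values in the usage comment are placeholders for the directories configured in your config.php; "nextcloud" is the user the page prescribes.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the post-upgrade conditions
# listed above for one directory tree (data directory, writable apps directory,
# or /etc/webapps/nextcloud/config): it must not be located below the
# root-owned /usr/share/webapps/nextcloud, and everything beneath it must be
# owned by the web application user and writable by that owner.

WEBAPP_ROOT=/usr/share/webapps/nextcloud

# is_below PATH PREFIX -> exit 0 if PATH equals PREFIX or lies beneath it
is_below() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_tree DIR USER -> prints every problem found; exit 1 if there was any
check_tree() {
    dir=$1 user=$2 rc=0
    if ! id "$user" >/dev/null 2>&1; then
        echo "$user: no such user"
        return 1
    fi
    if is_below "$dir" "$WEBAPP_ROOT"; then
        echo "$dir: located below $WEBAPP_ROOT, which is owned by root"
        rc=1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    # every entry not owned by $user, or lacking the owner-write bit (0200)
    bad=$(find "$dir" '(' ! -user "$user" -o ! -perm -200 ')')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | while IFS= read -r f; do
            echo "$f: must be owned by $user and writable by that owner"
        done
        rc=1
    fi
    return $rc
}

# Usage on a real system (replace the placeholder paths with the values from
# your config.php):
#   check_tree /path/to/data nextcloud
#   check_tree /path/to/apps nextcloud
#   check_tree /etc/webapps/nextcloud/config nextcloud
```

Run it as root (or as a user allowed to traverse the trees); a non-empty report means the application server or the cron job will fail with permission errors once it runs as the nextcloud user.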

Environment variables not available

Uncomment the line in /etc/php/php-fpm.d/www.conf as per Nextcloud documentation:

 env[PATH] = /usr/local/bin:/usr/bin:/bin

Self-signed certificate not accepted

ownCloud uses cURL and SabreDAV to check if WebDAV is enabled. If you use SSL/TLS with a self-signed certificate, e.g. as shown in LAMP, and access ownCloud's admin panel, you will see the following error message:

Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.

Assuming that you followed the LAMP tutorial, execute the following steps:

Create a local directory for non-distribution certificates and copy LAMP's certificate there. This will prevent ca-certificates updates from overwriting it.

# cp /etc/httpd/conf/server.crt /usr/share/ca-certificates/WWW.EXAMPLE.COM.crt

Add WWW.EXAMPLE.COM.crt to /etc/ca-certificates.conf:

WWW.EXAMPLE.COM.crt

Now, regenerate your certificate store:

# update-ca-certificates

Restart the httpd service to activate your certificate.

Self-signed certificate for Android devices

Once you have followed the setup for SSL, as on Apache HTTP Server#TLS for example, early versions of DAVdroid will reject the connection because the certificate is not trusted. A certificate can be made as follows on your server:

# openssl x509 -req -days 365 -in /etc/httpd/conf/server.csr -signkey /etc/httpd/conf/server.key -extfile android.txt -out CA.crt
# openssl x509 -inform PEM -outform DER -in CA.crt -out CA.der.crt 

The file android.txt should contain the following:

basicConstraints=CA:true

Then import CA.der.crt to your Android device:

Put the CA.der.crt file onto the sdcard of your Android device (usually to the internal one, e.g. save from a mail attachment). It should be in the root directory. Go to Settings > Security > Credential storage and select Install from device storage. The .crt file will be detected and you will be prompted to enter a certificate name. After importing the certificate, you will find it in Settings > Security > Credential storage > Trusted credentials > User.

Thanks to: [1]

Another way is to import the certificate directly from your server via CAdroid [dead link 2020-04-01] and follow the instructions there.

Cannot write into config directory!

If you have set open_basedir in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf), make sure that it includes /etc/webapps.

Restart the web server to apply the change.

If you are getting this error after an upgrade from Nextcloud 17 to Nextcloud 18, also see #Explicitly permit Nextcloud directories for php-fpm.

Cannot create data directory

If you have set open_basedir in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf), make sure that it includes the data directory.

Restart the web server to apply the change.

CSync failed to find a specific file.

This is most likely a certificate issue. Recreate it, and do not leave the common name empty or you will see the error again.

# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt

Seeing white page after login

The cause is probably a new app that you installed. To fix that, you can use the occ command as described here. So with

sudo -u http php /usr/share/webapps/nextcloud/occ app:list

you can list all apps (if you installed nextcloud in the standard directory), and with

sudo -u http php /usr/share/webapps/nextcloud/occ app:disable <nameOfExtension>

you can disable the troubling app.

Alternatively, you can either use phpMyAdmin to edit the oc_appconfig table (if you got lucky and the table has an edit option), or do it by hand with mysql:

mysql -u root -p owncloud
MariaDB [owncloud]> delete from oc_appconfig where appid='<nameOfExtension>' and configkey='enabled' and configvalue='yes';
MariaDB [owncloud]> insert into oc_appconfig (appid,configkey,configvalue) values ('<nameOfExtension>','enabled','no');

This should delete the relevant configuration from the table and add it again.

GUI sync client fails to connect

If using HTTP basic authentication, make sure to exclude "status.php", which must be publicly accessible. [2]

GUI tray icon disappears, but client still running in the background

After waking up from a suspended state, the Nextcloud client tray icon may disappear from the system tray. A workaround is to delay the startup of the client, as noted here. This can be done with the .desktop file, for example:

.local/share/applications/nextcloud.desktop
...
Exec=bash -c 'sleep 5 && nextcloud'
...

Some files upload, but give an error 'Integrity constraint violation...'

You may see the following error in the ownCloud sync client:

   SQLSTATE[23000]: Integrity constraint violation: ... Duplicate entry '...' for key 'fs_storage_path_hash')...

This is caused by an issue with the File Locking app, which is often not sufficient to keep conflicts from occurring on some web server configurations. A more complete Transactional File Locking is available that eliminates these errors, but you must be using the Redis PHP caching method. Install redis and php-redis, comment out your current PHP cache mechanism, and then in /etc/php/conf.d/redis.ini uncomment extension=redis. Then in config.php make the following changes:

   'memcache.local' => '\OC\Memcache\Redis',
   'filelocking.enabled' => true,
   'memcache.locking' => '\OC\Memcache\Redis',
   'redis' => array(
        'host' => 'localhost',
        'port' => 6379,
        'timeout' => 0.0,
   ),

and start/enable redis.service.

Finally, disable the File Locking app, as the Transactional File Locking will take care of it (and would conflict).

If everything is working, you should see 'Transactional File Locking Enabled' under Server Status on the Admin page, and syncs should no longer cause issues.

"Cannot write into apps directory"

As mentioned in the official admin manual, either you need an apps directory that is writable by the http user, or you need to set appstoreenabled to false.

If you have set open_basedir in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf), it may be necessary to add your /path/to/data directory to the string on the line starting with php_admin_value open_basedir :

/etc/httpd/conf/extra/nextcloud.conf
php_admin_value open_basedir "/path/to/data/:/srv/http/:/dev/urandom:/tmp/:/usr/share/pear/:/usr/share/webapps/nextcloud/:/etc/webapps/nextcloud"

Installed apps get blocked because of MIME type error

If you are putting your apps folder outside of the Nextcloud installation directory, make sure your web server serves it properly.

In nginx this is accomplished by adding a location block to the nginx configuration as the folder will not be included in it by default.

location ~ /apps2/(.*)$ {
    alias /var/www/nextcloud/apps/$1;
}

CSS and JS resources blocked due to MIME type error

If you load your Nextcloud web GUI and it is missing styles etc., check the browser's console logs for lines like:

The resource from “https://example.com/core/css/guest.css?v=72c34c37-0” was blocked due to MIME type (“text/plain”) mismatch (X-Content-Type-Options: nosniff).

There are a few possible reasons. One is that you have not included any MIME types in your nginx.conf; add the following to nginx.conf:

types_hash_max_size 2048;
types_hash_bucket_size 128;
include mime.types;

Here we use the mime.types provided by mailcap, due to the large number of types included we increase the allowed size of the types hash.

Other possible reasons for these errors are missing permissions on the files. Make sure the files are owned by http:http and can be read and written to by this user.

Security warnings even though the recommended settings have been included in nginx.conf

At the top of the admin page there might be a warning to set the Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection and X-Robots-Tag headers according to https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/harden_server.html [dead link 2020-04-01] even though they are already set like that.

A possible cause is that the application itself (ownCloud/Nextcloud) already sets those headers, uWSGI passes them along, and nginx adds them again:

$ curl -I https://domain.tld
...
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none

While the FastCGI sample config has a parameter to avoid that ( fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice ), when using uWSGI and nginx the following modification of the uWSGI part in nginx.conf could help:

/etc/nginx/nginx.conf
...
        # pass all .php or .php/path urls to uWSGI
        location ~ ^(.+\.php)(.*)$ {
            include uwsgi_params;
            uwsgi_modifier1 14;
            # hide the following headers received from uwsgi, because otherwise we would send them twice since we already add them in nginx itself
            uwsgi_hide_header X-Frame-Options;
            uwsgi_hide_header X-XSS-Protection;
            uwsgi_hide_header X-Content-Type-Options;
            uwsgi_hide_header X-Robots-Tag;
            # Exactly one of the two uwsgi_pass lines below must be active: the unix socket (default), or the TCP socket if the unix socket gives a "connection refused" error
            uwsgi_pass unix:/run/uwsgi/owncloud.sock;
            #uwsgi_pass 127.0.0.1:3001;
        }
...
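
To confirm the fix without reading the curl output by eye, here is an added shell example (not from the wiki page) that parses a saved curl -I response and reports header names that were sent more than once. The sample response is constructed to mirror the duplicated output shown above.

```shell
#!/bin/sh
# Added example (not from the wiki page): parse a saved "curl -I" response and
# report the security headers that were sent more than once, which is the
# symptom Nextcloud's admin page warns about.

# Constructed sample response, shaped like the curl output shown above.
SAMPLE_HEADERS='HTTP/2 200
server: nginx
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: Sameorigin
x-robots-tag: none
strict-transport-security: max-age=15768000; includeSubDomains; preload;
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-robots-tag: none'

# dup_headers RESPONSE -> lower-cased names of headers occurring more than once
dup_headers() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^\([A-Za-z][A-Za-z0-9-]*\):.*/\1/p' \
        | tr 'A-Z' 'a-z' | LC_ALL=C sort | uniq -d
}

# header_count NAME RESPONSE -> how often header NAME occurs (case-insensitive)
header_count() {
    name=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | tr -d '\r' | tr 'A-Z' 'a-z' | grep -c "^$name:"
}

# headers_ok RESPONSE -> exit 0 when no header is duplicated
headers_ok() {
    [ -z "$(dup_headers "$1")" ]
}

# Against a live server: headers=$(curl -sI https://cloud.example.com); dup_headers "$headers"
dup_headers "$SAMPLE_HEADERS"
```

After applying the uwsgi_hide_header lines, the same check against your server should print nothing; header_count is handy for confirming that each of the five headers is present exactly once rather than merely not duplicated.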

"Reading from keychain failed with error: 'No keychain service available'"

This can be fixed on GNOME by installing the two packages libgnome-keyring and gnome-keyring, or on KDE by installing libgnome-keyring and qtkeychain-qt5.

FolderSync: "Method Not Allowed"

FolderSync needs access to /owncloud/remote.php/webdav, so you can create another alias for owncloud in your /etc/httpd/conf/extra/nextcloud.conf:

  <IfModule mod_alias.c>
    Alias /nextcloud /usr/share/webapps/nextcloud/
    Alias /owncloud /usr/share/webapps/nextcloud/
  </IfModule>

See also