Setting up a personal cloud drive with Nextcloud on Debian 10

My Microsoft 365 subscription expired and I did not want to keep paying for 1 TB of OneDrive, so I decided to build a personal cloud drive on my own cloud server. After some research, Nextcloud turned out to be the best fit for my needs and can replace OneDrive completely.

System overview

Component            Version
OS                   Debian 10
Nextcloud            24.0.2
BT Panel (宝塔面板)  7.9.2
PHP                  7.4.30
Nginx                1.21.4
MariaDB              10.2
Redis                7.0.0

Preparation

  • Prepare a cloud server
  • Install BT Panel and the LNMP stack
  • Download the latest Nextcloud release, upload it to the server through BT Panel, and extract it into the target directory

Nginx configuration

MariaDB configuration

PHP configuration

Installing extensions

Extension     Type                Description
ionCube       script decoder      Decrypts scripts encrypted with ionCube Encoder
fileinfo      general extension   May fail to install with less than 1 GB of free memory
opcache       cache               Accelerates PHP scripts
redis         cache               In-memory key-value store with optional persistence
mcrypt        general extension   mcrypt encryption/decryption
apcu          cache               Script cache
imagemagick   general extension   Imagick high-performance image library
sg11          script encoder      PHP code obfuscation/encryption
ldap          general extension   Official PHP extension
gmp           general extension   Official PHP extension

gmp cannot be installed directly; first install libgmp-dev with apt: apt-get install libgmp-dev

Editing the configuration

Edit php.ini (the configuration file):

...
[Zend Opcache]
opcache.revalidate_freq=60
opcache.save_comments=1
...
[apcu]
apc.shm_size = 128M
apc.enable_cli = 1

Edit the FPM configuration file. The run-as user stays at the default www; change the permission of the listening socket file to 0777, then add the env settings.

[www]
...
listen.owner = www
listen.group = www
listen.mode = 0777
user = www
group = www
...
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
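As an added check that is not part of the original post: a small shell script that reads a php-fpm pool file and reports whether the FastCGI socket is writable by every local account. The post sets listen.mode = 0777; when nginx and php-fpm both run as `www` (an assumption about the BT Panel nginx worker), 0660 together with the listen.owner/listen.group lines above gives nginx the access it needs without exposing the socket to other local users. The pool file contents used to exercise the functions are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php-fpm pool file for the
# socket permission chosen in the FPM configuration. 0777 lets every local
# account talk to the PHP worker; 0660 is enough when the nginx worker runs as
# (or in the group of) the listen.owner/listen.group user, assumed here to be
# `www` as on BT Panel.

# Print the effective listen.mode of a pool file (php-fpm's default is 0660
# when the directive is absent).
fpm_listen_mode() {
    mode=$(sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-0660}"
}

# Return 0 when the socket is not writable by "other", 1 when it is.
fpm_socket_is_private() {
    mode=$(fpm_listen_mode "$1")
    # The last octal digit holds the "other" bits; write is bit 2.
    other=$(printf '%s' "$mode" | tail -c 1)
    case $other in
        2|3|6|7) return 1 ;;
        *) return 0 ;;
    esac
}

# Rewrite a 0777 listen.mode to 0660 in place and print the resulting line.
# Reload php-fpm afterwards so the socket is recreated with the new mode.
fpm_harden_listen_mode() {
    sed -i 's/^\([[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*\)0777/\10660/' "$1"
    grep -n 'listen\.mode' "$1"
}
```

Pass the pool file path as the argument, e.g. `fpm_socket_is_private /path/to/www.conf`; a non-zero exit means the socket is world-writable and `fpm_harden_listen_mode` can tighten it.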

Then, under "Disabled functions", remove shell_exec from the disabled list, and tune the performance settings to suit your situation.

Redis configuration

Set a password.

Configure PHP sessions.

Edit the Redis configuration file and uncomment the following two lines.
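As an added example, not from the original post: a shell audit of redis.conf against what the config.php later in this post expects, namely a Unix socket at /tmp/redis.sock and a password. The post does not show which two lines it uncomments; the script assumes they are `unixsocket` and `unixsocketperm`, and treats a requirepass left at the sample value `foobared` that ships commented out in redis.conf as no password at all. The file contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check a redis.conf for what
# Nextcloud's config.php relies on. Assumes the two uncommented lines are
# `unixsocket` and `unixsocketperm`, since config.php uses /tmp/redis.sock
# with port 0.

# Return 0 when requirepass is set to a non-empty value other than the
# well-known sample `foobared`.
redis_has_password() {
    pw=$(sed -n 's/^[[:space:]]*requirepass[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | tail -n 1)
    [ -n "$pw" ] && [ "$pw" != "foobared" ]
}

# Print the active (uncommented) unix socket path, or nothing if Redis is
# reachable over TCP only.
redis_socket_path() {
    sed -n 's/^[[:space:]]*unixsocket[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | tail -n 1
}

# Return 0 when unixsocketperm is set and grants nothing to "other".
# An unset value leaves the socket mode to the server's umask, so it is
# reported as not verified.
redis_socket_perm_ok() {
    perm=$(sed -n 's/^[[:space:]]*unixsocketperm[[:space:]]\{1,\}\([0-7]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$perm" ] || return 1
    other=$(printf '%s' "$perm" | tail -c 1)
    [ "$other" = "0" ]
}

# Run all three checks and print a one-line verdict per item.
redis_audit() {
    rc=0
    redis_has_password "$1" && echo "password: set" || { echo "password: MISSING"; rc=1; }
    sock=$(redis_socket_path "$1")
    [ -n "$sock" ] && echo "socket: $sock" || { echo "socket: not enabled"; rc=1; }
    redis_socket_perm_ok "$1" && echo "socket perm: ok" || { echo "socket perm: not restricted"; rc=1; }
    return $rc
}
```

Run `redis_audit /etc/redis/redis.conf` (or wherever BT Panel keeps the file) before pointing Nextcloud at the socket; the php user `www` must also be in the group that owns the socket for a 770 permission to work.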

Site configuration

Create a new site in BT Panel and add a new database.

URL rewrite (pseudo-static) rules

# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.

location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }

location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }

# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}

# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }


location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
add_header Strict-Transport-Security "max-age=15768000;includeSubDomains; preload;";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "none";
add_header X-Download-Options "noopen";
add_header X-Permitted-Cross-Domain-Policies "none";
access_log off;
}

location ~ \.(?:svg|gif|png|jpg|ico|wasm|tflite)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets

location ~ \.wasm$ {
default_type application/wasm;
}
}

location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}

# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}

location / {
try_files $uri $uri/ /index.php$request_uri;
}

Enabling SSL

The certificate built into BT Panel is sufficient; alternatively, request or buy one elsewhere and import it into BT Panel.

Editing the configuration file

Copy the SSL-related section out and save it separately, delete the contents of the configuration file, and then fill in the following:

server
{
listen 80;
listen 443 ssl http2;
server_name test.litcu.cn;
index index.php index.html /index.php$request_uri;
root /www/wwwroot/test.litcu.cn/;

#SSL-START SSL-related settings; do not delete or modify the commented 404 rule on the next line
#error_page 404/404.html;
#HTTP_TO_HTTPS_START

Paste the SSL section you copied earlier here

#SSL-END

#ERROR-PAGE-START error page settings; may be commented out, deleted or modified
#error_page 404 /404.html;
#error_page 502 /502.html;
#ERROR-PAGE-END

#PHP-INFO-START PHP include; may be commented out or modified
include enable-php-74.conf;
#PHP-INFO-END

#REWRITE-START URL rewrite rule include; modifying it disables the rewrite rules set in the panel
include /www/server/panel/vhost/rewrite/test.litcu.cn.conf;
#REWRITE-END

# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

# set max upload size and increase upload timeout:
client_max_body_size 5G;
client_body_timeout 300s;
fastcgi_buffers 64 4K;

gzip off;

# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

# Files and directories that must not be accessible
location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
{
return 404;
}

# Settings for the one-click SSL certificate validation directory
location ~ \.well-known{
allow all;
}

access_log /www/wwwlogs/test.litcu.cn.log;
error_log /www/wwwlogs/test.litcu.cn.error.log;
}

Editing the nginx template for the matching PHP version

Connect to the cloud server over SSH or another method and edit the file /www/server/nginx/conf/enable-php-74.conf. Adjust the file name to your PHP version.

# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;

try_files $fastcgi_script_name =404;

include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;

fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass unix:/tmp/php-cgi-74.sock;

fastcgi_intercept_errors on;
fastcgi_request_buffering off;

fastcgi_max_temp_file_size 0;
}

Edit the file /www/server/nginx/conf/enable-php.conf:

# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;

try_files $fastcgi_script_name =404;

include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;

fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass unix:/tmp/php-cgi-74.sock;

fastcgi_intercept_errors on;
fastcgi_request_buffering off;

fastcgi_max_temp_file_size 0;
}

Changing the proxy timeouts

The file is located at /www/server/nginx/conf/proxy.conf.

proxy_connect_timeout 600;
proxy_read_timeout 600;

Nextcloud configuration

Installing Nextcloud

After creating the site in BT Panel, copy the extracted Nextcloud files into the site root. Make sure the .htaccess and .user.ini files match the ones shipped in the Nextcloud archive: BT Panel creates both files automatically, and its versions differ from the originals.

Then open the domain in a browser; normally the Nextcloud logo appears. Follow the prompts to enter the username and password for the new admin user, switch the database type to MySQL/MariaDB, and fill in the details of the database created together with the site.

Configuring Redis and the time zone

Open config/config.php in the Nextcloud root directory and add the following:

'default_language' => 'zh_CN',
'default_locale' => 'zh',
'default_phone_region' => 'CN',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/tmp/redis.sock',
'port' => 0,
'dbindex' => 0,
'password' => 'redis密码',
'timeout' => 1.5,
),

Configuring background jobs

After logging in, click the avatar to open Settings, fill in your e-mail address and other personal details, then under "Administration" -> "Basic settings" configure the mail server and switch background jobs to "Cron" mode.

Then create the file /etc/systemd/system/nextcloudcron.service with the following content:

[Unit]
Description=Nextcloud cron.php job

[Service]
User=www
ExecStart=/usr/bin/php -f /www/wwwroot/test.litcu.cn/cron.php
KillMode=process

Create the file /etc/systemd/system/nextcloudcron.timer with the following content:

[Unit]
Description=Run Nextcloud cron.php every 5 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=5min
Unit=nextcloudcron.service

[Install]
WantedBy=timers.target

This system service runs Nextcloud's background jobs every 5 minutes, which keeps Nextcloud responsive and performing well. The timer needs to be enabled at boot and started immediately: systemctl enable --now nextcloudcron.timer

At this point, however, the background jobs page shows an error: OCP\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?). I searched Nextcloud's GitHub issues for a long time; they all say to add apc.enable_cli=1 to the configuration file, but that was already done above and had no effect. I eventually found a working fix:

  1. Run php --ini in a terminal and find the Loaded Configuration File in the output; with BT Panel it is usually /www/server/php/74/etc/php-cli.ini
  2. Delete the php-cli.ini file mentioned above
  3. Restart PHP
  4. Run /usr/bin/php -f /www/wwwroot/test.litcu.cn/cron.php manually to verify that the background job executes correctly
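As an added example, not from the original post: a shell script that mechanises steps 1 and 4. It takes the Loaded Configuration File path from `php --ini` output and checks whether that file actually sets apc.enable_cli = 1, which is what cron.php needs for the APCu local cache; the `check_cli_apcu` wrapper runs the same check against a live installation. The `php --ini` output used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): confirm which ini file the PHP
# CLI loads and whether it enables APCu for CLI scripts. The post's fix works
# because deleting php-cli.ini makes the CLI fall back to the php.ini that
# already carries apc.enable_cli = 1; this script verifies that outcome instead
# of assuming it.

# Extract the "Loaded Configuration File" path from `php --ini` output passed
# as a single string.
php_loaded_ini() {
    printf '%s\n' "$1" | sed -n 's/^Loaded Configuration File:[[:space:]]*//p'
}

# Return 0 when the given ini file sets apc.enable_cli to 1 or On.
ini_apcu_cli_enabled() {
    val=$(sed -n 's/^[[:space:]]*apc\.enable_cli[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "1" ] || [ "$val" = "On" ] || [ "$val" = "on" ]
}

# Live check: which ini does the CLI load, and is APCu enabled there?
# Only this wrapper invokes php; the two functions above are pure.
check_cli_apcu() {
    ini=$(php_loaded_ini "$(php --ini 2>/dev/null)")
    if [ -z "$ini" ] || [ "$ini" = "(none)" ]; then
        echo "php CLI loads no ini file"
        return 1
    fi
    if ini_apcu_cli_enabled "$ini"; then
        echo "APCu enabled for CLI via $ini"
    else
        echo "apc.enable_cli not set in $ini: cron.php will report Memcache APCu not available"
        return 1
    fi
}
```

Run `check_cli_apcu` as the `www` user before and after deleting php-cli.ini; the path it prints should change to the php.ini edited earlier, and the verdict should flip to enabled.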

Automated checks

Go to Settings -> "Administration" -> "Overview"; the system and security checks run automatically. If you followed the steps above exactly in the same environment, there should in theory be no warnings. If there are, a web search will usually solve them; there is plenty of material on Nextcloud online.

Other personal settings

Enabling server-side encryption

Click the avatar in the top left, go to Apps, find Default encryption module under "Disabled apps" and enable it. Then go to Settings -> "Administration" -> "Security" and enable server-side encryption.

Replacing OneDrive as a personal sync drive

There are apps for both mobile and PC; after installing one, follow the prompts to connect to the server, and you can back up phone photos and sync documents from your computer, much like OneDrive.

References