Hello everyone,
To install the Nextcloud server, a few preparations are needed.
In this example we use an Ubuntu 16.04 LTS server in a virtual environment.
After the base installation of the Ubuntu server, it has to be brought up to date.
After logging in, switch to the root user with:
```
sudo -i          # or: sudo su -
apt install ssh vim
apt update && apt upgrade -y
```
Install and check the nginx web server
```
apt install nginx nginx-extras apache2-utils ssh
dpkg -l | grep nginx
```
Install and configure the MariaDB server
```
apt install mariadb-server
dpkg -l | grep mariadb
mysql_secure_installation
cp /etc/mysql/my.cnf /etc/mysql/my.cnf.bak
vim /etc/mysql/my.cnf

[server]
skip-name-resolve
innodb_buffer_pool_size = 128M
innodb_buffer_pool_instances = 1
innodb_flush_log_at_trx_commit = 2
innodb_log_buffer_size = 32M
innodb_max_dirty_pages_pct = 90
query_cache_type = 1
query_cache_limit = 2M
query_cache_min_res_unit = 2k
query_cache_size = 64M
tmp_table_size = 64M
max_heap_table_size = 64M
slow-query-log = 1
slow-query-log-file = /var/log/mysql/slow.log
long_query_time = 1

# [client-server]

# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

[client]
default-character-set = utf8mb4

[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
binlog_format = MIXED

systemctl start mysql.service
systemctl status mysql.service
```
Create the Nextcloud database
```
mysql -u root -p

CREATE DATABASE nextcloudDB;
USE nextcloudDB;
-- 'DeinPassword' is the placeholder password used throughout this post; replace it with your own.
-- (The original set one password in CREATE USER and a different one in GRANT; use the same one in both.)
CREATE USER 'nextcloudDB'@'localhost' IDENTIFIED BY 'DeinPassword';
GRANT ALL PRIVILEGES ON nextcloudDB.* TO 'nextcloudDB'@'localhost';
FLUSH PRIVILEGES;
quit

# check that the new account can log in (enter DeinPassword at the prompt)
mysql -u nextcloudDB -p nextcloudDB
quit
```
Install PHP 7
```
apt install libxml2-dev php php-gettext php-pear php-dompdf php-sabre-xml php-apcu php-imagick \
    php7.0-fpm php7.0-gd php7.0-mysql php7.0-curl php7.0-xml php7.0-zip php7.0-bz2 php7.0-intl \
    php7.0-mcrypt php7.0-mbstring php7.0-json php7.0-xsl php7.0-bcmath php7.0-cgi php7.0-cli \
    php7.0-common php7.0-imap
```
Adjust the php.ini file
```
cp /etc/php/7.0/fpm/php.ini /etc/php/7.0/fpm/php.old
vim /etc/php/7.0/fpm/php.ini

memory_limit = 512M
post_max_size = 200M
cgi.fix_pathinfo=1
upload_max_filesize = 200M
date.timezone = Europe/Berlin

# or, non-interactively: first show the current values, then rewrite them with sed
egrep "memory_limit|date.timezone|cgi.fix_pathinfo|upload_max_filesize|post_max_size" /etc/php/7.0/fpm/php.ini
sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/7.0/fpm/php.ini
# the original had "Europe\/\Berlin" here; the stray backslash before "Berlin" is not a valid sed escape
sed -i "s/;date.timezone.*/date.timezone = Europe\/Berlin/" /etc/php/7.0/fpm/php.ini
# cgi.fix_pathinfo=1 is only safe because the nginx config later in this post
# whitelists which .php files may be passed to PHP-FPM
sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=1/" /etc/php/7.0/fpm/php.ini
sed -i "s/upload_max_filesize = .*/upload_max_filesize = 200M/" /etc/php/7.0/fpm/php.ini
sed -i "s/post_max_size = .*/post_max_size = 200M/" /etc/php/7.0/fpm/php.ini
```
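As an added example (not from the original post), the five sed calls above generalised into one idempotent setter: it handles a key that is already active, a key that is commented out (like `;date.timezone =` or `;cgi.fix_pathinfo=1` in the stock php.ini) and a key that is absent, so it can be re-run without creating duplicate entries. The file path and the key/value pairs are parameters; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent php.ini editing.
set -eu

# set_php_ini FILE KEY VALUE
# Rewrites an active or commented-out "KEY = ..." line in place, or appends
# "KEY = VALUE" when the key does not occur at all.
set_php_ini() {
    file=$1; key=$2; value=$3
    # "." is the only regex metacharacter that occurs in php.ini keys
    esc_key=$(printf '%s' "$key" | sed 's/\./\\./g')
    # "/" (as in Europe/Berlin), "&" and "\" are special in a sed replacement
    esc_val=$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')
    if grep -Eq "^[[:space:]]*;?[[:space:]]*${esc_key}[[:space:]]*=" "$file"; then
        sed -i -E "s/^[[:space:]]*;?[[:space:]]*${esc_key}[[:space:]]*=.*/${key} = ${esc_val}/" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_php_ini FILE KEY
# Prints the active (uncommented) value of KEY, last occurrence wins as in PHP.
get_php_ini() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# usage on the real file (same values as in the post):
#   set_php_ini /etc/php/7.0/fpm/php.ini memory_limit 512M
#   set_php_ini /etc/php/7.0/fpm/php.ini date.timezone Europe/Berlin
```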
Adjust the FPM www.conf file
```
nano /etc/php/7.0/fpm/pool.d/www.conf
...
;listen = /run/php/php7.0-fpm.sock
listen = 127.0.0.1:9000

env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

service php7.0-fpm restart
service php7.0-fpm status
```
Install Nextcloud 11
```
cd /tmp
wget https://download.nextcloud.com/server/releases/nextcloud-11.0.1.zip
unzip nextcloud-11.0.1.zip
mv nextcloud /var/www/
chown -R www-data: /var/www/nextcloud
```
Create an SSL certificate with your own CA
```
cd /opt/ca/IssuingCA
openssl genrsa -aes256 -rand private/.randIssuingCA -out private/nextcloud_htdom_local_without_pwd.key 2048
chmod 0400 private/nextcloud_htdom_local_without_pwd.key
openssl req -new -key private/nextcloud_htdom_local_without_pwd.key -out newcerts/nextcloud.htdom.local.csr -config ca-config.cnf
Enter pass phrase for private/nextcloud_htdom_local_without_pwd.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (Bayern) [Bayern]:
Locality Name (Muenchen) [Muenchen]:
Organization Name (Company name or your Name) [Helmut Thurnhofer]:
Organizational Unit Name (Department) [IT]:
Common Name (Server FQDN or your Name) []:nextcloud.htdom.local
...

openssl ca -name IssuingCA -in newcerts/nextcloud.htdom.local.csr -out certs/nextcloud.htdom.local.crt -extensions server_cert -config ca-config.cnf
Using configuration from ca-config.cnf
Enter pass phrase for /opt/ca/IssuingCA/private/IssuingCA.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  7 20:10:54 2017 GMT
            Not After : Feb  5 20:10:54 2027 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Bayern
            organizationName          = Helmut Thurnhofer
            organizationalUnitName    = IT
            commonName                = nextcloud.htdom.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            Authority Information Access:
                CA Issuers - URI:http://nextcloud.htdom.local/cert/IssuingCA.html
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://nextcloud.htdom.local/cert/IssuingCA.crl
Certificate is to be certified until Feb  5 20:10:54 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

## Write the key out without its passphrase (otherwise the passphrase has to be entered at every restart of the server) ##
openssl rsa -in private/nextcloud_htdom_local_without_pwd.key | cat
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEArbdXG8+BUxm0NvO2pWXdx/0L3z/Nb+enAWqL59PzOuL63vXv
...
WyYHO6o4iUROOuJ9I0t0KsEDqkgh+VEOtcVfh8/gZ9IXyfXFyRhu09Q=
-----END RSA PRIVATE KEY-----
vim private/nextcloud.htdom.local.key      # paste the unencrypted key printed above
chmod 0400 private/nextcloud.htdom.local.key
```
Or you can create one yourself:
Self-signed SSL certificate
```
openssl rand -out /etc/ssl/private/.randServer 8192
chmod 0400 /etc/ssl/private/.randServer
openssl genrsa -aes256 -rand /etc/ssl/private/.randServer -out /etc/ssl/private/nextcloud_htdom_local_without_pwd.key 4096
chmod 0400 /etc/ssl/private/nextcloud_htdom_local_without_pwd.key

# write the key out without its passphrase so nginx can start unattended
openssl rsa -in /etc/ssl/private/nextcloud_htdom_local_without_pwd.key | cat
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEArbdXG8+BUxm0NvO2pWXdx/0L3z/Nb+enAWqL59PzOuL63vXv
...
WyYHO6o4iUROOuJ9I0t0KsEDqkgh+VEOtcVfh8/gZ9IXyfXFyRhu09Q=
-----END RSA PRIVATE KEY-----
vim /etc/ssl/private/nextcloud.htdom.local.key      # paste the unencrypted key printed above
chmod 0400 /etc/ssl/private/nextcloud.htdom.local.key

openssl req -new -key /etc/ssl/private/nextcloud.htdom.local.key -sha256 -out /etc/ssl/certs/nextcloud.htdom.local.csr
openssl x509 -req -days 365 -in /etc/ssl/certs/nextcloud.htdom.local.csr -signkey /etc/ssl/private/nextcloud.htdom.local.key -out /etc/ssl/certs/nextcloud.htdom.local.crt
```
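As an added example that is not part of the original post, a few checks to run on the key and certificate produced by either recipe above (the CA-signed one and the self-signed one) before nginx is pointed at them: does the key belong to the certificate, does it load without a passphrase, is the hostname present as a DNS subjectAltName, and is the certificate still valid for a while. It goes one step beyond the post in that it looks for a SAN, which neither recipe sets and which browsers since 2017 (Chrome 58 and later) require instead of the CN. Only openssl is needed; paths and the hostname are parameters.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-deployment checks for the
# nginx key/certificate pair. File paths and hostname are passed as arguments.
set -eu

# key_matches_cert KEY CRT -> 0 when the RSA key's modulus equals the cert's
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null || true)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_loads_without_passphrase KEY -> 0 when nginx could load the key unattended,
# i.e. the "openssl rsa -in ... | cat" plus vim step really produced a plain key
key_loads_without_passphrase() {
    openssl rsa -noout -in "$1" -passin pass: >/dev/null 2>&1
}

# cert_san_covers CRT HOST -> 0 when HOST is listed as a DNS subjectAltName
# (both recipes above set only the CN, which modern browsers ignore)
cert_san_covers() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "(^|[[:space:],])DNS:$2([[:space:],]|\$)"
}

# cert_valid_for_days CRT DAYS -> 0 when the cert does not expire within DAYS
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# check_pair KEY CRT HOST -> one line per check, returns 0 only if all pass
check_pair() {
    rc=0
    key_matches_cert "$1" "$2"        && echo "key/cert match: ok"   || { echo "key/cert match: FAIL"; rc=1; }
    key_loads_without_passphrase "$1" && echo "unencrypted key: ok"  || { echo "unencrypted key: FAIL"; rc=1; }
    cert_san_covers "$2" "$3"         && echo "SAN covers $3: ok"    || { echo "SAN covers $3: FAIL"; rc=1; }
    cert_valid_for_days "$2" 30       && echo "valid > 30 days: ok"  || { echo "valid > 30 days: FAIL"; rc=1; }
    return $rc
}

# usage with the paths from the self-signed recipe above:
#   check_pair /etc/ssl/private/nextcloud.htdom.local.key /etc/ssl/certs/nextcloud.htdom.local.crt nextcloud.htdom.local
```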
nginx web server configuration
```
vim /etc/nginx/sites-available/nextcloud.conf

upstream php-handler {
    server 127.0.0.1:9000;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # enforce https
    return 301 https://$host$request_uri;
    access_log /var/log/nginx/access_nextcloud_htdom_local.log;
    error_log  /var/log/nginx/error_nextcloud_htdom_local.log;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate     /etc/ssl/certs/nextcloud.htdom.local.crt;
    # this must be the unencrypted key written above (the post had
    # nextcloud_htdom_local.key here, a file that is never created)
    ssl_certificate_key /etc/ssl/private/nextcloud.htdom.local.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ## modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    ## HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    # never serve application internals or user data directly
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # only these PHP entry points are ever passed to PHP-FPM
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
```
Check nginx and finish the remaining configuration
```
unlink /etc/nginx/sites-enabled/default
mv /etc/nginx/sites-available/default{,.old}
ln -s /etc/nginx/sites-available/nextcloud.conf /etc/nginx/sites-enabled/
nginx -t          # test the configuration after the new site is enabled and before restarting
systemctl restart nginx.service
systemctl status nginx.service
```
Configure the memory cache
```
apt-cache policy php-apcu
apt install php-apcu
# APCu is a PHP extension, so it is PHP-FPM that has to be restarted to load it
# (the original restarted nginx here, which does not reload PHP)
systemctl restart php7.0-fpm.service
nano /var/www/nextcloud/config/config.php

<?php
$CONFIG = array (
  'memcache.local' => '\OC\Memcache\APCu',
  ...
  'trusted_domains' =>
  array (
    0 => '192.168.178.2',
    1 => 'nextcloud.htdom.local',
  ),

systemctl restart nginx.service
systemctl status nginx.service
```
Have fun configuring!
Regards, Helmut