基于centos8部署nextcloud+onlyoffice----2021-07-16_centos8部署nextcloud+onlyoffice笔记

建议使用centos8部署(因为centos7的php7.4有问题)如果担心centos后期问题
可以使用rocky os 8.4

#修改镜像源（仓库—中科大的）
#centos8+ 源
sed -e 's|^mirrorlist=|#mirrorlist=|g' \
         -e 's|^#baseurl=http://mirror.centos.org/$contentdir|baseurl=https://mirrors.ustc.edu.cn/centos|g' \
         -i.bak \
         /etc/yum.repos.d/CentOS-Linux-AppStream.repo \
         /etc/yum.repos.d/CentOS-Linux-BaseOS.repo \
         /etc/yum.repos.d/CentOS-Linux-Extras.repo \
         /etc/yum.repos.d/CentOS-Linux-PowerTools.repo \
         /etc/yum.repos.d/CentOS-Linux-Plus.repo
		 
#rocky os8.3+源 (交通大学源不要搞错咯,当前国内rocky的源比较少)
sed -e 's|^mirrorlist=|#mirrorlist=|g' \
    -e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.sjtug.sjtu.edu.cn/rocky|g' \
    -i.bak \
    /etc/yum.repos.d/Rocky-*.repo

dnf makecache

#更新当前已有的组件（不要使用update会导致系统更新到最新版本，造成软件不兼容）
dnf upgrade -y

#安装必要组件
dnf install -y epel-release yum-utils unzip curl wget \
bash-completion policycoreutils-python-utils mlocate bzip2

#安装php源 重置php 指定安装7.4版本
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf install -y yum-utils
dnf module reset php
dnf module install php:remi-7.4 -y

#安装数据库/php/nginx并启动
dnf install -y php php-gd php-mbstring php-intl php-pecl-apcu\
     php-mysqlnd php-opcache php-json php-zip nginx mariadb mariadb-server
	 
#设置开机启动，并启动
systemctl enable mariadb nginx php-fpm
systemctl start mariadb nginx php-fpm

#配置php-fpm
vi /etc/php-fpm.d/www.conf
.....
user = nginx                                   //将用户和组都改为nginx
group = nginx
.....
#listen = 127.0.0.1:9000                       //php-fpm所监听的端口为9000 (centos8.0以上不需要配置默认80直接代理出去)
......
env[HOSTNAME] = $HOSTNAME                     //去掉下面几行注释
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

systemctl restart php-fpm

#在/var/lib目录下为session路径创建一个新的文件夹，并将用户名和组设为nginx
mkdir -p /var/lib/php/session
chown nginx:nginx -R /var/lib/php/session/

#数据库定义设置root密码ldkj@123  创建数据库名称  ，新建并授权新用户到新数据库
mysql -uroot -p

set password =password('nextcloud');

create database nextcloud_db;          
create user nextcloud@localhost identified by 'nextcloud';
grant all privileges on nextcloud_db.* to nextcloud@localhost identified by 'nextcloud';
flush privileges;

#下载nas安装包（官方一般就是直接最新版本的包，如果你的系统不支持，建议使用老的安装包）下载好了就解压
https://nextcloud.com/install/
wget https://download.nextcloud.com/server/releases/nextcloud-21.0.3.zip && unzip nextcloud-*.zip

#由于我使用的不是apache而是nginx，所以权限设置上有点不一样
cp -a ~/nextcloud /usr/share/nginx/html/
cd /usr/share/nginx/html/
mkdir -p nextcloud/data/
chown -R nginx:nginx nextcloud/

#分两种（一种是简单代理，没有安全性，另一种是有证书）
1.
vi /etc/nginx/nging.conf
#将/usr/share/nginx/html/改成
/usr/share/nginx/html/nextcloud/

nginx -t
systemctl restart nginx

2.
mkdir -p /etc/nginx/cert/
cd /etc/nginx/cert/
openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
#.....
#Country Name (2 letter code) [XX]:cn                                           //国家
#State or Province Name (full name) []:zhejiang                                 //省份
#Locality Name (eg, city) [Default City]:wenzhou                                //地区名字
#Organization Name (eg, company) [Default Company Ltd]:lidig                    //公司名
#Organizational Unit Name (eg, section) []:Technology                           //部门
#Common Name (eg, your name or your server's hostname) []:nas                   //CA主机名
#Email Address []:panyifang@lidig.com                                           //邮箱

#将证书的权限设置成系统权限可读写
chmod 700 /etc/nginx/cert
chmod 600 /etc/nginx/cert/*
#记录以下这两个证书的内容,等下后面要建立onlyoffice的证书时需要使用(如果不需要在线编辑功能则不需要)
cat /etc/nginx/cert/nextcloud.key
cat /etc/nginx/cert/nextcloud.crt

vi /etc/nginx/conf.d/nextcloud.conf
#.........(其中server_name可以改成你现在有的域名,如果没有,那么将直改成本地IP地址)

upstream php-handler {
    server unix:/run/php-fpm/www.sock;
	#server 127.0.0.1:9000;
    #server unix:/var/run/php-fpm.sock;
}
     
server {
    listen 80;
    server_name 192.168.254.51;
    # enforce https
    return 301 https://$server_name$request_uri;
}
     
server {
    listen 443 ssl;
    server_name 192.168.254.51;	  	#域名等于防盗链,所以这里务必写好,避免无法打开
     
    ssl_certificate /etc/nginx/cert/nextcloud.crt;
    ssl_certificate_key /etc/nginx/cert/nextcloud.key;
     
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000;
    includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
     
    # Path to the root of your installation
    root /usr/share/nginx/html/nextcloud/;
     
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
     
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;
     
    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }
     
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
     
    # Disable gzip to avoid the removal of the ETag header
    gzip off;
     
    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
     
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
     
    location / {
        rewrite ^ /index.php$uri;
    }
     
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
     
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
     
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
     
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000;includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
     
    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

#(防盗链)由于跳转地址,需要修改默认配置 trusted_domains 允许访问的本地地址
vi /usr/share/nginx/html/nextcloud/config/config.php
#...............
  array (
    0 => '192.168.254.51',
    1 => '127.0.0.1',		#根据你自己的实际情况增加地址,包含外网映射地址. 
    2 => 'xxx.xxx.com',

#overwrite.cli.url  表示你现在使用的域名,视情况修改
#修改完成后重启nginx\php  即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248

#在线文档编辑ONLYOFFICE安装

第一件事情肯定是安装docker拉,这个在centos8上有点不一样,好在执行代码都一毛一样
dnf install -y podman    //你也可以执行dnf install -y docker  其实下载下来都是一样的

//登录nextcloud后右上角点击头像-左边精品应用下面office&text找到ONLYOFFICE点击下载启用
//由于docker默认使用的是国外源,我们将其改成中科大的万兆源(以前都是用阿里的.但是自从它维护已经接近一年了)
vi /etc/containers/registries.conf
---------------------------------------------------------------------------------
[registries.search]
registries = ['docker.mirrors.ustc.edu.cn', 'registry.redhat.io', 'docker.io']
---------------------------------------------------------------------------------
#官方给的下载容器并运行命令(由于系统本身没有容器则从服务器端主动下载)
#docker run -i -t -d -p 8080:80  --restart=always onlyoffice/documentserver

#下载镜像(提前下载好,避免多次下载镜像)
docker pull onlyoffice/documentserver

#由于我们需要https所以使用(如果不需要http下面可以直接去掉-p 8080:80)
docker run --name -i -t -d -p 8080:80 -p 8443:443 onlyoffice/documentserver

#登录docker内进行设置
docker exec -it onlyoffice /bin/bash
root@8c28f537acec:/#		//你会发现你的root右边多了一串dockerID说明你进入docker了

#下面这一步可以略过,因为上面我们已经创建过证书,直接复制上面的证书赋予权限即可(这样打开office文件时不需要重复验证,也可以避免打开失败)
-----------------------------------------------------------------------------------------------
#创建本机证书
#openssl genrsa -out onlyoffice.key 2048
#创建CSR
#openssl req -new -key onlyoffice.key -out onlyoffice.csr
#用私枂和CSR签发证书
#openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt
#用dhparam加密服务器密钥
#openssl dhparam -out dhparam.pem 2048
-----------------------------------------------------------------------------------------------

//由于docker内没有vi命令,所以我们使用nano编辑(不会的同学自己百度下教程)最后按ctrl+x退出选y回车保存
//将之前保存的key值复制到以下两个文件中,别搞错了名称是不一样的
nano /etc/nginx/cert/onlyoffice.key
nano /etc/nginx/cert/onlyoffice.crt
#降权
chmod 400 /etc/nginx/cert/onlyoffice.key

#修改https
cd /etc/onlyoffice/documentserver/nginx/
cp -a ds-ssl.conf.tmpl ds-ssl.conf.tmpl.bak
nano ds-ssl.conf.tmpl   #将ssl on;注释并补充证书路径(这里说明下,由于这个docker不支持ssl on;)
.................................................
  ssl on;
  ssl_certificate {{SSL_CERTIFICATE_PATH}};
  ssl_certificate_key {{SSL_KEY_PATH}};
.................................................
  #ssl on;
  ssl_certificate /etc/nginx/cert/onlyoffice.crt;
  ssl_certificate_key /etc/nginx/cert/onlyoffice.key;
.................................................
cd /etc/nginx/conf.d/
#删除旧的配置软连接
rm -rf ds.conf
#创建新的软连接
ln -s /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl ./ds.conf
#由于默认需要验证,会导致nextcloud无法加载
nano /etc/onlyoffice/documentserver/default.json
#找到rejectUnauthorized将后面的true改成false
............................................
"requestDefaults": {
        "headers": {
            "User-Agent": "Node.js/6.13",
            "Connection": "Keep-Alive"
        },
        "gzip": true,
        "rejectUnauthorized": false
............................................
#以上是docker要操作的内容.


#完成配置后退出docker并重启docker(不要问为什么这样操作,因为实测restart会导致nginx起不来,不知道为啥)
docker stop onlyoffice &&docker start onlyoffice

#设置防火墙,并关闭selinux
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-port=8443/tcp
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --rel
vi /etc/selinux/config
#将 SELINUX=enforcing  改成SELINUX=disabled  
setenforce 0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

以上是我根据各种官方文档实验整合出来的,系统基于centos8.3 本来是在博客园发布的,但是那个页面输入代码时直接操作懵逼,故来此发布,转载请注明出处,谢谢.