centos 安装 owncloud+nginx+ssl 私有云

发表于 2019-05-19 11:05:36 by 月小升

原因：

近来笔记本进水了，我老担心这笔记本会挂，然后把图片和以前暂时不用的资料都传到百度云了，可是工作上的文件天天在变，代码在svn倒是不担心，不过日常的word，ppt，这些文档，不方便在svn，百度和qq的云调查了一番如果交费用了，也不支持mac电脑自动同步，于是想到自己弄个云好了。

优势：

owncloud 免费，开源，自带windows,mac,uninx，android,iphone,各种平台自动同步软件，适合自己服务器搭建。自己的云，听起来就牛。其实限制于流量，企业拿来做个私有云还是不错的。个人嘛，我家里有个破笔记本500G，安装了linux，可以架设一个，弄个花生壳，然后我在全世界就可以访问这台笔记本的电影了。

我的需求其实是平时工作的文件，需要自动同步，里面含有一部分密码文件，交给百度云，QQ云心里不踏实，于是自己搭建一个云

看成果

登录以后界面

配合同步软件可以自动同步文件夹

我的服务器是CentOS

划重点：owncloud搭建的过程如同安装一个wordpress那么简单，其实就是一个网站，不过多了一些奇怪的小配置

https://owncloud.org/download/#owncloud-server-tar-ball
玩这个吧，下载zip包，tar包没玩明白，总之选择熟悉的就好，我就玩zip玩的熟悉。
unzip

我的错误操作：
我按我以前的服务器配置出来的php结构经常出现。

Can't write into config directory!
This can usually be fixed by giving the webserver write access to the config directory.

config目录没有权限

chmod -R 777 config
mkdir data
chmod -R 777 data

各种无效，如果遇到这个问题，质疑一下nginx 下配置，可能不支持ssl是错误的。于是我转向SSL，最终成功了。

NGINX下官方文档用的SSL

最终我成功的nginx配置文件

配置要点1 .玩SSL，如果没有到我之前申请的Freessl博客里看一下，免费的ssl
配置要点2. 官方的文件用到了http2 我的服务器似乎不支持，删除掉。
配置要点3. ssl_dhparam /backup/www/cloudssl/dh4096.pem;

我去freessl搞得时候，只有一个full_chain_pem,和 private.key

搜索了一会才知道这个东西又是个新的玩意

服务器命令就可以创建这个文件了。

openssl dhparam -out dh4096.pem 4096

我的配置文件cloud.java-er.com.conf

  upstream php-handler {
      server 127.0.0.1:9000;
      # Depending on your used PHP version
      #server unix:/var/run/php5-fpm.sock;
      #server unix:/var/run/php7-fpm.sock;
  }

  server {
      listen 80;
      server_name cloud.java-er.com;

      # For SSL certificate verifications, this needs to be served via HTTP
      location /.well-known/(acme-challenge|pki-validation)/ {
          root /backup/www/owncloud; # Specify here where the challenge file is placed
      }

      # enforce https
      location / {
          return 301 https://$server_name$request_uri;
      }
  }

  server {
      listen 443 ssl;
      server_name cloud.java-er.com;

        ssl_certificate      /backup/www/cloudssl/full_chain.pem;
        ssl_certificate_key   /backup/www/cloudssl/private.key;

      # Example SSL/TLS configuration. Please read into the manual of NGINX before applying these.
      ssl_session_timeout 5m;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
      ssl_dhparam  /backup/www/cloudssl/dh4096.pem;
      ssl_prefer_server_ciphers on;
      keepalive_timeout    70;
      ssl_stapling on;
      ssl_stapling_verify on;

      # Add headers to serve security related headers
      # The always parameter ensures that the header is set for all responses, including internally generated error responses.
      # Before enabling Strict-Transport-Security headers please read into this topic first.
      # https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

      #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Robots-Tag none always;
      add_header X-Download-Options noopen always;
      add_header X-Permitted-Cross-Domain-Policies none always;

      # Path to the root of your installation
      root /backup/www/owncloud/;

      location = /robots.txt {
          allow all;
          log_not_found off;
          access_log off;
      }

      # The following 2 rules are only needed for the user_webfinger app.
      # Uncomment it if you're planning to use this app.

      #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
      #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

      location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
      }
      location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
      }

      # set max upload size
      client_max_body_size 512M;
      fastcgi_buffers 8 4K;                     # Please see note 1
      fastcgi_ignore_headers X-Accel-Buffering; # Please see note 2

      # Disable gzip to avoid the removal of the ETag header
      # Enabling gzip would also make your server vulnerable to BREACH
      # if no additional measures are done. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
      gzip off;

      # Uncomment if your server is build with the ngx_pagespeed module
      # This module is currently not supported.
      #pagespeed off;

      error_page 403 /core/templates/403.php;
      error_page 404 /core/templates/404.php;

      location / {
          rewrite ^ /index.php$uri;
      }

      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
          return 404;
      }
      location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
          return 404;
      }

      location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|ocm-provider/.+|core/templates/40[34])\.php(?:$|/) {
          fastcgi_split_path_info ^(.+\.php)(/.*)$;
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot https://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
          fastcgi_param PATH_INFO $fastcgi_path_info;
          fastcgi_param HTTPS on;
          fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
          fastcgi_param front_controller_active true;
          fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
          fastcgi_pass php-handler;
          fastcgi_intercept_errors on;
          fastcgi_request_buffering off; #Available since NGINX 1.7.11
      }

      location ~ ^/(?:updater|ocs-provider|ocm-provider)(?:$|/) {
          try_files $uri $uri/ =404;
          index index.php;
      }

      # Adding the cache control header for js and css files
      # Make sure it is BELOW the PHP block
      location ~ \.(?:css|js)$ {
          try_files $uri /index.php$uri$is_args$args;
          add_header Cache-Control "max-age=15778463" always;

          # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
          # The always parameter ensures that the header is set for all responses, including internally generated error responses.
          # Before enabling Strict-Transport-Security headers please read into this topic first.
          # https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

          #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
          add_header X-Content-Type-Options nosniff always;
          add_header X-Frame-Options "SAMEORIGIN" always;
          add_header X-XSS-Protection "1; mode=block" always;
          add_header X-Robots-Tag none always;
          add_header X-Download-Options noopen always;
          add_header X-Permitted-Cross-Domain-Policies none always;
          # Optional: Don't log access to assets
          access_log off;
      }

      location ~ \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map|json)$ {
          add_header Cache-Control "public, max-age=7200" always;
          try_files $uri /index.php$uri$is_args$args;
          # Optional: Don't log access to other assets
          access_log off;
      }
  }

参考文档
https://doc.owncloud.com/server/admin_manual/installation/nginx_configuration.html

---

首发地址：月小升博客 – https://java-er.com/blog/centos-install-owncloud-nginx-ssl/
无特殊说明，文章均为月小升原创，欢迎转载，转载请注明本文地址，谢谢