Skip to content

Instantly share code, notes, and snippets.

@Ardakilic
Created April 29, 2017 10:03
Show Gist options
  • Save Ardakilic/d9ec2c70b95d72083442687cdb348533 to your computer and use it in GitHub Desktop.
Save Ardakilic/d9ec2c70b95d72083442687cdb348533 to your computer and use it in GitHub Desktop.
nextcloud manuel kurulum.md

Paketler (debian)

Paketler (Ubuntu)

APT

apt-get install nginx mariadb-server mariadb-client
apt-get install php7.1-fpm php7.1-cli php7.1-mysql php7.1-gd php7.1-json php7.1-iconv php7.1-xml php7.1-simplexml php7.1-zip php7.1-xmlwriter php7.1-mbstring php7.1-pdo php7.1-curl php7.1-fileinfo php7.1-bz2 php7.1-intl php7.1-mcrypt php7.1-exif php7.1-imagick
apt-get install redis-server
apt-get install php7.1-redis

MariaDB kurulunca

/etc/mysql/my.cnf dosyasına

[mysqld]

İçine

binlog_format = MIXED

eklenecek

PHP kurulunca

FPM pool'larda oynama var, bu link takip edilecek:

https://docs.nextcloud.com/server/11/admin_manual/installation/source_installation.html#php-fpm-tips-label

Redis socket sorun yaşarsa

Redis::connect(): connect() failed: Permission denied

https://central.owncloud.org/t/problems-using-redis-with-socket-for-filelocking/967

owncloud/core#16216 (comment)

Yani redisi gruba ekliyoruz:

usermod -a -G redis www-data

Sonra daemonlara restart (komple reboot gerekebilir)?

Güncelleme

böyle

cd /home/web/nextcloud
sudo -u www-data php occ maintenance:mode --on
cd ..
service nginx stop
/etc/init.d/nginx stop
mv nextcloud nextcloud-old
wget https://download.nextcloud.com/server/releases/nextcloud-11.0.3.zip
unzip nextcloud-11.0.3.zip
cp nextcloud-old/config/config.php nextcloud/config/config.php
mv nextcloud-old/data nextcloud/
chown -R www-data:www-data nextcloud
find nextcloud/ -type d -exec chmod 750 {} \;
find nextcloud/ -type f -exec chmod 640 {} \;
cd nextcloud
sudo -u www-data php occ upgrade
sudo -u www-data php occ maintenance:mode --off
cd ..
service nginx start
/etc/init.d/nginx start
rm -rf nextcloud-old nextcloud-11.0.3.zip

https://docs.nextcloud.com/server/11/admin_manual/maintenance/manual_upgrade.html

Nginx

upstream php-handler {
  #server 127.0.0.1:9000;
  server unix:/var/run/php/php7.1-fpm.sock;
}

server {
  listen 80;
  server_name nexcloud.domain.ssl.com;

  access_log off;
  error_log off;

  # enforce https
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  ssl_certificate /etc/letsencrypt/live/nexcloud.domain.ssl.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/nexcloud.domain.ssl.com/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # openssl dhparam -out dhparam.pem 2048
  ssl_dhparam /etc/nginx/dhparam.pem;

  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
  ssl_prefer_server_ciphers on;

  #add_header Strict-Transport-Security max-age=15768000;

  ##Added once to prevent multiple additions
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

  ssl_stapling on;
  ssl_stapling_verify on;

  ## verify chain of trust of OCSP response using Root CA and Intermediate certs
  #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
  ssl_trusted_certificate /etc/letsencrypt/live/nexcloud.domain.ssl.com/chain.pem;
  resolver 8.8.8.8 8.8.4.4 valid=86400;
  resolver_timeout 10;


  server_name nexcloud.domain.ssl.com;

  # Here we define the web-root for our SSL proof
  location /.well-known {
    root /home/web/certbot/nexcloud/;
  }

  access_log off;
  #access_log /var/log/nginx/ncd.access_log;
  error_log /var/log/nginx/ncd.error.log;

  # Add headers to serve security related headers
  #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  # Path to the root of your installation
  root /home/web/nextcloud/;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }


  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
  #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

  location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }
  location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; }

  location /.well-known/acme-challenge { }

  # set max upload size
  client_max_body_size 512M;
  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;

  location / {
      rewrite ^ /index.php$uri;
  }

  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
      deny all;
  }
  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
      deny all;
  }

  location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param HTTPS on;
      fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
      fastcgi_param front_controller_active true;
      fastcgi_pass php-handler;
      fastcgi_intercept_errors on;
      fastcgi_param HTTP_PROXY ""; # https://httpoxy.org vulnerability fix
  }

  location ~ ^/(?:updater|ocs-provider)(?:$|/) {
      try_files $uri/ =404;
      index index.php;
  }

  # Adding the cache control header for js and css files
  # Make sure it is BELOW the PHP block
  location ~* \.(?:css|js)$ {
      try_files $uri /index.php$uri$is_args$args;
      add_header Cache-Control "public, max-age=7200";
      # Add headers to serve security related headers
      # Before enabling Strict-Transport-Security headers please read into this topic first.
      #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
      add_header X-Content-Type-Options nosniff;
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      # Optional: Don't log access to assets
      access_log off;
  }

  location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
      try_files $uri /index.php$uri$is_args$args;
      # Optional: Don't log access to other assets
      access_log off;
  }

}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment