宝塔+CloudFlare+Nextcould+GoogleDrive无限云盘

参考

• Caddy安装NextCloud – 本馆档案
• Docker安装NextCloud – 本馆档案
• Nextcloud：私有云同步网盘安装教程 | 自建网盘图文教程 – 外部参考

宝塔添加网站并配置SSL

并设置好CloudFlare

下载

去这里看看 https://nextcloud.com/install/#instructions-server

# ssh over to host
# 安装过程有可能会break，用screen
screen -d -R nc

cd /www/wwwroot/xx.ck.mk
# 删掉现有的文件
rm *
wget https://download.nextcloud.com/server/releases/nextcloud-19.0.1.zip
unzip nextcloud-19.0.1.zip
mv nextcloud/* .
rm -rf nextcloud

设置目录权限

安装

打开 xx.ck.mk

将来会把这里的Data Folder下面的nc子目录symlink到Google Drive对应的目录

很快就安装完成。

修改data/nc目录映射到Google Drive

加载Google Drive到本地请参考本馆档案

# 之前已经加载了google drive到/data/nextcloud/data
ll /data/nextcloud/data
# lrwxrwxrwx 1 root root 45 Aug  8 12:11 /data/nextcloud/data -> /data/gd_stanford/_host/bwh229/nextcloud_data

# 为了更好的访问速度，决定只重定向./data/nc
cd /www/wwwroot/xx.ck.mk/data
# 别删，改个名；如果出错可以马上改回来
mv nc nc_old
ln -s /data/nextcloud/data/nc ./nc
cp -R nc_old/* ./nc/

你还有可能看到“Open_basedir restriction in effect. File(…) is not within the allowed path(s)”之类的错误，那是因为这个/data/gd_stanford/_host/bwh229/nextcloud_data并没有在PHP允许访问的路径当中。修改如下：

cd /www/wwwroot/xx.ck.mk
# 允许.user.ini 可写
chattr -i .user.ini 
echo ":/data/gd_stanford/_host/bwh229/nextcloud_data/" >> .user.ini
# 恢复不可写
chattr +i .user.ini

替换nginx 配置文件

upstream php-handler {
    #server 127.0.0.1:9000;
    # 根据你自己的PHP的位置，可查看(/www/server/php/74/etc/php-fpm.conf)
    server unix:/tmp/php-cgi-74.sock;
}

server
{
    listen 80;
	listen 443 ssl http2;
    server_name xx.ck.mk;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/xx.ck.mk;
    
    #SSL-START SSL相关配置，请勿删除或修改下一行带注释的404规则
    #error_page 404/404.html;
    #HTTP_TO_HTTPS_START
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END
    ssl_certificate    /www/server/panel/vhost/cert/xx.ck.mk/fullchain.pem;
    ssl_certificate_key    /www/server/panel/vhost/cert/xx.ck.mk/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    error_page 497  https://$host$request_uri;

    #SSL-END
    
    #ERROR-PAGE-START  错误页配置，可以注释、删除或修改
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    #ERROR-PAGE-END
    
    #PHP-INFO-START  PHP引用配置，可以注释或修改
    include enable-php-74.conf;
    #PHP-INFO-END
    
    #REWRITE-START URL重写规则引用,修改后将导致面板设置的伪静态规则失效
    include /www/server/panel/vhost/rewrite/xx.ck.mk.conf;
    #REWRITE-END
    
    
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header Strict-Transport-Security max-age=15768000;
    add_header X-Frame-Options 'SAMEORIGIN';
    add_header Referrer-Policy "no-referrer";

    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }
    
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$request_uri;
    }
    
    #一键申请SSL证书验证目录相关设置
    location ~ \.well-known{
        allow all;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }

    access_log  /www/wwwlogs/xx.ck.mk.log;
    error_log  /www/wwwlogs/xx.ck.mk.error.log;
}

设置NextCloud的Cron

crontab -u www -e
# 添加这一行；注意用你自己的路径
*/5  *  *  *  * */5  *  *  *  * php -f /www/wwwroot/xx.ck.mk/cron.php

记得把CloudFlare Proxy打开

保护源IP

这样就OK了。

（可选）额外的优化

设置环境变量

# 根据你自己的php-fpm.conf的位置来定
echo 'env[PATH] = /usr/local/bin:/usr/bin:/bin:/usr/local/php/bin' >> /www/server/php/73/etc/php-fpm.conf
service php-fpm-74 restart

修改opcache的配置

;opcache
[Zend Opcache]
zend_extension=/www/server/php/73/lib/php/extensions/no-debug-non-zts-20180731/opcache.so
opcache.enable = 1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1
opcache.save_comments=1
extension=memcached.so

修改一些PHP设置，尤其是memory_limit

安装一些PHP扩展

这个imagemagick是最难安装的

参考 https://linuxconfig.org/how-to-install-imagemagick-7-on-ubuntu-18-04-linux

# 先修改
vim /etc/apt/sources.list

apt update -y && apt build-dep imagemagick
wget https://www.imagemagick.org/download/ImageMagick.tar.gz
tar xf ImageMagick.tar.gz
cd ImageMagick-7*

# 这一步需要花蛮长时间，我的花了半个多小时
./configure && make && make install

# link static libraries
ldconfig /usr/local/lib
# confirm the installed version
identify -version
# more in-depth installation check
make check

# 这一步之后，采取宝塔里面安装PHP的“安装扩展”。

安装和配置APCU（本地数据缓存）在php.ini中

[apcu]
apc.enabled=1
apc.shm_size=128M
apc.enable_cli=1

安装Memcache

参考 https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html

vi /www/wwwroot/xx.ck.mk/config/config.php
# 添加下面的信息
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Memcached',
'memcached_servers' => [
     [ '127.0.0.1', 11211 ],
 ],

修改utf8 -> utf8mb4 （可以支持emoji）

先修改数据库

# 进入phpadmin
# database is set to use the Barracuda InnoDB file format:
SET GLOBAL innodb_file_format=Barracuda;
# check
show variables like 'innodb_file_format';
# 对于mysql 8.0之前的版本，在mysqld配置中加入
[mysqld]
innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table=1

# 在terminal当中
cd /www/wwwroot/xx.ck.mk
www php occ maintenance:mode --on
# restart mysqld
# 在phpadmin中运行 ALTER DATABASE nc_ck_mk CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
sudo -u www php occ config:system:set mysql.utf8mb4 --type boolean --value="true"
sudo -u www php occ maintenance:repair
sudo -u www php occ maintenance:mode --off