LNMP 环境配置 Nextcloud 自建网盘

Nextcloud 是一款类 Dropbox 的开源免费私有云存储网盘项目，可以让你快速便捷地搭建一套属于自己或团队的云同步网盘，从而实现跨平台跨设备文件同步、共享、版本控制、团队协作等功能。Nextcloud 的客户端覆盖了 Windows、Mac、Android、iOS、Linux 等各种平台，同时也提供网页端和 WebDAV 接口，国内外拥趸众多。从 2020 年开始，Nextcloud 官方发布了一个里程碑式的更新，Nextcloud 更名为 Nextcloud Hub，实现了从网盘系统到个人/团队工作台的转变。本文介绍了 LNMP 环境下 Nextcloud Hub 的安装部署方法，相关程序部署在局域网的虚拟机内。

从官方下载 Nextcloud Hub

为了不引入过多概念，降低新手入门成本，本文不采用 Docker 方式部署，而是采用传统的部署方式，这种部署方式要求具备 LNMP 运行环境，如果没有，请先行配置 LNMP 。

Install – Nextcloud

Nextcloud is the most deployed on-premises file share and collaboration platform. Access & collaborate across your devices. Your data remains under your control.

在虚拟机上创建运行目录，通过上面这个官方链接下载 Nextcloud Hub 源代码，解压并修复运行权限：

mkdir -p /home/wwwroot/nextcloud
cd /home/wwwroot/nextcloud
wget https://download.nextcloud.com/server/releases/nextcloud-23.0.0.zip
unzip nextcloud-23.0.0.zip
chown -R www:www /home/wwwroot/nextcloud

创建 nginx 配置文件

军哥 LNMP 的用户可以通过命令创建配置文件：

# 考虑到内网环境，使用 dns challenge 的方式验证域名所有权
# 这里默认使用 CloudFlare
# 详见：https://lnmp.org/faq/letsencrypt-wildcard-ssl.html

export CF_Key="123456"
export CF_Email="abc@example.com"
lnmp dnsssl cf

# 也可以用 acme.sh 脚本来生成，请根据个人喜好决定，详见：https://acme.sh

创建配置文件后按照以下形式修改配置：

upstream php-handler {
    server unix:/tmp/php-cgi.sock;
}
server
    {
        listen 80;
        server_name cloud.xxxx.local;
        return 301 https://$host$request_uri;
    }
server
    {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name cloud.xxxx.local;
        root  /home/wwwroot/nextcloud;

        ssl_certificate /usr/local/nginx/conf/ssl/cloud.xxxx.local/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/cloud.xxxx.local/cloud.xxxx.local.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        include rewrite/none.conf;
        #error_page   404   /404.html;

        #include enable-php-pathinfo.conf;
        include enable-nc.conf;

        access_log  /home/wwwlogs/cloud.xxxx.local.log;
    }

在 nginx.conf 配置文件跟目录生成一个 enable-nc.conf （LNMP 环境的地址是 /usr/local/nginx/conf/enable-nc.conf）：

 # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets

        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }

重启 LNMP：

lnmp reload

接下来则用配置文件中的域名进行访问：

设置部分，官方文档十分详细，建议参考：

Installation wizard

When Nextcloud prerequisites are fulfilled and all Nextcloud files are installed,
the last step to completing the installation is running the Installation Wizard.