Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

Les deux révisions précédentes Révision précédente
Prochaine révision		 Révision précédente
infrastructure:services:cloud:nextcloud:installation [27/04/2023 06:35] Stéphane Pailletinfrastructure:services:cloud:nextcloud:installation [27/04/2023 09:47] (Version actuelle) Stéphane Paillet
Ligne 1: Ligne 1:
 ===== Installation Nextcloud ====== ===== Installation Nextcloud ======
 {{tag>cloud Nextcloud}} {{tag>cloud Nextcloud}}
 +
 +<WRAP center round important 60%>
 +Ce mode opératoire est en cours de rédaction et n'est pas finalisé.
 +</WRAP>
 +
 +
 Nextcloud est une application de stockage de fichiers en ligne. Nextcloud est une application de stockage de fichiers en ligne.
  
Ligne 18: Ligne 24:
 Nous le décompressons Nous le décompressons
 <code> <code>
-unzip nextcloud-16.0.4.zip+unzip latest.zip
 </code> </code>
  
Ligne 31: Ligne 37:
 Nous créons le fichier vHost Nous créons le fichier vHost
 <code> <code>
-sudo vi /etc/nginx/sites-available/cloud.grohub.org+sudo vi /etc/nginx/sites-available/cloud.grohub.org.conf
 </code> </code>
  
Ligne 39: Ligne 45:
     server unix:/var/run/php/nextcloud.sock;     server unix:/var/run/php/nextcloud.sock;
 } }
 +
 +# Set the `immutable` cache control options only for assets with a cache busting `v` argument
 +map $arg_v $asset_immutable {
 +    "" "";
 +    default "immutable";
 +}
 +
  
 server { server {
     listen 80;     listen 80;
-    server_name cloud.grohub.org+    server_name cloud.example.com
-  enforce https + 
-    return 301 https://$host$request_uri;+    Prevent nginx HTTP Server Detection 
 +    server_tokens off; 
 + 
 +    # Enforce HTTPS 
 +    return 301 https://$server_name$request_uri;
 } }
  
Ligne 50: Ligne 67:
     listen 443 ssl http2;     listen 443 ssl http2;
     server_name cloud.grohub.org;     server_name cloud.grohub.org;
-     + 
-      # Path to the root of your installation+    # Path to the root of your installation
     root /var/www/cloud.grohub.org;     root /var/www/cloud.grohub.org;
  
-  # Logs+    # Logs
     access_log  /var/log/nginx/cloud.grohub.org.access.log;     access_log  /var/log/nginx/cloud.grohub.org.access.log;
     error_log  /var/log/nginx/cloud.grohub.org.error.log;     error_log  /var/log/nginx/cloud.grohub.org.error.log;
-    +
     # Use Mozilla's guidelines for SSL/TLS settings     # Use Mozilla's guidelines for SSL/TLS settings
     # https://mozilla.github.io/server-side-tls/ssl-config-generator/     # https://mozilla.github.io/server-side-tls/ssl-config-generator/
-    # NOTE: some settings below might be redundant +    ssl_certificate     /etc/nginx/ssl/cloud.grohub.org.crt
-    ssl_certificate /etc/ssl/certs/cloud.grohub.org.pem+    ssl_certificate_key /etc/nginx/ssl/cloud.grohub.org.key;
-    ssl_certificate_key /etc/ssl/private/cloud.grohub.org.key;+
  
-    # Add headers to serve security related headers +    # Prevent nginx HTTP Server Detection 
-    # Before enabling Strict-Transport-Security headers please read into this +    server_tokens off; 
-    # topic first. + 
-    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; +    # HSTS settings
-    #+
     # WARNING: Only add the preload option once you read about     # WARNING: Only add the preload option once you read about
     # the consequences in https://hstspreload.org/. This option     # the consequences in https://hstspreload.org/. This option
Ligne 74: Ligne 89:
     # in all major browsers and getting removed from this list     # in all major browsers and getting removed from this list
     # could take several months.     # could take several months.
-    add_header X-Content-Type-Options nosniff; +    #add_header Strict-Transport-Security "max-age=15768000includeSubDomainspreloadalways;
-    add_header X-XSS-Protection "1mode=block"+
-    add_header X-Robots-Tag none; +
-    add_header X-Download-Options noopen; +
-    add_header X-Permitted-Cross-Domain-Policies none; +
-    add_header Referrer-Policy no-referrer;+
  
-    # Remove X-Powered-By, which is an information leak +    # set max upload size and increase upload timeout:
-    fastcgi_hide_header X-Powered-By; +
- +
-    location = /robots.txt { +
-        allow all; +
-        log_not_found off; +
-        access_log off; +
-    } +
- +
-    # The following 2 rules are only needed for the user_webfinger app. +
-    # Uncomment it if you're planning to use this app. +
-    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; +
-    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; +
- +
-    # The following rule is only needed for the Social app. +
-    # Uncomment it if you're planning to use this app. +
-    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; +
- +
-    location = /.well-known/carddav { +
-      return 301 $scheme://$host:$server_port/remote.php/dav; +
-    } +
-    location = /.well-known/caldav { +
-      return 301 $scheme://$host:$server_port/remote.php/dav; +
-    } +
- +
-    # set max upload size+
     client_max_body_size 512M;     client_max_body_size 512M;
 +    client_body_timeout 300s;
     fastcgi_buffers 64 4K;     fastcgi_buffers 64 4K;
  
Ligne 116: Ligne 102:
     gzip_min_length 256;     gzip_min_length 256;
     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
  
-    # Uncomment if your server is build with the ngx_pagespeed module +    # Pagespeed is not supported by Nextcloud, so if your server is built 
-    # This module is currently not supported.+    # with the `ngx_pagespeedmodule, uncomment this line to disable it.
     #pagespeed off;     #pagespeed off;
  
-    location / { +    # The settings allows you to optimize the HTTP2 bandwitdth. 
-        rewrite ^ /index.php$request_uri;+    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ 
 +    # for tunning hints 
 +    client_body_buffer_size 512k; 
 + 
 +    # HTTP response headers borrowed from Nextcloud `.htaccess` 
 +    add_header Referrer-Policy                   "no-referrer"       always; 
 +    add_header X-Content-Type-Options            "nosniff"           always; 
 +    add_header X-Download-Options                "noopen"            always; 
 +    add_header X-Frame-Options                   "SAMEORIGIN"        always; 
 +    add_header X-Permitted-Cross-Domain-Policies "none"              always; 
 +    add_header X-Robots-Tag                      "noindex, nofollow" always; 
 +    add_header X-XSS-Protection                  "1; mode=block"     always; 
 + 
 +    # Remove X-Powered-By, which is an information leak 
 +    fastcgi_hide_header X-Powered-By; 
 + 
 +    # Add .mjs as a file extension for javascript 
 +    # Either include it in the default mime.types list 
 +    # or include you can include that list explicitly and add the file extension 
 +    # only for Nextcloud like below: 
 +    #include mime.types; 
 +    #types { 
 +    #    application/javascript js mjs; 
 +    #} 
 + 
 +    # Specify how to handle directories -- specifying `/index.php$request_uri` 
 +    # here as the fallback means that Nginx always exhibits the desired behaviour 
 +    # when a client requests a path that corresponds to a directory that exists 
 +    # on the server. In particular, if that directory contains an index.php file, 
 +    # that file is correctly served; if it doesn't, then the request is passed to 
 +    # the front-end controller. This consistent behaviour means that we don't need 
 +    # to specify custom rules for certain paths (e.g. images and other assets, 
 +    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus 
 +    # `try_files $uri $uri/ /index.php$request_uri` 
 +    # always provides the desired behaviour. 
 +    index index.php index.html /index.php$request_uri; 
 + 
 +    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients 
 +    location / { 
 +        if ( $http_user_agent ~ ^DavClnt ) { 
 +            return 302 /remote.php/webdav/$is_args$args; 
 +        }
     }     }
  
-    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { +    location /robots.txt 
-        deny all;+        allow all
 +        log_not_found off; 
 +        access_log off;
     }     }
-    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + 
-        deny all;+    # Make a regex exception for `/.well-known` so that clients can still 
 +    # access it despite the existence of the regex rule 
 +    # `location ~ /(\.|autotest|...)` which would otherwise handle requests 
 +    # for `/.well-known`. 
 +    location ^~ /.well-known 
 +        # The rules in this block are an adaptation of the rules 
 +        # in `.htaccess` that concern `/.well-known`. 
 + 
 +        location = /.well-known/carddav { return 301 /remote.php/dav/;
 +        location = /.well-known/caldav  { return 301 /remote.php/dav/;
 + 
 +        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; } 
 +        location /.well-known/pki-validation    { try_files $uri $uri/ =404; } 
 + 
 +        # Let Nextcloud's API for `/.well-known` URIs handle all other 
 +        # requests by passing them to the front-end controller. 
 +        return 301 /index.php$request_uri;
     }     }
  
-    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { +    # Rules borrowed from `.htaccess` to hide certain paths from clients 
-        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/ { return 404; } 
 +    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; } 
 + 
 +    # Ensure this block, which passes PHP files to the PHP process, is above the blocks 
 +    # which handle static assets (as seen below). If this block is not declared first, 
 +    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` 
 +    # to the URI, resulting in a HTTP 500 error response. 
 +    location ~ \.php(?:$|/) { 
 +        # Required for legacy support 
 +        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy/index.php$request_uri; 
 + 
 +        fastcgi_split_path_info ^(.+?\.php)(/.*)$; 
 +        set $path_info $fastcgi_path_info; 
 + 
 +        try_files $fastcgi_script_name =404; 
         include fastcgi_params;         include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;+        fastcgi_param PATH_INFO $path_info;
         fastcgi_param HTTPS on;         fastcgi_param HTTPS on;
-        # Avoid sending the security headers twice + 
-        fastcgi_param modHeadersAvailable true; +        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice 
-        # Enable pretty urls +        fastcgi_param front_controller_active true;     # Enable pretty urls
-        fastcgi_param front_controller_active true;+
         fastcgi_pass php-handler;         fastcgi_pass php-handler;
 +
         fastcgi_intercept_errors on;         fastcgi_intercept_errors on;
         fastcgi_request_buffering off;         fastcgi_request_buffering off;
-    } 
  
-    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { +        fastcgi_max_temp_file_size 0;
-        try_files $uri/ =404; +
-        index index.php;+
     }     }
  
-    # Adding the cache control header for js, css and map files +    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
-    # Make sure it is BELOW the PHP block +
-    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {+
         try_files $uri /index.php$request_uri;         try_files $uri /index.php$request_uri;
-        add_header Cache-Control "public, max-age=15778463"; +        add_header Cache-Control "public, max-age=15778463, $asset_immutable"; 
-        # Add headers to serve security related headers (It is intended to +        access_log off    OptionalDon't log access to assets
-        # have those duplicated to the ones above) +
-        # Before enabling Strict-Transport-Security headers please read into +
-        # this topic first. +
-        #add_header Strict-Transport-Security "max-age=15768000includeSubDomains; preload;"; +
-        # +
-        # WARNINGOnly add the preload option once you read about +
-        # the consequences in https://hstspreload.org/. This option +
-        # will add the domain to a hardcoded list that is shipped +
-        # in all major browsers and getting removed from this list +
-        # could take several months. +
-        add_header X-Content-Type-Options nosniff; +
-        add_header X-XSS-Protection "1; mode=block"; +
-        add_header X-Robots-Tag none; +
-        add_header X-Download-Options noopen; +
-        add_header X-Permitted-Cross-Domain-Policies none; +
-        add_header Referrer-Policy no-referrer;+
  
-        # Optional: Don't log access to assets +        location ~ \.wasm$ { 
-        access_log off;+            default_type application/wasm; 
 +        }
     }     }
  
-    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {+    location ~ \.woff2?$ {
         try_files $uri /index.php$request_uri;         try_files $uri /index.php$request_uri;
-        # Optional: Don't log access to other assets +        expires 7d;         # Cache-Control policy borrowed from `.htaccess` 
-        access_log off;+        access_log off;     # Optional: Don't log access to assets 
 +    } 
 + 
 +    # Rule borrowed from `.htaccess` 
 +    location /remote { 
 +        return 301 /remote.php$request_uri; 
 +    } 
 + 
 +    location / { 
 +        try_files $uri $uri/ /index.php$request_uri;
     }     }
 } }
Ligne 191: Ligne 240:
 <code> <code>
 cd /etc/nginx/sites-enabled cd /etc/nginx/sites-enabled
-sudo ln -s /etc/nginx/sites-available/cloud.grohub.org+sudo ln -s /etc/nginx/sites-available/cloud.grohub.org.conf
 </code> </code>
  
-===== Installation PHP =====+Nous testons et rechargeons la configuration 
 +<code> 
 +sudo nginx -t 
 +sudo systemctl reload nginx 
 +</code> 
 + 
 +===== Install / conf PHP ===== 
 + 
 +==== Installation PHP ==== 
 Nous installon PHP-fpm et les différents modules dont nous aurons besoin Nous installon PHP-fpm et les différents modules dont nous aurons besoin
 <code> <code>
-sudo aptitude install php7.3-fpm php-apcu php-apcu-bc php7.3-mysql php7.3-zip php7.3-dom php7.3-xml php7.3-ldap php7.3-curl php7.3-mbstring php7.3-gd php7.3-intl php7.3-imagick+sudo apt install php-common php-imagick php8.2-apcu php8.2-bcmath php8.2-bz2 php8.2-cli php8.2-common php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-igbinary php8.2-imagick php8.2-imap php8.2-intl php8.2-mbstring php8.2-opcache php8.2-readline php8.2-xml php8.2-zip
 </code> </code>
  
-===== Tuning =====+==== php.ini ==== 
 Nous réglons le temps maximal d'exécution pour éviter les timeout dans le fichier /etc/php/7.3/fpm/php.ini Nous réglons le temps maximal d'exécution pour éviter les timeout dans le fichier /etc/php/7.3/fpm/php.ini
 <code> <code>
Ligne 206: Ligne 265:
 </code> </code>
  
-Dans le fichier /etc/php/7.3/fpm/pool.d/nextcloud.conf nous saisissons ces éléments+Nous activons opcode. Toujours dans le fichier /etc/php/7.3/fpm/php.ini, nous recherchons ces clés et enlevons les commentaires our les activer 
 +<code> 
 +opcache.enable=1 
 +opcache.interned_strings_buffer=8 
 +opcache.max_accelerated_files=10000 
 +opcache.memory_consumption=128 
 +opcache.save_comments=1 
 +opcache.revalidate_freq=1 
 +</code> 
 + 
 +==== PHP pool ==== 
 + 
 +Dans le fichier /etc/php/8.2/fpm/pool.d/nextcloud.conf nous saisissons ces éléments
 <code> <code>
 [nextcloud] [nextcloud]
Ligne 230: Ligne 301:
 </code> </code>
  
-Nous activons opcode. Toujours dans le fichier /etc/php/7.3/fpm/php.ini, nous recherchons ces clés et enlevons les commentaires our les activer+===== Postgresql ===== 
 + 
 +==== Installation Postgresql ==== 
 <code> <code>
-opcache.enable=1 +sudo apt install postgresql php8.2-pgsql 
-opcache.interned_strings_buffer=8 +</code> 
-opcache.max_accelerated_files=10000 + 
-opcache.memory_consumption=128 +==== Création base / utilisateur ===
-opcache.save_comments=1 + 
-opcache.revalidate_freq=1+<code> 
 +create database nextcloud; 
 +create user nextcloud with encrypted password 'monmotdepasse'; 
 +grant all privileges on database nextcloud to nextcloud; 
 +</code> 
 + 
 +===== Redis ===== 
 + 
 +==== Installation Redis ==== 
 + 
 +<code> 
 +sudo apt install redis-server php8.2-redis 
 +</code> 
 + 
 +==== Configuration Nextcloud ==== 
 + 
 +Nous éditons le ficher de configuration Nextcloud pour ajouter la configuration de Redis 
 +<code> 
 +sudo vi /var/www/cloud.grohub.org/config/config.php 
 +</code> 
 + 
 +<code> 
 +  'filelocking.enabled' => true, 
 +  'memcache.locking' => '\\OC\\Memcache\\Redis', 
 +  'memcache.local' => '\\OC\\Memcache\\Redis', 
 +  'memcache.distributed' => '\\OC\\Memcache\\Redis', 
 +  'redis' =>  
 +  array ( 
 +    'host' => 'localhost', 
 +    'port' => 6379, 
 +    'timeout' => 0.0, 
 +    'password' => '', 
 +  ), 
 +</code> 
 + 
 +===== Tuning ===== 
 + 
 +==== Tâches cron ==== 
 + 
 +Nous configurons cron 
 + 
 +<code> 
 +sudo -u www-data crontab -e 
 +</code> 
 + 
 +Nous ajoutons ceci à la fin du fichier 
 + 
 +<code> 
 +# Add the following line to the end of the file: (will call the cron script every 5 minutes) 
 +*/5  *  *  *  * /usr/bin/php -f /var/www/cloud.grohub.org/cron.php 
 +</code> 
 + 
 +==== Pour gérer les thèmes ==== 
 + 
 +Si la gestion des thèmes est configurée, nous aurons besoin de manipuler des images 
 + 
 +<code> 
 +sudo apt install libmagickcore-6.q16-6 libmagickcore-6.q16-6-extra
 </code> </code>
  
 ===== Liens ===== ===== Liens =====
   * [[https://docs.nextcloud.com/server/latest/admin_manual/|documentation Nextcloud]]   * [[https://docs.nextcloud.com/server/latest/admin_manual/|documentation Nextcloud]]
 +  * [[https://nextcloud.com/|site de l'éditeur]]
  • infrastructure/services/cloud/nextcloud/installation.1682577345.txt.gz
  • Dernière modification : 27/04/2023 06:35
  • de Stéphane Paillet