
NextCloud

Walkthrough for installing a NextCloud server on Debian 10.
In this walkthrough we set up the site https://cloud.sleto.net.

We use the variables DBNAME, DBUSER and DBPASSWD for the database name, user and password respectively.
NextCloud is installed in /var/www/nextcloud and the shared files are stored in /var/nc_data/.

Dependencies

Uses PHP 7.3 via fpm together with a secure web server (Nginx / Let's Encrypt). The PHP-FPM socket path and service name used further down (php7.4-fpm) must match the PHP-FPM version actually installed: check what exists under /var/run/php/ before continuing.
The following tools are also required:

sudo apt-get install -y mariadb-server redis-server php-redis

You will also need to add the domain cloud.sleto.net to the DNS server (bind9).

Database

We create a MariaDB database, with a user that may only connect from localhost:

mariadb -h localhost -u root -e "
CREATE DATABASE $DBNAME CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER '$DBUSER'@'localhost' IDENTIFIED BY '$DBPASSWD';
GRANT ALL PRIVILEGES ON $DBNAME.* TO '$DBUSER'@'localhost';
FLUSH PRIVILEGES;
"

Tool pre-configuration

sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
sed -i "s/# unixsocket/unixsocket/g" /etc/redis/redis.conf
sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
usermod -aG redis www-data
sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
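The sed edits above switch Redis from a TCP listener to a group-protected Unix socket, but sed exits 0 even when a pattern matches nothing, so the result deserves a check. The following rehearsal is an added example, not part of the original page: it runs the same edits on a constructed excerpt of Debian's default redis.conf (the sample lines are constructed; the socket path is the one used in config.php further down) and verifies every expected setting line by line.

```shell
# Added example: rehearse the Redis hardening edits on a constructed
# redis.conf excerpt and verify that each setting is actually active.

# Write a constructed excerpt of Debian's default redis.conf to file $1.
write_sample_redis_conf() {
    cat > "$1" <<'EOF'
bind 127.0.0.1 ::1
port 6379
# unixsocket /var/run/redis/redis-server.sock
# unixsocketperm 700
# maxclients 10000
EOF
}

# Apply the same edits as the pre-configuration step to file $1
# (anchored to the start of the line so comments cannot be hit by accident).
apply_redis_edits() {
    sed -i 's/^port 6379$/port 0/' "$1"
    sed -i 's/^# unixsocket/unixsocket/' "$1"
    sed -i 's/^unixsocketperm 700$/unixsocketperm 770/' "$1"
    sed -i 's/^# maxclients 10000$/maxclients 512/' "$1"
}

# Return 0 only if every hardening setting is present as an active line:
# TCP listener off, Unix socket on with group access, client cap set.
check_redis_conf() {
    conf="$1"; fail=0
    grep -q '^port 0$' "$conf" || { echo "FAIL: TCP port still enabled"; fail=1; }
    grep -q '^unixsocket /var/run/redis/redis-server\.sock$' "$conf" \
        || { echo "FAIL: unixsocket not active"; fail=1; }
    grep -q '^unixsocketperm 770$' "$conf" || { echo "FAIL: socket perm not 770"; fail=1; }
    grep -q '^maxclients 512$' "$conf" || { echo "FAIL: maxclients not set"; fail=1; }
    return "$fail"
}

# Run the rehearsal end to end on a temporary file; 0 means the edited
# excerpt passes all checks.
rehearse_redis_edits() {
    tmp=$(mktemp)
    write_sample_redis_conf "$tmp"
    apply_redis_edits "$tmp"
    if check_redis_conf "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}
```

On a real host, run check_redis_conf /etc/redis/redis.conf after the sed commands; a non-zero exit names the setting that did not take.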

Installation

Download and install NextCloud:

cd /tmp
curl https://download.nextcloud.com/server/releases/latest-22.tar.bz2 -o latest.tar.bz2
tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
mkdir -p /var/nc_data/ && chown -R www-data:www-data /var/nc_data/

Configuration

Run these commands to install NextCloud into the database. The --admin-user and --admin-pass values "admin" are placeholders: use a strong password here, or change it immediately after the install completes.

sudo -u www-data php /var/www/nextcloud/occ maintenance:install --database "mysql" --database-name $DBNAME --database-user $DBUSER --database-pass "$DBPASSWD" --admin-user "admin" --admin-pass "admin" --data-dir "/var/nc_data"
sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=cloud.sleto.net
sudo -u www-data php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://cloud.sleto.net

Also add the following settings at the end of /var/www/nextcloud/config/config.php (before the final ');'):

    'activity_expire_days' => 14,
    'auth.bruteforce.protection.enabled' => true,
    'blacklisted_files' => 
    array (
        0 => '.htaccess',
        1 => 'Thumbs.db',
        2 => 'thumbs.db',
    ),
    'cron_log' => true,
    'enable_previews' => true,
    'enabledPreviewProviders' => 
    array (
        0 => 'OC\Preview\PNG',
        1 => 'OC\Preview\JPEG',
        2 => 'OC\Preview\GIF',
        3 => 'OC\Preview\BMP',
        4 => 'OC\Preview\XBitmap',
        5 => 'OC\Preview\Movie',
        6 => 'OC\Preview\PDF',
        7 => 'OC\Preview\MP3',
        8 => 'OC\Preview\TXT',
        9 => 'OC\Preview\MarkDown',
    ),
    'filesystem_check_changes' => 0,
    'filelocking.enabled' => 'true',
    'htaccess.RewriteBase' => '/',
    'integrity.check.disabled' => false,
    'knowledgebaseenabled' => false,
    'logfile' => '/var/nc_data/nextcloud.log',
    'loglevel' => 2,
    'logtimezone' => 'Europe/Berlin',
    'log_rotate_size' => 104857600,
    'maintenance' => false,
    'memcache.local' => '\OC\Memcache\APCu',
    'memcache.locking' => '\OC\Memcache\Redis',
    'overwriteprotocol' => 'https',
    'preview_max_x' => 1024,
    'preview_max_y' => 768,
    'preview_max_scale_factor' => 1,
    'redis' => 
    array (
        'host' => '/var/run/redis/redis-server.sock',
        'port' => 0,
        'timeout' => 0.0,
    ),
    'quota_include_external_storage' => false,
    'share_folder' => '/Shares',
    'skeletondirectory' => '',
    'theme' => '',
    'trashbin_retention_obligation' => 'auto, 7',
    'updater.release.channel' => 'stable',

And finish the configuration with:

sudo chown www-data:www-data /var/www/nextcloud/config/config.php
sudo -u www-data sed -i "s|.*dbhost.*|  'dbhost' => 'localhost:/var/run/mysqld/mysqld.sock',|g" /var/www/nextcloud/config/config.php
sudo -u www-data sed -i "s/output_buffering=.*/output_buffering='Off'/" /var/www/nextcloud/.user.ini

Web configuration

Create a file /etc/nginx/php_optimization.conf:

    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
    fastcgi_cache_valid 404 1m;
    fastcgi_cache_valid any 1h;
    fastcgi_cache_methods GET HEAD;

And a file /var/www/nextcloud/nginx-cloud:

server {
    listen 80;
    server_name cloud.sleto.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name cloud.sleto.net;
    access_log /var/log/nginx/cloud.sleto.net.access.log;
    error_log  /var/log/nginx/cloud.sleto.net.error.log;

    include /opt/ssl/cloud.sleto.net.conf;
    
    proxy_set_header        Upgrade           $http_upgrade;
    proxy_set_header        Connection        "upgrade";
    proxy_set_header        Host              $host;
    proxy_set_header        X-Real-IP         $remote_addr;
    proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_http_version      1.1;
    proxy_connect_timeout   90;
    proxy_send_timeout      90;
    proxy_read_timeout      90;
    proxy_buffers           32 4k;
    proxy_intercept_errors  on;
    add_header              Strict-Transport-Security         "max-age=15768000; includeSubDomains; preload" always;
    add_header              X-Robots-Tag                      none always;
    add_header              X-Download-Options                noopen always;
    add_header              X-Permitted-Cross-Domain-Policies none always;
    add_header              X-Content-Type-Options            "nosniff" always;
    add_header              X-XSS-Protection                  "1; mode=block" always;
    add_header              Referrer-Policy                   "no-referrer" always;
    add_header              X-Frame-Options                   "SAMEORIGIN" always;
    fastcgi_hide_header     X-Powered-By;
    fastcgi_read_timeout    3600;
    fastcgi_send_timeout    3600;
    fastcgi_connect_timeout 3600;
    fastcgi_buffers         64 64K;
    fastcgi_buffer_size     256k;
    fastcgi_busy_buffers_size 3840K;
    fastcgi_cache_key       $http_cookie$request_method$host$request_uri;
    fastcgi_cache_use_stale error timeout invalid_header http_500;
    fastcgi_ignore_headers  Cache-Control Expires Set-Cookie;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    gzip_disable "MSIE [1-6]\.";
    
    root /var/www/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    client_max_body_size 10240M;
    location / {
        rewrite ^ /index.php;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ^~ /apps/rainloop/app/data {
        deny all;
    }
    location ~ \.(?:flv|mp4|mov|m4a)$ {
        mp4;
        mp4_buffer_size 100M;
        mp4_max_buffer_size 1024M;
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        include php_optimization.conf;
    }
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi.conf;
        include fastcgi_params;
        include php_optimization.conf;
    }
    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
        expires 360d;
    }
}

Note that /opt/ssl/cloud.sleto.net.conf holds the HTTPS/SSL private and public key settings (see the secure web server (Nginx / Let's Encrypt) page).

Enable the web configuration with the command below, then validate it with nginx -t before reloading. The vhost file lives under the web root here; requests for it are caught by the location / rewrite rather than served as a file, but keeping it under /etc/nginx/sites-available/ instead is the safer habit.

ln -sf /var/www/nextcloud/nginx-cloud /etc/nginx/sites-enabled

Reloading

To restart the fpm, mariadb, redis and nginx services:

service nginx stop
service php7.4-fpm stop
service mariadb restart
service php7.4-fpm restart
service redis-server restart
service nginx restart