Nextcloud
- Nextcloud 是一套用於創建和使用文件託管服務的客戶機——服務器軟件。它在功能上類似於 Dropbox,不過 Nextcloud 是免費、開源的,允許任何人在私有服務器上安裝和操作它。與 Dropbox 等專有服務不同,開放式體系結構允許以應用程序的形式向服務器添加附加功能。
Nextcloud 是 ownCloud 的一個分支,兩者的差異參見 wikipedia:Nextcloud#Differences from ownCloud。
預備條件[編輯 | 編輯原始碼]
Nextcould 需要幾個組件:[1]
- Web 服務器: Apache HTTP Server 或者 nginx
- 數據庫: MariaDB/MySQL, PostgreSQL, SQLite 或者 Oracle Database
- PHP 及其 額外模塊
將會在#設置 PHP中配置它們。
繼續之前,請確保安裝了所需的組件。
安裝[編輯 | 編輯原始碼]
配置[編輯 | 編輯原始碼]
網頁應用的配置文件在 /etc/webapps/nextcloud/config/config.php
。
/var/lib/nextcloud/data/
,因為該目錄只能被 root 和應用本身訪問。要安裝使用這個網頁應用的軟件,請使用 /var/lib/nextcloud/apps/
。數據目錄[編輯 | 編輯原始碼]
默認情況下,Nextcloud 將用戶數據存放在 /var/lib/nextcloud/data/
,這個位置可以調節:
/etc/webapps/nextcloud/config/config.php
$CONFIG = [ /* [..] */ 'datadirectory' => '/var/lib/nextcloud/data', /* [..] */ ]
nextcloud
用戶需要有對 datadirectory
的寫入權限。可寫應用目錄[編輯 | 編輯原始碼]
nextcloud
不可寫入默認應用目錄 /usr/share/webapps/nextcloud/apps/
,因為它是軟件包的一部分。
要從應用商店安裝應用,使用一個獨立的、可寫的目錄是可以的。它默認指向 /var/lib/nextcloud/apps/
,並可以通過一個在網頁應用根目錄下的符號鏈接 (/usr/share/webapps/nextcloud/wapps
) 來訪問。
這個目錄是可調整的:
/etc/webapps/nextcloud/config/config.php
$CONFIG = [ /* [..] */ 'apps_paths' => [ [ 'path'=> '/usr/share/webapps/nextcloud/apps', 'url' => '/apps', 'writable' => false, ], [ 'path'=> '/var/lib/nextcloud/apps', 'url' => '/wapps', 'writable' => true, ], ], /* [..] */ ]
- 聲明為
writable
的apps_paths
條目需要可由nextcloud
用戶寫入。此外,需要在/usr/share/webapps/nextcloud/
中創建指向該目錄的符號鏈接。 - 上面的語法使用 PHP 的短數組語法。這可以用大多數指南使用的語法編寫:
/etc/webapps/nextcloud/config/config.php
$CONFIG = ( /* [..] */ 'apps_paths' => array ( 0 => array ( 'path' => '/usr/share/webapps/nextcloud/apps', 'url' => '/apps', 'writable' => false, ), 1 => array ( 'path' => '/var/lib/nextcloud/apps', 'url' => '/wapps', 'writable' => true, ), ), /* [..] */ )
日誌目錄[編輯 | 編輯原始碼]
默認情況下,日誌生成在 /var/log/nextcloud/nextcloud.log
,這個位置是可以調整的:
/etc/webapps/nextcloud/config/config.php
$CONFIG = [ /* [..] */ 'logfile' => '/var/log/nextcloud/nextcloud.log', ] /* [..] */
建立數據庫[編輯 | 編輯原始碼]
必須設置 SQL 數據庫並將其用於 Nextcloud 安裝。在建立數據庫之後,首次創建管理員帳戶時,系統將提示您輸入其信息。
MariaDB[編輯 | 編輯原始碼]
如果你想要使用 Emoji, 用如下命令替換後面的 CREATE DATABASE... :
mysql> CREATE DATABASE nextcloud DEFAULT CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_general_ci';
使用 MariaDB 時,建議設置自己的數據庫和用戶:
$ mysql -u root -p
mysql> CREATE DATABASE nextcloud DEFAULT CHARACTER SET 'utf8' COLLATE 'utf8_unicode_ci'; mysql> GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost' IDENTIFIED BY 'password'; mysql> FLUSH PRIVILEGES; mysql> \q
PostgreSQL[編輯 | 編輯原始碼]
下面是一個設置 PostgreSQL 用戶和數據庫的示例:
[postgres]$ createuser -h localhost -P nextcloud
Enter password for new role: Enter it again:
[postgres]$ createdb -O nextcloud nextcloud
設置 PHP[編輯 | 編輯原始碼]
Make sure that session.save_path
is configured. Install PHP#gd and php-intl包 as additional modules. Configure OPcache as recommended by the documentation.
Some apps (e.g. News) require the iconv
extension. If you wish to use these apps, uncomment the extension in /etc/php/php.ini
.
Depending on which database backend will be used:
- For MySQL, see PHP#MySQL/MariaDB.
- For PostgreSQL, see PHP#PostgreSQL.
- For SQLite, see PHP#Sqlite.
Performance may be improved through the implementation of caching, see Configuring Memory Caching on the official documentation for details.
Nextcloud setup[編輯 | 編輯原始碼]
occ
is a command-line tool that can be used to control Nextcloud. It is located in /usr/share/webapps/nextcloud/occ
and should be run as the nextcloud user
. A wrapper is provided in /usr/bin/occ
which will run the command using sudo.
To set up Nextcloud, you can use the $ occ maintenance:install
command. See Nextcloud documentation for more details. For example, to set up Nextcloud with PostgreSQL:
$ occ maintenance:install --database pgsql --database-name nextcloud --database-host localhost --database-user nextcloud --database-pass=<password> --data-dir /var/lib/nextcloud/data/
Alternatively, set up Nextcloud on a web server, then navigate to your Nextcloud instance in a web browser to access an installation wizard. Enter your database details and the location of the data directory.
Configure caching[編輯 | 編輯原始碼]
It is recommended to enable caching. The Nextcloud documentation provides instructions on Redis, Memcached and APCu.
Install notify_push[編輯 | 編輯原始碼]
To lower the impact of desktop and web clients on your server (polling for file activity and other notifications), you may want to install the notify_push app. You can do so via the web interface or with nextcloud-app-notify_pushAUR. More information can be found on the initial blog post.
Hosting[編輯 | 編輯原始碼]
nextcloud
). It is using /etc/webapps/nextcloud/
, /var/lib/nextcloud/
, /var/log/nextcloud/
and /run/nextcloud/
for configurations, state data (data and apps from the app store), logs and (potentially) sockets (respectively)!As stated above, in order to set up Nextcloud, you must set up the appropriate PHP requirements; additionally, you must configure a database and a webserver.
Web server setup[編輯 | 編輯原始碼]
Depending on which web server you are using, further setup is required, indicated below.
Apache[編輯 | 編輯原始碼]
If you have not already, install Apache HTTP Server and install and enable Apache's PHP module
Copy the Apache configuration file to the configuration directory:
# cp /usr/share/doc/nextcloud/apache.example.conf /etc/httpd/conf/extra/nextcloud.conf
Modify the file according to your preferences. By default it includes an alias for /nextcloud
pointing to /usr/share/webapps/nextcloud
.
And include it in /etc/httpd/conf/httpd.conf
:
Include conf/extra/nextcloud.conf
Ensure that the root location of your Nextcloud installation (e.g., /usr/share/webapps/nextcloud
) is accessible by the webserver's user http
.
Now restart Apache (httpd.service
).
If nextcloud keeps reporting an internal server error depending on your setup it might be needed to allow apache to access your files using nextcloud user permission. Install AUR: mod_itk包 and add this to your vhost setup:
/etc/httpd/conf/extra/nextcloud.conf
<IfModule mpm_itk_module> AssignUserId nextcloud nextcloud </IfModule>
/etc/httpd/conf/httpd.conf
LoadModule mpm_itk_module modules/mpm_itk.so
Be aware however that mpm_itk
is not compatible with threading, so the Apache server cannot use mpm_event_module
nor mpm_worker_module
. You will get an error message such as `mpm-itk cannot use threaded MPMs; please use prefork`. For a discussion of pros and cons of these see this Serverfault question (mpm_itk is derived from mpm_prefork). mod_php
is not compatible with threaded mpm's either, so unless you are using php-fpm you probably are already "stuck" on mpm_prefork_module
. However, note also that the http2_module
is not compatible with mpm_prefork_module
and hence with mpm_itk
…
WebDAV[編輯 | 編輯原始碼]
Nextcloud comes with its own WebDAV implementation enabled, which may conflict with the one shipped with Apache. If you have enabled WebDAV in Apache (not enabled by default), disable the modules mod_dav
and mod_dav_fs
in /etc/httpd/conf/httpd.conf
. See [3] for details.
With php-fpm[編輯 | 編輯原始碼]
Set up #php-fpm if you want to use it as a FastCGI handler with Apache. Then set it as the request handler for PHP files:
/etc/httpd/conf/extra/php-fpm.conf
DirectoryIndex index.php index.html <FilesMatch \.php$> SetHandler "proxy:unix:/run/nextcloud/nextcloud.sock|fcgi://localhost/" </FilesMatch>
Place <FilesMatch>
section directly in <VirtualHost>
if you use virtual hosts.
php-fpm[編輯 | 編輯原始碼]
php-fpm包 is PHP's FastCGI implementation. It can be used by web servers that support the protocol.
Add an additional pool that runs as the nextcloud
user/group:
/etc/php/php-fpm.d/nextcloud.conf
[nextcloud] user = nextcloud group = nextcloud listen = /run/nextcloud/nextcloud.sock env[PATH] = /usr/local/bin:/usr/bin:/bin env[TMP] = /tmp ; should be accessible by your web server listen.owner = http listen.group = http pm = dynamic pm.max_children = 15 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3
The php-fpm service runs with the system mounted as read-only for hardening purposes, so it is necessary to explicitly grant write permissions on the appropriate Nextcloud paths.
Create an override.conf
for php-fpm
:
# systemctl edit php-fpm.service
Add and save following content.
/etc/systemd/system/php-fpm.service.d/override.conf
[Service] # Your data directory ReadWritePaths=/var/lib/nextcloud/data # Optional: add if you've set the default apps directory to be writable in config.php ReadWritePaths=/usr/share/webapps/nextcloud/apps # Optional: unnecessary if you've set 'config_is_read_only' => true in your config.php ReadWritePaths=/usr/share/webapps/nextcloud/config ReadWritePaths=/etc/webapps/nextcloud/config # Optional: add if you want to use Nextcloud's internal update process # ReadWritePaths=/usr/share/webapps/nextcloud
Enable and start the php-fpm
service.
Nginx[編輯 | 編輯原始碼]
Make sure #php-fpm has been configured correctly.
Create a server block and add the content according to the Nextcloud documentation.
Use unix:/run/nextcloud/nextcloud.sock
as server
in the upstream php-handler
block and /usr/share/webapps/nextcloud
as root
location:
/etc/nginx/sites-enabled/nextcloud
upstream php-handler { server unix:/run/nextcloud/nextcloud.sock; } # ... server { listen 443 ssl http2; listen [::]:443 ssl http2; # ... root /usr/share/webapps/nextcloud; # ... }
See nginx#FastCGI for more information on using FastCGI with nginx.
lighttpd[編輯 | 編輯原始碼]
Enable lighttpd#FastCGI, e.g. by adding server.modules += ( "mod_fastcgi" )
to /etc/lighttpd/lighttpd.conf
.
Create a link to /usr/share/webapps/nextcloud
in your /srv/http/
directory (or configured root).
Security Hardening[編輯 | 編輯原始碼]
See the Nextcloud documentation and Security. Nextcloud additionally provides a Security scanner.
uWSGI[編輯 | 編輯原始碼]
You can run Nextcloud in its own process and service by using the uWSGI application server with uwsgi-plugin-php包. This allows you to define a PHP configuration only for this instance of PHP, without the need to edit the global php.ini
and thus keeping your web application configurations compartmentalized. uWSGI itself has a wealth of features to limit the resource use and to harden the security of the application, and by being a separate process it can run under its own user.
The only part that differs from #Nginx is the location ~ \.php(?:$|/) {}
block:
location ~ \.php(?:$|/) { include uwsgi_params; uwsgi_modifier1 14; # Avoid duplicate headers confusing OC checks uwsgi_hide_header X-Frame-Options; uwsgi_hide_header X-XSS-Protection; uwsgi_hide_header X-Content-Type-Options; uwsgi_hide_header X-Robots-Tag; uwsgi_pass unix:/run/uwsgi/nextcloud.sock; }
Then create a config file for uWSGI:
/etc/uwsgi/nextcloud.ini
[uwsgi] ; load the required plugins plugins = php ; force the sapi name to 'apache', this will enable the opcode cache php-sapi-name = apache ; set master process name and socket ; '%n' refers to the name of this configuration file without extension procname-master = uwsgi %n master = true socket = /run/uwsgi/%n.sock ; drop privileges uid = nextcloud gid = nextcloud umask = 027 ; run with at least 1 process but increase up to 4 when needed processes = 4 cheaper = 1 ; reload whenever this config file changes ; %p is the full path of the current config file touch-reload = %p ; disable uWSGI request logging ;disable-logging = true ; enforce a DOCUMENT_ROOT php-docroot = /usr/share/webapps/%n ; limit allowed extensions php-allowed-ext = .php ; and search for index.php if required php-index = index.php ; set php configuration for this instance of php, no need to edit global php.ini php-set = date.timezone=Etc/UTC ;php-set = open_basedir=/tmp/:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom php-set = expose_php=false ; avoid security risk of leaving sessions in world-readable /tmp php-set = session.save_path=/usr/share/webapps/nextcloud/data ; port of php directives set upstream in /usr/share/webapps/nextcloud/.user.ini for use with PHP-FPM php-set = upload_max_filesize=513M php-set = post_max_size=513M php-set = memory_limit=512M php-set = output_buffering=off ; load all extensions only in this instance of php, no need to edit global php.ini ;; required core modules php-set = extension=gd php-set = extension=iconv ;php-set = extension=zip # enabled by default in global php.ini ;; database connectors ;; uncomment your selected driver ;php-set = extension=pdo_sqlite ;php-set = extension=pdo_mysql ;php-set = extension=pdo_pgsql ;; recommended extensions ;php-set = extension=curl # enabled by default in global php.ini php-set = extension=bz2 php-set = extension=intl ;; required for specific apps ;php-set = extension=ldap # for LDAP integration ;php-set = extension=ftp # for FTP storage / external user authentication ;php-set = extension=imap # for external user authentication, requires php-imap ;; recommended for specific apps ;php-set = extension=exif # for image rotation in pictures app, requires exiv2 ;php-set = extension=gmp # for SFTP storage ;; for preview generation ;; provided by packages in AUR ; php-set = extension=imagick ; opcache php-set = zend_extension=opcache ; user cache ; provided by php-acpu, to be enabled **either** here **or** in /etc/php/conf.d/apcu.ini php-set = extension=apcu ; per https://github.com/krakjoe/apcu/blob/simplify/INSTALL php-set = apc.ttl=7200 php-set = apc.enable_cli=1 ; web server is already handling URL rewriting, so tell NextCloud not to repeat this env = front_controller_active=true cron2 = minute=-15,unique=1 /usr/bin/php -f /usr/share/webapps/nextcloud/cron.php 1>/dev/null
- The open_basedir directive is optional and commented out. You can uncomment to harden security. Be aware that it may occasionally break things.
- Use
php-docroot = /usr/share/webapps
if placing nextcloud in /nextcloud subdirectory.
/etc/php/php.ini
. This means that none of the specific parameters defined (e.g. required modules) will be enabled, leading to various issues. One solution is to copy /etc/php/php.ini
to e.g. /etc/uwsgi/cron-php.ini
, make the required modifications there (mirroring /etc/uwsgi/nextcloud.ini
parameters) and referencing it in the cron directive by adding the -c /etc/uwsgi/cron-php.ini
option to php invocation.Activation[編輯 | 編輯原始碼]
uWSGI provides a template unit that allows to start and enable application using their configuration file name as instance identifier. For example, starting uwsgi@nextcloud.socket
would start it on demand referencing the configuration file /etc/uwsgi/nextcloud.ini
.
To enable the uwsgi service by default at start-up, enable uwsgi@nextcloud.socket
.
.socket
part to start and enable the service instead.See also UWSGI#Running uWSGI.
Synchronization[編輯 | 編輯原始碼]
Desktop[編輯 | 編輯原始碼]
The official client can be installed with the owncloud-client包 or nextcloud-client包 package. Alternative versions are available in the AUR: owncloud-client-gitAUR. Additional packages are needed for some features:
- Auto-login: All of them use qtkeychain-qt5包 to store and retrieve account-specific access tokens. To achieve auto-login when the client starts, one of optional dependencies of qtkeychain should be installed as well. Moreover, if you choose libsecret包 as the backend for qtkeychain, a service that provides org.freedesktop.secrets should be running when the client starts.
- File manager integration: for nextcloud-client包, integration with file managers (e.g., show Nextcloud folders in GTK+ file dialogs) requires another package nextcloud-client-cloudproviders包. owncloud-client包 already includes cloudproviders supports by default.
Calendar[編輯 | 編輯原始碼]
To access your Nextcloud calendars using Mozilla Thunderbird's Lightning calendar you would use the following URL:
https://ADDRESS/remote.php/caldav/calendars/USERNAME/CALENDARNAME
To access your Nextcloud calendars using CalDAV-compatible programs like Kontact or Evolution, you would use the following URL:
https://ADDRESS/remote.php/caldav
For details see the official documentation.
Contacts[編輯 | 編輯原始碼]
To sync contacts with Thunderbird, see these instructions[失效鏈接 2021-05-17 ⓘ] from the official doc.
Mounting files with davfs2[編輯 | 編輯原始碼]
If you want to mount your Nextcloud using WebDAV, install davfs2包 (as described in davfs2).
To mount your Nextcloud, use:
# mount -t davfs https://your_domain/nextcloud/remote.php/dav/files/username/ /path/to/mount
You can also create an entry for this in /etc/fstab
/etc/fstab
https://your_domain/nextcloud/remote.php/dav/files/username/ /path/to/mount davfs rw,user,noauto 0 0
Mounting files in GNOME Files (Nautilus)[編輯 | 編輯原始碼]
You can access the files directly in Nautilus ('+ Other Locations') through WebDAV protocol - use the link as shown in your Nextcloud installation Web GUI (typically: https://example.org/remote.php/webdav/[失效鏈接 2021-05-17 ⓘ]) but replace the protocol name from 'https' to 'davs'. Nautilus will ask for user name and password when trying to connect.
Android[編輯 | 編輯原始碼]
Download the official Nextcloud app from Google Play or F-Droid.
To enable contacts and calendar sync (Android 4+):
- download DAVx5 (Play Store, F-Droid)
- Enable mod_rewrite.so in httpd.conf
- create a new DAVdroid account in the Account settings, and specify your "short" server address and login/password couple, e.g.
https://cloud.example.com
(there is no need for the/remote.php/{carddav,webdav}
part if you configured your web server with the proper redirections, as illustrated previously in the article; DAVdroid will find itself the right URLs)
iOS[編輯 | 編輯原始碼]
Download the official Nextcloud app from the App Store.
Tips and tricks[編輯 | 編輯原始碼]
Using the ownCloud console[編輯 | 編輯原始碼]
A useful tool for server administration is occ
, documented here. You can perform many common server operations with occ, such as managing users and configuring apps.
/usr/share/webapps/nextcloud/occ
is provided with /usr/bin/occ
, which automatically runs as the default user (nextcloud
), using the default PHP and PHP configuration file.
The environment variables NEXTCLOUD_USER
, NEXTCLOUD_PHP
and NEXTCLOUD_PHP_CONFIG
can be used to specify a non-default user, PHP executable and PHP configuration file (respectively).apc.enable_cli=1
in /etc/php/conf.d/apcu.ini
, as the occ
command will otherwise run out of memory (FS#69726).Pacman hook[編輯 | 編輯原始碼]
To automatically upgrade the Nextcloud database on package update, you can make use of the included pacman hook:
# mkdir -vp /etc/pacman.d/hooks # ln -sv /usr/share/doc/nextcloud/nextcloud.hook /etc/pacman.d/hooks/
php.ini
is used for the application.Running Nextcloud in a subdirectory[編輯 | 編輯原始碼]
By including the default nextcloud.conf
in httpd.conf
, Nextcloud will take control of port 80 and your localhost domain.
If you would like to have Nextcloud run in a subdirectory, then
For apache, edit the /etc/httpd/conf/extra/nextcloud.conf
you included and comment out the <VirtualHost *:80> ... </VirtualHost>
part of the include file.
For nginx, you can use the following config when using Nextcloud with uwsgi:
/etc/nginx/conf.d/nextcloud.conf
location = /.well-known/carddav { return 301 $scheme://$host/nextcloud/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host/nextcloud/remote.php/dav; } location /.well-known/acme-challenge { } location ^~ /nextcloud { root /usr/share/webapps; # set max upload size client_max_body_size 512M; fastcgi_buffers 64 4K; # Disable gzip to avoid the removal of the ETag header gzip off; # Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off; location /nextcloud { rewrite ^ /nextcloud/index.php$uri; } location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) { try_files $uri/ =404; index index.php; } location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) { include uwsgi_params; uwsgi_modifier1 14; # Avoid duplicate headers confusing OC checks uwsgi_hide_header X-Frame-Options; uwsgi_hide_header X-XSS-Protection; uwsgi_hide_header X-Content-Type-Options; uwsgi_hide_header X-Robots-Tag; uwsgi_pass unix:/run/uwsgi/owncloud.sock; } # Adding the cache control header for js and css files # Make sure it is BELOW the PHP block location ~* \.(?:css|js) { try_files $uri /nextcloud/index.php$uri$is_args$args; add_header Cache-Control "public, max-age=7200"; # Add headers to serve security related headers (It is intended # to have those duplicated to the ones above) # Before enabling Strict-Transport-Security headers please read # into this topic first. # add_header Strict-Transport-Security "max-age=15768000; # includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; # Optional: Do not log access to assets access_log off; } location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg) { try_files $uri /nextcloud/index.php$uri$is_args$args; # Optional: Do not log access to other assets access_log off; } }
.well-known
URLs for service discovery. For more information please see General troubleshooting and service discovery section of Nextcloud documentation. Docker[編輯 | 編輯原始碼]
See the ownCloud or Nextcloud repository for Docker.
[編輯 | 編輯原始碼]
shareLinkCreator provides the ability to upload a file to OwnCloud via a supported file manager and receive a link to the uploaded file which can then be emailed or shared in another way.
Defining Background Jobs[編輯 | 編輯原始碼]
Nextcloud requires scheduled execution of some tasks, and by default it achieves this by using AJAX, however AJAX is the least reliable method, and it is recommended to use Cron instead. However, Arch Linux ships with systemd包, so the preferred way of executing scheduled tasks is a systemd timer.
Manual install[編輯 | 編輯原始碼]
First create a service:
/etc/systemd/system/nextcloudcron.service
[Unit] Description=Nextcloud cron.php job [Service] User=nextcloud ExecStart=/usr/bin/php -f /usr/share/webapps/nextcloud/cron.php [Install] WantedBy=basic.target
Then create a timer for that service:
/etc/systemd/system/nextcloudcron.timer
[Unit] Description=Run Nextcloud cron.php every 5 minutes [Timer] OnBootSec=5min OnUnitActiveSec=5min Unit=nextcloudcron.service [Install] WantedBy=timers.target
Activate timer[編輯 | 編輯原始碼]
Start/enable nextcloudcron.timer
.
Confirm that it is running by running
# systemctl list-timers
AUR package[編輯 | 編輯原始碼]
Install nextcloud-systemd-timersAUR.
Provided services can be checked with:
$ pacman -Ql nextcloud-systemd-timers
For instance, to run the cron.php
script every 5 minutes:
# systemctl start nextcloud-cron.timer # systemctl enable nextcloud-cron.timer
Collabora Online Office integration[編輯 | 編輯原始碼]
Solution with Docker[編輯 | 編輯原始碼]
The first, install a docker包 package to provide collabora files and setup a Collabora server.
Start/enable docker.service
.
Then, download the official Docker image:
# docker pull collabora/code
And, installing a Collabora server. Make sure cloud//.example//.com
is your nextcloud's domain, not a collabora :
# docker run -t -d -p 127.0.0.1:9980:9980 -e "domain=cloud\\.example\\.com" --restart always --cap-add MKNOD collabora/code
Also make sure to escape all dots with double backslashes (\), since this string will be evaluated as a regular expression (and your bash 'eats' the first backslash.) If you want to use the docker container with more than one Nextcloud, you will need to use 'domain=cloud\\.example\\.com\|second\\.example\\.com' instead. (All hosts are separated by \|.) When using `localhost` as domain for testing you need to add --net host
to ensure the docker container can access your Nextcloud server.
If you need to delete or reinstall Collabora server use:
For recognition CONTAINER_ID of server
# docker ps
Stop and delete
# docker stop CONTAINER_ID # docker rm CONTAINER_ID
Futher, follow the instruction of webserver you are using:
Nginx setup example:
Add following to your nextcloud domain config or add new config file in /etc/nginx/conf.d/ directory, (Do not forget to change office.example.com
and ssl_certificate
to the right values. If you are using docker image, change http
to https
.)
/etc/nginx/conf.d/example.conf
upstream office.example.com { server 127.0.0.1:9980; } server { listen 443 ssl; server_name office.example.com; ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem; # static files location ^~ /loleaflet { proxy_pass http://127.0.0.1:9980; proxy_set_header Host $host; } # WOPI discovery URL location ^~ /hosting/discovery { proxy_pass http://127.0.0.1:9980; proxy_set_header Host $host; } # Main websocket location ~ /lool/(.*)/ws$ { proxy_pass http://127.0.0.1:9980; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; proxy_read_timeout 36000s; } # Admin Console websocket location ^~ /lool/adminws { proxy_buffering off; proxy_pass http://127.0.0.1:9980; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; proxy_read_timeout 36000s; } # download, presentation and image upload location ~ /lool { proxy_pass http://127.0.0.1:9980; proxy_set_header Host $host; } location ^~ /hosting/capabilities { proxy_pass http://localhost:9980; proxy_set_header Host $http_host; } }
Restart a nginx:
# nginx -s reload
or restart nginx.service
.
Apache setup example:
Add following to nextcloud config file. Do not forget to change to the right values
/etc/httpd/conf/extra/nextcloud.conf
<VirtualHost *:443> ServerName office.nextcloud.com:443 # SSL configuration, you may want to take the easy route instead and use Lets Encrypt! SSLEngine on SSLCertificateFile /path/to/signed_certificate SSLCertificateChainFile /path/to/intermediate_certificate SSLCertificateKeyFile /path/to/private/key SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder on # Encoded slashes need to be allowed AllowEncodedSlashes NoDecode # Container uses a unique non-signed certificate SSLProxyEngine On SSLProxyVerify None SSLProxyCheckPeerCN Off SSLProxyCheckPeerName Off # keep the host ProxyPreserveHost On # static html, js, images, etc. served from loolwsd # loleaflet is the client part of LibreOffice Online ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0 ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet # WOPI discovery URL ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0 ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery # Main websocket ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon # Admin Console websocket ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws # Download as, Fullscreen presentation and Image upload operations ProxyPass /lool https://127.0.0.1:9980/lool ProxyPassReverse /lool https://127.0.0.1:9980/lool </VirtualHost>
After configuring these do restart your apache by restarting httpd.service
.
Install the Nextcloud app
Go to the Apps section and choose 「Office & Text」, install the 「Collabora Online」 app. In admin panel select Collabora Online tab and specific the server's domain you have setup before.
Solution without Docker[編輯 | 編輯原始碼]
The collabora-online-server-nodockerAUR package provides the Collabora Office (the desktop suite) and the 「CODE」 (Collabora Online Development Edition) server, which is based on 「lool」 (LibreOffice OnLine).
Alter the /etc/loolwsd/loolwsd.xml
file, so that:
config > server_name
contains the host and port of the public Nextcloud address, separated by a colon (e.g.example.org:443
),config > ssl > enable
is false (i.e. web browser —HTTPS→ proxy —HTTP→ loolwsd),config > ssl > termination
is true (I suppose you’ll manage TLS at the proxy level),config > storage > wopi > host
reflects the actual hostname (or pattern) of the proxy server (e.g.(?:.*\.)?example\.org
),config > admin_console > username
andconfig > admin_console > password
are set to values of your choice.
Then:
- start and enable
loolwsd.service
; - configure Nginx by creating a server block including
/etc/nginx/snippets/loolwsd.conf
, and restart it. Example with SSL (changeoffice.example.com
andssl_certificate
to the right values):
/etc/nginx/conf.d/example.conf
server { listen 443 ssl; server_name office.example.com; ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem; include snippets/loolwsd.conf; }
- in Nextcloud, install the "Collabora Online" app. In the admin panel select the Collabora Online tab and specify the server domain name you have just set up.
Disabling app recommendations[編輯 | 編輯原始碼]
By default, nextcloud reccomends apps to new clients, which can result in a lot of notifications. To disable this, disable the recommendation app using occ
.
Troubleshooting[編輯 | 編輯原始碼]
By default, the logs of the web application are available in /var/log/nextcloud/nextcloud.log
.
Issues with permissions and setup after upgrade to >= 21.0.0[編輯 | 編輯原始碼]
http
user. This is a security concern in regards to cross-application access of this user (it has access to all data of all web applications).Since version 21.0.0 nextcloud more closely follows the web application package guidelines. This introduces the separate user nextcloud
, as which the web application is run.
After an upgrade from nextcloud < 21.0.0 make sure that
- neither the data directory[損壞的鏈接:無效的章節] nor the writable apps directory[損壞的鏈接:無效的章節] is located below
/usr/share/webapps/nextcloud/
, as that directory is owned byroot
- both the data directory[損壞的鏈接:無效的章節] and the writable apps directory[損壞的鏈接:無效的章節], alongside all files beneath them are writable and owned by the
nextcloud
user - the web application configuration file resides in
/etc/webapps/nextcloud/config/
and that that directory and its contents are writable and owned by thenextcloud
user - an application server, such as php-fpm包 or UWSGI is configured to run the web application as the
nextcloud
user and not thehttp
user - update the cron job/systemd timer to run with the new user
Environment variables not available[編輯 | 編輯原始碼]
Uncomment the line in /etc/php/php-fpm.d/www.conf
as per Nextcloud documentation:
env[PATH] = /usr/local/bin:/usr/bin:/bin
Self-signed certificate not accepted[編輯 | 編輯原始碼]
ownCloud uses Wikipedia:cURL and Wikipedia:SabreDAV to check if WebDAV is enabled. If you use SSL/TLS with a self-signed certificate, e.g. as shown in LAMP, and access ownCloud's admin panel, you will see the following error message:
Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.
Assuming that you followed the LAMP tutorial, execute the following steps:
Create a local directory for non-distribution certificates and copy LAMPs certificate there. This will prevent ca-certificates
-updates from overwriting it.
# cp /etc/httpd/conf/server.crt /usr/share/ca-certificates/WWW.EXAMPLE.COM.crt
Add WWW.EXAMPLE.COM.crt to /etc/ca-certificates.conf
:
WWW.EXAMPLE.COM.crt
Now, regenerate your certificate store:
# update-ca-certificates
Restart the httpd service to activate your certificate.
Self-signed certificate for Android devices[編輯 | 編輯原始碼]
Once you have followed the setup for SSL, as on Apache HTTP Server#TLS for example, early versions of DAVdroid will reject the connection because the certificate is not trusted. A certificate can be made as follows on your server:
# openssl x509 -req -days 365 -in /etc/httpd/conf/server.csr -signkey /etc/httpd/conf/server.key -extfile android.txt -out CA.crt # openssl x509 -inform PEM -outform DER -in CA.crt -out CA.der.crt
The file android.txt
should contain the following:
basicConstraints=CA:true
Then import CA.der.crt
to your Android device:
Put the CA.der.crt
file onto the sdcard of your Android device (usually to the internal one, e.g. save from a mail attachment).
It should be in the root directory. Go to Settings > Security > Credential storage and select Install from device storage.
The .crt
file will be detected and you will be prompted to enter a certificate name. After importing the certificate,
you will find it in Settings > Security > Credential storage > Trusted credentials > User.
Thanks to: [4]
Another way is to import the certificate directly from your server via CAdroid[失效鏈接 2020-04-01 ⓘ] and follow the instructions there.
Cannot write into config directory![編輯 | 編輯原始碼]
If you have set open_basedir
in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf
), make sure that it includes /etc/webapps
.
Restart the web server to apply the change.
If you are getting this error after an upgrade from Nextcloud 17 to Nextcloud 18, also see #Explicitly permit Nextcloud directories for php-fpm[損壞的鏈接:無效的章節].
Cannot create data directory[編輯 | 編輯原始碼]
If you have set open_basedir
in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf
), make sure that it includes the data directory.
Restart the web server to apply the change.
CSync failed to find a specific file.[編輯 | 編輯原始碼]
This is most likely a certificate issue. Recreate it, and do not leave the common name empty or you will see the error again.
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt
Seeing white page after login[編輯 | 編輯原始碼]
The cause is probably a new app that you installed. To fix that, you can use the occ command as described here. So with
sudo -u http php /usr/share/webapps/nextcloud/occ app:list
you can list all apps (if you installed nextcloud in the standard directory), and with
sudo -u http php /usr/share/webapps/nextcloud/occ app:disable <nameOfExtension>
you can disable the troubling app.
Alternatively, you can either use phpMyAdmin to edit the oc_appconfig
table (if you got lucky and the table has an edit option), or do it by hand with mysql:
mysql -u root -p owncloud MariaDB [owncloud]> delete from oc_appconfig where appid='<nameOfExtension>' and configkey='enabled' and configvalue='yes'; MariaDB [owncloud]> insert into oc_appconfig (appid,configkey,configvalue) values ('<nameOfExtension>','enabled','no');
This should delete the relevant configuration from the table and add it again.
GUI sync client fails to connect[編輯 | 編輯原始碼]
If using HTTP basic authentication, make sure to exclude "status.php", which must be publicly accessible. [5]
GUI tray icon disappears, but client still running in the background[編輯 | 編輯原始碼]
After waking up from a suspended state, the Nextcloud client tray icon may disappear from the system tray. A workaround is to delay the startup of the client, as noted here. This can be done with the .desktop file, for example:
.local/share/applications/nextcloud.desktop
... Exec=bash -c 'sleep 5 && nextcloud' ...
Some files upload, but give an error 'Integrity constraint violation...'[編輯 | 編輯原始碼]
You may see the following error in the ownCloud sync client:
SQLSTATE[23000]: Integrity constraint violation: ... Duplicate entry '...' for key 'fs_storage_path_hash')...
This is caused by an issue with the File Locking app, which is often not sufficient to keep conflicts from occurring on some webserver configurations.
A more complete Transactional File Locking
is available that rids these errors, but you must be using the Redis php-caching method. Install redis包 and php-redis包, comment out
your current php-cache mechanism, and then in /etc/php/conf.d/redis.ini
uncomment extension=redis
.
Then in config.php
make the following changes:
'memcache.local' => '\OC\Memcache\Redis', 'filelocking.enabled' => 'true', 'memcache.locking' => '\OC\Memcache\Redis', 'redis' => array( 'host' => 'localhost', 'port' => 6379, 'timeout' => 0.0, ),
and start/enable redis.service
.
Finally, disable the File Locking App, as the Transational File Locking will take care of it (and would conflict).
If everything is working, you should see 'Transactional File Locking Enabled' under Server Status on the Admin page, and syncs should no longer cause issues.
"Cannot write into apps directory"[編輯 | 編輯原始碼]
As mentioned in the official admin manual,
either you need an apps directory that is writable by the http user, or you need to set appstoreenabled
to false
.
If you have set open_basedir
in your PHP/web server configuration file (e.g. /etc/httpd/conf/extra/nextcloud.conf
), it may be necessary to add your /path/to/data directory to the string on the line starting with php_admin_value open_basedir
:
/etc/httpd/conf/extra/nextcloud.conf
php_admin_value open_basedir "/path/to/data/:/srv/http/:/dev/urandom:/tmp/:/usr/share/pear/:/usr/share/webapps/nextcloud/:/etc/webapps/nextcloud"
Installed apps get blocked because of MIME type error[編輯 | 編輯原始碼]
If you are putting your apps folder outside of the nextcloud installation directory make sure your webserver serves it properly.
In nginx this is accomplished by adding a location block to the nginx configuration as the folder will not be included in it by default.
location ~ /apps2/(.*)$ { alias /var/www/nextcloud/apps/$1; }
CSS and JS resources blocked due to MIME type error[編輯 | 編輯原始碼]
If you load your Nextcloud web gui and it's missing styles etc. check the browser's console logs for lines like:
The resource from “https://example.com/core/css/guest.css?v=72c34c37-0” was blocked due to MIME type (“text/plain”) mismatch (X-Content-Type-Options: nosniff).
There are a few possible reasons, possibly you have not included any mime types in your nginx.conf
add the following to nginx.conf
types_hash_max_size 2048; types_hash_bucket_size 128; include mime.types;
Here we use the mime.types
provided by mailcap包, due to the large number of types included we increase the allowed size of the types hash.
Other possible reasons for these errors are missing permissions on the files. Make sure the files are owned by http:http
and can be read and written to by this user.
Security warnings even though the recommended settings have been included in nginx.conf[編輯 | 編輯原始碼]
At the top of the admin page there might be a warning to set the Strict-Transport-Security
, X-Content-Type-Options
,
X-Frame-Options
, X-XSS-Protection
and X-Robots-Tag
according to https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/harden_server.html[失效鏈接 2020-04-01 ⓘ]
even though they are already set like that.
A possible cause could be that because owncloud sets those settings, uwsgi passed them along and nginx added them again:
$ curl -I https://domain.tld
... X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Frame-Options: Sameorigin X-Robots-Tag: none Strict-Transport-Security: max-age=15768000; includeSubDomains; preload; X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Robots-Tag: none
While the fast_cgi sample config has a parameter to avoid that ( fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
), when using uwsgi and nginx the following modification of the uwsgi part in nginx.conf could help:
/etc/nginx/nginx.conf
... # pass all .php or .php/path urls to uWSGI location ~ ^(.+\.php)(.*)$ { include uwsgi_params; uwsgi_modifier1 14; # hode following headers received from uwsgi, because otherwise we would send them twice since we already add them in nginx itself uwsgi_hide_header X-Frame-Options; uwsgi_hide_header X-XSS-Protection; uwsgi_hide_header X-Content-Type-Options; uwsgi_hide_header X-Robots-Tag; uwsgi_hide_header X-Frame-Options; #Uncomment line below if you get connection refused error. Remember to commet out line with "uwsgi_pass 127.0.0.1:3001;" below uwsgi_pass unix:/run/uwsgi/owncloud.sock; #uwsgi_pass 127.0.0.1:3001; } ...
"Reading from keychain failed with error: 'No keychain service available'"[編輯 | 編輯原始碼]
Can be fixed for Gnome by installing the following 2 packages, libgnome-keyring包 and gnome-keyring包. Or the following for KDE, libgnome-keyring包 and qtkeychain-qt5包.
FolderSync: "Method Not Allowed"[編輯 | 編輯原始碼]
FolderSync needs access to /owncloud/remote.php/webdav
, so you could create another alias for owncloud in your /etc/httpd/conf/extra/nextcloud.conf
<IfModule mod_alias.c> Alias /nextcloud /usr/share/webapps/nextcloud/ Alias /owncloud /usr/share/webapps/nextcloud/ </IfModule>