virtualisation:nextcloud [2018/02/27 14:16] buettner |
virtualisation:nextcloud [2018/03/01 09:19] (current) buettner |
Line 1: | Line 1: | ||
- | ====How to setup Nextcloud on a NB2800 router==== | + | ======How to setup Nextcloud on a NB2800 router====== |
This article describes how to setup a Nextcloud server on your NB2800 router. | This article describes how to setup a Nextcloud server on your NB2800 router. | ||
- | [[https://nextcloud.com/|Nextcloud]] is a free and open source cloud hosting software. It lets you easily provide files for and share them with others, and lets you customize your cloud with a lot of tools and additional apps. | + | [[https://nextcloud.com/|Nextcloud]] is a free and open source cloud hosting software. It lets you easily share your files with others, hosts your own calenders and contact lists and lets you customize your cloud with a lot of tools and additional apps. |
===Preparations=== | ===Preparations=== | ||
- | |||
- | All basic preparations made are described in this article: [[http://wiki.netmodule.com/virtualisation/file-server | How to set up a NB2800 File Server ]] | ||
If you need instructions on how to set up a LXC Container on NB2800 Routers, you can refer to this page: http://wiki.netmodule.com/app-notes/virtualisation. | If you need instructions on how to set up a LXC Container on NB2800 Routers, you can refer to this page: http://wiki.netmodule.com/app-notes/virtualisation. | ||
+ | |||
+ | The first step you should take is to give your router a static IP adress. For this, use | ||
+ | <code> | ||
+ | nano /etc/network/interfaces | ||
+ | </code> | ||
+ | and set up a static IP configuration for your primary interface. In this example, the configuration for the eth0 interface looks like this: | ||
+ | <konsole> | ||
+ | auto eth0 | ||
+ | iface eth0 inet static | ||
+ | address 192.168.1.50 | ||
+ | netmask 255.255.255.0 | ||
+ | network 192.168.1.0 | ||
+ | broadcast 192.168.1.255 | ||
+ | gateway 192.168.1.105 | ||
+ | dns-nameservers 192.168.1.105 | ||
+ | </konsole> | ||
+ | |||
+ | After that, use | ||
+ | <code> | ||
+ | apt-get update | ||
+ | apt-get upgrade | ||
+ | </code> | ||
+ | to bring your system up to date. | ||
+ | |||
+ | If your network setup doesn't include a domain you could use on your router, you can easily create one you can use to access your file server. | ||
+ | |||
+ | For this, get access to the routers web interface and go to Services -> DNS Server. Under "Static Hosts" , click on the plus symbol to add a new domain name. | ||
+ | |||
+ | Now enter the IP address and the domain name you want it linked to and click "Apply" | ||
+ | {{ :virtualisation:local_domain_lxc2.png?nolink&600 |}} | ||
+ | |||
+ | |||
+ | After this, your configuration should look like this: | ||
+ | |||
+ | {{ :virtualisation:local_domain_lxc.png?nolink&600 |}} | ||
+ | |||
+ | Now you can access the file server with both its IP address a its local domain name. | ||
+ | |||
===Installations=== | ===Installations=== | ||
- | Before Nextcloud can be installed, some other programs need to be installed and set up. In the first step, enter | + | Before Nextcloud can be installed, a web server (here: Nginx), a SQL program (here: MariaDB) and PHP need to be installed and set up. In the first step, install these programs by entering |
<code> | <code> | ||
+ | apt-get update | ||
apt-get install nginx mariadb-client mariadb-server php7.0-common php7.0-fpm php7.0-cli php7.0-json php7.0-mysql php7.0-curl php7.0-intl php7.0-mcrypt php-pear php7.0-gd php7.0-zip php7.0-xml php7.0-mbstring php7.0-apcu | apt-get install nginx mariadb-client mariadb-server php7.0-common php7.0-fpm php7.0-cli php7.0-json php7.0-mysql php7.0-curl php7.0-intl php7.0-mcrypt php-pear php7.0-gd php7.0-zip php7.0-xml php7.0-mbstring php7.0-apcu | ||
</code> | </code> | ||
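Review bot: the new Preparations text still refers to "your file server" (lines "you can easily create one you can use to access your file server" and "Now you can access the file server with both its IP address a its local domain name") although the link to the file-server article was removed in this revision and the page is about Nextcloud; either restore the cross-reference or say "the Nextcloud container" there. It is also unclear whether `nano /etc/network/interfaces` is run on the router itself or inside the LXC container; the sentence says "give your router a static IP", but the later `root@LXC_MEDIA:/# nginx -t` prompt suggests the container, so name the host explicitly. Minor spelling in the added text: "adress" should be "address", "calenders" should be "calendars", and "a its local domain name" should be "and its local domain name".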
Line 25: | Line 62: | ||
===Configuring PHP=== | ===Configuring PHP=== | ||
- | For setting up PHP, several values in three files have to be edited. First, go to /etc/php/7.0/fpm/pool.d/www.conf and edit the following values (Note: all values described here have to be edited, decommented or added): | + | For setting up PHP, several values in three files have to be edited. First, go to /etc/php/7.0/fpm/pool.d/www.conf and edit the following values (Note: all values described here have to be edited, decommented, or added): |
<code c /etc/php/7.0/fpm/pool.d/www.conf> | <code c /etc/php/7.0/fpm/pool.d/www.conf> | ||
user = www-data | user = www-data | ||
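Review bot: `<code c /etc/php/7.0/fpm/pool.d/www.conf>` applies C syntax highlighting to an INI-style file; `<code ini /etc/php/7.0/fpm/pool.d/www.conf>` would render `user = www-data` and the commented-out values correctly and makes it clearer to readers that these are php-fpm pool settings, not C code.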
Line 63: | Line 100: | ||
===Configuring MariaDB=== | ===Configuring MariaDB=== | ||
- | First, you have to finish the MariDB installation: | + | First, you have to finish the MariaDB installation: |
<code> | <code> | ||
mysql_secure_installation | mysql_secure_installation | ||
Line 73: | Line 110: | ||
service mysql restart | service mysql restart | ||
</code> | </code> | ||
- | Now you have to create a new MariaDB user which is only needed for Nextcloud access. To enter the MariaDB editing shell, enter | + | Now you have to create a new MariaDB database and an user which is only needed for Nextcloud access. To enter the MariaDB shell, enter |
<code> | <code> | ||
mysql -u root -p | mysql -u root -p | ||
Line 81: | Line 118: | ||
create database nextcloud_db; | create database nextcloud_db; | ||
</code> | </code> | ||
- | Now create a new MariaDB-user with a password which can access the "nextcloud_db": | + | Now create a new MariaDB user with a password which can access the "nextcloud_db": |
<code> | <code> | ||
create user 'user'@localhost identified by 'password'; | create user 'user'@localhost identified by 'password'; | ||
Line 87: | Line 124: | ||
Note that you have to enter your own credentials for 'user' and 'password'. | Note that you have to enter your own credentials for 'user' and 'password'. | ||
- | Now all necessary right have to be granted to this new user: | + | Now all necessary rights have to be granted to this new user: |
<code> | <code> | ||
grant all privileges on nextcloud_db.* to 'user'@localhost; | grant all privileges on nextcloud_db.* to 'user'@localhost; | ||
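Review bot: the placeholders 'user' and 'password' appear both in `create user 'user'@localhost identified by 'password';` and in `grant all privileges on nextcloud_db.* to 'user'@localhost;`, but the sentence "Note that you have to enter your own credentials" only follows the first statement; say that the same name must be substituted in the grant as well, or use an obviously non-literal placeholder such as `<nc_user>` in both. Keep the grant scoped to `nextcloud_db.*` as written rather than widening it to `*.*`, since this account is only meant for Nextcloud. Grammar in the new text: "an user" should read "a user".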
Line 114: | Line 151: | ||
First, go to /etc/nginx/nginx.conf and edit the following three lines: | First, go to /etc/nginx/nginx.conf and edit the following three lines: | ||
<code c /etc/nginx/nginx.conf> | <code c /etc/nginx/nginx.conf> | ||
- | überprüfen ob user = www-data | + | user = www-data |
- | überprüfen ob worker_process = auto | + | worker_process = auto |
- | in html-Block: server_tokens off | + | server_tokens off |
</code> | </code> | ||
Line 127: | Line 164: | ||
nano /etc/nginx/sites-available/default | nano /etc/nginx/sites-available/default | ||
</code> | </code> | ||
- | This new file has to be filled with this code: | + | This new file has to be filled with this code (All passages that need to be edited are marked in the code): |
<code c /etc/nginx/sites-available/default> | <code c /etc/nginx/sites-available/default> | ||
upstream php-handler { | upstream php-handler { | ||
Line 135: | Line 172: | ||
server { | server { | ||
listen 80; | listen 80; | ||
- | server_name mediacontainer.local; //an aktuellen Domainnamen anpassen | + | server_name mediacontainer.local; //* edit to own domain name *// |
# enforce https | # enforce https | ||
return 301 https://$server_name$request_uri; | return 301 https://$server_name$request_uri; | ||
Line 142: | Line 179: | ||
server { | server { | ||
listen 443 ssl http2; | listen 443 ssl http2; | ||
- | server_name mediacontainer.local; //an aktuellen Domainnamen anpassen | + | server_name mediacontainer.local; //* edit to own domain name *// |
- | ssl_certificate /home/User/CA/cert.pem; c und Dateinamen anpassen | + | ssl_certificate /home/NCUser/CA/cacert.pem; //* edit to own files and directorys *// |
- | ssl_certificate_key /home/User/CA/private/cakey.pem; //an aktuellen Pfad und Dateinamen anpassen | + | ssl_certificate_key /home/NCUser/CA/private/cakey.pem; //* edit to own files and directorys *// |
# Add headers to serve security related headers | # Add headers to serve security related headers | ||
Line 165: | Line 202: | ||
# Path to the root of your installation | # Path to the root of your installation | ||
- | root /var/www/nextcloud/; upstream php-handler { | + | root /var/www/nextcloud/; //* edit to own directory *// |
- | server unix:/run/php/php7.0-fpm.sock; | + | |
- | } | + | |
- | + | ||
- | server { | + | |
- | listen 80; | + | |
- | server_name mediacontainer.local; //an aktuellen Domainnamen anpassen | + | |
- | # enforce https | + | |
- | return 301 https://$server_name$request_uri; | + | |
- | } | + | |
- | + | ||
- | server { | + | |
- | listen 443 ssl http2; | + | |
- | server_name mediacontainer.local; //an aktuellen Domainnamen anpassen | + | |
- | + | ||
- | ssl_certificate /home/User/CA/cacert.pem; //an aktuellen Pfad und Dateinamen anpassen | + | |
- | ssl_certificate_key /home/User/CA/private/cakey.pem; //an aktuellen Pfad und Dateinamen anpassen | + | |
- | + | ||
- | # Add headers to serve security related headers | + | |
- | # Before enabling Strict-Transport-Security headers please read into this | + | |
- | # topic first. | + | |
- | add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always; | + | |
- | # includeSubDomains; preload;"; | + | |
- | # | + | |
- | # WARNING: Only add the preload option once you read about | + | |
- | # the consequences in https://hstspreload.org/. This option | + | |
- | # will add the domain to a hardcoded list that is shipped | + | |
- | # in all major browsers and getting removed from this list | + | |
- | # could take several months. | + | |
- | add_header X-Content-Type-Options nosniff; | + | |
- | add_header X-XSS-Protection "1; mode=block"; | + | |
- | add_header X-Robots-Tag none; | + | |
- | add_header X-Download-Options noopen; | + | |
- | add_header X-Permitted-Cross-Domain-Policies none; | + | |
- | + | ||
- | # Path to the root of your installation | + | |
- | root /var/www/nextcloud/; upstream php-handler { | + | |
- | server unix:/run/php/php7.0-fpm.sock; | + | |
- | } | + | |
- | + | ||
- | server { | + | |
- | listen 80; | + | |
- | server_name mediacontainer.local; //an aktuellen Domainnamen anpassen | + | |
- | # enforce https | + | |
- | return 301 https://$server_name$request_uri; | + | |
- | } | + | |
- | + | ||
- | server { | + | |
- | listen 443 ssl http2; | + | |
- | server_name mediacontainer.local; //an aktuellen Domainnamen anpassen | + | |
- | + | ||
- | ssl_certificate /home/User/CA/cacert.pem; //an aktuellen Pfad und Dateinamen anpassen | + | |
- | ssl_certificate_key /home/User/CA/private/cakey.pem; //an aktuellen Pfad und Dateinamen anpassen | + | |
- | + | ||
- | # Add headers to serve security related headers | + | |
- | # Before enabling Strict-Transport-Security headers please read into this | + | |
- | # topic first. | + | |
- | add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always; | + | |
- | # includeSubDomains; preload;"; | + | |
- | # | + | |
- | # WARNING: Only add the preload option once you read about | + | |
- | # the consequences in https://hstspreload.org/. This option | + | |
- | # will add the domain to a hardcoded list that is shipped | + | |
- | # in all major browsers and getting removed from this list | + | |
- | # could take several months. | + | |
- | add_header X-Content-Type-Options nosniff; | + | |
- | add_header X-XSS-Protection "1; mode=block"; | + | |
- | add_header X-Robots-Tag none; | + | |
- | add_header X-Download-Options noopen; | + | |
- | add_header X-Permitted-Cross-Domain-Policies none; | + | |
- | + | ||
- | # Path to the root of your installation | + | |
- | root /var/www/nextcloud/; //an aktuellen Pfad anpassen | + | |
location = /robots.txt { | location = /robots.txt { | ||
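Review bot: the three nginx.conf lines in the new text are not valid nginx syntax and `nginx -t` will reject them: nginx directives have no `=` and the worker directive is plural, so they should read `user www-data;`, `worker_processes auto;` and `server_tokens off;`, with `server_tokens off;` placed inside the `http { }` block (the removed German text said "in html-Block", meaning the http block; that placement hint was lost in translation). Likewise the `//* edit to own domain name *//` and `//* edit to own files and directorys *//` annotations in the sites-available file are not nginx comments; nginx only knows `#` comments, so a reader who pastes the block verbatim gets an "unknown directive" error. Either convert them to `# edit to own domain name` or state above the block that they must be removed. "directorys" should be "directories". One caveat on the certificate lines: `ssl_certificate /home/NCUser/CA/cacert.pem;` and `ssl_certificate_key /home/NCUser/CA/private/cakey.pem;` name the CA's own certificate and key; if those really are the CA files rather than a server certificate issued by that CA, the CA private key is kept on the web server and browsers are presented with a CA certificate instead of a server certificate. The text should point to a server key pair signed by the CA and note that the key file must stay readable by root only.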
Line 336: | Line 301: | ||
} | } | ||
} | } | ||
+ | </code> | ||
- | location = /robots.txt { | + | Now you can test your Nginx configuration by entering |
- | allow all; | + | <code> |
- | log_not_found off; | + | nginx -t |
- | access_log off; | + | </code> |
- | } | + | |
- | # The following 2 rules are only needed for the user_webfinger app. | + | <konsole> |
- | # Uncomment it if you're planning to use this app. | + | root@LXC_MEDIA:/# nginx -t |
- | #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; | + | nginx: the configuration file /etc/nginx/nginx.conf syntax is ok |
- | #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json | + | nginx: configuration file /etc/nginx/nginx.conf test is successful |
- | # last; | + | </konsole> |
- | location = /.well-known/carddav { | + | If no error occurs, restart Nginx with |
- | return 301 $scheme://$host/remote.php/dav; | + | <code> |
- | } | + | service nginx restart |
- | location = /.well-known/caldav { | + | </code> |
- | return 301 $scheme://$host/remote.php/dav; | + | |
- | } | + | |
- | # set max upload size | ||
- | client_max_body_size 512M; | ||
- | fastcgi_buffers 64 4K; | ||
- | # Enable gzip but do not remove ETag headers | + | ===Nextcloud Download and Installation=== |
- | gzip on; | + | |
- | gzip_vary on; | + | |
- | gzip_comp_level 4; | + | |
- | gzip_min_length 256; | + | |
- | gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; | + | |
- | gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; | + | |
- | # Uncomment if your server is build with the ngx_pagespeed module | + | First, download the Nextcloud installation file from the Nextcloud homepage. Before downloading the file, you should visit the [[https://nextcloud.com/install/#instructions-server|Nextcloud download page]] to check for the newest version. |
- | # This module is currently not supported. | + | <code> |
- | #pagespeed off; | + | wget https://download.nextcloud.com/server/releases/nextcloud-13.0.0.tar.bz2 |
+ | </code> | ||
+ | After the download finished, extract the file to its directory: | ||
+ | <code> | ||
+ | tar -xjf nextcloud-13.0.0.tar.bz2 -C /var/www | ||
+ | </code> | ||
+ | If you want to, you can now delete the installation file: | ||
+ | <code> | ||
+ | rm nextcloud-13.0.0.tar.bz2 | ||
+ | </code> | ||
+ | Now you have to set the correct user and group to the Nextcloud folder: | ||
+ | <code> | ||
+ | chown -R www-data:www-data /var/www/nextcloud | ||
+ | </code> | ||
- | location / { | + | Now open your web browser and go to http://Ip-address-or-domain to enter the Nextcloud installation screen. |
- | rewrite ^ /index.php$uri; | + | |
- | } | + | |
- | location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { | + | Here you have to set credentials for an administrator and enter the MariaDB user credentials you set earlier. |
- | deny all; | + | |
- | } | + | |
- | location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { | + | |
- | deny all; | + | |
- | } | + | |
- | location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { | + | {{ :virtualisation:nc-setup.jpg?nolink&600 |}} |
- | fastcgi_split_path_info ^(.+\.php)(/.*)$; | + | |
- | include fastcgi_params; | + | |
- | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | + | |
- | fastcgi_param PATH_INFO $fastcgi_path_info; | + | |
- | fastcgi_param HTTPS on; | + | |
- | #Avoid sending the security headers twice | + | |
- | fastcgi_param modHeadersAvailable true; | + | |
- | fastcgi_param front_controller_active true; | + | |
- | fastcgi_pass php-handler; | + | |
- | fastcgi_intercept_errors on; | + | |
- | fastcgi_request_buffering off; | + | |
- | } | + | |
- | location ~ ^/(?:updater|ocs-provider)(?:$|/) { | ||
- | try_files $uri/ =404; | ||
- | index index.php; | ||
- | } | ||
- | # Adding the cache control header for js and css files | + | ===Configuration Nextcloud=== |
- | # Make sure it is BELOW the PHP block | + | |
- | location ~ \.(?:css|js|woff|svg|gif)$ { | + | |
- | try_files $uri /index.php$uri$is_args$args; | + | |
- | add_header Cache-Control "public, max-age=15778463"; | + | |
- | # Add headers to serve security related headers (It is intended to | + | |
- | # have those duplicated to the ones above) | + | |
- | # Before enabling Strict-Transport-Security headers please read into | + | |
- | # this topic first. | + | |
- | # add_header Strict-Transport-Security "max-age=15768000; | + | |
- | # includeSubDomains; preload;"; | + | |
- | # | + | |
- | # WARNING: Only add the preload option once you read about | + | |
- | # the consequences in https://hstspreload.org/. This option | + | |
- | # will add the domain to a hardcoded list that is shipped | + | |
- | # in all major browsers and getting removed from this list | + | |
- | # could take several months. | + | |
- | add_header X-Content-Type-Options nosniff; | + | |
- | add_header X-XSS-Protection "1; mode=block"; | + | |
- | add_header X-Robots-Tag none; | + | |
- | add_header X-Download-Options noopen; | + | |
- | add_header X-Permitted-Cross-Domain-Policies none; | + | |
- | # Optional: Don't log access to assets | + | |
- | access_log off; | + | |
- | } | + | |
- | location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { | + | After Nextcloud was installed succesfully, go to /var/www/nextcloud/config/config.php and add or edit the following lines: |
- | try_files $uri /index.php$uri$is_args$args; | + | <code c /var/www/nextcloud/config/config.php> |
- | # Optional: Don't log access to other assets | + | 'memcache.local' => '\OC\Memcache\APCu', |
- | access_log off; | + | 'trusted_domains' => |
- | } | + | array ( |
- | } | + | 0 => 'mediacontainer.local', |
- | + | 1 => '192.168.1.50', | |
- | location = /robots.txt { | + | ), |
- | allow all; | + | 'overwriteprotocol' => 'https', |
- | log_not_found off; | + | 'logtimezone' => 'Europe/Berlin', |
- | access_log off; | + | |
- | } | + | |
- | + | ||
- | # The following 2 rules are only needed for the user_webfinger app. | + | |
- | # Uncomment it if you're planning to use this app. | + | |
- | #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; | + | |
- | #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json | + | |
- | # last; | + | |
- | + | ||
- | location = /.well-known/carddav { | + | |
- | return 301 $scheme://$host/remote.php/dav; | + | |
- | } | + | |
- | location = /.well-known/caldav { | + | |
- | return 301 $scheme://$host/remote.php/dav; | + | |
- | } | + | |
- | + | ||
- | # set max upload size | + | |
- | client_max_body_size 512M; | + | |
- | fastcgi_buffers 64 4K; | + | |
- | + | ||
- | # Enable gzip but do not remove ETag headers | + | |
- | gzip on; | + | |
- | gzip_vary on; | + | |
- | gzip_comp_level 4; | + | |
- | gzip_min_length 256; | + | |
- | gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; | + | |
- | gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; | + | |
- | + | ||
- | # Uncomment if your server is build with the ngx_pagespeed module | + | |
- | # This module is currently not supported. | + | |
- | #pagespeed off; | + | |
- | + | ||
- | location / { | + | |
- | rewrite ^ /index.php$uri; | + | |
- | } | + | |
- | + | ||
- | location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { | + | |
- | deny all; | + | |
- | } | + | |
- | location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { | + | |
- | deny all; | + | |
- | } | + | |
- | + | ||
- | location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { | + | |
- | fastcgi_split_path_info ^(.+\.php)(/.*)$; | + | |
- | include fastcgi_params; | + | |
- | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | + | |
- | fastcgi_param PATH_INFO $fastcgi_path_info; | + | |
- | fastcgi_param HTTPS on; | + | |
- | #Avoid sending the security headers twice | + | |
- | fastcgi_param modHeadersAvailable true; | + | |
- | fastcgi_param front_controller_active true; | + | |
- | fastcgi_pass php-handler; | + | |
- | fastcgi_intercept_errors on; | + | |
- | fastcgi_request_buffering off; | + | |
- | } | + | |
- | + | ||
- | location ~ ^/(?:updater|ocs-provider)(?:$|/) { | + | |
- | try_files $uri/ =404; | + | |
- | index index.php; | + | |
- | } | + | |
- | + | ||
- | # Adding the cache control header for js and css files | + | |
- | # Make sure it is BELOW the PHP block | + | |
- | location ~ \.(?:css|js|woff|svg|gif)$ { | + | |
- | try_files $uri /index.php$uri$is_args$args; | + | |
- | add_header Cache-Control "public, max-age=15778463"; | + | |
- | # Add headers to serve security related headers (It is intended to | + | |
- | # have those duplicated to the ones above) | + | |
- | # Before enabling Strict-Transport-Security headers please read into | + | |
- | # this topic first. | + | |
- | # add_header Strict-Transport-Security "max-age=15768000; | + | |
- | # includeSubDomains; preload;"; | + | |
- | # | + | |
- | # WARNING: Only add the preload option once you read about | + | |
- | # the consequences in https://hstspreload.org/. This option | + | |
- | # will add the domain to a hardcoded list that is shipped | + | |
- | # in all major browsers and getting removed from this list | + | |
- | # could take several months. | + | |
- | add_header X-Content-Type-Options nosniff; | + | |
- | add_header X-XSS-Protection "1; mode=block"; | + | |
- | add_header X-Robots-Tag none; | + | |
- | add_header X-Download-Options noopen; | + | |
- | add_header X-Permitted-Cross-Domain-Policies none; | + | |
- | # Optional: Don't log access to assets | + | |
- | access_log off; | + | |
- | } | + | |
- | + | ||
- | location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { | + | |
- | try_files $uri /index.php$uri$is_args$args; | + | |
- | # Optional: Don't log access to other assets | + | |
- | access_log off; | + | |
- | } | + | |
- | } | + | |
</code> | </code> |
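Review bot: the release is fetched with `wget https://download.nextcloud.com/server/releases/nextcloud-13.0.0.tar.bz2` and unpacked into /var/www without any integrity check; Nextcloud publishes a `.sha256` checksum and a `.asc` signature next to each release, so the page should add a step to download `nextcloud-13.0.0.tar.bz2.sha256` and run `sha256sum -c` on it before `tar -xjf nextcloud-13.0.0.tar.bz2 -C /var/www`. In the config.php block, `'trusted_domains'` lists both `mediacontainer.local` and `192.168.1.50`; since these are the example values from earlier sections, mark them as values to replace, as the nginx block does. Also, the `nginx -t` step is introduced with "If no error occurs, restart Nginx", but the preceding config has the syntax issues noted above, so the expected `<konsole>` output will only appear once those are fixed. Wording: "succesfully" should be "successfully", and the heading `===Configuration Nextcloud===` should be `===Configuring Nextcloud===` to match "Configuring PHP" and "Configuring MariaDB".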