[NGINX] Cài đặt Nextcloud trên CentOS 7

8

Trước tiên để cái đặt Nextcloud chúng ta phải cài đặt các thành phần LEMP Stack

Cài đặt NGINX

Trước tiên để cài đặt NGINX bản mới nhất các bạn cần thêm repository như sau:

root@systuts
root@systuts:~# vi /etc/yum.repo.d/nginx.repo

Copy đoạn sau vào file nginx.repo và Save lại

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Sau đó tiến hành cài đặt NGINX

root@systuts
root@systuts:~# yum install nginx -y

Sau khi cài đặt xong chúng ta tiến hành khởi động NGINX:

root@systuts
root@systuts:~# systemctl enable nginx
root@systuts:~# systemctl start nginx

Mở port web 80 và 443 trên firewalld để có thể truy cập được Website từ Inetrnet:

root@systuts
root@systuts:~# firewall-cmd --permanent --add-service=http
root@systuts:~# firewall-cmd --permanent --add-service=https
# Reload lại firewalld 
root@systuts:~# firewall-cmd --reload

Cài đặt MariaDB Server

Tương tự như cài NGINX, chúng ta cần tạo và thêm repository MariaDB

root@systuts
root@systuts:~# vi /etc/yum.repo.d/mariadb.repo
# MariaDB 10.5 CentOS repository list - created 2021-05-30 03:23 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.5/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Sau đó tiến hành cài đặt và khởi động MariaDB Server:

root@systuts
root@systuts:~# yum install MariaDB-server MariaDB-client
Khởi động MariaDB Server
root@systuts:~# systemctl enable mariadb
root@systuts:~# systemctl start mariadb

Thiết lập bảo mật MariaDB Server:

root@systuts
root@systuts:~# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on…
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:            #Enter your password
Re-enter new password:             #Re-enter password
Password updated successfully!
Reloading privilege tables..
… Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
… Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
… Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
Dropping test database…
… Success!
Removing privileges on test database…
… Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
… Success!
Cleaning up…
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!

Cài đặt PHP-FPM

root@systuts
root@systuts:~# yum install unzip epel-release https://rpms.remirepo.net/enterprise/remi-release-7.rpm yum-utils -y
Khởi động MariaDB Server
root@systuts:~# systemctl enable mariadb
root@systuts:~# systemctl start mariadb

Giả sử chúng ta cần cài đặt php 7.4 chúng ta cần bật repo như sau:

root@systuts
root@systuts:~# yum-config-manager --enable remi-php74
Cài đặt PHP 7.4
root@systuts:~# yum install php php-fpm php-curl php-common php-gd php-json php-mbstring php-mysqlnd php-xml php-xmlrpc php-opcache php-mysql php-cli php-mcrypt php-zip -y

Cấu hình PHP-FPM

root@systuts
root@systuts:~# vi /etc/php-fpm.d/www.conf

Tìm các giá trị sau và sửa:

user = apache         		      user = nginx
group = apache         		      group = nginx
listen = 127.0.0.1:9000    =====>     listen = /var/run/php_fpm.sock
;listen.owner = nobody         	      listen.owner = nginx
;listen.group = nobody        	      listen.group = nginx
;listen.mode = 0660        	      listen.mode = 0660

Khởi động PHP-FPM

root@systuts
root@systuts:~# systemctl enable php-fpm
root@systuts:~# systemctl start php-fpm

Cài đặt Nextcloud

Tải và giải nén phiên bản mới nhất của NextCloud Server

root@systuts
root@systuts:~# wget https://download.nextcloud.com/server/releases/nextcloud-20.0.2.zip
root@systuts:~# unzip nextcloud-20.0.2.zip
root@systuts:~# mv nextcloud /var/www/html/nextcloud
root@systuts:~# chown -R nginx.nginx /var/www/html/nextcloud

Tạo virtual host trên NGINX

root@systuts
root@systuts:~# vi /etc/nginx/conf.d/nextcloud.conf
Nhấp để hiển thị nội dung ẩn
upstream php-handler {
    server unix:/var/run/php_fpm.sock;
}

server {
    listen 80;
    server_name [yourdomain or IP address];
    
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /usr/local/nginx/html/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        #fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Khởi động lại dịch vụ NGINX:

root@systuts
root@systuts:~# systemctl restart nginx

Tạo database cho Nextcloud

Login vào MariaDB Server

root@systuts
root@systuts:~# mysql -u -root -p
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 198580
Server version: 10.5.9-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 

Chạy các lệnh sau để tạo database, chú ý thiết lập username và password của bạn.

CREATE USER 'username'@'localhost' IDENTIFIED BY 'password'; 
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; 
GRANT ALL PRIVILEGES on nextcloud.* to 'username'@'localhost'; FLUSH privileges;
exit;

Thiếp lập Nextcloud

Mở trình duyệt và nhập vào địa chỉ IP hoặc tên miền của bạn, hiển thị ra trình cài đặt Nextcloud các bạn cần điền các thông tin để thiết lập.

Cài đặt Nextcloud trên CentOS 7
Cài đặt Nextcloud trên CentOS 7

Chúc các bạn thành công.

Leave A Reply

Your email address will not be published.