ownCloud installation notes (Apache 2.4 + PHP 7 + MariaDB 10)

I was originally using the Homestead box VM environment, but ran into some problems. The official example uses Apache, and the official recommendation is to serve PHP with Apache's mod_php, so I am writing down the whole process here. So many chores beat me? No chores can beat me.

Since this is meant as a setup for an operations environment, I follow the official documentation throughout.
Starting document:
https://doc.owncloud.org/server/9.0/admin_manual/installation/source_installation.html

On the choice of web server, the official documentation says:

Web server

Taking Apache and Nginx as the contenders, Apache with mod_php is currently the best option, as Nginx does not support all features necessary for enterprise deployments. Mod_php is recommended instead of PHP_FPM, because in scale-out deployments separate PHP pools are simply not necessary.

I had already finished most of the Nginx + PHP 7 setup when I saw this. I was just...

The Nginx + PHP 7 configuration is on the blog too, of course: http://huifeng.me/2016/05/18/LEMP-step-to-step/
Only the database is missing there; that part is simple enough and needs no elaboration here.

I. Operating system

Add the puphpet/ubuntu box:

vagrant box add puphpet/ubuntu1404-x64

Create the project folder and initialise it:

mkdir owncloud && cd owncloud && vagrant init puphpet/ubuntu1404-x64

Edit the configuration file to the following (in the original Vagrantfile, # marks a comment):

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure(2) do |config|

    config.vm.box = "puphpet/ubuntu1404-x64"

    config.vm.network "private_network", ip: "192.168.33.10"

    config.vm.provider "virtualbox" do |vb|
        vb.memory = "1024"
        vb.name = "puphpet-ubuntu-14.04-owncloud"
    end

end

Start the VM: vagrant up

Enter the VM: vagrant ssh


II. Installation and configuration (LAMP based)

LAMP is used here because it is the official recommendation; personally I prefer Nginx + php-fpm. If you want to force yourself to use LEMP/LNMP, see: http://huifeng.me/2016/05/18/LEMP-step-to-step/

1. Install with the script ownCloud provides

This is easy and quick. If you only need something that works and do not need a finely tuned configuration, use these steps:

  1. Install following this document.
  2. Visit http://YourLampHost/owncloud to complete the installation.

2. Build the environment by hand and install from the source package

(1) Set up the LAMP environment

For setting up LAMP, see here: http://huifeng.me/2016/05/19/LAMP-StepByStep/

(2) Download and install ownCloud

Now download the archive of the latest ownCloud version:
https://owncloud.org/install
Go to Download ownCloud Server > Download > Archive file for server owners and download either the tar.bz2 or .zip archive.

Download the source:

wget https://download.owncloud.org/community/owncloud-9.0.1.tar.bz2

Download the MD5:

wget https://download.owncloud.org/community/owncloud-9.0.1.tar.bz2.md5

Verify (md5sum -c takes the file name from the .md5 file itself, so the stdin redirect is harmless but not needed):

md5sum -c owncloud-9.0.1.tar.bz2.md5 < owncloud-9.0.1.tar.bz2

If all is well it prints: owncloud-9.0.1.tar.bz2: OK

Extract:

tar xjf owncloud-9.0.1.tar.bz2

Copy owncloud into Apache's document root:

cp -r owncloud /path/to/webserver/document-root
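As an added example (not from the page or from ownCloud), here is a fail-closed shell wrapper for the verification step: it refuses to proceed unless the checksum file exists, names this archive, and matches, and it makes the point that an MD5 fetched from the same server as the archive only guards against a corrupted download. The sample archive and its .md5 sidecar are constructed inside the block; the file names are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the page or of ownCloud. Assumes the download and its
# checksum file sit side by side and that the checksum file uses the md5sum/sha256sum
# format ("<hex>  <filename>").

# verify_archive ARCHIVE SUMFILE -> 0 only if SUMFILE exists, names ARCHIVE, and matches
verify_archive() {
  archive="$1"; sumfile="$2"
  [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
  [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 2; }
  case "$sumfile" in
    *.sha256) tool=sha256sum ;;
    *.md5)    tool=md5sum ;;
    *) echo "unknown checksum type: $sumfile" >&2; return 2 ;;
  esac
  # the checksum file must refer to this archive, not to some other file
  grep -q "[ *]$(basename "$archive")\$" "$sumfile" \
    || { echo "$sumfile does not list $(basename "$archive")" >&2; return 2; }
  # -c resolves the name inside the checksum file relative to the current directory,
  # so run it from the archive's directory; --status reports only via the exit code
  ( cd "$(dirname "$archive")" && "$tool" -c --status "$(basename "$sumfile")" )
}

# make_sample_download DIR -> constructed stand-in for the archive plus a matching .md5
make_sample_download() {
  dir="$1"; mkdir -p "$dir"
  printf 'constructed archive payload, not a real tarball\n' > "$dir/owncloud-9.0.1.tar.bz2"
  ( cd "$dir" && md5sum owncloud-9.0.1.tar.bz2 > owncloud-9.0.1.tar.bz2.md5 )
}
```

Integrity is all a same-server checksum gives you. For authenticity, compare against a checksum or signature obtained over a separate channel; the same download directory also publishes .sha256 and .asc (PGP signature) files, and the function above accepts a .sha256 sidecar as well.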

There are two ways to install:

  1. Installation Wizard
  2. Installing ownCloud From the Command Line

Command-line installation is quite convenient too: run the following in /var/www/owncloud (replace the user name, password, database name and so on with your own).

sudo -u www-data php occ maintenance:install --database "mysql" --database-name "owncloud" --database-user "owncloud" --database-pass "6Vh44YmKoOcR2NWo" --admin-user "admin" --admin-pass "admin123"

Installation from source is described here:
https://doc.owncloud.org/server/9.0/admin_manual/installation/source_installation.html

Here I edited the hosts file to add a domain, yun.app, mapped to the local VM. Inside the VM I added a vhost for this domain; for the exact settings see
http://huifeng.me/2016/05/19/LAMP-StepByStep/

After the steps above the site can be opened in a browser, mine at http://yun.app. Here I hit an error saying the domain is not trusted; it can be fixed by editing owncloud/config/config.php to add the domain to the trusted list. My configuration file:

<?php
$CONFIG = array (
  'instanceid' => 'ocnvlfoeu6cz',
  'passwordsalt' => 'hWm51195qEAe8qpdb4q5gXYQa4C/0h',
  'secret' => '23VzMrQWzz/kIkJaCr861C9jv5UFyZBUH7uSQnnh/Tw2M9oX',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'yun.app',
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'overwrite.cli.url' => 'http://yun.app',
  'dbtype' => 'mysql',
  'version' => '9.0.2.2',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'owncloud',
  'dbpassword' => '6Vh44YmKoOcR2NWo',
  'logtimezone' => 'UTC',
  'installed' => true,
);

At this point the site can be browsed and used normally; uploads and downloads both work.

But on the admin page we see these notices:

  • Your data directory and your files are probably accessible from the internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible, or move the data directory outside the web server document root.
  • You are accessing this site via HTTP. We strongly suggest you configure your server to require HTTPS instead, as described in the security tips.
  • No memory cache has been configured. To enhance performance please configure a memcache if available. Further information can be found in the documentation.

Let's fix them!


III. Recommended settings (optional)

1. Operating system (not required! Read the whole note before changing anything)

When having an open_basedir configured within your php.ini file, make sure to include /dev/urandom.
If this setting is commented out in your php.ini, skip this step!

Give PHP read access to /dev/urandom :

$ sudo vim /etc/php/7.0/apache2/php.ini

Change the line beginning with ;open_basedir so that /dev/urandom is part of the list. The value is a colon-separated list of the paths PHP may open, so keep the paths that are already there and append /dev/urandom; a value of /dev/urandom alone would lock PHP out of the ownCloud files themselves. With the document root used on this page:

open_basedir = /var/www/owncloud:/dev/urandom

Then:

$ sudo service apache2 restart

2. Use HTTPS

Reference documents that may be useful:

1. Redirect all unencrypted traffic to HTTPS

So as not to disturb the existing configuration, back up the existing config file first and then create a new one:

$ sudo mv /etc/apache2/sites-available/owncloud.conf /etc/apache2/sites-available/owncloud.conf.bak
$ sudo touch /etc/apache2/sites-available/owncloud-ssl.conf

The contents of this new file can be modelled on the default one shipped in the same directory: default-ssl.conf.

Then edit the newly added configuration file:

$ sudo vim /etc/apache2/sites-available/owncloud-ssl.conf

Add a rule that turns every request for this domain into https:

<VirtualHost *:80>
   ServerName cloud.owncloud.com
   Redirect permanent / https://cloud.owncloud.com/
</VirtualHost>

cloud.owncloud.com here is whatever you set yourself; it depends on your domain or your local hosts mapping.

2. Enable HTTP Strict Transport Security

Then add a section for port 443 to the same file:

<VirtualHost *:443>
  ServerName cloud.owncloud.com
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>

If you have subdomains not accessible via HTTPS, remove includeSubDomains; .

The ownCloud documentation stops here. Then I found that the apache2 service would not start at all. Although I knew the log is in /var/log/apache2/error_log, I decided to configure it by following the default default-ssl.conf, and the result was fine. Some of the finer details, the reasons and principles, and further configuration I have not looked into yet, but this configuration starts successfully; only when visiting over https the browser shows the red "not trusted" marker. That gets fixed later. More details can probably be found here:
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

My final configuration file is as follows:

<VirtualHost *:80>
  ServerAdmin wedojava@gmail.com
  ServerName yun.app
  Redirect permanent / https://yun.app/
</VirtualHost>

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin wedojava@gmail.com
    ServerName yun.app
    DirectoryIndex index.html index.php
    DocumentRoot /var/www/owncloud
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
  </VirtualHost>
</IfModule>

3. Create SSL Certificate on Apache for Ubuntu 14

Step One — Activate the SSL Module

This step should already have been done earlier; if not, run it once now and it prints a few lines confirming the change.
SSL support actually comes standard in the Ubuntu 14.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

$ sudo a2enmod ssl

After you have enabled SSL, you’ll have to restart the web server for the change to be recognized:

$ sudo service apache2 restart

With that, our web server is now able to handle SSL if we configure it to do so.

Step Two — Create a Self-Signed SSL Certificate

Let’s start off by creating a subdirectory within Apache’s configuration hierarchy to place the certificate files that we will be making:

$ sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Let’s go over exactly what this means.

  • openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
  • req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate management. Since we are wanting to create a new X.509 certificate, this is what we want.
  • -x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
  • -nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
  • -days 365: This specifies that the certificate we are creating will be valid for one year.
  • -newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn’t create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
  • -keyout: This parameter names the output file for the private key file that is being created.
  • -out: This option names the output file for the certificate that we are generating.

When you hit “ENTER”, you will be asked a number of questions.

The questions portion looks something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com

The key and certificate will be created and placed in your /etc/apache2/ssl directory.
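As an added example (not code from the page or from the tutorial it quotes), here is the same certificate creation done non-interactively from a shell function: the answers to the questions above are supplied through a request config file, a subjectAltName is added, and the result is checked rather than assumed. The host name yun.app, the output file names apache.key / apache.crt and the -nodes / -days 365 / rsa:2048 choices are taken from this page; the output directory is a parameter, and the OpenSSL command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the page or of ownCloud/Apache.

# make_selfsigned_cert DIR HOST [DAYS] -> writes DIR/apache.key and DIR/apache.crt
make_selfsigned_cert() {
  dir="$1"; host="$2"; days="${3:-365}"
  mkdir -p "$dir"
  # prompt = no answers the interactive questions from the [dn] section;
  # x509_extensions adds the SAN that browsers match the host name against
  # (Chrome 58 and later ignore the CN for that purpose)
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
CN = $host
[v3_server]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # -nodes: unencrypted key so Apache can start unattended; the umask keeps the key
  # private from the moment it is written rather than after a later chmod
  ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
      -keyout "$dir/apache.key" -out "$dir/apache.crt" -config "$dir/req.cnf" 2>/dev/null )
  chmod 644 "$dir/apache.crt"   # the certificate is public
  chmod 600 "$dir/apache.key"   # the private key is not
}

# cert_has_san CRT HOST -> 0 if the certificate carries DNS:HOST in its SAN extension
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_cn CRT -> the CN of the subject, without the "subject=" prefix
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# key_matches_cert KEY CRT -> 0 when both files derive the same public key
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
```

Point SSLCertificateFile and SSLCertificateKeyFile at the generated files exactly as in Step Three. A self-signed certificate is still self-signed: the browser warning only goes away once the certificate is imported on the client as described further down; what the SAN buys you is that, once imported, the browser actually accepts it for the host name.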

Step Three — Configure Apache to Use SSL

We already configured the -ssl file, but the certificate it points to is the default one rather than ours. Now that we have generated a certificate, apply it and restart the server.

$ sudo vim /etc/apache2/sites-available/owncloud-ssl.conf

Change:

SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

to:

SSLCertificateFile      /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile   /etc/apache2/ssl/apache.key

Restart to see the effect: sudo service apache2 restart

Some problems that are hard to solve but do not matter much (to me)

Clicking the https button in the browser shows the certificate information we just entered. But the https in the address bar is red, meaning untrusted. What to do? Copy the certificate from the server to the local machine and install it as trusted; see this post:
http://superuser.com/questions/632059/how-to-add-a-self-signed-certificate-as-an-exception-in-chrome#
Export the certificate from Chrome, and then import the certificate into your trusted root certification authority store. Unfortunately Microsoft made this difficult to do.

Go to Start | and run the command certmgr.msc.

Expand the tree to get to Trusted Root Certification Authorities | Certificates. Go to All Tasks, choose Import and import the certificate in question.

To export the certificate from Chrome:

Click on the Certificate icon in the address bar. Click on Certificate Information | Details and then Copy to File.

I do not understand exactly what the next step does or why, but I did it anyway. The command has to be run from the owncloud directory, /var/www/owncloud:

$ sudo -u www-data php occ security:certificates:import /etc/apache2/ssl/apache.crt

The official documentation says:

Use these commands to manage server-wide SSL certificates. These are useful when you create federation shares with other ownCloud servers that use self-signed certificates

More occ commands are at:
https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/occ_command.html

3. Setting Strong Directory Permissions

https://doc.owncloud.org/server/9.0/admin_manual/installation/installation_wizard.html#strong-perms-label
Your HTTP user must own the config/, data/ and apps/ directories so that you can configure ownCloud, create, modify and delete your data files, and install apps via the ownCloud Web interface.

You can find your HTTP user in your HTTP server configuration files.

  • The HTTP user and group in Debian/Ubuntu is www-data.
  • The HTTP user and group in Fedora/CentOS is apache.
  • The HTTP user and group in Arch Linux is http.
  • The HTTP user in openSUSE is wwwrun, and the HTTP group is www.

The easy way to set the correct permissions is to copy and run this script. Replace the ocpath variable with the path to your ownCloud directory, and replace the htuser and htgroup variables with your HTTP user and group:

#!/bin/bash
ocpath='/var/www/owncloud'
htuser='www-data'
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p $ocpath/data
mkdir -p $ocpath/assets
mkdir -p $ocpath/updater

printf "chmod Files and Directories\n"
find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750

printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ocpath}/
chown -R ${htuser}:${htgroup} ${ocpath}/apps/
chown -R ${htuser}:${htgroup} ${ocpath}/assets/
chown -R ${htuser}:${htgroup} ${ocpath}/config/
chown -R ${htuser}:${htgroup} ${ocpath}/data/
chown -R ${htuser}:${htgroup} ${ocpath}/themes/
chown -R ${htuser}:${htgroup} ${ocpath}/updater/

chmod +x ${ocpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ocpath}/.htaccess ]
 then
  chmod 0644 ${ocpath}/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/.htaccess
fi
if [ -f ${ocpath}/data/.htaccess ]
 then
  chmod 0644 ${ocpath}/data/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/data/.htaccess
fi

If you have customized your ownCloud installation and your filepaths are different than the standard installation, then modify this script accordingly.

This lists the recommended modes and ownership for your ownCloud directories and files:

  • All files should be read-write for the file owner, read-only for the group owner, and zero for the world
  • All directories should be executable (because directories always need the executable bit set), read-write for the directory owner, and read-only for the group owner

  • The apps/ directory should be owned by [HTTP user]:[HTTP group]
  • The config/ directory should be owned by [HTTP user]:[HTTP group]
  • The themes/ directory should be owned by [HTTP user]:[HTTP group]
  • The assets/ directory should be owned by [HTTP user]:[HTTP group]
  • The data/ directory should be owned by [HTTP user]:[HTTP group]
  • The [ocpath]/.htaccess file should be owned by root:[HTTP group]
  • The data/.htaccess file should be owned by root:[HTTP group]
    Both .htaccess files are read-write file owner, read-only group and world

Note that running this script does make ownCloud more secure, but it also gets in the way of version upgrades. If you ran it and need to upgrade, see: Setting Permissions for Updating
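The script above sets the modes and owners; what it does not give you is a way to confirm they stayed that way after an app install or an upgrade. As an added example (not part of the page or of ownCloud), the shell function below audits a tree against the rules listed above and reports every deviation, such as a world-readable config.php or a 0755 data/ directory. The sample tree it runs on is constructed inside the block, and the ownership check is optional because chown needs root.

```shell
#!/bin/sh
# Added example, not part of the page or of ownCloud. Assumes the layout used above:
# config/, data/, apps/, the occ script and the two .htaccess files under OCPATH.

# audit_owncloud_perms OCPATH [HTUSER] -> prints one line per violation, returns 1 if any
audit_owncloud_perms() {
  ocpath="$1"; htuser="${2:-}"
  [ -d "$ocpath" ] || { echo "not a directory: $ocpath" >&2; return 2; }
  violations=$(
    # regular files: 0640 (rw owner, r group, nothing for world)
    find "$ocpath" -type f ! -name .htaccess ! -name occ ! -perm 0640 \
      -exec echo "file not 0640:" {} \;
    # directories: 0750 (world gets nothing; the x bit is needed to traverse)
    find "$ocpath" -type d ! -perm 0750 -exec echo "dir not 0750:" {} \;
    # the two .htaccess files are 0644; occ keeps its execute bit, so 0750
    find "$ocpath" -type f -name .htaccess ! -perm 0644 -exec echo ".htaccess not 0644:" {} \;
    find "$ocpath" -type f -name occ ! -perm 0750 -exec echo "occ not 0750:" {} \;
    # ownership: apps/, config/ and data/ must belong to the HTTP user, when one is given
    if [ -n "$htuser" ]; then
      for d in apps config data; do
        [ -d "$ocpath/$d" ] && find "$ocpath/$d" ! -user "$htuser" -exec echo "not owned by $htuser:" {} \;
      done
    fi
  )
  [ -z "$violations" ] && return 0
  printf '%s\n' "$violations"
  return 1
}

# make_sample_tree DIR -> constructed ownCloud-like tree with the recommended modes
# (owned by whoever runs this, since chown would need root)
make_sample_tree() {
  dir="$1"
  mkdir -p "$dir/config" "$dir/data" "$dir/apps"
  : > "$dir/config/config.php"; : > "$dir/.htaccess"; : > "$dir/data/.htaccess"; : > "$dir/occ"
  chmod 0750 "$dir" "$dir/config" "$dir/data" "$dir/apps" "$dir/occ"
  chmod 0640 "$dir/config/config.php"
  chmod 0644 "$dir/.htaccess" "$dir/data/.htaccess"
}
```

Run it as audit_owncloud_perms /var/www/owncloud www-data after the permissions script and again after every upgrade; a non-zero exit with an empty report means the path was wrong, a non-zero exit with lines means something drifted.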

4. Cache

Memory cache configuration for the ownCloud server is no longer automatic in ownCloud 8.1 and up, but must be installed and configured.
https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/caching_configuration.html

Recommended caches are APCu and Redis.
Since we are on PHP 7, Redis seems the better fit. Installing Redis is a fairly long process, so I have opened a new page for it.

References:

https://www.techandme.se/install-redis-cache-on-ubuntu-server-with-php-7-and-owncloud/
http://thereluctantdeveloper.com/2015/12/quick-and-dirty-php-70-set-up-on-ubuntu-1404-with-apcu

I used redis for caching here and everything works.
Because this article is already too long, that part went on a new page; other content I will factor out later when I have time:
http://huifeng.me/2016/06/08/install-redis-cache-on-ubuntu-server-with-php-7-and-owncloud/

That covers the main content; what remains is the data storage directory. That should involve attaching a new disk, to be written up later.

5. Change the data directory

Your data directory and your files are probably accessible from the internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible, or move the data directory outside the web server document root.

Note that it says the data directory can be reached and asks you to move it outside the web directory, so let's do that. There is another issue to notice as well: the .htaccess file is not working.
That should be because the Apache setting AllowOverride All is missing.
Looking at Apache Web Server Configuration in the official documentation, the key configuration here is:

<Directory /var/www/owncloud/>
  Options +FollowSymlinks
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /var/www/owncloud
 SetEnv HTTP_HOME /var/www/owncloud

</Directory>

Copy this block into the owncloud-ssl.conf file we added earlier. The final
/etc/apache2/sites-available/owncloud-ssl.conf:

<VirtualHost *:80>
  ServerAdmin wedojava@gmail.com
  ServerName yun.app
  Redirect permanent / https://yun.app/
</VirtualHost>

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin wedojava@gmail.com
    ServerName yun.app
    DirectoryIndex index.html index.php
    DocumentRoot /var/www/owncloud
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /var/www/owncloud/>
      Options +FollowSymlinks
      AllowOverride All

      <IfModule mod_dav.c>
        Dav off
      </IfModule>

      SetEnv HOME /var/www/owncloud
      SetEnv HTTP_HOME /var/www/owncloud
    </Directory>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
  </VirtualHost>
</IfModule>
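The configuration file grew in three steps on this page (the redirect, HSTS, then the ownCloud <Directory> block), and along the way one version left Apache unable to start while another left the data/ .htaccess ignored. As an added example (not part of the page, of ownCloud or of Apache), the shell script below is a static lint for this vhost layout: it extracts the *:80 and *:443 blocks and checks for the HTTPS redirect, SSLEngine on, the Strict-Transport-Security header, a certificate other than the snakeoil placeholder, and AllowOverride All on the DocumentRoot. The two sample configurations it checks are constructed, trimmed copies of the first and the final owncloud-ssl.conf above; it assumes one *:80 and one *:443 <VirtualHost> per file, as here.

```shell
#!/bin/sh
# Added example, not part of the page or of ownCloud/Apache.

# vhost_block CONF PORT -> the lines of the <VirtualHost *:PORT> ... </VirtualHost> block
vhost_block() {
  sed -n "/<VirtualHost \*:$2>/,/<\/VirtualHost>/p" "$1"
}

# check_vhost CONF -> prints one FAIL line per problem, returns 1 if there were any
check_vhost() {
  conf="$1"; fails=0
  http=$(vhost_block "$conf" 80)
  https=$(vhost_block "$conf" 443)

  if [ -n "$http" ] && ! printf '%s\n' "$http" | grep -q '^ *Redirect permanent / https://'; then
    echo "FAIL: *:80 vhost does not redirect to https"; fails=$((fails + 1))
  fi
  if ! printf '%s\n' "$https" | grep -q '^ *SSLEngine on'; then
    echo "FAIL: *:443 vhost lacks 'SSLEngine on'"; fails=$((fails + 1))
  fi
  if printf '%s\n' "$https" | grep -q 'ssl-cert-snakeoil'; then
    echo "FAIL: *:443 vhost still uses the snakeoil placeholder certificate"; fails=$((fails + 1))
  fi
  if ! printf '%s\n' "$https" | grep -q '^ *Header always set Strict-Transport-Security'; then
    echo "FAIL: *:443 vhost sends no Strict-Transport-Security header"; fails=$((fails + 1))
  fi
  # ownCloud shields data/ with .htaccess rules; Apache only reads them when the
  # DocumentRoot's <Directory> block carries AllowOverride All
  docroot=$(printf '%s\n' "$https" | sed -n 's/^ *DocumentRoot *//p' | head -n 1)
  dirblock=$(printf '%s\n' "$https" | sed -n "\#<Directory ${docroot}/*>#,/<\/Directory>/p")
  if ! printf '%s\n' "$dirblock" | grep -q '^ *AllowOverride All'; then
    echo "FAIL: no 'AllowOverride All' for ${docroot:-<no DocumentRoot>}"; fails=$((fails + 1))
  fi
  [ "$fails" -eq 0 ]
}

# write_sample_vhost FILE good|bad -> constructed, trimmed copies of the final and the
# first configuration on this page (only the directives the lint looks at)
write_sample_vhost() {
  if [ "$2" = good ]; then
    cat > "$1" <<'EOF'
<VirtualHost *:80>
  ServerName yun.app
  Redirect permanent / https://yun.app/
</VirtualHost>
<VirtualHost *:443>
  ServerName yun.app
  DocumentRoot /var/www/owncloud
  SSLEngine on
  SSLCertificateFile    /etc/apache2/ssl/apache.crt
  SSLCertificateKeyFile /etc/apache2/ssl/apache.key
  <Directory /var/www/owncloud/>
    AllowOverride All
  </Directory>
  Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
EOF
  else
    cat > "$1" <<'EOF'
<VirtualHost *:80>
  ServerName yun.app
</VirtualHost>
<VirtualHost *:443>
  ServerName yun.app
  DocumentRoot /var/www/owncloud
  SSLEngine on
  SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
EOF
  fi
}
```

Run it as check_vhost /etc/apache2/sites-available/owncloud-ssl.conf before apachectl configtest: the lint catches intent (is HTTPS enforced, are overrides allowed, is a real certificate configured) and configtest catches syntax. One caveat on the header itself: the preload token signals willingness to be put on the browsers' built-in HSTS list, which is effectively permanent and covers every subdomain, so leave it out until every host under the domain serves valid HTTPS.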

Later I will put the data on a separate virtual disk, so I will continue writing about moving the data directory when I reach that step.