nextcloud_logo

圖片來源: wiki

安裝 Docker 與 Docker Compose

Docker

參考文章: Install Docker Engine on CentOS

新增 docker repo

# Pull in yum-config-manager, then register Docker's official CentOS repo
# (fetched over HTTPS, so the repo definition and its signing key are obtained authentically).
yum -y install yum-utils
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

安裝 docker-ce

# Install the engine, the CLI and the container runtime non-interactively.
yum -y install docker-ce docker-ce-cli containerd.io

enable/start docker

# Start the daemon now and make it start on every boot (the .service suffix is implied).
systemctl enable --now docker

跑個 docker hello world 確認 docker 安裝成功

# Smoke test: pulls and runs the hello-world image (same as `docker run hello-world`).
docker container run hello-world

Docker Compose

Install Compose on Linux systems

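# Pinned Compose release. `-f` makes curl exit non-zero on an HTTP error instead of
# saving the error page into /usr/local/bin and then marking it executable.
sudo curl -fL "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# Verify the download against the checksum published with the release before trusting it
# (<SHA256_FROM_RELEASE_PAGE> is a placeholder to fill in):
# echo '<SHA256_FROM_RELEASE_PAGE>  /usr/local/bin/docker-compose' | sha256sum -c -
sudo chmod +x /usr/local/bin/docker-compose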

docker-compose.yml


GitHub-nextcloud/docker

目前公司習慣都是將 YAML 檔放置在 /root/yml/<service_name>/ 下面

1. 因為 nextcloud:latest 目前有 PDF 無法開啟的 bug,所以指定使用 19
Nextcloud 21.0.2 Error: Missing PDF-view for default PDFs

2. extra_hosts 的部分是因為 Nextcloud 去連結 ONLYOFFICE 的程式碼貌似沒辦法支援 DNS multi A record
所以強制指定使用 192.168.x.x 連線!!
為什麼不能修改 docker container 裡面的 /etc/hosts,之前筆記有貼過,再貼一次:[簡體中文]Docker修改hosts。實際做一次實驗也可以知道~

docker-compose 啟動

# Bring the stack up in the background (long form of -d).
docker-compose up --detach

-d 參數告訴 docker 幫我在背景執行就好


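version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    # Unpinned tag: pin a specific MariaDB version before handing the machine over,
    # otherwise a later `docker-compose pull` can silently jump a major release.
    image: mariadb
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      # Passwords come from the .env file next to this YAML (never commit them).
      # `${VAR:?msg}` makes compose refuse to start instead of running with an empty password.
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD in .env}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD:?set MYSQL_PASSWORD in .env}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    # Pinned to 19 as explained above (nextcloud:latest had a PDF-viewer bug at the time).
    image: nextcloud:19
    restart: always
    ports:
      # Published on every host interface. Only the Nginx reverse proxy should reach this
      # port, so restrict it with the host firewall or bind it to the proxy-facing
      # address only (e.g. "192.168.x.x:80:80").
      - 80:80
    links:
      - db
    volumes:
      - nextcloud:/var/www/html
    environment:
      - MYSQL_PASSWORD=${MYSQL_PASSWORD:?set MYSQL_PASSWORD in .env}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db
    extra_hosts:
      # Forces the public hostname to resolve to the proxy IP inside the container
      # (the ONLYOFFICE connector does not cope with multi-A-record DNS, see above).
      - "x-tech.com:192.168.x.x"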


重灌 reset


資料刪除警告!!
資料刪除警告!!
資料刪除警告!!

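## RESET: stop the stack and delete ONLY this project's named volumes (nextcloud, db).
## Irreversible — take a backup first.
docker-compose down -v
## The previous form, `echo 'y' | docker volume prune`, deletes EVERY unused volume on
## the host, not just this project's. If that is really intended, use the explicit
## flag instead of piping an answer:  docker volume prune -f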

資料刪除警告!!
資料刪除警告!!
資料刪除警告!!



Nextcloud config/config.php


這些設定是當初 debug 時候用上的,就順便記錄起來~ 交出去的機器 onlyoffice trusted_proxies 都沒有設定也能正常運作!
'allow_local_remote_servers' => true, 讓 (Nextcloud 設定內) ONLYOFFICE 可以使用 IP address 設定 (沒有加這行的話會跳錯誤 xxxx rules 之類的)

// Lets Nextcloud talk to services on private/local addresses (needed here so the
// ONLYOFFICE app can be configured with an IP). It also widens what server-side
// requests may reach, so keep this instance on a trusted network.
'allow_local_remote_servers' => true,
'onlyoffice' =>
      array (
      // By its name this turns off TLS peer (certificate) verification towards the
      // document server, so a machine-in-the-middle on that path could read or alter
      // documents. Prefer a trusted certificate and drop this once one is in place.
      'verify_peer_off' => true,
      'allow_local_remote_servers' => true,
    ),
// Only proxies listed here are trusted to supply X-Forwarded-* headers;
// replace the placeholder with the reverse proxy's address.
'trusted_proxies' =>
    array (
        0=> '<IP/DOMAIN HERE>',
    ),

(如果登入有問題的話。EX: 使用 IP 登入) 另外還有 trusted_domains 需要調整

Nginx reverse proxy


nextcloud_reverse_proxy_nginx.conf

Reverse proxy

# Backend Nextcloud container, reached over plain HTTP on the LAN; TLS is terminated by nginx.
upstream nextcloud {
    server 192.168.x.x:80;
}

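# Plain-HTTP vhost: everything is sent to HTTPS.
server {
    listen 80;
    server_name "x-tech.com";

    # Explicit 301: a bare `return https://...` is only an implicit 302 (temporary),
    # so clients would keep trying plain http first on every visit.
    return 301 https://x-tech.com$request_uri;
}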

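# HTTPS vhost that terminates TLS and proxies to the Nextcloud container.
server {
    listen 443 ssl;
    server_name "x-tech.com";

    # 0 = no request-body limit (large uploads), which also means nginx never
    # rejects oversized bodies itself.
    client_max_body_size 0;
    access_log /var/log/nginx/nextcloud_access.log;
    error_log /var/log/nginx/nextcloud_error.log;

    ssl_certificate /etc/nginx/ssl/ca_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/x-tech.com.key;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    # SSLv2 removed from the list: it is broken and not supported by current
    # OpenSSL/nginx builds anyway.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_stapling               off;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    # HSTS; Nextcloud's admin overview warns when this header is missing.
    # `always` also sends it on error responses. Add includeSubDomains only if every
    # subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=15552000" always;

    location / {
        proxy_pass http://nextcloud;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Was `X-Forward-Proto http`: misspelled header and wrong value. Nextcloud reads
        # X-Forwarded-Proto (from a proxy listed in trusted_proxies) to build https:// URLs.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }

    # CalDAV/CardDAV discovery, as recommended by the Nextcloud admin manual.
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
}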

onlyoffice.conf


[官方文件] Using ONLYOFFICE Docs behind the proxy

> 使用 sudo openssl dhparam -out dhparam.pem 4096 產生用來保護 key exchange 過程的參數,產生時間大約需要 15 分鐘
[骏马金龙 cnblogs] openssl dhparam (密钥交换)


# Use this example for proxy HTTPS traffic to the document server running at 'backendserver-address'.
# Replace {{SSL_CERTIFICATE_PATH}} with the path to the ssl certificate file
# Replace {{SSL_KEY_PATH}} with the path to the ssl private key file

# Backend ONLYOFFICE Document Server, reached over plain HTTP on the LAN; TLS is terminated by nginx.
upstream docservice {
  server 192.168.x.x:80;
}

# $this_host: the request's Host header, or $host when the request carried none.
map $http_host $this_host {
  default $http_host;
  "" $host;
}

# $the_scheme: scheme reported by a proxy in front of us, else the one nginx saw.
map $http_x_forwarded_proto $the_scheme {
  default $http_x_forwarded_proto;
  "" $scheme;
}

# $the_host: host reported by a proxy in front of us, else $this_host.
# NOTE(review): both X-Forwarded-* maps trust whatever the client sends; if this
# nginx is the internet-facing edge (no trusted proxy in front), consider using
# $scheme / $this_host directly instead of the forwarded values.
map $http_x_forwarded_host $the_host {
  default $http_x_forwarded_host;
  "" $this_host;
}

# WebSocket support: send "Connection: upgrade" only when the client asked to upgrade.
map $http_upgrade $proxy_connection {
  default upgrade;
  "" close;
}

# http-level headers towards the document server; inherited by every location
# below that declares no proxy_set_header of its own.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

## Normal HTTP host
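## Normal HTTP host: redirects all traffic to the HTTPS host
server {
  listen 80;
  server_name "x-tech.com";
  server_tokens off;

  ## `return` is the form nginx recommends over `rewrite ... permanent`; $request_uri
  ## already carries the query string, so no trailing `?` trick is needed, and no
  ## `root` is required since nothing is served here.
  return 301 https://$host$request_uri;
}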

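## HTTPS host: terminates TLS and proxies to the ONLYOFFICE document server.
server {
  listen 443 ssl;
  server_name "x-tech.com";
  server_tokens off;

  access_log /var/log/nginx/onlyoffice_access.log;
  error_log /var/log/nginx/onlyoffice_error.log;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_certificate /etc/nginx/ssl/mca_bundle.crt;
  ssl_certificate_key /etc/nginx/ssl/x.com.key;
  ssl_verify_client off;

  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

  ## TLS 1.0/1.1 dropped (deprecated, RFC 8996) and 1.3 added.
  ssl_protocols TLSv1.2 TLSv1.3;
  ## Session cache enabled (the `builtin:` variant is discouraged, so only the shared one).
  ssl_session_cache shared:SSL:10m;

  ssl_prefer_server_ciphers   on;

  ## HSTS enabled (was commented out); `always` also sends it on error responses.
  add_header Strict-Transport-Security "max-age=31536000" always;
  ## X-Frame-Options is left off on purpose — presumably because the editor is loaded
  ## in a frame by Nextcloud; confirm before enabling.
  # add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;

  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 10s;

  ## [Optional] Generate a stronger DHE parameter:
  ##   cd /etc/ssl/certs
  ##   sudo openssl dhparam -out dhparam.pem 4096
  ##
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  ## Forwarded headers come from the http-level proxy_set_header directives above.
  location / {
    proxy_pass http://docservice;
    proxy_http_version 1.1;
  }
}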