2017年6月22日 星期四

CentOS 7 安裝 Nextcloud + Collabora Office

參考來源  https://kknews.cc/zh-tw/news/92jelv5.html

# 更新並安裝 Nginx + PHP 7
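# Use -y on every step so the whole run is non-interactive, like the rest of this page
yum -y update
yum -y install epel-release
# NOTE(review): the webtatic release RPM is fetched and installed in one go; rpm -U
# only warns (NOKEY) when the signing key is not imported yet and installs anyway.
# The repo file it drops into /etc/yum.repos.d/ should keep gpgcheck=1 so the PHP
# packages installed from it are at least signature-checked.
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php70w-fpm php70w-cli php70w-gd php70w-mcrypt php70w-mysql \
 php70w-pear php70w-xml php70w-mbstring php70w-pdo php70w-json \
 php70w-pecl-apcu php70w-pecl-apcu-devel php70w-pecl-memcached \
 php70w-opcache php70w-ldap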


# 編輯 php-fpm 設定檔
vi /etc/php-fpm.d/www.conf
# Change the following values. The pool runs as the same account that owns the
# Nextcloud tree (chown nginx:nginx below) so PHP can read and write it.
user = nginx
group = nginx
# TCP on loopback; must match fastcgi_pass 127.0.0.1:9000 in nextcloud.conf.
# NOTE(review): any local account can also connect to this port and have php-fpm
# run an arbitrary script as 'nginx'. On a shared host prefer a unix socket
# (listen = /run/php-fpm/www.sock plus listen.owner/listen.group/listen.mode = 0660)
# and change fastcgi_pass to match.
listen = 127.0.0.1:9000
# These env[] lines are commented out in the stock www.conf; enable them so PHP
# child processes get a sane PATH and temp directory.
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

# 建立 session 目錄
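# Session directory for the 'nginx' pool user. Keep it private: PHP names session
# files after the session ID, so a listable directory leaks live session IDs.
mkdir -p /var/lib/php/session
chown nginx:nginx -R /var/lib/php/session/
chmod 0700 /var/lib/php/session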

# 啟動服務並設定開機自動啟動
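# Start php-fpm now and at boot (everything else on this page runs as root, so
# the stray sudo is dropped for consistency).
systemctl start php-fpm
systemctl enable php-fpm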

# 安裝 mariadb
# Install MariaDB server ('mariadb' is the client used for the SQL below)
yum -y install mariadb mariadb-server

# Start the service now and at boot
systemctl start mariadb
systemctl enable mariadb

# Interactive hardening: set the root password, and answer yes to removing the
# anonymous users and the test database and to disabling remote root login --
# Nextcloud only ever connects from localhost (see the GRANT below).
mysql_secure_installation

# 建立資料庫
mysql -u root -p

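-- Replace the placeholder with a long random password (e.g. from
-- `openssl rand -base64 24`) and enter the same value in the Nextcloud installer.
-- The literal 'password' shown on the original page must not be used.
-- ncuser@localhost can only connect locally and only sees nextcloud_db; do not
-- widen this to '%' or to global privileges.
create database nextcloud_db;
create user ncuser@localhost identified by 'CHANGE_ME_STRONG_RANDOM_PASSWORD';
grant all privileges on nextcloud_db.* to ncuser@localhost;
flush privileges;
quit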


# 建立憑證檔
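# Self-signed certificate for nginx on nc.test (browsers will warn; acceptable for
# a lab host, not for a public one). Explicit 2048-bit key and SHA-256 signature so
# the result does not depend on the openssl.cnf defaults of this OpenSSL build.
mkdir -p /etc/nginx/cert/
openssl req -new -x509 -days 365 -nodes -sha256 -newkey rsa:2048 \
  -out /etc/nginx/cert/nc.crt -keyout /etc/nginx/cert/nc.key
# openssl writes the key with the current umask, i.e. usually world-readable.
# nginx reads it as root at startup, so nobody else needs access.
chmod 0600 /etc/nginx/cert/nc.key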

# 安裝 nextcloud
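yum -y install wget unzip
cd
# Verify the archive against the checksum Nextcloud publishes next to it before
# anything is unpacked into the web root. Stop here unless it prints "OK".
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.0.zip
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.0.zip.sha256
sha256sum -c nextcloud-12.0.0.zip.sha256
unzip nextcloud-12.0.0.zip
mv nextcloud/ /usr/share/nginx/html/
cd /usr/share/nginx/html/
# The data directory is created inside the web root here, so it is protected only
# by the "deny all" rule for /data/ in nextcloud.conf. Placing it outside the
# document root (and pointing the installer at that path) removes that dependency.
mkdir -p nextcloud/data/
chown nginx:nginx -R nextcloud/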


# 在 nginx 設定 nextcloud
vi /etc/nginx/conf.d/nextcloud.conf
#### nextcloud.conf start ####
# Plain-HTTP listener: nothing is served here, every request is bounced to HTTPS.
server {
        listen 80;
        server_name nc.test;
        return 301 https://$http_host$request_uri;
}

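server {
        listen 443 ssl;
        server_name nc.test;
        ssl_certificate /etc/nginx/cert/nc.crt;
        ssl_certificate_key /etc/nginx/cert/nc.key;
        # Do not rely on the nginx default, which still offers TLS 1.0 and 1.1.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;

        # Security headers. NOTE: nginx does not inherit add_header into a location
        # that declares its own add_header -- such a location silently loses this
        # whole list unless it repeats it (see the css/js location below).
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        root /usr/share/nginx/html/nextcloud/;

        location = /.well-known/carddav {
                return 301 $scheme://$host/remote.php/dav;
        }

        location = /.well-known/caldav {
                return 301 $scheme://$host/remote.php/dav;
        }

        client_max_body_size 512M;
        fastcgi_buffers 64 4K;
        gzip off;
        error_page 403 /core/templates/403.php;
        error_page 404 /core/templates/404.php;

        location / {
                rewrite ^ /index.php$uri;
        }

        location /updater/ {
                rewrite ^ /updater/index.php;
        }

        # Never serve these directly: data/ holds user files (and, by default,
        # nextcloud.log), config/ holds the database password.
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
                deny all;
        }

        # Dotfiles and the CLI/test entry points are not web resources.
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
                deny all;
        }

        # Only this explicit list of scripts is ever handed to php-fpm; any other
        # *.php path is routed through index.php by the rewrite above instead of
        # being executed as a script.
        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
                include fastcgi_params;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param HTTPS on;
                fastcgi_param modHeadersAvailable true;
                fastcgi_param front_controller_active true;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
                fastcgi_read_timeout 120;
        }

        location ~* \.(?:css|js)$ {
                try_files $uri /index.php$uri$is_args$args;
                add_header Cache-Control "public, max-age=7200";
                # Repeated here on purpose: the Cache-Control add_header above
                # replaces the server-level header set for responses from this
                # location, so without these lines css/js went out without them.
                add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
                add_header X-Content-Type-Options nosniff;
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Robots-Tag none;
                add_header X-Download-Options noopen;
                add_header X-Permitted-Cross-Domain-Policies none;
                access_log off;
        }

        location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
                try_files $uri /index.php$uri$is_args$args;
                access_log off;
        }
}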
#### nextcloud.conf end ####

# 啟動服務
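# Validate the configuration first; a typo in nextcloud.conf would otherwise
# leave nginx down with the error buried in the journal.
nginx -t && systemctl start nginx
systemctl enable nginx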

# 瀏覽 https://nc.test 看看是否正常

# 安裝 memcached 並啟動服務
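yum -y install memcached
# The stock /etc/sysconfig/memcached starts memcached listening on every
# interface with no authentication. Nextcloud only ever reaches it over
# loopback, so bind it there before the first start.
sed -i 's/^OPTIONS=.*/OPTIONS="-l 127.0.0.1"/' /etc/sysconfig/memcached
# NOTE: memcached is only used if config.php sets
# 'memcache.distributed' => '\OC\Memcache\Memcached' together with
# 'memcached_servers'; with only the APCu 'memcache.local' line it is never
# contacted, and this service can then be skipped entirely.
systemctl start memcached
systemctl enable memcached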

vi /usr/share/nginx/html/nextcloud/config/config.php
# 加入下列設定
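'memcache.local' => '\OC\Memcache\APCu',
// Without the next two lines the memcached service installed above is never
// used by Nextcloud; php70w-pecl-memcached (installed earlier) is the client.
'memcache.distributed' => '\OC\Memcache\Memcached',
'memcached_servers' => array(array('127.0.0.1', 11211)),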

# 設定 opcache
vi /etc/php.d/opcache.ini
# 加入下列內容
; Opcode cache settings recommended by the Nextcloud admin manual.
opcache.enable=1
; Also cache when run from the command line (occ, cron)
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
; Keep docblock comments in the cache; Nextcloud's admin page warns when this is 0
opcache.save_comments=1
; Re-check files for changes every second so an upgrade is picked up without a restart
opcache.revalidate_freq=1

# 重啟 php-fpm
# Reload the pool so the new opcache and config.php settings take effect
systemctl restart php-fpm.service


# 安裝 CODE
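# yum-config-manager is provided by yum-utils
yum -y install yum-utils
rpm --import https://collaboraoffice.com/repos/CollaboraOnline/CODE-centos7/repodata/repomd.xml.key
yum-config-manager --add-repo https://collaboraoffice.com/repos/CollaboraOnline/CODE-centos7
# The signing key was just imported, so let yum verify the packages. The original
# page passed --nogpgcheck here, which made the import above pointless.
yum -y install loolwsd CODE-brand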


# 依照 https://nextcloud.com/collaboraonline/ 的官方說明
# loolwsd 所使用的憑證必須是 Nextcloud 主機「信任」的憑證(例如由公開 CA 簽發);自簽憑證除非已匯入該主機的系統信任清單,否則不能用
# 因為除了自己的瀏覽器會去連 loolwsd,Nextcloud 伺服器本身也會在背後去連 loolwsd 並驗證它的憑證
# 若憑證驗證失敗,Nextcloud 端就會出現 Internal Server Error


vi /etc/loolwsd/loolwsd.xml
# 修改下列內容 (其中的 code.crt & code.key 請自行換成有效的憑證檔)
<!-- Certificate and key loolwsd presents on :9980. They must be readable by the
     account loolwsd runs as (check the User= line of the loolwsd unit): a key
     placed in /etc/nginx/cert/ as root:root 0600 will make the service fail to
     start, while leaving it world-readable exposes the private key. -->
<cert_file_path desc="Path to the cert file" relative="false">/etc/nginx/cert/code.crt</cert_file_path>
<key_file_path desc="Path to the key file" relative="false">/etc/nginx/cert/code.key</key_file_path>
<!-- Presumably the CA/intermediate bundle; left empty on this page. Confirm against
     the loolwsd documentation whether the chain must go here or into the cert file. -->
<ca_file_path desc="Path to the ca file" relative="false"></ca_file_path>
<!-- NOTE(review): while editing this file also restrict the <storage><wopi> host
     list to the Nextcloud host name, so only that instance can open documents here. -->

# 啟動服務
# Enable at boot, then (re)start so the certificate paths above are picked up
systemctl enable loolwsd
systemctl restart loolwsd


進 NextCloud Admin 安裝 APP (Collabora Online)
Collabora Online 設定伺服器 https://nc.test:9980
測試是否可編輯 Office 檔案

vi /etc/nginx/conf.d/nextcloud.conf
# 加入下列內容
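server {
        listen 443 ssl;
        server_name code.test;
        ssl_certificate /etc/nginx/cert/code.crt;
        ssl_certificate_key /etc/nginx/cert/code.key;
        ssl_protocols TLSv1.2;
        location / {
                # loolwsd terminates its own TLS on 9980. nginx does not verify
                # that certificate (proxy_ssl_verify defaults to off); that is only
                # acceptable because the hop never leaves this host.
                proxy_pass https://localhost:9980;
                # nginx proxies with HTTP/1.0 by default, and the WebSocket handshake
                # (Upgrade/Connection below) requires HTTP/1.1 towards the backend.
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_read_timeout 36000s;
        }
}
# Once Nextcloud is pointed at https://code.test, port 9980 no longer needs to be
# reachable from outside this host: firewall it (or bind loolwsd to loopback).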

# 重啟服務
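# Validate the new server block before restarting so a typo cannot take the
# Nextcloud site down together with it.
nginx -t && systemctl restart nginx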


進 NextCloud Admin
Collabora Online 設定伺服器 https://code.test
測試是否可編輯 Office 檔案



2017/08/11 補充

# 手動升級 NextCloud 至 12.0.1
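cd /usr/share/nginx/html/
# Verify the release archive before unpacking it into the web root; stop here
# unless sha256sum prints "OK".
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.1.zip
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.1.zip.sha256
sha256sum -c nextcloud-12.0.1.zip.sha256
# Put the instance into maintenance mode before the tree is moved so no user
# request writes into data/ halfway through.
sudo -u nginx php nextcloud/occ maintenance:mode --on
mv nextcloud nextcloud.old
unzip nextcloud-12.0.1.zip
cp nextcloud.old/config/config.php nextcloud/config/
mv nextcloud.old/data/ nextcloud/ # not needed if data lives at a separately configured path
# Apps installed from the app store (e.g. Collabora Online, added through the
# admin page earlier) live in apps/ and are not part of the release zip; carry
# over every app directory the new tree does not ship.
for app in nextcloud.old/apps/*/; do
        app=${app%/}
        [ -e "nextcloud/apps/${app##*/}" ] || cp -a "$app" nextcloud/apps/
done
chown -R nginx:nginx nextcloud
cd nextcloud
sudo -u nginx php occ upgrade
sudo -u nginx php occ maintenance:mode --off
# Delete nextcloud.old only after the upgraded instance has been checked in a browser.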


# 為了使用 External storage support 支援 SMB, 變更 PHP 安裝來源
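# Switch the PHP stack to remi's php70 packages (needed for php70-php-smbclient).
# NOTE(review): the release RPM is fetched over plain http; use the https URL if
# the mirror offers one, since nothing verifies this download.
yum install -y http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum install -y php70-php-fpm php70-php-cli php70-php-gd php70-php-mcrypt php70-php-mysql php70-php-pear php70-php-xml php70-php-mbstring php70-php-pdo php70-php-json php70-php-pecl-apcu php70-php-pecl-apcu-devel php70-php-pecl-memcached php70-php-opcache php70-php-ldap php70-php-pecl-zip php70-php-smbclient
# Retire the webtatic php-fpm (the original page repeated these two lines twice).
systemctl stop php-fpm
systemctl disable php-fpm
vi /etc/opt/remi/php70/php.d/10-opcache.ini      # same content as the opcache section above
vi /etc/opt/remi/php70/php-fpm.d/www.conf        # same content as the php-fpm section above (user/group nginx, listen 127.0.0.1:9000)
systemctl start php70-php-fpm
systemctl enable php70-php-fpm
# NOTE(review): remi's SCL-style build installs its CLI as 'php70' rather than
# 'php'; later 'occ' invocations should use that binary, otherwise they run on
# the old webtatic interpreter. The session directory also moves with the new
# build -- check the pool's session.save_path and its ownership.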



2015年6月29日 星期一

ownCloud 8.x 在 R-Proxy 後方啟用 Fail2Ban 功能

本文是參考  Secure Owncloud Server
http://www.rojtberg.net/711/secure-owncloud-server/

但由於我的 ownCloud 是在 R-Proxy 之後,所以無法使用 iptables 來阻擋,所以只能從程式下手


我的 R-Proxy 是使用 Nginx,所以必須要加入 X-Forwarded-For 才能讓後方的網站取得實際的IP
# Set, not append ($remote_addr rather than $proxy_add_x_forwarded_for): a client
# cannot smuggle a fake address through its own X-Forwarded-For header, the backend
# only sees the address this proxy observed. ownCloud may additionally need to be
# told to trust this proxy (trusted_proxies / forwarded_for_headers in config.php)
# before it uses the header -- verify for your version.
proxy_set_header X-Forwarded-For $remote_addr;



ownCloud 必須要先安裝 Extra Security 0.2.0 這個套件

https://apps.owncloud.com/content/show.php/ExtraSecurity?content=168084&PHPSESSID=mcuc695bok6ptj576kt2k4dbu7

套件中的說明有一句話:
    Some built-in attack blocking functions, like fail2ban, will be enabled in upcoming releases.

原本期待作者作者什麼時候更新版本,但好像等很久沒下文,所以乾脆自己弄了


安裝後,系統有提示要修改 remote.php ,所以開頭修改成如下

<?php
// Load the Extra Security interceptor before anything else in remote.php, as the
// app's install notice asks.
require_once 'apps/extrasecurity/lib/intercept.php';



要先啟用登入失敗的 Log 紀錄功能,修改 config/config.php,將檔案後面加入4行設定如下

  // Timezone of the timestamps written to the log; the hour-matching check in
  // userhooks.php below compares against these.
  'logtimezone' => 'Asia/Taipei',
  // Outside the web root. Must be writable by the web server user and should not
  // be world-readable: it records failed-login details including client addresses.
  'logfile' => '/var/log/owncloud.log',
  'loglevel' => '2',
  // Log the client IP on failed logins; the blocking check searches for it.
  'log_authfailip' => true,
);



修改 Extra Security 套件,檔名為  apps/extrasecurity/hooks/userhooks.php ,修改成如下
目前的寫法是只要在同一個整點小時內(例如 10:00–10:59)錯三次就會擋起來,直到下一個小時才會自動解除,這是我偷懶的寫法

        public function invalidUserAccess( $user, $ip, $time ){
                $invalidAccess = false;
                $rules = \OCA\extrasecurity\extrasecurity::getRules();

                for($i = 0; $i < sizeof($rules); $i++){
                        if( $invalidAccess === false ){
                                $invalidAccess = $this->checkRule( $rules[$i], $user, $ip, $time );
                        }
                }

                // add by garry start
                exec("/bin/grep \"X-Forwarded-For: '$ip'\" /var/log/owncloud.log | /bin/grep `date +%Y-%m-%dT%H` | /usr/bin/wc -l",$n);
                if ($n[0] > 2) {
                        $invalidAccess = true;
                }
                // add by garry end

                 return $invalidAccess;



這樣就大功告成了,可以試試看是否錯三次就無法登入。



但是為了效能,我不想讓 owncloud.log 太大,所以我用 crontab 排程每天把檔案複製一份再清空原檔(不用 mv,因為 PHP 一直開著原檔在寫),保留三天;用 logrotate 的 copytruncate 也能達到相同效果

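# Nightly rotation keeping three generations. Copy-then-truncate rather than mv,
# because the PHP processes keep the file open and would otherwise continue
# writing into the renamed file. -p preserves mode/owner so the copies are not
# recreated world-readable under root's umask (the log holds client addresses
# and failed-login details). The older generations do not exist on the first
# runs, hence 2>/dev/null on those copies; the live log is only emptied after
# its copy succeeded so no entries are lost.
0 0 * * * /bin/cp -p /var/log/owncloud.log.2 /var/log/owncloud.log.3 2>/dev/null ; /bin/cp -p /var/log/owncloud.log.1 /var/log/owncloud.log.2 2>/dev/null ; /bin/cp -p /var/log/owncloud.log /var/log/owncloud.log.1 && : > /var/log/owncloud.log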




2013年12月16日 星期一

CentOS 6 安裝 ClipBucket 2.6


安裝必要套件
# NOTE(review): CentOS 6 base/updates do not ship ffmpeg, mplayer or flvtool2;
# this line assumes a third-party repository (RPMforge/RepoForge, nux-dextop or
# similar) is already enabled -- confirm before running. mod_flvx is likewise not
# a base package.
yum install httpd httpd-devel mysql-server php php-mysql ffmpeg flvtool2 zlib-devel zlib mplayer mod_flvx


# 安裝MP4Box
# Build MP4Box (part of GPAC 0.4.5) from source, with the bundled extra libs.
wget http://downloads.sourceforge.net/gpac/gpac_extra_libs-0.4.5.tar.gz \
     http://downloads.sourceforge.net/gpac/gpac-0.4.5.tar.gz
tar -zxvf gpac-0.4.5.tar.gz
tar -zxvf gpac_extra_libs-0.4.5.tar.gz
cd gpac
cp -r ../gpac_extra_libs/* extra_lib/
./configure
make lib
make apps
make install
# Presumably make install leaves libgpac.so where the dynamic loader does not
# look by default -- copy it next to the system libs, refresh the cache, and put
# the MP4* tools on the default PATH (ClipBucket is configured with /usr/bin/MP4Box).
cp bin/gcc/libgpac.so /usr/lib
ldconfig
cp /usr/local/bin/MP4* /usr/bin/





# vi /etc/php.ini    (CentOS 6 的 php.ini 在 /etc/php.ini,不在 /etc/init.d/)
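max_execution_time = 300
max_input_time = 600
memory_limit = 512M
post_max_size = 1024M
upload_max_filesize = 1024M
; Needed to see the ClipBucket installer page.
; (php.ini comments start with ';' -- the original page had a trailing '#'
; comment on this line, which PHP 5.3 only tolerates with a deprecation
; warning and PHP 7 rejects outright.)
short_open_tag = On
date.timezone = "Asia/Taipei"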


# 讓 Apache支援mp4串流
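# Build the h264 pseudo-streaming module against the yum-installed httpd.
# NOTE(review): fetched over plain http with no checksum to compare against.
wget http://h264.code-shop.com/download/apache_mod_h264_streaming-2.2.7.tar.gz
tar -zxvf apache_mod_h264_streaming-*.tar.gz
cd mod_h264_streaming-*
# httpd-devel from the CentOS repo installs apxs as /usr/sbin/apxs;
# /usr/local/apache only exists for a hand-built Apache, so the original
# --with-apxs=/usr/local/apache/bin/apxs fails on this install.
./configure --with-apxs=/usr/sbin/apxs
make
make install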

# vi /etc/httpd/conf/httpd.conf
# Load the module built above and hand .mp4 requests to it; this is what the
# "Use PseudoStreaming" player setting further down relies on.
LoadModule h264_streaming_module modules/mod_h264_streaming.so
AddHandler h264-streaming.extensions .mp4



# 安裝 ClipBucke
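wget http://downloads.sourceforge.net/project/clipbucket/ClipBucket%20v2/clipbucket-2.6-r738-security-fixed.zip
unzip clipbucket-2.6-r738-security-fixed.zip
# Copy the directory contents including dotfiles: a bare 'upload/*' glob skips
# names starting with '.', so a shipped upload/.htaccess (and its rewrite rules)
# would silently be left behind.
cp -a clipbucket-2.6-r738-security-fixed/upload/. /var/www/html/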

# 修改目錄權限
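cd /var/www/html
# ClipBucket needs these paths writable by the web server -- and only by it.
# The original page used chmod 777 on each of them, which makes every one
# writable by any local account; inside the document root that lets anyone
# drop a script Apache will then execute. Give them to the httpd user instead
# and keep them closed to everyone else.
chown -R apache:apache includes files images cache
find includes files images cache -type d -exec chmod 750 {} +
find includes files images cache -type f -exec chmod 640 {} +
# NOTE(review): includes/ is in the list because the web installer writes its
# configuration there; once the install has finished, consider taking write
# access on includes/ away again.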





低畫質轉檔時也使用多執行緒
# vi includes/classes/conversion/ffmpeg.class.php
// ffmpeg options for the low-quality pass; "-threads 0" lets ffmpeg choose the
// thread count itself so this pass uses several cores too (the page's note says
// the other pass already does).
$opt_av .= " -s {$width}x{$height} -aspect $ratio -padcolor 000000 -padtop $pad_top -padbottom $pad_bottom -padleft $pad_left -padright $pad_right -threads 0 ";


下載中文語系檔,來源為 系統很茫
http://dinno.blog.phc.edu.tw/50/clipbucket-%E7%B9%81%E9%AB%94%E4%B8%AD%E6%96%87%E8%AA%9E%E8%A8%80%E4%B8%8B%E8%BC%89/


設定 ClipBucket

Stats And Configurations
> Website Configurations
> Uploading and Conversion Settings
> FFMPEG Path:/usr/bin/ffmpeg
> MP4Box Path:/usr/bin/MP4Box
> Flvtool2 Path:/usr/bin/flvtool2
> Mplayer Path:/usr/bin/mplayer

> Server Friendly Conversion:打勾
> Max Video Processes at once:1
> Max time wait after max processes:

> Allowed extensions:若有上傳的影片附檔名不在此列,在此加入

> Language Settings
> Browse ClipBucket Language File:上傳語系檔,然後將語系選為繁體中文

Templates And Players
> Player Settings
> Use PseudoStreaming:Yes #開啟後可從尚未下載到的部分開始觀看



常見問題
Q:上傳影片後,一直沒有轉換完成?
A:檢查 FFMPEG、MP4Box、Flvtool2、Mplayer 的程式路徑是否正確。

Q:轉檔工作已經設定一次只轉一個檔,上傳幾個小時後看卻同時都在轉檔了?
A:修改 Max time wait after max processes,此參數為影片上傳後的等待時間。

Q:上傳中文語系檔並選擇繁體中文後,畫面就亂掉了?
A:檢查 includes/langs 目錄是否開放寫入權限,然後將中文語系檔重新上傳一次。

Q:上傳 2G 的影片,明明已修改過 php.ini 卻還顯示,The uploaded file exceeds the upload_max_filesize directive in php.ini
A:建議用 FTP 或 Samba 上傳至 mass_uploads 目錄後再用從 Web 加入影片,因為 php 預設無法處理超過2G以上的檔案,除非重新編譯 php 並加上 -D_FILE_OFFSET_BITS=64 的參數。