Installing NextCloud on CentOS 7

My NextCloud runs on Nginx. For other environments, refer to the corresponding official documentation.


  • CentOS 7 X64
  • NextCloud 14

Basic CentOS 7 installation and configuration

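This guide assumes your CentOS 7 environment is already fully prepared. If your system is a freshly installed default minimal system, see: CentOS 7 network configuration and Installing an SSH server on CentOS 7. Those two steps ensure that NextCloud can be reached at the end.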

Add the EPEL repository

Many packages live in the EPEL repository, which a default CentOS installation does not include, so it has to be added manually.

$ sudo yum -y install epel-release

Add the Webtatic repository

This repository is needed for the php7-fpm dependencies.

$ sudo rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

Prepare the NextCloud runtime environment



$ sudo yum -y install php70w-fpm php70w-cli php70w-gd php70w-mcrypt php70w-mysql php70w-pear php70w-xml php70w-mbstring php70w-pdo php70w-json php70w-pecl-apcu php70w-pecl-apcu-devel

After installation, check the PHP version with php -v:

$ php -v
PHP 7.0.32 (cli) (built: Sep 15 2018 07:54:46) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies


  1. Configure PHP7-FPM to run as the nginx user and listen on port 9000

    This makes PHP-FPM work together with Nginx.

    $ sudo vi /etc/php-fpm.d/www.conf
    • Change user and group to nginx.

      ; RPM: apache Choosed to be able to access some dir as httpd
      user = nginx
      ; RPM: Keep a group allowed to write in log dir.
      group = nginx
    • Make sure PHP-FPM listens on the specified port

      ; Note: This value is mandatory.
      listen = 127.0.0.1:9000
    • Enable the system environment variables for php-fpm

      ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
      ; the current environment.
      ; Default Value: clean env
      env[PATH] = /usr/local/bin:/usr/bin:/bin
      env[TMP] = /tmp
      env[TMPDIR] = /tmp
      env[TEMP] = /tmp


  2. Create the session directory under /var/lib/ and change its owner to nginx

    $ sudo mkdir -p /var/lib/php/session
    $ sudo chown nginx:nginx -R /var/lib/php/session/
  3. Start PHP-FPM and Nginx, and enable them to start at boot

    $ sudo systemctl start php-fpm
    $ sudo systemctl start nginx
    $ sudo systemctl enable php-fpm
    $ sudo systemctl enable nginx
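
An added check for the pool file edited in step 1, not part of the original post: it confirms that user and group are nginx and that listen is bound to loopback or a unix socket, because a FastCGI listener on port 9000 that is reachable from the network lets other hosts talk to PHP-FPM directly. The function names and the 127.0.0.1 address in the sample are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): audit a PHP-FPM pool file.

# Print the last uncommented value of key $2 in pool file $1.
pool_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# Return 0 when the pool runs as nginx and listens only on loopback or a
# unix socket; otherwise print one finding per line and return 1.
audit_pool() {
    file=$1 rc=0
    for k in user group; do
        val=$(pool_value "$file" "$k")
        [ "$val" = nginx ] || { echo "$k is '$val', expected nginx"; rc=1; }
    done
    listen=$(pool_value "$file" listen)
    case $listen in
        127.0.0.1:*|'[::1]:'*|/*) ;;   # loopback TCP or unix socket path
        '') echo "listen is not set"; rc=1 ;;
        *)  echo "listen = $listen is reachable from the network"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: www.conf as edited in step 1 (127.0.0.1 is an assumption).
sample=$(mktemp)
cat > "$sample" <<'EOF'
; RPM: apache Choosed to be able to access some dir as httpd
user = nginx
group = nginx
listen = 127.0.0.1:9000
EOF
audit_pool "$sample" && echo "pool OK"
```

On the server, run audit_pool /etc/php-fpm.d/www.conf before starting the service; a bare port such as listen = 9000 is flagged because PHP-FPM then binds every interface.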

Install and configure MariaDB

MariaDB installation and root configuration

$ sudo yum -y install mariadb mariadb-server
$ sudo systemctl start mariadb
$ sudo systemctl enable mariadb

Set the password of the MariaDB root user. Just follow the prompts here.

$ mysql_secure_installation

Set root password? [Y/n] Y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Add the nextcloud user and database

$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2586
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database nextcloud_db;
MariaDB [(none)]> create user nextclouduser@localhost identified by 'password!@#';
MariaDB [(none)]> grant all privileges on nextcloud_db.* to nextclouduser@localhost identified by 'password!@#';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;

Generate the SSL certificate

We access the site over https, so an SSL certificate is required. You can use a free SSL certificate or a self-signed one. A self-signed certificate is used here.

$ sudo mkdir -p /etc/nginx/cert/
$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
$ sudo chmod 700 /etc/nginx/cert
$ sudo chmod 600 /etc/nginx/cert/nextcloud.key /etc/nginx/cert/nextcloud.crt

Download NextCloud

  1. Install wget and unzip

    $ sudo yum -y install wget unzip
  2. Download and verify NextCloud

    $ cd ~/
    $ wget https://download.nextcloud.com/server/releases/nextcloud-14.0.4.zip
    $ wget https://download.nextcloud.com/server/releases/nextcloud-14.0.4.zip.sha256
    $ sha256sum -c nextcloud-14.0.4.zip.sha256 < nextcloud-14.0.4.zip
  3. Unzip NextCloud and copy it into /usr/share/nginx/html/

    $ unzip nextcloud-14.0.4.zip
    $ sudo cp -R nextcloud/ /usr/share/nginx/html/
  4. Create the data directory and change the owner of nextcloud to nginx

    $ cd /usr/share/nginx/html/
    $ sudo mkdir -p nextcloud/data/
    $ sudo chown nginx:nginx -R nextcloud/

Configure NextCloud

Configure a virtual host for Nextcloud in Nginx

$ sudo vi /etc/nginx/conf.d/nextcloud.conf

upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php/php7.0-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    # replace 你的地址 ("your address") with your server's hostname
    server_name 你的地址;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # replace 你的地址 ("your address") with your server's hostname
    server_name 你的地址;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant
    ssl_certificate /etc/nginx/cert/nextcloud.crt;
    ssl_certificate_key /etc/nginx/cert/nextcloud.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /usr/share/nginx/html/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Save the file and test it with nginx -t. If the test passes, restart the service: sudo systemctl restart nginx
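
nginx -t does not check that root points at the directory NextCloud was copied to, or that the private key is readable by its owner only. An added pre-flight check for those points (not part of the original post; the function names and the temporary sample tree are constructed for the example):

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check for the vhost.

# Print the first value of directive $2 (e.g. root) in nginx config file $1.
nginx_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# Return 0 when the certificate, key and web root named in the vhost exist and
# the key is readable by its owner only; otherwise print findings, return 1.
check_vhost() {
    conf=$1 rc=0
    crt=$(nginx_value "$conf" ssl_certificate)
    key=$(nginx_value "$conf" ssl_certificate_key)
    root=$(nginx_value "$conf" root)
    [ -f "$crt" ] || { echo "missing certificate: $crt"; rc=1; }
    [ -f "${root%/}/index.php" ] || { echo "no index.php under root: $root"; rc=1; }
    if [ ! -f "$key" ]; then
        echo "missing key: $key"; rc=1
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "key $key is readable beyond its owner"; rc=1
    fi
    return $rc
}

# Constructed sample tree standing in for /etc/nginx/cert and the web root.
t=$(mktemp -d)
mkdir -p "$t/cert" "$t/html/nextcloud"
: > "$t/cert/nextcloud.crt"
: > "$t/cert/nextcloud.key"
chmod 600 "$t/cert/nextcloud.key"
: > "$t/html/nextcloud/index.php"
cat > "$t/good.conf" <<EOF
server {
    ssl_certificate $t/cert/nextcloud.crt;
    ssl_certificate_key $t/cert/nextcloud.key;
    root $t/html/nextcloud/;
}
EOF
# The same vhost with paths that no earlier step created (constructed).
sed -e 's|nextcloud\.crt;|nextcloud.crt.crt;|' -e 's|root .*|root /var/www/nextcloud/;|' \
    "$t/good.conf" > "$t/bad.conf"
check_vhost "$t/good.conf" && echo "vhost paths OK"
check_vhost "$t/bad.conf" || echo "vhost needs fixing"
```

On the server, run check_vhost /etc/nginx/conf.d/nextcloud.conf as root so the key file can be inspected.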

Configure SELinux and FirewallD rules

First, install the management tools used to configure SELinux:

$ sudo yum -y install policycoreutils-python

Run the following commands to configure the SELinux rules:

$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/data(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/config(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/apps(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/assets(/.*)?'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.htaccess'
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.user.ini'
$ sudo restorecon -Rv '/usr/share/nginx/html/nextcloud/'

Start the firewalld service and enable it to start with the system.

$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

Open the http and https ports, then reload the firewall.

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload

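At this point, all of the installation work is complete (apart from the final NextCloud setup step).

Open a browser, enter your NextCloud domain name, and follow the on-screen prompts to finish the configuration. Once that is done, you can enjoy the convenience NextCloud brings.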


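The material that turns up on Baidu has some problems in the details, but none of these problems exist in the official documentation. So if something goes wrong during installation, go through it again following the official documentation and it will generally work.

Also, I downloaded NextCloud 14, and some apps are missing for this version; for example, the download manager ocDownloader currently only supports up to version 13.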


