
使用docker结合阿里云oss部署nextcloud,并使用s

作者: Kernycai | 来源:发表于2018-10-31 11:20 被阅读0次

    写在前面的话

    国内网盘变化太快,存点东西要东挪西动的,实在是心烦。
    最主要的是,存点电影总是被很友好的和谐。
    所有的服务组件都是放到了docker里面,因为涉及到了有状态的服务和后期的迁移方便。
    

    环境:

    ECS:CentOS Linux release 7.3.1611 (Core) 
    OSS: 1T的三年包 99块钱
    容器:docker
    目录:我的配置文件相关目录是在/usr/local/docker_nextcloud/下面,配置文件内都是这个目录。
    nextcloud的数据目录是挂载oss的目录,即/data_oss/nextcloud_data
    直接使用oss的主目录应该会报错,但是忘记报啥错了。
    DB的数据目录放外面,是因为穷,oss的调用次数也要收钱的。
    
    

    搭建ossfs

    文档地址:https://help.aliyun.com/document_detail/32196.html?spm=a2c4g.11174283.6.1245.4c027da27H8AG0 
    

    挂载完成后,要把挂载配置写进 /etc/fstab,让它开机自动挂载

    [root@satools-002 ~]# vim /etc/fstab 
    
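    #
    # /etc/fstab
    # Created by anaconda on Fri Aug 18 03:51:14 2017
    #
    # Accessible filesystems, by reference, are maintained under '/dev/disk'
    # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
    #
    UUID=59d9ca7b-4f39-4c0c-9334-c56c182076b5 /                       ext4    defaults        1 1
    
    # OSS bucket mounted through ossfs (FUSE), written in fstab field layout:
    #   <fs spec> <mount point> <type> <options> <dump> <pass>
    # A bare "ossfs bucket dir -o ..." command line is not a valid fstab entry
    # and is not executed at boot, so the mount is expressed as a fuse entry.
    # _netdev defers the mount until networking is available.
    # allow_other lets every local account reach the bucket through the mount,
    # not only root; keep it only because the containers need it.
    # NOTE(review): the ossfs credentials file (/etc/passwd-ossfs in the ossfs
    # documentation) holds the access key and should not be world-readable.
    # NOTE(review): ossfs is installed under /usr/local/bin here; confirm the
    # mount helper can find it at boot (run "mount -a" to test the entry).
    ossfs#nextcloud-kernycai /data_oss fuse _netdev,url=https://oss-cn-shanghai-internal.aliyuncs.com,allow_other 0 0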
    

    安装docker

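    # Install Docker from the distribution repositories.
    yum install docker-io -y
    docker -v  # show the installed version
    systemctl start docker ; systemctl enable docker  # start now and enable at boot
    # Prints daemon-wide information once Docker is running. The note is a
    # shell comment (#): text after "//" would be passed to docker as arguments.
    docker info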
    

    配置docker镜像

    # Point the Docker daemon at the USTC registry mirror, then restart it.
    # NOTE(review): ">>" appends a second OPTIONS= line. If /etc/sysconfig/docker
    # already defines OPTIONS (on CentOS 7 it usually carries --selinux-enabled),
    # the appended line presumably replaces it and those flags are lost; check
    # the file and merge --registry-mirror into the existing line instead.
    # NOTE(review): pulls by tag are then resolved through a third-party mirror;
    # pinning images by digest keeps the content independent of what it serves.
    echo "OPTIONS='--registry-mirror=https://docker.mirrors.ustc.edu.cn'" >> /etc/sysconfig/docker
    systemctl daemon-reload
    service docker restart
    

    可以使用docker相关命令了

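    # Everyday Docker commands. Notes use "#": in a shell "//" is not a comment
    # and the text after it would be passed to docker as extra arguments.
    docker search mysql
    docker pull 镜像  # 镜像 is a placeholder: replace it with the image name
    docker images  # images stored locally
    docker ps -a  # containers (with -a, stopped ones are listed too)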
    

    安装 docker-compose

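    # Install docker-compose through pip (python-pip comes from EPEL).
    yum -y install epel-release
    yum -y install python-pip
    # pip is pinned to 9.0.3: per the author, upgrading to 10.0 or later makes
    # the docker-compose installation below fail. The note is a "#" comment so
    # that it is not passed to pip as further package names.
    pip install --upgrade --force-reinstall pip==9.0.3
    # NOTE(review): this installs whatever docker-compose release PyPI serves
    # at the time, system-wide as root; pin a release you have vetted, e.g.
    # docker-compose==<VERSION>.
    pip install docker-compose
    docker-compose --version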
    

    编写nginx的配置文件

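    # nginx front end for Nextcloud: redirects HTTP to HTTPS, terminates TLS
    # and forwards PHP requests to the PHP-FPM container ("app", port 9000).
    upstream php-handler {
        server app:9000;
        #server unix:/var/run/php5-fpm.sock;
    }
    server {
        listen 80;
        # Placeholder: replace with the real domain name or IP address.
        server_name 域名/ip地址;
        # enforce https
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        # Placeholder: replace with the real domain name or IP address.
        server_name 域名/IP地址;
        # Certificate and key are the self-signed pair written into the shared
        # cert directory. No ssl_protocols / ssl_ciphers are set here, so the
        # TLS versions and ciphers are whatever the nginx image defaults to.
        ssl_certificate /etc/nginx/cert/servhostname.local.crt;
        ssl_certificate_key /etc/nginx/cert/servhostname.local.key;
        # Add headers to serve security related headers
        # Before enabling Strict-Transport-Security headers please read into this
        # topic first.
        # The value must stay on one line: a quoted nginx string keeps embedded
        # newlines, so a wrapped value is sent with a line break inside the header.
        # Browsers ignore HSTS received over a connection with certificate errors,
        # so with a self-signed certificate it only takes effect where that
        # certificate has been explicitly trusted. includeSubDomains and preload
        # commit the whole domain to HTTPS; drop them unless that is intended.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Path to the root of your installation
        root /var/www/html/;
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
        # last;
        location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
        }
        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;
        # Disable gzip to avoid the removal of the ETag header
        gzip off;
        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;
        error_page 403 /core/templates/403.php;
        error_page 404 /core/templates/404.php;
        location / {
            rewrite ^ /index.php$uri;
        }
        # Internal directories (including config and data) are never served.
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        # Dot files and maintenance/console entry points are never served.
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
        # Only the PHP entry points listed in this pattern are passed to
        # PHP-FPM; any other .php path does not reach the interpreter here.
        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
            include fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }
        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }
        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~* \.(?:css|js)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=7200";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            # Kept on one line for the same reason as in the server block: a
            # wrapped quoted value would put a line break inside the header.
            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }
        location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
            try_files $uri /index.php$uri$is_args$args;
            # Optional: Don't log access to other assets
            access_log off;
        }
    }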
    
    

    编辑compose文件

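    # Compose file for the Nextcloud stack: MariaDB (db), Nextcloud PHP-FPM
    # (app), the nginx front end (nginx) and a one-shot generator for the
    # self-signed certificate (omgwtfssl).
    version: '2'

    volumes:
      app:
      db:
      nginx:
      omgwtfssl:

    networks:
      proxy-tier:

    # NOTE(review): every image below is referenced by a floating tag
    # (mariadb, nextcloud:fpm, nginx, paulczar/omgwtfssl), so a later pull can
    # change what runs; pin a version tag or digest you have vetted.
    services:
      db:
        container_name: cloud_db
        image: mariadb
        restart: always
        volumes:
          # Database files stay on local disk, not on the OSS mount.
          - /usr/local/docker_nextcloud/db:/var/lib/mysql
        environment:
          # Passwords are not written into this file: compose substitutes
          # ${...} from the shell environment or from a .env file placed next
          # to this compose file (keep that file readable by root only). An
          # unset variable is substituted as an empty string.
          - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
          - MYSQL_DATABASE=nextcloud
          # Dedicated account limited to the nextcloud database; enter this
          # user and MYSQL_PASSWORD in the Nextcloud setup page instead of root.
          - MYSQL_USER=nextcloud
          - MYSQL_PASSWORD=${MYSQL_PASSWORD}

      app:
        container_name: cloud_app
        image: nextcloud:fpm
        links:
          - db
        volumes:
          - /usr/local/docker_nextcloud/nextcloud:/var/www/html/
          # User data lives on the ossfs mount of the OSS bucket.
          - /data_oss/nextcloud_data:/var/www/html/data/
        restart: always

      nginx:
        container_name: cloud_web
        image: nginx
        ports:
          - 80:80
          - 443:443
        links:
          - app
        volumes:
          - /usr/local/docker_nextcloud/nextcloud:/var/www/html/
          # nginx only reads its configuration and the TLS key pair, so both
          # are mounted read-only; omgwtfssl writes the certificate through
          # its own mount of the same host directory.
          - /usr/local/docker_nextcloud/nginx/conf.d:/etc/nginx/conf.d/:ro
          - /usr/local/docker_nextcloud/nginx/cert:/etc/nginx/cert/:ro
        restart: always

      omgwtfssl:
        # Runs once (restart: "no") and leaves a self-signed certificate and
        # its private key in the host cert directory; restrict access to that
        # directory on the host.
        image: paulczar/omgwtfssl
        restart: "no"
        volumes:
          - /usr/local/docker_nextcloud/nginx/cert:/certs
        environment:
          - SSL_SUBJECT=servhostname.local
          - CA_SUBJECT=my@example.com
          - SSL_KEY=/certs/servhostname.local.key
          - SSL_CSR=/certs/servhostname.local.csr
          - SSL_CERT=/certs/servhostname.local.crt
        networks:
          - proxy-tier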
    

    注意事项:

    nextcloud页面初次打开进行配置的时候,数据库的主机名称填写的是compose文件内的配置,是db。基本了解点docker的人都清楚这点,这里记录下,免得大意给忘掉。
    ssl用的是自签名证书,浏览器无法验证它的签发者,所以会提示证书不安全。
    如果自己拿域名去申请正式证书的话,就不会有这种问题。
    嗯,我是因为懒。
    

    插个图吧,我知道很多人看下来一定要有图才会莫名心安。


    图片.png

    转载请注明:
    来源于kernycai,https://www.jianshu.com/p/94890cfa6240
    github:https://github.com/kerncai
