nginx配置owncloud记录。

Posted 2020-12-29

开始配置时忘看php-fpm配置

结果这里 server unix:/dev/shm/php-cgi.sock; 一直502，后面加上了错误日志输出，才发现问题。

upstream php-handler {
      server unix:/dev/shm/php-cgi.sock;  ##开始没注意这里，一直502
      # Depending on your used PHP version

  }

  server {
      listen 80;
      server_name cloud.yun.cn;

      # For Lets Encrypt, this needs to be served via HTTP
#      location /.well-known/acme-challenge/ {
     root /data/wwwroot/owncloud; # Specify here where the challenge file is placed
  #    }

      # enforce https
      location / {
          return 301 https://$server_name$request_uri;
      }
  }

  server {
     listen 443 ssl http2;
     server_name cloud.yun.cn;
     ssl_certificate /usr/local/nginx/conf/ssl/yun.cn.crt;
     ssl_certificate_key /usr/local/nginx/conf/ssl/yun.cn.key;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
         ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
     ssl_prefer_server_ciphers on;
     ssl_session_timeout 10m;
     ssl_session_cache builtin:1000 shared:SSL:10m;
     ssl_buffer_size 1400;
     add_header Strict-Transport-Security max-age=15768000;
     ssl_stapling on;
     ssl_stapling_verify on;
     access_log /data/wwwlogs/cloud.yun.cn_nginx.log combined;
     error_log /data/wwwlogs/cloud.yun.cn_error.log;
     root /data/wwwroot/owncloud;
     index index.php index.html;
     if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

      # Add headers to serve security related headers
      # Before enabling Strict-Transport-Security headers please read into this topic first.
      #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
      add_header X-Content-Type-Options nosniff;
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;

      # Path to the root of your installation

      location = /robots.txt {
          allow all;
          log_not_found off;
          access_log off;
      }

      # The following 2 rules are only needed for the user_webfinger app.
      # Uncomment it if you‘re planning to use this app.
      rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
      rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

      location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
      }
      location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
      }

      # set max upload size
      client_max_body_size 512M;
      fastcgi_buffers 4 64K;                     # Please see note 1
      fastcgi_ignore_headers X-Accel-Buffering; # Please see note 2

      # Disable gzip to avoid the removal of the ETag header
      # Enabling gzip would also make your server vulnerable to BREACH
      # if no additional measures are done. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
      gzip off;

      # Uncomment if your server is build with the ngx_pagespeed module
      # This module is currently not supported.
      #pagespeed off;

      error_page 403 /core/templates/403.php;
      error_page 404 /core/templates/404.php;

      location / {
          rewrite ^ /index.php$uri;
      }

      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
          return 404;
      }
      location ~ ^/(?:.|autotest|occ|issue|indie|db_|console) {
          return 404;
      }

      location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34]).php(?:$|/) {
          fastcgi_split_path_info ^(.+.php)(/.*)$;
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot https://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
          fastcgi_param PATH_INFO $fastcgi_path_info;
          fastcgi_param HTTPS on;
          fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
          fastcgi_param front_controller_active true;
          fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
          fastcgi_pass php-handler;
          fastcgi_intercept_errors on;
          fastcgi_request_buffering off; #Available since NGINX 1.7.11
      }

      location ~ ^/(?:updater|ocs-provider)(?:$|/) {
          try_files $uri $uri/ =404;
          index index.php;
      }

      # Adding the cache control header for js and css files
      # Make sure it is BELOW the PHP block
      location ~ .(?:css|js)$ {
          try_files $uri /index.php$uri$is_args$args;
          add_header Cache-Control "max-age=15778463";
          # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
          # Before enabling Strict-Transport-Security headers please read into this topic first.
          #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
          add_header X-Content-Type-Options nosniff;
          add_header X-Frame-Options "SAMEORIGIN";
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Robots-Tag none;
          add_header X-Download-Options noopen;
          add_header X-Permitted-Cross-Domain-Policies none;
          # Optional: Don‘t log access to assets
          access_log off;
      }

      location ~ .(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map)$ {
          add_header Cache-Control "public, max-age=7200";
          try_files $uri /index.php$uri$is_args$args;
          # Optional: Don‘t log access to other assets
          access_log off;
      }
  }