leoatchina's blog

Building a private cloud and remote downloader with Ubuntu + ownCloud + nginx + php-fpm + MySQL + aria2


Background

  • The recent "clean-net" campaign shut down many Chinese cloud-storage services, including Kuaipan, which I had been using. The survivors (Baidu Cloud, 360 Cloud and the like) have no Linux client, and foreign services such as Dropbox are constrained by quota and by the Great Firewall.
  • I also wanted to collect HD films and stream them on the home LAN. The house has a 100 Mbit China Telecom line that sits idle most of the day and can be used for downloading, hence the idea of building my own server around a private cloud.
  • There are many private-cloud options; for extensibility I chose Ubuntu 14.04 + ownCloud. The reader should have some Linux command-line and vi experience.
  • MySQL and phpMyAdmin are set up along the way.

Host hardware

  • The machine sits in the TV cabinet and runs 24 hours a day, in a Jonsbo V3 ITX HTPC case.
  • 2 x 2 GB RAM; the system lives on a 64 GB SSD and a 4 TB hard disk is the main data drive.
  • The board has an integrated, fanless Celeron J1800 (15 W TDP), enough to play 1080p x264 films; today I would recommend a J3455 board, which can handle 4K.
  • Excluding disks, the HTPC cost: board 250 + RAM 100 + case 200 + PSU 150 = 700 yuan.

A router with port forwarding

  • A home LAN normally has no fixed public IP, so the router needs dynamic DNS so that the LAN can be reached from the outside through it.
  • China Telecom blocks inbound 80 and 8080, and traffic to the router's public IP has to be redirected to the HTPC, so port forwarding is needed.
  • It also handles circumvention and policy routing.
  • OpenWrt is a good fit. Mine was a Taobao "841N 5-port OpenWrt wireless router, 16M flash / 64M RAM, dual antenna": small enough to go into the low-voltage distribution box with the antennas removed. Wi-Fi is provided by a second router, whose LAN must be put on the same subnet as the main router.
  • I have since switched to a Phicomm K2, flashed with the Padavan firmware.

Enabling port forwarding on the router

  • First give the machine (called the HTPC from here on) a static IP.
  • In the web UI, under Network - Firewall - Port Forwards, add the following rules pointing at that static IP:

    21->21:     # FTP
    20->20:     # FTP
    22->22:     # SSH remote login
    443->443:   # HTTPS
    6800->6800: # aria2 RPC directly; with nginx proxying 6801 to 6800 (see the nginx config) this rule can be left out
    6801->6801: # aria2 RPC through nginx, TLS terminated by nginx
  • Note that nothing forwards port 80, either from 80 or to 80.
  • A caveat on the first three rules: they put FTP and SSH on the public internet. FTP sends user name and password in the clear, so prefer SFTP over the SSH forward for remote file access, and restrict SSH to key-based logins (PasswordAuthentication no in /etc/ssh/sshd_config).

Enabling dynamic DNS

  • Register at changeip.com; I registered testdomain.changeip.com. Combined with the port forwards above, the HTPC on the LAN can then be administered from outside: installing software, changing services, and so on.

An unexpected NTFS permission problem

  • This is a legacy issue: when my three disks went into the HTPC they were all NTFS, with data on them, and could not be converted losslessly to ext4.
  • ownCloud's data directory is on one of those disks, which was originally just mounted under /mnt. When I pointed ownCloud at that directory during setup it failed ownCloud's permission check (the data directory must be mode 0770 and owned by the web server user).
  • With too much data to reformat, I searched the ownCloud site for a long time and found that the cause was the ownership ntfs-3g assigns at mount time. The fix was to set the uid, gid and mask options in /etc/fstab:
    /dev/sdb5 /mnt/disk1 ntfs locale=zh_CN.UTF-8,uid=33,gid=33,dmask=007,windows_names 0 0
  • uid=33 and gid=33 are the www-data user and group that nginx runs as (check with id www-data). dmask applies to directories only; add fmask=007 (or umask=007) if files on the volume must also be unreadable by other local users.

Installing samba and vsftpd

  • SSH into the HTPC, install them and set up the shared directories yourself.

Installing MySQL

  • sudo apt-get install mysql-server mysql-client
  • Give MySQL a strong root password and create a dedicated database user for ownCloud instead of letting it connect as root.

Installing nginx and php-fpm

    sudo apt-get install nginx
    sudo add-apt-repository ppa:ondrej/php
    sudo apt-get update
    sudo apt-get install php7.0 php-fpm php-mysql php-mbstring

Installing phpMyAdmin and ownCloud

  • Download both from their websites and unpack them into the web root.
  • My web root is /home/kodi/www
  • Change the owner: sudo chown -R www-data /home/kodi/www
  • Change the permissions: sudo chmod -R 755 /home/kodi/www
Configuring phpMyAdmin
  • Start from the sample configuration file

    cd /home/kodi/www/phpmyadmin
    cp config.sample.inc.php config.inc.php

  • Edit the phpMyAdmin configuration file

    vi /home/kodi/www/phpmyadmin/config.inc.php
    Set $cfg['blowfish_secret'] = '...'; this is the passphrase phpMyAdmin uses to encrypt the login cookie, so it should be long and random rather than typed by hand.

  • The other config file

    cd /home/kodi/www/phpmyadmin/libraries
    vi config.default.php
    Set $cfg['blowfish_secret'] here the same way (config.inc.php overrides this file, so this step is optional and is lost on upgrade).

  • Leave everything else at the defaults.
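The two configuration steps above (a random blowfish_secret, a dedicated MySQL account for ownCloud) as one shell snippet. This is an added example, not code from the original post: it generates 32 random base64 characters and writes them into config.inc.php in place, and renders the SQL for a MySQL user whose grants are limited to the ownCloud database. The config path, database name and user name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): random phpMyAdmin secret plus
# least-privilege MySQL account for ownCloud. Paths and names are assumptions.

# 32 base64 characters from 24 random bytes: long enough for phpMyAdmin's
# cookie encryption and free of quotes, so it is safe inside a PHP string.
gen_secret() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Replace the blowfish_secret line in a phpMyAdmin config file in place.
# $1 = path to config.inc.php, $2 = secret (generated when omitted)
# Returns non-zero if the line was not found and replaced.
set_pma_secret() {
    file="$1"
    secret="${2:-$(gen_secret)}"
    # '|' as the sed delimiter because base64 output may contain '/'
    sed -i "s|^.cfg\\[.blowfish_secret.].*|\$cfg['blowfish_secret'] = '${secret}';|" "$file"
    grep -Fq "'blowfish_secret'] = '${secret}';" "$file"
}

# Emit SQL for a dedicated ownCloud database account.
# $1 = database name, $2 = user name, $3 = password
# Feed it to the server with: owncloud_grant_sql owncloud ocuser "$pw" | mysql -u root -p
owncloud_grant_sql() {
    printf "CREATE DATABASE IF NOT EXISTS %s CHARACTER SET utf8;\n" "$1"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$2" "$3"
    # grants scoped to the one database: this user cannot touch mysql.* or other schemas
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost';\n" "$1" "$2"
    printf "FLUSH PRIVILEGES;\n"
}
```

Usage on the HTPC would be `set_pma_secret /home/kodi/www/phpmyadmin/config.inc.php` followed by piping `owncloud_grant_sql owncloud ocuser "$(gen_secret)"` into the mysql client as root; the generated password then goes into ownCloud's setup page.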
Configuring php7.0-fpm

The php7.0 configuration lives in /etc/php/7.0/fpm, with two important files: php.ini and php-fpm.conf.

php.ini
  • Settings:
    • extension_dir = "/usr/lib/php/20151012": I found the directory by searching for mysql.so with catfish. It holds the loadable extensions and should have been populated by apt-get install.
    • Enable MySQL support: extension=mysqli.so, extension=pdo_mysql.so
    • Set cgi.fix_pathinfo=0. With the default of 1, a request such as /data/image.jpg/x.php is "fixed" so that image.jpg is executed as PHP, which turns an uploaded file into executable code; 0 makes PHP refuse such paths.

php-fpm.conf
  • It contains include=/etc/php/7.0/fpm/pool.d/*.conf; www.conf lives in that directory.
  • Check listen: listen = /run/php/php7.0-fpm.sock; this socket path is needed when configuring nginx.
  • Restart php-fpm: sudo service php7.0-fpm restart (the service is php7.0-fpm, not php7-fpm).
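An added example (not from the original post) that audits a php.ini for the settings above: it reads the effective value of a directive the way PHP does (ignoring ";" comments and using the last uncommented assignment) and reports whether cgi.fix_pathinfo is 0 and the two MySQL extensions are enabled. The file path is an assumption; on the HTPC it would be /etc/php/7.0/fpm/php.ini.

```shell
#!/bin/sh
# Added example (not from the original post): php.ini audit for the settings
# the text asks for. Paths are assumptions.

# Print the effective value of directive $1 in ini file $2: strips ';'
# comments, trims whitespace and surrounding quotes, and prints the last
# uncommented assignment (the one PHP uses when a key is repeated).
ini_get() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n -e 's/;.*$//' \
           -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# 0 when PATH_INFO fixing is off. PHP's default is 1, and the stock php.ini
# only carries the setting commented out, so "not set" counts as unsafe.
fix_pathinfo_off() {
    [ "$(ini_get cgi.fix_pathinfo "$1")" = "0" ]
}

# 0 when extension $1 is enabled in ini file $2, with or without the .so suffix.
extension_enabled() {
    grep -Eq "^[[:space:]]*extension[[:space:]]*=[[:space:]]*\"?$1(\.so)?\"?[[:space:]]*(;.*)?$" "$2"
}

# One line per finding; returns non-zero if anything needs fixing.
audit_php_ini() {
    rc=0
    if fix_pathinfo_off "$1"; then
        echo "ok   cgi.fix_pathinfo=0"
    else
        echo "FAIL cgi.fix_pathinfo is not 0 (uploads with a trailing /x.php can run as PHP)"
        rc=1
    fi
    for ext in mysqli pdo_mysql; do
        if extension_enabled "$ext" "$1"; then
            echo "ok   extension=$ext"
        else
            echo "FAIL extension $ext is not enabled"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `audit_php_ini /etc/php/7.0/fpm/php.ini` after editing and again after every PHP package upgrade, since upgrades may ship a new php.ini.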
Enabling HTTPS in nginx, two options

ownCloud 9.0 requires HTTPS, so the site needs a certificate. I tried both options below; the nginx configuration further down uses the Let's Encrypt certificate.

Using a self-signed SSL certificate
  • Self-sign with Liao Xuefeng's script: 给Nginx配置一个自签名的SSL证书 (http://www.liaoxuefeng.com/article/0014189023237367e8d42829de24b6eaf893ca47df4fb5e000)
  • After running the script, copy the generated .key and .crt files to /etc/nginx/ssl/, for example
    /etc/nginx/ssl/testdomain.changeip.com.crt
    and /etc/nginx/ssl/testdomain.changeip.com.key
    The nginx configuration refers to them; alternatively point the nginx configuration at wherever you put the two files.
  • Caveat: a self-signed certificate gives clients nothing to verify against, so browsers and the ownCloud desktop and mobile clients will warn about it on every device until the certificate is explicitly trusted there.

Using Let's Encrypt on your own server
  • A knowledgeable friend objected that self-signing is the wrong mindset, and on his advice I switched to Let's Encrypt (https://letsencrypt.org/), a free, automated and open certificate authority run by the Internet Security Research Group. I mainly followed Let's Encrypt SSL证书配置 (http://www.jianshu.com/p/eaac0d082ba2) and 折腾Let's Encrypt免费SSL证书 (https://xiaoai.me/?p=223).
  • Download and install:

    git clone https://github.com/certbot/certbot.git
    cd certbot
    ./letsencrypt-auto --help

  • Obtain the certificate. Stop nginx first, since the standalone authenticator has to bind the port itself:

    ./letsencrypt-auto certonly -d testdomain.changeip.com -m testdomain@gmail.com

  • This produces two files, which stay where they are:
    /etc/letsencrypt/live/testdomain.changeip.com/fullchain.pem
    /etc/letsencrypt/live/testdomain.changeip.com/privkey.pem
  • Generate 2048-bit DH parameters:

    sudo openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048

  • The one drawback: the certificate is valid for only 90 days, so the renew command (./letsencrypt-auto renew, or certbot renew on newer installs) has to run before it lapses; schedule it from cron rather than relying on memory. Note also that the http-01 challenge arrives on port 80, which the ISP blocks here, so the /.well-known/acme-challenge location in the nginx configuration on 443 cannot satisfy it, and the tls-sni-01 challenge that standalone mode once used on 443 has since been retired; if renewal stops working, the dns-01 challenge is the alternative.
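The renewal check behind that last point, as an added example that is not part of the original post: it computes the days left on a certificate from the notAfter date openssl prints and reports whether the certificate is due, using the same 30-day threshold certbot applies, so it can drive a cron job that only renews and reloads nginx when needed. The certificate path and the renew/reload commands in renew_if_due are assumptions about the target host.

```shell
#!/bin/sh
# Added example (not from the original post): is the Let's Encrypt certificate
# due for renewal? Let's Encrypt certificates last 90 days; certbot renews
# when fewer than 30 remain, and this check uses the same threshold.

# Whole days from now until the date in $1, in any format GNU date accepts,
# e.g. "Dec 10 12:00:00 2025 GMT" as printed by openssl x509 -enddate
# (with the "notAfter=" prefix removed). Returns 2 if the date is unparsable.
days_until() {
    now=$(date +%s)
    target=$(LC_ALL=C date -d "$1" +%s) || return 2
    echo $(( (target - now) / 86400 ))
}

# 0 when fewer than $2 days (default 30) remain until the date in $1.
due_for_renewal() {
    left=$(days_until "$1") || return 2
    [ "$left" -lt "${2:-30}" ]
}

# Same check, reading the expiry out of a PEM certificate file $1.
cert_due_for_renewal() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    due_for_renewal "$not_after" "$2"
}

# Cron job body (assumed commands, adjust to letsencrypt-auto if that is what
# is installed): renew only when due, then make nginx pick up the new files.
renew_if_due() {
    if cert_due_for_renewal "$1"; then
        certbot renew --quiet && systemctl reload nginx
    fi
}
```

A daily cron entry would call `renew_if_due /etc/letsencrypt/live/testdomain.changeip.com/fullchain.pem`; certbot's own renew is already idempotent, so the check mainly keeps the log quiet and avoids a needless nginx reload.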

ownCloud

  • Much of the ownCloud configuration has already been covered above, all of it worked out by trial and error; the main points are:
    • a dedicated MySQL user
    • the HTTPS certificate
    • the php.ini settings
    • directory permissions
    • port forwarding
    • In particular, the ownCloud data directory must be owned by www-data with mode 0770: the web server user can read and write it, other local users cannot read it, and ownCloud checks this at startup.

aria2 and yaaw

  • aria2 can be installed with apt-get or built from source (tutorials abound online); you should get at least version 1.19.
  • Download yaaw and unpack it into /home/kodi/yaaw.
  • There are plenty of aria2 tutorials, so I just give my configuration, kept in ~/.aria2/aria2.conf. aria2 only treats lines that start with # as comments, so the notes are on their own lines rather than after a value:

    # RPC token. "secret" is a placeholder: use a long random value (e.g. openssl rand -hex 32) and put the same value in yaaw
    rpc-secret=secret
    enable-rpc=true
    rpc-allow-origin-all=true
    # Listen on the loopback interface only; the nginx server block on 6801 is the only way in from outside
    rpc-listen-all=false
    # nginx has a server block that forwards to this port
    rpc-listen-port=6800
    # nginx terminates TLS and proxies plain HTTP to this port, so aria2's own TLS stays off.
    # Enable the three lines below only if aria2 is to serve HTTPS on 6800 itself.
    rpc-secure=false
    #rpc-certificate=/etc/letsencrypt/live/testdomain.changeip.com/fullchain.pem
    #rpc-private-key=/etc/letsencrypt/live/testdomain.changeip.com/privkey.pem
    max-concurrent-downloads=5
    continue=true
    max-connection-per-server=5
    min-split-size=10M
    split=10
    max-overall-download-limit=3M
    max-download-limit=0
    max-overall-upload-limit=256K
    max-upload-limit=0
    dir=/mnt/disk2/Downloads
    disk-cache=32M
    file-allocation=prealloc
    input-file=/home/kodi/.aria2/aria2.session
    save-session=/home/kodi/.aria2/aria2.session
  • The key step in configuring yaaw: under Settings, set the JSON-RPC Path to

    https://token:secret@testdomain.changeip.com:6801/jsonrpc

    Note the https and the 6801: yaaw talks to nginx, not to aria2 directly. The token:secret part of the URL is how yaaw is told the RPC secret; it sends it to aria2 as the first parameter of every call (token:secret), not as HTTP basic authentication.

nginx configuration

  • This step gave me a headache; I got there in the end by starting from ownCloud's official nginx configuration.
  • It has been adjusted repeatedly during actual use.
  • Note the server block that terminates TLS on 6801 and forwards to 6800: it lets yaaw run on a fully encrypted site while sidestepping the HTTPS compatibility problems of aria2's own RPC server.
  • There is too much to explain, some of which I do not fully understand yet; I will write it up piece by piece.
    upstream php7-handler {
        # must match listen= in /etc/php/7.0/fpm/pool.d/www.conf
        server unix:/run/php/php7.0-fpm.sock;
    }

    # TLS front for aria2: nginx terminates TLS on 6801 and forwards plain HTTP
    # to aria2's RPC on the loopback interface, so aria2 runs with
    # rpc-secure=false and only needs to listen on 127.0.0.1:6800.
    server {
        listen 6801 ssl;
        server_name testdomain.changeip.com;
        ssl_certificate /etc/letsencrypt/live/testdomain.changeip.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/testdomain.changeip.com/privkey.pem;
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        location / {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:6800;
        }
    }

    server {
        listen 443 ssl;
        server_name testdomain.changeip.com 192.168.10.150;
        ssl_certificate /etc/letsencrypt/live/testdomain.changeip.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/testdomain.changeip.com/privkey.pem;
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        # Security headers (from the ownCloud sample configuration)
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # HSTS for two years with preload. Only keep "preload" if every host under
        # the domain serves HTTPS: the browser preload list is hard to get out of.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

        # Path to the root of your installation
        root /home/kodi/www/;

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Router admin UI (LuCI) reached through the public site. This puts the
        # router login on the internet; restrict it by source address or drop it.
        location /luci {
            # allow 192.168.10.0/24; deny all;   # suggested restriction to the LAN
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://192.168.10.1;
        }

        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /owncloud/public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /owncloud/public.php?service=host-meta-json last;

        location = /.well-known/carddav { return 301 $scheme://$host/owncloud/remote.php/dav; }
        location = /.well-known/caldav { return 301 $scheme://$host/owncloud/remote.php/dav; }

        location /.well-known/acme-challenge { }

        # phpMyAdmin is a database console on the public internet; the same
        # allow/deny restriction as suggested for /luci applies here.
        location ^~ /phpmyadmin {
            location /phpmyadmin {
                server_name_in_redirect off;
                index index.php;
            }
            location ~ ^/phpmyadmin/(?:build|tests|config|lib|3rdparty|templates|data)/ {
                deny all;
            }
            location ~ ^/phpmyadmin/(?:\.|autotest|occ|issue|indie|console) {
                deny all;
            }
            location ~ ^/phpmyadmin/.*\.php$ {
                include fastcgi_params;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param HTTPS on;
                fastcgi_pass php7-handler;
                fastcgi_intercept_errors on;
                # fastcgi_request_buffering off;
            }
            location ~ ^/phpmyadmin/.*\.(htm|html|gif|jpg|png|js|css)$ {
                root /home/kodi/www;
            }
        }

        location ^~ /owncloud {
            # set max upload size
            client_max_body_size 51200M;
            fastcgi_buffers 64 4K;

            # Disable gzip to avoid the removal of the ETag header
            gzip off;

            # Uncomment if your server is built with the ngx_pagespeed module
            # This module is currently not supported.
            #pagespeed off;

            location /owncloud {
                rewrite ^ /owncloud/index.php$uri;
            }

            location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
                deny all;
            }
            location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
                deny all;
            }

            location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
                include fastcgi_params;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param HTTPS on;
                fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
                fastcgi_param front_controller_active true;
                fastcgi_pass php7-handler;
                fastcgi_intercept_errors on;
                # fastcgi_request_buffering off;
            }

            location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) {
                try_files $uri/ =404;
                index index.php;
            }

            # Adding the cache control header for js and css files
            # Make sure it is BELOW the PHP block
            location ~* \.(?:css|js)$ {
                try_files $uri /owncloud/index.php$uri$is_args$args;
                add_header Cache-Control "public, max-age=7200";
                # The security headers are repeated on purpose: an add_header in a
                # nested location replaces the whole set from the enclosing level,
                # so without these the css/js responses would carry none of them.
                add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
                add_header X-Content-Type-Options nosniff;
                add_header X-Frame-Options "SAMEORIGIN";
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Robots-Tag none;
                add_header X-Download-Options noopen;
                add_header X-Permitted-Cross-Domain-Policies none;
                # Optional: Don't log access to assets
                access_log off;
            }

            location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
                try_files $uri /owncloud/index.php$uri$is_args$args;
                # Optional: Don't log access to other assets
                access_log off;
            }
        }
    }