mirror of
https://github.com/AlexBocken/mykb.git
synced 2024-11-14 02:06:17 +01:00
Compare commits
5 Commits
48ad81b8d0
...
ca8519bfac
Author | SHA1 | Date | |
---|---|---|---|
ca8519bfac | |||
c7c1dfd44e | |||
2182cbabd6 | |||
207b443898 | |||
a83af847be |
80
docs/dnsmasq.md
Normal file
80
docs/dnsmasq.md
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
# DNSMasq
|
||||||
|
A simple and lightweight DNS and DHCP server for local development.
|
||||||
|
|
||||||
|
Personally I have only yet used this to circumvent NAT Loopback issues with my router, but it can be used for much more.
|
||||||
|
|
||||||
|
## Installation
|
||||||
|
It's a simple
|
||||||
|
```sh
|
||||||
|
pacman -S dnsmasq
|
||||||
|
```
|
||||||
|
|
||||||
|
### Configuration
|
||||||
|
|
||||||
|
We need to disable the systemd-resolved service, as it will conflict with DNSMasq.
|
||||||
|
Afterwards we can start the DNSMasq service.
|
||||||
|
```sh
|
||||||
|
systemctl disable systemd-resolved.service
|
||||||
|
systemctl stop systemd-resolved.service
|
||||||
|
systemctl enable --now dnsmasq.service
|
||||||
|
```
|
||||||
|
|
||||||
|
We can now look into the configuration file at `/etc/dnsmasq.conf` and make changes to our liking.
|
||||||
|
|
||||||
|
```conf
|
||||||
|
listen-address=::1,127.0.0.1,192.168.1.1
|
||||||
|
```
|
||||||
|
|
||||||
|
More cached DNS queries:
|
||||||
|
```conf
|
||||||
|
cache-size=1000
|
||||||
|
```
|
||||||
|
(max 10000)
|
||||||
|
|
||||||
|
|
||||||
|
DNSSec validation:
|
||||||
|
```conf
|
||||||
|
conf-file=/usr/share/dnsmasq/trust-anchors.conf
|
||||||
|
dnssec
|
||||||
|
```
|
||||||
|
|
||||||
|
## DNS Forwarding
|
||||||
|
We will most likely not have all wanted DNS entries ourselves and should look these up on a different server.
|
||||||
|
We can do this by chaning `/etc/resolv.conf` to the following:
|
||||||
|
```conf
|
||||||
|
nameserver ::1
|
||||||
|
nameserver 127.0.0.1
|
||||||
|
options trust-ad
|
||||||
|
```
|
||||||
|
If we want Networkmanager to not overwrite this file, we can set it to immutable:
|
||||||
|
```sh
|
||||||
|
chattr +i /etc/resolv.conf
|
||||||
|
```
|
||||||
|
then restart Networkmanager:
|
||||||
|
```sh
|
||||||
|
systemctl restart NetworkManager.service
|
||||||
|
```
|
||||||
|
|
||||||
|
Now add your upstream DNS servers to `/etc/dnsmasq.conf`:
|
||||||
|
```conf
|
||||||
|
no-resolv
|
||||||
|
|
||||||
|
# Google's nameservers, for example
|
||||||
|
server=8.8.8.8
|
||||||
|
server=8.8.4.4
|
||||||
|
```
|
||||||
|
|
||||||
|
## Address Overrides
|
||||||
|
For NAT Loopback we need to override the DNS entries for our local network.
|
||||||
|
For example if we want to direct `cloud.example.com` to our server directly, we can add the following to `/etc/dnsmasq.conf`:
|
||||||
|
```conf
|
||||||
|
address=/cloud.example.com/192.168.1.2
|
||||||
|
```
|
||||||
|
adjust the IP address to your setup.
|
||||||
|
|
||||||
|
After restarting the dnsmasq service, we can check if the DNS entry is correct:
|
||||||
|
```sh
|
||||||
|
drill cloud.example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
You can now set this DNS server as your primary DNS server in your router or on your local machine.
|
@ -4,7 +4,260 @@ We're assuming an Arch Linux installation, but the steps should be similar for o
|
|||||||
There are two possible ways to serve Nextclouds PHP code: uWSGI and PHP-FPM.
|
There are two possible ways to serve Nextclouds PHP code: uWSGI and PHP-FPM.
|
||||||
We'll be using PHP-FPM as this is the recommended way and nginx is easier to setup with it, especially if you wish to enable additional plugins such as LDAP.
|
We'll be using PHP-FPM as this is the recommended way and nginx is easier to setup with it, especially if you wish to enable additional plugins such as LDAP.
|
||||||
|
|
||||||
TODO
|
Be prepared for quite a bit of work, with too many files which look identical, but it's worth it.
|
||||||
|
This instal guide is based on the [Arch Wiki](https://wiki.archlinux.org/index.php/Nextcloud) and the [Nextcloud documentation](https://docs.nextcloud.com/server/20/admin_manual/installation/source_installation.html). It mainly emphasizes some points which go under in the Arch Wiki article.
|
||||||
|
|
||||||
|
We assume postgresql as the database backend, but you can also use mysql/mariadb (which is also the recommended way by Nextcloud). I do this because I run a lot of other stuff on postgresql already and like it :).
|
||||||
|
PostgreSQL is said to deliver better performance and overall has fewer quirks compared to MariaDB/MySQL but expect less support from Nextcloud devs and community.
|
||||||
|
Nginx is already assumed to be set up and you have a certbot certificate for your domain.
|
||||||
|
In these instructions we will use `cloud.example.com` as the domain name, but you should of course replace it with your own.
|
||||||
|
|
||||||
|
First, install the required packages:
|
||||||
|
```sh
|
||||||
|
pacman -S nextcloud
|
||||||
|
```
|
||||||
|
When asked, choose `php-legacy` as your PHP version.
|
||||||
|
```sh
|
||||||
|
pacman -S php-legacy-imagick lbrsvg --asdeps
|
||||||
|
```
|
||||||
|
### Configuration
|
||||||
|
#### PHP
|
||||||
|
```sh
|
||||||
|
cp /etc/php-legacy/php.ini /etc/webapps/nextcloud
|
||||||
|
chown nextcloud:nextcloud /etc/webapps/nextcloud/php.ini
|
||||||
|
```
|
||||||
|
enable the following extensions in `/etc/webapps/nextcloud/php.ini`:
|
||||||
|
```ini
|
||||||
|
extension=bcmath
|
||||||
|
extension=bz2
|
||||||
|
extension=exif
|
||||||
|
extension=gd
|
||||||
|
extension=iconv
|
||||||
|
extension=intl
|
||||||
|
extension=sysvsem
|
||||||
|
; in case you installed php-legacy-imagick (as recommended)
|
||||||
|
extension=imagick
|
||||||
|
```
|
||||||
|
Set date.timezone. For example:
|
||||||
|
```ini
|
||||||
|
date.timezone = Europe/Zurich
|
||||||
|
```
|
||||||
|
Raise PHP memory limit to at least 512MB:
|
||||||
|
```ini
|
||||||
|
memory_limit = 512M
|
||||||
|
```
|
||||||
|
Limit Nextcloud's access to the filesystem:
|
||||||
|
```ini
|
||||||
|
open_basedir=/var/lib/nextcloud:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom:/usr/lib/php-legacy/modules:/var/log/nextcloud:/proc/meminfo:/proc/cpuinfo
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Nextcloud
|
||||||
|
In `/etc/webapps/nextcloud/config/config.php` add:
|
||||||
|
|
||||||
|
```php
|
||||||
|
'trusted_domains' =>
|
||||||
|
array (
|
||||||
|
0 => 'localhost',
|
||||||
|
1 => 'cloud.example.com',
|
||||||
|
),
|
||||||
|
'overwrite.cli.url' => 'https://cloud.example.com/',
|
||||||
|
'htaccess.RewriteBase' => '/',
|
||||||
|
```
|
||||||
|
|
||||||
|
#### System and environment
|
||||||
|
|
||||||
|
To make sure the Nextcloud specific `php.ini` is used by the `occ` tool set the environment variable `NEXTCLOUD_PHP_CONFIG`:
|
||||||
|
```sh
|
||||||
|
export NEXTCLOUD_PHP_CONFIG=/etc/webapps/nextcloud/php.ini
|
||||||
|
```
|
||||||
|
And also add this to your `.bashrc` or `.zshrc` (whichever is your shell) to make it permanent.
|
||||||
|
|
||||||
|
As a privacy and security precaution create the dedicated directory for session data:
|
||||||
|
```sh
|
||||||
|
install --owner=nextcloud --group=nextcloud --mode=700 -d /var/lib/nextcloud/sessions
|
||||||
|
```
|
||||||
|
|
||||||
|
#### PostgreSQL
|
||||||
|
I'm assuming you already have postgres installed and running. (Till feel free to improve this section)
|
||||||
|
For additional security in this scenario it is recommended to configure PostgreSQL to only listen on a local UNIX socket:
|
||||||
|
In `/var/lib/postgres/data/postgresql.conf`:
|
||||||
|
```
|
||||||
|
listen_addresses = ''
|
||||||
|
```
|
||||||
|
|
||||||
|
Especially do not forget to initialize your database with `initdb` if you have not setup postgresql yet.
|
||||||
|
|
||||||
|
Now create a database and user for Nextcloud:
|
||||||
|
```sh
|
||||||
|
su - postgres
|
||||||
|
psql
|
||||||
|
CREATE USER nextcloud WITH PASSWORD 'db-password';
|
||||||
|
CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UNICODE';
|
||||||
|
ALTER DATABASE nextcloud OWNER TO nextcloud;
|
||||||
|
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
|
||||||
|
\q
|
||||||
|
```
|
||||||
|
and of course replace `db-password` with a strong password of your choice.
|
||||||
|
|
||||||
|
Additionally install `php-legacy-pgsql`:
|
||||||
|
```sh
|
||||||
|
pacman -S php-legacy-pgsql --asdeps
|
||||||
|
```
|
||||||
|
and enable this in /etc/webapps/nextcloud/php.ini:
|
||||||
|
```ini
|
||||||
|
extension=pdo_pgsql
|
||||||
|
```
|
||||||
|
|
||||||
|
Now setup Nextcloud's database schema with:
|
||||||
|
```sh
|
||||||
|
occ maintenance:install \
|
||||||
|
--database=pgsql \
|
||||||
|
--database-name=nextcloud \
|
||||||
|
--database-host=/run/postgresql \
|
||||||
|
--database-user=nextcloud \
|
||||||
|
--database-pass=<db-password> \
|
||||||
|
--admin-pass=<admin-password> \
|
||||||
|
--admin-email=<admin-email> \
|
||||||
|
--data-dir=/var/lib/nextcloud/data
|
||||||
|
```
|
||||||
|
and adjust the appropriate values in `<>` to your specific setup.
|
||||||
|
|
||||||
|
Congrats, you now have nextcloud setup. Currently it is not yet being served, for this we need to continue with our fpm and nginx setup.
|
||||||
|
|
||||||
|
#### FPM
|
||||||
|
Install `php-legacy-fpm`:
|
||||||
|
```sh
|
||||||
|
pacman -S php-legacy-fpm --asdeps
|
||||||
|
```
|
||||||
|
##### php-fpm.ini
|
||||||
|
We don't want to use the default php.ini for php-fpm, but a dedicated one. Hence we first copy the default php.ini to a dedicated one:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
cp /etc/php-legacy/php.ini /etc/php-legacy/php-fpm.ini
|
||||||
|
```
|
||||||
|
|
||||||
|
Enable opcache in `/etc/php-legacy/php-fpm.ini`:
|
||||||
|
```ini
|
||||||
|
zend_extension=opcache
|
||||||
|
```
|
||||||
|
And set the following parameters under `[opcache]` in `/etc/php-legacy/php-fpm.ini`:
|
||||||
|
```ini
|
||||||
|
[opcache]
|
||||||
|
opcache.enable = 1
|
||||||
|
opcache.interned_strings_buffer = 8
|
||||||
|
opcache.max_accelerated_files = 10000
|
||||||
|
opcache.memory_consumption = 128
|
||||||
|
opcache.save_comments = 1
|
||||||
|
opcache.revalidate_freq = 1
|
||||||
|
```
|
||||||
|
This should differ from the default only in `opcache.revalidate_freq` but be sure to uncomment all of them anyways.
|
||||||
|
|
||||||
|
#### nextcloud.conf
|
||||||
|
Next you have to create a so called pool file for FPM. It is responsible for spawning dedicated FPM processes for the Nextcloud application. Create a file `/etc/php-legacy/php-fpm.d/nextcloud.conf`.
|
||||||
|
You can use the file in this repository as a template [Here a link](../static/nextcloud/nextcloud.conf). It should work out of the box without any modifications.
|
||||||
|
|
||||||
|
Create the access log directory:
|
||||||
|
```sh
|
||||||
|
mkdir -p /var/log/php-fpm-legacy/access
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Systemd service
|
||||||
|
To overwrite the default php-fpm-legacy service create a file in `/etc/systemd/system/php-fpm-legacy.service.d/override.conf` with the following content:
|
||||||
|
```ini
|
||||||
|
[Service]
|
||||||
|
ExecStart=
|
||||||
|
ExecStart=/usr/bin/php-fpm-legacy --nodaemonize --fpm-config /etc/php-legacy/php-fpm.conf --php-ini /etc/php-legacy/php-fpm.ini
|
||||||
|
ReadWritePaths=/var/lib/nextcloud
|
||||||
|
ReadWritePaths=/etc/webapps/nextcloud/config
|
||||||
|
```
|
||||||
|
|
||||||
|
Now you can `systemctl enable --now php-fpm-legacy`.
|
||||||
|
|
||||||
|
##### Keep /etc tidy
|
||||||
|
As a small bonus you can remove the unnecessary uwsgi config files by adding this to `/etc/pacman.conf`:
|
||||||
|
|
||||||
|
```
|
||||||
|
# uWSGI configuration that comes with Nextcloud is not needed
|
||||||
|
NoExtract = etc/uwsgi/nextcloud.ini
|
||||||
|
```
|
||||||
|
#### Nginx
|
||||||
|
Finally we're at the nginx part and are almost ready to test our setup.
|
||||||
|
We're assuming you have a working nginx setup with a certbot certificate for your domain and possible domains are in `/etc/nginx/sites-available/` and symlinked to `/etc/nginx/sites-enabled/` to enable them (like Debian).
|
||||||
|
|
||||||
|
The nextcloud documentation has a great [example nginx configuration](https://docs.nextcloud.com/server/20/admin_manual/installation/source_installation.html#example-nginx-configuration) which we will use as a base.
|
||||||
|
You can find the modified version in this repository [here](../static/nextcloud/nextcloud_nginx).
|
||||||
|
Simply copy this file into `/etc/nginx/sites-available/nextcloud`, replace `cloud.example.com` with your domain, and symlink it to `/etc/nginx/sites-enabled/nextcloud`.
|
||||||
|
|
||||||
|
You should now be able to restart nginx and access your nextcloud instance at https://cloud.example.com.
|
||||||
|
|
||||||
|
##### Strict Transport Security
|
||||||
|
For additional security, if everything works fine and you're happy with your domain you can uncomment the HSTS section in the nginx setup.
|
||||||
|
```nginx
|
||||||
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Background jobs
|
||||||
|
Nextcloud requires certain tasks to be run on a scheduled basis. See Nextcloud's documentation for some details. The easiest (and most reliable) way to set up these background jobs is to use the systemd service and timer units that are already installed by nextcloud.
|
||||||
|
|
||||||
|
Override to the correct php version by adding the file `/etc/systemd/system/nextcloud-cron.service.d/override.conf` with the following content:
|
||||||
|
```ini
|
||||||
|
[Service]
|
||||||
|
ExecStart=
|
||||||
|
ExecStart=/usr/bin/php-legacy -c /etc/webapps/nextcloud/php.ini -f /usr/share/webapps/nextcloud/cron.php
|
||||||
|
```
|
||||||
|
|
||||||
|
After that enable and start nextcloud-cron.timer (not the service).
|
||||||
|
```sh
|
||||||
|
systemctl enable --now nextcloud-cron.timer
|
||||||
|
```
|
||||||
|
|
||||||
|
### Performance Improvements by in-memory caching
|
||||||
|
Nextcloud's documentation recommends to apply some kind of in-memory object cache to significantly improve performance.
|
||||||
|
|
||||||
|
#### APCu
|
||||||
|
Install `php-legacy-apcu`:
|
||||||
|
```sh
|
||||||
|
pacman -S php-legacy-apcu --asdeps
|
||||||
|
```
|
||||||
|
In `/etc/webapps/nextcloud/php.ini` enable the following extensions by uncommenting this:
|
||||||
|
```ini
|
||||||
|
extension=apcu
|
||||||
|
apc.ttl=7200
|
||||||
|
apc.enable_cli = 1
|
||||||
|
```
|
||||||
|
Order is relevant so uncomment, don't add.
|
||||||
|
|
||||||
|
in `/etc/php-legacy/php-fpm.d/nextcloud.conf` uncomment the following under `[nextcloud]`:
|
||||||
|
```ini
|
||||||
|
php_value[extension] = apcu
|
||||||
|
php_admin_value[apc.ttl] = 7200
|
||||||
|
```
|
||||||
|
Restart your application server:
|
||||||
|
```sh
|
||||||
|
systemctl restart php-fpm-legacy
|
||||||
|
```
|
||||||
|
Add to `/etc/webapps/nextcloud/config/config.php `:
|
||||||
|
```php
|
||||||
|
'memcache.local' => '\OC\Memcache\APCu',
|
||||||
|
```
|
||||||
|
to the `CONFIG` array. (So `);` should be after this)
|
||||||
|
A second application server retart is required and everything should be working.
|
||||||
|
```sh
|
||||||
|
systemctl restart php-fpm-legacy
|
||||||
|
```
|
||||||
|
|
||||||
|
### Do not bruteforce throttle local connections
|
||||||
|
You might see in your admin overview (https://cloud.example.com/settings/admin/overview) an error message like this:
|
||||||
|
|
||||||
|
Your remote address was identified as "192.168.1.1" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly. Further information can be found in the documentation ↗.
|
||||||
|
|
||||||
|
This is because Nextcloud is not able to detect the specific local machine you're connecting from and hence throttles all local connections.
|
||||||
|
The underlying issue is not Nextcloud but your Network setup, specifically your router not allowing for the disabling of NAT Loopback.
|
||||||
|
Discussion of this problem can be found here: https://help.nextcloud.com/t/all-lan-ips-are-shown-as-the-router-gateway-how-can-i-get-the-actual-ip-address/134872
|
||||||
|
|
||||||
|
Your solution: Set up a local DNS server and resolve your domain to your local IP address, not the public one.
|
||||||
|
A simple appraoch would be to use dnsmasq for this.
|
||||||
|
See [my dnsmasq.md](./dnsmasq.md) for more details on how to set this up.
|
||||||
|
|
||||||
## Syncing files with Nextcloud
|
## Syncing files with Nextcloud
|
||||||
They GUI for syncing is surprisingly unusable, luckily the CLI is much better.
|
They GUI for syncing is surprisingly unusable, luckily the CLI is much better.
|
||||||
|
3
index.md
3
index.md
@ -28,7 +28,8 @@ Happy to accept pull requests for new topics!
|
|||||||
- [anki sync server](docs/anki_sync_server.md) personal sync server for anki, a spaced repetition learning program
|
- [anki sync server](docs/anki_sync_server.md) personal sync server for anki, a spaced repetition learning program
|
||||||
- [docker](docs/docker.md) General tips and tricks around the container manager
|
- [docker](docs/docker.md) General tips and tricks around the container manager
|
||||||
- [Searx](docs/Searx.md) A meta searchengine which respects privacy. Arch setup guide.
|
- [Searx](docs/Searx.md) A meta searchengine which respects privacy. Arch setup guide.
|
||||||
- [Nextcloud](docs/Nextcloud.md) A self-hosted cloud solution. Installation (on Arch), configuration, and usage tips.
|
- [Nextcloud](docs/nextcloud.md) A self-hosted cloud solution. Installation (on Arch), configuration, and usage tips.
|
||||||
|
- [dnsmasq](docs/dnsmasq.md) A lightweight DNS server with DHCP and TFTP support.
|
||||||
|
|
||||||
=======
|
=======
|
||||||
- [calcurse sync](docs/calDAV.md) Sync calcurse with you phone etc.
|
- [calcurse sync](docs/calDAV.md) Sync calcurse with you phone etc.
|
||||||
|
518
static/nextcloud/nextcloud.conf
Normal file
518
static/nextcloud/nextcloud.conf
Normal file
@ -0,0 +1,518 @@
|
|||||||
|
; Start a new pool named 'nextcloud'.
|
||||||
|
; the variable $pool can be used in any directive and will be replaced by the
|
||||||
|
; pool name ('nextcloud' here)
|
||||||
|
[nextcloud]
|
||||||
|
|
||||||
|
; Per pool prefix
|
||||||
|
; It only applies on the following directives:
|
||||||
|
; - 'access.log'
|
||||||
|
; - 'slowlog'
|
||||||
|
; - 'listen' (unixsocket)
|
||||||
|
; - 'chroot'
|
||||||
|
; - 'chdir'
|
||||||
|
; - 'php_values'
|
||||||
|
; - 'php_admin_values'
|
||||||
|
; When not set, the global prefix (or /usr) applies instead.
|
||||||
|
; Note: This directive can also be relative to the global prefix.
|
||||||
|
; Default Value: none
|
||||||
|
;prefix = /path/to/pools/$pool
|
||||||
|
|
||||||
|
; Unix user/group of processes
|
||||||
|
; Note: The user is mandatory. If the group is not set, the default user's group
|
||||||
|
; will be used.
|
||||||
|
user = nextcloud
|
||||||
|
group = nextcloud
|
||||||
|
|
||||||
|
; The address on which to accept FastCGI requests.
|
||||||
|
; Valid syntaxes are:
|
||||||
|
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
|
||||||
|
; a specific port;
|
||||||
|
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
||||||
|
; a specific port;
|
||||||
|
; 'port' - to listen on a TCP socket to all addresses
|
||||||
|
; (IPv6 and IPv4-mapped) on a specific port;
|
||||||
|
; '/path/to/unix/socket' - to listen on a unix socket.
|
||||||
|
; Note: This value is mandatory.
|
||||||
|
listen = /run/php-fpm-legacy/nextcloud.sock
|
||||||
|
|
||||||
|
; Set listen(2) backlog.
|
||||||
|
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
|
||||||
|
;listen.backlog = 511
|
||||||
|
|
||||||
|
; Set permissions for unix socket, if one is used. In Linux, read/write
|
||||||
|
; permissions must be set in order to allow connections from a web server. Many
|
||||||
|
; BSD-derived systems allow connections regardless of permissions. The owner
|
||||||
|
; and group can be specified either by name or by their numeric IDs.
|
||||||
|
; Default Values: user and group are set as the running user
|
||||||
|
; mode is set to 0660
|
||||||
|
listen.owner = nextcloud
|
||||||
|
listen.group = http
|
||||||
|
listen.mode = 0660
|
||||||
|
; When POSIX Access Control Lists are supported you can set them using
|
||||||
|
; these options, value is a comma separated list of user/group names.
|
||||||
|
; When set, listen.owner and listen.group are ignored
|
||||||
|
;listen.acl_users =
|
||||||
|
;listen.acl_groups =
|
||||||
|
|
||||||
|
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
|
||||||
|
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
|
||||||
|
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
|
||||||
|
; must be separated by a comma. If this value is left blank, connections will be
|
||||||
|
; accepted from any ip address.
|
||||||
|
; Default Value: any
|
||||||
|
listen.allowed_clients = 127.0.0.1
|
||||||
|
|
||||||
|
; Specify the nice(2) priority to apply to the pool processes (only if set)
|
||||||
|
; The value can vary from -19 (highest priority) to 20 (lower priority)
|
||||||
|
; Note: - It will only work if the FPM master process is launched as root
|
||||||
|
; - The pool processes will inherit the master process priority
|
||||||
|
; unless it specified otherwise
|
||||||
|
; Default Value: no set
|
||||||
|
; process.priority = -19
|
||||||
|
|
||||||
|
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
|
||||||
|
; or group is different than the master process user. It allows to create process
|
||||||
|
; core dump and ptrace the process for the pool user.
|
||||||
|
; Default Value: no
|
||||||
|
; process.dumpable = yes
|
||||||
|
|
||||||
|
; Choose how the process manager will control the number of child processes.
|
||||||
|
; Possible Values:
|
||||||
|
; static - a fixed number (pm.max_children) of child processes;
|
||||||
|
; dynamic - the number of child processes are set dynamically based on the
|
||||||
|
; following directives. With this process management, there will be
|
||||||
|
; always at least 1 children.
|
||||||
|
; pm.max_children - the maximum number of children that can
|
||||||
|
; be alive at the same time.
|
||||||
|
; pm.start_servers - the number of children created on startup.
|
||||||
|
; pm.min_spare_servers - the minimum number of children in 'idle'
|
||||||
|
; state (waiting to process). If the number
|
||||||
|
; of 'idle' processes is less than this
|
||||||
|
; number then some children will be created.
|
||||||
|
; pm.max_spare_servers - the maximum number of children in 'idle'
|
||||||
|
; state (waiting to process). If the number
|
||||||
|
; of 'idle' processes is greater than this
|
||||||
|
; number then some children will be killed.
|
||||||
|
; pm.max_spawn_rate - the maximum number of rate to spawn child
|
||||||
|
; processes at once.
|
||||||
|
; ondemand - no children are created at startup. Children will be forked when
|
||||||
|
; new requests will connect. The following parameter are used:
|
||||||
|
; pm.max_children - the maximum number of children that
|
||||||
|
; can be alive at the same time.
|
||||||
|
; pm.process_idle_timeout - The number of seconds after which
|
||||||
|
; an idle process will be killed.
|
||||||
|
; Note: This value is mandatory.
|
||||||
|
pm = dynamic
|
||||||
|
|
||||||
|
; The number of child processes to be created when pm is set to 'static' and the
|
||||||
|
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
|
||||||
|
; This value sets the limit on the number of simultaneous requests that will be
|
||||||
|
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
|
||||||
|
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
|
||||||
|
; CGI. The below defaults are based on a server without much resources. Don't
|
||||||
|
; forget to tweak pm.* to fit your needs.
|
||||||
|
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
|
||||||
|
; Note: This value is mandatory.
|
||||||
|
pm.max_children = 5
|
||||||
|
|
||||||
|
; The number of child processes created on startup.
|
||||||
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
|
; Default Value: (min_spare_servers + max_spare_servers) / 2
|
||||||
|
pm.start_servers = 2
|
||||||
|
|
||||||
|
; The desired minimum number of idle server processes.
|
||||||
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
|
; Note: Mandatory when pm is set to 'dynamic'
|
||||||
|
pm.min_spare_servers = 1
|
||||||
|
|
||||||
|
; The desired maximum number of idle server processes.
|
||||||
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
|
; Note: Mandatory when pm is set to 'dynamic'
|
||||||
|
pm.max_spare_servers = 3
|
||||||
|
|
||||||
|
; The number of rate to spawn child processes at once.
|
||||||
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
|
; Note: Mandatory when pm is set to 'dynamic'
|
||||||
|
; Default Value: 32
|
||||||
|
;pm.max_spawn_rate = 32
|
||||||
|
|
||||||
|
; The number of seconds after which an idle process will be killed.
|
||||||
|
; Note: Used only when pm is set to 'ondemand'
|
||||||
|
; Default Value: 10s
|
||||||
|
;pm.process_idle_timeout = 10s;
|
||||||
|
|
||||||
|
; The number of requests each child process should execute before respawning.
|
||||||
|
; This can be useful to work around memory leaks in 3rd party libraries. For
|
||||||
|
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
|
||||||
|
; Default Value: 0
|
||||||
|
;pm.max_requests = 500
|
||||||
|
|
||||||
|
; The URI to view the FPM status page. If this value is not set, no URI will be
|
||||||
|
; recognized as a status page. It shows the following information:
|
||||||
|
; pool - the name of the pool;
|
||||||
|
; process manager - static, dynamic or ondemand;
|
||||||
|
; start time - the date and time FPM has started;
|
||||||
|
; start since - number of seconds since FPM has started;
|
||||||
|
; accepted conn - the number of request accepted by the pool;
|
||||||
|
; listen queue - the number of request in the queue of pending
|
||||||
|
; connections (see backlog in listen(2));
|
||||||
|
; max listen queue - the maximum number of requests in the queue
|
||||||
|
; of pending connections since FPM has started;
|
||||||
|
; listen queue len - the size of the socket queue of pending connections;
|
||||||
|
; idle processes - the number of idle processes;
|
||||||
|
; active processes - the number of active processes;
|
||||||
|
; total processes - the number of idle + active processes;
|
||||||
|
; max active processes - the maximum number of active processes since FPM
|
||||||
|
; has started;
|
||||||
|
; max children reached - number of times, the process limit has been reached,
|
||||||
|
; when pm tries to start more children (works only for
|
||||||
|
; pm 'dynamic' and 'ondemand');
|
||||||
|
; Value are updated in real time.
|
||||||
|
; Example output:
|
||||||
|
; pool: www
|
||||||
|
; process manager: static
|
||||||
|
; start time: 01/Jul/2011:17:53:49 +0200
|
||||||
|
; start since: 62636
|
||||||
|
; accepted conn: 190460
|
||||||
|
; listen queue: 0
|
||||||
|
; max listen queue: 1
|
||||||
|
; listen queue len: 42
|
||||||
|
; idle processes: 4
|
||||||
|
; active processes: 11
|
||||||
|
; total processes: 15
|
||||||
|
; max active processes: 12
|
||||||
|
; max children reached: 0
|
||||||
|
;
|
||||||
|
; By default the status page output is formatted as text/plain. Passing either
|
||||||
|
; 'html', 'xml' or 'json' in the query string will return the corresponding
|
||||||
|
; output syntax. Example:
|
||||||
|
; http://www.foo.bar/status
|
||||||
|
; http://www.foo.bar/status?json
|
||||||
|
; http://www.foo.bar/status?html
|
||||||
|
; http://www.foo.bar/status?xml
|
||||||
|
;
|
||||||
|
; By default the status page only outputs short status. Passing 'full' in the
|
||||||
|
; query string will also return status for each pool process.
|
||||||
|
; Example:
|
||||||
|
; http://www.foo.bar/status?full
|
||||||
|
; http://www.foo.bar/status?json&full
|
||||||
|
; http://www.foo.bar/status?html&full
|
||||||
|
; http://www.foo.bar/status?xml&full
|
||||||
|
; The Full status returns for each process:
|
||||||
|
; pid - the PID of the process;
|
||||||
|
; state - the state of the process (Idle, Running, ...);
|
||||||
|
; start time - the date and time the process has started;
|
||||||
|
; start since - the number of seconds since the process has started;
|
||||||
|
; requests - the number of requests the process has served;
|
||||||
|
; request duration - the duration in µs of the requests;
|
||||||
|
; request method - the request method (GET, POST, ...);
|
||||||
|
; request URI - the request URI with the query string;
|
||||||
|
; content length - the content length of the request (only with POST);
|
||||||
|
; user - the user (PHP_AUTH_USER) (or '-' if not set);
|
||||||
|
; script - the main script called (or '-' if not set);
|
||||||
|
; last request cpu - the %cpu the last request consumed
|
||||||
|
; it's always 0 if the process is not in Idle state
|
||||||
|
; because CPU calculation is done when the request
|
||||||
|
; processing has terminated;
|
||||||
|
; last request memory - the max amount of memory the last request consumed
|
||||||
|
; it's always 0 if the process is not in Idle state
|
||||||
|
; because memory calculation is done when the request
|
||||||
|
; processing has terminated;
|
||||||
|
; If the process is in Idle state, then informations are related to the
|
||||||
|
; last request the process has served. Otherwise informations are related to
|
||||||
|
; the current request being served.
|
||||||
|
; Example output:
|
||||||
|
; ************************
|
||||||
|
; pid: 31330
|
||||||
|
; state: Running
|
||||||
|
; start time: 01/Jul/2011:17:53:49 +0200
|
||||||
|
; start since: 63087
|
||||||
|
; requests: 12808
|
||||||
|
; request duration: 1250261
|
||||||
|
; request method: GET
|
||||||
|
; request URI: /test_mem.php?N=10000
|
||||||
|
; content length: 0
|
||||||
|
; user: -
|
||||||
|
; script: /home/fat/web/docs/php/test_mem.php
|
||||||
|
; last request cpu: 0.00
|
||||||
|
; last request memory: 0
|
||||||
|
;
|
||||||
|
; Note: There is a real-time FPM status monitoring sample web page available
|
||||||
|
; It's available in: /usr/share/php-legacy/fpm/status.html
|
||||||
|
;
|
||||||
|
; Note: The value must start with a leading slash (/). The value can be
|
||||||
|
; anything, but it may not be a good idea to use the .php extension or it
|
||||||
|
; may conflict with a real PHP file.
|
||||||
|
; Default Value: not set
|
||||||
|
;pm.status_path = /status
|
||||||
|
|
||||||
|
; The address on which to accept FastCGI status request. This creates a new
|
||||||
|
; invisible pool that can handle requests independently. This is useful
|
||||||
|
; if the main pool is busy with long running requests because it is still possible
|
||||||
|
; to get the status before finishing the long running requests.
|
||||||
|
;
|
||||||
|
; Valid syntaxes are:
|
||||||
|
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
|
||||||
|
; a specific port;
|
||||||
|
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
||||||
|
; a specific port;
|
||||||
|
; 'port' - to listen on a TCP socket to all addresses
|
||||||
|
; (IPv6 and IPv4-mapped) on a specific port;
|
||||||
|
; '/path/to/unix/socket' - to listen on a unix socket.
|
||||||
|
; Default Value: value of the listen option
|
||||||
|
;pm.status_listen = 127.0.0.1:9001
|
||||||
|
|
||||||
|
; The ping URI to call the monitoring page of FPM. If this value is not set, no
|
||||||
|
; URI will be recognized as a ping page. This could be used to test from outside
|
||||||
|
; that FPM is alive and responding, or to
|
||||||
|
; - create a graph of FPM availability (rrd or such);
|
||||||
|
; - remove a server from a group if it is not responding (load balancing);
|
||||||
|
; - trigger alerts for the operating team (24/7).
|
||||||
|
; Note: The value must start with a leading slash (/). The value can be
|
||||||
|
; anything, but it may not be a good idea to use the .php extension or it
|
||||||
|
; may conflict with a real PHP file.
|
||||||
|
; Default Value: not set
|
||||||
|
;ping.path = /ping
|
||||||
|
|
||||||
|
; This directive may be used to customize the response of a ping request. The
|
||||||
|
; response is formatted as text/plain with a 200 response code.
|
||||||
|
; Default Value: pong
|
||||||
|
;ping.response = pong
|
||||||
|
|
||||||
|
; The access log file
|
||||||
|
; Default: not set
|
||||||
|
;access.log = log/$pool.access.log
|
||||||
|
access.log = /var/log/php-fpm-legacy/access/$pool.log
|
||||||
|
|
||||||
|
; The access log format.
|
||||||
|
; The following syntax is allowed
|
||||||
|
; %%: the '%' character
|
||||||
|
; %C: %CPU used by the request
|
||||||
|
; it can accept the following format:
|
||||||
|
; - %{user}C for user CPU only
|
||||||
|
; - %{system}C for system CPU only
|
||||||
|
; - %{total}C for user + system CPU (default)
|
||||||
|
; %d: time taken to serve the request
|
||||||
|
; it can accept the following format:
|
||||||
|
; - %{seconds}d (default)
|
||||||
|
; - %{milliseconds}d
|
||||||
|
; - %{milli}d
|
||||||
|
; - %{microseconds}d
|
||||||
|
; - %{micro}d
|
||||||
|
; %e: an environment variable (same as $_ENV or $_SERVER)
|
||||||
|
; it must be associated with embraces to specify the name of the env
|
||||||
|
; variable. Some examples:
|
||||||
|
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
|
||||||
|
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
|
||||||
|
; %f: script filename
|
||||||
|
; %l: content-length of the request (for POST request only)
|
||||||
|
; %m: request method
|
||||||
|
; %M: peak of memory allocated by PHP
|
||||||
|
; it can accept the following format:
|
||||||
|
; - %{bytes}M (default)
|
||||||
|
; - %{kilobytes}M
|
||||||
|
; - %{kilo}M
|
||||||
|
; - %{megabytes}M
|
||||||
|
; - %{mega}M
|
||||||
|
; %n: pool name
|
||||||
|
; %o: output header
|
||||||
|
; it must be associated with embraces to specify the name of the header:
|
||||||
|
; - %{Content-Type}o
|
||||||
|
; - %{X-Powered-By}o
|
||||||
|
; - %{Transfert-Encoding}o
|
||||||
|
; - ....
|
||||||
|
; %p: PID of the child that serviced the request
|
||||||
|
; %P: PID of the parent of the child that serviced the request
|
||||||
|
; %q: the query string
|
||||||
|
; %Q: the '?' character if query string exists
|
||||||
|
; %r: the request URI (without the query string, see %q and %Q)
|
||||||
|
; %R: remote IP address
|
||||||
|
; %s: status (response code)
|
||||||
|
; %t: server time the request was received
|
||||||
|
; it can accept a strftime(3) format:
|
||||||
|
; %d/%b/%Y:%H:%M:%S %z (default)
|
||||||
|
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
|
||||||
|
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
|
||||||
|
; %T: time the log has been written (the request has finished)
|
||||||
|
; it can accept a strftime(3) format:
|
||||||
|
; %d/%b/%Y:%H:%M:%S %z (default)
|
||||||
|
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
|
||||||
|
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
|
||||||
|
; %u: remote user
|
||||||
|
;
|
||||||
|
; Default: "%R - %u %t \"%m %r\" %s"
|
||||||
|
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
|
||||||
|
access.format = "%{%Y-%m-%dT%H:%M:%S%z}t %R: \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
|
||||||
|
|
||||||
|
; The log file for slow requests
|
||||||
|
; Default Value: not set
|
||||||
|
; Note: slowlog is mandatory if request_slowlog_timeout is set
|
||||||
|
;slowlog = log/$pool.log.slow
|
||||||
|
|
||||||
|
; The timeout for serving a single request after which a PHP backtrace will be
|
||||||
|
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
|
||||||
|
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
||||||
|
; Default Value: 0
|
||||||
|
;request_slowlog_timeout = 0
|
||||||
|
|
||||||
|
; Depth of slow log stack trace.
|
||||||
|
; Default Value: 20
|
||||||
|
;request_slowlog_trace_depth = 20
|
||||||
|
|
||||||
|
; The timeout for serving a single request after which the worker process will
|
||||||
|
; be killed. This option should be used when the 'max_execution_time' ini option
|
||||||
|
; does not stop script execution for some reason. A value of '0' means 'off'.
|
||||||
|
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
||||||
|
; Default Value: 0
|
||||||
|
;request_terminate_timeout = 0
|
||||||
|
|
||||||
|
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
|
||||||
|
; application calls 'fastcgi_finish_request' or when application has finished and
|
||||||
|
; shutdown functions are being called (registered via register_shutdown_function).
|
||||||
|
; This option will enable timeout limit to be applied unconditionally
|
||||||
|
; even in such cases.
|
||||||
|
; Default Value: no
|
||||||
|
;request_terminate_timeout_track_finished = no
|
||||||
|
|
||||||
|
; Set open file descriptor rlimit.
|
||||||
|
; Default Value: system defined value
|
||||||
|
;rlimit_files = 1024
|
||||||
|
|
||||||
|
; Set max core size rlimit.
|
||||||
|
; Possible Values: 'unlimited' or an integer greater or equal to 0
|
||||||
|
; Default Value: system defined value
|
||||||
|
;rlimit_core = 0
|
||||||
|
|
||||||
|
; Chroot to this directory at the start. This value must be defined as an
|
||||||
|
; absolute path. When this value is not set, chroot is not used.
|
||||||
|
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
|
||||||
|
; of its subdirectories. If the pool prefix is not set, the global prefix
|
||||||
|
; will be used instead.
|
||||||
|
; Note: chrooting is a great security feature and should be used whenever
|
||||||
|
; possible. However, all PHP paths will be relative to the chroot
|
||||||
|
; (error_log, sessions.save_path, ...).
|
||||||
|
; Default Value: not set
|
||||||
|
;chroot =
|
||||||
|
|
||||||
|
; Chdir to this directory at the start.
|
||||||
|
; Note: relative path can be used.
|
||||||
|
; Default Value: current directory or / when chroot
|
||||||
|
;chdir = /srv/http
|
||||||
|
chdir = /usr/share/webapps/$pool
|
||||||
|
|
||||||
|
; Redirect worker stdout and stderr into main error log. If not set, stdout and
|
||||||
|
; stderr will be redirected to /dev/null according to FastCGI specs.
|
||||||
|
; Note: on highloaded environment, this can cause some delay in the page
|
||||||
|
; process time (several ms).
|
||||||
|
; Default Value: no
|
||||||
|
;catch_workers_output = yes
|
||||||
|
|
||||||
|
; Decorate worker output with prefix and suffix containing information about
|
||||||
|
; the child that writes to the log and if stdout or stderr is used as well as
|
||||||
|
; log level and time. This options is used only if catch_workers_output is yes.
|
||||||
|
; Settings to "no" will output data as written to the stdout or stderr.
|
||||||
|
; Default value: yes
|
||||||
|
;decorate_workers_output = no
|
||||||
|
|
||||||
|
; Clear environment in FPM workers
|
||||||
|
; Prevents arbitrary environment variables from reaching FPM worker processes
|
||||||
|
; by clearing the environment in workers before env vars specified in this
|
||||||
|
; pool configuration are added.
|
||||||
|
; Setting to "no" will make all environment variables available to PHP code
|
||||||
|
; via getenv(), $_ENV and $_SERVER.
|
||||||
|
; Default Value: yes
|
||||||
|
;clear_env = no
|
||||||
|
|
||||||
|
; Limits the extensions of the main script FPM will allow to parse. This can
|
||||||
|
; prevent configuration mistakes on the web server side. You should only limit
|
||||||
|
; FPM to .php extensions to prevent malicious users to use other extensions to
|
||||||
|
; execute php code.
|
||||||
|
; Note: set an empty value to allow all extensions.
|
||||||
|
; Default Value: .php
|
||||||
|
;security.limit_extensions = .php .php3 .php4 .php5 .php7
|
||||||
|
|
||||||
|
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
|
||||||
|
; the current environment.
|
||||||
|
; Default Value: clean env
|
||||||
|
env[HOSTNAME] = $HOSTNAME
|
||||||
|
env[PATH] = /usr/local/bin:/usr/bin
|
||||||
|
env[TMP] = /tmp
|
||||||
|
env[TMPDIR] = /tmp
|
||||||
|
env[TEMP] = /tmp
|
||||||
|
|
||||||
|
; Additional php.ini defines, specific to this pool of workers. These settings
|
||||||
|
; overwrite the values previously defined in the php.ini. The directives are the
|
||||||
|
; same as the PHP SAPI:
|
||||||
|
; php_value/php_flag - you can set classic ini defines which can
|
||||||
|
; be overwritten from PHP call 'ini_set'.
|
||||||
|
; php_admin_value/php_admin_flag - these directives won't be overwritten by
|
||||||
|
; PHP call 'ini_set'
|
||||||
|
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
|
||||||
|
|
||||||
|
; Defining 'extension' will load the corresponding shared extension from
|
||||||
|
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
|
||||||
|
; overwrite previously defined php.ini values, but will append the new value
|
||||||
|
; instead.
|
||||||
|
|
||||||
|
; Note: path INI options can be relative and will be expanded with the prefix
|
||||||
|
; (pool, global or /usr)
|
||||||
|
|
||||||
|
; Default Value: nothing is defined by default except the values in php.ini and
|
||||||
|
; specified at startup with the -d argument
|
||||||
|
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
|
||||||
|
;php_flag[display_errors] = off
|
||||||
|
;php_admin_value[error_log] = /var/log/fpm-$pool-error.log
|
||||||
|
;php_admin_flag[log_errors] = on
|
||||||
|
;php_admin_value[memory_limit] = 32M
|
||||||
|
|
||||||
|
php_value[date.timezone] = Europe/Zurich
|
||||||
|
|
||||||
|
php_value[open_basedir] = /var/lib/$pool:/tmp:/usr/share/webapps/$pool:/etc/webapps/$pool:/dev/urandom:/usr/lib/php-legacy/modules:/var/log/$pool:/proc/meminfo:/proc/cpuinfo
|
||||||
|
|
||||||
|
; put session data in dedicated directory
|
||||||
|
php_value[session.save_path] = /var/lib/$pool/sessions
|
||||||
|
php_value[session.gc_maxlifetime] = 21600
|
||||||
|
php_value[session.gc_divisor] = 500
|
||||||
|
php_value[session.gc_probability] = 1
|
||||||
|
|
||||||
|
php_flag[expose_php] = false
|
||||||
|
php_value[post_max_size] = 1000M
|
||||||
|
php_value[upload_max_filesize] = 1000M
|
||||||
|
|
||||||
|
; as recommended in admin manual (avoids related warning in admin GUI later)
|
||||||
|
php_flag[output_buffering] = off
|
||||||
|
php_value[max_input_time] = 120
|
||||||
|
php_value[max_execution_time] = 60
|
||||||
|
|
||||||
|
php_value[memory_limit] = 512M
|
||||||
|
|
||||||
|
; opcache settings must be defined in php-fpm.ini. otherwise (i.e. when defined here)
|
||||||
|
; this causes segmentation faults in php-fpm worker processes
|
||||||
|
|
||||||
|
; uncomment if php-apcu is installed and used
|
||||||
|
; php_value[extension] = apcu
|
||||||
|
php_admin_value[apc.ttl] = 7200
|
||||||
|
|
||||||
|
php_value[extension] = bcmath
|
||||||
|
php_value[extension] = bz2
|
||||||
|
php_value[extension] = exif
|
||||||
|
php_value[extension] = gd
|
||||||
|
php_value[extension] = gmp
|
||||||
|
php_value[extension] = iconv
|
||||||
|
; uncomment if php-imagick is installed and used
|
||||||
|
php_value[extension] = imagick
|
||||||
|
php_value[extension] = intl
|
||||||
|
; uncomment if php-memcached is installed and used
|
||||||
|
; php_value[extension] = memcached
|
||||||
|
; uncomment exactly one of the pdo extensions depending on what database is used
|
||||||
|
; php_value[extension] = pdo_mysql
|
||||||
|
php_value[extension] = pdo_pgsql
|
||||||
|
; php_value[extension] = pdo_sqlite
|
||||||
|
; uncomment if php-igbinary is installed and used (e.g. required by redis)
|
||||||
|
; php_value[extension] = igbinary
|
||||||
|
; uncomment if php-redis is installed and used (requires php-igbinary)
|
||||||
|
; php_value[extension] = redis
|
||||||
|
; sysvsem required since nextcloud 26
|
||||||
|
php_value[extension] = sysvsem
|
||||||
|
; uncomment if php-xsl is installed and used
|
||||||
|
; php_value[extension] = xsl
|
195
static/nextcloud/nextcloud_nginx
Normal file
195
static/nextcloud/nextcloud_nginx
Normal file
@ -0,0 +1,195 @@
|
|||||||
|
upstream php-handler {
|
||||||
|
#server 127.0.0.1:9000;
|
||||||
|
server unix:/run/php-fpm-legacy/nextcloud.sock;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
|
||||||
|
map $arg_v $asset_immutable {
|
||||||
|
"" "";
|
||||||
|
default "immutable";
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name cloud.example.com;
|
||||||
|
|
||||||
|
# Prevent nginx HTTP Server Detection
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
# Enforce HTTPS
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
server_name cloud.example.com;
|
||||||
|
|
||||||
|
# Path to the root of your installation
|
||||||
|
root /usr/share/webapps/nextcloud;
|
||||||
|
|
||||||
|
|
||||||
|
# Use Mozilla's guidelines for SSL/TLS settings
|
||||||
|
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||||
|
ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem;
|
||||||
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||||
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||||
|
|
||||||
|
# Prevent nginx HTTP Server Detection
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
# HSTS settings
|
||||||
|
# WARNING: Only add the preload option once you read about
|
||||||
|
# the consequences in https://hstspreload.org/. This option
|
||||||
|
# will add the domain to a hardcoded list that is shipped
|
||||||
|
# in all major browsers and getting removed from this list
|
||||||
|
# could take several months.
|
||||||
|
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||||
|
|
||||||
|
# set max upload size and increase upload timeout:
|
||||||
|
client_max_body_size 512M;
|
||||||
|
client_body_timeout 300s;
|
||||||
|
fastcgi_buffers 64 4K;
|
||||||
|
|
||||||
|
# Enable gzip but do not remove ETag headers
|
||||||
|
gzip on;
|
||||||
|
gzip_vary on;
|
||||||
|
gzip_comp_level 4;
|
||||||
|
gzip_min_length 256;
|
||||||
|
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||||
|
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
||||||
|
|
||||||
|
# Pagespeed is not supported by Nextcloud, so if your server is built
|
||||||
|
# with the `ngx_pagespeed` module, uncomment this line to disable it.
|
||||||
|
#pagespeed off;
|
||||||
|
|
||||||
|
# The settings allows you to optimize the HTTP2 bandwidth.
|
||||||
|
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
|
||||||
|
# for tuning hints
|
||||||
|
client_body_buffer_size 512k;
|
||||||
|
|
||||||
|
# HTTP response headers borrowed from Nextcloud `.htaccess`
|
||||||
|
add_header Referrer-Policy "no-referrer" always;
|
||||||
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||||
|
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||||
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||||
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
|
|
||||||
|
# Remove X-Powered-By, which is an information leak
|
||||||
|
fastcgi_hide_header X-Powered-By;
|
||||||
|
|
||||||
|
# Add .mjs as a file extension for javascript
|
||||||
|
# Either include it in the default mime.types list
|
||||||
|
# or include you can include that list explicitly and add the file extension
|
||||||
|
# only for Nextcloud like below:
|
||||||
|
include mime.types;
|
||||||
|
types {
|
||||||
|
text/javascript js mjs;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Specify how to handle directories -- specifying `/index.php$request_uri`
|
||||||
|
# here as the fallback means that Nginx always exhibits the desired behaviour
|
||||||
|
# when a client requests a path that corresponds to a directory that exists
|
||||||
|
# on the server. In particular, if that directory contains an index.php file,
|
||||||
|
# that file is correctly served; if it doesn't, then the request is passed to
|
||||||
|
# the front-end controller. This consistent behaviour means that we don't need
|
||||||
|
# to specify custom rules for certain paths (e.g. images and other assets,
|
||||||
|
# `/updater`, `/ocs-provider`), and thus
|
||||||
|
# `try_files $uri $uri/ /index.php$request_uri`
|
||||||
|
# always provides the desired behaviour.
|
||||||
|
index index.php index.html /index.php$request_uri;
|
||||||
|
|
||||||
|
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
|
||||||
|
location = / {
|
||||||
|
if ( $http_user_agent ~ ^DavClnt ) {
|
||||||
|
return 302 /remote.php/webdav/$is_args$args;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
location = /robots.txt {
|
||||||
|
allow all;
|
||||||
|
log_not_found off;
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Make a regex exception for `/.well-known` so that clients can still
|
||||||
|
# access it despite the existence of the regex rule
|
||||||
|
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
|
||||||
|
# for `/.well-known`.
|
||||||
|
location ^~ /.well-known {
|
||||||
|
# The rules in this block are an adaptation of the rules
|
||||||
|
# in `.htaccess` that concern `/.well-known`.
|
||||||
|
|
||||||
|
location = /.well-known/carddav { return 301 /remote.php/dav/; }
|
||||||
|
location = /.well-known/caldav { return 301 /remote.php/dav/; }
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
|
||||||
|
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
|
||||||
|
|
||||||
|
# Let Nextcloud's API for `/.well-known` URIs handle all other
|
||||||
|
# requests by passing them to the front-end controller.
|
||||||
|
return 301 /index.php$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Rules borrowed from `.htaccess` to hide certain paths from clients
|
||||||
|
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
|
||||||
|
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
|
||||||
|
|
||||||
|
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
|
||||||
|
# which handle static assets (as seen below). If this block is not declared first,
|
||||||
|
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
|
||||||
|
# to the URI, resulting in a HTTP 500 error response.
|
||||||
|
location ~ \.php(?:$|/) {
|
||||||
|
# Required for legacy support
|
||||||
|
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
|
||||||
|
|
||||||
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||||
|
set $path_info $fastcgi_path_info;
|
||||||
|
|
||||||
|
try_files $fastcgi_script_name =404;
|
||||||
|
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
fastcgi_param PATH_INFO $path_info;
|
||||||
|
fastcgi_param HTTPS on;
|
||||||
|
|
||||||
|
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
|
||||||
|
fastcgi_param front_controller_active true; # Enable pretty urls
|
||||||
|
fastcgi_pass php-handler;
|
||||||
|
|
||||||
|
fastcgi_intercept_errors on;
|
||||||
|
fastcgi_request_buffering off;
|
||||||
|
|
||||||
|
fastcgi_max_temp_file_size 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Serve static files
|
||||||
|
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
|
||||||
|
try_files $uri /index.php$request_uri;
|
||||||
|
add_header Cache-Control "public, max-age=15778463, $asset_immutable";
|
||||||
|
access_log off; # Optional: Don't log access to assets
|
||||||
|
|
||||||
|
location ~ \.wasm$ {
|
||||||
|
default_type application/wasm;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.woff2?$ {
|
||||||
|
try_files $uri /index.php$request_uri;
|
||||||
|
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
||||||
|
access_log off; # Optional: Don't log access to assets
|
||||||
|
}
|
||||||
|
|
||||||
|
# Rule borrowed from `.htaccess`
|
||||||
|
location /remote {
|
||||||
|
return 301 /remote.php$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.php$request_uri;
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user