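Combining nginx and Apache plays to the strengths of both: the former handles high concurrency and static pages and reverse-proxies services such as Apache, while the latter has better compatibility with dynamic pages. In addition, some applications are officially supported only on nginx, so a setup that lets the two coexist is needed. The configuration itself is not hard, but because Nextcloud does not officially provide a configuration for the combination, I ran into a few pitfalls.

Note that the extra proxy hop costs performance, so this setup is not a good fit for a single machine; it suits many-to-many server deployments. I still went with it because of the second requirement above.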

Install and configure Apache

Install the dependencies.

sudo apt-get install apache2 libapache2-mod-php7.2
sudo apt-get install php7.2-gd php7.2-json php7.2-curl php7.2-mbstring php7.2-intl php-imagick php7.2-xml php7.2-zip libapache2-mod-scgi

Enable .htaccess by editing /etc/apache2/apache2.conf:

<Directory /var/www/>
    # Change only this directive; leave the rest of the block as it is
    AllowOverride All
</Directory>

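Edit /etc/apache2/ports.conf. Change the default ports 80 and 443 to something else so they do not conflict with nginx.

Listen 7080
# This block is optional; if it is not already there, do not add it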
<IfModule ssl_module>
Listen 7443
</IfModule>

Create the HTTP site configuration file /etc/apache2/sites-available/example.com.conf:

# Restrict the vhost to listen only on local port 7080
<VirtualHost 127.0.0.1:7080>
    Alias / "/var/www/example.com/"

    <Directory /var/www/example.com/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/example.com
        SetEnv HTTP_HOME /var/www/example.com

        # Optional: 301 redirects specific to Nextcloud; leave them out if it is not installed.
        Redirect 301 /.well-known/carddav https://example.com/nextcloud/remote.php/dav
        Redirect 301 /.well-known/caldav https://example.com/nextcloud/remote.php/dav
        Redirect 301 /.well-known/webdav https://example.com/nextcloud/remote.php/dav
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Enable the required Apache modules.

sudo a2enmod rewrite headers env dir mime

Disable the default site and enable this site's configuration.

sudo a2ensite example.com.conf
sudo a2dissite 000-default.conf

Raise the PHP upload size limit

Taking Apache as the example, edit /etc/php/7.2/apache2/php.ini:

upload_max_filesize = 64M
max_file_uploads = 200
post_max_size = 128M

Restart the Apache service.

sudo systemctl restart apache2

Install and configure nginx

Install it.

sudo apt install nginx

Edit /etc/nginx/nginx.conf. Here only the user and group are changed to www-data, the same as Apache. For the other settings, see here.

user www-data www-data;

Create the SSL site configuration file /etc/nginx/sites-available/example.com. In this configuration, port 80 forces HTTPS access through a 301 redirect, and port 8443 is the HTTPS listening port; if port 443 is not blocked on the public network, 443 can be used instead. Requests are then handed to Apache on port 7080 through proxy_pass.
For issuing the SSL certificate, see "Deploying Let's Encrypt".

server {
    listen 80;
    listen [::]:80;
    # HTTPS listens on 8443 here; drop the port if you listen on 443
    return 301 https://$host:8443$request_uri;
}

server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name example.com;

    client_max_body_size 0;
    underscores_in_headers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    ssl_certificate /etc/apache2/ssl/fullchain.cer;
    ssl_certificate_key /etc/apache2/ssl/private/example.com.key;

    location / {
        # Pass the original host, client address and scheme to Apache
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 64;

        proxy_buffering off;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        # Apache backend on the loopback interface
        proxy_pass http://127.0.0.1:7080;
    }
}

Enable the site.

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo systemctl reload nginx
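
Added example (not from the original post): `Listen 7080` in ports.conf binds every interface, and the address in `<VirtualHost 127.0.0.1:7080>` only selects which configuration answers, so the backend port stays reachable from outside unless ports.conf says `Listen 127.0.0.1:7080` or a firewall blocks it. The function below reads `ss -tln` output and reports any listener on the backend port that is not loopback-only; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# exposed_listeners PORT: reads `ss -tln` output on stdin and prints every
# listening address on PORT that is not a loopback address.
# Exit status: 0 = loopback only, 1 = exposed, 2 = nothing listens on PORT.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)          # the port follows the last colon
            if (n == 0) next
            addr = substr($4, 1, n - 1)
            if (substr($4, n + 1) != port) next
            found = 1
            if (addr ~ /^127\./ || addr == "[::1]") next
            print $4                            # wildcard or routable address
            bad = 1
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: Apache started with "Listen 7080" (all interfaces).
SAMPLE_ALL_IF='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511                *:7080              *:*
LISTEN 0      511          0.0.0.0:8443        0.0.0.0:*'

# Constructed sample: Apache started with "Listen 127.0.0.1:7080".
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511        127.0.0.1:7080        0.0.0.0:*
LISTEN 0      511          0.0.0.0:8443        0.0.0.0:*'

for sample in "$SAMPLE_ALL_IF" "$SAMPLE_LOOPBACK"; do
    if out=$(printf '%s\n' "$sample" | exposed_listeners 7080); then
        echo "7080: loopback only"
    else
        echo "7080: reachable on $out"
    fi
done
# On a live host: ss -tln | exposed_listeners 7080
```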

Nextcloud settings

Edit config.php:

'overwritehost' => 'example.com:8443',
'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://example.com:8443/nextcloud/',
'trusted_proxies' => ['127.0.0.1'],

References

Nextcloud configuration » Reverse proxy
Nginx Full Example Configuration
Nginx开发从入门到精通 (Nginx Development: From Beginner to Expert)