搭建 nextcloud 私有网盘+跨设备文件同步,并开启内网穿透+公网访问

流程图 #

flowchart

haproxy #

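global
    log /dev/log local0 warning
    # Run as the unprivileged account created by the distro haproxy package
    # ("haproxy" is the conventional name; adjust if your package differs).
    # Listeners are bound before privileges are dropped, so root is not
    # required for *:443 below.
    user haproxy
    group haproxy
    daemon

    # These defaults only apply to "bind ... ssl" listeners. ft_main below is
    # a plain-TCP SNI passthrough (no "ssl" on its bind), so they are inert
    # here; TLS is terminated further down the chain by frps (frp.exp.com)
    # and by the frpc tls2raw plugin (nextcloud.exp.com).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

########################################################

defaults
    log global
    timeout connect 10s
    timeout client 30s
    timeout server 30s

    # Only used by HTTP-mode proxies; harmless for the TCP-mode sections below.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

########################################################

frontend ft_main
    mode tcp
    bind *:443

    # Hold the connection up to 3s so the TLS ClientHello can be inspected
    # for SNI without terminating TLS; a ClientHello (hello type 1) is
    # accepted as soon as it arrives instead of waiting out the full delay.
    tcp-request inspect-delay 3s
    tcp-request content accept if { req.ssl_hello_type 1 }

    ## frps proxy: Nextcloud traffic -> frps vhostHTTPSPort (4443 in frps.json)
    use_backend bk_frps if { req.ssl_sni -i nextcloud.exp.com }

    ## frps service: frpc control connection -> frps bindPort (7000 in frps.json);
    ## frpc dials :443, so its ClientHello must carry frp.exp.com as SNI
    use_backend frp.exp.com if { req.ssl_sni -i frp.exp.com }

    # Deliberately no default_backend: a connection whose SNI matches neither
    # name has no backend and should simply be closed, so nothing else on
    # this host is reachable through :443.


########################################################

## --- frps proxy ---
backend bk_frps
    mode tcp
    server s1 127.0.0.1:4443

## --- frps service ---
backend frp.exp.com
    mode tcp
    server s1 127.0.0.1:7000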

frps #

{
    "auth": {
        "method": "token",
        "token": "passwd"
    },
    "bindAddr": "0.0.0.0",
    "bindPort": 7000,
    "vhostHTTPSPort": 4443,
    "log": {
        "to": "console",
        "level": "info",
        "disablePrintColor": true
    },
    "transport": {
        "tcpMuxKeepaliveInterval": 25,
        "tcpKeepalive": -1,
        "maxPoolCount": 5,
        "tls": {
            "force": true,
            "certFile": "/path/to/frp.exp.com/cert.pem",
            "keyFile": "/path/to/frp.exp.com/key.pem"
        }
    }
}

frpc #

{
    "auth": {
        "method": "token",
        "token": "passwd"
    },
    "user": "xx",
    "serverAddr": "frp.exp.com",
    "serverPort": 443,
    "loginFailExit": false,
    "log": {
        "to": "console",
        "level": "info",
        "disablePrintColor": true
    },
    "transport": {
        "protocol": "tcp",
        "poolCount": 5,
        "tcpMux": true,
        "tcpMuxKeepaliveInterval": 25,
        "heartbeatInterval": -1,
        "tls": {
            "enable": true,
            "disableCustomTLSFirstByte": true,
            "trustedCaFile": "/path/to/frp.exp.com/ca.cer"
        }
    },
    "proxies": [
        {
            "name": "nextcloud.exp.com",
            "type": "https",
            "customDomains": ["nextcloud.exp.com"],
            "plugin": {
                "type": "tls2raw",
                "localAddr": "127.0.0.1:11000",
                "crtPath": "/path/to/nextcloud.exp.com/cert.pem",
                "keyPath": "/path/to/nextcloud.exp.com/key.pem"
            }
        }
    ]
}

本配置使用的是 frpc 单向校验 frps 身份:frpc 通过 transport.tls.trustedCaFile 校验 frps 的证书,而 frps 并不校验 frpc 的证书,因此 auth.token 是 frps 识别合法客户端的唯一凭据,部署时应把示例中的 passwd 换成足够长的随机字符串。另外 frpc 设置了 disableCustomTLSFirstByte,使连接以标准的 TLS ClientHello 开始,haproxy 才能按 SNI 把它转发到 frps 的 7000 端口。

如果 frp.exp.com 使用的是常见公共 CA 签发的证书,比如 Let's Encrypt,则可以将 ca 文件指向系统默认的根证书集合,以 Debian 为例,将 transport.tls.trustedCaFile 设置为 /etc/ssl/certs/ca-certificates.crt。注意这样一来任何公共 CA 签发的 frp.exp.com 证书都会被 frpc 接受,而指向自建 CA 的文件则只信任该 CA。

nextcloud #

创建 nextcloud 数据文件夹,并将以下NEXTCLOUD_DATADIR指向于此:

# Host directory for Nextcloud user data; NEXTCLOUD_DATADIR in the docker run
# command below must point at this same path.
mkdir -p /path/to/ncdata/nextcloud

启动:

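# Nextcloud AIO master container.
# - 208:8080 publishes the AIO admin UI on every interface so it is reachable
#   from the LAN; it is not routed through haproxy/frp (frpc only forwards
#   nextcloud.exp.com to port 11000). NOTE(review): AIO's own docs describe
#   this UI as https://<host>:8080 — confirm the scheme before using the
#   http:// link given below.
# - /var/run/docker.sock lets the container drive the Docker daemon (it creates
#   the other AIO containers); the :ro flag only applies to the socket file and
#   does not restrict what can be done over the API.
# - APACHE_IP_BINDING=127.0.0.1: both consumers of port 11000 on this page
#   (frpc's tls2raw localAddr and the LAN nginx proxy_pass) run on this host,
#   so the plaintext Apache listener does not need to be reachable from the
#   LAN. Use 0.0.0.0 only if the reverse proxy moves to another machine.
docker run \
    --init \
    --sig-proxy=false \
    --name nextcloud-aio-mastercontainer \
    --restart always \
    --publish 208:8080 \
    --env APACHE_PORT=11000 \
    --env APACHE_IP_BINDING=127.0.0.1 \
    --env APACHE_ADDITIONAL_NETWORK="" \
    --env SKIP_DOMAIN_VALIDATION=false \
    --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    --env NEXTCLOUD_DATADIR="/path/to/ncdata/nextcloud" \
    ghcr.io/nextcloud-releases/all-in-one:latest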

从浏览器打开http://局域网IP:208进入AIO本地管理界面,验证nextcloud.exp.com公网访问域名,配置安装选项,点击安装。

本地直连 #

当 nextcloud 安装在局域网某个设备上时,其他设备如何绕过 vps 直连 nextcloud?

在局域网配置 nginx 反向代理到 nextcloud:

# WebSocket support: "upgrade" when the client sent an Upgrade header, "close"
# otherwise; consumed by the Connection header in the location block.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# LAN-side TLS endpoint for nextcloud.exp.com; uses the same certificate the
# frpc tls2raw plugin presents on the public path.
server {
    listen 443 ssl;
    http2 on;
    server_name nextcloud.exp.com;

    # Stream request/response bodies through without buffering (large file
    # uploads and downloads).
    proxy_buffering off;
    proxy_request_buffering off;

    # 0 disables nginx's request body size limit; long read timeout keeps
    # slow transfers alive.
    client_max_body_size 0;
    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;

    ssl_certificate /path/to/nextcloud.exp.com/cert.pem;
    ssl_certificate_key /path/to/nextcloud.exp.com/key.pem;

    # curl -L https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/dhparam
    # Only used by DHE ciphers; the ssl_ciphers list below is ECDHE-only, so
    # this file is not exercised but is harmless to keep.
    ssl_dhparam /etc/dhparam; 

    # TLS 1.3 0-RTT. Early data can be replayed by a network attacker; the
    # Early-Data header passed below is what lets the upstream treat such
    # requests with care.
    ssl_early_data on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve x25519:x448:secp521r1:secp384r1:secp256r1;

    ssl_prefer_server_ciphers on;
    ssl_conf_command Options PrioritizeChaCha;
    # NOTE(review): the TLS_* names are TLS 1.3 suites, which OpenSSL
    # configures separately from this list; they are most likely ignored here.
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;

    location / {
        # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
        # Plaintext hop to the AIO Apache listener on this host — the same
        # 127.0.0.1:11000 that frpc's tls2raw plugin targets for public traffic.
        proxy_pass http://127.0.0.1:11000$request_uri; 

        # Original client address, port and scheme for the upstream; Host is
        # forwarded unchanged so the upstream sees nextcloud.exp.com.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        # "1" when the request arrived as TLS 1.3 early data (see ssl_early_data).
        proxy_set_header Early-Data $ssl_early_data;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

配置本机hosts文件,直接指定nextcloud.exp.com到 nginx 所在的局域网IP,以 windows 为例:

# C:\Windows\System32\drivers\etc\hosts
# Pins nextcloud.exp.com to the LAN nginx so the client keeps using the same
# name (and thus the same certificate) as on the public path, bypassing the VPS.
局域网IP nextcloud.exp.com

延伸阅读 #