使用 nextcloud + frp 搭建私有网盘
搭建 nextcloud 私有网盘+跨设备文件同步,并开启内网穿透+公网访问
流程图 #
haproxy #
global
log /dev/log local0 warning
user root
group root
daemon
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
########################################################
defaults
log global
timeout connect 10s
timeout client 30s
timeout server 30s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
########################################################
frontend ft_main
mode tcp
bind *:443
tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 }
## frps代理
use_backend bk_frps if { req.ssl_sni -i nextcloud.exp.com }
## frps服务
use_backend frp.exp.com if { req.ssl_sni -i frp.exp.com }
########################################################
## --- frps代理 ---
backend bk_frps
mode tcp
server s1 127.0.0.1:4443
## --- frps服务 ---
backend frp.exp.com
mode tcp
server s1 127.0.0.1:7000
frps #
{
"auth": {
"method": "token",
"token": "passwd"
},
"bindAddr": "0.0.0.0",
"bindPort": 7000,
"vhostHTTPSPort": 4443,
"log": {
"to": "console",
"level": "info",
"disablePrintColor": true
},
"transport": {
"tcpMuxKeepaliveInterval": 25,
"tcpKeepalive": -1,
"maxPoolCount": 5,
"tls": {
"force": true,
"certFile": "/path/to/frp.exp.com/cert.pem",
"keyFile": "/path/to/frp.exp.com/key.pem"
}
}
}
frpc #
{
"auth": {
"method": "token",
"token": "passwd"
},
"user": "xx",
"serverAddr": "frp.exp.com",
"serverPort": 443,
"loginFailExit": false,
"log": {
"to": "console",
"level": "info",
"disablePrintColor": true
},
"transport": {
"protocol": "tcp",
"poolCount": 5,
"tcpMux": true,
"tcpMuxKeepaliveInterval": 25,
"heartbeatInterval": -1,
"tls": {
"enable": true,
"disableCustomTLSFirstByte": true,
"trustedCaFile": "/path/to/frp.exp.com/ca.cer"
}
},
"proxies": [
{
"name": "nextcloud.exp.com",
"type": "https",
"customDomains": ["nextcloud.exp.com"],
"plugin": {
"type": "tls2raw",
"localAddr": "127.0.0.1:11000",
"crtPath": "/path/to/nextcloud.exp.com/cert.pem",
"keyPath": "/path/to/nextcloud.exp.com/key.pem"
}
}
]
}
本配置使用的是 frpc 单向校验 frps 身份。
如果frp.exp.com使用的是常见公共CA签发的证书,比如 Let's Encrypt,则可以将 ca 文件指向系统默认的根证书集合,以 Debian 为例,将transport.tls.trustedCaFile设置为/etc/ssl/certs/ca-certificates.crt。
nextcloud #
创建 nextcloud 数据文件夹,并将以下NEXTCLOUD_DATADIR指向于此:
mkdir -p /path/to/ncdata/nextcloud
启动:
docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 208:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--env NEXTCLOUD_DATADIR="/path/to/ncdata/nextcloud" \
ghcr.io/nextcloud-releases/all-in-one:latest
从浏览器打开http://局域网IP:208进入AIO本地管理界面,验证nextcloud.exp.com公网访问域名,配置安装选项,点击安装。
本地直连 #
当 nextcloud 安装在局域网某个设备上时,其他设备如何绕过 vps 直连 nextcloud?
在局域网配置 nginx 反向代理到 nextcloud:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl;
http2 on;
server_name nextcloud.exp.com;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
ssl_certificate /path/to/nextcloud.exp.com/cert.pem;
ssl_certificate_key /path/to/nextcloud.exp.com/key.pem;
# curl -L https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/dhparam
ssl_dhparam /etc/dhparam;
ssl_early_data on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve x25519:x448:secp521r1:secp384r1:secp256r1;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
location / {
# Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
proxy_pass http://127.0.0.1:11000$request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header Early-Data $ssl_early_data;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
配置本机hosts文件,直接指定nextcloud.exp.com到 nginx 所在的局域网IP,以 windows 为例:
# C:\Windows\System32\drivers\etc\hosts
局域网IP nextcloud.exp.com
延伸阅读 #
- 相关 SSL 证书可以使用 acme 申请和自动续订
- HAProxy 的安装和使用
- frp 的安装和使用
- nextcloud/all-in-one