ほほほのほ - tweet:2020

StationでMattermostに接続する

anonymous@undisclosed.example.com (Anonymous) — Tue, 04 Feb 2020 07:18:21 +0000

StationでMattermostに接続する

https://qiita.com/HideakiSaito/items/3e1727d9cf8c53f39b6d

ようするに、何か適当なアイコンをサービス追加から選ぶ
- 自分は今回はMediamを選んだ
メニュー「View」→「Developer」→「Toggle Page Developer Tools」
開発ツールの「Console」で以下のコマンドを打つ
- ```
location.href="MattermostのURL";
```
開発ツールをCloseする
Mattermostに接続し、認証処理をする
StationをCloseして起動する

これで、再起動してもMattermostを見てくれる（はず）

追記

https://webrandum.net/station-my-custom-apps/

この記事にあるように、Private Appとして登録する手があることが判明…

こっちのほうが取り扱いが楽だね。Iconも設定できるし。

FreeBSDでMultiFIBとNATでpolicy route

anonymous@undisclosed.example.com (Anonymous) — Fri, 27 Mar 2020 10:24:10 +0000

FreeBSDでMultiFIBとNATでpolicy route

とあるところでgre tunnelを使ってsource addressベースの経路制御をしなければならなくなった。

pfでroute-toを使う手もあるにはあったが、制御しくった時にかなり痛い思いをすることがわかっているので、物は試して。

これに関しては、最終的に１本の記事にするつもりなので、ここには簡単なメモ書きだけ。

構成

                     +---ProxyB---+
Dest ---(Internet)---+------------+---(ISP)---Router---Source
                     +---ProxyC---+

Router - ProxyB間はGRE Tunnel(gre0)で接続
Router - ProxyC間はGRE Tunnel(gre1)で接続
Sourceには、IP Addressが３つ付いている
- Src(A)は直接Destに接続する際に利用する
- Src(B)はProxyB経由でDestに接続する際に利用する
  - Routerを出ていく時に、source addressをgre0のlocal側のaddressにNATする
- Src(C)はProxyC経由でDestに接続する際に利用する
  - Routerを出ていく時に、source addressをgre1のlocal側のaddressにNATする
- Src(A),Src(B),Src(C)は、同一Segmentに属しているとする
  - そうしないと、Routerでstatic routeを切らなければならない

Sourceの設定

rc.confの設定

ifconfig_xn0="inet Src(A)/24"
ifconfig_xn0_alias0="inet Src(B)/24"
ifconfig_xn0_alias1="inet Src(C)/24"

Roouterの設定

loader.confの設定
- ```
if_gre_load="YES"
net.fibs=4
```

rc.confの設定

cloned_interfaces="gre0 gre1"
ifconfig_xn0="inet Addr(Global)/masklen"
ifconfig_xn1="inet Src(Router)/masklen"
ifconfig_gre0="inet tun(Router) tun(ProxyB) netmask 255.255.255.252 tunnel Addr(Global) Addr(ProxyB) mtu 1436 fib 1"
ifconfig_gre1="inet tun(Router) tun(ProxyC) netmask 255.255.255.252 tunnel Addr(Global) Addr(ProxyC) mtu 1436 fib 1"

route_0="-fib 0 default Addr(ISP)"
route_1="-fib 1 default tun(ProxyB)"
route_2="-fib 2 default tun(ProxyC)"
static_routes="0 1 2"

pf.confの設定

全部書くと細かすぎるので、必要部分のみ記載する

...(snip)...
nat pass on xn0  from Src(A) to any -> (xn0)
nat pass on gre0 from Src(B) to any -> tun(ProxyB)
nat pass on gre0 from Src(C) to any -> tun(ProxyC)
...(snip)...
pass in from any    to any rtable 0
pass in from Src(B) to any rtable 1
pass in from Src(C) to any rtable 2

Test

Sourceにloginして、

ping -S Src(A) Address(Dest)
traceroute -n -w 2 -s Src(A) Address(Dest)
ping -S Src(B) Address(Dest)
traceroute -n -w 2 -s Src(B) Address(Dest)
ping -S Src(C) Address(Dest)
traceroute -n -w 2 -s Src© Address(Dest)

で確認できるはず。

注意点

pass in from any to any rtable 0 を記載する場所に気をつけること
- pfは、何も設定しなければ、defaultで rtable 0 を利用するので、なくても良い。
- 複雑な設定をする場合、この部分だけは、Genericな部分から記載し、Specificなものほど後ろに書くこと
GRE tunnelを張る際に、ifconfigで必ずFIBを指定すること
- 指定しない場合、FIB 0のみにgreのlocal側Addressが載る。つまり、他のFIBを使わなくなる。
  - ここでどハマりぶっこいて、相当悩んだ。

FreeBSDでWireGuard

anonymous@undisclosed.example.com (Anonymous) — Thu, 11 Jun 2020 10:29:11 +0000

FreeBSDでWireGuard

OpenVPNも悪くないのだが、やっぱり「証明書の更新」がなかなかに厳しい。というわけで、WireGuardを試してみる。

WireGuardとOpenVPNの比較

TBD

Network構造(Site-to-Site VPN)

           |        (192.0.2.1)   (198.51.100.1)        |
 [NodeA]---+---[VPNR-A]------(Internet)------[VPNR-B]---+---[NodeB]
     (10)  |  (1)     \(1)                (2)/     (2)  |   (20)
10.1.1.0/24|           +--------------------+           |10.2.2.0/24
                          10.255.255.0/24

Site A <------------->|<-------Internet------>|<----------> Site B

Site A と Site B をVPNで結ぶ
Site AのNetworkは10.1.1.0/24、Site BのNetworkは10.2.2.0/24
VPNR-AのGlobal Addressは 192.0.2.1、VPNR-BのGlobal Addressは 198.51.100.1
Tunnel Networkは、10.255.255.0/24
VPNR-AのTunnel IP Addressは10.255.255.1、VPNR-BのTunnel IP Addressは10.255.255.2
WireGuardの待ち受けポートをUDP/65534とする

とする。

WireGuardのInstall

FreeBSD以外へのInstallは、いくらでも記事があるので、ここでは割愛。

FreeBSDをRouterにする
- (CMD) sysctl -w net.inet.ip.forwarding=1
- (rc.conf) gateway_enable=“YES”
Packet filterを利用している場合、適当にUDP/65534を開ける
Wireguardをinstallする
- pkg install wireguard
起動時にWireguardが動作するようにrc.confに以下を追記
- wireguard_enable=“YES”
- wireguard_interfaces=“wg0”

これで、Install完了

WireGuardのconfiguration

鍵を作成

VPNR-A

# cd /usr/local/etc/wireguard
# wg genkey | tee A.private.key | wg pubkey > A.public.key
# cat A.private.key
1StlE/SHru2lOOoU+SLaA+SPLAYC+SCLOGUC0A+WaIMM=
# cat A.public.key
wla6Straum0tHReu+woMm/4gruyscrOMaa+thrai/kro=

VPNR-B

# cd /usr/local/etc/wireguard
# wg genkey | tee B.private.key | wg pubkey > B.public.key
# cat B.private.key
Xy8vOTORR2TrAAS3STRAY+TYVrAi+ROOTruId2tHlIPA=
# cat B.public.key
7CYhEISH9She0WRUo0WrA+1tRAY/BLu8XoT/UL+SHLAY=

設定ファイルを作成

VPNR-A:/usr/local/etc/wireguard/wg0.conf

# Wireguard configuration.
[Interface]
Privatekey = 1StlE/SHru2lOOoU+SLaA+SPLAYC+SCLOGUC0A+WaIMM=
Address = 10.255.255.1/24
ListenPort = 65534

[Peer]
PublicKey = 7CYhEISH9She0WRUo0WrA+1tRAY/BLu8XoT/UL+SHLAY=
AllowedIPs = 10.255,255,2/32, 10.2.2.0/24
Endpoint = 192.0.2.1:65534

VPNR-B:/usr/local/etc/wireguard/wg0.conf

# Wireguard configuration.
[Interface]
Privatekey = Xy8vOTORR2TrAAS3STRAY+TYVrAi+ROOTruId2tHlIPA=
Address = 10.255.255.2/24
ListenPort = 65534

[Peer]
PublicKey = wla6Straum0tHReu+woMm/4gruyscrOMaa+thrai/kro=
AllowedIPs = 10.255.255.1/32, 10.1.1.0/24
Endpoint = 198.51.100.1:65534

Wireguardの起動他

Wireguardの起動
- service wireguard start
Wireguardの状態確認
- wg show
  - Interfaceの状態、peerの状態などが出力される
wireguardのversion確認
- wireguard-go help
他に、wg-quickコマンドもあるが、今回は割愛
Wireguardの停止
- service wireguard stop

注意

[Node A]のdefault routeがVPNR-Aを向いているかつ [Node B]のdefault routeがVPNR-Bを向いている(もしくはstatic routeが切られている）場合に、[Node A]と[Node B]がVPNトンネル経由で通信できる。
WireGuardは、L3 Tunnelを掘るためのApplicationなので、OpenVPNやSoftEtherのようなL2 VPNを掘ることはできない。
WireGuardは通信にUDPを利用するので、PacketFilter Firewallの設定が難しいことがある。

FreeBSD 12.1-RELEASE and NextCloud

anonymous@undisclosed.example.com (Anonymous) — Fri, 28 Jul 2023 10:48:20 +0000

FreeBSD 12.1-RELEASE and NextCloud

NextCloudを利用してファイル共有サービスを建てる。

例によってFreeBSDで実装するが、今回は DB に PostgreSQL 13を利用することにする。

Installに関しては https://vermaden.wordpress.com/2020/01/04/nextcloud-17-on-freebsd-12-1/ を参考にしたが、ZFS関連などでいろいろ「本質的には不要」なファイルもあるので、その辺を省く。

NextCloudは更新が早いので、最新版に追従することを考えて、NextCloud自身はportsを利用しないでInstallすることにする。

FreeBSDの設定

以下、FreeBSDの設定を行う。

Binary PackageのInstall

標準状態で ZFS を root にして Install する
必要最小限のPackageを投入
- OLD: ~~<code> # pkg install sudo postgresql12-client postgresql12-server nginx-devel memcached php74 php74-pecl-memcached php74-pdo_pgsql php74-pgsql </code>~~
- Current:
```
# pkg install sudo postgresql13-client postgresql13-server nginx-devel memcached php80 php80-pecl-memcached php80-pdo_pgsql php80-pgsql
```
- 本当はpostgresql13を利用したかったが、pkgでpdo-pgsqlを利用する関係で、postgresql12を利用することにした。将来更新で面倒なことになる可能性があるので悩ましいが、とりあえず現時点ではどうなるかの確認を兼ねてPGSQL12で試してみる。
  - FreeBSDのportsやNetBSDのpkgsrc、RHE系のyum等、Binary Package管理システムはこういうときに融通が効きにくいという辛みがある。しかし、こうしないと派生のBinary Packageが大量に発生するという問題もあるので痛し痒しというところか…
    
    まぁ、そのために、portsでCompileする部分が残っているというのはあるが…
NextCloud用の追加Packageを投入
- OLD: <code> # pkg install php74-extensions php74-zip php74-mbstring php74-gd php74-curl php74-openssl php74-fileinfo php74-bz2 php74-intl php74-bcmath php74-ftp php74-gmp php74-exif php74-pecl-memcache php74-pecl-memcached php74-pecl-imagick-im7 php74-pecl-APCu </code>
- ```
# pkg install php80-extensions php80-zip php80-mbstring php80-gd php80-curl php80-fileinfo php80-bz2 php80-intl php80-bcmath php80-ftp php80-gmp php80-exif php80-pecl-memcache php80-pecl-memcached php80-pecl-imagick-im7 php80-pecl-APCu
```

次に、PGSQLおよび格納ファイル用のzpoolを作成する

# zpool create -m none zdata /dev/ada1
# zfs create zdata/pgsql
# zfs set mountpoint=/var/db/postgres zdata/pgsql
# zfs set recordsize=8k zdata/pgsql
# chown -R postgres:postgres /var/db/postgres
# zfs create zdata/www
# zfs set mountpoint=/home/www zdata/www
# chown www:www /home/www
# chown -R www:www /home/www

PostgreSQLに関する設定

/etc/login.confでpostgresユーザーの各種LOCALE設定を投入する

# cat /etc/login.conf
postgres:\
        :lang=en_US.UTF-8:\
        :setenv=LC_COLLATE=C:\
        :tc=default:

# cap_mkdb /etc/login.conf

PostgreSQLに関する起動時設定を行う。
- 好みもあるが、/etc/rc.conf.localに記述する。/etc/rc.confに記述しても良い。
- ```
postgresql_enable=YES
postgresql_class=postgres
postgresql_data=/var/db/postgres/data13
```
PostgreSQLの初期化を行う
- ```
# /usr/local/etc/rc.d/postgresql initdb
```
PostgrSQLを起動
- ```
# service postgresql start
```

NextCloud用設定を投入

# psql -h localhost -U postgres
psql (12.5)
Type "help" for help.

postgres=# CREATE USER ncadm WITH PASSWORD 'NC_DB_PASSWORD';
CREATE ROLE
postgres=# CREATE DATABASE nc TEMPLATE template0 ENCODING 'UNICODE';
CREATE DATABASE
postgres=# ALTER DATABASE nc OWNER TO ncadm;
ALTER DATABASE
postgres=# \q

~~PostgreSQLのCleanup(Vacuum)とIndex作成を自動で行うようにする~~比較的街の方が大きいので削除
- Vacuumは自動で実施される。Vacuumのタイミングを制御したい場合以外は入れる必要はない
- reindexは壊れた時にのみ行えば良いものなので、cronで定期実行するのは害が大きい模様（壊れるわけではないが、無駄に負荷をかける）
  - reindexによってメモリキャッシュが消えてしまい、indexを再度読み込む負荷がかかる可能性が高い
- ```
# mkdir -p /var/db/postgres/bin
# chown postgres /var/db/postgres/bin
# vi /var/db/postgres/bin/vacuum.sh

#! /bin/sh

/usr/local/bin/vacuumdb -az 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -a 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -s 1> /dev/null 2> /dev/null

# chown postgres /var/db/postgres/bin/vacuum.sh
# chmod +x /var/db/postgres/bin/vacuum.sh

# su - postgres -c 'crontab -e'
0 0 * * * /var/db/postgres/bin/vacuum.sh

# su - postgres -c '/var/db/postgres/bin/vacuum.sh'
```

NGINX

NGINXのlogファイルを格納するDirectoryのOwner/Groupをwww:wwwに変更
- ```
# chown www:www /var/log/nginx
```

/usr/local/etc/nginx/nginx.confを作成

nginx.conf

user www;
worker_processes 4;
worker_rlimit_nofile 51200;
error_log /var/log/nginx/error.log;

events {
  worker_connections 1024;
}

http {
  include mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" ';
  access_log /var/log/nginx/access.log main;
  sendfile on;
  keepalive_timeout 65;

  upstream php-handler {
    server 127.0.0.1:9000;
  }

  server {
    # ENFORCE HTTPS
    listen 80;
    server_name nextcloud.domain.com;
    return 301 https://$server_name$request_uri;
  }

  server {
    listen 443 ssl http2;
    server_name nextcloud.domain.com;
    ssl_certificate /usr/local/etc/nginx/ssl/ssl-bundle.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/server.key;

    # HEADERS SECURITY RELATED
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header Referrer-Policy "no-referrer";

    # HEADERS
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # PATH TO THE ROOT OF YOUR INSTALLATION
    root /usr/local/www/nextcloud/;

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }

    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # BUFFERS TIMEOUTS UPLOAD SIZES
    client_max_body_size 16400M;
    client_body_buffer_size 1048576k;
    send_timeout 3000;

    # ENABLE GZIP BUT DO NOT REMOVE ETag HEADERS
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
      rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
      deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
      deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
      fastcgi_split_path_info ^(.+\.php)(/.*)$;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param HTTPS on;
      fastcgi_param modHeadersAvailable true;
      fastcgi_param front_controller_active true;
      fastcgi_pass php-handler;
      fastcgi_intercept_errors on;
      fastcgi_request_buffering off;
      fastcgi_keep_conn off;
      fastcgi_buffers 16 256K;
      fastcgi_buffer_size 256k;
      fastcgi_busy_buffers_size 256k;
      fastcgi_temp_file_write_size 256k;
      fastcgi_send_timeout 3000s;
      fastcgi_read_timeout 3000s;
      fastcgi_connect_timeout 3000s;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
      try_files $uri/ =404;
      index index.php;
    }

    # ADDING THE CACHE CONTROL HEADER FOR JS AND CSS FILES
    # MAKE SURE IT IS BELOW PHP BLOCK
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
      try_files $uri /index.php$uri$is_args$args;
      add_header Cache-Control "public, max-age=15778463";
      # HEADERS SECURITY RELATED
      # IT IS INTENDED TO HAVE THOSE DUPLICATED TO ONES ABOVE
      add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
      # HEADERS
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      # OPTIONAL: DONT LOG ACCESS TO ASSETS
      access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
      try_files $uri /index.php$uri$is_args$args;
      # OPTIONAL: DONT LOG ACCESS TO OTHER ASSETS
      access_log off;
    }
  }
}

サーバ証明書の入手

今時はいろいろな方法があるが、今回はLet's Encryptで取得した。
詳細は割愛

PHP configuration

php.ini

php.ini.diff

# diff -c php.ini-production php.ini
*** php.ini-production  Tue Dec  8 10:31:04 2020
--- php.ini     Wed Dec 16 00:49:45 2020
***************
*** 212,218 ****
  ; Development Value: 4096
  ; Production Value: 4096
  ; http://php.net/output-buffering
! output_buffering = 4096
 
  ; You can redirect all of the output of your scripts to a function.  For
  ; example, if you set output_handler to "mb_output_handler", character
--- 212,219 ----
  ; Development Value: 4096
  ; Production Value: 4096
  ; http://php.net/output-buffering
! ;output_buffering = 4096
! output_buffering = Off
 
  ; You can redirect all of the output of your scripts to a function.  For
  ; example, if you set output_handler to "mb_output_handler", character
***************
*** 297,303 ****
  ; The value is also used for json_encode when encoding double values.
  ; If -1 is used, then dtoa mode 0 is used which automatically select the best
  ; precision.
! serialize_precision = -1
 
  ; open_basedir, if set, limits all file operations to the defined directory
  ; and below.  This directive makes most sense if used in a per-directory
--- 298,305 ----
  ; The value is also used for json_encode when encoding double values.
  ; If -1 is used, then dtoa mode 0 is used which automatically select the best
  ; precision.
! ;serialize_precision = -1
! serialize_precision = 17
 
  ; open_basedir, if set, limits all file operations to the defined directory
  ; and below.  This directive makes most sense if used in a per-directory
***************
*** 385,391 ****
  ; Maximum execution time of each script, in seconds
  ; http://php.net/max-execution-time
  ; Note: This directive is hardcoded to 0 for the CLI SAPI
! max_execution_time = 30
 
  ; Maximum amount of time each script may spend parsing request data. It's a good
  ; idea to limit this time on productions servers in order to eliminate unexpectedly
--- 387,394 ----
  ; Maximum execution time of each script, in seconds
  ; http://php.net/max-execution-time
  ; Note: This directive is hardcoded to 0 for the CLI SAPI
! ;max_execution_time = 60
! max_execution_time = 3600
 
  ; Maximum amount of time each script may spend parsing request data. It's a good
  ; idea to limit this time on productions servers in order to eliminate unexpectedly
***************
*** 395,401 ****
  ; Development Value: 60 (60 seconds)
  ; Production Value: 60 (60 seconds)
  ; http://php.net/max-input-time
! max_input_time = 60
 
  ; Maximum input variable nesting level
  ; http://php.net/max-input-nesting-level
--- 398,405 ----
  ; Development Value: 60 (60 seconds)
  ; Production Value: 60 (60 seconds)
  ; http://php.net/max-input-time
! ;max_input_time = 60
! max_input_time = 30000
 
  ; Maximum input variable nesting level
  ; http://php.net/max-input-nesting-level
***************
*** 406,412 ****
 
  ; Maximum amount of memory a script may consume
  ; http://php.net/memory-limit
! memory_limit = 128M
 
  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  ; Error handling and logging ;
--- 410,417 ----
 
  ; Maximum amount of memory a script may consume
  ; http://php.net/memory-limit
! ;memory_limit = 128M
! memory_limit = 1024M
 
  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  ; Error handling and logging ;
***************
*** 536,541 ****
--- 541,547 ----
  ; Production Value: Off
  ; http://php.net/track-errors
  ;track_errors = Off
+ track_errors = Off
 
  ; Turn off normal error reporting and emit XML-RPC error XML
  ; http://php.net/xmlrpc-errors
***************
*** 550,555 ****
--- 556,562 ----
  ; Note: This directive is hardcoded to Off for the CLI SAPI
  ; http://php.net/html-errors
  ;html_errors = On
+ html_errors = On
 
  ; If html_errors is set to On *and* docref_root is not empty, then PHP
  ; produces clickable error messages that direct to a page describing the error
***************
*** 584,589 ****
--- 591,597 ----
  ; http://php.net/error-log
  ; Example:
  ;error_log = php_errors.log
+ error_log = /var/log/php.log
  ; Log errors to syslog (Event Log on Windows).
  ;error_log = syslog
 
***************
*** 691,697 ****
  ; Its value may be 0 to disable the limit. It is ignored if POST data reading
  ; is disabled through enable_post_data_reading.
  ; http://php.net/post-max-size
! post_max_size = 8M
 
  ; Automatically add files before PHP document.
  ; http://php.net/auto-prepend-file
--- 699,706 ----
  ; Its value may be 0 to disable the limit. It is ignored if POST data reading
  ; is disabled through enable_post_data_reading.
  ; http://php.net/post-max-size
! ;post_max_size = 8M
! post_max_size = 16400M
 
  ; Automatically add files before PHP document.
  ; http://php.net/auto-prepend-file
***************
*** 843,852 ****
 
  ; Maximum allowed size for uploaded files.
  ; http://php.net/upload-max-filesize
! upload_max_filesize = 2M
 
  ; Maximum number of files that can be uploaded via a single request
! max_file_uploads = 20
 
  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;
--- 852,863 ----
 
  ; Maximum allowed size for uploaded files.
  ; http://php.net/upload-max-filesize
! ;upload_max_filesize = 2M
! upload_max_filesize = 16400M
 
  ; Maximum number of files that can be uploaded via a single request
! ;max_file_uploads = 20
! max_file_uploads = 64
 
  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;
***************
*** 871,877 ****
 
  ; Default timeout for socket based streams (seconds)
  ; http://php.net/default-socket-timeout
! default_socket_timeout = 60
 
  ; If your scripts have to deal with files from Macintosh systems,
  ; or you are running on a Mac and need to deal with files from
--- 882,889 ----
 
  ; Default timeout for socket based streams (seconds)
  ; http://php.net/default-socket-timeout
! ;default_socket_timeout = 60
! default_socket_timeout = 300
 
  ; If your scripts have to deal with files from Macintosh systems,
  ; or you are running on a Mac and need to deal with files from
***************
*** 960,965 ****
--- 972,978 ----
  ; Defines the default timezone used by the date functions
  ; http://php.net/date.timezone
  ;date.timezone =
+ date.timezone = Asia/Tokyo
 
  ; http://php.net/date.default-latitude
  ;date.default_latitude = 31.7667
***************
*** 1053,1058 ****
--- 1066,1072 ----
  [Pdo_mysql]
  ; Default socket name for local MySQL connects.  If empty, uses the built-in
  ; MySQL defaults.
+ pdo_mysql.cache_size = 2000
  pdo_mysql.default_socket=
 
  [Phar]
***************
*** 1085,1091 ****
  ;mail.force_extra_parameters =
 
  ; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
! mail.add_x_header = Off
 
  ; The path to a log file that will log all mail() calls. Log entries include
  ; the full path of the script, line number, To address and headers.
--- 1099,1106 ----
  ;mail.force_extra_parameters =
 
  ; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
! ;mail.add_x_header = Off
! mail.add_x_header = On
 
  ; The path to a log file that will log all mail() calls. Log entries include
  ; the full path of the script, line number, To address and headers.
***************
*** 1340,1345 ****
--- 1355,1361 ----
  ; does not overwrite the process's umask.
  ; http://php.net/session.save-path
  ;session.save_path = "/tmp"
+ session.save_path = "/tmp"
 
  ; Whether to use strict session mode.
  ; Strict session mode does not accept an uninitialized session ID, and
***************
*** 1767,1785 ****
--- 1783,1806 ----
  [opcache]
  ; Determines if Zend OPCache is enabled
  ;opcache.enable=1
+ opcache.enable=1
 
  ; Determines if Zend OPCache is enabled for the CLI version of PHP
  ;opcache.enable_cli=0
+ opcache.enable_cli=1
 
  ; The OPcache shared memory storage size.
  ;opcache.memory_consumption=128
+ opcache.memory_consumption=128
 
  ; The amount of memory for interned strings in Mbytes.
  ;opcache.interned_strings_buffer=8
+ opcache.interned_strings_buffer=8
 
  ; The maximum number of keys (scripts) in the OPcache hash table.
  ; Only numbers between 200 and 1000000 are allowed.
  ;opcache.max_accelerated_files=10000
+ opcache.max_accelerated_files=10000
 
  ; The maximum percentage of "wasted" memory until a restart is scheduled.
  ;opcache.max_wasted_percentage=5
***************
*** 1798,1803 ****
--- 1819,1825 ----
  ; memory storage allocation. ("1" means validate once per second, but only
  ; once per request. "0" means always validate)
  ;opcache.revalidate_freq=2
+ opcache.revalidate_freq=1
 
  ; Enables or disables file search in include_path optimization
  ;opcache.revalidate_path=0
***************
*** 1805,1810 ****
--- 1827,1833 ----
  ; If disabled, all PHPDoc comments are dropped from the code to reduce the
  ; size of the optimized code.
  ;opcache.save_comments=1
+ opcache.save_comments=1
 
  ; Allow file existence override (file_exists, etc.) performance feature.
  ;opcache.enable_file_override=0

PHP FPM

php-fpm.confの修正

php-fpm.conf.diff

*** php-fpm.conf.default        Tue Dec  8 10:30:57 2020
--- php-fpm.conf        Wed Dec 16 00:59:40 2020
***************
*** 22,27 ****
--- 22,28 ----
  ; Note: the default prefix is /var
  ; Default Value: log/php-fpm.log
  ;error_log = log/php-fpm.log
+ error_log = log/php-fpm.log
 
  ; syslog_facility is used to specify what type of program is logging the
  ; message. This lets syslogd specify that messages from different facilities
***************
*** 29,34 ****
--- 30,36 ----
  ; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
  ; Default Value: daemon
  ;syslog.facility = daemon
+ syslog.facility = daemon
 
  ; syslog_ident is prepended to every message. If you have multiple FPM
  ; instances running on the same server, you can change the default value

以下を実行

# touch /var/log/php-fpm.log
# chown www:www /var/log/php-fpm.log

php-fpm.d/www.confを変更

php-fpm.d/www.conf.diff

# diff -c www.conf www.conf.default
*** www.conf    Wed Dec 16 01:05:44 2020
--- www.conf.default    Tue Dec  8 10:30:57 2020
***************
*** 42,48 ****
  ; Set listen(2) backlog.
  ; Default Value: 511 (-1 on FreeBSD and OpenBSD)
  ;listen.backlog = 511
- listen.backlog = -1
 
  ; Set permissions for unix socket, if one is used. In Linux, read/write
  ; permissions must be set in order to allow connections from a web server. Many
--- 42,47 ----
***************
*** 51,61 ****
  ; Default Values: user and group are set as the running user
  ;                 mode is set to 0660
  ;listen.owner = www
- listen.owner = www
  ;listen.group = www
- listen.group = www
  ;listen.mode = 0660
- listen.mode = 0660
  ; When POSIX Access Control Lists are supported you can set them using
  ; these options, value is a comma separated list of user/group names.
  ; When set, listen.owner and listen.group are ignored
--- 50,57 ----
***************
*** 69,75 ****
  ; accepted from any ip address.
  ; Default Value: any
  ;listen.allowed_clients = 127.0.0.1
- listen.allowed_clients = 127.0.0.1
 
  ; Specify the nice(2) priority to apply to the pool processes (only if set)
  ; The value can vary from -19 (highest priority) to 20 (lower priority)
--- 65,70 ----
***************
*** 109,116 ****
  ;             pm.process_idle_timeout   - The number of seconds after which
  ;                                         an idle process will be killed.
  ; Note: This value is mandatory.
! ;pm = dynamic
! pm = static
 
  ; The number of child processes to be created when pm is set to 'static' and the
  ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
--- 104,110 ----
  ;             pm.process_idle_timeout   - The number of seconds after which
  ;                                         an idle process will be killed.
  ; Note: This value is mandatory.
! pm = dynamic
 
  ; The number of child processes to be created when pm is set to 'static' and the
  ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
***************
*** 121,159 ****
  ; forget to tweak pm.* to fit your needs.
  ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
  ; Note: This value is mandatory.
! ;pm.max_children = 5
! pm.max_children = 8
 
  ; The number of child processes created on startup.
  ; Note: Used only when pm is set to 'dynamic'
  ; Default Value: (min_spare_servers + max_spare_servers) / 2
! ;pm.start_servers = 2
! pm.start_servers = 4
 
  ; The desired minimum number of idle server processes.
  ; Note: Used only when pm is set to 'dynamic'
  ; Note: Mandatory when pm is set to 'dynamic'
! ;pm.min_spare_servers = 1
! pm.min_spare_servers = 4
 
  ; The desired maximum number of idle server processes.
  ; Note: Used only when pm is set to 'dynamic'
  ; Note: Mandatory when pm is set to 'dynamic'
! ;pm.max_spare_servers = 3
! pm.max_spare_servers = 32
 
  ; The number of seconds after which an idle process will be killed.
  ; Note: Used only when pm is set to 'ondemand'
  ; Default Value: 10s
  ;pm.process_idle_timeout = 10s;
- pm.process_idle_timeout = 1000s;
 
  ; The number of requests each child process should execute before respawning.
  ; This can be useful to work around memory leaks in 3rd party libraries. For
  ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
  ; Default Value: 0
  ;pm.max_requests = 500
- pm.max_requests = 500
 
  ; The URI to view the FPM status page. If this value is not set, no URI will be
  ; recognized as a status page. It shows the following informations:
--- 115,147 ----
  ; forget to tweak pm.* to fit your needs.
  ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
  ; Note: This value is mandatory.
! pm.max_children = 5
 
  ; The number of child processes created on startup.
  ; Note: Used only when pm is set to 'dynamic'
  ; Default Value: (min_spare_servers + max_spare_servers) / 2
! pm.start_servers = 2
 
  ; The desired minimum number of idle server processes.
  ; Note: Used only when pm is set to 'dynamic'
  ; Note: Mandatory when pm is set to 'dynamic'
! pm.min_spare_servers = 1
 
  ; The desired maximum number of idle server processes.
  ; Note: Used only when pm is set to 'dynamic'
  ; Note: Mandatory when pm is set to 'dynamic'
! pm.max_spare_servers = 3
 
  ; The number of seconds after which an idle process will be killed.
  ; Note: Used only when pm is set to 'ondemand'
  ; Default Value: 10s
  ;pm.process_idle_timeout = 10s;
 
  ; The number of requests each child process should execute before respawning.
  ; This can be useful to work around memory leaks in 3rd party libraries. For
  ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
  ; Default Value: 0
  ;pm.max_requests = 500
 
  ; The URI to view the FPM status page. If this value is not set, no URI will be
  ; recognized as a status page. It shows the following informations:
***************
*** 355,361 ****
  ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
  ; Default Value: 0
  ;request_terminate_timeout = 0
- request_terminate_timeout = 0
 
  ; The timeout set by 'request_terminate_timeout' ini option is not engaged after
  ; application calls 'fastcgi_finish_request' or when application has finished and
--- 343,348 ----
***************
*** 368,374 ****
  ; Set open file descriptor rlimit.
  ; Default Value: system defined value
  ;rlimit_files = 1024
- rlimit_files = 51200
 
  ; Set max core size rlimit.
  ; Possible Values: 'unlimited' or an integer greater or equal to 0
--- 355,360 ----
***************
*** 426,440 ****
  ; the current environment.
  ; Default Value: clean env
  ;env[HOSTNAME] = $HOSTNAME
- env[HOSTNAME] = $HOSTNAME
  ;env[PATH] = /usr/local/bin:/usr/bin:/bin
- env[PATH] = /usr/local/bin:/usr/bin:/bin
  ;env[TMP] = /tmp
- env[TMP] = /tmp
  ;env[TMPDIR] = /tmp
- env[TMPDIR] = /tmp
  ;env[TEMP] = /tmp
- env[TEMP] = /tmp
 
  ; Additional php.ini defines, specific to this pool of workers. These settings
  ; overwrite the values previously defined in the php.ini. The directives are the
--- 412,421 ----

Start Backend service

Backend Service を開始する

# service postgresql start
# service postgresql status
# service php-fpm start
# service php-fpm status
# service memcached start
# service memcached status
# service nginx start

Nextcloud Configuration

nextcloud/config/config.phpを編集(以下を追加)

  'trusted_proxies'   => ['10.1.201.128','10.1.201.129','10.1.201.130'],
  'overwriteprotocol' => 'https',
  'overwritehost'     => 'hostname',
  'memcache.local'       => '\OC\Memcache\APCu',
  'memcache.distributed' => '\OC\Memcache\Memcached',
  'memcached_servers'    => [
       [ '127.0.0.1', 11211 ],
  ],

BrowserからNextCloudにアクセスする
Top Pageに初期設定の画面が出力される
- DB設定をPgSQLに変更する
- Administrator Accountを作成する
loginしたら、設定から各種設定を確認し、挙動確認を行う

Log rotation

newsyslogでlogをRotationする設定を投入

# mkdir /usr/local/etc/newsyslog.conf.d
# cd /usr/local/etc/newsyslog.conf.d
# vi nextcloud.conf nginx.conf php-fpm.conf

nextcloud.conf

/some/where/nextcloud/data/nextcloud.log www:www 640 7 * @T00  JC

nginx.conf

/var/log/nginx/error.log          www:www     640  7     *    @T00  JC
/var/log/nginx/access.log         www:www     640  7     *    @T00  JC

/var/log/nginx/nextcloud.err      www:www     640  7     *    @T00  JC
/var/log/nginx/nextcloud.acc      www:www     640  7     *    @T00  JC

php-fpm.conf

/var/log/php-fpm.log                         www:www     640  7     *    @T00  JC