forked from infra/ansible
nextcloud: adjust for debian bullseye, backport php settings
This commit is contained in:
parent
7bc18ea42f
commit
577706dbbe
@ -9,3 +9,4 @@ opcache.max_accelerated_files=10000
|
|||||||
opcache.memory_consumption=128
|
opcache.memory_consumption=128
|
||||||
opcache.save_comments=1
|
opcache.save_comments=1
|
||||||
opcache.revalidate_freq=1
|
opcache.revalidate_freq=1
|
||||||
|
opcache.jit_buffer_size=100M
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
; Start a new pool named 'www'.
|
; Start a new pool named 'www'.
|
||||||
; the variable $pool can we used in any directive and will be replaced by the
|
; the variable $pool can be used in any directive and will be replaced by the
|
||||||
; pool name ('www' here)
|
; pool name ('www' here)
|
||||||
[www]
|
[www]
|
||||||
|
|
||||||
@ -29,21 +29,20 @@ group = www-data
|
|||||||
; a specific port;
|
; a specific port;
|
||||||
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
||||||
; a specific port;
|
; a specific port;
|
||||||
; 'port' - to listen on a TCP socket to all IPv4 addresses on a
|
; 'port' - to listen on a TCP socket to all addresses
|
||||||
; specific port;
|
|
||||||
; '[::]:port' - to listen on a TCP socket to all addresses
|
|
||||||
; (IPv6 and IPv4-mapped) on a specific port;
|
; (IPv6 and IPv4-mapped) on a specific port;
|
||||||
; '/path/to/unix/socket' - to listen on a unix socket.
|
; '/path/to/unix/socket' - to listen on a unix socket.
|
||||||
; Note: This value is mandatory.
|
; Note: This value is mandatory.
|
||||||
listen = /var/run/php-fpm.sock
|
listen = /run/php/php-fpm.sock
|
||||||
|
|
||||||
; Set listen(2) backlog.
|
; Set listen(2) backlog.
|
||||||
; Default Value: 65535 (-1 on FreeBSD and OpenBSD)
|
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
|
||||||
;listen.backlog = 65535
|
;listen.backlog = 511
|
||||||
|
|
||||||
; Set permissions for unix socket, if one is used. In Linux, read/write
|
; Set permissions for unix socket, if one is used. In Linux, read/write
|
||||||
; permissions must be set in order to allow connections from a web server. Many
|
; permissions must be set in order to allow connections from a web server. Many
|
||||||
; BSD-derived systems allow connections regardless of permissions.
|
; BSD-derived systems allow connections regardless of permissions. The owner
|
||||||
|
; and group can be specified either by name or by their numeric IDs.
|
||||||
; Default Values: user and group are set as the running user
|
; Default Values: user and group are set as the running user
|
||||||
; mode is set to 0660
|
; mode is set to 0660
|
||||||
listen.owner = www-data
|
listen.owner = www-data
|
||||||
@ -54,7 +53,7 @@ listen.group = www-data
|
|||||||
; When set, listen.owner and listen.group are ignored
|
; When set, listen.owner and listen.group are ignored
|
||||||
;listen.acl_users =
|
;listen.acl_users =
|
||||||
;listen.acl_groups =
|
;listen.acl_groups =
|
||||||
|
|
||||||
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
|
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
|
||||||
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
|
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
|
||||||
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
|
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
|
||||||
@ -71,6 +70,12 @@ listen.group = www-data
|
|||||||
; Default Value: no set
|
; Default Value: no set
|
||||||
; process.priority = -19
|
; process.priority = -19
|
||||||
|
|
||||||
|
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
|
||||||
|
; or group is different than the master process user. It allows to create process
|
||||||
|
; core dump and ptrace the process for the pool user.
|
||||||
|
; Default Value: no
|
||||||
|
; process.dumpable = yes
|
||||||
|
|
||||||
; Choose how the process manager will control the number of child processes.
|
; Choose how the process manager will control the number of child processes.
|
||||||
; Possible Values:
|
; Possible Values:
|
||||||
; static - a fixed number (pm.max_children) of child processes;
|
; static - a fixed number (pm.max_children) of child processes;
|
||||||
@ -106,28 +111,28 @@ pm = dynamic
|
|||||||
; forget to tweak pm.* to fit your needs.
|
; forget to tweak pm.* to fit your needs.
|
||||||
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
|
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
|
||||||
; Note: This value is mandatory.
|
; Note: This value is mandatory.
|
||||||
pm.max_children = 5
|
pm.max_children = 80
|
||||||
|
|
||||||
; The number of child processes created on startup.
|
; The number of child processes created on startup.
|
||||||
; Note: Used only when pm is set to 'dynamic'
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
|
; Default Value: (min_spare_servers + max_spare_servers) / 2
|
||||||
pm.start_servers = 2
|
pm.start_servers = 10
|
||||||
|
|
||||||
; The desired minimum number of idle server processes.
|
; The desired minimum number of idle server processes.
|
||||||
; Note: Used only when pm is set to 'dynamic'
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
; Note: Mandatory when pm is set to 'dynamic'
|
; Note: Mandatory when pm is set to 'dynamic'
|
||||||
pm.min_spare_servers = 1
|
pm.min_spare_servers = 10
|
||||||
|
|
||||||
; The desired maximum number of idle server processes.
|
; The desired maximum number of idle server processes.
|
||||||
; Note: Used only when pm is set to 'dynamic'
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
; Note: Mandatory when pm is set to 'dynamic'
|
; Note: Mandatory when pm is set to 'dynamic'
|
||||||
pm.max_spare_servers = 3
|
pm.max_spare_servers = 15
|
||||||
|
|
||||||
; The number of seconds after which an idle process will be killed.
|
; The number of seconds after which an idle process will be killed.
|
||||||
; Note: Used only when pm is set to 'ondemand'
|
; Note: Used only when pm is set to 'ondemand'
|
||||||
; Default Value: 10s
|
; Default Value: 10s
|
||||||
;pm.process_idle_timeout = 10s;
|
;pm.process_idle_timeout = 10s;
|
||||||
|
|
||||||
; The number of requests each child process should execute before respawning.
|
; The number of requests each child process should execute before respawning.
|
||||||
; This can be useful to work around memory leaks in 3rd party libraries. For
|
; This can be useful to work around memory leaks in 3rd party libraries. For
|
||||||
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
|
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
|
||||||
@ -135,7 +140,7 @@ pm.max_spare_servers = 3
|
|||||||
;pm.max_requests = 500
|
;pm.max_requests = 500
|
||||||
|
|
||||||
; The URI to view the FPM status page. If this value is not set, no URI will be
|
; The URI to view the FPM status page. If this value is not set, no URI will be
|
||||||
; recognized as a status page. It shows the following informations:
|
; recognized as a status page. It shows the following information:
|
||||||
; pool - the name of the pool;
|
; pool - the name of the pool;
|
||||||
; process manager - static, dynamic or ondemand;
|
; process manager - static, dynamic or ondemand;
|
||||||
; start time - the date and time FPM has started;
|
; start time - the date and time FPM has started;
|
||||||
@ -180,7 +185,7 @@ pm.max_spare_servers = 3
|
|||||||
;
|
;
|
||||||
; By default the status page only outputs short status. Passing 'full' in the
|
; By default the status page only outputs short status. Passing 'full' in the
|
||||||
; query string will also return status for each pool process.
|
; query string will also return status for each pool process.
|
||||||
; Example:
|
; Example:
|
||||||
; http://www.foo.bar/status?full
|
; http://www.foo.bar/status?full
|
||||||
; http://www.foo.bar/status?json&full
|
; http://www.foo.bar/status?json&full
|
||||||
; http://www.foo.bar/status?html&full
|
; http://www.foo.bar/status?html&full
|
||||||
@ -225,14 +230,30 @@ pm.max_spare_servers = 3
|
|||||||
; last request memory: 0
|
; last request memory: 0
|
||||||
;
|
;
|
||||||
; Note: There is a real-time FPM status monitoring sample web page available
|
; Note: There is a real-time FPM status monitoring sample web page available
|
||||||
; It's available in: /usr/share/php/7.0/fpm/status.html
|
; It's available in: /usr/share/php/8.0/fpm/status.html
|
||||||
;
|
;
|
||||||
; Note: The value must start with a leading slash (/). The value can be
|
; Note: The value must start with a leading slash (/). The value can be
|
||||||
; anything, but it may not be a good idea to use the .php extension or it
|
; anything, but it may not be a good idea to use the .php extension or it
|
||||||
; may conflict with a real PHP file.
|
; may conflict with a real PHP file.
|
||||||
; Default Value: not set
|
; Default Value: not set
|
||||||
;pm.status_path = /status
|
;pm.status_path = /status
|
||||||
|
|
||||||
|
; The address on which to accept FastCGI status request. This creates a new
|
||||||
|
; invisible pool that can handle requests independently. This is useful
|
||||||
|
; if the main pool is busy with long running requests because it is still possible
|
||||||
|
; to get the status before finishing the long running requests.
|
||||||
|
;
|
||||||
|
; Valid syntaxes are:
|
||||||
|
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
|
||||||
|
; a specific port;
|
||||||
|
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
||||||
|
; a specific port;
|
||||||
|
; 'port' - to listen on a TCP socket to all addresses
|
||||||
|
; (IPv6 and IPv4-mapped) on a specific port;
|
||||||
|
; '/path/to/unix/socket' - to listen on a unix socket.
|
||||||
|
; Default Value: value of the listen option
|
||||||
|
;pm.status_listen = 127.0.0.1:9001
|
||||||
|
|
||||||
; The ping URI to call the monitoring page of FPM. If this value is not set, no
|
; The ping URI to call the monitoring page of FPM. If this value is not set, no
|
||||||
; URI will be recognized as a ping page. This could be used to test from outside
|
; URI will be recognized as a ping page. This could be used to test from outside
|
||||||
; that FPM is alive and responding, or to
|
; that FPM is alive and responding, or to
|
||||||
@ -265,13 +286,13 @@ pm.max_spare_servers = 3
|
|||||||
; %d: time taken to serve the request
|
; %d: time taken to serve the request
|
||||||
; it can accept the following format:
|
; it can accept the following format:
|
||||||
; - %{seconds}d (default)
|
; - %{seconds}d (default)
|
||||||
; - %{miliseconds}d
|
; - %{milliseconds}d
|
||||||
; - %{mili}d
|
; - %{mili}d
|
||||||
; - %{microseconds}d
|
; - %{microseconds}d
|
||||||
; - %{micro}d
|
; - %{micro}d
|
||||||
; %e: an environment variable (same as $_ENV or $_SERVER)
|
; %e: an environment variable (same as $_ENV or $_SERVER)
|
||||||
; it must be associated with embraces to specify the name of the env
|
; it must be associated with embraces to specify the name of the env
|
||||||
; variable. Some exemples:
|
; variable. Some examples:
|
||||||
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
|
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
|
||||||
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
|
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
|
||||||
; %f: script filename
|
; %f: script filename
|
||||||
@ -293,7 +314,7 @@ pm.max_spare_servers = 3
|
|||||||
; - ....
|
; - ....
|
||||||
; %p: PID of the child that serviced the request
|
; %p: PID of the child that serviced the request
|
||||||
; %P: PID of the parent of the child that serviced the request
|
; %P: PID of the parent of the child that serviced the request
|
||||||
; %q: the query string
|
; %q: the query string
|
||||||
; %Q: the '?' character if query string exists
|
; %Q: the '?' character if query string exists
|
||||||
; %r: the request URI (without the query string, see %q and %Q)
|
; %r: the request URI (without the query string, see %q and %Q)
|
||||||
; %R: remote IP address
|
; %R: remote IP address
|
||||||
@ -301,64 +322,87 @@ pm.max_spare_servers = 3
|
|||||||
; %t: server time the request was received
|
; %t: server time the request was received
|
||||||
; it can accept a strftime(3) format:
|
; it can accept a strftime(3) format:
|
||||||
; %d/%b/%Y:%H:%M:%S %z (default)
|
; %d/%b/%Y:%H:%M:%S %z (default)
|
||||||
|
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
|
||||||
|
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
|
||||||
; %T: time the log has been written (the request has finished)
|
; %T: time the log has been written (the request has finished)
|
||||||
; it can accept a strftime(3) format:
|
; it can accept a strftime(3) format:
|
||||||
; %d/%b/%Y:%H:%M:%S %z (default)
|
; %d/%b/%Y:%H:%M:%S %z (default)
|
||||||
|
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
|
||||||
|
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
|
||||||
; %u: remote user
|
; %u: remote user
|
||||||
;
|
;
|
||||||
; Default: "%R - %u %t \"%m %r\" %s"
|
; Default: "%R - %u %t \"%m %r\" %s"
|
||||||
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
|
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
|
||||||
|
|
||||||
; The log file for slow requests
|
; The log file for slow requests
|
||||||
; Default Value: not set
|
; Default Value: not set
|
||||||
; Note: slowlog is mandatory if request_slowlog_timeout is set
|
; Note: slowlog is mandatory if request_slowlog_timeout is set
|
||||||
;slowlog = log/$pool.log.slow
|
;slowlog = log/$pool.log.slow
|
||||||
|
|
||||||
; The timeout for serving a single request after which a PHP backtrace will be
|
; The timeout for serving a single request after which a PHP backtrace will be
|
||||||
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
|
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
|
||||||
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
||||||
; Default Value: 0
|
; Default Value: 0
|
||||||
;request_slowlog_timeout = 0
|
;request_slowlog_timeout = 0
|
||||||
|
|
||||||
|
; Depth of slow log stack trace.
|
||||||
|
; Default Value: 20
|
||||||
|
;request_slowlog_trace_depth = 20
|
||||||
|
|
||||||
; The timeout for serving a single request after which the worker process will
|
; The timeout for serving a single request after which the worker process will
|
||||||
; be killed. This option should be used when the 'max_execution_time' ini option
|
; be killed. This option should be used when the 'max_execution_time' ini option
|
||||||
; does not stop script execution for some reason. A value of '0' means 'off'.
|
; does not stop script execution for some reason. A value of '0' means 'off'.
|
||||||
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
||||||
; Default Value: 0
|
; Default Value: 0
|
||||||
;request_terminate_timeout = 0
|
;request_terminate_timeout = 0
|
||||||
|
|
||||||
|
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
|
||||||
|
; application calls 'fastcgi_finish_request' or when application has finished and
|
||||||
|
; shutdown functions are being called (registered via register_shutdown_function).
|
||||||
|
; This option will enable timeout limit to be applied unconditionally
|
||||||
|
; even in such cases.
|
||||||
|
; Default Value: no
|
||||||
|
;request_terminate_timeout_track_finished = no
|
||||||
|
|
||||||
; Set open file descriptor rlimit.
|
; Set open file descriptor rlimit.
|
||||||
; Default Value: system defined value
|
; Default Value: system defined value
|
||||||
;rlimit_files = 1024
|
;rlimit_files = 1024
|
||||||
|
|
||||||
; Set max core size rlimit.
|
; Set max core size rlimit.
|
||||||
; Possible Values: 'unlimited' or an integer greater or equal to 0
|
; Possible Values: 'unlimited' or an integer greater or equal to 0
|
||||||
; Default Value: system defined value
|
; Default Value: system defined value
|
||||||
;rlimit_core = 0
|
;rlimit_core = 0
|
||||||
|
|
||||||
; Chroot to this directory at the start. This value must be defined as an
|
; Chroot to this directory at the start. This value must be defined as an
|
||||||
; absolute path. When this value is not set, chroot is not used.
|
; absolute path. When this value is not set, chroot is not used.
|
||||||
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
|
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
|
||||||
; of its subdirectories. If the pool prefix is not set, the global prefix
|
; of its subdirectories. If the pool prefix is not set, the global prefix
|
||||||
; will be used instead.
|
; will be used instead.
|
||||||
; Note: chrooting is a great security feature and should be used whenever
|
; Note: chrooting is a great security feature and should be used whenever
|
||||||
; possible. However, all PHP paths will be relative to the chroot
|
; possible. However, all PHP paths will be relative to the chroot
|
||||||
; (error_log, sessions.save_path, ...).
|
; (error_log, sessions.save_path, ...).
|
||||||
; Default Value: not set
|
; Default Value: not set
|
||||||
;chroot =
|
;chroot =
|
||||||
|
|
||||||
; Chdir to this directory at the start.
|
; Chdir to this directory at the start.
|
||||||
; Note: relative path can be used.
|
; Note: relative path can be used.
|
||||||
; Default Value: current directory or / when chroot
|
; Default Value: current directory or / when chroot
|
||||||
chdir = /
|
;chdir = /var/www
|
||||||
|
|
||||||
; Redirect worker stdout and stderr into main error log. If not set, stdout and
|
; Redirect worker stdout and stderr into main error log. If not set, stdout and
|
||||||
; stderr will be redirected to /dev/null according to FastCGI specs.
|
; stderr will be redirected to /dev/null according to FastCGI specs.
|
||||||
; Note: on highloaded environement, this can cause some delay in the page
|
; Note: on highloaded environment, this can cause some delay in the page
|
||||||
; process time (several ms).
|
; process time (several ms).
|
||||||
; Default Value: no
|
; Default Value: no
|
||||||
;catch_workers_output = yes
|
;catch_workers_output = yes
|
||||||
|
|
||||||
|
; Decorate worker output with prefix and suffix containing information about
|
||||||
|
; the child that writes to the log and if stdout or stderr is used as well as
|
||||||
|
; log level and time. This options is used only if catch_workers_output is yes.
|
||||||
|
; Settings to "no" will output data as written to the stdout or stderr.
|
||||||
|
; Default value: yes
|
||||||
|
;decorate_workers_output = no
|
||||||
|
|
||||||
; Clear environment in FPM workers
|
; Clear environment in FPM workers
|
||||||
; Prevents arbitrary environment variables from reaching FPM worker processes
|
; Prevents arbitrary environment variables from reaching FPM worker processes
|
||||||
; by clearing the environment in workers before env vars specified in this
|
; by clearing the environment in workers before env vars specified in this
|
||||||
@ -371,25 +415,26 @@ chdir = /
|
|||||||
; Limits the extensions of the main script FPM will allow to parse. This can
|
; Limits the extensions of the main script FPM will allow to parse. This can
|
||||||
; prevent configuration mistakes on the web server side. You should only limit
|
; prevent configuration mistakes on the web server side. You should only limit
|
||||||
; FPM to .php extensions to prevent malicious users to use other extensions to
|
; FPM to .php extensions to prevent malicious users to use other extensions to
|
||||||
; exectute php code.
|
; execute php code.
|
||||||
; Note: set an empty value to allow all extensions.
|
; Note: set an empty value to allow all extensions.
|
||||||
; Default Value: .php
|
; Default Value: .php
|
||||||
;security.limit_extensions = .php .php3 .php4 .php5
|
;security.limit_extensions = .php .php3 .php4 .php5 .php7
|
||||||
|
|
||||||
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
|
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
|
||||||
; the current environment.
|
; the current environment.
|
||||||
; Default Value: clean env
|
; Default Value: clean env
|
||||||
env[HOSTNAME] = $HOSTNAME
|
;env[HOSTNAME] = $HOSTNAME
|
||||||
|
;env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||||
|
;env[TMP] = /tmp
|
||||||
|
;env[TMPDIR] = /tmp
|
||||||
|
;env[TEMP] = /tmp
|
||||||
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||||
env[TMP] = /tmp
|
|
||||||
env[TMPDIR] = /tmp
|
|
||||||
env[TEMP] = /tmp
|
|
||||||
|
|
||||||
; Additional php.ini defines, specific to this pool of workers. These settings
|
; Additional php.ini defines, specific to this pool of workers. These settings
|
||||||
; overwrite the values previously defined in the php.ini. The directives are the
|
; overwrite the values previously defined in the php.ini. The directives are the
|
||||||
; same as the PHP SAPI:
|
; same as the PHP SAPI:
|
||||||
; php_value/php_flag - you can set classic ini defines which can
|
; php_value/php_flag - you can set classic ini defines which can
|
||||||
; be overwritten from PHP call 'ini_set'.
|
; be overwritten from PHP call 'ini_set'.
|
||||||
; php_admin_value/php_admin_flag - these directives won't be overwritten by
|
; php_admin_value/php_admin_flag - these directives won't be overwritten by
|
||||||
; PHP call 'ini_set'
|
; PHP call 'ini_set'
|
||||||
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
|
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
|
||||||
@ -409,3 +454,5 @@ env[TEMP] = /tmp
|
|||||||
;php_admin_value[error_log] = /var/log/fpm-php.www.log
|
;php_admin_value[error_log] = /var/log/fpm-php.www.log
|
||||||
;php_admin_flag[log_errors] = on
|
;php_admin_flag[log_errors] = on
|
||||||
;php_admin_value[memory_limit] = 32M
|
;php_admin_value[memory_limit] = 32M
|
||||||
|
php_admin_value[memory_limit] = 512M
|
||||||
|
|
||||||
|
@ -3,5 +3,5 @@
|
|||||||
- name: Restart nginx
|
- name: Restart nginx
|
||||||
service: name=nginx state=restarted
|
service: name=nginx state=restarted
|
||||||
|
|
||||||
- name: Restart php7.4-fpm
|
- name: Restart php8.0-fpm
|
||||||
service: name=php7.4-fpm state=restarted
|
service: name=php8.0-fpm state=restarted
|
||||||
|
@ -4,47 +4,53 @@
|
|||||||
apt_key: url="https://packages.sury.org/php/apt.gpg"
|
apt_key: url="https://packages.sury.org/php/apt.gpg"
|
||||||
|
|
||||||
- name: Enable sury php repository
|
- name: Enable sury php repository
|
||||||
apt_repository: repo="deb https://packages.sury.org/php/ stretch main"
|
apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
|
||||||
|
|
||||||
|
- name: Enable collaboraoffice apt-key
|
||||||
|
apt_key: url="https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg"
|
||||||
|
|
||||||
|
- name: Enable collaboraoffice repository
|
||||||
|
apt_repository: repo="deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian11 ./"
|
||||||
|
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- php-redis
|
- php-redis
|
||||||
- php7.4
|
- php8.0
|
||||||
- php7.4-bcmath
|
- php8.0-apcu
|
||||||
- php7.4-bz2
|
- php8.0-bcmath
|
||||||
- php7.4-cli
|
- php8.0-bz2
|
||||||
- php7.4-common
|
- php8.0-cli
|
||||||
- php7.4-curl
|
- php8.0-common
|
||||||
- php7.4-dev
|
- php8.0-curl
|
||||||
- php7.4-fpm
|
- php8.0-dev
|
||||||
- php7.4-gd
|
- php8.0-fpm
|
||||||
- php7.4-gmp
|
- php8.0-gd
|
||||||
- php7.4-imap
|
- php8.0-gmp
|
||||||
- php7.4-intl
|
- php8.0-imap
|
||||||
- php7.4-json
|
- php8.0-intl
|
||||||
- php7.4-ldap
|
- php8.0-ldap
|
||||||
- php7.4-mbstring
|
- php8.0-mbstring
|
||||||
- php7.4-mysql
|
- php8.0-mysql
|
||||||
- php7.4-opcache
|
- php8.0-opcache
|
||||||
- php7.4-pgsql
|
- php8.0-pgsql
|
||||||
- php7.4-readline
|
- php8.0-readline
|
||||||
- php7.4-soap
|
- php8.0-soap
|
||||||
- php7.4-sqlite3
|
- php8.0-sqlite3
|
||||||
- php7.4-tidy
|
- php8.0-tidy
|
||||||
- php7.4-xml
|
- php8.0-xml
|
||||||
- php7.4-xmlrpc
|
- php8.0-xmlrpc
|
||||||
- php7.4-zip
|
- php8.0-zip
|
||||||
- postgresql
|
- postgresql
|
||||||
- python3-psycopg2
|
- python3-psycopg2
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
- name: Configure PostgreSQL database
|
||||||
postgresql_db: name={{ owncloud_dbname }}
|
postgresql_db: name={{ nextcloud_dbname }}
|
||||||
become: true
|
become: true
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
- name: Configure PostgreSQL user
|
- name: Configure PostgreSQL user
|
||||||
postgresql_user: db={{ owncloud_dbname }} name={{ owncloud_dbuser }} password={{ owncloud_dbpass }} priv=ALL state=present
|
postgresql_user: db={{ nextcloud_dbname }} name={{ nextcloud_dbuser }} password={{ nextcloud_dbpass }} priv=ALL state=present
|
||||||
become: true
|
become: true
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
@ -63,22 +69,20 @@
|
|||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/nextcloud
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/nextcloud
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
# FIXME currently PHP handled out of ansible
|
- name: Configure php8.0-fpm
|
||||||
#- name: Configure php7.4-fpm
|
copy: src=www.conf dest=/etc/php/8.0/fpm/pool.d/www.conf
|
||||||
# copy: src=www.conf dest=/etc/php/7.4/fpm/pool.d/www.conf
|
notify: Restart php8.0-fpm
|
||||||
# notify: Restart php7.4-fpm
|
|
||||||
|
|
||||||
# FIXME currently PHP handled out of ansible
|
- name: Configure php8.0 opcache
|
||||||
#- name: Configure php7.4 opcache
|
copy: src=opcache.ini dest=/etc/php/8.0/mods-available/opcache.ini
|
||||||
# copy: src=opcache.ini dest=/etc/php/7.4/mods-available/opcache.ini
|
notify: Restart php8.0-fpm
|
||||||
# notify: Restart php7.4-fpm
|
|
||||||
|
|
||||||
- name: Enable vhost
|
- name: Enable vhost
|
||||||
file: src=/etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-enabled/nextcloud state=link
|
file: src=/etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-enabled/nextcloud state=link
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Start php7.4-fpm
|
- name: Start php8.0-fpm
|
||||||
service: name=php7.4-fpm state=started enabled=yes
|
service: name=php8.0-fpm state=started enabled=yes
|
||||||
|
|
||||||
- name: Start PostgreSQL
|
- name: Start PostgreSQL
|
||||||
service: name=postgresql state=started enabled=yes
|
service: name=postgresql state=started enabled=yes
|
||||||
|
@ -1,3 +1,7 @@
|
|||||||
|
upstream php-handler {
|
||||||
|
server unix:/run/php/php-fpm.sock;
|
||||||
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
@ -23,10 +27,13 @@ server {
|
|||||||
ssl_certificate_key /etc/nginx/ssl/{{ nextcloud_domain }}.key;
|
ssl_certificate_key /etc/nginx/ssl/{{ nextcloud_domain }}.key;
|
||||||
ssl_certificate /etc/nginx/ssl/{{ nextcloud_domain }}.crt;
|
ssl_certificate /etc/nginx/ssl/{{ nextcloud_domain }}.crt;
|
||||||
|
|
||||||
|
# TODO enable anonymized in global config
|
||||||
|
#access_log /var/log/nginx/access.log anonymized;
|
||||||
|
|
||||||
# Add headers to serve security related headers
|
# Add headers to serve security related headers
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
#add_header X-Frame-Options "SAMEORIGIN";
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
add_header X-Robots-Tag none;
|
add_header X-Robots-Tag none;
|
||||||
add_header X-Download-Options noopen;
|
add_header X-Download-Options noopen;
|
||||||
@ -42,9 +49,52 @@ server {
|
|||||||
client_max_body_size 1G;
|
client_max_body_size 1G;
|
||||||
fastcgi_buffers 64 4K;
|
fastcgi_buffers 64 4K;
|
||||||
|
|
||||||
index index.php;
|
index index.php index.html /index.php$request_uri;
|
||||||
error_page 403 /core/templates/403.php;
|
|
||||||
error_page 404 /core/templates/404.php;
|
|
||||||
|
location ^~ /loleaflet {
|
||||||
|
proxy_pass http://localhost:9980;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ^~ /hosting/discovery {
|
||||||
|
proxy_pass http://localhost:9980;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ^~ /hosting/capabilities {
|
||||||
|
proxy_pass http://localhost:9980;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^/lool/(.*)/ws$ {
|
||||||
|
proxy_pass http://localhost:9980;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "Upgrade";
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_read_timeout 36000s;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^/lool {
|
||||||
|
proxy_pass http://localhost:9980;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ^~ /lool/adminws {
|
||||||
|
proxy_pass http://localhost:9980;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "Upgrade";
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_read_timeout 36000s;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
|
||||||
|
location = / {
|
||||||
|
if ( $http_user_agent ~ ^DavClnt ) {
|
||||||
|
return 302 /remote.php/webdav/$is_args$args;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
location = /robots.txt {
|
location = /robots.txt {
|
||||||
allow all;
|
allow all;
|
||||||
@ -52,96 +102,65 @@ server {
|
|||||||
access_log off;
|
access_log off;
|
||||||
}
|
}
|
||||||
|
|
||||||
location = /.well-known/carddav {
|
# Make a regex exception for `/.well-known` so that clients can still
|
||||||
return 301 $scheme://$host/remote.php/dav;
|
# access it despite the existence of the regex rule
|
||||||
}
|
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
|
||||||
location = /.well-known/caldav {
|
# for `/.well-known`.
|
||||||
return 301 $scheme://$host/remote.php/dav;
|
location ^~ /.well-known {
|
||||||
|
# The following 6 rules are borrowed from `.htaccess`
|
||||||
|
|
||||||
|
location = /.well-known/carddav { return 301 /remote.php/dav/; }
|
||||||
|
location = /.well-known/caldav { return 301 /remote.php/dav/; }
|
||||||
|
# Anything else is dynamically handled by Nextcloud
|
||||||
|
location ^~ /.well-known { return 301 /index.php$uri; }
|
||||||
|
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Rules borrowed from `.htaccess` to hide certain paths from clients
|
||||||
|
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
|
||||||
|
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
|
||||||
|
|
||||||
location / {
|
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
|
||||||
rewrite ^ /index.php$request_uri;
|
# which handle static assets (as seen below). If this block is not declared first,
|
||||||
}
|
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
|
||||||
|
# to the URI, resulting in a HTTP 500 error response.
|
||||||
|
location ~ \.php(?:$|/) {
|
||||||
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||||
|
set $path_info $fastcgi_path_info;
|
||||||
|
|
||||||
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
|
try_files $fastcgi_script_name =404;
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
|
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
|
|
||||||
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
|
|
||||||
include fastcgi_params;
|
include fastcgi_params;
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
fastcgi_param PATH_INFO $path_info;
|
||||||
fastcgi_pass unix:/run/php/php-fpm.sock;
|
|
||||||
fastcgi_param HTTPS on;
|
fastcgi_param HTTPS on;
|
||||||
#Avoid sending the security headers twice
|
|
||||||
fastcgi_param modHeadersAvailable true;
|
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
|
||||||
fastcgi_param front_controller_active true;
|
fastcgi_param front_controller_active true; # Enable pretty urls
|
||||||
|
fastcgi_pass php-handler;
|
||||||
|
|
||||||
fastcgi_intercept_errors on;
|
fastcgi_intercept_errors on;
|
||||||
fastcgi_request_buffering off;
|
fastcgi_request_buffering off;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {
|
location ~ \.(?:css|js|svg|gif)$ {
|
||||||
try_files $uri/ =404;
|
|
||||||
index index.php;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Adding the cache control header for js and css files
|
|
||||||
# Make sure it is BELOW the PHP block
|
|
||||||
location ~ \.(?:css|js|woff2?|svg|gif)$ {
|
|
||||||
try_files $uri /index.php$request_uri;
|
try_files $uri /index.php$request_uri;
|
||||||
add_header Cache-Control "public, max-age=15778463";
|
expires 6M; # Cache-Control policy borrowed from `.htaccess`
|
||||||
# Add headers to serve security related headers (It is intended to
|
access_log off; # Optional: Don't log access to assets
|
||||||
# have those duplicated to the ones above)
|
|
||||||
# Before enabling Strict-Transport-Security headers please read into
|
|
||||||
# this topic first.
|
|
||||||
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
|
||||||
#
|
|
||||||
# WARNING: Only add the preload option once you read about
|
|
||||||
# the consequences in https://hstspreload.org/. This option
|
|
||||||
# will add the domain to a hardcoded list that is shipped
|
|
||||||
# in all major browsers and getting removed from this list
|
|
||||||
# could take several months.
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
add_header X-Robots-Tag none;
|
|
||||||
add_header X-Download-Options noopen;
|
|
||||||
add_header X-Permitted-Cross-Domain-Policies none;
|
|
||||||
add_header Referrer-Policy no-referrer;
|
|
||||||
# Optional: Don't log access to assets
|
|
||||||
access_log off;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
|
location ~ \.woff2?$ {
|
||||||
try_files $uri /index.php$request_uri;
|
try_files $uri /index.php$request_uri;
|
||||||
# Optional: Don't log access to other assets
|
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
||||||
access_log off;
|
access_log off; # Optional: Don't log access to assets
|
||||||
}
|
}
|
||||||
|
|
||||||
# collabora static files
|
|
||||||
location ^~ /loleaflet {
|
location / {
|
||||||
proxy_pass http://localhost:9980;
|
try_files $uri $uri/ /index.php$request_uri;
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# collabora WOPI discovery URL
|
|
||||||
location ^~ /hosting/discovery {
|
|
||||||
proxy_pass http://localhost:9980;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
# collabora websockets, download, presentation and image upload
|
|
||||||
location ^~ /lool {
|
|
||||||
proxy_pass http://localhost:9980;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
# collabora static files
|
# collabora static files
|
||||||
location /drawio {
|
location /drawio {
|
||||||
|
Loading…
Reference in New Issue
Block a user