# 12. 讓 php-fpm 跑的 owncloud 應用 docker 化 #### 1. 介紹 之前我們介紹過owncloud的部署([部署 owncloud 與 phpMyAdmin (十一)](https://www.rails365.net/articles/bu-shu-owncloud-yu-phpmyadmin-shi-yi))，不管是owncloud還是phpMyAdmin都是php語言寫的應用，owncloud這個容器默認是跑在apache下，我不太喜歡，想改成nginx+php-fpm來跑。 #### 2. 一個簡單的實例 我們先來嘗試一下用nginx結合php-fpm來跑php應用。 首先創建一個docker-compose.yml文件，內容如下： ``` version: '2' services: web: image: nginx:latest ports: - 8080:80 volumes: - ./code:/code - ./site.conf:/etc/nginx/conf.d/default.conf php: image: php:fpm volumes: - ./code:/code ``` 數據卷`./code`這個目錄是放php代碼的，還有一個文件`site.conf`放的是nginx的配置。 它的內容如下： ``` server { index index.php index.html; server_name localhost; error_log /var/log/nginx/error.log; access_log /var/log/nginx/access.log; root /code; location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass php:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; } } ``` nginx中使用fastcgi這個模塊去連接php-fpm。這些是nginx中fastcgi的基本配置啦。 然后我們試著寫些php的代碼，讓它跑起來： 在當前目錄下的code目錄下新建`index.php`文件，內容如下: ``` <?php echo phpinfo(); ?> ``` 然后一行`docker-compose up`命令就可以跑起來，使用8080端口查看效果。  #### 3. 從apache遷移到php-fpm 現在嘗試把owncloud用php-fpm來跑。 之前我們的docker-compose.yml是這么寫的： ``` version: '2' services: owncloud: restart: always image: owncloud ports: - 18080:80 volumes: - /home/hfpp2012/owncloud/html:/var/www/html:Z depends_on: - db dns: - 10.202.72.118 - 10.202.72.116 - 8.8.8.8 db: restart: always image: mariadb environment: - MYSQL_ROOT_PASSWORD=my-secret-pw - MYSQL_DATABASE=owncloud_pro volumes: - /home/hfpp2012/owncloud/datadir:/var/lib/mysql ``` 需要改造一下，把`owncloud`中的`image`和`ports`部分變一下： ``` image: owncloud:9.1.4-fpm ports: - 9000:9000 ``` 只是給owncloud換個版本，而且php-fpm默認是使用9000端口的。 使用`docker-compose up`或`docker-compose restart`重新把owncloud這個應用跑起來。 #### 4. nginx配置 接下來，我們把nginx的配置加上。 我們不用上面的那個很普通的關于fastcgi的配置，而owncloud的官方提供了一套比較標準的。 官方提供的那套nginx配置的網址是[https://doc.owncloud.org/server/9.0/admin\_manual/installation/nginx\_examples.html](https://doc.owncloud.org/server/9.0/admin_manual/installation/nginx_examples.html) ``` upstream php-handler { server 127.0.0.1:9000; #server unix:/var/run/php5-fpm.sock; } server { listen 80; server_name file.rails365.net; # enforce https return 301 https://$server_name$request_uri; } server { listen 443 ssl; server_name file.rails365.net; ssl_certificate /home/hfpp2012/owncloud/ssl/file.rails365.net.key.pem; ssl_certificate_key /home/hfpp2012/owncloud/ssl/file.rails365.net.key; # ssl_dhparam ssl_dhparam /home/hfpp2012/owncloud/ssl/dhparam.pem; # Add headers to serve security related headers # Before enabling Strict-Transport-Security headers please read into this topic first. #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; # Path to the root of your installation root /home/hfpp2012/owncloud/html; location = /robots.txt { allow all; log_not_found off; access_log off; } # The following 2 rules are only needed for the user_webfinger app. # Uncomment it if you're planning to use this app. #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; } location /.well-known/acme-challenge { } # set max upload size client_max_body_size 512M; fastcgi_buffers 64 4K; # Disable gzip to avoid the removal of the ETag header gzip off; # Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off; error_page 403 /core/templates/403.php; error_page 404 /core/templates/404.php; location / { rewrite ^ /index.php$uri; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { return 404; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) { fastcgi_split_path_info ^(.+\.php)(/.*)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; #Available since nginx 1.7.11 } location ~ ^/(?:updater|ocs-provider)(?:$|/) { try_files $uri $uri/ =404; index index.php; } # Adding the cache control header for js and css files # Make sure it is BELOW the PHP block location ~* \.(?:css|js)$ { try_files $uri /index.php$uri$is_args$args; add_header Cache-Control "public, max-age=7200"; # Add headers to serve security related headers (It is intended to have those duplicated to the ones above) # Before enabling Strict-Transport-Security headers please read into this topic first. #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; # Optional: Don't log access to assets access_log off; } location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ { try_files $uri /index.php$uri$is_args$args; # Optional: Don't log access to other assets access_log off; } } ``` 在官方提供的配置的基礎上，我做出了一些改變，除了證書和域名部分是一定要跟你的實際情況一致之外，還有如下改變： - `root`這一行變成`root /home/hfpp2012/owncloud/html;` - `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`變成了`fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;` 最后一個改變是為了解決一個nginx的報錯問題而變的。我參考這篇文章進行了解決： <http://lovelace.blog.51cto.com/1028430/1314565> 除此之外，有一個地方值得注意，如果不使用https的話，除了改變433端口為80端口一些必要的改變，還需要把下面一行注釋掉： ``` fastcgi_param HTTPS on; ``` 完結。