权威指南：构建个人私有云，拿回你的数据隐私的控制权！

使用Owncloud提供日历，联系人，文件服务并通过Roundcube配置网页邮件

既然我们已经拥有了一流的邮件服务器，让我们再为它增加在云上保存通讯录，日程表和文件的能力。这些是所提供的非常赞的服务。在这个弄好后，我们还会设置一个网页邮件，这样就算你没带任何电子设备出去旅行时，或者说在你的手机或笔记本没电的情况下，也可以通过网吧来检查邮件。

安装Owncloud非常直观，而且在有非常好的介绍。在Debian系统里，归根结底就是把owncloud的仓库添加到apt源里，下载Owncloud的发行密钥并安装到apt钥匙链中，然后通过apt-get安装Owncloud：

1. echo 'deb /'>>/etc/apt/sources.list.d/owncloud.list
2. wget http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_6.0/Release.key
3. apt-key add -<Release.key
4. apt-get update
5. apt-get install apache2 owncloud roundcube

在有提示的时候，选择dbconfig并设置roundcube使用mysql。然后，提供一下mysql的root密码并为roundcube的mysql用户设置一个漂亮的密码。然后，按如下方式编辑roundcube的配置文件/etc/roundcube/main.inc.php，这样登录roundcube默认会使用你的IMAP服务器：

1. $rcmail_config['default_host']='ssl://localhost';
2. $rcmail_config['default_port']=993;

现在我们来配置一下apache2网页服务器增加SSL支持，这样我们可以和Owncloud和Roundcube对话时使用加密的方式传输我们的密码和数据。让我们打开Apache的SSL模块：

1. a2enmod ssl

然后编辑文件/etc/apache2/ports.conf并设定以下参数：

1. NameVirtualHost*:80
   Listen80
   ServerName
   <IfModule mod_ssl.c>
2. # If you add NameVirtualHost *:443 here, you will also have to change
3. # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
4. # to
5. # Server Name Indication for SSL named virtual hosts is currently not
6. # supported by MSIE on Windows XP.
7. NameVirtualHost*:443
8. Listen443
9. IfModule>
10. <IfModule mod_gnutls.c>
11. Listen443
12. IfModule>

我们将在目录/var/www下为服务器加密连接设定一个默认网站。编辑文件/etc/apache2/sites-available/default-ssl：

1.  _default_:443>
2. ServerAdmin webmaster@localhost
3. DocumentRoot /var/www
4. ServerName
5. [...]
6. /var/www/owncloud>
7. Deny from all
9. [...]
10. SSLCertificateFile /etc/ssl/certs/cloud.crt
11. SSLCertificateKeyFile /etc/ssl/private/cloud.key
12. [...]

然后让我们同时也在目录/var/www下设定一个非加密连接的默认网站。编辑文件/etc/apache2/sites-available/default：

1.  _default_:443>
2. DocumentRoot /var/www
3. ServerName
4. [...]
5. /var/www/owncloud>
6. Deny from all

这样的话，我们通过把文件放到/var/www目录下让使用它们提供网站服务。名叫'Deny from all'的指令可以阻止通过访问Owncloud：我们将设定通过来正常访问。

现在我们将设定网页邮件（roundcube），让它可以通过网址来访问。编辑文件/etc/apache2/sites-available/roundcube并写入以下内容：

1. mod_ssl.c>
2.  *:443>
3. ServerAdmin webmaster@localhost
4. DocumentRoot /var/lib/roundcube
5. # The host name under which you'd like to access the webmail
6. ServerName webmail.linuxidc.net
7. />
8. Options FollowSymLinks
9. AllowOverride None
11. ErrorLog ${APACHE_LOG_DIR}/error.log
12. # Possible values include: debug, info, notice, warn, error, crit,
13. # alert, emerg.
14. LogLevel warn
15. CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
16. # SSL Engine Switch:
17. # Enable/Disable SSL for this virtual host.
18. SSLEngine on
19. # do not allow unsecured connections
20. # SSLRequireSSL
21. SSLCipherSuite HIGH:MEDIUM
22. # A self-signed (snakeoil) certificate can be created by installing
23. # the ssl-cert package. See
24. # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
25. # If both key and certificate are stored in the same file, only the
26. # SSLCertificateFile directive is needed.
27. SSLCertificateFile /etc/ssl/certs/cloud.crt
28. SSLCertificateKeyFile /etc/ssl/private/cloud.key
29. # Those aliases do not work properly with several hosts on your apache server
30. # Uncomment them to use it or adapt them to your configuration
31. Alias /program/js/tiny_mce/ /usr/share/tinymce/www/
32. # Access to tinymce files
33. "/usr/share/tinymce/www/">
34. Options Indexes MultiViews FollowSymLinks
35. AllowOverride None
36. Order allow,deny
37. allow from all
39. /var/lib/roundcube/>
40. Options +FollowSymLinks
41. # This is needed to parse /var/lib/roundcube/.htaccess. See its
42. # content before setting AllowOverride to None.
43. AllowOverride All
44. order allow,deny
45. allow from all
47. # Protecting basic directories:
48. /var/lib/roundcube/config>
49. Options -FollowSymLinks
50. AllowOverride None
52. /var/lib/roundcube/temp>
53. Options -FollowSymLinks
54. AllowOverride None
55. Order allow,deny
56. Deny from all
58. /var/lib/roundcube/logs>
59. Options -FollowSymLinks
60. AllowOverride None
61. Order allow,deny
62. Deny from all
64. "\.(cgi|shtml|phtml|php)$">
65. SSLOptions +StdEnvVars
67. /usr/lib/cgi-bin>
68. SSLOptions +StdEnvVars
70. # SSL Protocol Adjustments:
71. # The safe and default but still SSL/TLS standard compliant shutdown
72. # approach is that mod_ssl sends the close notify alert but doesn't wait for
73. # the close notify alert from client. When you need a different shutdown
74. # approach you can use one of the following variables:
75. # o ssl-unclean-shutdown:
76. # This forces an unclean shutdown when the connection is closed, i.e. no
77. # SSL close notify alert is send or allowed to received. This violates
78. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
79. # this when you receive I/O errors because of the standard approach where
80. # mod_ssl sends the close notify alert.
81. # o ssl-accurate-shutdown:
82. # This forces an accurate shutdown when the connection is closed, i.e. a
83. # SSL close notify alert is send and mod_ssl waits for the close notify
84. # alert of the client. This is 100% SSL/TLS standard compliant, but in
85. # practice often causes hanging connections with brain-dead browsers. Use
86. # this only for browsers where you know that their SSL implementation
87. # works correctly.
88. # Notice: Most problems of broken clients are also related to the HTTP
89. # keep-alive facility, so you usually additionally want to disable
90. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
91. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
92. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
93. # "force-response-1.0" for this.
94. BrowserMatch "MSIE [2-6]" \
95. nokeepalive ssl-unclean-shutdown \
96. downgrade-1.0 force-response-1.0
97. # MSIE 7 and newer should be able to use keepalive
98. BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

然后在你的DNS服务商那里声明一下服务器，例如：

1. webmail.linuxidc.net.300 IN CNAME cloud.linuxidc.net.

现在让我激活这三个网站：

1. a2ensite defaultdefault-ssl roundcube
2. service apache2 restart

关于网页邮件，可以通过网址来访问，基本上能工作。之后使用邮箱全名（例如）和在本文一开始在邮件服务器数据库里设定的密码登录。第一次连接成功，浏览器会警告说证书没有可靠机构的签名。这个没什么关系，只要添加一个例外即可。

最后但很重要的是，我们将通过把以下内容写入到/etc/apache2/sites-available/owncloud来为Owncloud创建一个虚拟主机。

1. mod_ssl.c>
2.  *:443>
3. ServerAdmin webmaster@localhost
4. DocumentRoot /var/www/owncloud
5. ServerName cloud.linuxidc.net
6. />
7. Options FollowSymLinks
8. AllowOverride None
10. /var/www/owncloud>
11. Options Indexes FollowSymLinks MultiViews
12. AllowOverride All
13. Order allow,deny
14. allow from all
16. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
17. "/usr/lib/cgi-bin">
18. AllowOverride None
19. Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
20. Order allow,deny
21. Allow from all
23. ErrorLog ${APACHE_LOG_DIR}/error.log
24. # Possible values include: debug, info, notice, warn, error, crit,
25. # alert, emerg.
26. LogLevel warn
27. CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
28. # SSL Engine Switch:
29. # Enable/Disable SSL for this virtual host.
30. SSLEngine on
31. # do not allow unsecured connections
32. # SSLRequireSSL
33. SSLCipherSuite HIGH:MEDIUM
34. SSLCertificateFile /etc/ssl/certs/cloud.crt
35. SSLCertificateKeyFile /etc/ssl/private/cloud.key
36. "\.(cgi|shtml|phtml|php)$">
37. SSLOptions +StdEnvVars
39. /usr/lib/cgi-bin>
40. SSLOptions +StdEnvVars
42. BrowserMatch "MSIE [2-6]" \
43. nokeepalive ssl-unclean-shutdown \
44. downgrade-1.0 force-response-1.0
45. # MSIE 7 and newer should be able to use keepalive
46. BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

然后通过执行以下命令激活Owncloud：

1. a2ensite owncloud
2. service apache2 reload

之后通过在浏览器里打开链接配置一下Owncloud。

就这些了！现在你已经拥有自己的Google Drive，日程表，联系人，Dropbox，以及Gmail！好好享受下新鲜恢复保护的隐私吧！:-)