• Nginx 下启用 Https
    • 在 Seahub 端启用 https
      • 通过 OpenSSL 生成 SSL 数字认证
      • 修改 Nginx 配置文件
      • 配置文件示例
      • 重新加载 Nginx
    • 修改 SERVICE_URL 和 FILE_SERVER_ROOT
    • 启动 Seafile 和 Seahub

    Nginx 下启用 Https

    在 Seahub 端启用 https

    免费 Self-Signed SSL 数字认证用户请看. 如果你是 SSL 付费认证用户可跳过此步.

    通过 OpenSSL 生成 SSL 数字认证

    1. openssl genrsa -out privkey.pem 2048
    2. openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

    修改 Nginx 配置文件

    请修改 nginx 配置文件以使用 HTTPS:

    1. server {
    2. listen 80;
    3. server_name seafile.example.com;
    4. rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
    5. # Enables or disables emitting nginx version on error pages and in the "Server" response header field.
    6. server_tokens off;
    7. }
    8. server {
    9. listen 443;
    10. ssl on;
    11. ssl_certificate /etc/ssl/cacert.pem; # path to your cacert.pem
    12. ssl_certificate_key /etc/ssl/privkey.pem; # path to your privkey.pem
    13. server_name seafile.example.com;
    14. server_tokens off;
    15. # ......
    16. proxy_pass http://127.0.0.1:8000;
    17. proxy_set_header Host $host;
    18. proxy_set_header X-Real-IP $remote_addr;
    19. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    20. proxy_set_header X-Forwarded-Host $server_name;
    21. proxy_set_header X-Forwarded-Proto https;
    22. proxy_read_timeout 1200s;
    23. }

    配置文件示例

    这里是配置文件示例:

    1. server {
    2. listen 80;
    3. server_name seafile.example.com;
    4. rewrite ^ https://$http_host$request_uri? permanent; #强制将http重定向到https
    5. server_tokens off;
    6. }
    7. server {
    8. listen 443;
    9. ssl on;
    10. ssl_certificate /etc/ssl/cacert.pem; #cacert.pem 文件路径
    11. ssl_certificate_key /etc/ssl/privkey.pem; #privkey.pem 文件路径
    12. server_name seafile.example.com;
    13. ssl_session_timeout 5m;
    14. ssl_session_cache shared:SSL:5m;
    15. # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    16. ssl_dhparam /etc/nginx/dhparam.pem;
    17. # secure settings (A+ at SSL Labs ssltest at time of writing)
    18. # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
    19. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    20. ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
    21. ssl_prefer_server_ciphers on;
    22. proxy_set_header X-Forwarded-For $remote_addr;
    23. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    24. server_tokens off;
    25. location / {
    26. proxy_pass http://127.0.0.1:8000;
    27. proxy_set_header Host $host;
    28. proxy_set_header X-Real-IP $remote_addr;
    29. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    30. proxy_set_header X-Forwarded-Host $server_name;
    31. proxy_set_header X-Forwarded-Proto https;
    32. access_log /var/log/nginx/seahub.access.log;
    33. error_log /var/log/nginx/seahub.error.log;
    34. proxy_read_timeout 1200s;
    35. client_max_body_size 0;
    36. }
    37. # 如果你使用 fastcgi 请使用此配置
    38. #
    39. # location / {
    40. # fastcgi_pass 127.0.0.1:8000;
    41. # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    42. # fastcgi_param PATH_INFO $fastcgi_script_name;
    43. #
    44. # fastcgi_param SERVER_PROTOCOL $server_protocol;
    45. # fastcgi_param QUERY_STRING $query_string;
    46. # fastcgi_param REQUEST_METHOD $request_method;
    47. # fastcgi_param CONTENT_TYPE $content_type;
    48. # fastcgi_param CONTENT_LENGTH $content_length;
    49. # fastcgi_param SERVER_ADDR $server_addr;
    50. # fastcgi_param SERVER_PORT $server_port;
    51. # fastcgi_param SERVER_NAME $server_name;
    52. # fastcgi_param REMOTE_ADDR $remote_addr;
    53. # fastcgi_read_timeout 36000;
    54. #
    55. # client_max_body_size 0;
    56. #
    57. # access_log /var/log/nginx/seahub.access.log;
    58. # error_log /var/log/nginx/seahub.error.log;
    59. # }
    60. location /seafhttp {
    61. rewrite ^/seafhttp(.*)$ $1 break;
    62. proxy_pass http://127.0.0.1:8082;
    63. client_max_body_size 0;
    64. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    65. proxy_connect_timeout 36000s;
    66. proxy_read_timeout 36000s;
    67. proxy_send_timeout 36000s;
    68. send_timeout 36000s;
    69. }
    70. location /media {
    71. root /home/user/haiwen/seafile-server-latest/seahub;
    72. }
    73. }

    重新加载 Nginx

    1. nginx -s reload

    修改 SERVICE_URL 和 FILE_SERVER_ROOT

    下面还需要更新 SERVICE_URL 和 FILE_SERVER_ROOT 这两个配置项。否则无法通过 Web 正常的上传和下载文件。

    5.0 版本开始,您可以直接通过管理员 Web 界面来设置这两个值 (注意,如果同时在 Web 界面和配置文件中设置了这个值,以 Web 界面的配置为准。):

    1. SERVICE_URL: https://www.myseafile.com
    2. FILE_SERVER_ROOT: https://www.myseafile.com/seafhttp

    启动 Seafile 和 Seahub

    1. ./seafile.sh start
    2. ./seahub.sh start # 如果你使用 fastcgi 请使用此命令`./seahub.sh start-fastcgi`

    原文: https://manual-cn.seafile.com/deploy/https_with_nginx.html