我的书签
添加书签
移除书签Enabling Https with Nginx
For users who use Let’s Encrypt, you can obtain a valid certificate via Certbot ACME client
On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages.
Certbot has an Nginx plugin, which is supported on many platforms, and automates both obtaining and installing certs:
Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. If you’re feeling more conservative and would like to make the changes to your Nginx configuration by hand, you can use the certonly subcommand:
sudo certbot --nginx certonly
To learn more about how to use Certbot you can read threir .
Enable SSL module of Nginx (optional)
./configure --with-http_stub_status_module --with-http_ssl_module
Modify Nginx configuration file
Assume you have configured nginx as Deploy-Seafile-with-nginx. To use https, you need to modify your nginx configuration file.
server {listen 80;server_name seafile.example.com;rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https# Enables or disables emitting nginx version on error pages and in the "Server" response header field.server_tokens off;}server {listen 443;ssl on;ssl_certificate /etc/ssl/cacert.pem; # path to your cacert.pemssl_certificate_key /etc/ssl/privkey.pem; # path to your privkey.pemserver_name seafile.example.com;# ......proxy_pass http://127.0.0.1:8000;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Host $server_name;proxy_read_timeout 1200s;}
Sample configuration file
Generate DH params
(this takes some time)
openssl dhparam 2048 > /etc/nginx/dhparam.pem
Here is the sample configuration file:
Tip for uploading very large files (> 4GB): By default Nginx will buffer large request body in temp file. After the body is completely received, Nginx will send the body to the upstream server (seaf-server in our case). But it seems when file size is very large, the buffering mechanism dosen’t work well. It may stop proxying the body in the middle. So if you want to support file upload larger for 4GB, we suggest you install Nginx version >= 1.8.0 and add the following options to Nginx config file:
location /seafhttp {... ...proxy_request_buffering off;}
If you have WebDAV enabled it is recommended to add the same:
location /seafdav {... ...proxy_request_buffering off;
Reload Nginx
nginx -s reload
ccnet conf
Since you changed from http to https, you need to modify the value of SERVICE_URL in . You can also modify SERVICE_URL via web UI in “System Admin->Settings”. (Warning: If you set the value both via Web UI and ccnet.conf, the setting via Web UI will take precedence.)
SERVICE_URL = https://seafile.example.com
seahub_settings.py
FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp'
Update the of seafile fileserver is in the [fileserver] section of the file seafile.conf to local ip 127.0.0.1
./seafile.sh start./seahub.sh start # or "./seahub.sh start-fastcgi" if you're using fastcgi
Activate IPv6
Require IPv6 on server otherwise the server will not start! Also the AAAA dns record is required for IPv6 usage.
listen 443;listen [::]:443;
Activate HTTP2
Activate HTTP2 for more performance. Only available for SSL and nginx version>=1.9.5. Simply add http2.
listen 443 http2;listen [::]:443 http2;
Force https on next visit
Add the HSTS header. If you already visited the https version the next time your browser will directly visit the https site and not the http one. Prevent man-in-the-middle-attacks:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Disable exact server version in header. Prevent scans for vulnerable server.
This should be added to every server block, as it shall obfuscate the version of nginx.
To check your configuration you can use the service from ssllabs: .
