1. Configure HTTPS access for Seafile
Step 1: DNS
Point the domain at the server (an A record to the server's public IP).
Step 2: generate an SSL certificate with OpenSSL
This step is for users of a free self-signed certificate; if you bought a certificate from a CA, skip it.
Enter the OpenSSL directory with `cd /etc/ssl`, then run:

```sh
cd /etc/ssl
openssl genrsa -out privkey.pem 2048
openssl req -new -x509 -sha256 -key privkey.pem -out cacert.pem -days 1095
```

When prompted, enter your domain as the Common Name. Keep privkey.pem readable only by root (`chmod 600 privkey.pem`). Browsers and the Seafile desktop and mobile clients will still warn about a self-signed certificate, so use a CA-issued certificate for anything beyond testing.
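The command above produces a certificate whose only name is the CN. Chrome and other modern browsers ignore the CN and require the hostname in subjectAltName, so a self-signed certificate made that way fails hostname checks even after the user trusts it. The script below is an added example, not part of the original post: it generates the same key and certificate but with a SAN through a minimal OpenSSL config file (which works on OpenSSL 1.0.2 and later, unlike the newer `-addext` flag), and verifies the result. The domain and output directory are assumptions passed in by the caller.

```sh
#!/bin/sh
# Added example (not from the original post): self-signed certificate with a
# subjectAltName, plus two checks on the result. Assumes only POSIX sh and openssl.

# make_selfsigned DOMAIN OUTDIR -> writes OUTDIR/privkey.pem and OUTDIR/cacert.pem
make_selfsigned() {
    domain="$1"; out="$2"
    mkdir -p "$out" || return 1
    # Minimal OpenSSL config: CN plus a SAN entry and server-auth usage.
    cat > "$out/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $domain
[v3_req]
subjectAltName = DNS:$domain
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # 2048-bit RSA key created with umask 077 so it is never world-readable.
    (umask 077 && openssl genrsa -out "$out/privkey.pem" 2048 2>/dev/null) || return 1
    # Self-signed, SHA-256, valid for 3 years, extensions taken from the config above.
    openssl req -new -x509 -sha256 -key "$out/privkey.pem" -out "$out/cacert.pem" \
        -days 1095 -config "$out/san.cnf" 2>/dev/null || return 1
}

# cert_has_san CERT DOMAIN -> exit 0 if DOMAIN appears in the certificate's SAN list
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_key_bits CERT -> prints the RSA key size found in the certificate
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
```

Run it as `make_selfsigned cfile.frytea.com /etc/ssl` and then `cert_has_san /etc/ssl/cacert.pem cfile.frytea.com`; the paths match the nginx configuration used in this guide.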
Step 3: edit the Nginx configuration
Change the nginx configuration to use HTTPS. First go to the directory holding the reverse-proxy configuration that the install script generated for Seafile: `cd /etc/nginx/sites-enabled`
Two parts need changing.
First add a server block that redirects http to https. The redirect target is the configured name rather than `$http_host`: `$http_host` is whatever the client sent in the Host header, so building the redirect from it lets a client choose where it is sent.

```nginx
server {
    listen 80;
    server_name cfile.frytea.com;
    server_tokens off;
    return 301 https://cfile.frytea.com$request_uri;   # force http to https
}
```

Then edit the existing server block that listens on port 80 and proxies to http://127.0.0.1:8000/: change `listen 80;` to `listen 443 ssl;` (the `ssl on;` directive seen in older guides is deprecated; enabling TLS on the `listen` line replaces it), change the domain to yours, and add the following:

```nginx
ssl_certificate /etc/ssl/cacert.pem;        # path to cacert.pem
ssl_certificate_key /etc/ssl/privkey.pem;   # path to privkey.pem
ssl_protocols TLSv1.2 TLSv1.3;              # TLS 1.0/1.1 are deprecated
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
server_tokens off;
```

This points nginx at the certificate and sets the remaining required options. Note that `includeSubDomains` commits every subdomain of the domain to HTTPS for a year; drop it if any subdomain is still served over plain HTTP.
Step 4: reload Nginx
Check the configuration with `nginx -t`, then reload it with `nginx -s reload`.
My complete configuration file follows:

```nginx
log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {
    listen 80;
    server_name cfile.frytea.com;
    server_tokens off;
    # force http to https; redirect to the configured name, not the client-supplied Host header
    return 301 https://cfile.frytea.com$request_uri;
}

server {
    listen 443 ssl;                             # replaces the deprecated `ssl on;`
    server_name cfile.frytea.com;
    server_tokens off;
    proxy_set_header X-Forwarded-For $remote_addr;

    ssl_certificate /etc/ssl/cacert.pem;        # path to cacert.pem
    ssl_certificate_key /etc/ssl/privkey.pem;   # path to privkey.pem
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # seahub (web UI) via gunicorn on the loopback interface
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 1200s;   # used for view/edit office file via Office Online Server
        client_max_body_size 0;
        access_log /var/log/nginx/seahub.access.log seafileformat;
        error_log /var/log/nginx/seahub.error.log;
    }

    # file server (uploads/downloads)
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 36000s;
        proxy_read_timeout 36000s;
        access_log /var/log/nginx/seafhttp.access.log seafileformat;
        error_log /var/log/nginx/seafhttp.error.log;
    }

    # static files served directly by nginx
    location /media {
        root /opt/seafile/seafile-server-latest/seahub;
    }

    # WebDAV
    location /seafdav {
        proxy_pass http://127.0.0.1:8080/seafdav;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 1200s;
        client_max_body_size 0;
        access_log /var/log/nginx/seafdav.access.log seafileformat;
        error_log /var/log/nginx/seafdav.error.log;
    }
}
```
2. Edit the Seafile configuration
The nginx side is now done and the site is already reachable at https://your-domain, but Seafile itself does not know about the change yet, so its own URL settings must be updated next.
Edit the Seafile configuration file:

```sh
vim /opt/seafile/conf/seahub_settings.py
```

Change the following two settings (Python syntax, quoted strings):

```python
SERVICE_URL = 'https://www.myseafile.com'
FILE_SERVER_ROOT = 'https://www.myseafile.com/seafhttp'
```

In older Seafile releases SERVICE_URL is read from the [General] section of ccnet.conf instead of seahub_settings.py; check which file your version uses.
Finally restart Seafile and Seahub:

```sh
cd /opt/seafile/seafile-server-latest
./seafile.sh restart
./seahub.sh restart
```

Done! Remember to log in as administrator and set the new address in the system admin settings as well, since values set there take precedence.
3. How to bind a domain to Seafile
Assuming the domain already resolves to the server, bind it on the server side by editing /opt/seafile/conf/seahub_settings.py as follows (Python comments use `#`; use https:// once the reverse proxy above is in place):

```python
SITE_BASE = 'http://127.0.0.1'                   # replace 127.0.0.1 with your domain
FILE_SERVER_ROOT = 'http://127.0.0.1/seafhttp'   # replace 127.0.0.1 with your domain
```
4. Enable Seafile HTTPS with the BT panel (宝塔), port 8888
Apply for an SSL certificate
You can use a certificate issued through BT or any other certificate.
This article uses a BT certificate.
Register a BT account.
After registering, log in; applying for an SSL certificate requires real-name verification.
After verification, choose SSL management → Apply for certificate.
I chose the free TrustAsia certificate.
Choose DNS validation.
After the application is submitted, the domain has to be validated:
click Details,
copy the record value,
log in to your domain registrar's console
(I use a Wanwang (万网) domain),
add a DNS record,
record type TXT,
host record: the prefix of the domain you applied for (my domain is cloud.****.com.cn, so I entered cloud),
record value: as given by BT.
Then click Validate domain in BT.
If validation fails, wait a few minutes and try again.
Enable HTTPS
Create a site
Open the BT panel in a browser.
My panel address is cloud..com.cn:/*****
Click Website → Add site.
Enter your domain and submit.
Configure Nginx
Click Settings.
Click Reverse proxy → Add reverse proxy.
Proxy name: anything.
Target URL: http://127.0.0.1:8000
Send domain: your domain.
Click SSL; after binding your BT account the certificate you just applied for is listed. Click Deploy and enable Force HTTPS.
Add the following to the configuration file (mind the position: inside the server block, alongside the reverse-proxy location):

```nginx
location /seafhttp {
    rewrite ^/seafhttp(.*)$ $1 break;
    proxy_pass http://127.0.0.1:8082;
    client_max_body_size 0;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout 36000s;
    proxy_read_timeout 36000s;
    proxy_send_timeout 36000s;
    send_timeout 36000s;
}
```
Change the HTTPS port
On a cloud host whose domain has no ICP filing (备案), ports 80 and 443 may be blocked.
Here I change the HTTPS port to 8888.
The BT panel's default port is also 8888; I have already moved the panel to a different port.
Any other port you choose must be opened in the firewall.
For example:
- for port 444, open 444 under the BT panel's port release settings
- for port 8888, first change the BT panel's default port (8888 is released by default)
Test the port from an external network.
Note: if port 443 is reachable, skip this step.
Change the Seafile URL
Log in to Seafile and click System Admin at the top right.
In Settings, change SERVICE_URL and FILE_SERVER_ROOT (the non-standard port must be part of both):
SERVICE_URL: https://<domain>:<port>
FILE_SERVER_ROOT: https://<domain>:<port>/seafhttp
Edit gunicorn.conf
In the previous post we were not using an Nginx reverse proxy, so we edited gunicorn.conf to expose seahub directly. This post uses a reverse proxy, so change the bind address back:

```python
import os

daemon = True
workers = 5

bind = "0.0.0.0:8000"

pids_dir = '/home/seafile/pids'
pidfile = os.path.join(pids_dir, 'seahub.pid')

timeout = 1200

limit_request_line = 8190
```

Press i (or Insert) to enter edit mode (the -- INSERT -- marker appears),
change `bind = "0.0.0.0:8000"`
to `bind = "127.0.0.1:8000"`,
press Esc to leave edit mode (the -- INSERT -- marker disappears),
type :wq
and save.
Bound to 0.0.0.0, seahub on port 8000 stays reachable from outside over plain HTTP, bypassing both nginx and TLS; binding to 127.0.0.1 limits it to nginx on the same host. Also make sure the host firewall or security group does not expose ports 8000 or 8082.
Restart
Connect to the cloud host with Xshell and restart Seafile:

```
[root@ecs-a869 seafile-server-7.0.4]# ./seafile.sh restart
Stopping seafile server ...
[07/27/19 18:15:53] ../common/session.c(132): using config file /home/seafile/conf/ccnet.conf
Starting seafile server, please wait ...
** Message: seafile-controller.c(718): No seafevents.
Seafile server started
Done.
```

```
[root@ecs-a869 seafile-server-7.0.4]# ./seahub.sh restart
Stopping seahub ...
LC_ALL is not set in ENV, set to en_US.UTF-8
Starting seahub at port 8000 ...
Seahub is started
Done.
```

```
[root@ecs-a869 seafile-server-7.0.4]# service nginx restart
Stoping nginx... done
Starting nginx... done
```

Test
You can now reach Seafile over HTTPS.
OK!
My configuration (the single server block the BT panel generated listened on 80, 443 and 8888 at once and redirected every request not on 443 to port 8888, which loops for requests already on 8888; the plain-HTTP listener is split out below, and TLSv1.1 is dropped):

```nginx
log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

# Required for only office document server
map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}
map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $host;
}
map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

# Server configuration begins
# Plain HTTP: redirect to the HTTPS port (if this is the only server on port 80,
# prefer a fixed hostname over $host, which comes from the client's Host header)
server {
    listen 80;
    server_name yun.cyida.com yun.rexau.com 192.168.199.218;
    server_tokens off;
    return 301 https://$host:8888$request_uri;
}

server {
    listen 443 ssl http2;
    listen 8888 ssl http2;
    server_name yun.cyida.com yun.rexau.com 192.168.199.218;
    #SSL-START SSL settings; do not delete or change the commented 404 rule on the next line
    #error_page 404/404.html;
    server_tokens off;

    # ssl configuration (TLSv1.1 removed; ECDHE-only suites keep forward secrecy)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;
    ssl_certificate /root/ssl/yun.cyida.com.pem;
    ssl_certificate_key /root/ssl/privkey.pem;
    # No HSTS here on purpose: HSTS rewrites http://host/ to https://host/ on 443,
    # which is exactly the port that may be blocked when 8888 is in use.

    proxy_set_header X-Forwarded-For $remote_addr;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_max_temp_file_size 0;
        proxy_redirect off;
        proxy_read_timeout 1200s;   # used for view/edit office file via Office Online Server
        client_max_body_size 0;
        access_log /var/log/nginx/seahub.access.log seafileformat;
        error_log /var/log/nginx/seahub.error.log;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 36000s;
        proxy_read_timeout 36000s;
        access_log /var/log/nginx/seafhttp.access.log seafileformat;
        error_log /var/log/nginx/seafhttp.error.log;
    }

    location /media {
        root /opt/seafile/seafile-server-latest/seahub;
    }

    # seafdav over FastCGI: only valid when seafdav.conf has fastcgi = true;
    # otherwise proxy_pass to the WSGI port as in the configuration in section 1.
    location /seafdav {
        fastcgi_pass 127.0.0.1:8080;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param REMOTE_ADDR $remote_addr;
        client_max_body_size 0;
        access_log /var/log/nginx/seafdav.access.log seafileformat;
        error_log /var/log/nginx/seafdav.error.log;
    }

    location /onlyofficeds/ {
        proxy_pass http://127.0.0.1:6433/;
        proxy_http_version 1.1;
        client_max_body_size 100M;   # Limit Document size to 100MB
        proxy_read_timeout 3600s;
        proxy_connect_timeout 3600s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $proxy_connection;
        proxy_set_header X-Forwarded-Host $the_host/onlyofficeds;
        proxy_set_header X-Forwarded-Proto $the_scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
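The nginx configurations in sections 1 and 4 and the gunicorn bind address in section 4 share a handful of settings that decide whether the TLS layer can be bypassed or weakened. The script below is an added example, not part of the original post or of Seafile or the BT panel: it greps an nginx site file and a gunicorn.conf for the weak forms discussed above (the deprecated `ssl on;`, a redirect built from `$http_host`, TLS 1.0/1.1, an HTTPS server without HSTS, a plain-HTTP `proxy_pass` to a non-loopback backend, and gunicorn bound on all interfaces). The sample files it runs on are constructed for the demonstration; only POSIX sh, grep and mktemp are assumed. The HSTS check is a hint rather than a rule: a site served only on a non-standard port such as 8888 should not send HSTS, as noted in the configuration above.

```sh
#!/bin/sh
# Added example (not from the original post): lint the settings this guide
# touches. Each audit function prints one "WARN: ..." line per finding and
# always exits 0 so it can be used in a pipeline.

# audit_nginx FILE -> one WARN line per weak setting found
audit_nginx() {
    f="$1"
    # `ssl on;` is deprecated (nginx 1.15) and later removed; use `listen 443 ssl;`
    grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f" &&
        echo "WARN: 'ssl on;' is deprecated; put 'ssl' on the listen directive"
    # a redirect built from the Host header lets the client choose the target
    grep -Eq '(rewrite|return)[^;]*https://\$http_host' "$f" &&
        echo "WARN: HTTP->HTTPS redirect uses \$http_host; use the fixed server name"
    # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$f" &&
        echo "WARN: ssl_protocols still enables TLSv1.0/1.1"
    # an HTTPS listener without HSTS keeps browsers trying plain HTTP first
    if grep -Eq '^[[:space:]]*listen[^;]*ssl' "$f" || grep -Eq '^[[:space:]]*ssl[[:space:]]+on' "$f"; then
        grep -q 'Strict-Transport-Security' "$f" ||
            echo "WARN: HTTPS server block without Strict-Transport-Security header"
    fi
    # seahub/fileserver speak plain HTTP, so they must only be reached over loopback
    grep -E '^[[:space:]]*proxy_pass[[:space:]]+http://' "$f" | grep -Ev '127\.0\.0\.1|localhost' | grep -q . &&
        echo "WARN: plain-HTTP proxy_pass to a non-loopback backend"
    return 0
}

# audit_gunicorn FILE -> WARN if bind is not a loopback address
audit_gunicorn() {
    # bind = "0.0.0.0:8000", "[::]:8000" or ":8000" exposes seahub without TLS
    grep -Eq '^[[:space:]]*bind[[:space:]]*=[[:space:]]*.(0\.0\.0\.0|\[::\])?:' "$1" &&
        echo "WARN: gunicorn bind is not loopback; clients can bypass nginx and TLS"
    return 0
}

WORK=$(mktemp -d)

# Constructed sample: the weak forms that appear across this guide, in one file
cat > "$WORK/weak.conf" <<'EOF'
server {
    listen 80;
    server_name cfile.frytea.com;
    rewrite ^ https://$http_host$request_uri? permanent;
}
server {
    listen 443;
    server_name cfile.frytea.com;
    ssl on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/cacert.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://192.168.199.218:8082;
    }
}
EOF

# Constructed sample: the same site with the hardened forms
cat > "$WORK/good.conf" <<'EOF'
server {
    listen 80;
    server_name cfile.frytea.com;
    return 301 https://cfile.frytea.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name cfile.frytea.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/ssl/cacert.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
    }
}
EOF

# Constructed gunicorn.conf samples: before and after the edit in section 4
printf 'bind = "0.0.0.0:8000"\nworkers = 5\n' > "$WORK/gunicorn.exposed.conf"
printf 'bind = "127.0.0.1:8000"\nworkers = 5\n' > "$WORK/gunicorn.loopback.conf"

echo "== weak.conf =="; audit_nginx "$WORK/weak.conf"
echo "== good.conf =="; audit_nginx "$WORK/good.conf"
echo "== gunicorn =="; audit_gunicorn "$WORK/gunicorn.exposed.conf"
```

Run it against a real deployment with `audit_nginx /etc/nginx/sites-enabled/seafile.conf` and `audit_gunicorn /opt/seafile/conf/gunicorn.conf`; a clean run prints nothing. The checks are line-based and deliberately strict about directives starting their own line, which is how the configurations in this guide are laid out.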