Enabling Https with Nginx

Here we use self-signed SSL certificate. If you use a paid ssl certificate from some authority, just skip the first step.

Generate SSL certificate with OpenSSL

    openssl genrsa -out privkey.pem 2048
    openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

If you're using a custom CA to sign your SSL certificate, you have to enable certificate revocation list (CRL) in your certificate. Otherwise http syncing on Windows client may not work. See this thread for more information.

Enable SSL module of Nginx (optional)

If your Nginx does not support SSL, you need to recompile it, the commands are as follows:

    ./configure --with-http_stub_status_module --with-http_ssl_module
    make && make install

Modify Nginx configuration file

Assume you have configured nginx as Deploy-Seafile-with-nginx. To use https, you need to modify your nginx configuration file.

    server {
        listen       80;
        server_name  seafile.example.com;
        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
        server_tokens off;
    }

    server {
        listen 443;
        ssl on;
        ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem
        ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem
        server_name seafile.example.com;
        server_tokens off;
        # ......
        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;
    }

Sample configuration file

Generate DH params

(this takes some time)

    openssl dhparam 2048 > /etc/nginx/dhparam.pem

Here is the sample configuration file:

    server {
        listen       80;
        server_name  seafile.example.com;
        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
        server_tokens off;
    }
    server {
        listen 443;
        ssl on;
        ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem
        ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem
        server_name seafile.example.com;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/nginx/dhparam.pem;

        # secure settings (A+ at SSL Labs ssltest at time of writing)
        # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
        ssl_prefer_server_ciphers on;

        proxy_set_header X-Forwarded-For $remote_addr;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        server_tokens off;

        location / {
            fastcgi_pass    127.0.0.1:8000;
            fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
            fastcgi_param   PATH_INFO           $fastcgi_script_name;

            fastcgi_param   SERVER_PROTOCOL        $server_protocol;
            fastcgi_param   QUERY_STRING        $query_string;
            fastcgi_param   REQUEST_METHOD      $request_method;
            fastcgi_param   CONTENT_TYPE        $content_type;
            fastcgi_param   CONTENT_LENGTH      $content_length;
            fastcgi_param   SERVER_ADDR         $server_addr;
            fastcgi_param   SERVER_PORT         $server_port;
            fastcgi_param   SERVER_NAME         $server_name;
            fastcgi_param   REMOTE_ADDR         $remote_addr;
            fastcgi_param   HTTPS               on;
            fastcgi_param   HTTP_SCHEME         https;

            access_log      /var/log/nginx/seahub.access.log;
            error_log       /var/log/nginx/seahub.error.log;
            fastcgi_read_timeout 36000;
            client_max_body_size 0;
        }
        location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            proxy_connect_timeout  36000s;
            proxy_read_timeout  36000s;
            proxy_send_timeout  36000s;
            send_timeout  36000s;
        }
        location /media {
            root /home/user/haiwen/seafile-server-latest/seahub;
        }
    }

Large file uploads

Tip for uploading very large files (> 4GB): By default Nginx will buffer large request body in temp file. After the body is completely received, Nginx will send the body to the upstream server (seaf-server in our case). But it seems when file size is very large, the buffering mechanism dosen't work well. It may stop proxying the body in the middle. So if you want to support file upload larger for 4GB, we suggest you install Nginx version >= 1.8.0 and add the following options to Nginx config file:

    location /seafhttp {
        ... ...
        proxy_request_buffering off;
    }

If you have WebDAV enabled it is recommended to add the same:

    location /seafdav {
        ... ...
        proxy_request_buffering off;
    }

Reload Nginx

    nginx -s reload

Modify settings to use https

ccnet conf

Since you changed from http to https, you need to modify the value of SERVICE_URL in ccnet.conf. You can also modify SERVICE_URL via web UI in "System Admin->Settings". (Warning: If you set the value both via Web UI and ccnet.conf, the setting via Web UI will take precedence.)

SERVICE_URL = https://seafile.example.com

seahub_settings.py

You need to add a line in seahub_settings.py to set the value of FILE_SERVER_ROOT. You can also modify FILE_SERVER_ROOT via web UI in "System Admin->Settings". (Warning: If you set the value both via Web UI and seahub_settings.py, the setting via Web UI will take precedence.)

FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp'

Start Seafile and Seahub

./seafile.sh start
./seahub.sh start-fastcgi

Additional modern settings for nginx (optional)

Activate IPv6

Require IPv6 on server otherwise the server will not start! Also the AAAA dns record is required for IPv6 usage.

listen 443;
listen [::]:443;

Activate HTTP2

Activate HTTP2 for more performance. Only available for SSL and nginx version>=1.9.5. Simply add http2.

listen 443 http2;
listen [::]:443 http2;

Additional security settings for nginx (optional)

Add the HSTS header. If you already visited the https version the next time your browser will directly visit the https site and not the http one. Prevent man-in-the-middle-attacks:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Disable exact server version in header. Prevent scans for vulnerable server. This should be added to every server block, as it shall obfuscate the version of nginx.

server_tokens off;

results matching ""

    No results matching ""