Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- wiki:seafile [2022/08/21 01:08] – Externe Bearbeitung 127.0.0.1
+++ wiki:seafile [2022/08/22 18:10] (aktuell) – mho
@@ Zeile 1: / Zeile 1: @@
+<code>
 apt update && apt install mariadb-server mariadb-client
+</code>
 mysql_secure_installation
@@ Zeile 10: / Zeile 11: @@
 Reload privilege tables now? [Y/n] y
+<code>
 mysql -u root -p
-CREATE USER 'mycloud'@'localhost' IDENTIFIED BY 'afsd12a--a';
+CREATE USER 'seafile'@'localhost' IDENTIFIED BY 'mein_Passwort';
 CREATE DATABASE ccnet_server;
 CREATE DATABASE seafile_server;
 CREATE DATABASE seahub_server;
-GRANT ALL ON seafile_server.* TO 'mycloud'@'localhost';
+GRANT ALL ON seafile_server.* TO 'seafile'@'localhost';
-GRANT ALL ON ccnet_server.* TO 'mycloud'@'localhost';
+GRANT ALL ON ccnet_server.* TO 'seafile'@'localhost';
-GRANT ALL ON seahub_server.* TO 'mycloud'@'localhost';
+GRANT ALL ON seahub_server.* TO 'seafile'@'localhost';
 quit;
@@ Zeile 41: / Zeile 42: @@
 bash setup-seafile-mysql.sh
+</code>
 [ server name ] Seafile
-[ This server's ip or domain ] your_domain oder 192.168.178.102
+[ This server's ip or domain ] your_domain oder 192.168.178.x
-[ default "/home/sammy/seafile/seafile-data" ] /srv/seafile/seafile-data
+[ default "/home/<username>/seafile/seafile-data" ] /srv/seafile/seafile-data
 [ default "8082" ]
 [2] Use existing ccnet/seafile/seahub databases
-[ mysql user for seafile ] mycloud
+[ mysql user for seafile ] seafile
 [ ccnet database ] ccnet_server
@@ Zeile 56: / Zeile 57: @@
 [ seahub database ] seahub_server
+<code>
 echo "export LC_ALL=de_DE.UTF-8" >>~/.bashrc
 echo "export LANG=de_DE.UTF-8" >>~/.bashrc
 echo "export LANGUAGE=de_DE.UTF-8" >>~/.bashrc
 source ~/.bashrc
+</code>
 Configuring the Apache Web Server
@@ Zeile 67: / Zeile 68: @@
 To begin forwarding requests, you will need to enable the proxy_http module in the Apache configuration. This module provides features for proxying HTTP and HTTPS requests. The following command will enable the module:
+<code>
     sudo a2enmod proxy_http
+</code>
 Note: The Apache rewrite and ssl modules are also required for this setup. You have already enabled these modules as part of configuring Let’s Encrypt in the second Apache tutorial listed in the prerequisites section.
@@ Zeile 75: / Zeile 76: @@
 Open the configuration file in a text editor:
+<code>
     sudo nano /etc/apache2/sites-enabled/your_domain-le-ssl.conf
+</code>
 The lines from ServerAdmin to SSLCertificateKeyFile are part of the initial Apache and Let’s Encrypt configuration that you set up in the prerequisite tutorials. Add the highlighted content, beginning at Alias and ending with the ProxyPassReverse directive:
 /etc/apache2/sites-enabled/your_domain-le-ssl.conf
+<code>
 <IfModule mod_ssl.c>
 <VirtualHost *:443>
@@ Zeile 95: / Zeile 96: @@
 	SSLCertificateKeyFile /etc/letsencrypt/live/your_domain/privkey.pem
-	Alias /media  /home/sammy/seafile/seafile-server-latest/seahub/media
+	Alias /media  /home/<username>/seafile/seafile-server-latest/seahub/media
 	<Location /media>
 		Require all granted
@@ Zeile 112: / Zeile 113: @@
 </VirtualHost>
 </IfModule>
+</code>
 The Alias directive maps the URL path your_domain/media to a local path in the file system that Seafile uses. The following Location directive enables access to content in this directory. The ProxyPass and ProxyPassReverse directives make Apache act as a reverse proxy for this host, forwarding requests to / and /seafhttp to the Seafile web interface and file server running on local host ports 8000 and 8082 respectively. The RewriteRule directive passes all requests to /seafhttp unchanged and stops processing further rules ([QSA,L]).
@@ Zeile 132: / Zeile 133: @@
 Open ccnet.conf in a text editor:
-    nano /home/sammy/seafile/conf/ccnet.conf
+    nano /home/<username>/seafile/conf/ccnet.conf
 Near the top of the file, within the [General] block, is the SERVICE_URL directive. It will look like this:
-Update /home/sammy/seafile/conf/ccnet.conf
+Update /home/<username/seafile/conf/ccnet.conf
 . . .
@@ Zeile 166: / Zeile 167: @@
 Now you can start the Seafile service and the Seahub interface:
-    cd /home/sammy/seafile/seafile-server-7.0.4
+    cd /home/sammy/seafile/seafile-server-8.0.7
     ./seafile.sh start
     ./seahub.sh start
@@ Zeile 193: / Zeile 194: @@
 Login screen of the Seafile web interface
-Once logged in successfully, you can access the admin interface or create new users.
+Once logged in successfully, you can access the admin interface or create new users (<username>).
 Now that you have verified the web interface is working correctly, you can enable these services to start automatically at system boot in the next step.
@@ Zeile 211: / Zeile 212: @@
 After=network.target mysql.service
+<code>
 [Service]
 Type=forking
-ExecStart=/home/sammy/seafile/seafile-server-latest/seafile.sh start
+ExecStart=/home/<username/seafile/seafile-server-latest/seafile.sh start
-ExecStop=/home/sammy/seafile/seafile-server-latest/seafile.sh stop
+ExecStop=/home/<username/seafile/seafile-server-latest/seafile.sh stop
-User=sammy
+User=<username>
-Group=sammy
+Group=<username>
 [Install]
 WantedBy=multi-user.target
+</code>
 Here, the ExectStart and ExecStop lines indicate the commands that run to start and stop the Seafile service. The service will run with sammy as the User and Group. The After line specifies that the Seafile service will start after the networking and MariaDB service has started.
@@ Zeile 226: / Zeile 228: @@
 Create a systemd service file for the Seahub web interface:
+<code>
     sudo nano /etc/systemd/system/seahub.service
+</code>
 This is similar to the Seafile service. The only difference is that the web interface is started after the Seafile service. Add the following content to this file:
+<code>
 Create /etc/systemd/system/seahub.service
@@ Zeile 238: / Zeile 241: @@
 [Service]
 Type=forking
-ExecStart=/home/sammy/seafile/seafile-server-latest/seahub.sh start
+ExecStart=/home/<username>/seafile/seafile-server-latest/seahub.sh start
-ExecStop=/home/sammy/seafile/seafile-server-latest/seahub.sh stop
+ExecStop=/home/<username>/seafile/seafile-server-latest/seahub.sh stop
-User=sammy
+User=<username>
-Group=sammy
+Group=<username>
 [Install]
 WantedBy=multi-user.target
+</code>
 Save seahub.service and exit.
@@ Zeile 251: / Zeile 254: @@
 Finally, to enable both the Seafile and Seahub services to start automatically at boot, run the following commands:
+<code>
     sudo systemctl enable seafile.service
     sudo systemctl enable seahub.service
+</code>
 When the server is rebooted, Seafile will start automatically.
 At this point, you have completed setting up the server, and can now test each of the services.
-Step 7 — Testing File Syncing and Sharing Functionality
+***** Testing File Syncing and Sharing Functionality *****
 In this step, you will test the file synchronization and sharing functionality of the server you have set up and ensure they are working correctly. To do this, you will need to install the Seafile client program on a separate computer and/or a mobile device.
@@ Zeile 284: / Zeile 288: @@
 Click on Share next to the file to generate a download link for this file that you can share.
-You have verified that the file synchronization is working correctly and that you can use Seafile to sync and share files and folders from multiple devices.
+Enabling HTTPS with Apache¶
-Conclusion
-In this tutorial you set up a private instance of a Seafile server. Now you can start using the server to synchronize files, add users and groups, and share files between them or with the public without relying on an external service.
+After completing the installation of Seafile Server Community Edition and Seafile Server Professional Edition, communication between the Seafile server and clients runs over (unencrypted) HTTP. While HTTP is ok for testing purposes, switching to HTTPS is imperative for production use.
-When a new release of the server is available, please consult the upgrade section of the manual for steps to perform an upgrade.
+HTTPS requires a SSL certificate from a Certificate Authority (CA). Unless you already have a SSL certificate, we recommend that you get your SSL certificate from Let’s Encrypt using Certbot. If you have a SSL certificate from another CA, skip the section "Getting a Let's Encrypt certificate".
+A second requirement is a reverse proxy supporting SSL. Apache, a popular web server and reverse proxy, is a good option. The full documentation of Apache is available at https://httpd.apache.org/docs/.
+The recommended reverse proxy is Nginx. You find instructions for enabling HTTPS with Nginx here.
+Setup¶
+The setup of Seafile using Apache as a reverse proxy with HTTPS is demonstrated using the sample host name seafile.example.com.
+This manual assumes the following requirements:
+    Seafile Server Community Edition/Professional Edition was set up according to the instructions in this manual
+    A host name points at the IP address of the server and the server is available on port 80 and 443
+If your setup differs from thes requirements, adjust the following instructions accordingly.
+The setup proceeds in two steps: First, Apache is installed. Second, a SSL certificate is integrated in the Apache configuration.
+Installing Apache¶
+Install and enable apache modules:
+<code>
+sudo a2enmod rewrite
+sudo a2enmod proxy_http
+</code>
+Important: Due to the security advisory published by Django team, we recommend to disable GZip compression to mitigate BREACH attack. No version earlier than Apache 2.4 should be used.
+Configuring Apache¶
+Modify Apache config file. For CentOS, this is vhost.conf. For Debian/Ubuntu, this is sites-enabled/000-default.
+<code>
+<VirtualHost *:80>
+    ServerName seafile.example.com
+    # Use "DocumentRoot /var/www/html" for CentOS
+    # Use "DocumentRoot /var/www" for Debian/Ubuntu
+    DocumentRoot /var/www
+    Alias /media  /opt/seafile/seafile-server-latest/seahub/media
+    AllowEncodedSlashes On
+    RewriteEngine On
+    <Location /media>
+        Require all granted
+    </Location>
+    #
+    # seafile fileserver
+    #
+    ProxyPass /seafhttp http://127.0.0.1:8082
+    ProxyPassReverse /seafhttp http://127.0.0.1:8082
+    RewriteRule ^/seafhttp - [QSA,L]
+    #
+    # seahub
+    #
+    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+    ProxyPreserveHost On
+    ProxyPass / http://127.0.0.1:8000/
+    ProxyPassReverse / http://127.0.0.1:8000/
+</VirtualHost>
+</code>
+Getting a Let's Encrypt certificate¶
+Getting a Let's Encrypt certificate is straightforward thanks to Certbot. Certbot is a free, open source software tool for requesting, receiving, and renewing Let's Encrypt certificates.
+First, go to the Certbot website and choose your web server and OS.
+Second, follow the detailed instructions then shown.
+We recommend that you get just a certificate and that you modify the Apache configuration yourself:
+<code>
+sudo certbot --apache certonly
+</code>
+Follow the instructions on the screen.
+Upon successful verification, Certbot saves the certificate files in a directory named after the host name in /etc/letsencrypt/live. For the host name seafile.example.com, the files are stored in /etc/letsencrypt/live/seafile.example.com.
+Adjusting Apache configuration¶
+To use HTTPS, you need to enable mod_ssl:
+<code>
+sudo a2enmod ssl
+</code>
+Then modify your Apache configuration file. Here is a sample:
+<code>
+<VirtualHost *:443>
+  ServerName seafile.example.com
+  DocumentRoot /var/www
+  SSLEngine On
+  SSLCertificateFile /etc/letsencrypt/live/seafile.example.com/fullchain.pem;    # Path to your fullchain.pem
+  SSLCertificateKeyFile /etc/letsencrypt/live/seafile.example.com/privkey.pem;  # Path to your privkey.pem
+  Alias /media  /opt/seafile/seafile-server-latest/seahub/media
+  <Location /media>
+    Require all granted
+  </Location>
+  RewriteEngine On
+  #
+  # seafile fileserver
+  #
+  ProxyPass /seafhttp http://127.0.0.1:8082
+  ProxyPassReverse /seafhttp http://127.0.0.1:8082
+  RewriteRule ^/seafhttp - [QSA,L]
+  #
+  # seahub
+  #
+  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+  ProxyPreserveHost On
+  ProxyPass / http://127.0.0.1:8000/
+  ProxyPassReverse / http://127.0.0.1:8000/
+</VirtualHost>
+</code>
+Finally, make sure the virtual host file does not contain syntax errors and restart Apache for the configuration changes to take effect:
+<code>
+sudo service apache2 restart
+</code>
+Modifying ccnet.conf¶
+The SERVICE_URL in ccnet.conf informs Seafile about the chosen domain, protocol and port. Change the SERVICE_URLso as to account for the switch from HTTP to HTTPS and to correspond to your host name (the http://must not be removed):
+SERVICE_URL = https://seafile.example.com
+Note: TheSERVICE_URL can also be modified in Seahub via System Admininstration > Settings. If SERVICE_URL is configured via System Admin and in ccnet.conf, the value in System Admin will take precedence.
+Modifying seahub_settings.py¶
+The FILE_SERVER_ROOT in seahub_settings.py informs Seafile about the location of and the protocol used by the file server. Change the FILE_SERVER_ROOTso as to account for the switch from HTTP to HTTPS and to correspond to your host name (the trailing /seafhttp must not be removed):
+FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp'
+Note: TheFILE_SERVER_ROOT can also be modified in Seahub via System Admininstration > Settings. If FILE_SERVER_ROOT is configured via System Admin and in seahub_settings.py, the value in System Admin will take precedence.
+Modifying seafile.conf (optional)¶
+To improve security, the file server should only be accessible via Apache.
+Add the following line in the [fileserver] block on seafile.conf in /opt/seafile/conf:
+<code>
+host = 127.0.0.1  ## default port 0.0.0.0
+</code>
+After his change, the file server only accepts requests from Apache.
+Starting Seafile and Seahub¶
+Restart the seaf-server and Seahub for the config changes to take effect:
+<code>
+su seafile
+cd /opt/seafile/seafile-server-latest
+./seafile.sh restart
+./seahub.sh restart
+</code>