Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- wiki:seafile [2022/08/21 15:27] – mho
+++ wiki:seafile [2022/08/22 18:10] (aktuell) – mho
@@ Zeile 1: / Zeile 1: @@
+<code>
 apt update && apt install mariadb-server mariadb-client
+</code>
 mysql_secure_installation
@@ Zeile 9: / Zeile 11: @@
 Reload privilege tables now? [Y/n] y
+<code>
 mysql -u root -p
@@ Zeile 40: / Zeile 42: @@
 bash setup-seafile-mysql.sh
+</code>
 [ server name ] Seafile
 [ This server's ip or domain ] your_domain oder 192.168.178.x
@@ Zeile 55: / Zeile 57: @@
 [ seahub database ] seahub_server
+<code>
 echo "export LC_ALL=de_DE.UTF-8" >>~/.bashrc
 echo "export LANG=de_DE.UTF-8" >>~/.bashrc
 echo "export LANGUAGE=de_DE.UTF-8" >>~/.bashrc
 source ~/.bashrc
+</code>
 Configuring the Apache Web Server
@@ Zeile 66: / Zeile 68: @@
 To begin forwarding requests, you will need to enable the proxy_http module in the Apache configuration. This module provides features for proxying HTTP and HTTPS requests. The following command will enable the module:
+<code>
     sudo a2enmod proxy_http
+</code>
 Note: The Apache rewrite and ssl modules are also required for this setup. You have already enabled these modules as part of configuring Let’s Encrypt in the second Apache tutorial listed in the prerequisites section.
@@ Zeile 74: / Zeile 76: @@
 Open the configuration file in a text editor:
+<code>
     sudo nano /etc/apache2/sites-enabled/your_domain-le-ssl.conf
+</code>
 The lines from ServerAdmin to SSLCertificateKeyFile are part of the initial Apache and Let’s Encrypt configuration that you set up in the prerequisite tutorials. Add the highlighted content, beginning at Alias and ending with the ProxyPassReverse directive:
 /etc/apache2/sites-enabled/your_domain-le-ssl.conf
@@ Zeile 226: / Zeile 228: @@
 Create a systemd service file for the Seahub web interface:
+<code>
     sudo nano /etc/systemd/system/seahub.service
+</code>
 This is similar to the Seafile service. The only difference is that the web interface is started after the Seafile service. Add the following content to this file:
+<code>
 Create /etc/systemd/system/seahub.service
-<code>
 [Unit]
 Description=Seafile hub
@@ Zeile 252: / Zeile 254: @@
 Finally, to enable both the Seafile and Seahub services to start automatically at boot, run the following commands:
+<code>
     sudo systemctl enable seafile.service
     sudo systemctl enable seahub.service
+</code>
 When the server is rebooted, Seafile will start automatically.
 At this point, you have completed setting up the server, and can now test each of the services.
-Step 7 — Testing File Syncing and Sharing Functionality
+***** Testing File Syncing and Sharing Functionality *****
 In this step, you will test the file synchronization and sharing functionality of the server you have set up and ensure they are working correctly. To do this, you will need to install the Seafile client program on a separate computer and/or a mobile device.
@@ Zeile 285: / Zeile 288: @@
 Click on Share next to the file to generate a download link for this file that you can share.
-You have verified that the file synchronization is working correctly and that you can use Seafile to sync and share files and folders from multiple devices.
+Enabling HTTPS with Apache¶
-Conclusion
-In this tutorial you set up a private instance of a Seafile server. Now you can start using the server to synchronize files, add users and groups, and share files between them or with the public without relying on an external service.
+After completing the installation of Seafile Server Community Edition and Seafile Server Professional Edition, communication between the Seafile server and clients runs over (unencrypted) HTTP. While HTTP is ok for testing purposes, switching to HTTPS is imperative for production use.
-When a new release of the server is available, please consult the upgrade section of the manual for steps to perform an upgrade.
+HTTPS requires a SSL certificate from a Certificate Authority (CA). Unless you already have a SSL certificate, we recommend that you get your SSL certificate from Let’s Encrypt using Certbot. If you have a SSL certificate from another CA, skip the section "Getting a Let's Encrypt certificate".
+A second requirement is a reverse proxy supporting SSL. Apache, a popular web server and reverse proxy, is a good option. The full documentation of Apache is available at https://httpd.apache.org/docs/.
+The recommended reverse proxy is Nginx. You find instructions for enabling HTTPS with Nginx here.
+Setup¶
+The setup of Seafile using Apache as a reverse proxy with HTTPS is demonstrated using the sample host name seafile.example.com.
+This manual assumes the following requirements:
+    Seafile Server Community Edition/Professional Edition was set up according to the instructions in this manual
+    A host name points at the IP address of the server and the server is available on port 80 and 443
+If your setup differs from thes requirements, adjust the following instructions accordingly.
+The setup proceeds in two steps: First, Apache is installed. Second, a SSL certificate is integrated in the Apache configuration.
+Installing Apache¶
+Install and enable apache modules:
+<code>
+sudo a2enmod rewrite
+sudo a2enmod proxy_http
+</code>
+Important: Due to the security advisory published by Django team, we recommend to disable GZip compression to mitigate BREACH attack. No version earlier than Apache 2.4 should be used.
+Configuring Apache¶
+Modify Apache config file. For CentOS, this is vhost.conf. For Debian/Ubuntu, this is sites-enabled/000-default.
+<code>
+<VirtualHost *:80>
+    ServerName seafile.example.com
+    # Use "DocumentRoot /var/www/html" for CentOS
+    # Use "DocumentRoot /var/www" for Debian/Ubuntu
+    DocumentRoot /var/www
+    Alias /media  /opt/seafile/seafile-server-latest/seahub/media
+    AllowEncodedSlashes On
+    RewriteEngine On
+    <Location /media>
+        Require all granted
+    </Location>
+    #
+    # seafile fileserver
+    #
+    ProxyPass /seafhttp http://127.0.0.1:8082
+    ProxyPassReverse /seafhttp http://127.0.0.1:8082
+    RewriteRule ^/seafhttp - [QSA,L]
+    #
+    # seahub
+    #
+    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+    ProxyPreserveHost On
+    ProxyPass / http://127.0.0.1:8000/
+    ProxyPassReverse / http://127.0.0.1:8000/
+</VirtualHost>
+</code>
+Getting a Let's Encrypt certificate¶
+Getting a Let's Encrypt certificate is straightforward thanks to Certbot. Certbot is a free, open source software tool for requesting, receiving, and renewing Let's Encrypt certificates.
+First, go to the Certbot website and choose your web server and OS.
+Second, follow the detailed instructions then shown.
+We recommend that you get just a certificate and that you modify the Apache configuration yourself:
+<code>
+sudo certbot --apache certonly
+</code>
+Follow the instructions on the screen.
+Upon successful verification, Certbot saves the certificate files in a directory named after the host name in /etc/letsencrypt/live. For the host name seafile.example.com, the files are stored in /etc/letsencrypt/live/seafile.example.com.
+Adjusting Apache configuration¶
+To use HTTPS, you need to enable mod_ssl:
+<code>
+sudo a2enmod ssl
+</code>
+Then modify your Apache configuration file. Here is a sample:
+<code>
+<VirtualHost *:443>
+  ServerName seafile.example.com
+  DocumentRoot /var/www
+  SSLEngine On
+  SSLCertificateFile /etc/letsencrypt/live/seafile.example.com/fullchain.pem;    # Path to your fullchain.pem
+  SSLCertificateKeyFile /etc/letsencrypt/live/seafile.example.com/privkey.pem;  # Path to your privkey.pem
+  Alias /media  /opt/seafile/seafile-server-latest/seahub/media
+  <Location /media>
+    Require all granted
+  </Location>
+  RewriteEngine On
+  #
+  # seafile fileserver
+  #
+  ProxyPass /seafhttp http://127.0.0.1:8082
+  ProxyPassReverse /seafhttp http://127.0.0.1:8082
+  RewriteRule ^/seafhttp - [QSA,L]
+  #
+  # seahub
+  #
+  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+  ProxyPreserveHost On
+  ProxyPass / http://127.0.0.1:8000/
+  ProxyPassReverse / http://127.0.0.1:8000/
+</VirtualHost>
+</code>
+Finally, make sure the virtual host file does not contain syntax errors and restart Apache for the configuration changes to take effect:
+<code>
+sudo service apache2 restart
+</code>
+Modifying ccnet.conf¶
+The SERVICE_URL in ccnet.conf informs Seafile about the chosen domain, protocol and port. Change the SERVICE_URLso as to account for the switch from HTTP to HTTPS and to correspond to your host name (the http://must not be removed):
+SERVICE_URL = https://seafile.example.com
+Note: TheSERVICE_URL can also be modified in Seahub via System Admininstration > Settings. If SERVICE_URL is configured via System Admin and in ccnet.conf, the value in System Admin will take precedence.
+Modifying seahub_settings.py¶
+The FILE_SERVER_ROOT in seahub_settings.py informs Seafile about the location of and the protocol used by the file server. Change the FILE_SERVER_ROOTso as to account for the switch from HTTP to HTTPS and to correspond to your host name (the trailing /seafhttp must not be removed):
+FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp'
+Note: TheFILE_SERVER_ROOT can also be modified in Seahub via System Admininstration > Settings. If FILE_SERVER_ROOT is configured via System Admin and in seahub_settings.py, the value in System Admin will take precedence.
+Modifying seafile.conf (optional)¶
+To improve security, the file server should only be accessible via Apache.
+Add the following line in the [fileserver] block on seafile.conf in /opt/seafile/conf:
+<code>
+host = 127.0.0.1  ## default port 0.0.0.0
+</code>
+After his change, the file server only accepts requests from Apache.
+Starting Seafile and Seahub¶
+Restart the seaf-server and Seahub for the config changes to take effect:
+<code>
+su seafile
+cd /opt/seafile/seafile-server-latest
+./seafile.sh restart
+./seahub.sh restart
+</code>