Seafile: your own cloud.

Seafile is an open-source cloud storage system with privacy-protection and collaboration features. Collections of files are called libraries, and each library can be synchronised separately. A library can also be encrypted with a password chosen by the user; the encryption is done in the client, so the server holds only ciphertext unless the password is entered through the web interface. Seafile also lets users create groups and share files within a group easily.

Installing Seafile

cd /usr/ports/net-mgmt/seafile-server/ && make install clean
cd /usr/ports/www/seahub/ && make install clean

During the build, libiconv complained about missing .la files. The command below lists the packages whose .la files still reference libiconv.la; I rebuilt everything it found:

find /usr/local/lib -name '*.la' | xargs grep -l 'libiconv\.la' | xargs pkg which

(http://forum.lissyara.su/viewtopic.php?t=42757)

One of the ports to rebuild was fusefs-libs. portmaster -L lists the installed ports; -o replaces the installed fusefs-libs-2.9.3_2 package with a fresh build from sysutils/fusefs-libs:

portmaster -L | grep fusefs-lib
portmaster -o sysutils/fusefs-libs fusefs-libs-2.9.3_2

Configuring Seafile

I set up Seafile with MySQL support. MySQL and Seafile run on different servers. On the MySQL server I create three databases, ccnet-db, seafile-db and seahub-db, create the user seafile with full rights on those three databases only, and enable remote access to MySQL from the Seafile host. Two points about the session below: the accounts are bound to the Seafile server's address (10.215.130.22) rather than '%', so the passwords are usable only from that host; and the root@10.215.130.22 account with ALL PRIVILEGES ON *.* is needed only if setup-seafile-mysql.sh is to create the databases itself (option 1 further down). With pre-created databases (option 2) it is unnecessary, and in either case it should be dropped once setup is finished.

mysql -uroot -p
Enter password:
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.03 sec)

create database `ccnet-db` character set = 'utf8';
Query OK, 1 row affected (0.07 sec)

create database `seafile-db` character set = 'utf8';
Query OK, 1 row affected (0.01 sec)

create database `seahub-db` character set = 'utf8';
Query OK, 1 row affected (0.02 sec)

show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ccnet-db           |
| mysql              |
| performance_schema |
| seafile-db         |
| seahub-db          |
| sys                |
+--------------------+
7 rows in set (0.03 sec)

select user,host from mysql.user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
| mysql.session | localhost |
| mysql.sys     | localhost |
| root          | localhost |
+---------------+-----------+
3 rows in set (0.00 sec)

create user 'seafile'@'10.215.130.22' identified by 'Kl0T1k#$ea';
GRANT ALL PRIVILEGES ON `ccnet-db`.* to `seafile`@10.215.130.22;
GRANT ALL PRIVILEGES ON `seafile-db`.* to `seafile`@10.215.130.22;
GRANT ALL PRIVILEGES ON `seahub-db`.* to `seafile`@10.215.130.22;
CREATE USER 'root'@'10.215.130.22' IDENTIFIED BY 'Ce,,0nf#';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'10.215.130.22';
FLUSH PRIVILEGES;

select user,host from mysql.user;
+---------------+---------------+
| user          | host          |
+---------------+---------------+
| root          | 10.215.130.22 |
| seafile       | 10.215.130.22 |
| mysql.session | localhost     |
| mysql.sys     | localhost     |
| root          | localhost     |
+---------------+---------------+
5 rows in set (0.00 sec)

On the Seafile server I run setup-seafile-mysql.sh. If it fails with «python-mysqldb is not installed, Please install it first», check the seahub installation. The first run below uses option 2, the databases created above, with the seafile account only:

cd /usr/local/www/haiwen/seafile-server
./setup-seafile-mysql.sh
Checking python on this machine ...
Checking python module: python-mysqldb ... Done.

-----------------------------------------------------------------
This script will guide you to setup your seafile server using MySQL.
Make sure you have read seafile server manual at

        https://github.com/haiwen/seafile/wiki

Press ENTER to continue
-----------------------------------------------------------------

What is the name of the server? It will be displayed on the client.
3 - 15 letters or digits
[ server name ] sea-klotik

What is the ip or domain of the server?
For example: www.mycompany.com, 192.168.1.101
[ This server's ip or domain ] 10.215.130.22

Where do you want to put your seafile data?
Please use a volume with enough free space
[ default "/usr/local/www/haiwen/seafile-data" ] /mnt/seafile-data

Which port do you want to use for the seafile fileserver?
[ default "8082" ]

-------------------------------------------------------
Please choose a way to initialize seafile databases:
-------------------------------------------------------

[1] Create new ccnet/seafile/seahub databases
[2] Use existing ccnet/seafile/seahub databases

[ 1 or 2 ] 2

What is the host of mysql server?
[ default "localhost" ] 10.215.130.20

From which hosts could the mysql account be used?
[ default "%" ]

What is the port of mysql server?
[ default "3306" ]

Which mysql user to use for seafile?
[ mysql user for seafile ] seafile

What is the password for mysql user "seafile"?
[ password for seafile ]

verifying password of user seafile ...  done

Enter the existing database name for ccnet:
[ ccnet database ] ccnet-db

verifying user "seafile" access to database ccnet-db ...  done

Enter the existing database name for seafile:
[ seafile database ] seafile-db

verifying user "seafile" access to database seafile-db ...  done

Enter the existing database name for seahub:
[ seahub database ] seahub-db

verifying user "seafile" access to database seahub-db ...  done

---------------------------------
This is your configuration
---------------------------------

    server name:            sea-klotik
    server ip/domain:       10.215.130.22

    seafile data dir:       /mnt/seafile-data
    fileserver port:        8082

    database:               use existing
    ccnet database:         ccnet-db
    seafile database:       seafile-db
    seahub database:        seahub-db
    database user:          seafile

---------------------------------
Press ENTER to continue, or Ctrl-C to abort
---------------------------------
Generating ccnet configuration ...

done
Successly create configuration dir /usr/local/www/haiwen/ccnet.
Generating seafile configuration ...

Done.
done
Generating seahub configuration ...

----------------------------------------
Now creating ccnet database tables ...

----------------------------------------
----------------------------------------
Now creating seafile database tables ...

----------------------------------------
----------------------------------------
Now creating seahub database tables ...

----------------------------------------

creating seafile-server-latest symbolic link ...  done

-----------------------------------------------------------------
Your seafile server configuration has been finished successfully.
-----------------------------------------------------------------

run seafile server:     sysrc seafile_enable=YES
                        service seafile { start | stop | restart }
run seahub  server:     sysrc seahub_enable=YES
                        service seahub { start | stop | restart }
run reset-admin:        ./reset-admin.sh

-----------------------------------------------------------------
If you are behind a firewall, remember to allow input/output of these tcp ports:
-----------------------------------------------------------------

port of seafile fileserver:   8082
port of seahub:               8000

When problems occur, Refer to

        https://github.com/haiwen/seafile/wiki

for information.

A second run, this time letting the script create the databases itself (option 1). This was done on another host, 10.215.130.23, and requires a MySQL root account that is reachable from that host:

cd /usr/local/www/haiwen/seafile-server
./setup-seafile-mysql.sh
Checking python on this machine ...
Checking python module: python-mysqldb ... Done.

-----------------------------------------------------------------
This script will guide you to setup your seafile server using MySQL.
Make sure you have read seafile server manual at

      https://github.com/haiwen/seafile/wiki

Press ENTER to continue
-----------------------------------------------------------------

What is the name of the server? It will be displayed on the client.
3 - 15 letters or digits
[ server name ] sea-klotik

What is the ip or domain of the server?
For example: www.mycompany.com, 192.168.1.101
[ This server's ip or domain ] 10.215.130.23

Where do you want to put your seafile data?
Please use a volume with enough free space
[ default "/usr/local/www/haiwen/seafile-data" ] /mnt/sea/seafile-data

Which port do you want to use for the seafile fileserver?
[ default "8082" ]

-------------------------------------------------------
Please choose a way to initialize seafile databases:
-------------------------------------------------------

[1] Create new ccnet/seafile/seahub databases
[2] Use existing ccnet/seafile/seahub databases

[ 1 or 2 ] 1

What is the host of mysql server?
[ default "localhost" ] 10.215.130.20

From which hosts could the mysql account be used?
[ default "%" ]

What is the port of mysql server?
[ default "3306" ]

What is the password of the mysql root user?
[ root password ]
Failed to connect to mysql server using user "root" and password "***": Host '10.215.130.23' is not allowed to connect to this MySQL server

The MySQL server is on another machine, so I check that it is reachable from the Seafile host:

mysql -h 10.215.130.20 -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'10.215.130.23' (using password: YES)

Network access to MySQL had been closed; I opened it. (As the CURRENT_USER() check further down shows, this was done with a root@'%' account, i.e. root accepted from any host. That is tolerable only for the duration of the setup; afterwards restrict it to the Seafile server's address or drop it.)

What is the password of the mysql root user?
[ root password ]
verifying password of user root ...  done

Enter the name for mysql user of seafile. It would be created if not exists.
[ default "seafile" ]

Enter the password for mysql user "seafile":
[ password for seafile ]

Enter the database name for ccnet-server:
[ default "ccnet-db" ]

Enter the database name for seafile-server:
[ default "seafile-db" ]

Enter the database name for seahub:
[ default "seahub-db" ]

---------------------------------
This is your configuration
---------------------------------

  server name:            sea-klotik
  server ip/domain:       10.215.130.23

  seafile data dir:       /mnt/sea/seafile-data
  fileserver port:        8082

  database:               create new
  ccnet database:         ccnet-db
  seafile database:       seafile-db
  seahub database:        seahub-db
  database user:          seafile
  
---------------------------------
Press ENTER to continue, or Ctrl-C to abort
---------------------------------

Error: Failed to grant permission of database ccnet-db: Access denied for user 'root'@'%' to database 'ccnet-db'

The script failed. I connect to MySQL to see what the root account can actually do:

mysql -h 10.215.130.20 -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 287971
Server version: 5.7.25-log Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> status
--------------
mysql  Ver 14.14 Distrib 5.7.26, for FreeBSD11.2 (amd64) using  EditLine wrapper

Connection id:          287971
Current database:
Current user:           root@10.215.130.23
SSL:                    Cipher in use is DHE-RSA-AES128-GCM-SHA256
Current pager:          more
Using outfile:          ''
Using delimiter:        ;
Server version:         5.7.25-log Source distribution
Protocol version:       10
Connection:             10.215.130.20 via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:               3306
Uptime:                 142 days 1 hour 53 min 30 sec

Threads: 8  Questions: 32713604  Slow queries: 11311  Opens: 2272  Flush tables: 1  Open tables: 1512  Queries per second avg: 2.664
--------------

I check which account I was logged in as:

mysql> SELECT USER(),CURRENT_USER();
+--------------------+----------------+
| USER()             | CURRENT_USER() |
+--------------------+----------------+
| root@10.215.130.23 | root@%         |
+--------------------+----------------+
1 row in set (0.00 sec)
  • USER() reports the user name and host the client presented when connecting
  • CURRENT_USER() reports the account MySQL actually matched, i.e. the one whose privileges apply (here root@%, since there is no root@10.215.130.23 entry)

I check the privileges after login:

mysql> SHOW GRANTS;
+-------------------------------------------+
| Grants for root@%                         |
+-------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' |
+-------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT `User`, `Grant_priv` FROM `mysql`.`user` WHERE `User` = 'root';
+------+------------+
| User | Grant_priv |
+------+------------+
| root | Y          |
| root | N          |
+------+------------+
2 rows in set (0.00 sec)

The two rows are root@localhost (Grant_priv = Y) and the root@'%' account added earlier for network access (Grant_priv = N). GRANT ALL PRIVILEGES ON *.* without the WITH GRANT OPTION clause gives every privilege except the right to pass privileges on to other accounts, and that is exactly what the setup script, connected as root@'%', needs when it grants the new databases to the seafile user; hence «Access denied for user 'root'@'%' to database 'ccnet-db'». The supported fix is to repeat the GRANT for 'root'@'%' with the WITH GRANT OPTION clause. Here I instead flip the flag in the grant table directly, which touches both root rows and needs FLUSH PRIVILEGES to take effect:

UPDATE `mysql`.`user` SET `Grant_priv` = 'Y' WHERE `User` = 'root';
Query OK, 1 row affected (0.03 sec)
Rows matched: 2  Changed: 1  Warnings: 0

FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.05 sec)

mysql> SELECT `User`, `Grant_priv` FROM `mysql`.`user` WHERE `User` = 'root';
+------+------------+
| User | Grant_priv |
+------+------------+
| root | Y          |
| root | Y          |
+------+------------+
2 rows in set (0.00 sec)

quit

I run the script again:

./setup-seafile-mysql.sh
...

---------------------------------
Press ENTER to continue, or Ctrl-C to abort
---------------------------------

Generating ccnet configuration ...

done
Successly create configuration dir /usr/local/www/haiwen/ccnet.
Generating seafile configuration ...

Done.
done
Generating seahub configuration ...

----------------------------------------
Now creating ccnet database tables ...

----------------------------------------
----------------------------------------
Now creating seafile database tables ...

----------------------------------------
----------------------------------------
Now creating seahub database tables ...

----------------------------------------

creating seafile-server-latest symbolic link ...  done




-----------------------------------------------------------------
Your seafile server configuration has been finished successfully.
-----------------------------------------------------------------

run seafile server:     sysrc seafile_enable=YES
                        service seafile { start | stop | restart }
run seahub  server:     sysrc seahub_enable=YES
                        service seahub { start | stop | restart }
run reset-admin:        ./reset-admin.sh

-----------------------------------------------------------------
If you are behind a firewall, remember to allow input/output of these tcp ports:
-----------------------------------------------------------------

port of seafile fileserver:   8082
port of seahub:               8000

When problems occur, Refer to

        https://github.com/haiwen/seafile/wiki

for information.

Starting the server

I enable both services in /etc/rc.conf with sysrc:

sysrc seafile_enable=YES
sysrc seahub_enable=YES

Then I start them:

service seafile start
[08/19/19 01:48:16] ../common/session.c(132): using config file /usr/local/www/haiwen/conf/ccnet.conf
Starting seafile server, please wait ...
** Message: 01:48:16.751: seafile-controller.c(775): No seafevents.

Seafile server started

service seahub start
LANG is not set in ENV, set to en_US.UTF-8
LC_ALL is not set in ENV, set to en_US.UTF-8
Starting seahub at port 8000 ...

Seahub is started

I create the administrator account. In /usr/local/www/haiwen/seafile-server I run:

./reset-admin.sh
E-mail address: alex@klotik.ru
Password:
Password (again):
Superuser created successfully.

Checking that both are running:

pgrep -f seafile-controller
11451
pgrep -f seahub
26308
26253
25676
25359
25121
22270

The server is now reachable at 10.215.130.22:8000. At this point seahub (port 8000) and the fileserver (port 8082) speak plain HTTP; sockstat -4l shows which addresses they are bound to. Do not expose these ports directly: put them behind nginx with TLS as described below and let the firewall admit only 80 and 443.

Moving Seafile to a new server

Once everything above is done, I stop the Seafile server:

service seafile stop
service seahub stop

On the old server I dump the Seafile databases. The first attempt fails: the only seafile account on the old MySQL (running in jail_1) is seafile@192.168.0.3, so a local mysqldump as seafile@localhost is refused. Running mysqldump from the Seafile host (192.168.0.3) against the MySQL jail would have used the existing account; instead a seafile@localhost account is created. Note that it is given ALL PRIVILEGES ON *.*, far more than a dump needs: SELECT and LOCK TABLES on the three databases are enough for mysqldump.

# mysqldump -u seafile -p ccnet-db > ccnet-db.sql
Enter password:
mysqldump: Got error: 1045: Access denied for user 'seafile'@'localhost' (using password: YES) when trying to connect
root@jail_1:/ # mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.7.29-log Source distribution

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

root@localhost [(none)]> select user,host from mysql.user;
+---------------+-------------+
| user          | host        |
+---------------+-------------+
| root          | 192.168.0.3 |
| seafile       | 192.168.0.3 |
| mysql.session | localhost   |
| mysql.sys     | localhost   |
| root          | localhost   |
+---------------+-------------+
5 rows in set (0.19 sec)

root@localhost [(none)]> create user 'seafile'@'localhost' identified by 'Kl0T1k#$ea';
Query OK, 0 rows affected (0.28 sec)

root@localhost [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'seafile'@'localhost';
Query OK, 0 rows affected (0.03 sec)

root@localhost [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.09 sec)

root@localhost [(none)]> select user,host from mysql.user;
+---------------+-------------+
| user          | host        |
+---------------+-------------+
| root          | 192.168.0.3 |
| seafile       | 192.168.0.3 |
| mysql.session | localhost   |
| mysql.sys     | localhost   |
| root          | localhost   |
| seafile       | localhost   |
+---------------+-------------+
6 rows in set (0.00 sec)

root@localhost [(none)]> quit

mysqldump -u seafile -p ccnet-db > ccnet-db.sql
mysqldump -u seafile -p seafile-db > seafile-db.sql
mysqldump -u seafile -p seahub-db > seahub-db.sql

On the new MySQL server I drop the databases that the fresh installation created:

mysql -uroot -p
DROP DATABASE `ccnet-db`;
DROP DATABASE `seafile-db`;
DROP DATABASE `seahub-db`;

Check that they are gone:

SHOW DATABASES;

Drop the user:

DROP USER 'seafile'@'10.215.130.22';

Verify:

SELECT User FROM mysql.user;
+---------------+
| User          |
+---------------+
| root          |
| mysql.session |
| mysql.sys     |
| root          |
+---------------+
4 rows in set (0.00 sec)

Create the databases and the user anew:

create database `ccnet-db` character set = 'utf8';
create database `seafile-db` character set = 'utf8';
create database `seahub-db` character set = 'utf8';
create user 'seafile'@'10.215.130.22' identified by 'password';
RESET MASTER;

RESET MASTER is run before each import below. It deletes all existing binary log files and starts a fresh one (the imports themselves are written to the binlog). Do this only on a standalone server: it discards the replication position and any point-in-time-recovery chain.

From a second terminal I restore the first database from its dump. Do not put the root password on the command line as -p'...': anything passed that way is visible to every local user in ps output and stays in the shell history. Use a bare -p and let mysql prompt for it, or an option file:

mysql -h 10.215.130.20 -u root -p seahub-db < seahub-db.sql

In the first terminal:

RESET MASTER;

In the second terminal:

mysql -h 10.215.130.20 -u root -p seafile-db < seafile-db.sql

In the first terminal:

RESET MASTER;

In the second terminal:

mysql -h 10.215.130.20 -u root -p ccnet-db < ccnet-db.sql

Table creation can be checked with:

USE seafile-db
SHOW TABLES;

After the restore I grant the seafile user rights on the three databases (and nothing else):

GRANT ALL PRIVILEGES ON `ccnet-db`.* to `seafile`@10.215.130.22;
GRANT ALL PRIVILEGES ON `seafile-db`.* to `seafile`@10.215.130.22;
GRANT ALL PRIVILEGES ON `seahub-db`.* to `seafile`@10.215.130.22;
FLUSH PRIVILEGES;

In /usr/local/www/haiwen/ccnet/seafile.ini I set the path to the seafile-data directory copied over from the old server (the file contains only that path; copy the data directory before starting and keep it readable by the user the seafile service runs as).

Start Seafile:

service seafile start
service seahub start
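The dump-and-restore steps above, together with the least-privilege grants from the database setup section, as one script. This is an added example, not code from this page or from the Seafile project. It assumes the hosts, user and database names used on this page (10.215.130.20 as the new MySQL server, a seafile account connecting from 10.215.130.22) and passes the password through a mode-0600 option file instead of the command line. The verify_dump check relies on the "-- Dump completed" trailer that mysqldump writes as its last line.

```shell
#!/bin/sh
# Added example (not from the page or the Seafile project): move the three
# Seafile databases between MySQL servers without exposing the password in
# `ps` or shell history, and grant the application user only what it needs.
# Hosts, users and database names below mirror the page; adjust as required.
set -eu

SEAFILE_DBS="ccnet-db seafile-db seahub-db"
NEW_DB_HOST="10.215.130.20"          # new MySQL server (from the page)
SEAFILE_CLIENT_HOST="10.215.130.22"  # host the Seafile server connects from

# Write a MySQL option file readable only by its owner. mysqldump/mysql read it
# via --defaults-extra-file, so the password never appears on a command line
# (unlike  mysql -p'secret', which every local user can see in `ps`).
write_client_cnf() {   # $1 = path, $2 = host, $3 = user, $4 = password
    ( umask 077
      printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' "$2" "$3" "$4" > "$1" )
}

# A complete mysqldump ends with a "-- Dump completed" trailer; a dump cut
# short by a dropped connection or a full disk does not. Refuse to import those.
verify_dump() {        # $1 = dump file; returns 1 if empty or truncated
    [ -s "$1" ] || { echo "empty dump: $1" >&2; return 1; }
    tail -n 1 "$1" | grep -q '^-- Dump completed' \
        || { echo "truncated dump (no 'Dump completed' trailer): $1" >&2; return 1; }
}

# Dump one database. With --single-transaction InnoDB tables are read from a
# consistent snapshot and no LOCK TABLES is needed, so the dump account needs
# only SELECT (and TRIGGER, since triggers are dumped by default) on these
# databases; the ALL PRIVILEGES ON *.* granted on the page is far more than that.
dump_db() {            # $1 = option file, $2 = database, $3 = output directory
    mysqldump --defaults-extra-file="$1" --single-transaction "$2" > "$3/$2.sql"
    verify_dump "$3/$2.sql"
}

# Recreate the database on the new server and import the verified dump.
restore_db() {         # $1 = option file (admin account), $2 = database, $3 = dump file
    verify_dump "$3"
    mysql --defaults-extra-file="$1" -e "CREATE DATABASE IF NOT EXISTS \`$2\` CHARACTER SET utf8"
    mysql --defaults-extra-file="$1" "$2" < "$3"
}

# Grant the application user rights on one database only, bound to the host it
# connects from, so the password is useless from anywhere else.
grant_app_user() {     # $1 = option file (admin), $2 = database, $3 = user, $4 = client host
    mysql --defaults-extra-file="$1" -e \
        "GRANT ALL PRIVILEGES ON \`$2\`.* TO '$3'@'$4'; FLUSH PRIVILEGES;"
}

# Usage: ./migrate.sh dump <dir> <old-mysql-host> <dump-user>   (prompts for password)
#        ./migrate.sh restore <dir>                              (prompts for root password)
main() {
    mode=$1; dir=$2
    cnf=$(mktemp)
    trap 'rm -f "$cnf"' EXIT
    case "$mode" in
      dump)
        printf 'MySQL password for %s: ' "$4"; stty -echo; read -r pw; stty echo; echo
        write_client_cnf "$cnf" "$3" "$4" "$pw"
        for db in $SEAFILE_DBS; do dump_db "$cnf" "$db" "$dir"; done ;;
      restore)
        printf 'MySQL root password on %s: ' "$NEW_DB_HOST"; stty -echo; read -r pw; stty echo; echo
        write_client_cnf "$cnf" "$NEW_DB_HOST" root "$pw"
        for db in $SEAFILE_DBS; do
            restore_db "$cnf" "$db" "$dir/$db.sql"
            grant_app_user "$cnf" "$db" seafile "$SEAFILE_CLIENT_HOST"
        done ;;
    esac
}

# Run only when invoked with a mode, so the functions can also be sourced.
case "${1:-}" in dump|restore) main "$@" ;; esac
```

The option file is created in a subshell with umask 077 so the umask change does not leak into the rest of the script, and it is removed on exit by the trap. Run the dump side on the old server (or from the Seafile host against the old MySQL jail, which is what the existing seafile@192.168.0.3 account was for), copy the .sql files and the seafile-data directory, then run the restore side against the new server.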

Seahub behind Nginx

Seahub is the web front end of the Seafile server. The FileServer handles raw file uploads and downloads from browsers; by default it listens for HTTP on port 8082.

Below, Seahub and the FileServer are put behind an nginx reverse proxy. This first variant is plain HTTP on port 80 and serves only as a stepping stone to the HTTPS configuration in the next section.

cat nginx.conf

#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  klotik.ru;
        proxy_set_header X-Forwarded-For $remote_addr;
        location / {
         proxy_pass         http://127.0.0.1:8000;
         proxy_set_header   Host $host;
         proxy_set_header   X-Real-IP $remote_addr;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Host $server_name;
         proxy_read_timeout  1200s;

         # used for view/edit office file via Office Online Server
         client_max_body_size 0;

         access_log      /var/log/nginx/seahub.access.log;
         error_log       /var/log/nginx/seahub.error.log;
         }

        location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;

        send_timeout  36000s;

        access_log      /var/log/nginx/seafhttp.access.log;
        error_log       /var/log/nginx/seafhttp.error.log;
    }
        location /media {
            root /usr/local/www/haiwen/seafile-server-latest/seahub;
        }

    }



}

Enabling HTTPS with Nginx

To obtain a valid certificate from Let's Encrypt, use the Certbot ACME client.

To install Certbot from ports:

cd /usr/ports/security/py-certbot && make install clean
cd /usr/ports/security/py-certbot-nginx && make install clean

To obtain the certificate:

certbot --nginx -d seafile.klotik.ru -d www.seafile.klotik.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.seafile.klotik.ru
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /usr/local/etc/nginx/nginx.conf
Could not automatically find a matching server block for www.seafile.klotik.ru. Set the `server_name` directive to use the Nginx installer.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/seafile.klotik.ru/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/seafile.klotik.ru/privkey.pem
   Your cert will expire on 2019-11-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

Certbot issued the certificate but could not install it: at that point nginx.conf had server_name klotik.ru and no server block for seafile.klotik.ru (the «Could not automatically find a matching server block» line above). So I edit /usr/local/etc/nginx/nginx.conf by hand. The certificate just issued lives under /usr/local/etc/letsencrypt/live/seafile.klotik.ru/; the separate klotik.ru certificate that the renewal output further down lists covers only klotik.ru and www.klotik.ru, so ssl_certificate in this server block has to point at the seafile.klotik.ru files, or browsers will report a name mismatch.

cat nginx.conf

#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  seafile.klotik.ru;
        # Redirect to HTTPS using the configured name, not $http_host: the Host
        # header is client-controlled, so reflecting it into the Location header
        # would let a request be bounced to an arbitrary host.
        return 301 https://$server_name$request_uri;
        # Enables or disables emitting nginx version on error pages and in the "Server" response header field.
        server_tokens off;
    }

    server {
        listen       443 ssl;
        # The certificate obtained above was saved under live/seafile.klotik.ru/
        ssl_certificate /usr/local/etc/letsencrypt/live/seafile.klotik.ru/fullchain.pem;
        ssl_certificate_key /usr/local/etc/letsencrypt/live/seafile.klotik.ru/privkey.pem;
        server_name  seafile.klotik.ru;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail modern scanners;
        # TLSv1.3 takes effect only when nginx is built against OpenSSL 1.1.1 or newer.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
        ssl_prefer_server_ciphers on;

        proxy_set_header X-Forwarded-For $remote_addr;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        server_tokens off;

        location / {
            proxy_pass         http://127.0.0.1:8000;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
            proxy_set_header   X-Forwarded-Proto https;

            access_log      /var/log/nginx/seahub.access.log;
            error_log       /var/log/nginx/seahub.error.log;

            proxy_read_timeout  1200s;

            client_max_body_size 0;
        }

        location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout  36000s;
            proxy_read_timeout  36000s;
            proxy_send_timeout  36000s;
            send_timeout  36000s;
        }
        location /media {
            root /usr/local/www/haiwen/seafile-server-latest/seahub;
        }
    }

}

To generate dhparam.pem:

openssl dhparam -out /usr/local/etc/nginx/dhparam.pem 2048

Restart nginx:

service nginx restart

Since I switched from http to https, the Seafile settings must change as well. Stop both services first:

service seafile stop
service seahub stop
ccnet.conf

Change SERVICE_URL in ccnet.conf to the https URL. It can also be changed in the web interface under System Admin → Settings; a value set there takes precedence over the file.

SERVICE_URL = https://seafile.example.com
seahub_settings.py

In seahub_settings.py, add a line setting FILE_SERVER_ROOT to the https URL with the /seafhttp path that nginx proxies to the fileserver. This too can be set in the web interface under System Admin → Settings (the web setting takes precedence).

FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp'
seafile.conf

Update the fileserver configuration: in the [fileserver] section of seafile.conf bind it to the loopback address 127.0.0.1, so uploads and downloads are reachable only through nginx and not directly on port 8082:

[fileserver]
# bind address for fileserver
# default to 0.0.0.0, if deployed without proxy: no access restriction
# set to 127.0.0.1, if used with local proxy: only access by local
host = 127.0.0.1

Start Seafile again:

service seafile start
service seahub start

The TLS setup can be checked at https://www.ssllabs.com
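After the switch to HTTPS the three settings above have to agree with each other: SERVICE_URL in ccnet.conf must be https, FILE_SERVER_ROOT in seahub_settings.py must be that URL plus /seafhttp (the nginx location that proxies to the fileserver), and the fileserver must bind to 127.0.0.1. The following added check (not part of this page or of Seafile) reads the files and reports every mismatch. It checks the files only; a value saved through the web interface overrides the file and is not seen here. The write_sample_conf helper writes constructed sample files for demonstration; for a real check, point check_seafile_https_conf at the conf directory, /usr/local/www/haiwen/conf on this page.

```shell
#!/bin/sh
# Added example, not from the page or the Seafile project: verify that the
# Seafile configuration files agree with the HTTPS reverse-proxy setup.
# Checks files only; settings saved through the web admin UI take precedence
# and live in the database, not in these files.
set -eu

# ini_value FILE SECTION KEY: read a key from an INI-style section
# (ccnet.conf and seafile.conf are INI files with sections such as
# [General] and [fileserver]).
ini_value() {
    sed -n -e "/^\[$2\]/,/^\[/{" \
           -e "s/^[[:space:]]*$3[[:space:]]*=[[:space:]]*//p" \
           -e "}" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# py_value FILE NAME: read NAME = 'value' (or "value") from a Python settings file.
py_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# check_seafile_https_conf DIR: DIR holds ccnet.conf, seahub_settings.py and
# seafile.conf. Prints one line per problem and returns 1 if any was found.
check_seafile_https_conf() {
    rc=0
    service_url=$(ini_value "$1/ccnet.conf" General SERVICE_URL)
    file_server_root=$(py_value "$1/seahub_settings.py" FILE_SERVER_ROOT)
    fileserver_host=$(ini_value "$1/seafile.conf" fileserver host)

    case "$service_url" in
        https://*) ;;
        *) echo "ccnet.conf: SERVICE_URL is '$service_url'; clients would be sent over plain HTTP"; rc=1 ;;
    esac
    # The nginx location /seafhttp proxies to the fileserver, so the root the
    # web UI hands to browsers must be SERVICE_URL + /seafhttp.
    [ "$file_server_root" = "${service_url}/seafhttp" ] \
        || { echo "seahub_settings.py: FILE_SERVER_ROOT is '$file_server_root', expected '${service_url}/seafhttp'"; rc=1; }
    # Behind a local proxy the fileserver must not be reachable directly.
    [ "$fileserver_host" = "127.0.0.1" ] \
        || { echo "seafile.conf: [fileserver] host is '${fileserver_host:-unset (defaults to 0.0.0.0)}', expected 127.0.0.1"; rc=1; }
    return $rc
}

# write_sample_conf DIR weak|fixed: constructed sample files for demonstration,
# modelled on the snippets shown on this page (not copied from a real install).
write_sample_conf() {
    if [ "$2" = fixed ]; then scheme=https; host=127.0.0.1; else scheme=http; host=0.0.0.0; fi
    printf '[General]\nUSER_NAME = sea-klotik\nSERVICE_URL = %s://seafile.example.com\n' "$scheme" > "$1/ccnet.conf"
    printf "FILE_SERVER_ROOT = '%s://seafile.example.com/seafhttp'\n" "$scheme" > "$1/seahub_settings.py"
    printf '[fileserver]\nport = 8082\nhost = %s\n' "$host" > "$1/seafile.conf"
}

# Usage: ./check-seafile-https.sh /usr/local/www/haiwen/conf
case "${1:-}" in
    "") ;;   # no argument: only define the functions
    *)  check_seafile_https_conf "$1" && echo "OK: $1 is consistent with HTTPS behind nginx" ;;
esac
```

The "weak" sample reproduces the state right after the nginx change but before the Seafile files were edited: SERVICE_URL still http and the fileserver still bound to 0.0.0.0. The check exits non-zero and names both problems; the "fixed" sample passes.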

Checking and configuring automatic Certbot renewal

Let's Encrypt certificates are valid for only ninety days, so renewal is best left to a cron job. Before setting that up I test that renewal works:

certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/klotik.ru.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for klotik.ru
http-01 challenge for www.klotik.ru
Using default address 80 for authentication.
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/usr/local/etc/letsencrypt/live/klotik.ru/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/seafile.klotik.ru.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for seafile.klotik.ru
http-01 challenge for www.seafile.klotik.ru
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/usr/local/etc/letsencrypt/live/seafile.klotik.ru/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)
 
Congratulations, all renewals succeeded. The following certs have been renewed:
  /usr/local/etc/letsencrypt/live/klotik.ru/fullchain.pem (success)
  /usr/local/etc/letsencrypt/live/seafile.klotik.ru/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.

If there are no errors, I add this line to /etc/crontab (the sixth field, root, is the user to run as; it exists only in the system crontab, not in a crontab -e entry):

0 0,12 * * * root /usr/local/bin/certbot renew

and append /usr/local/bin to the PATH line of /etc/crontab:

:/usr/local/bin/

With the nginx installer selected, certbot renew reloads nginx itself after a successful renewal (as the dry run reports), so no separate reload hook is needed.

If automatic renewal ever fails, the certificate simply expires; do not rely on Let's Encrypt's expiry-warning e-mails, which it stopped sending in 2025. Watch the expiry date yourself (the ssllabs check above, or openssl s_client against the site) and have the cron job's output mailed to an address that is read.

Links:
https://manual.seafile.com/deploy/using_mysql.html
https://manual.seafile.com/deploy/https_with_nginx.html
https://manual.seafile.com/deploy/deploy_with_apache.html
https://xakep.ru/2014/10/08/own-dropbox
https://books.google.ru/books?id=pKDKCQAAQBAJ&pg=PA121&lpg=PA121&dq=%D0%BE%D1%82%D1%81%D1%83%D1%82%D1%81%D1%82%D0%B2%D1%83%D0%B5%D1%82+setup-seafile.sh&source=bl&ots=bwTpVEDhz9&sig=KlbAcu2hMaHSlfdhwGlUDYLWocY&hl=ru&sa=X&ved=0ahUKEwiO4pmnyZHQAhXE3iwKHSKdCycQ6AEIKTAC#v=onepage&q=%D0%BE%D1%82%D1%81%D1%83%D1%82%D1%81%D1%82%D0%B2%D1%83%D0%B5%D1%82%20setup-seafile.sh&f=false
https://www.freshports.org/net-mgmt/seafile-server
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-letsencrypt-freebsd
https://zen.yandex.ru/media/id/5cd02303ac1ad900b3c6a564/seafile-server-702-dlia-linux-5d0e300bdc3c7c00b0d62ee5
https://www.8host.com/blog/sinxronizaciya-i-sovmestnoe-ispolzovanie-fajlov-s-pomoshhyu-seafile-v-debian-9
https://zaraev.blogspot.com/2015/12/seafile-debian-dropbox.html
https://forum.seafile.com/t/tutorial-for-server-migration-importing-mysql-mariadb-databases-and-seafile-data/132
https://gist.github.com/plentz/6737338
https://myhosti.pro/faq/adminos/web/nginx/pri-vkliuchenii-u-www-domena-oshibka-dhparampem

freebsd/seafile.txt · Last modified: 2020/11/23 21:01 by alex