diff --git a/manual/setup_binary/fail2ban.md b/manual/setup_binary/fail2ban.md deleted file mode 100644 index 2d89adbc..00000000 --- a/manual/setup_binary/fail2ban.md +++ /dev/null 
@@ -1,147 +0,0 @@ -# seafile-authentication-fail2ban - -#### What is fail2ban ? - -Fail2ban is an intrusion prevention software framework which protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper. - -(Definition from wikipedia - https://en.wikipedia.org/wiki/Fail2ban) - -#### Why do I need to install this fail2ban's filter ? - -To protect your seafile website against brute force attemps. Each time a user/computer tries to connect and fails 3 times, a new line will be write in your seafile logs (`seahub.log`). - -Fail2ban will check this log file and will ban all failed authentications with a new rule in your firewall. - -## Installation - -#### Change to right Time Zone in seahub_settings.py - -!!! danger "Without this your Fail2Ban filter will not work" - -You need to add the following settings to seahub_settings.py but change it to your own time zone. -``` - # TimeZone - TIME_ZONE = 'Europe/Stockholm' - -``` - -#### Copy and edit jail.local file - -!!! warning "this file may override some parameters from your `jail.conf` file" - -Edit `jail.local` with : -* ports used by your seafile website (e.g. `http,https`) ; -* logpath (e.g. `/home/yourusername/logs/seahub.log`) ; -* maxretry (default to 3 is equivalent to 9 real attemps in seafile, because one line is written every 3 failed authentications into seafile logs). - -#### Create the file `jail.local` in `/etc/fail2ban` with the following content: - -``` -# All standard jails are in the file configuration located -# /etc/fail2ban/jail.conf - -# Warning you may override any other parameter (e.g. banaction, -# action, port, logpath, etc) in that section within jail.local - -# Change logpath with your file log used by seafile (e.g. 
seahub.log) -# Also you can change the max retry var (3 attemps = 1 line written in the -# seafile log) -# So with this maxrety to 1, the user can try 3 times before his IP is banned - -[seafile] - -enabled = true -port = http,https -filter = seafile-auth -logpath = /home/yourusername/logs/seahub.log -maxretry = 3 -``` - -#### Create the fail2ban filter file `seafile-auth.conf` in `/etc/fail2ban/filter.d` with the following content: - -``` -# Fail2Ban filter for seafile -# - -[INCLUDES] - -# Read common prefixes. If any customizations available -- read them from -# common.local -before = common.conf - -[Definition] - -_daemon = seaf-server - -failregex = Login attempt limit reached.*, ip: - -ignoreregex = - -# DEV Notes: -# -# pattern : 2015-10-20 15:20:32,402 [WARNING] seahub.auth.views:155 login Login attempt limit reached, username: , ip: 1.2.3.4, attemps: 3 -# 2015-10-20 17:04:32,235 [WARNING] seahub.auth.views:163 login Login attempt limit reached, ip: 1.2.3.4, attempts: 3 -``` - - -#### Restart fail2ban - -Finally, just restart fail2ban and check your firewall (iptables for me) : - -``` -sudo fail2ban-client reload -sudo iptables -S -``` - -Fail2ban will create a new chain for this jail. -So you should see these new lines : - -``` -... --N fail2ban-seafile -... --A fail2ban-seafile -j RETURN -``` - -## Tests - -To do a simple test (but you have to be an administrator on your seafile server) go to your seafile webserver URL and try 3 authentications with a wrong password. - -Actually, when you have done that, you are banned from http and https ports in iptables, thanks to fail2ban. - -To check that : - -on fail2ban - -``` -denis@myserver:~$ sudo fail2ban-client status seafile -Status for the jail: seafile -|- filter -| |- File list: /home//logs/seahub.log -| |- Currently failed: 0 -| `- Total failed: 1 -`- action - |- Currently banned: 1 - | `- IP list: 1.2.3.4 - `- Total banned: 1 -``` - -on iptables : - -``` -sudo iptables -S - -... 
--A fail2ban-seafile -s 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable -... -``` - -To unban your IP address, just execute this command : - -``` -sudo fail2ban-client set seafile unbanip 1.2.3.4 -``` - -!!! tip - - As three (3) failed attempts to login will result in one line added in seahub.log a Fail2Ban jail with the settings maxretry = 3 is the same as nine (9) failed attempts to login. diff --git a/manual/setup_binary/https_with_nginx.md b/manual/setup_binary/https_with_nginx.md index ab20d71d..97210e00 100644 --- a/manual/setup_binary/https_with_nginx.md +++ b/manual/setup_binary/https_with_nginx.md 
@@ -25,61 +25,59 @@ The setup proceeds in two steps: First, Nginx is installed. Second, a SSL certif Install Nginx using the package repositories: +=== "Debian/Ubuntu" + ```sh + sudo apt install nginx -y + ``` === "CentOS" ```bash - $ sudo yum install nginx -y - ``` -=== "Debian" - ```sh - $ sudo apt install nginx -y + sudo yum install nginx -y ``` After the installation, start the server and enable it so that Nginx starts at system boot: ```bash -$ sudo systemctl start nginx -$ sudo systemctl enable nginx +sudo systemctl start nginx +sudo systemctl enable nginx ``` ### Preparing Nginx The configuration of a proxy server in Nginx differs slightly between CentOS and Debian/Ubuntu. Additionally, the restrictive default settings of SELinux's configuration on CentOS require a modification. -#### Preparing Nginx on CentOS +=== "Debian/Ubuntu" + Create a configuration file for seafile in `/etc/nginx/sites-available/`: -Switch SELinux into permissive mode and perpetuate the setting: + ```bash + touch /etc/nginx/sites-available/seafile.conf + ``` -``` bash -$ sudo setenforce permissive -$ sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config -``` + Delete the default files in `/etc/nginx/sites-enabled/` and `/etc/nginx/sites-available`: -Create a configuration file for seafile in `/etc/nginx/conf.d`: + ````bash + rm /etc/nginx/sites-enabled/default + rm /etc/nginx/sites-available/default + ```` -```bash -$ touch /etc/nginx/conf.d/seafile.conf -``` + Create a symbolic link: -#### Preparing Nginx on Debian/Ubuntu + ````bash + ln -s /etc/nginx/sites-available/seafile.conf /etc/nginx/sites-enabled/seafile.conf + ```` +=== "CentOS" -Create a configuration file for seafile in `/etc/nginx/sites-available/`: + Switch SELinux into permissive mode and perpetuate the setting: -```bash -$ touch /etc/nginx/sites-available/seafile.conf -``` + ``` bash + sudo setenforce permissive + sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config + ``` -Delete the default files in 
`/etc/nginx/sites-enabled/` and `/etc/nginx/sites-available`: + Create a configuration file for seafile in `/etc/nginx/conf.d`: -````bash -$ rm /etc/nginx/sites-enabled/default -$ rm /etc/nginx/sites-available/default -```` - -Create a symbolic link: - -````bash -$ ln -s /etc/nginx/sites-available/seafile.conf /etc/nginx/sites-enabled/seafile.conf -```` + ```bash + touch /etc/nginx/conf.d/seafile.conf + ``` ### Configuring Nginx @@ -145,8 +143,8 @@ The default value for `client_max_body_size` is 1M. Uploading larger files will Finally, make sure your seafile.conf does not contain syntax errors and restart Nginx for the configuration changes to take effect: ```bash -$ nginx -t -$ nginx -s reload +nginx -t +nginx -s reload ``` @@ -167,7 +165,7 @@ Second, follow the detailed instructions then shown. We recommend that you get just a certificate and that you modify the Nginx configuration yourself: ```bash -$ sudo certbot certonly --nginx +sudo certbot certonly --nginx ``` Follow the instructions on the screen. @@ -177,6 +175,9 @@ Upon successful verification, Certbot saves the certificate files in a directory ### Modifying Nginx configuration file +!!! tip + Normally, your nginx configuration can be automatically managed by a certificate manager (e.g., CertBot) after you install the certificate. If you find that your nginx is already listening on port 443 through the certificate manager after installing the certificate, you can skip this step. + Add an server block for port 443 and a http-to-https redirect to the `seafile.conf` configuration file in `/etc/nginx`. This is a (shortened) sample configuration for the host name seafile.example.com: 
@@ -257,7 +258,8 @@ The `FILE_SERVER_ROOT` in [seahub_settings.py](../config/seahub_settings_py.md) FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp' ``` -Note: The `SERVICE_URL` and `FILE_SERVER_ROOT` can also be modified in Seahub via System Admininstration > Settings. If they are configured via System Admin and in seahub_settings.py, the value in System Admin will take precedence. +!!! tip "More convenient" + The `SERVICE_URL` and `FILE_SERVER_ROOT` can also be modified in Seahub via **System Admininstration** > **Settings**. If they are configured via System Admin and in seahub_settings.py, the value in System Admin will take precedence. ### Modifying seafile.conf (optional) @@ -276,10 +278,10 @@ After his change, the file server only accepts requests from Nginx. Restart the seaf-server and Seahub for the config changes to take effect: ```bash -$ su seafile -$ cd /opt/seafile/seafile-server-latest -$ ./seafile.sh restart -$ ./seahub.sh restart # or "./seahub.sh start-fastcgi" if you're using fastcgi +su seafile +cd /opt/seafile/seafile-server-latest +./seafile.sh restart +./seahub.sh restart # or "./seahub.sh start-fastcgi" if you're using fastcgi ``` ## Additional modern settings for Nginx (optional) @@ -357,7 +359,7 @@ The following sample Nginx configuration file for the host name seafile.example. } location /seafhttp { - rewrite ^/seafhttp(.*)$ $1 break; + rewrite ^/seafhttp(.*)$1 break; proxy_pass http://127.0.0.1:8082; client_max_body_size 0; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
@@ -388,7 +390,7 @@ HSTS instructs web browsers to automatically use HTTPS. That means, after the fi Enable Diffie-Hellman (DH) key-exchange. Generate DH parameters and write them in a .pem file using the following command: ```bash -$ openssl dhparam 2048 > /etc/nginx/dhparam.pem # Generates DH parameter of length 2048 bits +openssl dhparam 2048 > /etc/nginx/dhparam.pem # Generates DH parameter of length 2048 bits ``` The generation of the the DH parameters may take some time depending on the server's processing power. diff --git a/manual/setup_binary/installation_pro.md b/manual/setup_binary/installation_pro.md index a10c6382..68bc4640 100644 --- a/manual/setup_binary/installation_pro.md +++ b/manual/setup_binary/installation_pro.md 
@@ -17,112 +17,73 @@ These instructions assume that MySQL/MariaDB server and client are installed and ### Installing prerequisites -=== "Seafile 9.0.x" - === "Ubuntu 20.04/Debian 10/Ubuntu 18.04" - ``` - apt-get update - apt-get install -y python3 python3-setuptools python3-pip python3-ldap libmysqlclient-dev - apt-get install -y memcached libmemcached-dev - apt-get install -y poppler-utils +!!! tip + The standard directory `/opt/seafile` is assumed for the rest of this manual. If you decide to put Seafile in another directory, some commands need to be modified accordingly - pip3 install --timeout=3600 django==3.2.* future mysqlclient pymysql Pillow pylibmc \ - captcha jinja2 sqlalchemy==1.4.3 psd-tools django-pylibmc django-simple-captcha pycryptodome==3.12.0 cffi==1.14.0 lxml - ``` - === "Centos 8" +=== "Debian 12" + !!! note + Debian 12 and Ubuntu 24.04 are now discouraging system-wide installation of python modules with pip. It is preferred now to install modules into a virtual environment which keeps them separate from the files installed by the system package manager, and enables different versions to be installed for different applications. With these python virtual environments (venv for short) to work, you have to activate the venv to make the packages installed in it available to the programs you run. That is done here with `source python-venv/bin/activate`. 
+ ``` + sudo apt-get update + sudo apt-get install -y python3 python3-dev python3-setuptools python3-pip libmariadb-dev-compat ldap-utils libldap2-dev libsasl2-dev python3.11-venv + sudo apt-get install -y memcached libmemcached-dev - ``` - sudo yum install python3 python3-setuptools python3-pip python3-devel mysql-devel gcc -y - sudo yum install poppler-utils -y + # create the data directory + mkdir /opt/seafile + cd /opt/seafile - sudo pip3 install --timeout=3600 django==3.2.* Pillow==9.4.0 pylibmc captcha jinja2 sqlalchemy==1.4.3 \ - django-pylibmc django-simple-captcha python3-ldap mysqlclient pycryptodome==3.12.0 cffi==1.14.0 lxml - ``` -=== "Seafile 10.0.x" - === "Ubuntu 22.04/Ubuntu 20.04/Debian 11/Debian 10" - ``` - apt-get update - apt-get install -y python3 python3-setuptools python3-pip python3-ldap libmysqlclient-dev - apt-get install -y memcached libmemcached-dev - apt-get install -y poppler-utils + # create the vitual environment in the python-venv directory + python3 -m venv python-venv - sudo pip3 install --timeout=3600 django==3.2.* future==0.18.* mysqlclient==2.1.* \ - pymysql pillow==10.2.* pylibmc captcha==0.5.* markupsafe==2.0.1 jinja2 sqlalchemy==1.4.44 \ - psd-tools django-pylibmc django_simple_captcha==0.5.20 djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.15.1 lxml - ``` -=== "Seafile 11.0.x" - === "Ubuntu 22.04/Ubuntu 20.04/Debian 11/Debian 10" - ``` - # on (on , it is almost the same) - apt-get update - apt-get install -y python3 python3-dev python3-setuptools python3-pip python3-ldap libmysqlclient-dev ldap-utils libldap2-dev dnsutils - apt-get install -y memcached libmemcached-dev - apt-get install -y poppler-utils + # activate the venv + source python-venv/bin/activate + # Notice that this will usually change your prompt so you know the venv is active - sudo pip3 install --timeout=3600 django==4.2.* future==0.18.* mysqlclient==2.1.* \ - pymysql pillow==10.2.* pylibmc captcha==0.5.* markupsafe==2.0.1 jinja2 
sqlalchemy==2.0.18 \ - psd-tools django-pylibmc django_simple_captcha==0.6.* djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.15.1 python-ldap==3.4.3 lxml - ``` - === "Debian 12" - !!! note - Debian 12 and Ubuntu 24.04 are now discouraging system-wide installation of python modules with pip. It is preferred now to install modules into a virtual environment which keeps them separate from the files installed by the system package manager, and enables different versions to be installed for different applications. With these python virtual environments (venv for short) to work, you have to activate the venv to make the packages installed in it available to the programs you run. That is done here with `source python-venv/bin/activate`. - ``` - sudo apt-get update - sudo apt-get install -y python3 python3-dev python3-setuptools python3-pip libmariadb-dev-compat ldap-utils libldap2-dev libsasl2-dev python3.11-venv - sudo apt-get install -y memcached libmemcached-dev + # install packages into the active venv with pip (sudo isn't needed because this is installing in the venv, not system-wide). + pip3 install --timeout=3600 django==4.2.* future==0.18.* mysqlclient==2.1.* pymysql pillow==10.0.* pylibmc captcha==0.4 markupsafe==2.0.1 jinja2 sqlalchemy==2.0.18 psd-tools django-pylibmc django_simple_captcha==0.5.* djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.15.1 lxml python-ldap==3.4.3 + ``` +=== "Ubuntu 24.04" + !!! note + Debian 12 and Ubuntu 24.04 are now discouraging system-wide installation of python modules with pip. It is preferred now to install modules into a virtual environment which keeps them separate from the files installed by the system package manager, and enables different versions to be installed for different applications. With these python virtual environments (venv for short) to work, you have to activate the venv to make the packages installed in it available to the programs you run. 
That is done here with `source python-venv/bin/activate`. - mkdir /opt/seafile - cd /opt/seafile + ``` + # Ubuntu 24.04 + sudo apt-get update + sudo apt-get install -y python3 python3-dev python3-setuptools python3-pip libmysqlclient-dev ldap-utils libldap2-dev python3.12-venv + sudo apt-get install -y memcached libmemcached-dev - # create the vitual environment in the python-venv directory - python3 -m venv python-venv + # create the data directory + mkdir /opt/seafile + cd /opt/seafile - # activate the venv - source python-venv/bin/activate - # Notice that this will usually change your prompt so you know the venv is active + # create the vitual environment in the python-venv directory + python3 -m venv python-venv - # install packages into the active venv with pip (sudo isn't needed because this is installing in the venv, not system-wide). - pip3 install --timeout=3600 django==4.2.* future==0.18.* mysqlclient==2.1.* pymysql pillow==10.0.* pylibmc captcha==0.4 markupsafe==2.0.1 jinja2 sqlalchemy==2.0.18 psd-tools django-pylibmc django_simple_captcha==0.5.* djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.15.1 lxml python-ldap==3.4.3 - ``` - === "Ubuntu 24.04 with virtual env" - !!! note - Debian 12 and Ubuntu 24.04 are now discouraging system-wide installation of python modules with pip. It is preferred now to install modules into a virtual environment which keeps them separate from the files installed by the system package manager, and enables different versions to be installed for different applications. With these python virtual environments (venv for short) to work, you have to activate the venv to make the packages installed in it available to the programs you run. That is done here with `source python-venv/bin/activate`. 
+ # activate the venv + source python-venv/bin/activate + # Notice that this will usually change your prompt so you know the venv is active - ``` - # Ubuntu 24.04 - sudo apt-get update - sudo apt-get install -y python3 python3-dev python3-setuptools python3-pip libmysqlclient-dev ldap-utils libldap2-dev python3.12-venv - sudo apt-get install -y memcached libmemcached-dev + # install packages into the active venv with pip (sudo isn't needed because this is installing in the venv, not system-wide). + pip3 install --timeout=3600 django==4.2.* future==0.18.* mysqlclient==2.1.* \ + pymysql pillow==10.2.* pylibmc captcha==0.5.* markupsafe==2.0.1 jinja2 sqlalchemy==2.0.18 \ + psd-tools django-pylibmc django_simple_captcha==0.6.* djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.16.0 lxml python-ldap==3.4.3 + ``` +=== "Ubuntu 22.04/Ubuntu 20.04/Debian 11/Debian 10" + ``` + # on (on , it is almost the same) + apt-get update + apt-get install -y python3 python3-dev python3-setuptools python3-pip python3-ldap libmysqlclient-dev ldap-utils libldap2-dev dnsutils + apt-get install -y memcached libmemcached-dev + apt-get install -y poppler-utils - mkdir /opt/seafile - cd /opt/seafile + # create the data directory + mkdir /opt/seafile + cd /opt/seafile - # create the vitual environment in the python-venv directory - python3 -m venv python-venv - - # activate the venv - source python-venv/bin/activate - # Notice that this will usually change your prompt so you know the venv is active - - # install packages into the active venv with pip (sudo isn't needed because this is installing in the venv, not system-wide). 
- pip3 install --timeout=3600 django==4.2.* future==0.18.* mysqlclient==2.1.* \ - pymysql pillow==10.2.* pylibmc captcha==0.5.* markupsafe==2.0.1 jinja2 sqlalchemy==2.0.18 \ - psd-tools django-pylibmc django_simple_captcha==0.6.* djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.16.0 lxml python-ldap==3.4.3 - ``` - -### Installing Java Runtime Environment - -Java Runtime Environment (JRE) is no longer needed in Seafile version 12.0. - -### Creating the programm directory - -The standard directory for Seafile's program files is `/opt/seafile`. Create this directory and change into it: - -``` -mkdir /opt/seafile -cd /opt/seafile -``` - -The program directory can be changed. The standard directory `/opt/seafile` is assumed for the rest of this manual. If you decide to put Seafile in another directory, some commands need to be modified accordingly. + sudo pip3 install --timeout=3600 django==4.2.* future==0.18.* mysqlclient==2.1.* \ + pymysql pillow==10.2.* pylibmc captcha==0.5.* markupsafe==2.0.1 jinja2 sqlalchemy==2.0.18 \ + psd-tools django-pylibmc django_simple_captcha==0.6.* djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.15.1 python-ldap==3.4.3 lxml + ``` ### Creating user seafile 
@@ -156,9 +117,9 @@ Save the license file in Seafile's programm directory `/opt/seafile`. Make sure The install packages for Seafile PE are available for download in the the [Seafile Customer Center](https://customer.seafile.com). To access the Customer Center, a user account is necessary. The registration is free. -Beginning with Seafile PE 7.0.17, the Seafile Customer Center provides two install packages for every version (using Seafile PE 8.0.4 as an example): +Beginning with Seafile PE 7.0.17, the Seafile Customer Center provides two install packages for every version (using Seafile PE 12.0.6 as an example): -* _seafile-pro-server_8.0.4_x86-64_Ubuntu.tar.gz_, compiled in Ubuntu environment +* _seafile-pro-server_12.0.6_x86-64_Ubuntu.tar.gz_, compiled in Ubuntu environment The former is suitable for installation on Ubuntu/Debian servers, the latter for CentOS servers. @@ -170,7 +131,7 @@ Download the install package using wget (replace the x.x.x with the version you wget -O 'seafile-pro-server_x.x.x_x86-64_Ubuntu.tar.gz' 'VERSION_SPECIFIC_LINK_FROM_SEAFILE_CUSTOMER_CENTER' ``` -We use Seafile version 8.0.4 as an example in the remainder of these instructions. +We use Seafile version 12.0.6 as an example in the remainder of these instructions. ### Uncompressing the package @@ -180,7 +141,7 @@ Uncompress the package using tar: ``` # Debian/Ubuntu -tar xf seafile-pro-server_8.0.4_x86-64_Ubuntu.tar.gz +tar xf seafile-pro-server_12.0.6_x86-64_Ubuntu.tar.gz ``` Now you have: 
@@ -189,15 +150,21 @@ Now you have: $ tree -L 2 /opt/seafile . ├── seafile-license.txt -└── seafile-pro-server-8.0.4 -│   ├── check-db-type.py +├── python-venv # this section only exists in Debian 12 and Ubuntu 24.04 +│   ├── bin +│   ├── include +│   ├── lib +│   ├── lib64 -> lib +│   └── pyvenv.cfg +├── seafile-pro-server-12.0.6 │   ├── check_init_admin.py -│   ├── create-db │   ├── index_op.py -│   ├── migrate.py │   ├── migrate-repo.py │   ├── migrate-repo.sh +│   ├── migrate.py │   ├── migrate.sh +│   ├── migrate_ldapusers.py +│   ├── parse_seahub_db.py │   ├── pro │   ├── remove-objs.py │   ├── remove-objs.sh 
@@ -211,64 +178,147 @@ $ tree -L 2 /opt/seafile │   ├── seaf-fsck.sh │   ├── seaf-fuse.sh │   ├── seaf-gc.sh -│   ├── seaf-gen-key.sh +│   ├── seaf-import.sh │   ├── seafile │   ├── seafile-background-tasks.sh +│   ├── seafile-monitor.sh │   ├── seafile.sh -│   ├── seaf-import.sh │   ├── seahub -│   ├── seahub-extra │   ├── seahub.sh │   ├── setup-seafile-mysql.py │   ├── setup-seafile-mysql.sh │   ├── setup-seafile.sh │   ├── sql │   └── upgrade -└── seafile-pro-server_8.0.4_x86-64.tar.gz +└── seafile-pro-server_12.0.6_x86-64_Ubuntu.tar.gz ``` !!! tip - The names of the install packages differ for Seafile CE and Seafile PE. Using Seafile CE and Seafile PE 8.0.4 as an example, the names are as follows: + The names of the install packages differ for Seafile CE and Seafile PE. Using Seafile CE and Seafile PE 12.0.6 as an example, the names are as follows: - * Seafile CE: `seafile-server_8.0.4_x86-86.tar.gz`; uncompressing into folder `seafile-server-8.0.4` - * Seafile PE: `seafile-pro-server_8.0.4_x86-86.tar.gz`; uncompressing into folder `seafile-pro-server-8.0.4` + * Seafile CE: `seafile-server_12.0.6_x86-86.tar.gz`; uncompressing into folder `seafile-server-12.0.6` + * Seafile PE: `seafile-pro-server_12.0.6_x86-86.tar.gz`; uncompressing into folder `seafile-pro-server-12.0.6` -### Run the setup script +### Setting up Seafile Pro -The setup process of Seafile PE is the same as the Seafile CE. See [Installation of Seafile Server Community Edition with MySQL/MariaDB](./installation_ce.md). +The install package comes with a script that sets Seafile up for you. Specifically, the script creates the required directories and extracts all files in the right place. It can also create a MySQL user and the three databases that [Seafile's components](../introduction/components.md) require: -After the successful completition of the setup script, the directory layout of Seafile PE looks as follows (some folders only get created after the first start, e.g. 
`logs`): +* ccnet server +* seafile server +* seahub -**For Seafile 7.1.x and later** +!!! note "While ccnet server was merged into the seafile-server in Seafile 8.0, the corresponding database is still required for the time being" + +Run the script as user seafile: + +!!! note + For installations using python virtual environment, activate it if it isn't already active + + ```sh + source python-venv/bin/activate + ``` ``` -$ tree -L 2 /opt/seafile -. -├── seafile-license.txt # license file -├── ccnet -├── conf # configuration files -│ └── ccnet.conf -│ └── gunicorn.conf.py -│ └── __pycache__ -│ └── seafdav.conf -│ └── seafevents.conf -│ └── seafile.conf -│ └── seahub_settings.py -├── logs # log files -├── pids # process id files -├── pro-data # data specific for Seafile PE -├── seafile-data # object database -├── seafile-pro-server-8.0.4 -│   ├── check-db-type.py +cd seafile-pro-server-12.0.6 +./setup-seafile-mysql.sh + +``` + +Configure your Seafile Server by specifying the following three parameters: + +| Option | Description | Note | +| --------------------- | ---------------------------------------------------- | ------------------------------------------------------------ | +| server name | Name of the Seafile Server | 3-15 characters, only English letters, digits and underscore ('\_') are allowed | +| server's ip or domain | IP address or domain name used by the Seafile Server | Seafile client program will access the server using this address | +| fileserver port | TCP port used by the Seafile fileserver | Default port is 8082, it is recommended to use this port and to only change it if is used by other service | + + + +In the next step, choose whether to create new databases for Seafile or to use existing databases. The creation of new databases requires the root password for the SQL server. + +![grafik](../images/seafile-setup-database.png) + +!!! 
note + If you don't have the root password, you need someone who has the privileges, e.g., the database admin, to create the three databases required by Seafile, as well as a MySQL user who can access the databases. For example, to create three databases `ccnet_db` / `seafile_db` / `seahub_db` for ccnet/seafile/seahub respectively, and a MySQL user "seafile" to access these databases run the following SQL queries: + + ``` + create database `ccnet_db` character set = 'utf8'; + create database `seafile_db` character set = 'utf8'; + create database `seahub_db` character set = 'utf8'; + + create user 'seafile'@'localhost' identified by 'seafile'; + + GRANT ALL PRIVILEGES ON `ccnet_db`.* to `seafile`@localhost; + GRANT ALL PRIVILEGES ON `seafile_db`.* to `seafile`@localhost; + GRANT ALL PRIVILEGES ON `seahub_db`.* to `seafile`@localhost; + + ``` + +=== "\[1] Create new ccnet/seafile/seahub databases" + The script creates these databases and a MySQL user that Seafile Server will use to access them. 
To this effect, you need to answer these questions: + + | Question | Description | Note | + | ------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | + | mysql server host | Host address of the MySQL server | Default is localhost | + | mysql server port | TCP port used by the MySQL server | Default port is 3306; almost every MySQL server uses this port | + | mysql root password | Password of the MySQL root account | The root password is required to create new databases and a MySQL user | + | mysql user for Seafile | MySQL user created by the script, used by Seafile's components to access the databases | Default is seafile; the user is created unless it exists | + | mysql password for Seafile user | Password for the user above, written in Seafile's config files | Percent sign ('%') is not allowed | + | database name | Name of the database used by ccnet | Default is "ccnet_db", the database is created if it does not exist | + | seafile database name | Name of the database used by Seafile | Default is "seafile_db", the database is created if it does not exist | + | seahub database name | Name of the database used by seahub | Default is "seahub_db", the database is created if it does not exist | + +=== "\[2] Use existing ccnet/seafile/seahub databases" + The prompts you need to answer: + + | Question | Description | Note | + | ------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | + | mysql server host | Host address of the MySQL server | Default is localhost | + | mysql server port | TCP port used by MySQL server | Default port is 3306; almost every MySQL server uses this port | + | mysql user for Seafile | User used by Seafile's components to access the databases | The user must exists | + | mysql password for Seafile user | Password for the user above | | + | 
ccnet database name | Name of the database used by ccnet, default is "ccnet_db" | The database must exist | + | seafile database name | Name of the database used by Seafile, default is "seafile_db" | The database must exist | + | seahub dabase name | Name of the database used by Seahub, default is "seahub_db" | The database must exist | + +If the setup is successful, you see the following output: + +![grafik](../images/seafile-setup-output.png) + +The directory layout then looks as follows: + +``` +/opt/seafile +├── seafile-license.txt +├── ccnet +├── conf +│   ├── gunicorn.conf.py +│   ├── seafdav.conf +│   ├── seafevents.conf +│   ├── seafile.conf +│   └── seahub_settings.py +├── pro-data +├── python-venv +│   ├── bin +│   ├── include +│   ├── lib +│   ├── lib64 -> lib +│   └── pyvenv.cfg +├── seafile-data +│   └── library-template +├── seafile-pro-server-12.0.6 │   ├── check_init_admin.py -│   ├── create-db │   ├── index_op.py -│   ├── migrate.py │   ├── migrate-repo.py │   ├── migrate-repo.sh +│   ├── migrate.py │   ├── migrate.sh +│   ├── migrate_ldapusers.py +│   ├── parse_seahub_db.py │   ├── pro +│   ├── remove-objs.py +│   ├── remove-objs.sh │   ├── reset-admin.sh │   ├── run_index_master.sh │   ├── run_index_worker.sh 
@@ -279,24 +329,26 @@ $ tree -L 2 /opt/seafile │   ├── seaf-fsck.sh │   ├── seaf-fuse.sh │   ├── seaf-gc.sh -│   ├── seaf-gen-key.sh +│   ├── seaf-import.sh │   ├── seafile │   ├── seafile-background-tasks.sh +│   ├── seafile-monitor.sh │   ├── seafile.sh -│   ├── seaf-import.sh │   ├── seahub -│   ├── seahub-extra │   ├── seahub.sh │   ├── setup-seafile-mysql.py │   ├── setup-seafile-mysql.sh │   ├── setup-seafile.sh │   ├── sql │   └── upgrade -├── seafile-server-latest -> seafile-pro-server-8.0.4 -├── seahub-data - └── avatars # user avatars +├── seafile-pro-server_12.0.6_x86-64_Ubuntu.tar.gz +├── seafile-server-latest -> seafile-pro-server-12.0.6 +└── seahub-data + └── avatars ``` +The folder `seafile-server-latest` is a symbolic link to the current Seafile Server folder. When later you upgrade to a new version, the upgrade scripts update this link to point to the latest Seafile Server folder. + ### Setup Memory Cache Memory cache is mandatory for pro edition. You may use Memcached or Reids as cache server. 
@@ -334,29 +386,70 @@ Memory cache is mandatory for pro edition. You may use Memcached or Reids as cac 2. refer to [Django's documentation about using Redis cache](https://docs.djangoproject.com/en/4.2/topics/cache/#redis) to add Redis configurations to `seahub_settings.py`. -### Enabling HTTP/HTTPS +### Enabling HTTP/HTTPS (Optional but Recommended) You need at least setup HTTP to make Seafile's web interface work. This manual provides instructions for enabling HTTP/HTTPS for the two most popular web servers and reverse proxies: * [Nginx](./https_with_nginx.md) * [Apache](./https_with_apache.md) +### Create the `.env` file in conf/ directory + +!!! tip + `JWT_PRIVATE_KEY`, A random string with a length of no less than 32 characters can be generated from: + ```sh + pwgen -s 40 1 + ``` + +```sh +nano /opt/seafile/conf/.env +``` + +```env +JWT_PRIVATE_KEY= +SEAFILE_SERVER_PROTOCOL=https +SEAFILE_SERVER_HOSTNAME=seafile.example.com +SEAFILE_MYSQL_DB_HOST= +SEAFILE_MYSQL_DB_PORT=3306 +SEAFILE_MYSQL_DB_USER=seafile +SEAFILE_MYSQL_DB_PASSWORD= +SEAFILE_MYSQL_DB_CCNET_DB_NAME=ccnet_db +SEAFILE_MYSQL_DB_SEAFILE_DB_NAME=seafile_db +SEAFILE_MYSQL_DB_SEAHUB_DB_NAME=seahub_db +``` + ## Starting Seafile Server Run the following commands in `/opt/seafile/seafile-server-latest`: -``` -# For installations using python virtual environment, activate it if it isn't already active -source python-venv/bin/activate +!!! note + For installations using python virtual environment, activate it if it isn't already active + ```sh + source python-venv/bin/activate + ``` + +``` +su seafile ./seafile.sh start # Start Seafile service ./seahub.sh start # Start seahub website, port defaults to 127.0.0.1:8000 ``` !!! success - The first time you start Seahub, the script prompts you to create an admin account for your Seafile Server. Enter the email address of the admin user followed by the password. 
+ The first time you start Seahub, the script prompts you to create an admin account for your Seafile Server. Enter the email address of the admin user followed by the password, i.e.: -Now you can access Seafile via the web interface at the host address (e.g., http://1.2.3.4:80). + ``` + What is the email for the admin account? + [ admin email ] + + What is the password for the admin account? + [ admin password ] + + Enter the password again: + [ admin password again ] + ``` + +Now you can access Seafile via the web interface at the host address (e.g., https://seafile.example.com). ## Enabling full text search @@ -370,12 +463,12 @@ Our recommendation for deploying ElasticSearch is using Docker. Detailed informa Seafile PE 9.0 only supports ElasticSearch 7.x. Seafile PE 10.0, 11.0, 12.0 only supports ElasticSearch 8.x. -We use ElasticSearch version 7.16.2 as an example in this section. Version 7.16.2 and newer version have been successfully tested with Seafile. +We use ElasticSearch version 8.15.0 as an example in this section. Version 8.15.0 and newer version have been successfully tested with Seafile. Pull the Docker image: ``` -sudo docker pull elasticsearch:7.16.2 +sudo docker pull elasticsearch:8.15.0 ``` Create a folder for persistent data created by ElasticSearch and change its permission: @@ -413,15 +506,13 @@ Add the following configuration to `seafevents.conf`: ``` [INDEX FILES] -es_host = your elasticsearch server's IP # IP address of ElasticSearch host - # use 127.0.0.1 if deployed on the same server -es_port = 9200 # port of ElasticSearch host -interval = 10m # frequency of index updates in minutes -highlight = fvh # parameter for improving the search performance +es_host = # IP address of ElasticSearch host +es_port = 9200 # port of ElasticSearch host ``` Finally, restart Seafile: ``` +su seafile ./seafile.sh restart && ./seahub.sh restart ``` diff --git a/mkdocs.yml b/mkdocs.yml index 4228745d..3c3113ed 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -122,7 +122,6 @@ nav: - Other deployment notes: - Start Seafile at System Bootup: setup_binary/start_seafile_at_system_bootup.md - Logrotate: setup_binary/using_logrotate.md - - Config fail2ban: setup_binary/fail2ban.md - Migrate From SQLite to MySQL: setup_binary/migrate_from_sqlite_to_mysql.md - Extensions: - Extra Seafile components:
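Review bot: In the `@@ -279,24 +329,26 @@` hunk, the added sentence "When later you upgrade to a new version" reads awkwardly; suggest "When you later upgrade to a new version, the upgrade scripts repoint this link to the new Seafile Server folder." The trailing context line of the same hunk also carries a typo worth fixing while this section is open: "Memcached or Reids" should be "Memcached or Redis".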
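Review bot: In the `@@ -334,29 +386,70 @@` hunk, the new "Create the `.env` file" section has the reader write `JWT_PRIVATE_KEY` and `SEAFILE_MYSQL_DB_PASSWORD` in plain text with `nano /opt/seafile/conf/.env`, but never says who should own the file or what mode it should have. Suggest adding a step right after the `env` block that restricts the file to the account that runs Seafile, for example `chown seafile: /opt/seafile/conf/.env` followed by `chmod 600 /opt/seafile/conf/.env`, and stating that the file must not be committed or included in world-readable backups. The tip text would read better as "`JWT_PRIVATE_KEY`: a random string of at least 32 characters, which can be generated with:". Separately, the heading now says "(Optional but Recommended)" while the unchanged sentence below it still says "You need at least setup HTTP to make Seafile's web interface work", and the example `.env` and final URL both assume `https`; the heading and the body should agree on whether this step can be skipped.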
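Review bot: In the `@@ -370,12 +463,12 @@` hunk, the example image moves to `elasticsearch:8.15.0` while the unchanged context line directly above still states that Seafile PE 9.0 only supports ElasticSearch 7.x, so a 9.0 reader who copies the `docker pull` line gets a version the page itself calls unsupported. Suggest qualifying the sentence, for example "We use ElasticSearch 8.15.0 (for Seafile PE 10.0 and later) as an example in this section", or adding a short note telling 9.0 users to substitute a 7.x tag. Minor grammar in the same added line: "newer version have" should be "newer versions have".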
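Review bot: In the `@@ -413,15 +506,13 @@` hunk, `su seafile` is added on its own line directly above `./seafile.sh restart && ./seahub.sh restart` in the same code block (the "Starting Seafile Server" block in the earlier hunk does the same). Pasted as a unit or run from a script, `su seafile` opens an interactive shell and the following line only runs after that shell exits, as the original user, which is the opposite of the intent. Suggest making the user switch its own step with a sentence of explanation, or showing a single command such as `sudo -u seafile ./seafile.sh restart`. The placement of the virtual-environment note also leaves it unclear whether `source python-venv/bin/activate` is meant to run before or after switching user. In the same hunk, `es_host =` is now blank and the "use 127.0.0.1 if deployed on the same server" hint is gone; a placeholder value or the restored hint would stop readers from saving an empty setting, and the removal of `interval` and `highlight` deserves a line in the commit message or docs saying whether they are now defaults or no longer supported.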
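Review bot: In the `mkdocs.yml` hunk, the `Config fail2ban: setup_binary/fail2ban.md` nav entry is removed without a replacement entry and without a stated reason. Please confirm that no remaining page links to `setup_binary/fail2ban.md`, since those links would now break, and say in the commit message or in "Other deployment notes" where readers should look for guidance on limiting failed login attempts now that this page is gone.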