diff --git a/manual/deploy/https_with_apache.md b/manual/deploy/https_with_apache.md index 51be2aca..43c05901 100644 --- a/manual/deploy/https_with_apache.md +++ b/manual/deploy/https_with_apache.md @@ -1,63 +1,119 @@ -# Enabling Https with Apache +# Enabling HTTPS with Apache -Here we suggest you use [Let’s Encrypt](https://letsencrypt.org/getting-started/) to get a certificate from a Certificate Authority (CA). If you use a paid ssl certificate from some authority, just skip the first step. +After completing the installation of [Seafile Server Community Edition](../deploy/using_mysql/) and [Seafile Server Professional Edition](https://manual.seafile.com/deploy_pro/download_and_setup_seafile_professional_server/), communication between the Seafile server and clients runs over (unencrypted) HTTP. While HTTP is ok for testing purposes, switching to HTTPS is imperative for production use. -### Generate SSL certificate +HTTPS requires a SSL certificate from a Certificate Authority (CA). Unless you already have a SSL certificate, we recommend that you get your SSL certificate from [Let’s Encrypt](https://letsencrypt.org/) using Certbot. If you have a SSL certificate from another CA, skip the section "Getting a Let's Encrypt certificate". -For users who use Let’s Encrypt, you can obtain a valid certificate via [Certbot ACME client](https://certbot.eff.org/) +A second requirement is a reverse proxy supporting SSL. [Apache](https://httpd.apache.org/), a popular web server and reverse proxy, is a good option. The full documentation of Apache is available at https://httpd.apache.org/docs/. -On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you'll need to do is apt-get the following packages. +The recommended reverse proxy is Nginx. You find instructions for [enabling HTTPS with Nginx here](../deploy/deploy_with_nginx). + +## Setup + +The setup of Seafile using Apache as a reverse proxy with HTTPS is demonstrated using the sample host name `seafile.example.com`. + +This manual assumes the following requirements: + +* Seafile Server Community Edition/Professional Edition was set up according to the instructions in this manual +* A host name points at the IP address of the server and the server is available on port 80 and 443 + +If your setup differs from thes requirements, adjust the following instructions accordingly. + +The setup proceeds in two steps: First, Apache is installed. Second, a SSL certificate is integrated in the Apache configuration. + +### Installing Apache + +Install and enable apache modules: ```bash -sudo apt-get update -sudo apt-get install software-properties-common -sudo add-apt-repository ppa:certbot/certbot -sudo apt-get update -sudo apt-get install python-certbot-apache +# Ubuntu +$ sudo a2enmod rewrite +$ sudo a2enmod proxy_http ``` -Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs: +**Important: Due to the [security advisory](https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/) published by Django team, we recommend to disable [GZip compression](http://httpd.apache.org/docs/2.2/mod/mod_deflate.html) to mitigate [BREACH attack](http://breachattack.com/). No version earlier than Apache 2.4 should be used.** -```bash -sudo certbot --apache +### Configuring Apache + +Modify Apache config file. For CentOS, this is `vhost.conf.` For Debian/Ubuntu, this is `sites-enabled/000-default`. + +```apache + + ServerName seafile.example.com + # Use "DocumentRoot /var/www/html" for CentOS + # Use "DocumentRoot /var/www" for Debian/Ubuntu + DocumentRoot /var/www + Alias /media /opt/seafile/seafile-server-latest/seahub/media + + AllowEncodedSlashes On + + RewriteEngine On + + + Require all granted + + + # + # seafile fileserver + # + ProxyPass /seafhttp http://127.0.0.1:8082 + ProxyPassReverse /seafhttp http://127.0.0.1:8082 + RewriteRule ^/seafhttp - [QSA,L] + + # + # seahub + # + SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 + ProxyPreserveHost On + ProxyPass / http://127.0.0.1:8000/ + ProxyPassReverse / http://127.0.0.1:8000/ + ``` -Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand: +### Getting a Let's Encrypt certificate + +Getting a Let's Encrypt certificate is straightforward thanks to [Certbot](https://certbot.eff.org/). Certbot is a free, open source software tool for requesting, receiving, and renewing Let's Encrypt certificates. + +First, go to the [Certbot](https://certbot.eff.org/) website and choose your web server and OS. + +![grafik](../images/certbot.png) + +Second, follow the detailed instructions then shown. + +![grafik](../images/certbot-step2.png) + + + +We recommend that you get just a certificate and that you modify the Apache configuration yourself: ```bash sudo certbot --apache certonly ``` -To learn more about how to use Certbot you can read threir [documentation](https://certbot.eff.org/docs/). +Follow the instructions on the screen. -> If you're using a custom CA to sign your SSL certificate, you have to enable certificate revocation list (CRL) in your certificate. Otherwise http syncing on Windows client may not work. See [this thread](https://forum.seafile-server.org/t/https-syncing-on-windows-machine-using-custom-ca/898) for more information. +Upon successful verification, Certbot saves the certificate files in a directory named after the host name in ```/etc/letsencrypt/live```. For the host name seafile.example.com, the files are stored in `/etc/letsencrypt/live/seafile.example.com`. -## Enable https on Seahub +### Adjusting Apache configuration -Assume you have configured Apache as [Deploy Seafile with -Apache](deploy_with_apache.md). To use https, you need to enable mod_ssl +To use HTTPS, you need to enable mod_ssl: ```bash - sudo a2enmod ssl -``` - -On Windows, you have to add ssl module to httpd.conf -```apache -LoadModule ssl_module modules/mod_ssl.so +$ sudo a2enmod ssl ``` Then modify your Apache configuration file. Here is a sample: ```apache - ServerName www.myseafile.com + ServerName seafile.example.com DocumentRoot /var/www SSLEngine On - SSLCertificateFile /path/to/cacert.pem - SSLCertificateKeyFile /path/to/privkey.pem + SSLCertificateFile /etc/letsencrypt/live/seafile.example.com/fullchain.pem; # Path to your fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/seafile.example.com/privkey.pem; # Path to your privkey.pem - Alias /media /home/user/haiwen/seafile-server-latest/seahub/media + Alias /media /opt/seafile/seafile-server-latest/seahub/media Require all granted @@ -82,27 +138,62 @@ Then modify your Apache configuration file. Here is a sample: ``` -## Modify settings to use https - -### ccnet conf - -Since you change from http to https, you need to modify the value of "SERVICE_URL" in [ccnet.conf](../config/ccnet-conf.md). You can also modify SERVICE_URL via web UI in "System Admin->Settings". (**Warning**: if you set the value both via Web UI and ccnet.conf, the setting via Web UI will take precedence.) - -```python -SERVICE_URL = https://www.myseafile.com -``` - -### seahub_settings.py - -You need to add a line in seahub_settings.py to set the value of `FILE_SERVER_ROOT`. You can also modify `FILE_SERVER_ROOT` via web UI in "System Admin->Settings". (**Warning**: if you set the value both via Web UI and seahub_settings.py, the setting via Web UI will take precedence.) - -```python -FILE_SERVER_ROOT = 'https://www.myseafile.com/seafhttp' -``` - -## Start Seafile and Seahub +Finally, make sure the virtual host file does not contain syntax errors and restart Apache for the configuration changes to take effect: ```bash -./seafile.sh start -./seahub.sh start +sudo service apache2 restart ``` + +### Modifying ccnet.conf + +The `SERVICE_URL` in [ccnet.conf](../config/ccnet-conf.md) informs Seafile about the chosen domain, protocol and port. Change the `SERVICE_URL`so as to account for the switch from HTTP to HTTPS and to correspond to your host name (the `http://`must not be removed): + +```ini +SERVICE_URL = https://seafile.example.com +``` + +Note: The`SERVICE_URL` can also be modified in Seahub via System Admininstration > Settings. If `SERVICE_URL` is configured via System Admin and in ccnet.conf, the value in System Admin will take precedence. + +### Modifying seahub_settings.py + +The `FILE_SERVER_ROOT` in [seahub_settings.py](../config/seahub_settings_py/) informs Seafile about the location of and the protocol used by the file server. Change the `FILE_SERVER_ROOT`so as to account for the switch from HTTP to HTTPS and to correspond to your host name (the trailing `/seafhttp` must not be removed): + +```python +FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp' +``` + +Note: The`FILE_SERVER_ROOT` can also be modified in Seahub via System Admininstration > Settings. If `FILE_SERVER_ROOT` is configured via System Admin and in seahub_settings.py, the value in System Admin will take precedence. + +### Modifying seafile.conf (optional) + +To improve security, the file server should only be accessible via Apache. + +Add the following line in the [fileserver] block on `seafile.conf` in `/opt/seafile/conf`: + +```ini +host = 127.0.0.1 ## default port 0.0.0.0 +``` + +After his change, the file server only accepts requests from Apache. + +### Starting Seafile and Seahub + +Restart the seaf-server and Seahub for the config changes to take effect: + +```bash +$ su seafile +$ cd /opt/seafile/seafile-server-latest +$ ./seafile.sh restart +$ ./seahub.sh restart +``` + +## Troubleshooting + +If there are problems with paths or files containing spaces, make sure to have at least Apache 2.4.12. + +References + + * https://github.com/haiwen/seafile/issues/1258#issuecomment-188866740 + * https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1284641 + * https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1284641/comments/5 + * https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.12/CHANGES?view=markup#l45 diff --git a/manual/deploy/https_with_nginx.md b/manual/deploy/https_with_nginx.md index 2f3fc7d4..b37c92c2 100644 --- a/manual/deploy/https_with_nginx.md +++ b/manual/deploy/https_with_nginx.md @@ -1,22 +1,182 @@ -# Enabling Https with Nginx +# Enabling HTTPS with Nginx -When using HTTPS, traffic from and to Seafile Server is encrypted. HTTPS requires a SSL certificate from a Certificate Authority (CA). +After completing the installation of [Seafile Server Community Edition](../deploy/using_mysql/) and [Seafile Server Professional Edition](https://manual.seafile.com/deploy_pro/download_and_setup_seafile_professional_server/), communication between the Seafile server and clients runs over (unencrypted) HTTP. While HTTP is ok for testing purposes, switching to HTTPS is imperative for production use. -For production use, HTTPS is imperative. +HTTPS requires a SSL certificate from a Certificate Authority (CA). Unless you already have a SSL certificate, we recommend that you get your SSL certificate from [Let’s Encrypt](https://letsencrypt.org/) using Certbot. If you have a SSL certificate from another CA, skip the section "Getting a Let's Encrypt certificate". -Unless you already have a SSL certificate, we recommend that you get your SSL certificate from [Let’s Encrypt](https://letsencrypt.org/). If you have a SSL certificate from another CA, skip the section "Getting a Let's Encrypt certificate". +A second requirement is a reverse proxy supporting SSL. [Nginx](http://nginx.org/), a popular and resource-friendly web server and reverse proxy, is a good option. Nginx's documentation is available at http://nginx.org/en/docs/. + +If you prefer Apache, you find instructions for [enabling HTTPS with Apache here](../deploy/deploy_with_apache/). ## Setup -The configuration of Seafile behind Nginx as a reverse proxy is demonstrated using the sample host name `seafile.example.com`. +The setup of Seafile using Nginx as a reverse proxy with HTTPS is demonstrated using the sample host name `seafile.example.com`. -These instructions assume the following requirements: +This manual assumes the following requirements: -* Seafile Server Community Edition/Professional Edition and [Nginx](deploy_with_nginx.md) were set up according to the instructions in this manual +* Seafile Server Community Edition/Professional Edition was set up according to the instructions in this manual * A host name points at the IP address of the server and the server is available on port 80 and 443 If your setup differs from thes requirements, adjust the following instructions accordingly. +The setup proceeds in two steps: First, Nginx is installed. Second, a SSL certificate is integrated in the Nginx configuration. + +### Installing Nginx + +Install Nginx using the package repositories: + +```bash +# CentOS +$ sudo yum install nginx -y + +# Debian/Ubuntu +$ sudo apt install nginx -y +``` + +After the installation, start the server and enable it so that Nginx starts at system boot: + +```bash +# CentOS/Debian/Ubuntu +$ sudo systemctl start nginx +$ sudo systemctl enable nginx +``` + +### Preparing Nginx + +The configuration of a proxy server in Nginx differs slightly between CentOS and Debian/Ubuntu. Additionally, the restrictive default settings of SELinux's configuration on CentOS require a modification. + +#### Preparing Nginx on CentOS + +Switch SELinux into permissive mode and perpetuate the setting: + +``` bash +$ sudo setenforce permissive +$ sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config +``` + +Create a configuration file for seafile in `/etc/nginx/conf.d`: + +```bash +$ touch /etc/nginx/conf.d/seafile.conf +``` + +#### Preparing Nginx on Debian/Ubuntu + +Create a configuration file for seafile in `/etc/nginx/sites-available/`: + +```bash +$ touch /etc/nginx/sites-available/seafile.conf +``` + +Delete the default files in `/etc/nginx/sites-enabled/` and `/etc/nginx/sites-available`: + +````bash +$ rm /etc/nginx/sites-enabled/default +$ rm /etc/nginx/sites-available/default +```` + +Create a symbolic link: + +````bash +$ ln -s /etc/nginx/sites-available/seafile.conf /etc/nginx/sites-enabled/seafile.conf +```` + +### Configuring Nginx + +Copy the following sample Nginx config file into the just created `seafile.conf` and modify the content to fit your needs: + +```nginx +log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time'; + +server { + listen 80; + server_name seafile.example.com; + + proxy_set_header X-Forwarded-For $remote_addr; + + location / { + proxy_pass http://127.0.0.1:8000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_read_timeout 1200s; + + # used for view/edit office file via Office Online Server + client_max_body_size 0; + + access_log /var/log/nginx/seahub.access.log seafileformat; + error_log /var/log/nginx/seahub.error.log; + } + +# If you are using [FastCGI](http://en.wikipedia.org/wiki/FastCGI), +# which is not recommended, you should use the following config for location `/`. +# +# location / { +# fastcgi_pass 127.0.0.1:8000; +# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +# fastcgi_param PATH_INFO $fastcgi_script_name; +# +# fastcgi_param SERVER_PROTOCOL $server_protocol; +# fastcgi_param QUERY_STRING $query_string; +# fastcgi_param REQUEST_METHOD $request_method; +# fastcgi_param CONTENT_TYPE $content_type; +# fastcgi_param CONTENT_LENGTH $content_length; +# fastcgi_param SERVER_ADDR $server_addr; +# fastcgi_param SERVER_PORT $server_port; +# fastcgi_param SERVER_NAME $server_name; +# fastcgi_param REMOTE_ADDR $remote_addr; +# fastcgi_read_timeout 36000; +# +# client_max_body_size 0; +# +# access_log /var/log/nginx/seahub.access.log; +# error_log /var/log/nginx/seahub.error.log; +# } + + location /seafhttp { + rewrite ^/seafhttp(.*)$ $1 break; + proxy_pass http://127.0.0.1:8082; + client_max_body_size 0; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_connect_timeout 36000s; + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + + send_timeout 36000s; + + access_log /var/log/nginx/seafhttp.access.log seafileformat; + error_log /var/log/nginx/seafhttp.error.log; + } + location /media { + root /opt/seafile/seafile-server-latest/seahub; + } +} +``` + +The following options must be modified in the CONF file: + +* Server name (server_name) + +Optional customizable options in the seafile.conf are: + +* Server listening port (listen) - if Seafile server should be available on a non-standard port +* Proxy pass for location / - if Seahub is configured to start on a different port than 8000 +* Proxy pass for location /seafhttp - if seaf-server is configured to start on a different port than 8082 +* Maximum allowed size of the client request body (client_max_body_size) + +The default value for `client_max_body_size` is 1M. Uploading larger files will result in an error message HTTP error code 413 ("Request Entity Too Large"). It is recommended to syncronize the value of client_max_body_size with the parameter `max_upload_size` in section `[fileserver]` of [seafile.conf](../config/seafile-conf.md). Optionally, the value can also be set to 0 to disable this feature. Client uploads are only partly effected by this limit. With a limit of 100 MiB they can safely upload files of any size. + +Finally, make sure your seafile.conf does not contain syntax errors and restart Nginx for the configuration changes to take effect: + +```bash +$ nginx -t +$ nginx -s reload +``` + + + ### Getting a Let's Encrypt certificate Getting a Let's Encrypt certificate is straightforward thanks to [Certbot](https://certbot.eff.org/). Certbot is a free, open source software tool for requesting, receiving, and renewing Let's Encrypt certificates. @@ -33,7 +193,7 @@ Second, follow the detailed instructions then shown. We recommend that you get just a certificate and that you modify the Nginx configuration yourself: ```bash -sudo certbot certonly --nginx +$ sudo certbot certonly --nginx ``` Follow the instructions on the screen. @@ -45,7 +205,7 @@ Upon successful verification, Certbot saves the certificate files in a directory If your Nginx does not support SSL, you need to recompile it. Use the following command: ```bash - ./configure --with-http_stub_status_module --with-http_ssl_module +$ ./configure --with-http_stub_status_module --with-http_ssl_module make && make install ``` @@ -118,9 +278,9 @@ If you have WebDAV enabled it is recommended to add the same: ### Modifying ccnet.conf -Modify the `SERVICE_URL` in [ccnet.conf](../config/ccnet-conf.md) to account for the switch from HTTP to HTTPS. +The `SERVICE_URL` in [ccnet.conf](../config/ccnet-conf.md) informs Seafile about the chosen domain, protocol and port. Change the `SERVICE_URL`so as to account for the switch from HTTP to HTTPS and to correspond to your host name (the `http://`must not be removed): -```bash +```ini SERVICE_URL = https://seafile.example.com ``` @@ -128,7 +288,7 @@ Note: The`SERVICE_URL` can also be modified in Seahub via System Admininstration ### Modifying seahub_settings.py -Modify the `FILE_SERVER_ROOT` in [seahub_settings.py](../config/seahub_settings_py/) to account for the switch from HTTP to HTTPS. +The `FILE_SERVER_ROOT` in [seahub_settings.py](../config/seahub_settings_py/) informs Seafile about the location of and the protocol used by the file server. Change the `FILE_SERVER_ROOT`so as to account for the switch from HTTP to HTTPS and to correspond to your host name (the trailing `/seafhttp` must not be removed): ```python FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp' @@ -136,15 +296,27 @@ FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp' Note: The`FILE_SERVER_ROOT` can also be modified in Seahub via System Admininstration > Settings. If `FILE_SERVER_ROOT` is configured via System Admin and in seahub_settings.py, the value in System Admin will take precedence. +### Modifying seafile.conf (optional) + +To improve security, the file server should only be accessible via Nginx. + +Add the following line in the [fileserver] block on `seafile.conf` in `/opt/seafile/conf`: + +```ini +host = 127.0.0.1 ## default port 0.0.0.0 +``` + +After his change, the file server only accepts requests from Nginx. + ### Starting Seafile and Seahub Restart the seaf-server and Seahub for the config changes to take effect: ```bash -su seafile -cd /opt/seafile/seafile-server-latest -./seafile.sh restart -./seahub.sh restart # or "./seahub.sh start-fastcgi" if you're using fastcgi +$ su seafile +$ cd /opt/seafile/seafile-server-latest +$ ./seafile.sh restart +$ ./seahub.sh restart # or "./seahub.sh start-fastcgi" if you're using fastcgi ``` ## Additional modern settings for Nginx (optional) @@ -254,14 +426,14 @@ HSTS instructs web browsers to automatically use HTTPS. That means, after the fi Enable Diffie-Hellman (DH) key-exchange. Generate DH parameters and write them in a .pem file using the following command: ```bash -openssl dhparam 2048 > /etc/nginx/dhparam.pem # Generates DH parameter of length 2048 bits +$ openssl dhparam 2048 > /etc/nginx/dhparam.pem # Generates DH parameter of length 2048 bits ``` The generation of the the DH parameters may take some time depending on the server's processing power. Add the following directive in the HTTPS server block: -``` +```nginx ssl_dhparam /etc/nginx/dhparam.pem; ``` diff --git a/manual/deploy/using_mysql.md b/manual/deploy/using_mysql.md index 216e68f6..3ed887a1 100644 --- a/manual/deploy/using_mysql.md +++ b/manual/deploy/using_mysql.md @@ -1,18 +1,17 @@ -# Deployment of Seafile Server Community Edition with MySQL/MariaDB +# Installation of Seafile Server Community Edition with MySQL/MariaDB -This manual explains how to deploy and run Seafile server on a Linux server from a pre-built package using MySQL/MariaDB as database. The deployment has been tested for Debian/Ubuntu and CentOS, but Seafile should also work on other Linux distributions. +This manual explains how to deploy and run Seafile Server Community Edition (Seafile CE) on a Linux server from a pre-built package using MySQL/MariaDB as database. The deployment has been tested for Debian/Ubuntu and CentOS, but Seafile should also work on other Linux distributions. **Tip:** If you have little experience with Seafile Server, we recommend that you use an [installation script](https://github.com/haiwen/seafile-server-installer) for deploying Seafile. ## Requirements -Seafile Server Community Edition (Seafile CE) for x86 architecture requires a minimum of 2 cores and 2GB RAM. +Seafile CE for x86 architecture requires a minimum of 2 cores and 2GB RAM. There is a community-supported package for the installation on Raspberry Pi. ## Setup -Seafile prior to and including Seafile 7.0 use Python 2. More recent versions rely on Python 3. ### Installing and preparing the SQL database @@ -27,6 +26,8 @@ Seafile uses the mysql_native_password plugin for authentication. The versions o ### Installing prerequisites +Seafile prior to and including Seafile 7.0 use Python 2. More recent versions rely on Python 3. + **For Seafile 7.0.x** ``` @@ -385,7 +386,20 @@ pkill -f "seahub" ``` -## Performance turning +## Enabling HTTPS + +It is strongly recommended to switch from unencrypted HTTP (via port 8000) to encrypted HTTPS (via port 443). + +This manual provides instructions for enabling HTTPS for the two most popular web servers and reverse proxies: + +* [Nginx](https://manual.seafile.com/deploy/https_with_nginx/) +* [Apache](https://manual.seafile.com/deploy/https_with_apache/) + +## Managing a NAT + +If you run your Seafile Server in a LAN behind a NAT (i.e., a router provided by your ISP), consult [Installation behind NAT](../deploy/deploy_seafile_behind_nat/) to make your Seafile Server accessible over the internet. + +## Performance tuning If you have more than 50 users, we highly recommand you to [add memcached](../deploy/add_memcached.md). This is going to greatly speed up Seahub (the web frontend). @@ -419,13 +433,3 @@ Related parameters as follow: | seahub dabase name | \-b | SEAHUB_DB | seahub-db | **Note: If both script parameter and environment variable assigned, script parameter has higher priority. If neither script parameter nor environment variable assigned, default value will be used.** - -## That's it! - -That's it! Now you may want read more about Seafile. - -* [Deploy Seafile with Nginx](deploy_with_nginx.md) / [Deploy Seafile with Apache](deploy_with_apache.md) -* [Enable Https on Seafile Web with Nginx](https_with_nginx.md) / [Enable Https on Seafile Web with Apache](https_with_apache.md) -* [Configure Seafile to use LDAP](using_ldap.md) -* [How to manage the server](../maintain/README.md) - diff --git a/manual/deploy_pro/download_and_setup_seafile_professional_server.md b/manual/deploy_pro/download_and_setup_seafile_professional_server.md index 016511df..c54c5ffd 100644 --- a/manual/deploy_pro/download_and_setup_seafile_professional_server.md +++ b/manual/deploy_pro/download_and_setup_seafile_professional_server.md @@ -1,21 +1,25 @@ -# Deployment of Seafile Server Professional Edition +# Installation of Seafile Server Professional Edition + +This manual explains how to deploy and run Seafile Server Professional Edition (Seafile PE) on a Linux server from a pre-built package using MySQL/MariaDB as database. The deployment has been tested for Debian/Ubuntu and CentOS, but Seafile PE should also work on other Linux distributions. + +**Tip:** If you have little experience with Seafile Server, we recommend that you use an installation script for deploying Seafile Server. ## Requirements -Seafile Server Professional Edition (Seafile PE) requires a minimum of 2 cores and 2GB RAM. If elasticsearch is installed on the same server, the minimum requirements are 4 cores and 4 GB RAM. +Seafile PE requires a minimum of 2 cores and 2GB RAM. If elasticsearch is installed on the same server, the minimum requirements are 4 cores and 4 GB RAM. Seafile PE can be used without a paid license with up to three users. Licenses for more user can be purchased in the [Seafile Customer Center](https://customer.seafile.com) or contact Seafile Sales at sales@seafile.com or one of [our partners](https://www.seafile.com/en/partner/). - - ## Setup -These instructions assume that MySQL/MariaDB server and client are installed and a MySQL/MariaDB root user can authenticate using the mysql_native_password plugin. (For more information, see [Download and Setup Seafile Server With MySQL](../deploy/using_mysql.md).) +### Installing and preparing the SQL database -Seafile prior to and including Seafile 7.0 use Python 2. More recent versions rely on Python 3. +These instructions assume that MySQL/MariaDB server and client are installed and a MySQL/MariaDB root user can authenticate using the mysql_native_password plugin. (For more information, see [Installation of Seafile Server Community Edition with MySQL/MariaDBL](../deploy/using_mysql.md).) ### Installing prerequisites +Seafile prior to and including Seafile 7.0 use Python 2. More recent versions rely on Python 3. + **For Seafile 7.0.x** ``` @@ -173,13 +177,13 @@ cd /opt/seafile ``` -The program directory can be changed. The standard directory `/opt/seafile` is assumed for the remainder of these instructions. If you decide to put Seafile in another directory, some commands need to be modified accordingly. +The program directory can be changed. The standard directory `/opt/seafile` is assumed for the rest of this manual. If you decide to put Seafile in another directory, some commands need to be modified accordingly. ### Creating user seafile -Elasticsearch, the indexing server, cannot be run as root. More generally, it is good practice to avoid running applications as root. +Elasticsearch, the indexing server, cannot be run as root. More generally, it is good practice not to run applications as root. Create a new user and follow the instructions on the screen: @@ -203,7 +207,7 @@ su seafile -### Activating Seafile PE license +### Placing the Seafile PE license Save the license file in Seafile's programm directory `/opt/seafile`. Make sure that the name is `seafile-license.txt`. (If the file has a different name or cannot be read, Seafile PE will not start.) @@ -220,7 +224,7 @@ Beginning with Seafile PE 7.0.17, the Seafile Customer Center provides two insta The former is suitable for installation on Ubuntu/Debian servers, the latter for CentOS servers. -Download the install package using wget (replace the x.x.x with the downloaded version): +Download the install package using wget (replace the x.x.x with the version you wish to download): ``` # Debian/Ubuntu @@ -255,10 +259,44 @@ tar xf seafile-pro-server_8.0.4_x86-64_CentOS.tar.gz Now you have: ``` -#tree -L 1 +$ tree -L 2 /opt/seafile . ├── seafile-license.txt └── seafile-pro-server-8.0.4 +│   ├── check-db-type.py +│   ├── check_init_admin.py +│   ├── create-db +│   ├── index_op.py +│   ├── migrate.py +│   ├── migrate-repo.py +│   ├── migrate-repo.sh +│   ├── migrate.sh +│   ├── pro +│   ├── remove-objs.py +│   ├── remove-objs.sh +│   ├── reset-admin.sh +│   ├── run_index_master.sh +│   ├── run_index_worker.sh +│   ├── runtime +│   ├── seaf-backup-cmd.py +│   ├── seaf-backup-cmd.sh +│   ├── seaf-encrypt.sh +│   ├── seaf-fsck.sh +│   ├── seaf-fuse.sh +│   ├── seaf-gc.sh +│   ├── seaf-gen-key.sh +│   ├── seafile +│   ├── seafile-background-tasks.sh +│   ├── seafile.sh +│   ├── seaf-import.sh +│   ├── seahub +│   ├── seahub-extra +│   ├── seahub.sh +│   ├── setup-seafile-mysql.py +│   ├── setup-seafile-mysql.sh +│   ├── setup-seafile.sh +│   ├── sql +│   └── upgrade └── seafile-pro-server_8.0.4_x86-64.tar.gz ``` @@ -272,7 +310,7 @@ Note: The names of the install packages differ for Seafile CE and Seafile PE. Us ### Setting up Seafile PE -The setup process of Seafile Professional Server is the same as the Seafile Community Server. See [Download and Setup Seafile Server With MySQL](../deploy/using_mysql.md). +The setup process of Seafile PE is the same as the Seafile CE. See [Installation of Seafile Server Community Edition with MySQL/MariaDB](../deploy/using_mysql.md). If you have any problem during the setup up, check [Common problems in setting up Seafile server](../deploy/common_problems_for_setting_up_server.md). @@ -281,7 +319,7 @@ After the successful completition of the setup script, the directory layout of S **For Seafile 7.0.x** ``` -#tree -L 2 +$ tree -L 2 /opt/seafile . ├── seafile-license.txt # license file ├── ccnet # configuration files @@ -319,7 +357,7 @@ After the successful completition of the setup script, the directory layout of S **For Seafile 7.1.x and younger** ``` -#tree -L 2 +$ tree -L 2 /opt/seafile . ├── seafile-license.txt # license file ├── ccnet @@ -392,16 +430,16 @@ After the successful completition of the setup script, the directory layout of S ├── seahub-data │ └── avatars # for user avatars - ``` ### Tweaking conf files -Unless you proceed immediately with the installation of a reverse proxy, you need to modify two configuration files: ccnet.conf and gunicorn.conf.py +Seafile's config files as created by the setup script are prepared for Seafile running behind a reverse proxy. -In ccnet.conf, add the port 8000 to the `SERVICE_URL` (i.e., SERVICE_URL = http://1.2.3.4:8000/) +To access Seafile's web interface and to create working sharing links without a reverse proxy, you need to modify two configuration files in `/opt/seafile/conf`: -In gunicorn.conf.py, change the bind to "0.0.0.0:8000" (i.e., bind = "0.0.0.0:8000") +* ccnet.conf: Add port 8000 to the `SERVICE_URL` (i.e., SERVICE_URL = http://1.2.3.4:8000/) +* gunicorn.conf.py: Change the bind to "0.0.0.0:8000" (i.e., bind = "0.0.0.0:8000") @@ -417,19 +455,20 @@ Run the following commands in `/opt/seafile-server-latest`: The first time you start Seahub, the script prompts you to create an admin account for your Seafile Server. Enter the email address of the admin user followed by the password. -Now you can access Seafile via the web interface at the host address and port 8000 (e.g., http://1.2.3.4:8000) +Now you can access Seafile via the web interface at the host address and port 8000 (e.g., http://1.2.3.4:8000). -## Enabling access per HTTPS +## Enabling HTTPS It is strongly recommended to switch from unencrypted HTTP (via port 8000) to encrypted HTTPS (via port 443). -This manual provides instructions for enabling HTTPS for +This manual provides instructions for enabling HTTPS for the two most popular web servers and reverse proxies: * [Nginx](https://manual.seafile.com/deploy/https_with_nginx/) * [Apache](https://manual.seafile.com/deploy/https_with_apache/) -Before enable HTTPS, install and configure [Nginx](https://manual.seafile.com/deploy/deploy_with_nginx/) and [Apache](https://manual.seafile.com/deploy/deploy_with_apache/) first. +## Managing a NAT +If you run your Seafile Server in a LAN behind a NAT (i.e., a router provided by your ISP), consult [Installation behind NAT](../deploy/deploy_seafile_behind_nat/) to make your Seafile Server accessible over the internet. ## Performance tuning diff --git a/mkdocs.yml b/mkdocs.yml index 6c11634d..badb0408 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -55,10 +55,8 @@ nav: - Outline: deploy/README.md - Installation with SQLite: deploy/using_sqlite.md - Installation with MySQL: deploy/using_mysql.md - - Config Seahub with Nginx: deploy/deploy_with_nginx.md - - Enabling Https with Nginx: deploy/https_with_nginx.md - - Config Seahub with Apache: deploy/deploy_with_apache.md - - Enabling Https with Apache: deploy/https_with_apache.md + - HTTPS with Nginx: deploy/https_with_nginx.md + - HTTPS with Apache: deploy/https_with_apache.md - LDAP/AD Integration: deploy/using_ldap.md - Single Sign On: - Outline: deploy/single_sign_on.md