Nginx https

最新推荐文章于 2025-04-13 13:34:07 发布

转载最新推荐文章于 2025-04-13 13:34:07 发布 · 416 阅读

鸡肋专栏收录该内容

30 篇文章

订阅专栏

本文介绍如何使用Nginx配置HTTPS，包括生成SSL证书、启用Nginx SSL模块、修改Nginx配置文件等步骤，并提供了一个示例配置文件。此外还提供了关于大文件上传的建议以及额外的安全设置。

Nginx https

Enabling Https with Nginx

Here we use self-signed SSL certificate. If you use apaid ssl certificate from some authority, just skip the first step.

Generate SSL certificate with OpenSSL

    openssl genrsa -out privkey.pem 2048

    openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

If you're using a custom CA to sign your SSL certificate,you have to enable certificate revocation list (CRL) in your certificate.Otherwise http syncing on Windows client may not work. See this thread for more information.

Enable SSL module of Nginx (optional)

If your Nginx does not support SSL, you need to recompileit, the commands are as follows:

    ./configure --with-http_stub_status_module --with-http_ssl_module

    make && make install

Modify Nginx configuration file

Assume you have configured nginx as Deploy-Seafile-with-nginx. To use https, you need to modify yournginx configuration file.

    server {

        listen       80;

        server_name  seafile.example.com;

        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https

    server {

        listen443;

        sslon;

        ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem

        ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem

        server_name seafile.example.com;

        # ......

        fastcgi_param   HTTPS               on;

        fastcgi_param   HTTP_SCHEME         https;

Sample configuration file

Here is the sample configuration file:

    server {

        listen       80;

        server_name  seafile.example.com;

        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https

    server {

        listen443;

        sslon;

        ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem

        ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem

        server_name seafile.example.com;

        proxy_set_header X-Forwarded-For $remote_addr;

        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

        server_tokensoff;

        location / {

            fastcgi_pass    127.0.0.1:8000;

            fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;

            fastcgi_param   PATH_INFO           $fastcgi_script_name;

            fastcgi_param   SERVER_PROTOCOL        $server_protocol;

            fastcgi_param   QUERY_STRING        $query_string;

            fastcgi_param   REQUEST_METHOD      $request_method;

            fastcgi_param   CONTENT_TYPE        $content_type;

            fastcgi_param   CONTENT_LENGTH      $content_length;

            fastcgi_param   SERVER_ADDR         $server_addr;

            fastcgi_param   SERVER_PORT         $server_port;

            fastcgi_param   SERVER_NAME         $server_name;

            fastcgi_param   HTTPS               on;

            fastcgi_param   HTTP_SCHEME         https;

            access_log      /var/log/nginx/seahub.access.log;

            error_log       /var/log/nginx/seahub.error.log;

            fastcgi_read_timeout36000;

        location /seafhttp {

            rewrite ^/seafhttp(.*)$$1break;

            proxy_pass http://127.0.0.1:8082;

            client_max_body_size0;

            proxy_connect_timeout  36000s;

            proxy_read_timeout  36000s;

            proxy_send_timeout  36000s;

            send_timeout  36000s;

        location /media {

            root /home/user/haiwen/seafile-server-latest/seahub;

Large file uploads

Tip for uploading very large files (> 4GB): By defaultNginx will buffer large request body in temp file. After the body is completelyreceived, Nginx will send the body to the upstream server (seaf-server in ourcase). But it seems when file size is very large, the buffering mechanismdosen't work well. It may stop proxying the body in the middle. So if you wantto support file upload larger for 4GB, we suggest you install Nginx version>= 1.8.0 and add the following options to Nginx config file:

    location /seafhttp {

        ... ...

        proxy_request_buffering off;

If you have WebDAV enabled it is recommended to add thesame:

    location /seafdav {

        ... ...

        proxy_request_buffering off;

Reload Nginx

    nginx -s reload

Modify settings to use https

ccnet conf

Since you changedfrom http to https, you need to modify the value of SERVICE_URL in ccnet.conf. You can also modify SERVICE_URL via web UI in "SystemAdmin->Settings". (Warning: If you set the value both viaWeb UI and ccnet.conf, the setting via Web UI will take precedence.)

SERVICE_URL = https://seafile.example.com

seahub_settings.py

You need to add aline in seahub_settings.py to set the value of FILE_SERVER_ROOT. You can also modifyFILE_SERVER_ROOT via web UI in "System Admin->Settings".(Warning: If you set the value both via Web UI andseahub_settings.py, the setting via Web UI will take precedence.)

FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp'

Start Seafile and Seahub

./seafile.sh start

./seahub.sh start-fastcgi

Additional security settings for nginx (optional)

Add the HSTS header. If you already visited the httpsversion the next time your browser will directly visit the https site and notthe http one. Prevent man-in-the-middle-attacks:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

Disable exact server version in header. Prevent scans forvulnerable server.

server_tokensoff;