initial commit (untested)

seafile.nginx.conf.template

@@ -0,0 +1,113 @@
+# -*- mode: nginx -*-
+# Auto generated at {{ current_timestr }}
+{% if https -%}
+server {
+    listen 80;
+    server_name _ default_server;
+
+    # allow certbot to connect to challenge location via HTTP Port 80
+    # otherwise renewal request will fail
+    location /.well-known/acme-challenge/ {
+        alias /var/www/challenges/;
+        try_files $uri =404;
+    }
+
+    location / {
+        rewrite ^ https://{{ domain }}$request_uri? permanent;
+    }
+}
+{% endif -%}
+
+server {
+{% if https -%}
+    listen 443 ssl;
+    ssl_certificate      /shared/ssl/{{ domain }}.crt;
+    ssl_certificate_key  /shared/ssl/{{ domain }}.key;
+
+    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
+
+    # TODO: More SSL security hardening: ssl_session_tickets & ssl_dhparam
+    # ssl_session_tickets on;
+    # ssl_session_ticket_key /etc/nginx/sessionticket.key;
+    # ssl_session_cache shared:SSL:10m;
+    # ssl_session_timeout 10m;
+{% else -%}
+    listen 80;
+{% endif -%}
+
+    server_name {{ domain }};
+
+    client_max_body_size 10m;
+
+    location / {
+        proxy_pass http://127.0.0.1:8000/;
+        proxy_read_timeout 310s;
+        proxy_set_header Host $host;
+        #proxy_set_header Forwarded "for=$remote_addr;proto=$scheme";
+        proxy_set_header Forwarded "for=$proxy_add_x_forwarded_for;proto=$http_x_forwarded_proto";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        #proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+        #proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
+        proxy_set_header Connection "";
+        proxy_http_version 1.1;
+
+        client_max_body_size 0;
+        access_log      /var/log/nginx/seahub.access.log seafileformat;
+        error_log       /var/log/nginx/seahub.error.log;
+    }
+
+    location /seafhttp {
+        rewrite ^/seafhttp(.*)$ $1 break;
+        proxy_pass http://127.0.0.1:8082;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        client_max_body_size 0;
+        proxy_connect_timeout  36000s;
+        proxy_read_timeout  36000s;
+        proxy_request_buffering off;
+        access_log      /var/log/nginx/seafhttp.access.log seafileformat;
+        error_log       /var/log/nginx/seafhttp.error.log;
+    }
+
+    location /notification/ping {
+        proxy_pass http://127.0.0.1:8083/ping;
+        access_log      /var/log/nginx/notification.access.log seafileformat;
+        error_log       /var/log/nginx/notification.error.log;
+    }
+
+    location /notification {
+        proxy_pass http://127.0.0.1:8083/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        access_log      /var/log/nginx/notification.access.log seafileformat;
+        error_log       /var/log/nginx/notification.error.log;
+    }
+
+    location /seafdav {
+        proxy_pass         http://127.0.0.1:8080;
+        proxy_set_header   Host $host;
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Host $server_name;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_read_timeout  1200s;
+        client_max_body_size 0;
+
+        access_log      /var/log/nginx/seafdav.access.log seafileformat;
+        error_log       /var/log/nginx/seafdav.error.log;
+    }
+
+    location /media {
+        root /opt/seafile/seafile-server-latest/seahub;
+    }
+
+{% if https -%}
+    # For letsencrypt
+    location /.well-known/acme-challenge/ {
+        alias /var/www/challenges/;
+        try_files $uri =404;
+    }
+{% endif -%}
+}