Hi,
I’m thinking of putting up an NGINX server that will direct everything, as I need to use other sites over ports 80 and 443.
I have some subdomains that I’ll use, one for every service that I have.
Everything is on different VMs.
So as I understand it, I just forward things from the NGINX server to the Seafile server.
And the configuration file should look something like this, just replace the 127.0.0.1 with the correct IP to the Seafile server.
Should I use the SSL (Let’s Encrypt) on the NGINX server or on the Seafile server?
My guess is that I’ll use it on the NGINX server only, is that correct?
Should I uninstall NGINX on the Seafile server?
My guess is that I’ll uninstall NGINX on the Seafile server, is that correct?
BUT
Here is one question that I can’t figure out: on the NGINX server, how should I write the root line?
It looks like this now.
Ok,
So the only thing is that you have this:
location /media {
    root /mnt/cloud_seahub;
}
That means that you have shared the folder over the network, is that correct?
I thought there was another way to do it without sharing the folder through the network?
I recommend having all services in the DMZ do their config locally and just expose their service via 80/443. Way easier to handle.
For the front-end reverse proxy have a look at haproxy. There you can then provide your validated certificate to the clients.
Internal clients should also call out to the central reverse proxy (local DNS server or entries in hosts file).
That’s not secure, I have found another way to do it and I recommend you do so too.
First, install NGINX on the Seafile server and set it up as always, then install NGINX on the NGINX reverse proxy server.
Here is a correct and secure configuration for the NGINX front-end server (proxy / reverse):
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/private/dhparam_dav.pem;
# secure settings (A+ at SSL Labs ssltest at time of writing)
# see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256$
ssl_prefer_server_ciphers on;
I’ll google it. What I have found out is that with NGINX you can just use the HTTP configuration on the Seafile server, and on the NGINX server you can have the SSL and Let’s Encrypt etc.
That takes some load off the Seafile server, but it also puts it all on another server, so if your Seafile server is down everything still gets updated etc.
But I’m new to this so I’m not sure, we did not have this in school, nor have I used it before in my work.
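
Added example, not part of any post in this thread: one way to write the front-end server blocks the thread discusses, with TLS terminated on the proxy and requests forwarded to the Seafile VM, which keeps its own NGINX and serves /media locally. The hostname seafile.example.com, the backend address 192.0.2.10, the ACME webroot and the certificate paths are assumptions, and the protocol line deliberately differs from the one posted above because TLS 1.0 and 1.1 have since been deprecated.

```nginx
# Front-end reverse proxy (added example). Assumed values, not from the thread:
#   seafile.example.com  - subdomain for the Seafile service
#   192.0.2.10           - internal IP of the Seafile VM (documentation range)
#   certificate paths    - certbot's default layout under /etc/letsencrypt/live/

# Redirect plain HTTP to HTTPS, but keep the ACME HTTP-01 challenge reachable
server {
    listen 80;
    server_name seafile.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot used by the ACME client
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name seafile.example.com;

    ssl_certificate     /etc/letsencrypt/live/seafile.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/seafile.example.com/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;

    # No "root" line here: static files under /media stay on the Seafile VM
    # and are served by its own NGINX, so no folder is shared over the network.
    location / {
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 1200s;
        client_max_body_size 0;      # leave upload limits to the backend
    }
}
```

With this layout the hop from the proxy to the Seafile VM is plain HTTP, so the Seafile VM's port 80 should accept connections from the proxy's address only.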