Seafile docker running alongside system nginx

I think this has been asked before here but I’m new to all of this and need to clarify a few things.

I have a VPS with nginx serving my website at let’s say

I was thinking of running seafile on this server via the docker container and access it via the subdomain I guess this means I’d have to run an nginx reverse proxy so that I can reuse ports 80/443 but I have never configured one of those so have some basic questions:

  • Do I need to change the nginx configuration for my current website to put under an umbrella reverse proxy? Or perhaps I can configure everything I need in a new server section in my nginx conf file?
  • Who has to deal with SSL certificates? I know seafile docker can automatically get them through its internal nginx. Does this mean my system-level nginx should only proxy port 80? or just 443? Or both? Or perhaps I should let the system-level nginx get certificates and disable SSL in seafile docker-compose?
  • Do I need any changes in the docker container or seafile config files so that it can make this setup work?
  • Are there any good guides to follow to do this? I think this is not an uncommon setup and it’d be great if it was covered in the documentation.

Update: So I tested things with the vanilla docker compose from seafile (i.e. let’s encrypt disabled) and instead used certbot to get a certificate directly for the reverse proxy. Things seem to mostly work fine. I couldn’t upload or download anything until I changed SERVICE_URL and FILE_SERVER_URL in the settings GUI (I’m surprised these are not exposed in the docker compose file).

However, my browser only marks the website as secure on the login page but not when I actually log in and use things. Could this be related to the fact that I use cloudflare for my dns? I think cloudflare also has a certificate? My nginx config is below. Have I missed something?

server {
  listen 443 ssl http2;
  #listen 80;

  proxy_set_header X-Real-IP $remote_addr;

  location / {
    proxy_read_timeout 310s;
    proxy_set_header Host $host;
    proxy_set_header Forwarded "for=$remote_addr;proto=$scheme";
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Connection "";
    proxy_http_version 1.1;
    proxy_pass http://localhost:3001;
  }

  ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
}
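A padlock that appears on the login page but disappears after login is commonly caused by mixed content: an HTTPS page that references some subresource over plain http://. Assuming that is the cause here, the following added example (not part of the original post and not Seafile code; the host name, paths and HTML are constructed) scans a saved copy of a page for such references, resolving relative and protocol-relative URLs first.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: host name, paths and markup are made up for illustration.
SAMPLE_PAGE_URL = "https://seafile.example.test/library/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://seafile.example.test/media/css/main.css">
<script src="/media/js/app.js"></script>
<script src="//seafile.example.test/media/js/vendor.js"></script>
</head><body>
<img src="http://seafile.example.test/media/avatars/default.png">
<a href="http://seafile.example.test/help/">help</a>
</body></html>
"""

# Tags whose src attribute makes the browser fetch a subresource for the page.
SUBRESOURCE_ATTRS = dict.fromkeys(
    ("script", "img", "iframe", "audio", "video", "source", "embed"), "src")
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that load a resource

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, resolved URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = SUBRESOURCE_ATTRS.get(tag)
        if tag == "link" and LINK_RELS & set((attrs.get("rel") or "").lower().split()):
            attr = "href"
        value = attrs.get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.insecure.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return subresources an HTTPS page would request over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages loaded over https")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```

Plain `<a href>` links are deliberately not reported, since following a link is navigation rather than a subresource load.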