1 parent
2609813
commit 6dd2698
Showing
5 changed files
with
196 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
# See https://hub.docker.com/r/phusion/baseimage/tags/ | ||
FROM phusion/baseimage:0.11 | ||
ENV SEAFILE_SERVER=seafile-server SEAFILE_VERSION= | ||
|
||
RUN apt-get update --fix-missing | ||
|
||
# Utility tools | ||
RUN apt-get install -y vim htop net-tools psmisc wget curl git | ||
|
||
# For suport set local time zone. | ||
RUN export DEBIAN_FRONTEND=noninteractive && apt-get install tzdata -y | ||
|
||
# Nginx | ||
RUN apt-get install -y nginx | ||
|
||
# | ||
RUN apt-get install -y libmysqlclient-dev | ||
|
||
# Python3 | ||
RUN apt-get install -y python3 python3-pip python3-setuptools | ||
RUN python3.6 -m pip install --upgrade pip && rm -r /root/.cache/pip | ||
|
||
RUN pip3 install --timeout=3600 click termcolor colorlog pymysql \ | ||
django==2.2.* && rm -r /root/.cache/pip | ||
|
||
RUN pip3 install --timeout=3600 future mysqlclient Pillow pylibmc captcha jinja2 \ | ||
sqlalchemy django-pylibmc django-simple-captcha pyjwt && \ | ||
rm -r /root/.cache/pip | ||
|
||
|
||
# Scripts | ||
COPY scripts_7.1 /scripts | ||
COPY templates /templates | ||
COPY services /services | ||
RUN chmod u+x /scripts/* | ||
|
||
RUN mkdir -p /etc/my_init.d && \ | ||
rm -f /etc/my_init.d/* && \ | ||
cp /scripts/create_data_links.sh /etc/my_init.d/01_create_data_links.sh | ||
|
||
RUN mkdir -p /etc/service/nginx && \ | ||
rm -f /etc/nginx/sites-enabled/* /etc/nginx/conf.d/* && \ | ||
mv /services/nginx.conf /etc/nginx/nginx.conf && \ | ||
mv /services/nginx.sh /etc/service/nginx/run | ||
|
||
|
||
# Seafile | ||
WORKDIR /opt/seafile | ||
|
||
RUN mkdir -p /opt/seafile/ && cd /opt/seafile/ && \ | ||
wget https://download.seadrive.org/seafile-server_${SEAFILE_VERSION}_x86-64.tar.gz && \ | ||
tar -zxvf seafile-server_${SEAFILE_VERSION}_x86-64.tar.gz && \ | ||
rm -f seafile-server_${SEAFILE_VERSION}_x86-64.tar.gz | ||
|
||
# For using TLS connection to LDAP/AD server with docker-ce. | ||
RUN find /opt/seafile/ \( -name "liblber-*" -o -name "libldap-*" -o -name "libldap_r*" -o -name "libsasl2.so*" \) -delete | ||
|
||
|
||
EXPOSE 80 | ||
|
||
|
||
CMD ["/sbin/my_init", "--", "/scripts/start.py"] |
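Review bot: The Seafile tarball fetched by the `wget` step under `/opt/seafile` is unpacked with no integrity check, so the image trusts whatever the download host serves at build time. I would verify a pinned digest before `tar`, for example `echo "${SEAFILE_SHA256}  seafile-server_${SEAFILE_VERSION}_x86-64.tar.gz" | sha256sum -c -`, where `SEAFILE_SHA256` is a placeholder name for a new build argument. `SEAFILE_VERSION` is also empty in the `ENV` line, so as committed the URL carries no version; presumably a release script fills it in, but a comment saying so would help. The `pip3 install` lines are mostly unpinned as well, which makes rebuilds non-reproducible and harder to audit.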
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
daemon off; | ||
user www-data; | ||
worker_processes auto; | ||
|
||
events { | ||
worker_connections 768; | ||
} | ||
|
||
http { | ||
include /etc/nginx/mime.types; | ||
server_names_hash_bucket_size 256; | ||
server_names_hash_max_size 1024; | ||
tcp_nopush on; | ||
tcp_nodelay on; | ||
keepalive_timeout 65; | ||
types_hash_max_size 2048; | ||
log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time'; | ||
|
||
access_log /var/log/nginx/access.log seafileformat; | ||
error_log /var/log/nginx/error.log info; | ||
|
||
gzip on; | ||
gzip_types text/plain text/css application/javascript application/json text/javascript; | ||
|
||
include /etc/nginx/conf.d/*.conf; | ||
include /etc/nginx/sites-enabled/*; | ||
|
||
server { | ||
listen 80; | ||
location / { | ||
return 444; | ||
} | ||
} | ||
} |
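Review bot: The `seafileformat` log format puts the client-supplied `$http_x_forwarded_for` first and unquoted, ahead of `$remote_addr`. A header value containing spaces or several comma-separated addresses shifts every later field, and anything that reads the first column as the client address is reading attacker-controlled data. I would lead with the connection address and quote the header: `log_format seafileformat '$remote_addr "$http_x_forwarded_for" [$time_local] "$request" ...';`. Adding `server_tokens off;` in the `http` block would also stop the version string appearing in error pages and response headers.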
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
#!/bin/bash | ||
exec 2>&1 | ||
exec /usr/sbin/nginx |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin | ||
# min hour dayofmonth month dayofweek command | ||
0 0 1 * * root /scripts/ssl.sh {{ ssl_dir }} {{ domain }} |
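Review bot: `{{ ssl_dir }}` and `{{ domain }}` are rendered unquoted into a command line that cron runs as root, so whitespace, shell metacharacters or a `%` in either value would change what gets executed. Where these values come from is not visible in this commit; if they originate from container environment or user configuration, the renderer should validate `domain` against a hostname pattern before writing this file. Quoting the arguments as well, `0 0 1 * * root /scripts/ssl.sh '{{ ssl_dir }}' '{{ domain }}'`, covers the whitespace case but is not a substitute for that validation.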
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
# -*- mode: nginx -*- | ||
# Auto generated at {{ current_timestr }} | ||
{% if https -%} | ||
server { | ||
listen 80; | ||
server_name _ default_server; | ||
|
||
# allow certbot to connect to challenge location via HTTP Port 80 | ||
# otherwise renewal request will fail | ||
location /.well-known/acme-challenge/ { | ||
alias /var/www/challenges/; | ||
try_files $uri =404; | ||
} | ||
|
||
location / { | ||
rewrite ^ https://{{ domain }}$request_uri? permanent; | ||
} | ||
} | ||
{% endif -%} | ||
|
||
server { | ||
{% if https -%} | ||
listen 443; | ||
ssl on; | ||
ssl_certificate /shared/ssl/{{ domain }}.crt; | ||
ssl_certificate_key /shared/ssl/{{ domain }}.key; | ||
|
||
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; | ||
|
||
# TODO: More SSL security hardening: ssl_session_tickets & ssl_dhparam | ||
# ssl_session_tickets on; | ||
# ssl_session_ticket_key /etc/nginx/sessionticket.key; | ||
# ssl_session_cache shared:SSL:10m; | ||
# ssl_session_timeout 10m; | ||
{% else -%} | ||
listen 80; | ||
{% endif -%} | ||
|
||
server_name {{ domain }}; | ||
|
||
client_max_body_size 10m; | ||
|
||
location / { | ||
proxy_pass http://127.0.0.1:8000/; | ||
proxy_read_timeout 310s; | ||
proxy_set_header Host $host; | ||
proxy_set_header Forwarded "for=$remote_addr;proto=$scheme"; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header Connection ""; | ||
proxy_http_version 1.1; | ||
|
||
client_max_body_size 0; | ||
access_log /var/log/nginx/seahub.access.log seafileformat; | ||
error_log /var/log/nginx/seahub.error.log; | ||
} | ||
|
||
location /seafhttp { | ||
rewrite ^/seafhttp(.*)$ $1 break; | ||
proxy_pass http://127.0.0.1:8082; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
client_max_body_size 0; | ||
proxy_connect_timeout 36000s; | ||
proxy_read_timeout 36000s; | ||
proxy_request_buffering off; | ||
access_log /var/log/nginx/seafhttp.access.log seafileformat; | ||
error_log /var/log/nginx/seafhttp.error.log; | ||
} | ||
|
||
location /seafdav { | ||
proxy_pass http://127.0.0.1:8080; | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Host $server_name; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_read_timeout 1200s; | ||
client_max_body_size 0; | ||
|
||
access_log /var/log/nginx/seafdav.access.log seafileformat; | ||
error_log /var/log/nginx/seafdav.error.log; | ||
} | ||
|
||
location /media { | ||
root /opt/seafile/seafile-server-latest/seahub; | ||
} | ||
|
||
# For letsencrypt | ||
location /.well-known/acme-challenge/ { | ||
alias /var/www/challenges/; | ||
try_files $uri =404; | ||
} | ||
} |
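Review bot: The HTTPS branch sets no `ssl_protocols`, and its `ssl_ciphers` list still admits 3DES suites and plain RSA key exchange. The accepted protocol versions therefore depend on the nginx build's defaults, and clients can negotiate ciphers that are weak or lack forward secrecy. I would pin the protocol with `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the packaged nginx and OpenSSL support it) and drop `ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES` from the cipher string. Using `listen 443 ssl;` would replace the deprecated `ssl on;`. In the port-80 redirect block, `default_server` is given in `server_name`, where it is treated as a literal host name; it presumably belongs on the `listen` line.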