403 Forbidden on New 9.0.2 CE Install

I have a fresh install of 9.0.2 CE, and syncing is working with Seafile clients. One issue I haven’t been able to figure out is getting 403 Forbidden responses on anything coming from the /media path. It mostly works correctly if I access the UI through the IP and port instead of the domain (the avatars aren’t loading even this way though, I did double-check the symlink). I suspect the referrer policy might be to blame (strict-origin-when-cross-origin), and I’ve been messing with my nginx and Seafile/Seahub configs but as far as I can tell they are configured correctly. Any ideas?


Nginx Config:

# Seafile configuration

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {
        server_name mysubdomain.mydomain.com;
        proxy_set_header X-Forwarded-For $remote_addr;

        location / {
                proxy_pass http://localhost:8000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $server_name;
                proxy_read_timeout 1200s;
                client_max_body_size 0;
                access_log /var/log/nginx/seahub.access.log seafileformat;
                error_log /var/log/nginx/seahub.error.log;

        location /seafhttp {
                rewrite ^/seafhttp(.*)$ $1 break;
                client_max_body_size 0;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_connect_timeout 36000s;
                proxy_read_timeout 36000s;
                proxy_send_timeout 36000s;
                proxy_request_buffering off;
                send_timeout 36000s;

                access_log /var/log/nginx/seafhttp.access.log seafileformat;
                error_log /var/log/nginx/seafhttp.error.log;

        location /media {
                root /home/myusername/seafile/seafile-server-latest/seahub;

                access_log /var/log/nginx/media.access.log seafileformat;
                error_log /var/log/nginx/media.error.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mysubdomain.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysubdomain.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


server {
    if ($host = mysubdomain.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        server_name mysubdomain.mydomain.com;
    listen 80;
    return 404; # managed by Certbot




For what it’s worth, the solution ended up being a simple filesystem permissions issue. :unamused: :sweat_smile:

Do you maybe remember what permission exactly? I have the same problem and no clue :slight_smile:

If I remember correctly, either the owner or permissions for seafile-server-latest/seahub were not correct. I either changed the owner to the Seafile user/group or made sure the permissions there were 644.

1 Like

Hm, I chowned everything, but obviously I’m still missing something. Anyway, thanks for your fast response! :slight_smile:

1 Like

Got it! If sometimes someone else browses by with that problem… For me it was that I created the user via adduser --disabled-login --gecos "Seafile" seafile --home /srv/seafile and that /srv/seafile had 770 permissions instead of 755 :upside_down_face:

1 Like

Awesome! Glad you got it figured out!

1 Like