Allow only file download and upload links from internet

Is it possible with nginx or haproxy allow only file download/upload from Internet, deny testi like logon and library view, etc.?

We wan’t to put seafile server inside of company network and only allow file download/upload request links from Internet. Those link starts and /u, but looks like the seafile server redirects those url to /lib.

Does any one tried this kind of setup?

Files can only be downloaded with access to /seafhttp/*.

Yes, I know that.

But from seafile if get download link you get link like so I thinking is it possible to allow access from internet if user comes to this link first, after that seafile redirect browser to But if user tries to access directly to it would be denied.

I don’t know if its doable with nginx or haproxy… Just thinkink it would be nice setup, because you can share files to outside and no need to use 2FA because server is inside company network.

seafhttp links are usually one time access only with a max valid time of one hour. So simply requesting something from seafhttp would hardly work as one cannot get tokens without having access to the seahub api. So only allowing requests to /f/.* (download link file), /d/.* (download link directory), /u/.* (upload link) and /seafhttp/.* would already be quite secure. in addition you could apply strict rate limiting.

I will setup this tomorrow.

I was following line in haproxy.cfg
acl url_seafile path_beg /u /f /d /seafhttp /media

I could download file from link, but not upload. I also checked SERVICE_URL and FILE_SERVER_ROOT and those was matching when coming from internet throught haproxy.

When I tried to upload, it just do nothing. I try upload 8KB file and after 3min it looks like this

So I check haproxy logs and there was that it tried to access also to /ajax/upload-file-done/?fn=… so I added that and now it works.

So when you wan’t to allow file download/upload from internet and nothing else, you need to allow following urls in haproxy to get it working.
acl url_seafile path_beg /u /f /d /seafhttp /media /ajax

1 Like

I’d recheckt the /ajax path, that could allow calling many more APIs. If it only calls /ajax/upload-file-done I’d add that instead of /ajax as an exception.

Thanks, you are correct.
I tested again and it required /ajax/upload-file-done</code and /ajax/u/d

So, now I have
acl url_seafile path_beg /u /f /d /seafhttp /media /ajax/upload-file-done /ajax/u/d