Is it possible with nginx or haproxy to allow only file download/upload from the Internet and deny the rest, like logon and library view, etc.?
We want to put the seafile server inside the company network and only allow file download/upload request links from the Internet. Those links start with https://seafileserver.domain.com/f and /u, but it looks like the seafile server redirects those URLs to /lib.
I don’t know if it’s doable with nginx or haproxy… Just thinking it would be a nice setup, because you can share files to the outside with no need to use 2FA because the server is inside the company network.
seafhttp links are usually one time access only with a max valid time of one hour. So simply requesting something from seafhttp would hardly work as one cannot get tokens without having access to the seahub api. So only allowing requests to /f/.* (download link file), /d/.* (download link directory), /u/.* (upload link) and /seafhttp/.* would already be quite secure. In addition you could apply strict rate limiting.
I was using the following line in haproxy.cfg:
acl url_seafile path_beg /u /f /d /seafhttp /media
I could download a file from a link, but not upload. I also checked SERVICE_URL and FILE_SERVER_ROOT and those were matching when coming from the internet through haproxy.
When I tried to upload, it just did nothing. I tried to upload an 8KB file and after 3min it looks like this
So I checked the haproxy logs and saw that it also tried to access /ajax/upload-file-done/?fn=… so I added that and now it works.
So when you want to allow file download/upload from the internet and nothing else, you need to allow the following URLs in haproxy to get it working:
acl url_seafile path_beg /u /f /d /seafhttp /media /ajax
I’d recheck the /ajax path, that could allow calling many more APIs. If it only calls /ajax/upload-file-done I’d add that instead of /ajax as an exception.
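
The allowlist discussed in this thread, narrowed as the replies suggest and combined with rate limiting, as an added example that is not from any of the posters. The frontend/backend names, certificate path, internal address and rate thresholds are assumptions to adapt.

```haproxy
# Added example; names, addresses and thresholds below are assumptions.
frontend seafile_public
    mode http
    bind :443 ssl crt /etc/haproxy/certs/seafile.pem   # assumed cert path

    # As posted in the thread (broad): path_beg is a plain string-prefix match,
    # so "/u" also matches any other path that merely starts with "/u", and
    # "/ajax" matches every endpoint under /ajax.
    #   acl url_seafile path_beg /u /f /d /seafhttp /media /ajax

    # Narrowed: trailing slashes pin each prefix to a full path segment, and
    # only the one /ajax endpoint seen in the haproxy log is allowed.
    acl url_seafile     path_beg /f/ /d/ /u/ /seafhttp/ /media/
    acl url_upload_done path_beg /ajax/upload-file-done/

    # Per-source-IP request rate limit (assumed: 50 requests per 10s).
    stick-table type ip size 100k expire 10m store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 50 }

    # Everything not explicitly allowed is rejected (login, library views, APIs).
    http-request deny unless url_seafile or url_upload_done

    default_backend seafile_internal

backend seafile_internal
    mode http
    server seafile1 192.0.2.10:80 check   # placeholder internal address
```

After a change like this, `haproxy -c -f haproxy.cfg` validates the file before reload, and the haproxy log shows any further path the upload page requests that the allowlist is still denying.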