Bad gateway 502 after migrating to nginx/https

nkduufk · August 13, 2020, 9:56pm

Hi. I had a running configuration on raspbian. Version 6.3.4. It worked fine with http. However, I need to migrate to https.
So I installed nginx, added the nginx seafile configuration file, modified ccnet.conf, modified seahub_settings.py. Now I get “bad gateway” which is probably the most ambiguous message on Earth.
Where could I start looking to find the root cause? I start seafile with fastcgi.

ccnet.conf:

[General]
USER_NAME = XXXX
ID = XXXX
NAME = XXX
SERVICE_URL = https://192.168.1.110:8001

[Client]
PORT = 13419

seafile.conf:

[fileserver]
port=8082

seahub_settings.py:

# -*- coding: utf-8 -*-
SECRET_KEY = XXXX
FILE_SERVER_ROOT = 'https://192.168.1.110:8001/seafhttp'

nginx-config file:

server {
    listen 8001;
    ssl on;
    ssl_certificate /etc/nginx/ssl/seahub.crt;
    ssl_certificate_key /etc/nginx/ssl/seahub.key;
    server_name 192.168.1.110;
    error_page 497  https://$host:$server_port$request_uri;

    client_max_body_size 10G; # set max upload size

    location / {
        fastcgi_pass    127.0.0.1:8000;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param   SERVER_PROTOCOL $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param   SERVER_ADDR         $server_addr;
        fastcgi_param   SERVER_PORT         $server_port;
        fastcgi_param   SERVER_NAME         $server_name;
        fastcgi_param   HTTPS   on;
        fastcgi_param HTTP_SCHEME https;

        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
    }
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
    }
}

ccnet.log:

[08/13/20 23:42:00] ../common/session.c(132): using config file /home/seafile/conf/ccnet.conf
[08/13/20 23:42:00] ../common/session.c(455): socket file exists, delete it anyway
[08/13/20 23:42:00] ../common/session.c(484): Listen on /home/seafile/ccnet/ccnet.sock for local clients
[08/13/20 23:42:00] ../common/session.c(290): Update pubinfo file
[08/13/20 23:42:01] ../common/session.c(398): Accepted a local client
[08/13/20 23:42:01] ../common/session.c(398): Accepted a local client
[08/13/20 23:42:01] ../common/session.c(398): Accepted a local client
[08/13/20 23:42:01] ../common/session.c(398): Accepted a local client
[08/13/20 23:42:03] ../common/session.c(398): Accepted a local client
[08/13/20 23:42:03] ../common/peer.c(943): Local peer down

seafile.log;

[08/13/20 23:42:01] http-server.c(173): fileserver: worker_threads = 10
[08/13/20 23:42:01] http-server.c(188): fileserver: fixed_block_size = 8388608
[08/13/20 23:42:01] http-server.c(203): fileserver: web_token_expire_time = 3600
[08/13/20 23:42:01] http-server.c(218): fileserver: max_indexing_threads = 1
[08/13/20 23:42:01] http-server.c(233): fileserver: max_index_processing_threads= 3
[08/13/20 23:42:01] ../common/mq-mgr.c(54): [mq client] mq cilent is started
[08/13/20 23:42:02] size-sched.c(96): Repo size compute queue size is 0
[08/13/20 23:47:02] size-sched.c(96): Repo size compute queue size is 0
[08/13/20 23:52:02] size-sched.c(96): Repo size compute queue size is 0

nkduufk · August 18, 2020, 9:14pm

Alright, I found some more hints. Fast-cgi does not work so I altered my seahub config file. Then I receive the request dependency warning when starting seahub. So I did:

sudo pip install -Iv urllib3==1.22

However, my client log gives:

libcurl failed to GET 192.168.1.110/seafhttp/protocol-version: Couldn't connect to server.

and my client GUI shows “waiting for synchronization”…

Cisco · August 19, 2020, 5:01am

here is my nginx configuration

server {

    listen 80;
    server_name  cloud.XXX.me www.cloud.XXX.me;
    rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
server_tokens off;
}
server {
    listen 443 http2;
server_name cloud.XXX.me www.cloud.XXX.me;

location /stub_status {
stub_status on;
access_log off;
# Security: Only allow access from the IP below.
#allow 127.0.0.1;
# Deny anyone else
#deny all;
}

    ssl_certificate /etc/letsencrypt/live/cloud.XXX.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.XXX.me/privkey.pem;


ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_ecdh_curve secp384r1;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;




add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
    proxy_set_header X-Forwarded-For $remote_addr;


add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    server_tokens off;

location / {
     proxy_pass         http://127.0.0.1:8000;
     proxy_set_header   Host $host;
     proxy_set_header   X-Real-IP $remote_addr;
     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header   X-Forwarded-Host $server_name;
 proxy_set_header   X-Forwarded-Proto https;
     proxy_read_timeout  1200s;

     client_max_body_size 0;

     access_log      /var/log/nginx/seahub.access.log;
     error_log       /var/log/nginx/seahub.error.log;
}

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
    proxy_request_buffering off;
    }
    location /media {
        root /home/boubou/cloud/seafile/seafile-server-latest/seahub;
    }

nkduufk · August 19, 2020, 5:14pm

Mine does not look too different except for a missing location /media:
nginx config:

server {
    listen 8001;
    ssl on;
    ssl_certificate /etc/nginx/ssl/seahub.crt;
    ssl_certificate_key /etc/nginx/ssl/seahub.key;
    server_name 192.168.1.110;
    error_page 497  https://$host:$server_port$request_uri;

    client_max_body_size 10G; # set max upload size

    location / {
         proxy_pass         http://127.0.0.1:8000;
         proxy_set_header   Host $host;
         proxy_set_header   X-Real-IP $remote_addr;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Host $server_name;
         proxy_read_timeout  1200s;

         # used for view/edit office file via Office Online Server
         client_max_body_size 0;

         access_log      /var/log/nginx/seahub.access.log;
         error_log       /var/log/nginx/seahub.error.log;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
    }
}

axstet · August 19, 2020, 5:29pm

Isn’t the port missing? Listening on 8001 is not really default.

nkduufk · August 19, 2020, 6:35pm

Additional info: client on Android seems to work fine. Also reaching the library through the seahub browser interface works. Just my desktop client is stuck.

axstet · August 19, 2020, 6:38pm

Did you switch it to https?

nkduufk · August 19, 2020, 6:41pm

Yes. And I see the library, but the client icon still shows “waiting for synchronization”

squirrel · August 19, 2020, 8:59pm

Do you have several Desktops which don’t work or is it just the one?
If not, maybe the problem is on the machine, e.g. some problem with old cache files or something? Have you tried reinstalling the client?

nkduufk · August 19, 2020, 9:07pm

Just this one desktop. Reinstalling the client made no difference.

nkduufk · August 29, 2020, 9:32pm

So, to give it another try, I used the standard ports, but now I get “Unhandled http redirect from server. Please check server cofiguration” from my client
This is my nginx:

server {
    listen       80;
    server_name  192.168.1.110;
    server_tokens off;
    rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
}


server {
    listen 443 http2; # former 8001
    ssl on;
    ssl_certificate /etc/nginx/ssl/seahub.crt;
    ssl_certificate_key /etc/nginx/ssl/seahub.key;
    server_name 192.168.1.110;
    server_tokens off;  # Nginx does not reveal its version number to make life more difficult for attackers
    error_page 497  https://$host:$server_port$request_uri;
    # ssl_protocols TLSv1.2 TLSv1.3;

    client_max_body_size 10G; # set max upload size

# proxy for seahub:
    location / {
         proxy_pass         http://127.0.0.1:8000;
         # proxy_set_header   Host $host;
         proxy_set_header   Host $host:$server_port;
         proxy_set_header   X-Real-IP $remote_addr;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Host $server_name;
         proxy_set_header   X-Forwarded-Proto https; # was commented
         proxy_read_timeout  1200s;

         # used for view/edit office file via Office Online Server
         client_max_body_size 0;

         access_log      /var/log/nginx/seahub.access.log;
         error_log       /var/log/nginx/seahub.error.log;
    }

# proxy for seafile:
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
    }
}

nkduufk · August 30, 2020, 4:26pm

Alright, after some trial and error, I solved the “redirect” issue by deleting the complete configuration folder on my client. You will find the folder when looking at the entry in ~/.ccnet/seafile.ini (on Kubuntu).

Another finding: if i activate “proxy_set_header X-Forwarded-Proto https;” in the nginx file, I get an 403 CSRF error in the web interface. After commenting the line, the error is gone.

Final finding: After changing port 443 to another port and deleting the client folder again, it keeps working