Cannot delete or move files at web UI - 403 forbidden

Hey,

I set up Seafile 8 successfully. One strange thing is that I am not able to delete or move files to another folder in the web UI.
Moving and deleting on my machine is synced as expected.

My setup looks like the following:

seperate NGINX reverse proxy <----> (proxying https to https) Seafile NGINX Reverse proxy <–> seafile/seahub <–> mariadb/memcached

Seafile, Seafile NGINX, mariadb and memcached are running on the same host.

I tried to figure it out with the debugging console of chromium and saw there is a 403 error when I try to delete or move files:

{“detail”:“CSRF Failed: CSRF token missing or incorrect.”}

Here is my nginx config (the seperated one):

server {
listen 443 http2 ssl;
server_name seafile.myserver.de;
ssl on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/letsencrypt/live/seafile.myserver.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/seafile.myserver.de/privkey.pem;
ssl_dhparam   /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers  off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://seafile.myserver.de/ blob: 'self' 'unsafe-inline' 'unsafe-eval' ; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://seafile.myserver.de; object-src 'none'; frame-ancestors https://seafile.myserver.de/; base-uri https://seafile.myserver.de/ 'self'; media-src 'self';";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Frame-Options sameorigin;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();";
add_header Referrer-Policy strict-origin-when-cross-origin;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/letsencrypt_ocsp.pem;
server_tokens off;
resolver 213.133.98.98;


location / {
    proxy_pass              https://seafback.myserver.de;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Host $server_name;
    proxy_set_header        X-Forwarded-Proto https;
    access_log              /var/log/nginx/seahub.access.log;
    error_log               /var/log/nginx/seahub.error.log;
    proxy_read_timeout      1200s;
}


location /seafhttp {
    proxy_pass https://seafback.myserver.de;
    client_max_body_size 0;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Host $server_name;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_connect_timeout  36000s;
    proxy_read_timeout  36000s;
    proxy_send_timeout  36000s;
    send_timeout  36000s;
}

location /media {
    proxy_pass https://seafback.myserver.de/media;

}

The NGINX server running at the seafile host is the default config:

erver {
    listen       80;
    server_name  seafback.myserver.de;
    rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
    server_tokens off;
}
server {
    listen 443 http2;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/seafback.myserver.de/fullchain.pem;        # path to your cacert.pem
    ssl_certificate_key /etc/letsencrypt/live/seafback.myserver.de/privkey.pem;   # path to your privkey.pem
    server_name seafback.myserver.de;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparam.pem;

    # secure settings (A+ at SSL Labs ssltest at time of writing)
    # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
    ssl_prefer_server_ciphers on;

    proxy_set_header X-Forwarded-For $remote_addr;

    server_tokens off;

    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Forwarded-Proto https;

        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
        proxy_read_timeout  1200s;
        client_max_body_size 0;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
    }
    location /media {
        root /opt/seafile-server-latest/seahub;
  }

}

In seahub.log I can see those entries when I try to delete/move a file:

2021-01-04 21:44:08,554 [WARNING] django.request:228 log_response Forbidden: /api/v2.1/repos/9a3a0099-8338-4450-8cfb-aeea000da4a4/file/

I already removed all added headers to make sure that this is not the problem, no luck here.

Edit: When I connect directly to the seafile-nginx (the one where seafile is running) it works as expected, so I would say there is something wrong with my seperated nginx reverse proxy config for seafile.

Any suggestions?

best

1 Like

I fixed this.

proxy_set_header        Cookie $http_cookie;

on the seperated NGINX reverse proxy did the trick, I am now able to move and delete files in the web UI

Here is the stripped down reverse proxy config for further use (I just needed the / location block anyways)

server {
listen       80;
server_name  seafile.myserver.de;
rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https

# Enables or disables emitting nginx version on error pages and in the "Server" response header field.
server_tokens off;
}



server {
listen 443 http2 ssl;
server_name seafile.myserver.de;
ssl on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/letsencrypt/live/seafile.myserver.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/seafile.myserver.de/privkey.pem;
ssl_dhparam   /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers  off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://seafile.myserver.de/ blob: 'self' 'unsafe-inline' 'unsafe-eval' ; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://seafile.myserver.de; object-src 'none'; frame-ancestors https://seafile.myserver.de/; base-uri https://seafile.myserver.de/ 'self'; media-src 'self';";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Frame-Options sameorigin;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();";
add_header Referrer-Policy strict-origin-when-cross-origin;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/letsencrypt_ocsp.pem;
server_tokens off;
resolver 213.133.98.98;


location / {
    proxy_pass              https://seafback.myserver.de;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Host $server_name;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        Cookie $http_cookie;
    access_log              /var/log/nginx/seahub.access.log;
    error_log               /var/log/nginx/seahub.error.log;
    proxy_read_timeout      1200s;
}

if ($request_method !~ ^(GET|DELETE|HEAD|POST|PUT)$ )
{
    return 405;
}
}

And another final addition:

I set “proxy_cookie_path” in nginx.conf for security reasons.
To make it work the line needs to be set like this:

proxy_cookie_path   ~*^/.* "~*^/.* HTTPOnly; Secure";
1 Like

With the configuration shown in your post, can you email links to files from within Seafile (web interface)? I am getting a “Permission Denied” error when I try to email a link.

I think it might be

that’s getting in the way.

-Thanks

I do not use email at my server so I cant help you with that, as mentioned in the other thread the above solutions proxy_cookie_path leads to redirect errors, so simply comment it out. Permission denied comes from missing CSRF Token which is not correctly passed-through from my seafile-nginx backend to the frontend reverse proxy. I am not sure anymore what did the trick but I posted the solution the other thread you asked.

best