hi all,
I have read all the forum posts and fixes regarding the CSRF error on Seafile CE 11, but none of the fixes helped get rid of the issue. I still get the error whenever I try to log in to the web interface. Any help is much appreciated. My configs are below. I am running the Docker installation behind a dockerized nginx reverse proxy.
seahub_settings.py:
# -*- coding: utf-8 -*-
# seahub_settings.py: site-specific overrides for Seahub (Django).
# NOTE(review): "secret", "password" and "myjwtsecret" are presumably redacted for the
# post. The real SECRET_KEY keys Django's cryptographic signing (password-reset tokens
# and similar) and must be a long random value that never appears in a paste.
SECRET_KEY = "secret"

# Public base URL of this deployment. The file-server root and the OnlyOffice API URL
# are derived from it so that all three stay on the same origin.
SERVICE_URL = "https://seafile.mydomain.com"
FILE_SERVER_ROOT = SERVICE_URL + "/seafhttp"

LOGIN_ATTEMPT_LIMIT = 3

# Cookies are only sent over HTTPS. Django derives request.is_secure() from the connection
# it sees (plain HTTP from the proxy) unless SECURE_PROXY_SSL_HEADER =
# ("HTTP_X_FORWARDED_PROTO", "https") is in effect; whether seahub's base settings set
# it is not visible here -- TODO confirm, because an https Origin on a request Django
# believes is http fails the CSRF Origin check.
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
# Every scheme+host users log in through must be listed. NOTE(review): the nginx site
# conf also serves www.seafile.mydomain.com, which is not listed here.
CSRF_TRUSTED_ORIGINS = [SERVICE_URL]

DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.mysql",
        "NAME": "seahub_db",
        "USER": "seafile",
        "PASSWORD": "password",
        "HOST": "seafile-db",
        "PORT": "3306",
    }
}

ENABLE_THUMBNAIL = True
SITE_NAME = "Seafile Server"
SITE_TITLE = "Seafile"
TIME_ZONE = "Europe/Berlin"

# Outgoing mail over implicit TLS (port 465).
EMAIL_USE_SSL = True
EMAIL_HOST = "smtp.mail.com"
EMAIL_HOST_USER = "mail@mydomain.com"
EMAIL_HOST_PASSWORD = "password"
EMAIL_PORT = 465
DEFAULT_FROM_EMAIL = "webmaster+seafile@mydomain.com"
SERVER_EMAIL = "webmaster+seafile@mydomain.com"

# Per-user WebDAV passwords instead of the account password.
ENABLE_WEBDAV_SECRET = True

# Preview file settings: comma-separated list of extensions rendered as text.
TEXT_PREVIEW_EXT = "ac, am, bat, c, cc, cmake, cpp, cs, css, csv, diff, el, h, html, htm, java, js, json, less, make, org, php, pl, properties, py, rb, scala, script, sh, sql, txt, text, tex, vi, vim, xhtml, xml, log, groovy, rst, patch, go"

# OnlyOffice integration. The document server is reached through the same origin
# (/ds-vpath/ in the nginx site conf); its TLS certificate is verified and requests
# to it are signed with the shared JWT secret.
ENABLE_ONLYOFFICE = True
VERIFY_ONLYOFFICE_CERTIFICATE = True
ONLYOFFICE_JWT_SECRET = "myjwtsecret"
ONLYOFFICE_APIJS_URL = SERVICE_URL + "/ds-vpath/web-apps/apps/api/documents/api.js"
ONLYOFFICE_FILE_EXTENSION = (
    "doc", "docx", "ppt", "pptx",
    "xls", "xlsx", "odt", "fodt",
    "odp", "fodp", "ods", "fods",
)
ONLYOFFICE_EDIT_FILE_EXTENSION = ("docx", "pptx", "xlsx")
nginx site conf:
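log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

# for notification server (WebSocket upgrade). $proxy_connection at the bottom of this
# file is the same map under a second name; only $proxy_connection is actually used below.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# Plain-HTTP listener: everything is redirected to HTTPS.
server {
    listen 80;
    server_name seafile.mydomain.com;
    # NOTE(review): $http_host is the client-supplied Host header, so whatever Host a client
    # sends is reflected into the Location of this 301. Consider
    # `return 301 https://seafile.mydomain.com$request_uri;` so the target is fixed.
    rewrite ^ https://$http_host$request_uri? permanent; # Forced redirect from HTTP to HTTPS
    server_tokens off;
}

# main server section
server {
    # NOTE(review): www.seafile.mydomain.com is served here but is not in CSRF_TRUSTED_ORIGINS
    # in seahub_settings.py (only the bare name is), so a login attempted through the www name
    # fails Django's Origin check. Either drop the alias, redirect it to the canonical name,
    # or add it to CSRF_TRUSTED_ORIGINS; the certificate in ssl.conf must cover it if it stays.
    server_name seafile.mydomain.com www.seafile.mydomain.com;
    listen 443 ssl;
    http2 on;
    server_tokens off;
    include /etc/nginx/ssl.conf; # set ssl parameters
    include /etc/nginx/default_headers.conf;
    # Appends attributes to the Path of every cookie seahub sets, sessionid and csrftoken
    # included. Django already emits Secure (SESSION_COOKIE_SECURE/CSRF_COOKIE_SECURE are True
    # in seahub_settings.py) and a SameSite of its own, so the rewritten Set-Cookie carries
    # duplicate attributes; which copy a browser honours is not guaranteed -- TODO confirm the
    # effective SameSite on csrftoken in the browser's cookie store.
    proxy_cookie_path / "/; Secure; SameSite=strict"; # HTTPOnly removed due to incompatibility

    location / {
        # Variable upstream + resolver: the container name is re-resolved at runtime instead
        # of once at config load.
        resolver 127.0.0.11 valid=10s ipv6=off;
        set $seafile http://seafile-server:80;
        proxy_pass $seafile;
        # Host and X-Forwarded-Proto are what Django's CSRF Origin check compares against,
        # together with CSRF_TRUSTED_ORIGINS. NOTE(review): seafile-server:80 is the container's
        # own nginx, which presumably sets X-Forwarded-Proto towards seahub itself; if it
        # overwrites this header with its plain-http scheme, seahub sees an http request with an
        # https Origin and rejects every login -- confirm the header value seahub receives.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_read_timeout 1200s;
        proxy_set_header X-Forwarded-Proto https;
        proxy_request_buffering off;
        # used for view/edit office file via Office Online Server
        client_max_body_size 0;
        access_log /var/log/nginx/seahub.access.log seafileformat;
        error_log /var/log/nginx/seahub.error.log;
    }

    location /dav {
        # The resolver has no effect here: proxy_pass below uses a static name, which nginx
        # resolves once at config load.
        resolver 127.0.0.11 valid=10s ipv6=off;
        proxy_pass http://seafile-server/dav;
        # Forwards $host (no port) where `/` forwards $http_host -- harmless on 443, but inconsistent.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_read_timeout 1200s;
        proxy_request_buffering off;
        client_max_body_size 0;
        # webdav move issue fix: clients send Destination as an absolute https URL, the
        # upstream is plain http, so the $nossl_destination map strips the scheme.
        # The map has no default, so a Destination that is not http(s):... becomes an
        # empty string and the upstream receives a bare "http:".
        proxy_set_header Destination "http:$nossl_destination";
        access_log /var/log/nginx/seadav.access.log seafileformat;
        error_log /var/log/nginx/seadav.error.log;
    }

    # Notification server: static upstream names (resolved at config load), no
    # X-Forwarded-* headers -- presumably intentional for the WebSocket endpoint.
    location /notification/ping {
        proxy_pass http://seafile-server:8083/ping;
        access_log /var/log/nginx/seafile-notif.access.log;
        error_log /var/log/nginx/seafile-notif.error.log;
    }
    location /notification {
        proxy_pass http://seafile-server:8083/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        access_log /var/log/nginx/seafile-notif.access.log;
        error_log /var/log/nginx/seafile-notif.error.log;
    }

    # OnlyOffice document server, exposed under the same origin as seahub.
    location /ds-vpath/ {
        resolver 127.0.0.11 valid=10s ipv6=off;
        set $onlyoffice http://seafile-documentserver:80;
        rewrite ^/ds-vpath/(.*) /$1 break;
        proxy_pass $onlyoffice;
        # NOTE(review): an add_header at this level replaces, not extends, the add_header set
        # inherited from the server level. Responses under /ds-vpath/ therefore carry none of
        # the headers from default_headers.conf and no Strict-Transport-Security from ssl.conf.
        # SAMEORIGIN is needed because the editor is presumably framed by seahub, but the
        # remaining headers (at least HSTS and nosniff) should be repeated in this block.
        add_header X-Frame-Options SAMEORIGIN;
        client_max_body_size 500M; # Limit Document size to 500MB
        proxy_read_timeout 3600s;
        proxy_connect_timeout 3600s;
        proxy_set_header Upgrade $http_upgrade;
        # (the pasted config had a stray character after this semicolon, which makes `nginx -t` fail)
        proxy_set_header Connection $proxy_connection;
        proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
        proxy_set_header X-Forwarded-Proto $the_scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Required for only office document server. These take X-Forwarded-Proto/-Host from the
# incoming request when present, which only matters if another proxy sits in front of
# this one; otherwise they fall back to this server's $scheme/$host.
map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}
map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $host;
}
map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

# webdav move fix: drop the scheme from the Destination header (no default: non-matching
# values map to an empty string). The closing brace was missing from the pasted config.
map $http_destination $nossl_destination {
    "~^https:(.+)$" $1;
    "~^http:(.+)$" $1;
}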
/etc/nginx/default_headers.conf:
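# Default Headers
# NOTE(review): nginx does not merge add_header across levels -- any location that has an
# add_header of its own (the /ds-vpath/ location in the site conf) gets none of these.
#
# `Allow` is the 405/OPTIONS response header listing permitted methods; emitting it on every
# response restricts nothing (and the /dav location serves WebDAV methods such as PROPFIND,
# PUT and MOVE that are not in this list), so it is misleading rather than protective.
# NOTE(review): consider removing it.
add_header Allow "GET, POST, HEAD" always;
# Blocks all framing of seahub pages; /ds-vpath/ overrides this with SAMEORIGIN for the editor.
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options nosniff always;
# "0" disables the legacy browser XSS auditor rather than enabling it.
add_header X-XSS-Protection "0" always;
add_header X-Robots-Tag none always;
add_header Referrer-Policy "no-referrer" always;
# Several names in this list (push, vibrate, speaker, notifications) are presumably not in
# the current Permissions-Policy feature set and are ignored by browsers -- verify against
# the current feature list and prune. `always` added so it is also sent on error responses,
# like the headers above.
add_header Permissions-Policy "geolocation=();midi=();notifications=(self);push=(self);sync-xhr=();microphone=();camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();" always;
# Legacy IE directive; `always` added for consistency with the rest of the set.
add_header X-Download-Options noopen always;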
/etc/nginx/ssl.conf:
# SSL Settings
# The "_ecc" directory name suggests an ECDSA certificate. If so, the *-RSA suites in
# ssl_ciphers (and with them ssl_dhparam) can never be selected unless a second, RSA
# certificate is also configured -- TODO confirm.
ssl_certificate /etc/nginx/ssl/mydomain.com_ecc/mydomain.com.fullchain;
ssl_certificate_key /etc/nginx/ssl/mydomain.com_ecc/mydomain.com.key;
# Resumption via the server-side session cache only; tickets are off, so there is no
# long-lived ticket key to rotate.
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.2 TLSv1.3;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
# NOTE(review): this is an add_header at server level, so any location with its own
# add_header (the /ds-vpath/ location in the site conf) does not inherit it.
add_header Strict-Transport-Security "max-age=63072000 ; includeSubDomains" always;
# OCSP stapling
ssl_stapling on;
# Verification of the stapled response needs ssl_trusted_certificate below.
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/mydomain.com_ecc/mydomain.com.ca;
# Load DH / curve parameters - any benefit with TLSv1.3?
# No: TLS 1.3 key exchange uses only the (EC)DHE groups from ssl_ecdh_curve; ssl_dhparam is
# consulted solely by the TLS 1.2 DHE-RSA suite in ssl_ciphers.
ssl_dhparam /etc/nginx/ssl/mydomain.com_ecc/dhparams4096.pem;
# The curve list omits X25519, which most clients offer as their first key share. They still
# connect via X448/P-384, but a TLS 1.3 handshake then costs an extra round trip
# (HelloRetryRequest) -- NOTE(review): consider adding X25519.
ssl_ecdh_curve X448:secp384r1;
# SSL cipher suites (TLS 1.2 only; TLS 1.3 suites are not controlled by this directive)
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
# Client preference order wins; fine when every listed suite is acceptable.
ssl_prefer_server_ciphers off;