Nginx Configuration with Certbot


#1

Hello,

I have been using Certbot for all of my SSL certificates so far. Unfortunately, I can’t make the Nginx configuration for Seafile work. I would really appreciate if somebody could help me with the edits I need to make to my Nginx configuration.

# HTTPS server as posted in #1: Nginx terminates TLS and proxies Seahub (loopback :8000)
# and the file server (loopback :8082). Certbot appended the listen/ssl_* lines at the
# bottom; directive order inside a server block does not matter to Nginx.
server {
    server_name cloud.example.com www.cloud.example.com;

    # Seahub web UI (log names below say seahub; port 8000 matches the ":8000" in ccnet.conf further down).
    location / {
            proxy_pass         http://127.0.0.1:8000;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            # NOTE(review): $server_name is the first name listed above, so a request for
            # www.cloud.example.com is forwarded as cloud.example.com here.
            proxy_set_header   X-Forwarded-Host $server_name;
            # Client side is always TLS on this server, so the scheme is fixed.
            proxy_set_header   X-Forwarded-Proto https;

            access_log      /var/log/nginx/seahub.access.log;
            error_log       /var/log/nginx/seahub.error.log;

            proxy_read_timeout  1200s;
            # 0 removes the request-body size limit (large uploads).
            client_max_body_size 0;
    }

    # File server: strip the /seafhttp prefix and proxy to loopback :8082
    # (seafile.conf [fileserver] port = 8082 further down).
    location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            # Stream the request body to the file server instead of spooling it to disk first.
            proxy_request_buffering off;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout  36000s;
            proxy_read_timeout  36000s;
            proxy_send_timeout  36000s;
            send_timeout  36000s;
    }

    # Static assets served directly from the seahub tree.
    location /media {
            root /home/seafile/seafile-server-latest/seahub;
    }

  # One listener per address family: [::]:443 is IPv6, 443 is IPv4 (see posts #2-#4 below).
  listen [::]:443 ssl; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/cloud.benedikt.world/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/cloud.benedikt.world/privkey.pem; # managed by Certbot
  # Certbot's shared TLS settings (protocols, ciphers, etc.) live in this include.
  include /etc/letsencrypt/options-ssl-nginx.conf; #managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

# Plain-HTTP server added by Certbot: redirect the two known hostnames to HTTPS and
# answer 404 for any other Host header instead of redirecting it.
server {
    if ($host = www.cloud.example.com) {
          return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = cloud.example.com) {
         return 301 https://$host$request_uri;
    } # managed by Certbot


            listen 80;
            listen [::]:80;
            server_name cloud.example.com www.cloud.example.com;
     # Reached only when neither if-block above matched.
     return 404; # managed by Certbot

}

#2

I am no Nginx hero, rather an educated novice, but I am pretty sure your Nginx listens on port 443 only to IPv6:

On purpose?

Have a look at the manual: https://manual.seafile.com/deploy/https_with_nginx.html You find more info on what the config should look like.


#3

Thank you!

No, it’s not on purpose. Certbot added these lines. Since listen 443 ssl; is mentioned in the next line, I would assume Nginx listens to IPv6 and IPv4?

I adjusted my config file according to the manual (using my old Certbot certificate, if that matters), but it’s still not working. :frowning: Whenever I try to make an upload, I get a network error.

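# Access-log format for the file server: original client from X-Forwarded-For (if any),
# then the direct peer, the usual combined fields and the upstream response time.
# log_format is an http-context directive: keep it outside any server block.
log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

# Plain HTTP: send everything to HTTPS.
server {
        listen       80;
        listen       [::]:80;
        # NOTE(review): this is the manual's placeholder name; as the only listen-80
        # server it is the default for every Host anyway, but it should match the
        # server_name of the HTTPS server below.
        server_name  seafile.example.com;
        # "return 301" is the idiomatic form of the old "rewrite ^ ... permanent".
        # $host (normalized Host header, falling back to server_name) is used instead of
        # the raw $http_host so a port or odd casing sent by the client is not echoed
        # into the Location header; $request_uri already carries the query string.
        return 301 https://$host$request_uri;
        server_tokens off;
}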


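# HTTPS server: Nginx terminates TLS and proxies Seahub (loopback :8000) and the
# file server (loopback :8082). Certificates are the Certbot-issued ones.
server {
        # "listen 443 ssl" replaces the deprecated "ssl on;" (dropped in newer nginx);
        # the IPv6 listener mirrors the Certbot-generated block in post #1.
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name cloud.benedikt.world www.cloud.benedikt.world;
        server_tokens off;

        ssl_certificate /etc/letsencrypt/live/cloud.benedikt.world/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/cloud.benedikt.world/privkey.pem; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;

        # TLS 1.0 and 1.1 dropped: both are deprecated. Add TLSv1.3 once the nginx
        # and OpenSSL on this host support it (older nginx rejects the value).
        ssl_protocols TLSv1.2;
        # Cipher list from the Seafile manual, kept as posted. NOTE(review): the
        # plain -SHA, SEED and CAMELLIA entries are legacy CBC suites and can go
        # if no old client depends on them.
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
        ssl_prefer_server_ciphers on;

        # Inherited by every location below because none of them uses add_header
        # itself (a location that did would drop it).
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

        # The server-level "proxy_set_header X-Forwarded-For $remote_addr;" that was
        # here was dead: proxy_set_header is inherited only by locations that set none
        # of their own, and every proxied location below sets its own.

        # Seahub web UI.
        location / {
                proxy_pass         http://127.0.0.1:8000;
                proxy_set_header   Host $host;
                proxy_set_header   X-Real-IP $remote_addr;
                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header   X-Forwarded-Host $server_name;
                proxy_set_header   X-Forwarded-Proto https;

                proxy_read_timeout 1200s;
                # 0 removes the request-body size limit (large uploads).
                client_max_body_size 0;

                access_log      /var/log/nginx/seahub.access.log;
                error_log       /var/log/nginx/seahub.error.log;
        }

        # File server: strip the /seafhttp prefix and proxy to loopback :8082.
        location /seafhttp {
                rewrite ^/seafhttp(.*)$ $1 break;
                proxy_pass http://127.0.0.1:8082;
                client_max_body_size 0;
                # Stream uploads to the file server instead of spooling the whole body
                # to disk first; present in the post #1 config, lost in this rewrite.
                proxy_request_buffering off;
                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

                proxy_connect_timeout  36000s;
                proxy_read_timeout  36000s;
                proxy_send_timeout  36000s;
                send_timeout  36000s;

                access_log      /var/log/nginx/seafhttp.access.log seafileformat;
                error_log       /var/log/nginx/seafhttp.error.log;
        }

        # Static assets served straight from the seahub tree.
        location /media {
                root /home/seafile/seafile-server-latest/seahub;
        }

        # The commented-out Certbot lines (listen/ssl_*/include options-ssl-nginx.conf)
        # were removed: the listen and ssl_* directives above replace them, and the
        # options-ssl-nginx.conf include would duplicate ssl_protocols/ssl_ciphers.
}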

#4

As I said, I am no Nginx expert. And quite obviously I was wrong. You are absolutely right. “listen 443 ssl” is all you need. (Not sure why I didn’t see this in the first place.)

But you said something very interesting:

Only when uploading? The browser shows the green lock?

Please check your ccnet.conf, your seafile.conf and your seahub_settings.py.

  • Did you add the “s” to “http” in the ccnet.conf and the seahub_settings.py?
  • Did you add the line “host = 127.0.0.1” in the seafile.conf?

#5

No worries at all! I really appreciate your help. Yes, SSL is enabled and the green lock is present. Whenever I upload or download something in my browser (haven’t tried the client yet) I get a network error.

Also do I need to open any firewall ports besides 443 and 80 if using Nginx?

ccnet.conf:

# ccnet.conf as posted in #5: ccnet identity, client RPC port and its MySQL database.
[General]
USER_NAME = Me
ID = b6708019b7fa97939f8bec639ce4faf059cd8a91
NAME = Me
# Public base URL handed to clients. NOTE(review): with Nginx on 443 in front, the
# ":8000" (Seahub's local port, see proxy_pass http://127.0.0.1:8000 above) does not
# belong here -- post #8 below says the same.
SERVICE_URL = https://www.cloud.example.com:8000

[Client]
PORT = 13419

[Database]
ENGINE = mysql
HOST = 127.0.0.1
PORT = 3306
USER = seafile
# Redacted in the post.
PASSWD = XXXXXXXXXX
DB = ccnet-db
CONNECTION_CHARSET = utf8

Is the port needed if I’m using Nginx? I tried it with or without it. Neither works.

seafile.conf

# seafile.conf as posted in #5: file-server port and the seafile MySQL database.
[fileserver]
# Port the Nginx "location /seafhttp" proxies to (proxy_pass http://127.0.0.1:8082 above).
port = 8082
# NOTE(review): no "host = 127.0.0.1" line yet -- post #4 above asks for it, post #10
# below adds it.

[database]
type = mysql
host = 127.0.0.1
port = 3306
user = seafile
# Redacted in the post.
password = yadayada
db_name = seafile-db
connection_charset = utf8

seahub_settings.py

# seahub_settings.py as posted in #5: Django secret plus the MySQL connection for
# Seahub's own database. Both values are the poster's redacted placeholders.
SECRET_KEY = "thisisasecret"

# Single 'default' alias pointing at the local MySQL instance (same host and user as
# the seafile.conf above). Django reads only the uppercase names from this module.
DATABASES = dict(
    default=dict(
        ENGINE='django.db.backends.mysql',
        NAME='seahub-db',
        USER='seafile',
        PASSWORD='yadayada',
        HOST='127.0.0.1',
        PORT='3306',
    ),
)
# NOTE(review): no FILE_SERVER_ROOT or SITE_ROOT here -- posts #8 and #11 below ask for them.

#6

If the website works and shows https but you have trouble when you upload, the problem could be the database. Maybe Seafile doesn’t have permission to write to the SQL database?

Post the error you face.


#7

The error is just “upload failed - network error”.

The seahub.log file lists one error. However, I have restarted seafile.sh and seahub.sh multiple times since the error occurred without triggering another traceback (according to the log). I can’t identify any abnormalities in the other log files.

I had issues with preparing MySQL initially (the Seafile MySQL script couldn’t access the database) and had to follow the instructions of user mulmer to make it work.

MYSQL Preparation:
I was not able to log in to MySQL as root via seafile-setup (even with sudo mysql_secure_installation done before setup). This link explains why (link removed). Essentially, what you need to do before mysql_secure_installation and seafile-setup is this:
Logon to MySQL server by running the commands below:
sudo mysql -u root
Send the following SQL-Commands:
USE mysql;
UPDATE user SET plugin='mysql_native_password' WHERE User='root';
FLUSH PRIVILEGES;
exit;
Restart and run the commands below to set a new password:
sudo systemctl restart mysql.service
Run the Secure Installation of MYSQL:
sudo mysql_secure_installation
Answer the questions below by following the guide:
Enter current password for root (enter for none): Just press Enter // I didn’t get this question
Set root password? [Y/n]: Y
New password: Enter password
Re-enter new password: Repeat password
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y

2019-04-16 20:33:47,281 [ERROR] django.request:135 handle_uncaught_exception Internal Server Error: /api/v2.1/notifications/
    Traceback (most recent call last):
      File "/home/seafile/seafile-server-6.3.4/seahub/thirdpart/django/core/handlers/exception.py", line 41, in inner
        response = get_response(request)
      File "/home/seafile/seafile-server-6.3.4/seahub/thirdpart/django/core/handlers/base.py", line 244, in _legacy_get_response
        response = middleware_method(request)
      File "/home/seafile/seafile-server-6.3.4/seahub/seahub/auth/middleware.py", line 18, in process_request
        if request.user.is_authenticated() and not request.user.is_active:
      File "/home/seafile/seafile-server-6.3.4/seahub/seahub/auth/middleware.py", line 10, in __get__
        request._cached_user = get_user(request)
      File "/home/seafile/seafile-server-6.3.4/seahub/seahub/auth/__init__.py", line 120, in get_user
        user = backend.get_user(username) or AnonymousUser()
      File "/home/seafile/seafile-server-6.3.4/seahub/seahub/base/accounts.py", line 509, in get_user
        user = self.get_user_with_import(username)
      File "/home/seafile/seafile-server-6.3.4/seahub/seahub/base/accounts.py", line 480, in get_user_with_import
        emailuser = seaserv.get_emailuser_with_import(username)
      File "/home/seafile/seafile-server-6.3.4/seafile/lib64/python2.7/site-packages/seaserv/service.py", line 132, in get_emailuser_wit$
        return ccnet_threaded_rpc.get_emailuser_with_import(email)
      File "/home/seafile/seafile-server-6.3.4/seafile/lib64/python2.7/site-packages/pysearpc/client.py", line 110, in newfunc
    ret_str = self.call_remote_func_sync(fcall_str)
      File "/home/seafile/seafile-server-6.3.4/seafile/lib64/python2.7/site-packages/ccnet/rpc.py", line 71, in call_remote_func_sync
        client = self.pool.get_client()
      File "/home/seafile/seafile-server-6.3.4/seafile/lib64/python2.7/site-packages/ccnet/pool.py", line 29, in get_client
        client = self._create_client()
      File "/home/seafile/seafile-server-6.3.4/seafile/lib64/python2.7/site-packages/ccnet/pool.py", line 21, in _create_client
        client.connect_daemon()
      File "/home/seafile/seafile-server-6.3.4/seafile/lib64/python2.7/site-packages/ccnet/client.py", line 131, in connect_daemon
        return self.connect_daemon_with_pipe()
    File "/home/seafile/seafile-server-6.3.4/seafile/lib64/python2.7/site-packages/ccnet/client.py", line 113, in connect_daemon_with_$
        raise NetworkError("Can't connect to daemon")
    NetworkError: Can't connect to daemon

#8

Your problem is not a Let’s Encrypt problem. You did not make the changes necessary in Seafile’s conf files.

I have three comments - one for every conf file:

Please remove the “:8000”

Is this your entire seahub_settings.py? No variable for FILE_SERVER_ROOT?

The Seafile manual explicitly states that with SSL, you need to add a line for host.

Please have a look at this site: https://manual.seafile.com/deploy/https_with_nginx.html Scroll down and make the necessary changes.


#10

Thank you! I just applied the changes. We have made some progress because the progress bar actually shows up now when I try to upload a file. Unfortunately, I still get a network error shortly afterward.

ccnet.conf

# ccnet.conf as posted in #10: the ":8000" is gone from SERVICE_URL.
[General]
USER_NAME = Me
ID = b6708019b7fa97939f8bec639ce4faf059cd8a91
NAME = Ben
# Public base URL. NOTE(review): per posts #13/#14 below its host must match the host in
# Seahub's FILE_SERVER_ROOT -- the www vs. non-www mismatch is what broke uploads.
SERVICE_URL = https://www.cloud.domain.com

[Client]
PORT = 13419

[Database]
ENGINE = mysql
HOST = 127.0.0.1
PORT = 3306
USER = seafile
# Redacted in the post.
PASSWD = Password
DB = ccnet-db
CONNECTION_CHARSET = utf8

seahub_settings.py

# -*- coding: utf-8 -*-
# seahub_settings.py as posted in #10: secret, Seahub's MySQL connection and the
# public file-server URL. Secret and password are the poster's redacted placeholders.
SECRET_KEY = "My_Key"

# Single 'default' alias pointing at the local MySQL instance (same host and user as
# the seafile.conf below). Django reads only the uppercase names from this module.
DATABASES = dict(
    default=dict(
        ENGINE='django.db.backends.mysql',
        NAME='seahub-db',
        USER='seafile',
        PASSWORD='Password',
        HOST='127.0.0.1',
        PORT='3306',
    ),
)

# Public URL of the file server: the Nginx "location /seafhttp" that proxies to :8082.
# NOTE(review): its host must match the host in ccnet.conf's SERVICE_URL -- post #14
# below found the www vs. non-www mismatch was what broke uploads.
FILE_SERVER_ROOT = 'https://cloud.domain.com/seafhttp'

seafile.conf

# seafile.conf as posted in #10, now with the fileserver host line from the manual.
[fileserver]
# Port the Nginx "location /seafhttp" proxies to.
port = 8082
# Presumably the address the file server binds to, so it is reachable only through
# the Nginx proxy on loopback -- confirm against the manual linked in #2.
host = 127.0.0.1

[database]
type = mysql
host = 127.0.0.1
port = 3306
user = seafile
# Redacted in the post.
password = password
db_name = seafile-db
connection_charset = utf8

I tried it with and without specifying the port (like described in the manual).


#11

Add these two lines please:
SITE_ROOT = '/'
LOGIN_URL = SITE_ROOT + 'accounts/login'

Restart both Seafile and Seahub after applying the changes.


#12

Thanks! Unfortunately, it doesn’t make a difference. :frowning:


#13

Please check that there are no override values for SERVICE_URL and FILE_SERVER_ROOT in Seahub’s admin panel:


These values take precedence over parameters in the conf files.

Additionally, are you sure the SERVICE_URL in ccnet.conf is correct? Shouldn’t it be “https://cloud.domain.com” instead of “https://www.cloud.domain.com”?

If these two things don’t help, I am out of ideas.


#14

It’s working now! Your suggestion made me look at the different URLs, and when I checked the admin panel I noticed that FILE_SERVER_ROOT was https://cloud.domain.com/seafhttp, while SERVICE_URL was https://www.cloud.domain.com. Adding www to FILE_SERVER_ROOT did the trick. I wonder why it doesn’t work without the www. Probably because I added www.cloud.domain.com to my Nginx configuration under server_name?

Thank you so much for your help! :slight_smile:

Edit: Just noticed that the way I setup my A-records is probably the reason I need the www in the URL. https://cloud.domain.com is currently forwarded to https://www.cloud.domain.com, while it should probably be the other way around, and Seafile might not be able to handle that.