Nginx Reverse Proxy for Seafile Redirecting Instead of Proxying

ohhimaaark · May 16, 2019, 2:04pm

Hello all,

I’m experiencing an issue where my nginx reverse proxy is simply redirecting my clients to the actual seafile/hub web interface.

Here’s my config:

server  {
  listen  443 ssl;
  server_name  seafileproxy.mydomain.com;
  proxy_set_header X-Real-IP $remote_addr;
  ssl  on;
  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
  ssl_session_cache shared:TLS:2m;
  ssl_buffer_size 4k;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_protocols       TLSv1.2 TLSv1.3;
  ssl_dhparam    /opt/cert/dhparams.pem;
  ssl_certificate /etc/letsencrypt/live/you.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/you.com/privkey.pem;
location ^~ /seafhttp {
    rewrite ^/seafhttp(.*)$ $1 break;
    proxy_pass https://192.168.0.1:443;
    client_max_body_size 0;
    proxy_connect_timeout  36000s;
    proxy_read_timeout  36000s;
    proxy_send_timeout  36000s;
    send_timeout  36000s;
    proxy_set_header HOST $host;
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location ~ / {
    proxy_pass https://192.168.0.1:443;
    proxy_set_header HOST $host;
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}

Are there any suggestions for what I’m missing here? Can provide any other info that might be needed.

EDIT: found my solution. Working conf file in next reply.

ohhimaaark · June 5, 2019, 5:37am

server {
   listen 80;
   return 301 https://$host$request_uri;
}

server  {
  listen  443 ssl;
  server_name  seafileproxy.whatever.com;
  proxy_set_header X-Real-IP $remote_addr;
  ssl  on;
  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
  ssl_session_cache shared:TLS:2m;
  ssl_buffer_size 4k;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_protocols       TLSv1.2;
  ssl_dhparam    /etc/ssl/dhparam.pem;
  ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
location ^~ /seafhttp {
    rewrite ^/seafhttp(.*)$ $1 break;
    proxy_pass https://192.168.0.1:443;
    client_max_body_size 0;
    proxy_connect_timeout  36000s;
    proxy_read_timeout  36000s;
    proxy_send_timeout  36000s;
    send_timeout  36000s;
    proxy_set_header HOST $host;
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location ~ / {
    proxy_pass https://192.168.0.1:443;
    proxy_set_header HOST $host;
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}
}

mercury · June 5, 2019, 4:01pm

Not sure I follow. Are TLSv1.3 and Let’s Encrypt the big factors?

I’m not sure I see a complete configuration in either case. Where is location /media, for example?

Why do you substitute the IP address for 127.0.0.1? Are you running a separate proxy machine?

-Thanks!

ohhimaaark · June 14, 2019, 7:29pm

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_ti$

server {
   listen 80;
   return 301 https://$host$request_uri;
}

server  {
  listen  443 ssl;
  server_name  seafile.x.com;
  proxy_set_header X-Real-IP $remote_addr;
  ssl  on;
  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNU$
  ssl_session_cache shared:TLS:2m;
  ssl_buffer_size 4k;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_protocols       TLSv1.2;
  ssl_dhparam    /etc/ssl/dhparam.pem;
  ssl_certificate /etc/ssl/cert.pem;
  ssl_certificate_key /etc/ssl/key.pem;

location /seafhttp {
    rewrite ^/seafhttp(.*)$ $1 break;
    proxy_pass https://192.168.230.x:8082;
    client_max_body_size 0;
    proxy_connect_timeout  36000s;
    proxy_read_timeout  36000s;
    proxy_send_timeout  36000s;
    send_timeout  36000s;
    proxy_request_buffering off;
    proxy_buffering off;
}

location /media {
  root /srv/seafile/seafile-server-latest/seahub;
  proxy_pass http://192.168.230.x:443;
}

location ~ / {
    proxy_pass https://192.168.230.x:443;
    proxy_set_header HOST $host;
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}
}

That’s the full conf. My mistake. DOes that look correct?