No access to seafile server over the Internet, local access works fine

Sebastian_Ga · November 11, 2016, 2:58pm

Hello,

I am spending hours to solve the following problem without any success.

Problem
When I want to access seafile server over the webbrowser under my ddns-domain (Port 80) it stucks while loading the website:

When I access the server under the local address in my home network, it works fine! The Problem started suddenly, maybe after an system update. Before the server was running without any problems. After the problem occurs I performed a fresh installation (erase sd card content) on my raspberry but the problem still exists.

System

Raspberry Pi 2, Raspbian Jessy Image
Webserver: Nginx (v. 1.6.2), Database: Mysql (mysqld 5.5.52-0+deb8u1)
Seafile-Server 6.0.5. installed under a system-user “seafile” with setup-skript “setup-seafile-mysql.sh”

Seafile & Seahub starts sucessfully without any error. The error Logs in /var/logs/nginx and in /home/seafile/haiwen/logs are empty.

Hope you can help me guys, because I really like seafile!

Please see below some config files:

/etc/nginx/nginx.conf:

user www-data;
worker_processes 1;
pid /run/nginx.pid;

events {
	worker_connections 128;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

/etc/nginx/sites-enabled/seafile_server:

server {
    listen 80;
    server_name xyz.ddns.net;

    proxy_set_header X-Forwarded-For $remote_addr;
    
    location / {
        fastcgi_pass    127.0.0.1:8000;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param    SERVER_PROTOCOL        $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param    SERVER_ADDR         $server_addr;
        fastcgi_param    SERVER_PORT         $server_port;
        fastcgi_param    SERVER_NAME         $server_name;
        fastcgi_param   REMOTE_ADDR         $remote_addr;

        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
        fastcgi_read_timeout 36000;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
    }

    location /media {
        root /home/seafile/haiwen/seafile-server-latest/seahub;
    }
}

/home/seafile/haiwen/conf/ccnet.conf:

[General]
USER_NAME = ---
ID = ----
NAME = ---
SERVICE_URL = http://xyz.ddns.net

[Client]
PORT = 13419

[Database]
ENGINE = mysql
HOST = 127.0.0.1
PORT = 3306
USER = seafile
PASSWD = ---
DB = ccnet-db
CONNECTION_CHARSET = utf8

/home/seafile/haiwen/conf/seahub.py:

SECRET_KEY = "---"

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'seahub-db',
        'USER': 'seafile',
        'PASSWORD': '---',
        'HOST': '127.0.0.1',
        'PORT': '3306'
    }
}

FILE_SERVER_ROOT = 'http://xyz.ddns.net/seafhttp'

Vertex · November 11, 2016, 11:05pm

You know that you have to open your firewall and forward the port on your router ?!

Sebastian_Ga · November 12, 2016, 9:22am

Hi, thanks for your reply. Regarding to your hints:

Portforwarding
I forwarded port 80/8082/10001/12001

Firewall
This is the output of “sudo iptables -L”:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Vertex · November 12, 2016, 10:28am

I think you have to explain your setup a little bit more. Do you have a “normal” router like e.g. a Fritz!Box or do you run a server as router behind a DSL- or cable-modem ?

Sebastian_Ga · November 12, 2016, 3:03pm

I have an O2 Homebox 6441. It is approx. a router like Fritz!Box. The Raspberry is directly connected over LAN and gets a fixed IP from the router over DHCP. DynDNS Service is controlled by the router and the WAN IP which is stored under DynDNS fits to the one from the router.

Furthermore I checked in the web menu from the router (O2 Homebox) whether there is a firewall on. I didn’t find anything.

Vertex · November 12, 2016, 10:47pm

I do not know the O2 Homebox, but there should be an option to enable port forwarding for your Raspberry like that:

Maybe this site can help you with the setup.

Sebastian_Ga · November 13, 2016, 3:42pm

I also think now that it has something to do with my router or ISP.

Please see my settings for port forwarding:

The Column “Computer” is bind to the MAC-Address of the Raspberry Pi.

Additional Server installed
I installed next to the seafile server a baikal server which is on port 8001. This is working proper and can be accessed over my ddns-domain.

The data sheet of the router mentioned an integrated SPI-Firewall. Do you think it has something to do with my problem?

MaEh · November 13, 2016, 4:31pm

O2 Homebox means, you Connect through Mobile Network, right? Are you sure that your ISP serves Public IPs to your Router?

Vertex · November 13, 2016, 5:52pm

Your port forwarding rules drill little holes in your firewall, so the firewall is not the problem.

Did you read this in the manual ?:

You don't need to open port 8000 and 8082 if you deploy Seafile behind Apache/Nginx

You should use the IP address of your Raspi not the MAC address for port forwarding.

If you want to access more than one service on your Raspi over the internet, then it would be a good idea to setup a VPN connection, which is much more secure and you only got one hole in your firewall. First I thought you got a problem with DSL-Lite but as you said, you can access your Baikal server, so that shouldn’t be a problem for you.

Sebastian_Ga · November 13, 2016, 6:23pm

Thanks so far for your help Vertex!

I checked the manual “Deploy Seafile behind NAT” and changed my port forwarding settings according to your suggestion, but the problem still exists.

The router can only bind the MAC address to perform port forwarding.

I tried telnet to access the Raspberry. It can connect well over my WAN-IP / Dyndns-Domain.

MaEh · November 13, 2016, 8:15pm

Your Port-forwarding rules Looks confusing. Can you Post a Screenshot from editing the Port 80 Rule? Wgy does Port 8082 stand directly behind Port 80?

Simsala · November 14, 2016, 8:46am

I dont know this O2-router but @MaEh is right the port forwarding rules for seafile are looking somehow strange. Looks like you are forwarding port 80 from pi to 8082 of your ddns and 10001 to 12001.

Sebastian_Ga · November 14, 2016, 9:20am

Hi, I am sorry the screenshot from port forwarding can defenitly be misunderstood. The ports do not change, e.g. mydyndns-domain:80 will forwarded to my Raspberry-IP on port 80. You can define two port-ranges for each rule in the router menu that is the reason why it was written like “80/8082”.