Prevent default http port 8000 from listening?

I installed the (free) Pro version of Seafile Server 6.27 and put it behind nginx. Using all the various instructions available, I set the https port to 8001. This included editing the nginx files, seafile.conf, seahub settings, FILE_SERVER_ROOT, etc.

All this is working well. Using my self-signed cert, I can indeed navigate to https://my-server:8001 and it works great.

The problem is it still answers to http://my-server on port 80, unencrypted. How do I turn that off?

There are 2 options:

  1. You have to disable nginx listening on port 80 in the nginx conf.
  2. You have to set up a firewall, or you open Django without nginx.

You should redirect to 8001, then it’ll work.

This is the default port 8000, not port 80. Removing the server section for the port 80 redirect didn’t work.

New problem now that I started using it…

I can only create a new library under the http:// :8000 url
If I try to do it under the https:// :8001 url it fails with an error.

Did you start seahub on port 8001 or only nginx? Maybe you could fix it in seahub_settings.py.
Please show me your config data; post it here.

No I just start it normally. The idea is I (only) want https via port 8001 and it somewhat works, but I cannot do anything under my Admin account on the web gui without it throwing an error, so that is now far more important than figuring out how to block port 8000 on http, since that’s the only one that works correctly!

Server is Ubuntu 16.04 running the 3-user Pro version of Seafile and using SQLite.
This is for home use. If you can get this working flawlessly, I would so much appreciate it!

In order of my problems:

  1. Make https://ns.mydomain.net:8001 work correctly with the same permissions as http://ns.mydomain.net:8000
  2. Make the redirect work correctly to https://ns.mydomain.net:8001. Right now it only works if I had previously logged in. If my login isn’t cached in my browser, it throws this redirect to nowhere.
    https://ns.mydomain/accounts/login?next=/
  3. Remove it listening on port 8000, but I can’t do that if 8001 isn’t working first! Now I don’t even care much about this though as I simply could avoid using it, and I’m only forwarding port 8001 over my firewall publicly anyway.

Here is a sanitized set of configs:

seafile@hserver2:~/conf$ cat ccnet.conf
[General]
USER_NAME = XSeafile
ID = xxxxxx
NAME = XSeafile
SERVICE_URL = https://ns.mydomain.net:8001

[Client]
PORT = 13419



seafile@hserver2:~/conf$ cat seafile.conf
[fileserver]
port=8082
# bind address for fileserver
# default to 0.0.0.0, if deployed without proxy: no access restriction
# set to 127.0.0.1, if used with local proxy: only access by local
host = 127.0.0.1

# How long a session can be open before it times out.
web_token_expire_time=7200
# Max upload size, it's in MB
max_upload_size=10000

[zip]
# Changes the encoding on the zip download files so it works with Windows.
windows_encoding = iso-8859-1

[history]
# How many days that users can keep their history
keep_days = 30

[library_trash]
# How often trashed libraries are scanned for removal, default 1 day.
scan_days = 1
# How many days to keep trashed libraries, default 30 days.
expire_days = 30



seafile@hserver2:~/conf$ cat seahub_settings.py
# -*- coding: utf-8 -*-
SECRET_KEY = "xxxxxxxxxx"
FILE_SERVER_ROOT = 'https://ns.mydomain.net:8001/seafhttp'
SITE_NAME = 'XSeafile'
# Browser tab's title
SITE_TITLE = 'XSeafile'
# Time Zone, this is needed to get Fail2Ban to work correctly.
TIME_ZONE = 'America/New_York'
seafile@hserver2:~/conf$ 


seafile@hserver2:/etc/nginx/sites-enabled$ cat seafile.conf
    server {
        listen       80;
        server_name  ns.mydomain.net;
        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Frame-Options "DENY" always;
        add_header Referrer-Policy "strict-origin" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        server_tokens off;
    }
    server {
        listen 8001;
        ssl on;
        ssl_certificate /etc/ssl/private/cacert.pem;        # path to your cacert.pem
        ssl_certificate_key /etc/ssl/private/privkey.pem;    # path to your privkey.pem
        server_name ns.mydomain.net;
        ssl_session_timeout 9m;
        ssl_session_cache shared:SSL:9m;
 
        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/ssl/private/dhparam.pem;
 
        # secure settings (A+ at SSL Labs ssltest at time of writing)
        # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
        ssl_prefer_server_ciphers on;
 
        proxy_set_header X-Forwarded-For $remote_addr;
 
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Frame-Options "DENY" always;
        add_header Referrer-Policy "strict-origin" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        server_tokens off;
 
        location / {
            proxy_pass         http://127.0.0.1:8000;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
            proxy_set_header   X-Forwarded-Proto https;
            proxy_request_buffering off;
 
            access_log      /var/log/nginx/seahub.access.log;
            error_log       /var/log/nginx/seahub.error.log;
 
            proxy_read_timeout  1200s;
 
            client_max_body_size 0;
        }
 
        location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            proxy_connect_timeout  36000s;
            proxy_request_buffering off;
            proxy_read_timeout  36000s;
            proxy_send_timeout  36000s;
            send_timeout  36000s;
        }
        location /media {
            root /home/seafile/seafile-server-latest/seahub;
        }
    }



seafile@hserver2:/etc/systemd/system$ cat seafile.service
[Unit]
Description=Seafile Server
After=network.target

[Service]
Type=oneshot
ExecStart=/home/seafile/seafile-server-latest/seafile.sh start
ExecStop=/home/seafile/seafile-server-latest/seafile.sh stop
RemainAfterExit=yes
User=seafile
Group=seafile

[Install]
WantedBy=multi-user.target



seafile@hserver2:/etc/systemd/system$ cat seahub.service
[Unit]
Description=Seafile Hub
After=network.target seafile.service

[Service]
Type=oneshot
ExecStart=/home/seafile/seafile-server-latest/seahub.sh start
ExecStop=/home/seafile/seafile-server-latest/seahub.sh stop
RemainAfterExit=yes
User=seafile
Group=seafile

[Install]
WantedBy=multi-user.target
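
A check for problem 3 in the list above, as an added example that is not part of the original thread: it parses `ss -ltn` output and reports any backend port (8000 for seahub, 8082 for the fileserver, as in the configs above) that is bound to a non-loopback address. The sample output is constructed, and the function names are hypothetical.

```python
import ipaddress
import subprocess

# Constructed sample of `ss -ltn` output (not captured from the poster's server).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:8000        0.0.0.0:*
LISTEN  0       128     127.0.0.1:8082      0.0.0.0:*
LISTEN  0       128     0.0.0.0:8001        0.0.0.0:*
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     [::1]:8000          [::]:*
"""


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; '*', 0.0.0.0 and :: are wildcards."""
    addr = addr.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %iface
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_backends(ss_output, backend_ports=(8000, 8082)):
    """Return (address, port) pairs where a backend port is reachable off-host."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                            # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in backend_ports and not is_loopback(addr):
            exposed.append((addr, int(port)))
    return exposed


if __name__ == "__main__":
    print("sample:", exposed_backends(SAMPLE_SS))
    live = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    print("this host:", exposed_backends(live))
```

An empty list means only nginx can reach the backends; any entry is a listener that answers plain HTTP from other hosts unless a firewall blocks it.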

Oops. And because https://ns.mydomain.net:8001 doesn’t work without a previous login, I can’t get it working from the iOS App on my iPhone either.

Edit:
I fixed #1 and #2. I won’t worry about #3 now. I needed to change something in the site file for nginx.

location / {
proxy_set_header host $http_host;

I changed $host to $http_host which allows for a non-standard port change, and that fixed it up.

1 Like
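
Why the `$host` to `$http_host` change fixes the login redirect, as an added example that is not part of the original thread: nginx's `$host` is the host name with the port removed, while `$http_host` is the client's `Host` header verbatim. The backend here is a hypothetical stand-in that is assumed to build absolute redirect URLs from the forwarded `Host` header; it is not Seahub code.

```python
from urllib.parse import quote


def nginx_vars(host_header, server_name):
    """Return nginx's $http_host and $host for a request.

    $http_host is the client's Host header verbatim; $host is the host name
    lowercased with any port removed (server_name if no Host was sent).
    """
    if not host_header:
        return {"http_host": "", "host": server_name}
    name = host_header.lower()
    if name.startswith("["):                  # IPv6 literal such as [::1]:8001
        name = name[: name.find("]") + 1]
    else:
        name = name.split(":", 1)[0]
    return {"http_host": host_header, "host": name}


def login_redirect(forwarded_host, forwarded_proto, next_path="/"):
    """Assumed backend behaviour: absolute Location built from proxy headers."""
    target = quote(next_path, safe="/")
    return f"{forwarded_proto}://{forwarded_host}/accounts/login?next={target}"


def simulate(proxy_host_variable, client_host="ns.mydomain.net:8001"):
    """Location a logged-out browser gets with `proxy_set_header Host $<var>`."""
    variables = nginx_vars(client_host, server_name="ns.mydomain.net")
    return login_redirect(variables[proxy_host_variable], "https")


if __name__ == "__main__":
    for var in ("host", "http_host"):
        print(f"${var:<10} -> {simulate(var)}")
```

With `$host` the redirect loses `:8001` and points at the default HTTPS port, which matches the "redirect to nowhere" URL quoted earlier in the thread.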