Since we want to upgrade from Seafile 6.2 to 6.3, we need to finally switch from fastcgi to wsgi, because fastcgi is not supported anymore by the underlying Django framework.
As a university user, we are currently depending on Shibboleth for authentication and I’m not happy about the current solution of transferring the trusted information of Shibboleth SP to seahub using an untrusted path (HTTP headers).
This was already discussed in 6.2 Pro beta : Shibboleth Login fails (apache config), but I’m not convinced.
All Shibboleth resources state (even the one cited in the other thread), that you should use environment variables as a secure channel, where possible. And with mod_wsgi it would be possible.
Please consider supporting mod_wsgi as a secure alternative to gunicorn and mod_proxy.
At first glance it doesn’t seem too complicated to use that instead. And it could even be faster.
The biggest problem here is, that we need to configure the same environment build by seahub.sh for mod_wsgi.
For me using HTTP headers and relying on anti-spoofing measures is like having a walk on the german Autobahn, but having a safety car behind you. Instead you could simply use a pedestrian path next to the Autobahn (environment variables).