Seafile and Seahub without reverse proxy

Given that Gunicorn supports HTTPS/SSL connections directly, is there a reason I need a reverse proxy at all? I’ve actually managed to get Seafile installed and mostly working without any reverse proxy at all. Here is my gunicorn.conf.py:

> seafile@host1 ~ $ cat conf/gunicorn.conf.py 
> import os
> daemon = True
> workers = 5
> bind = "0.0.0.0:8000"
> certfile = '/etc/letsencrypt/live/my.domain.com/fullchain.pem'
> keyfile = '/etc/letsencrypt/live/my.domain.com/privkey.pem'
> pids_dir = '/home/seafile/pids'
> pidfile = os.path.join(pids_dir, 'seahub.pid')
> timeout = 1200
> limit_request_line = 8190

And my ccnet.conf:

> seafile@host1 ~ $ cat conf/ccnet.conf 
> [General]
> SERVICE_URL = https://<my_domain>:8000
> FILE_SERVER_ROOT = http://<my_domain>:8082
> 
> [Database]
> ENGINE = mysql
> HOST = 127.0.0.1
> PORT = 3306
> USER = seafile
> PASSWD = nope
> DB = ccnet_db
> CONNECTION_CHARSET = utf8

With the domain and passwords sanitized just to avoid unwanted attention. Things seem to mostly work properly, and I can point a web browser at https://<my_domain>:8000 and log in. My only remaining problem is I am unable to upload any files via the web interface. Even a small 1KB text file gives “Network Error” in the upload page and nothing in logs/seahub.log.

In the web interface’s Admin area I’ve set:

SERVICE_URL = https://<my_domain>:8000
FILE_SERVER_ROOT = http://<my_domain>:8082

I believe this is correct because the FILE_SERVER_ROOT doesn’t appear to accept HTTPS connections:

> seafile@host1 ~ $ curl -v 'https://<my_domain>:8082'
> *   Trying 111.111.111.111:8082...
> * TCP_NODELAY set
> * Connected to <my_domain> (111.111.111.111) port 8082 (#0)
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: /etc/ssl/certs
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <my_domain>:8082 
> * Closing connection 0
> curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <my_domain>:8082 
> seafile@host1 ~ $ curl -v 'http://<my_domain>:8082'
> *   Trying 111.111.111.111:8082...
> * TCP_NODELAY set
> * Connected to <my_domain> (111.111.111.111) port 8082 (#0)
> > GET / HTTP/1.1
> > Host: <my_domain>:8082
> > User-Agent: curl/7.66.0
> > Accept: */*
> > 
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 404 Not Found
> < Content-Length: 0
> < 
> * Connection #0 to host <my_domain> left intact

However I still get the immediate “Network Error” message when trying to upload any file via the web interface. I’ve looked around for answers, but everything assumes I’m running a reverse proxy, which I’d honestly prefer to avoid. Anyone have any suggestions?

Looks like you found it out yourself. The fileserver does not support TLS. So when not using a reverse proxy, all your data will be transferred unencrypted. Even if it supported TLS, the disadvantage would be that multiple ports were required.

Using TLS usually involves using specific ports for secure communication (for example, HTTPS on port 443). This can be seen as a disadvantage, especially if you prefer to use a single port or have port availability limitations. Alternatively, you could buy proxies and try logging in through a different location. You mentioned that if you don’t use a reverse proxy, the data is transmitted unencrypted. A reverse proxy can help by handling TLS encryption and redirecting requests to the file server.
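
The reverse-proxy setup the replies point to, written out as an nginx configuration (an added example, not posted by anyone in the thread). It assumes nginx runs on the same host, that the public port is 443, and that the certificate paths are the ones shown in the question; the `/seafhttp` prefix is the one Seafile's own documentation uses for the fileserver.

```nginx
# Added example, not from the thread. Assumptions: nginx on the same host,
# public port 443, the Let's Encrypt paths shown in the question.
# Backends stay plain HTTP but listen on loopback only:
#   gunicorn.conf.py : bind = "127.0.0.1:8000", certfile/keyfile removed
#   seafile.conf     : [fileserver] host = 127.0.0.1, port = 8082
# Seafile then advertises a single HTTPS origin:
#   SERVICE_URL      = https://my.domain.com
#   FILE_SERVER_ROOT = https://my.domain.com/seafhttp
server {
    listen 443 ssl;
    server_name my.domain.com;

    ssl_certificate     /etc/letsencrypt/live/my.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;

    # Seahub (web UI served by gunicorn)
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 1200s;   # matches timeout = 1200 in gunicorn.conf.py
    }

    # Seafile fileserver (uploads and downloads), which speaks HTTP only
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;   # strip the prefix before proxying
        proxy_pass http://127.0.0.1:8082;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 0;             # no nginx-side upload size limit
        proxy_request_buffering off;        # stream uploads to the backend
        proxy_read_timeout 36000s;
        proxy_send_timeout 36000s;
    }
}
```

With this layout only port 443 has to be reachable from outside; ports 8000 and 8082 can be closed at the firewall because both backends listen on loopback.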