Seafile behind NAT - unsafe without Apache?


#1

Hi

I’m running Seafile in my LAN but I have forwarded ports 8000 and 8082 to have access from the outside world. It worked fine with Seafile 6.x. After migration to 7.x I had some problems (as I was using local IP addresses in configurations) but finally I figured out what to do.

When I was googling for solutions I found official info about NAT in the Seafile manual.
What bothers me is this:

“If you do not deploy Seafile behind Apache/Nginx you need to configure port forward for all the components listed below. (not recommended!)” (from the Seafile manual)

Why is it not recommended? Is it unsafe to expose a bare Seafile server to the outside world?

regards
Michał Walenciak


#2

Yes. It is neither made to handle many requests nor to handle high load or bad connections. For these purposes, a reverse proxy was invented. There are also some potential security risks, and Seafile will be faster with a reverse proxy. But the worst thing you did was that you probably used an unencrypted connection over the internet. Everyone can read your data and even your credentials. So it’s dangerous to run Seafile on www without a reverse proxy. I recommend nginx, because it’s easier to install and performs better than Apache.
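
An added example, not part of the original posts or the Seafile manual: a minimal nginx TLS front end for the setup discussed in this thread, so that only nginx is reachable from the internet. It assumes Seahub listens on 127.0.0.1:8000 and the file server on 127.0.0.1:8082 (the two ports forwarded in post #1); the hostname `seafile.example.com`, the certificate paths and the `/seafhttp` prefix are placeholders and assumptions.

```nginx
# Redirect all plaintext requests to HTTPS so credentials never cross the
# internet unencrypted.
server {
    listen 80;
    server_name seafile.example.com;        # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name seafile.example.com;        # placeholder hostname

    # Placeholder certificate paths; use the files issued for your hostname.
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Web interface (Seahub), previously exposed directly on port 8000.
    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 1200s;
    }

    # File server, previously exposed directly on port 8082.
    # The /seafhttp prefix is an assumption of this example.
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass              http://127.0.0.1:8082;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size    0;          # no upload size limit at the proxy
        proxy_request_buffering off;        # stream large uploads to the backend
        proxy_read_timeout      1200s;
    }
}
```

With this in place the router forwards only ports 80 and 443 to the nginx host, and the forwards for 8000 and 8082 are removed. Seafile's own configured service and file-server URLs then need to point at the `https://` address.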


#3

hi @bionade24

Thank you for the clarification.

I find it quite surprising that the information you provided is not written in bold in the manuals.
Moreover, “Deploying Seafile under Linux” suggests using the configuration I have used - “Deploy Seafile in Home/Personal Environment”.

If I wasn’t having NAT problems I would probably never have visited the “Deploy Seafile behind NAT” chapter.
This is dangerous for 2 reasons:

  1. Some people may install Seafile on a server with a public interface
  2. Some may get it working with simple port forwarding without needing to read the manual.

Frankly speaking I am quite disappointed that Seafile does not provide its own encryption mechanisms which would not require additional knowledge and setup from the user.
Now I am forced to configure and maintain additional services and learn about certification etc.


#4

If you don’t really need public access to the server site I’d suggest you use zerotier.


#5

@fakuivan I’d prefer to have public access however thx for this tool as it probably solves some of my other issues :wink:


#6

Using https is the internet standard for encryption. Why would Seafile develop its own encryption? This would be a waste of resources and, to be honest, the result would not be as good as https.

The (basic) knowledge of a webserver IS A MUST for anyone who wants to run a file server with public access.


#7

Hi @Pazzoide

I think we misunderstood each other. From my point of view I just do not want to know what kind of encryption is being used. It can be https, I do not mind.
For example when I run sshd I do not need to learn anything about encryption mechanisms.

The fact that Seafile is a webserver should be transparent to me. From a user perspective it could be any kind of server. Once again - I do not care how sshd works.

This is just my opinion as a user.