Seafile + nginx with ssl

Hi, I’m new to both seafile and nginx.

I managed to set up seafile with docker on HTTP and then I made nginx work with a self-signed SSL certificate (I use it in my local network) on my local hostname seafile.muratori.lan.

This is my seafile docker compose:

services:
  db:
    image: mariadb:10.11
    container_name: seafile-mysql
    environment:
      - MYSQL_ROOT_PASSWORD=###  # Required, set the root's password of MySQL service.
      - MYSQL_LOG_CONSOLE=true
      - MARIADB_AUTO_UPGRADE=1
    volumes:
      - /opt/seafile-mysql/db:/var/lib/mysql  # Required, specifies the path to MySQL data persistent store.
    networks:
      - seafile-net

  memcached:
    image: memcached:1.6.18
    container_name: seafile-memcached
    entrypoint: memcached -m 256
    networks:
      - seafile-net

  seafile:
    image: seafileltd/seafile-mc:11.0-latest
    container_name: seafile
    ports:
#       - "8000:80"
       - "8000:443"  # If https is enabled, cancel the comment.
    volumes:
      - /opt/seafile-data:/shared   # Required, specifies the path to Seafile data persistent store.
    environment:
      - DB_HOST=db
      - DB_ROOT_PASSWD=###  # Required, the value should be root's password of MySQL service.
      - TIME_ZONE=Etc/UTC  # Optional, default is UTC. Should be uncomment and set to your local time zone.
      - SEAFILE_ADMIN_EMAIL=### # Specifies Seafile admin user, default is 'me@example.com'.
      - SEAFILE_ADMIN_PASSWORD=###     # Specifies Seafile admin password, default is 'asecret'.
      - SEAFILE_SERVER_LETSENCRYPT=false   # Whether to use https or not.
      - SEAFILE_SERVER_HOSTNAME=seafile.muratori.lan # Specifies your host name if https is enabled.
    depends_on:
      - db
      - memcached
    networks:
      - seafile-net

networks:
  seafile-net:

And this is my nginx configuration file:

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

 server {
    listen 80;
    server_name seafile.muratori.lan;
    rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
}


server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;

    server_name seafile.muratori.lan;

    ssl_certificate /etc/ssl/certs/httpd-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/httpd-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    proxy_set_header X-Forwarded-For $remote_addr;

    location / {
         proxy_pass         http://127.0.0.1:8000;
         proxy_set_header   Host $http_host;
         proxy_set_header   X-Real-IP $remote_addr;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Host $server_name;
         proxy_read_timeout  1200s;

         # used for view/edit office file via Office Online Server
         client_max_body_size 0;

         access_log      /var/log/nginx/seahub.access.log seafileformat;
         error_log       /var/log/nginx/seahub.error.log;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;

        send_timeout  36000s;

        access_log      /var/log/nginx/seafhttp.access.log seafileformat;
        error_log       /var/log/nginx/seafhttp.error.log;
    }
    location /media {
        root /opt/seafile/seafile-server-latest/seahub;
    }
}

As you can see:
- Nginx 80->443 (force https)
- Nginx 443->8000
- Seafile 8000->443 (this 443 is the container internal port)

I can’t set up seafile to use 443->443 since the external 443 port is already in use by nginx.
The problem is that if I try to connect to https://seafile.muratori.lan I get the “502 Bad Gateway” error.

Using the mapping 8000->80 in seafile I can actually enter the website but I can’t upload files (probably it’s because I’m using HTTPS on nginx and HTTP on seafile).

I’m pretty sure this is a port-mapping related problem but I’m not skilled enough to solve it on my own; can somebody help me?

Thanks

Hi there,

It looks like you’re on the right track with setting up Seafile and Nginx, but there are a few adjustments you can make to resolve the “502 Bad Gateway” error and ensure everything works smoothly.

Key Recommendations:

1. Port Mapping in Docker Compose:

  • Instead of using 8000:443, you should map Seafile’s internal HTTP port to an external port that Nginx can access. Typically, Seafile listens on port 80 internally, so you can map it like this:

ports:
  - "8000:80"
  # - "8000:443"

  • This setup allows Nginx to handle HTTPS, while Seafile handles HTTP internally.

2. Nginx Configuration:

  • Since Seafile already includes its own Nginx server, your external Nginx configuration should focus on handling SSL termination and proxying requests to Seafile. Here’s a simplified configuration that should suffice:

   log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

   server {
       listen 80;
       server_name seafile.muratori.lan;
       rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
   }

   server {
       listen 443 http2 ssl;
       listen [::]:443 http2 ssl;

       server_name seafile.muratori.lan;

       ssl_certificate /etc/ssl/certs/httpd-selfsigned.crt;
       ssl_certificate_key /etc/ssl/private/httpd-selfsigned.key;
       ssl_dhparam /etc/ssl/certs/dhparam.pem;

       # No limit for the uploads
       client_max_body_size 0;

       location / {
           proxy_pass http://127.0.0.1:8000;
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;

           # For large files
           proxy_connect_timeout 36000s;
           proxy_read_timeout 36000s;
           proxy_send_timeout 36000s;

           # Support WebSocket
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "upgrade";

           access_log /var/log/nginx/seahub.access.log seafileformat;
           error_log /var/log/nginx/seahub.error.log;
       }
   }

3. Ensure Proper Headers:

  • Make sure that Nginx is correctly forwarding the necessary headers to Seafile. This includes X-Forwarded-Proto to indicate the original protocol (HTTPS).

4. Testing and Logs:

  • After making these changes, restart your Docker containers and Nginx. Check the Nginx and Seafile logs for any additional errors that might provide more context.

By ensuring that your port mappings and SSL configurations are correctly set up, you should be able to resolve the “502 Bad Gateway” error and enable file uploads. If you continue to experience issues, feel free to share more details, and we can further troubleshoot together.

Best of luck, and let me know if you need any more help!

NOTE

I noticed in your original configuration that you have the line:

proxy_pass http://127.0.0.1:8000;

However, in your Docker Compose setup, you mapped port 8000 to 443, which is an HTTPS port. This mismatch can cause the “502 Bad Gateway” error because Nginx is trying to communicate over HTTP with a port that’s expecting HTTPS.
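
As an added example (not part of either post), this small Python check cross-references the `proxy_pass` targets in an nginx config with the port mappings in a compose file and reports the mismatch described in the note above. The sample strings are constructed from the question's files; `TLS_PORTS` and the premise that every local upstream is a container published by this compose file are assumptions of the example.

```python
import re

# Constructed samples that mirror the question's files (trimmed to the relevant lines).
COMPOSE = '''
    ports:
#       - "8000:80"
       - "8000:443"  # If https is enabled, cancel the comment.
'''
NGINX = '''
    location / {
         proxy_pass         http://127.0.0.1:8000;
    }
    location /seafhttp {
        proxy_pass http://127.0.0.1:8082;
    }
'''
TLS_PORTS = {443, 8443}            # assumption: container ports treated as TLS listeners
LOCAL = {"127.0.0.1", "localhost"}

def published_ports(compose_text):
    """Return {host_port: container_port} for uncommented "HOST:CONTAINER" entries."""
    ports = {}
    for line in compose_text.splitlines():
        m = re.match(r'\s*-\s*["\']?(?:[\d.]+:)?(\d+):(\d+)(?:/tcp)?["\']?\s*(?:#.*)?$', line)
        if m:
            ports[int(m.group(1))] = int(m.group(2))
    return ports

def proxy_targets(nginx_text):
    """Return [(scheme, host, port)] for every proxy_pass with an explicit port."""
    found = []
    for line in nginx_text.splitlines():
        m = re.search(r'proxy_pass\s+(https?)://([^\s;/:]+):(\d+)', line.split('#', 1)[0])
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found

def check(compose_text, nginx_text):
    """List the reasons a local proxy_pass target would fail against the compose file."""
    ports, findings = published_ports(compose_text), []
    for scheme, host, port in proxy_targets(nginx_text):
        if host not in LOCAL:
            continue
        if port not in ports:
            findings.append(f"{port}: not published by any container")
        elif (scheme == "http") == (ports[port] in TLS_PORTS):
            findings.append(f"{port}: {scheme} proxy_pass to container port {ports[port]}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(COMPOSE, NGINX)))
```

Against the question's files it reports two findings: the plain-HTTP `proxy_pass` to a port mapped onto 443, and the `/seafhttp` upstream on 8082, which the compose file never publishes.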