Seafile with separated reverse proxy?

server

#1

Hi,

I would like to separate my Nginx reverse proxy from my Seafile server. The Seafile server is configured to be accessed via “non-root directory” and the whole setup was running just fine before I separated the Nginx.

The Nginx config of the server working as Reverse Proxy is currently:

server {
		listen 80;
		server_name my.ddns.net;
		# force redirect http to https
		rewrite ^ https://$http_host$request_uri? permanent;
		# The following option enables or disables emitting nginx version on error pages and in the "Server" response header field:
		server_tokens off;
		}

server {
		# without spdy or http2 support:
		#listen 443;
		# with spdy or http2 support depending on your nginx version:
		# nginx version 1.9.5 and higher:
		listen 443 http2;
		# nginx version below 1.9.5:
		#listen 443 spdy;
		# IPv6 support
		#listen [::]:443;
		ssl on;
		# path to your cacert.pem:
		ssl_certificate /etc/letsencrypt/live/my.ddns.net/fullchain.pem;
		# path to your privkey.pem:
		ssl_certificate_key /etc/letsencrypt/live/my.ddns.net/privkey.pem;
		server_name my.ddns.net;
		ssl_session_timeout 5m;
		ssl_session_cache shared:SSL:5m;

		# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
		# openssl dhparam -out /etc/ssl/dh4096.param 4096
		ssl_dhparam /etc/ssl/dh4096.param;

		# secure settings (A+ at SSL Labs ssltest at time of writing)
		# compare
		# https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
		# https://github.com/mozilla/cipherscan
		# https://cipherli.st/
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
		ssl_prefer_server_ciphers on;

		proxy_set_header X-Forwarded-For $remote_addr;

		# HSTS header:
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
		# Obfuscate nginx version:
		server_tokens off;

		location / {
			# First attempt to serve request as file, then
			# as directory, then fall back to displaying a 404.
			#try_files $uri $uri/index.nginx-debian.html =404;
			try_files $uri $uri/index.html =404;
			root /var/www/html;
			}

		location /seafile {
			proxy_pass         http://vm-seafile:8000;
			proxy_set_header   Host $host;
			proxy_set_header   X-Real-IP $remote_addr;
			proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header   X-Forwarded-Host $server_name;
			proxy_set_header   X-Forwarded-Proto https;

			access_log      /var/log/nginx/seahub.access.log;
			error_log       /var/log/nginx/seahub.error.log;

			proxy_read_timeout  1200s;

			# used for view/edit office file via Office Online Server
			# https://manual.seafile.com/deploy/deploy_with_nginx.html
			# Nginx settings client_max_body_size is by default 1M. Uploading a file bigger than this limit will give you an error message HTTP error code 413 ("Request Entity Too Large").
			# You should use 0 to disable this feature or write the same value as for the parameter max_upload_size in section [fileserver] of seafile.conf. Client uploads are only partly affected by this limit. With a limit of 100 MiB they can safely upload files of any size.
			client_max_body_size 0;
			}

			location /media {
				root /opt/seafile/seafile-server-latest/seahub;
				}

			location /seafdav {
				# https://manual.seafile.com/extension/webdav.html  
				proxy_pass                http://vm-seafile:8080;
				proxy_set_header          Host $host;
				proxy_set_header          X-Real-IP $remote_addr;
				proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
				proxy_set_header          X-Forwarded-Host $server_name;
				proxy_set_header          X-Forwarded-Proto https;
				proxy_http_version        1.1;
				proxy_connect_timeout     36000s;
				proxy_read_timeout        36000s;
				proxy_send_timeout        36000s;
				send_timeout              36000s;
				client_max_body_size      0;

				# if you want to support file uploads larger than 4GB, we suggest to install Nginx version >= 1.8.0 and add the following option to Nginx config file (set to "off") -  https://manual.seafile.com/deploy/deploy_with_nginx.html
				proxy_request_buffering off;

				access_log      /var/log/nginx/seafdav.access.log;
				error_log       /var/log/nginx/seafdav.error.log;
				}

			location /seafhttp {
				rewrite ^/seafhttp(.*)$ $1 break;
				proxy_pass http://vm-seafile:8082;
				client_max_body_size 0;
				proxy_connect_timeout  36000s;
				proxy_read_timeout  36000s;
				proxy_send_timeout  36000s;
				send_timeout  36000s;
				# if you want to support file uploads larger than 4GB, we suggest to install Nginx version >= 1.8.0 and add the following option to Nginx config file (set to "off") -  https://manual.seafile.com/deploy/deploy_with_nginx.html
				proxy_request_buffering off;
				}

			location /seafmedia {
				rewrite ^/seafmedia(.*)$ /media$1 break;
				root /opt/seafile/seafile-server-latest/seahub;
				}

		}

The nginx of the Seafile-Server is disabled.
Both servers are part of the same LAN. Internal DNS translation works fine (so I don’t use IP addresses).

My problem: Accessing https://my.ddns.net/seafile/ shows a “broken” Seahub page but client access works fine.

I think this problem is caused by

			location /media {
				root /opt/seafile/seafile-server-latest/seahub;
				}

...

			location /seafmedia {
				rewrite ^/seafmedia(.*)$ /media$1 break;
				root /opt/seafile/seafile-server-latest/seahub;
				}

which is the configuration mentioned in Deploy Seahub at Non-root domain.

Does anyone know how to forward the /media and /seafmedia location block to the Seafile server in the right way (so similar to the /seafile location block)?

The existing topics…

…were not really helpful for me (or I didn’t understand the answers).

Thx for any help!


#2

Yes, it can be done. Although I use a different proxy, the cause lies within the seafile config.

You need to edit the seahub_settings.py, adding or modifying the following entries:

SERVE_STATIC = True
MEDIA_URL = '/seafile/media/'
COMPRESS_URL = MEDIA_URL
STATIC_URL = MEDIA_URL + 'assets/'

This will enable serving the static content from the seahub itself (which was formerly done by the nginx itself, but is not possible when the proxy is on a different machine). However, when run from a subfolder (non-root dir), the static content url is generated incorrectly in seahub, which requires the following fix in seafile/seahub/seahub/urls.py… Scroll down to a line containing the following:

if settings.SERVE_STATIC:

This was line 505 for my server (6.3.4). In the block of code below that line, replace

media_url = settings.MEDIA_URL.strip('/')

with the following lines:

## — Original code
##media_url = settings.MEDIA_URL.strip('/')
## — Begin new code
media_url = settings.MEDIA_URL
site_root = settings.SITE_ROOT
if media_url.startswith(site_root):
    media_url = media_url[len(site_root):]
media_url = media_url.strip('/')
## — End new code

This will fix the media url generation.

You will need to restart the seahub service afterwards, and you should delete /tmp/seahub_cache/ (I had to do that, as there were still old entries there with wrongly generated urls).

After that, you should be able to remove /media and /seafmedia locations from your proxy config completely, as both will now be covered by the /seafile proxy entry.
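
The effect of the urls.py change described in the answer above, as an added example that is not part of the original posts or of Seahub's own code. It assumes SITE_ROOT = '/seafile/' (with trailing slash), a constructed request path, and that Django matches the static route against the path with SITE_ROOT already removed, using a pattern of the form `^<prefix>/(?P<path>.*)$`.

```python
import re

# Values from the thread; SITE_ROOT with a trailing slash is an assumption.
SITE_ROOT = '/seafile/'
MEDIA_URL = '/seafile/media/'
# Constructed sample request as it arrives through the /seafile proxy location.
REQUEST = '/seafile/media/css/seahub.css'


def original_prefix(media_url):
    """Route prefix as computed by the unpatched line in urls.py."""
    return media_url.strip('/')


def patched_prefix(media_url, site_root):
    """Route prefix as computed by the replacement lines from the answer."""
    if media_url.startswith(site_root):
        media_url = media_url[len(site_root):]
    return media_url.strip('/')


def static_route_matches(prefix, request_path, site_root):
    """Return the file path the static view would receive, or None.

    Assumption: the URL resolver sees the path relative to SITE_ROOT and the
    static route is ^<prefix>/(?P<path>.*)$ (hypothetical model of urls.py).
    """
    if not request_path.startswith(site_root):
        return None
    relative = request_path[len(site_root):]
    match = re.match(r'^%s/(?P<path>.*)$' % re.escape(prefix), relative)
    return match.group('path') if match else None


def compare(media_url, site_root, request_path):
    """Show what each variant of the prefix does with the same request."""
    before = original_prefix(media_url)
    after = patched_prefix(media_url, site_root)
    return {
        'original': (before, static_route_matches(before, request_path, site_root)),
        'patched': (after, static_route_matches(after, request_path, site_root)),
    }


if __name__ == '__main__':
    for variant, result in compare(MEDIA_URL, SITE_ROOT, REQUEST).items():
        print(variant, result)
```

With the unpatched prefix the route never matches under a non-root SITE_ROOT, which is consistent with the "broken" Seahub page; a root deployment (SITE_ROOT '/', MEDIA_URL '/media/') gives the same prefix in both variants.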