Seafile with separated reverse proxy?

saljut7 · April 13, 2019, 1:53am

Hi,

I would like to separate my Nginx reverse proxy from my Seafile server. The Seafile server is configured to be accessed via “non-root directory” and the whole setup was running just fine before I separted the Nginx.

The Nginx config of the server working as Reverse Proxy is currently:

server {
		listen 80;
		server_name my.ddns.net;
		# force redirect http to https
		rewrite ^ https://$http_host$request_uri? permanent;
		# The following option enables or disables emitting nginx version on error pages and in the "Server" response header field:
		server_tokens off;
		}

server {
		# without spdy or html2 support:
		#listen 443;
		# with spdy or html2 support depending on your nginx version:
		# nginx version 1.9.5 and higher:
		listen 443 http2;
		# nginx version below 1.9.5:
		#listen 443 spdy;
		# IPv6 support
		#listen [::]:443;
		ssl on;
		# path to your cacert.pem:
		ssl_certificate /etc/letsencrypt/live/my.ddns.net/fullchain.pem;
		# path to your privkey.pem:
		ssl_certificate_key /etc/letsencrypt/live/my.ddns.net/privkey.pem;
		server_name my.ddns.net;
		ssl_session_timeout 5m;
		ssl_session_cache shared:SSL:5m;

		# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
		# openssl dhparam -out /etc/ssl/dh4096.param 4096
		ssl_dhparam /etc/ssl/dh4096.param;

		# secure settings (A+ at SSL Labs ssltest at time of writing)
		# compare
		# https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
		# https://github.com/mozilla/cipherscan
		# https://cipherli.st/
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
		ssl_prefer_server_ciphers on;

		proxy_set_header X-Forwarded-For $remote_addr;

		# HSTS header:
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
		# Obfuscate nginx version:
		server_tokens off;

		location / {
			# First attempt to serve request as file, then
			# as directory, then fall back to displaying a 404.
			#try_files $uri $uri/index.nginx-debian.html =404;
			try_files $uri $uri/index.html =404;
			root /var/www/html;
			}

		location /seafile {
			proxy_pass         http://vm-seafile:8000;
			proxy_set_header   Host $host;
			proxy_set_header   X-Real-IP $remote_addr;
			proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header   X-Forwarded-Host $server_name;
			proxy_set_header   X-Forwarded-Proto https;

			access_log      /var/log/nginx/seahub.access.log;
			error_log       /var/log/nginx/seahub.error.log;

			proxy_read_timeout  1200s;

			# used for view/edit office file via Office Online Server
			# https://manual.seafile.com/deploy/deploy_with_nginx.html
			# Nginx settings client_max_body_size is by default 1M. Uploading a file bigger than this limit will give you an error message HTTP error code 413 ("Request Entity Too Large").
			# You should use 0 to disable this feature or write the same value than for the parameter max_upload_size in section [fileserver] of seafile.conf. Client uploads are only partly effected by this limit. With a limit of 100 MiB they can safely upload files of any size.
			client_max_body_size 0;
			}

			location /media {
				root /opt/seafile/seafile-server-latest/seahub;
				}

			location /seafdav {
				# https://manual.seafile.com/extension/webdav.html  
				proxy_pass                http://vm-seafile:8080;
				proxy_set_header          Host $host;
				proxy_set_header          X-Real-IP $remote_addr;
				proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
				proxy_set_header          X-Forwarded-Host $server_name;
				proxy_set_header          X-Forwarded-Proto https;
				proxy_http_version        1.1;
				proxy_connect_timeout     36000s;
				proxy_read_timeout        36000s;
				proxy_send_timeout        36000s;
				send_timeout              36000s;
				client_max_body_size      0;

				# if you want to support file uploads larger than 4GB, we suggest to install Nginx version >= 1.8.0 and add the following option to Nginx config file (set to "off") -  https://manual.seafile.com/deploy/deploy_with_nginx.html
				proxy_request_buffering off;

				access_log      /var/log/nginx/seafdav.access.log;
				error_log       /var/log/nginx/seafdav.error.log;
				}

			location /seafhttp {
				rewrite ^/seafhttp(.*)$ $1 break;
				proxy_pass http://vm-seafile:8082;
				client_max_body_size 0;
				proxy_connect_timeout  36000s;
				proxy_read_timeout  36000s;
				proxy_send_timeout  36000s;
				send_timeout  36000s;
				# if you want to support file uploads larger than 4GB, we suggest to install Nginx version >= 1.8.0 and add the following option to Nginx config file (set to "off") -  https://manual.seafile.com/deploy/deploy_with_nginx.html
				proxy_request_buffering off;
				}

			location /seafmedia {
				rewrite ^/seafmedia(.*)$ /media$1 break;
				root /opt/seafile/seafile-server-latest/seahub;
				}

		}

The nginx of the Seafile-Server is disabled.
Both servers are part of the same LAN. Internal DNS translation works fine (so I don’t use IP addresses).

My problem: Accessing https://my.ddns.net/seafile/ shows a “broken” Seahub page but client access works fine.

I think this problem is caused by

			location /media {
				root /opt/seafile/seafile-server-latest/seahub;
				}

...

			location /seafmedia {
				rewrite ^/seafmedia(.*)$ /media$1 break;
				root /opt/seafile/seafile-server-latest/seahub;
				}

which is the configuration mentioned in Deploy Seahub at Non-root domain.

Does anyone know how to forward the /media and /seafmedia location block to the Seafile server in the right way (so similar to the /seafile location block)?

The existing topics…

…were not really helpful for me (or I didn’t understand the answers).

Thx for any help!

Nightshade · April 16, 2019, 12:03pm

Yes, it can be done. Although I use a different proxy, the cause lies within the seafile config.

You need to edit the seahub_settings.py, adding or modifying the following entries:

SERVE_STATIC = True
MEDIA_URL = '/seafile/media/'
COMPRESS_URL = MEDIA_URL
STATIC_URL = MEDIA_URL + 'assets/'

This will enable serving the static content from the seahub itself (which was formerly done by the nginx itself, but is not possible when the proxy is on a different machine). However, when run from a subfolder (non-root dir), the static content url is generated incorrectly in seahub, which requires the following fix in seafile/seahub/seahub/urls.py… Scroll down to a line containing the following:

if settings.SERVE_STATIC:

this was line 505 for my server (6.3.4). in the block of code below that line, replace

media_url = settings.MEDIA_URL.strip('/')

with the following lines:

## — Original code
##media_url = settings.MEDIA_URL.strip('/')
## — Begin new code
media_url = settings.MEDIA_URL
site_root = settings.SITE_ROOT
if media_url.startswith(site_root):
    media_url = media_url[len(site_root):]
media_url = media_url.strip('/')
## — End new code

This will fix the media url generation.

You will need to restart the seahub service afterwards, and you should delete /tmp/seahub_cache/ (I had to do that, as there were still old entries there with wrongly generated urls).

After that, you should be able to remove /media and /seafmedia locations from your proxy config completely, as both will now be covered by the /seafile proxy entry.

saljut7 · September 26, 2019, 3:30pm

I’ve tried @Nightshade s suggestion which caused some problems I can’t remember (however: Thank you very much for your reply @Nightshade !). In the end (after some months of usage tests), the following setup seems to work (except the problem that my Seafile server behaved strange after upgrading from CE version 6.3.4 to 7.0.4 so I had to do a VM rollback to the state to 6.3.4 so at least I can confirm the solution for 6.3.4):

Nginx config for the Seafile server:

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {
		listen 80;
		server_name your.ddns.net;

		location /seafile {
			proxy_pass          http://127.0.0.1:8000;
			proxy_pass_request_headers  on;

			proxy_read_timeout  1200s;

			access_log      /var/log/nginx/seahub.access.log;
			error_log       /var/log/nginx/seahub.error.log;
			}

			location /media {
				root /opt/seafile/seafile-server-latest/seahub;

				access_log      /var/log/nginx/seahub-media.access.log;
				error_log       /var/log/nginx/seahub-media.error.log;
				}

			location /seafmedia {
				rewrite ^/seafmedia(.*)$ /media$1 break;
				root /opt/seafile/seafile-server-latest/seahub;
				}

			location /seafdav {
				proxy_pass                http://127.0.0.1:8080;
				proxy_pass_request_headers  on;

				proxy_request_buffering off;

				access_log      /var/log/nginx/seafdav.access.log;
				error_log       /var/log/nginx/seafdav.error.log;
				}

			location /seafhttp {
				#The file server path MUST be /seafhttp because this path is hardcoded in the clients.
				rewrite ^/seafhttp(.*)$ $1 break;
				proxy_pass http://127.0.0.1:8082;
				proxy_pass_request_headers  on;
				# Nginx settings client_max_body_size is by default 1M. Uploading a file bigger than this limit will give you an error message HTTP error code 413 ("Request Entity Too Large").
				# You should use 0 to disable this feature or write the same value than for the parameter max_upload_size in section [fileserver] of seafile.conf. Client uploads are only partly effected by this limit. With a limit of 100 MiB they can safely upload files of any size.
				client_max_body_size 0;

				send_timeout  36000s;

				access_log      /var/log/nginx/seafhttp.access.log seafileformat;
				error_log       /var/log/nginx/seafhttp.error.log;

				# if you want to support file uploads larger than 4GB, we suggest to install Nginx version >= 1.8.0 and add the following option to Nginx config file (set to "off") -  https://manual.seafile.com/deploy/deploy_with_nginx.html
				proxy_request_buffering off;
				}

		}

Nginx config for the Reverse Proxy server:

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {
		listen 80;
		server_name your.ddns.net;
		
		#comment out the following line before renewing LE certs
		return 301 https://your.ddns.net$request_uri/;
		
		# The following option enables or disables emitting nginx version on error pages and in the "Server" response header field:
		server_tokens off;

		location /.well-known/acme-challenge {
			default_type "text/plain";
			root /var/www/certbot-webroot/;
			}

		}

server {
		# without spdy or html2 support:
		#listen 443;
		# with spdy or html2 support depending on your nginx version:
		# nginx version 1.9.5 and higher:
		listen 443 http2;
		# nginx version below 1.9.5:
		#listen 443 spdy;
		# IPv6 support
		#listen [::]:443;
		ssl on;
		# path to your cacert.pem:
		ssl_certificate /etc/letsencrypt/live/your.ddns.net/fullchain.pem;
		# path to your privkey.pem:
		ssl_certificate_key /etc/letsencrypt/live/your.ddns.net/privkey.pem;
		server_name your.ddns.net;
		ssl_session_timeout 5m;
		ssl_session_cache shared:SSL:5m;

		# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
		# but we use 4096 bits because it's more secure
		# openssl dhparam -out /etc/ssl/dh4096.param 4096
		ssl_dhparam /etc/ssl/dh4096.param;

		# secure settings (A+ at SSL Labs ssltest at time of writing)
		# compare
		# https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
		# https://github.com/mozilla/cipherscan
		# https://cipherli.st/
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
		ssl_prefer_server_ciphers on;

		proxy_set_header X-Forwarded-For $remote_addr;

		# HSTS header:
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
		# Obfuscate nginx version:
		server_tokens off;

		location / {
			# First attempt to serve request as file, then
			# as directory, then fall back to displaying a 404.
			#try_files $uri $uri/index.nginx-debian.html =404;
			try_files $uri $uri/index.html =404;
			root /var/www/html;
			}

		location /seafile {
			include /etc/nginx/conf.d/include.proxy_pass-seafile.common;
			#proxy_pass         http://127.0.0.1:8000;
			#proxy_set_header   Host $host;
			#proxy_set_header   X-Real-IP $remote_addr;
			#proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
			#proxy_set_header   X-Forwarded-Host $server_name;
			#proxy_set_header   X-Forwarded-Proto $scheme;

			proxy_read_timeout  1200s;

			# Nginx settings client_max_body_size is by default 1M. Uploading a file bigger than this limit will give you an error message HTTP error code 413 ("Request Entity Too Large").
			# You should use 0 to disable this feature or write the same value than for the parameter max_upload_size in section [fileserver] of seafile.conf. Client uploads are only partly effected by this limit. With a limit of 100 MiB they can safely upload files of any size.
			# used for view/edit office file via Office Online Server
			client_max_body_size 0;

			access_log      /var/log/nginx/seahub.access.log;
			error_log       /var/log/nginx/seahub.error.log;
			}

			location /media {
				#root /opt/seafile/seafile-server-latest/seahub;
				include /etc/nginx/conf.d/include.proxy_pass-seafile.common;

				access_log      /var/log/nginx/seahub-media.access.log;
				error_log       /var/log/nginx/seahub-media.error.log;
				}

			location /seafmedia {
				#rewrite ^/seafmedia(.*)$ /media$1 break;
				#root /home/user/haiwen/seafile-server-latest/seahub;
				rewrite ^/seafmedia(.*)$ /media$1 last;
				}

			location /seafdav {
				include /etc/nginx/conf.d/include.proxy_pass-seafile.common;

				# Nginx settings client_max_body_size is by default 1M. Uploading a file bigger than this limit will give you an error message HTTP error code 413 ("Request Entity Too Large").
				# You should use 0 to disable this feature or write the same value than for the parameter max_upload_size in section [fileserver] of seafile.conf. Client uploads are only partly effected by this limit. With a limit of 100 MiB they can safely upload files of any size.
				client_max_body_size       0;

				proxy_connect_timeout      36000s;
				proxy_read_timeout         36000s;
				proxy_send_timeout         36000s;
				send_timeout               36000s;

				# if you want to support file uploads larger than 4GB, we suggest to install Nginx version >= 1.8.0 and add the following option to Nginx config file (set to "off") -  https://manual.seafile.com/deploy/deploy_with_nginx.html
				proxy_request_buffering off;

				access_log      /var/log/nginx/seafdav.access.log;
				error_log       /var/log/nginx/seafdav.error.log;
				}

			location /seafhttp {
				#The file server path MUST be /seafhttp because this path is hardcoded in the clients.
				include /etc/nginx/conf.d/include.proxy_pass-seafile.common;
				#rewrite ^/seafhttp(.*)$ $1 break;
				#proxy_pass http://127.0.0.1:8082;
				# Nginx settings client_max_body_size is by default 1M. Uploading a file bigger than this limit will give you an error message HTTP error code 413 ("Request Entity Too Large").
				# You should use 0 to disable this feature or write the same value than for the parameter max_upload_size in section [fileserver] of seafile.conf. Client uploads are only partly effected by this limit. With a limit of 100 MiB they can safely upload files of any size.
				client_max_body_size 0;
				#proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

				proxy_connect_timeout  36000s;
				proxy_read_timeout  36000s;
				proxy_send_timeout  36000s;
				send_timeout  36000s;

				access_log      /var/log/nginx/seafhttp.access.log seafileformat;
				error_log       /var/log/nginx/seafhttp.error.log;

				# if you want to support file uploads larger than 4GB, we suggest to install Nginx version >= 1.8.0 and add the following option to Nginx config file (set to "off") -  https://manual.seafile.com/deploy/deploy_with_nginx.html
				proxy_request_buffering off;
				}

		}

HBaer · November 5, 2021, 7:15pm

Hi there,
I am also facing the problem that my Nginx is running on a different server than Seafile.
In your NGINX conf you refer to a file “/etc/nginx/conf.d/include.proxy_pass-seafile.common”.
What is the content of this file?
Thx for your help

saljut7 · December 18, 2021, 1:36am

Sorry for my late reply (was moving to a new home). My content of /etc/nginx/conf.d/include.proxy_pass-seafile.common is:

# The following settings are shared by all redirects for Seafile in /etc/nginx/sites-available/seafile
proxy_pass http://vm-seafile:80;
proxy_set_header          Host $host;
proxy_set_header          X-Real-IP $remote_addr;
proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header          X-Forwarded-Host $server_name;
#proxy_set_header          X-Forwarded-Proto https;
proxy_http_version        1.1;

Hope it helps. Happy hacking!

briceparmentier · January 28, 2022, 7:29pm

Hello here !

I’m also in the same situation where my reverse proxy (Nginx) is running on a separate machine.
But I think I have a configuration that is a bit different, which is that I have multiple applications behind my reverse proxy and I have an entry in my proxy to redirect to every app.

Machine A: running Nginx

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.domain.com;
        location /app1/ {
              include proxy_params;
              proxy_pass http://another_ip:port;
        }
        location /seafile/ {
              include proxy_params;
              proxy_pass http://seafile_ip:8000;
        }
        location /seafhttp {
                rewrite ^/seafhttp(.*)$ $1 break;
                proxy_pass http://seafile_ip:8082;
                client_max_body_size 0;
                proxy_connect_timeout  36000s;
                proxy_read_timeout  36000s;
                proxy_send_timeout  36000s;
                send_timeout  36000s;
        }
}

Machine B:

running SeaFile with default parameters
no nginx
other apps

Accessing the SeaFile from its local IP address on the LAN with port 8000 works like a charm, but if I want to access it from the outside, with my DNS, I’m getting a SeaFile 404. Meaning the reverse proxy is able to reach the SeaFile server/hub, but is not able to get the correct path to files (logo can’t load, neither can css and so on).

Basically I want to target my seafile server from the outside with https://example.domain.com/seafile, just like I do with my other apps https://example.domain.com/app2.

I’m not sure my infos are very clear, let me know if you need more details.

Thanks
Brice

Merill_Heebner · May 27, 2022, 2:14pm

It is possible to do this, but a reverse split proxy had many limitations!

saljut7 · May 29, 2022, 8:30pm

But I think I have a configuration that is a bit different, which is that I have multiple applications behind my reverse proxy and I have an entry in my proxy to redirect to every app.

If this was a reply to my case: Same for me (several application VMs behind a dedicated Reverse Proxy VM).