Seahub only on localhost

Hi all,
is there a way to force seahub to listen only on localhost?
I have seafile working with apache2 and want to avoid seahub listening on port 8000 from the internet.

Thank you,
John

If you are using Apache2, then you don’t have to open port 8000 on the router for external access. Apache2 set up as a reverse proxy eliminates the need for opening ports on the router to anything except the listen port you have set up in Apache.

Example:

Seahub listens locally on port 8000
You set up Apache to listen on 443 and open only that port on the router. Apache then proxies the data over to the internal port 8000.

I think they meant localhost as in the loopback interface, not a local subnet.

You could fiddle around with iptables to make the seahub ports only available to localhost. I recommend using docker, it will let you expose only the ports that you want.

I was addressing his statement about listening on port 8000 from the internet. With Apache, it isn’t necessary to open port 8000 on the router.

If, however, he is trying to prevent internal machines from accessing port 8000, then a firewall might be ideal. There may also be a way to do it in the seahub settings, but I’m not certain.

If you have a VPS with a dedicated interface exposed to the internet or a DMZed server (no router creating a NAT), then there’s virtually no router in the middle as far as this is concerned. If @a1961531 does have a router in the middle with a NAT firewall, then that’s valid. I’m assuming that’s not the case, given that it’d be dumb to create a port forwarding rule and then ask the forwarded client to ignore it instead of just removing it.


Yeah, knowing more about his setup would be helpful for certain.

Thanks all for your answers.
Yes, I have a VPS with one interface exposed to the internet and I don’t want the port 8000 to be listening. I know, I can configure iptables to do that but I’m sure it is possible with the seafile configuration: I did it in my past setup but I cannot remember how.

This is the only thing I could find in the manual, under the seahub_settings.py section.

# For security consideration, please set to match the host/domain of your site, e.g., ALLOWED_HOSTS = ['.example.com'].
# Please refer https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts for details.
ALLOWED_HOSTS = ['.myseafile.com']

This has been raised a couple of times before. If you’re happy to edit seahub.sh then edit this line:

$PYTHON $gunicorn_exe seahub.wsgi:application -c "${gunicorn_conf}" -b "0.0.0.0:${port}" --preload

replacing 0.0.0.0 with 127.0.0.1. There is supposed to be an option for this sometime in the future.

This made ports 8000 8082 only accessible on the loopback interface, I think that’s what you need.


(I version my configs with git just in case I mess up when trying to modify configs.)
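
A way to confirm the bind change discussed in this thread took effect, as an added example that is not from any poster or from the Seafile project: it filters `ss -ltn` output for listeners on ports 8000 and 8082 that are bound to anything other than loopback. The function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listeners on the given ports that are NOT loopback-only.
# Input: `ss -ltn` style text on stdin. Arguments: ports to check.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                                  # Local Address:Port column
            port = la; sub(/.*:/, "", port)          # text after the last colon
            addr = la; sub(/:[^:]*$/, "", addr)      # text before the last colon
            if (!(port in want)) next
            # Loopback forms: 127.0.0.0/8 and IPv6 ::1 (printed as [::1])
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print la                                 # wildcard or public bind
        }'
}

# Constructed sample: gunicorn still bound with -b 0.0.0.0:8000
sample_before() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      2048   0.0.0.0:8000       0.0.0.0:*
LISTEN 0      128    [::]:8082          [::]:*
LISTEN 0      511    *:443              *:*
EOF
}

# Constructed sample: after changing the bind address to 127.0.0.1
sample_after() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      2048   127.0.0.1:8000     0.0.0.0:*
LISTEN 0      128    127.0.0.1:8082     0.0.0.0:*
LISTEN 0      511    *:443              *:*
EOF
}

# On a real host: ss -ltn | exposed_listeners 8000 8082
echo "before:"; sample_before | exposed_listeners 8000 8082
echo "after:";  sample_after  | exposed_listeners 8000 8082
```

Empty output means every listener on the checked ports is loopback-only; any printed line is a bind that Apache's reverse proxy does not need and that remains reachable on the VPS's public interface.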