Traefik Reverse Proxy

Does anyone have Seafile working with the Traefik reverse proxy? A bit of searching doesn’t turn anything up. If so, I’d really appreciate seeing a sample of how to get the /seafhttp directory proxied properly.

2 Likes

I figured it out. The PathPrefixStrip rule is pretty nifty. For anyone else interested in using Traefik, this is how I configured the Traefik labels on the Seafile docker container:

labels:
      - traefik.docker.network=traefik
      - traefik.enable=true
      - traefik.seafgui.frontend.rule=Host:example.com
      - traefik.seafgui.port=8000
      - traefik.seafdav.frontend.rule=Host:example.com;PathPrefixStrip:/seafdav
      - traefik.seafdav.port=8080
      - traefik.seafhttp.frontend.rule=Host:example.com;PathPrefixStrip:/seafhttp
      - traefik.seafhttp.port=8082
1 Like

If you’re using the official container, nginx is included an so you only have to proxy nginx, not all directories.

1 Like

Please submit your findings to the manual.

Submitted in https://github.com/haiwen/seafile-docs/pull/480

The meat of it is:

Here we deploy Seahub and FileServer with the Traefik reverse proxy. We assume you are running Seahub using domain seafile.example.com.

Configuring Traefik with a Configuration File

Traefik can be configured in the main traefik.toml file, and / or in files specified therein. Here is an example of configuring Traefik’s configuration file for a locally installed instance of Seafile:

[backends]
  [backends.seafapp]
    [backends.seafapp.servers.primary]
      url = "http://127.0.0.1:8000"
      weight = 1
  [backends.seafdav]
    [backends.seafdav.servers.primary]
      url = "http://127.0.0.1:8080"
      weight = 1
  [backends.seafile]
    [backends.seafhttp.servers.primary]
      url = "http://127.0.0.1:8082"
      weight = 1

[frontends]
   [frontends.seafapp]
     backend = "seafapp"
     [frontends.seafapp.routes]
       [frontends.seafapp.routes.primary]
         rule = "Host:seafile.example.com"
   [frontends.seafdav]
     backend = "seafdav"
     [frontends.seafdav.routes]
       [frontends.seafdav.routes.primary]
         rule = "Host:seafile.example.com;PathPrefixStrip:/seafdav"
   [frontends.seafhttp]
     backend = "seafhttp"
     [frontends.seafhttp.routes]
       [frontends.seafhttp.routes.primary]
         rule = "Host:seafile.example.com;PathPrefixStrip:/seafhttp"

Note that this is valid for a locally installed instance of Traefik, or a Traefik container running with NET=HOST. If Traefik is running in a container without these privelages, host.docker.internal or an address bound to the host’s loopback interface should be substituted for 127.0.0.1.

Proxying the Official Docker Image

The official Docker image for Seafile has a built-in Nginx server that proxies the /seafhttp and /seafdav paths to their respective ports. Thus the official Docker image can be proxied simply by making Traefik aware through labels:

services:
  seafile:
    labels:
      - traefik.docker.network=traefik
      - traefik.enable=true
      - traefik.frontend.rule=Host:seafile.example.com
      - traefik.port=80
    networks:
      - traefik

Proxying Unofficial Docker Images

In Docker images that do not include their own proxy, Traefik can handle proxying the /seafhttp and /seafdav paths to the right ports through segment labels:

services:
  seafile:
    labels:
      - traefik.docker.network=traefik
      - traefik.enable=true
      - traefik.seafapp.backend=Seafile Web App
      - traefik.seafapp.frontend.rule=Host:seafile.example.com
      - traefik.seafdav.port=8000
      - traefik.seafdav.backend=Seafile WebDAV Server
      - traefik.seafdav.frontend.rule=Host:seafile.example.com;PathPrefixStrip:/seafdav
      - traefik.seafdav.port=8080
      - traefik.seafhttp.backend=Seafile File Server
      - traefik.seafhttp.frontend.rule=Host:seafile.example.com;PathPrefixStrip:/seafhttp
      - traefik.seafhttp.port=8082
    networks:
      - traefik
3 Likes

Hi,

thanks for the docs. Unfortunately I am just starting out with Docker. Could you please provide a more complete example including a docker-compse.yml as well?

My reason to look for running seafile with docker and traefik is that I want to run two instances of seafile on one host, next to other microservices. All should be accessible on Port 443, have a let’s encrypt SSL cert and routing should take place based on host-names

That would be great! I cannot (yet) get my head around all this…

got it!

For anyone interested, I outlined a full config at

3 Likes

Have you tested the proxying settings you mentioned for the official docker image?
I am facing the problem that uploads fail when using traefik as a reverse proxy in front of seafiles nginx. Unfortunately I can’t seem to find any useful logs for this problem. If I strap away the reverse proxy and use seafile directly it works flawlessly. Any ideas?

OK, I figured it out. Was missing the s in https in the FILE_SERVER_ROOT option.

Isn’t so that for Container you just have to proxy port 443 (optionally 8080) and make a redirection from port 80?

For anyone using Traefik v2, here are the labels I needed to use on my Seafile container:

- traefik.http.routers.seafile.rule=Host(`seafile.example.com`)
- traefik.http.services.seafile.loadbalancer.server.port=8000
- traefik.http.routers.seafile.service=seafile

# on upload/download, a request to https://seafile.example.com/seafhttp/files/xxx/xxx.xx is attempted
# this needs to turn in to http://<container-ip>:8082:/files/xxx/xxx/xx
- traefik.http.routers.seafhttp.rule=Host(`seafile.example.com`) && PathPrefix(`/seafhttp`)
- traefik.http.services.seafhttp.loadbalancer.server.port=8082
- traefik.http.routers.seafhttp.service=seafhttp
- traefik.http.middlewares.sf-replacepath.replacepathregex.regex=^/seafhttp/(.*)
- traefik.http.middlewares.sf-replacepath.replacepathregex.replacement=/$$1
- traefik.http.routers.seafhttp.middlewares=sf-replacepath
3 Likes

Do you have an example of your full docker-compose file to get seafile working? Thanks!

1 Like

I wanted to post and say thank you very much for sharing this! I am using traefik v2 on unraid and following your labels I was able to get this to work with cloudflare.

Do you know what the additional labels would be to get this to work on https ?

disregard my question. I took all the labels you provided then added the following to force HTTPS

# to tell traefik to try get a letsencrypt cert for your domain
-traefik.http.routers.seafile.tls.certresolver=letsencrypt

#If you want to redirect port 80 to 443 when connecting to this domain on port 80
-traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
-traefik.http.routers.https-redirect.entrypoints=web
-traefik.http.routers.https-redirect.middlewares=https-redirect
-traefik.http.routers.https-redirect.rule=Host(seafile.example.com)

when I enter the above, I can get it to go HTTPS, but I can’t figure out why I can’t upload any files or view PDFs in the browser

My roommate have an old 6.x version of Seafile deployed which was behind a nginx reverse proxy.
With my roommate we move it behind Traefik 2.5 to havind easy certificate auto-renewal and having single reverse-proxy on our single public ipv4.
But we encountered some difficulties with Seafile not correctly handle https urls, it’s like our Seafile completely ignore either X-Forwaded-Proto: https nor https:// in SERVICE_URL= and FILE_SERVER_ROOT=

Docker container labels for Seafile

   labels:
      # handle HTTPS to port 8000
      - traefik.http.routers.seafile.entrypoints=websecure
      - traefik.http.routers.seafile.rule=Host(`seafile.local`)
      - traefik.http.routers.seafile.tls=true
      - traefik.http.services.seafile.loadbalancer.server.port=80
      - traefik.http.routers.seafile.service=seafile
      # Uncomment the line below to use letsencrypt
      # - traefik.http.routers.seafile.tls.certresolver=letsencrypt

      # handle HTTP to be redirect to HTTPS
      - traefik.http.routers.seafile-http.entrypoints=web
      - traefik.http.routers.seafile-http.rule=Host(`seafile.local`)
      - traefik.http.routers.seafile-http.middlewares=mid-to-https
      - traefik.http.middlewares.mid-to-https.redirectscheme.scheme=https
      - traefik.http.routers.seafile-http.service=seafile

      # handle HTTPS with path starting with /seafhttp to go to port 8082 and strip the prefix
      - traefik.http.routers.seafhttp.entrypoints=websecure
      - traefik.http.routers.seafhttp.rule=Host(`seafile.local`) && PathPrefix(`/seafhttp`)
      - traefik.http.routers.seafhttp.tls=true
      - traefik.http.services.seafhttp.loadbalancer.server.port=8082
      - traefik.http.routers.seafhttp.service=seafhttp
      - traefik.http.routers.seafhttp.middlewares=sf-strippath
      - traefik.http.middlewares.sf-strippath.stripprefix.prefixes=/seafhttp
      # Uncomment the line below to use letsencrypt
      # - traefik.http.routers.seafhttp.tls.certresolver=letsencrypt

Sample config for /etc/traefik/traefik.yml

api:
  insecure: true
providers:
  docker: {}
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      insecure: true
  websecure:
    address: ":443"
    forwardedHeaders:
      insecure: true

providers:
  file:
    filename: "/etc/traefik/config.yml"
  docker: {}

certificatesResolvers:
  letsencrypt:
    acme:
      email: gabi@youpi.local
      storage: acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

All our sample configuration is here home.hugopoi . net/gitea/hugopoi/traefik-examples.