Trying to setup HTTPS access

Tarsopilami · November 2, 2016, 3:50pm

Hi there,

I just setup seafile and everything is working alright using normal http configuration.

Now, I want to take the next step and enable HTTPS access to seafile server. I followed the instructions on

Config Seahub with Apache · Seafile Server Manual
Enabling Https with Apache · Seafile Server Manual

But when I try to access the https server-address from WAN I get

Service Unavailable
The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.

Apache/2.4.7 (Ubuntu) Server at xx.xx-xx.xx Port 443

I do not have experience with Apache - so I have no clue as to what this could mean.

OS is Ubuntu, and the .tar seafile-installation file used is the one for raspberry. Don’t know if that matters ?!

Any help would be appreciated

Thomas · November 2, 2016, 7:23pm

Did you open the port in your firewall? Could it be a problem with SELinux?

Tarsopilami · November 2, 2016, 9:40pm

Hello Thomas and thank you for reply. Yes I opened and forwarded port 443 in the firewall. I do get to the webpage 503, so my guess is it is not a matter of Linux itself but has more something to do with configuration of apache and seafile server. But where to start looking ?

Thomas · November 3, 2016, 8:06am

Next I would check the logs at /var/log/apache2 for details

Tarsopilami · November 3, 2016, 8:31am

Well here I found something interesting in error.log:

[Wed Nov 02 17:41:52.885121 2016] [proxy:error] [pid 12259:tid 3051353136] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s
[Wed Nov 02 17:41:52.885182 2016] [proxy_http:error] [pid 12259:tid 3051353136] [client 192.168.20.21:53583] AH01114: HTTP: failed to make connection to backend: 127.0.0.1

what to do next ?

markusweb · November 3, 2016, 10:00am

Is seafile really running? it seems that seafile is not running.
you can check it with “ps -ef | grep seahub” in the terminal, you should den see something like:

ps -ef|grep seahub

seafile    777  2396  0 Okt24 ?        00:00:15 python2.7 /home/to/seafile/seafile-pro-server-6.0.2/seahub/manage.py runfcgi host=127.0.0.1 port=8000 ....

AND have you started seahub as “fastcgi”? the start command looks like

sudo -u seafile ./seafile.sh start
sudo -u seafile ./seahub.sh start-fastcgi

maybe check my config example Trouble Running Seahub behind Apache

Tarsopilami · November 3, 2016, 8:14pm

Hi markusweb - I tried again, here are all the outputs I could reap:

sudo ./seafile.sh start

[11/03/16 20:55:13] …/common/session.c(132): using config file /home/android/seafile/conf/ccnet.conf
Starting seafile server, please wait …
Seafile server started

Done.

sudo ./seahub.sh start-fastcgi
LC_ALL is not set in ENV, set to en_US.UTF-8
./seahub.sh: line 207: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8): No such file or directory
Starting seahub (fastcgi) at 127.0.0.1:8000 …

Seahub is started

Done.

android@localhost:~$ ps -aux|grep seahub

root 17005 0.0 0.9 24664 18324 ? S 20:55 0:00 python2.7 /home/android/seafile/seafile-server-5.1.3/seahub/manage.py runfcgi host=127.0.0.1 port=8000 pidfile=/home/android/seafile/seafile-server-5.1.3/runtime/seahub.pid outlog=/home/android/seafile/seafile-server-5.1.3/runtime/access.log errlog=/home/android/seafile/seafile-server-5.1.3/runtime/error.log
(…)

sudo cat /var/log/apache2/error.log

[Thu Nov 03 21:08:04.916652 2016] [proxy:error] [pid 16757:tid 2976904240] (13)Permission denied: AH00952: FCGI: error creating fam 2 socket for target 127.0.0.1
[Thu Nov 03 21:08:04.917293 2016] [proxy:error] [pid 16757:tid 2976904240] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s
[Thu Nov 03 21:08:04.917446 2016] [proxy_fcgi:error] [pid 16757:tid 2976904240] [client 213.162.68.163:25937] AH01079: failed to make connection to backend: 127.0.0.1

So it seems seahub is running - but there is a proxy:error and proxy_fcgi:error that I do not quite understand. What do you think of this ?

szijo · November 4, 2016, 5:12pm

As someone else said, this is probably an SELinux permissions issue. Can you post the output of “sestatus -b”?

Tarsopilami · November 4, 2016, 10:32pm

hmm let me check out - Here goes:

android@192.168.20.33’s password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.4.0-g0baf67b armv7l)

Documentation: https://help.ubuntu.com/
Ubuntu 14.04 LTS [running via Linux Deploy]
Last login: Fri Nov 4 17:11:38 2016 from xx
android@localhost:~$ sestatus -b
-bash: sestatus: command not found

should sestatus be installed ?

android@localhost:~$ sudo apt-get install sestatus
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package sestatus

android@localhost:~$ ls /sys/fs/selinux/
access checkreqprot context disable load null policyvers status
avc class create enforce member policy reject_unknown user
booleans commit_pending_bools deny_unknown initial_contexts mls policy_capabilities relabel
android@localhost:~$ ls /etc/selinux/
semanage.conf

I went to see Why am I getting an Apache Proxy 503 error? - Stack Overflow - the solution suggested is

echo 0 >/selinux/enforce

but enforce is already set to 0

cat /sys/fs/selinux/enforce
0

then I tried this

/usr/sbin/setsebool httpd_can_network_connect true
-bash: /usr/sbin/setsebool: No such file or directory

and since the system is using Deploy Linux/ chroot / container - I also tried Selinux Mode Changer (XDADevs) to set Android Selinux mode to permissive.

Same problem.

Does anybody have a suggestion what to check next ?

Tarsopilami · November 26, 2016, 9:50pm

Update:

changing /etc/apache2/envvars solves the problem:

change www-data > seafile

APACHE_RUN_USER=seafile
APACHE_RUN_GROUP=seafile

Seahub works with https now: but is this safe?

fabianT · November 27, 2016, 8:02pm

Have you tried adding seafile to the www-data group?

Tarsopilami · November 29, 2016, 7:38pm

seafile@localhost:~$ groups seafile|grep www-data
seafile : seafile adm www-data aid_radio aid_bluetooth aid_graphics aid_input aid_audio aid_camera aid_log aid_compass aid_mount aid_wifi aid_adb aid_install aid_media aid_dhcp aid_sdcard_rw aid_vpn aid_keystore aid_usb aid_drm aid_available aid_gps aid_media_rw aid_mtp aid_drmrpc aid_nfc aid_sdcard_r aid_clat aid_loop_radio aid_media_drm aid_package_info aid_sdcard_pics aid_sdcard_av aid_sdcard_all aid_logd aid_shared_relro aid_shell aid_cache aid_diag aid_net_bt_admin aid_net_bt aid_inet aid_net_raw aid_net_admin aid_net_bw_stats aid_net_bw_acct aid_net_bt_stack

sudo cat /var/log/nginx/seahub.error.log
2016/11/29 20:35:49 [alert] 31262#0: *6 socket() failed (13: Permission denied) while connecting to upstream, client

Unfortunately, it doesn’t work