This tutorial is licensed under CC-BY-SA - feel free to share and modify it (but keep all information free)!
This tutorial is not longer maintained.
Anyway it can be helpful to get an idea how to set up a current version of Seafile server CE. The official tutorial steps I used for this tutorial were:
- https://manual.seafile.com/deploy/using_mysql.html
- https://manual.seafile.com/deploy/add_memcached.html
- https://manual.seafile.com/deploy/deploy_with_nginx.html
- https://manual.seafile.com/deploy/https_with_nginx.html
- https://manual.seafile.com/deploy/start_seafile_at_system_bootup.html
- https://manual.seafile.com/deploy/using_logrotate.html
- Outline - Seafile Admin Manual
- WebDAV and FUSE extensions - Seafile Admin Manual
Tutorial for Seafile CE + Nginx + dynamic DNS (on ARM / Cubietruck / RaspberryPi)
Some advices
- Prepare something like keepass to save several (strong) passwords.
- Keep in mind that some of the commans in the tutorial are redundant and should show before-after-status. Originally this tutorial was written for some of my friends who are âfirst time Linux usersâ.
- Iâm far away to be a Linux expert and just someone who likes challenges and share my knowledge with others. I didnât write this tutorial in a rush but proof every command with
man %%UnkownCommand%%
to understand what you are going to do. - This tutorial was written under GNU/Linux (Debian 8 so all commands are Linux commands. If your client is running Windows you can use PuTTY to connect to the Seafile server.
- All symbols
%%
mark a%%VARIABLE%%
in this tutorial so%%YourServerIP%%
can mean192.168.1.1
in your case. %%YourEditor%%
means to use a program of your choice for editing config files. I usevi
which is a little bit confusing for the first time. If you donât know what to do just use the programeditor
for%%YourEditor%%
.
Overview
- installing Linux on an SD-Card for your ARM board (in my case: ARMbian on a Cubietruck - just choose a Debian based operation system fitting for your ARM board (Raspberry Pi â Raspbian) and all following commands should work fine)
- setting up Seafile 4.3.2 CE with MySQL (I would prefer MariaDB but as far as I know there is no package for ARM at the moment)
- setting up NGINX with a âquick and dirtyâ certificate so later we have to activate
Do not verify server certifcate in HTTPS syncing
. - Setting up a dynamic DNS address to address your serve from outside of your LAN.
- Setting up iptables with filters for the seafile server.
Installing ARMbian on SD-Card
I would suggest to open 2 terminal windows. One for operations on your client, one for your server. This will make things more comfortable.
Download your prefered server image and remember the location where you saved it.
On your client-terminal do:
sudo -s
apt-get update
apt-get install pv gpg
cd %%/to/your/download/location/of/ARMbian/%%
unzip %%YouARMbianImage.zip%%
gpg %%YourARMbianImage.raw.asc%%
gpg --keyserver pgpkeys.mit.edu --recv-key %%KeyIDlistedInTheErrorMessage%%
gpg %%YourArmbianImage.raw.asc%%
Comparing the Primary key fingerprint
with the one the creator of the image provides us (on his website) will tell us that the image is the one the creator really wants to provide us. Unfortunately Igor Pecovnik (the creator of ARMbian) doesnât list the fingerprint on his website at the moment but he told me to do as soon as possible. Go on on your client-terminal with:
lsblk
pv %%YourArmbianImage.raw%% | dd of=/dev/%%YourSDCardDriveLetter%%
sync
Eject your SD-Card, plug it in your Cubietruck. It is a good idea to connect another display to the Cubietruck so that you can observe the first boot up of the system. Go on on your client-terminal with:
apt-get install zenmap
Open zenmap
and find the ip address of your Cubietruck with Target:
entry 192.168.1.*
(depends on your router setup) and Profile:
entry Quick scan
. You will find all hosts of your network on the left side under Hosts
. Remember the IP of your Cubietruck.
On your server-terminal do:
ssh %%YourServerIP%% -l root
At the moment the standard root password of ARMbian is 1234
. You will be forced to change the root password (remember to use something like keepass - you will save a lot of time if you save all passwords in a digital password manager because you can copy&paste even very complex passwords into the terminal window). Go on on your server-terminal with:
apt-get update
apt-get upgrade
reboot
On your server-terminal do:
ssh %%YourServerIP%% -l root
adduser %%YourNewArmbianUser%%
adduser %%YourNewArmbianUser%% sudo
exit
ssh %%YourServerIP%% -l %%YourNewArmbianUser%%
Optional: For security reasons you can completely disable your root user now in your server-terminal with (if you want to use Logwatch later donât lock the root account - in this case skip this step!):
sudo -s
usermod --lock --expiredate 1970-02-02 root
For unlocking the root account again:
usermod --unlock --expiredate '' root
Optional: You can change the hostname of your server now in your server-terminal with:
cp /etc/hosts /etc/hosts_org
cp /etc/hostname /etc/hostname_org
%%YourEditor%% /etc/hosts
%%YourEditor%% /etc/hostname
reboot
The first two commands create a backup of the files we have to edit. Just change the original hostname your prefered Linux image is listing in the two files. The server should show the now hostname with the command hostname
after rebooting. Go in your server-terminal with setting the right time zone of your server with:
ssh %%YourServerIP%% -l %%YourNewArmbianUser%%
sudo -s
dpkg-reconfigure tzdata
shutdown
Backup the system SD-Card
Now detach your SD-Card from your server to create a backup. In case you think you messed up something with the coming seafile part you can just restart without starting over with all steps. So plugin your SD-Card on your client system and go in your client-erminal with:
lsblk
pv /dev/%%YourSDCardDriveLetter%% | dd of=%%YourSDCardBackUpName%%
sync
Plug in your SD-Card again in your server and start it again.
Installing all necessary dependencies for Seafile, MySQL and NGINX
Go on in your server-terminal with installing all necessary programs for Seafile, MySQL and NGINX and adding an unprivileged user with home directory in /srv/seafile who runs Seafile later (you can use another home directory but this is the directory I used in all coming templates which means: This is the directory your seafile server program will run in!):
ssh %%YourServerIP%% -l %%YourNewArmbianUser%%
sudo -s
During the next step you will be asked to setting up a MySQL root password - set a complex password and save it well in your password manager:
apt-get install nginx mysql-server mysql-client php5-fpm php5-mysql python2.7 python-setuptools python-simplejson python-imaging python-mysqldb python-flup python-memcache
(Because people were asking why Iâm using MySQL:
I would prefer MariaDB but there are no MariaDB packages in the official Debian ARM repositories so I had to compile it on my own and this would cause complicate update processes for MariaDB. When there are official MariaDB packages for Debian ARM I will add a tutorial for switching the database here. )
Prepare an unprivileged system user for Seafile
useradd -m -d /srv/seafile -s /bin/false %%YourSystemUserNameForSeafile%%
Setting up Seafile with MySQL - Part 1/2
Open a third terminal for commands with your unprivileged seafile-user on the server (= Terminal-SEAFusr):
ssh %%YourServerIP%% -l %%YourNewArmbianUser%%
sudo -s
su - %%YourSystemUserNameForSeafile%% -s /bin/bash
pwd
Check if pwd
command gives you /srv/seafile
as directory (or whatever you set up while creating %%YourSystemUserNameForSeafile%%
- otherwise switch to the home directory of %%YourSystemUserNameForSeafile%%
with cd /path/to/home/of/%%YourSystemUserNameForSeafile%%
. Related to my tutorial go on in /srv/seafile
:
wget %%https://github.com/haiwen/seafile-rpi/releases/download/v4.3.2/seafile-server_4.3.2_pi.tar.gz%%
tar -xzvf seafile-server_*
mkdir installed
ls -la
mv %%seafile-server_4.3.2_pi.tar.gz%% installed/
cd %%seafile-server-4.3.2/%%
The following command will open a wizard which will ask you several questions to set up the Seafile server.
The second question will ask for the server ip or domain (%%your.dyndns.address%%
). Here you will need a Dynamic DNS address.
Prepare a Dynamic DNS address with noip.com
Register an account and choose %%your.dyndns.address%% on Sign Up - Create a No-IP Dynamic DNS Account under âHostnameâ (just to confirm: this will be the address you will use to open your Seafile server later, example: seafile-fan.ddns.net ).
Setting up Seafile with MySQL - part 2/2
When you registered your Dynamic DNS name go on with the Seafile wizard:
./setup-seafile-mysql.sh
-----------------------------------------------------------------
This script will guide you to setup your seafile server using MySQL.
Make sure you have read seafile server manual at
https://github.com/haiwen/seafile/wiki
Press ENTER to continue
-----------------------------------------------------------------
What is the name of the server? It will be displayed on the client.
3 - 15 letters or digits
[ server name ] %%YourSeafileServerName%%
What is the ip or domain of the server?
For example: www.mycompany.com, 192.168.1.101
[ This server's ip or domain ] %%your.dyndns.address%%
Where do you want to put your seafile data?
Please use a volume with enough free space
[ default "/srv/seafile/seafile-data" ] <JustPressEnter>
Which port do you want to use for the seafile fileserver?
[ default "8082" ] <PressEnter>
-------------------------------------------------------
Please choose a way to initialize seafile databases:
-------------------------------------------------------
[1] Create new ccnet/seafile/seahub databases
[2] Use existing ccnet/seafile/seahub databases
[ 1 or 2 ] 1
What is the host of mysql server?
[ default "localhost" ] <JustPressEnter>
What is the port of mysql server?
[ default "3306" ] <JustPressEnter>
What is the password of the mysql root user?
[ root password ] %%YourMySQLrootPassword%%
verifying password of user root ... done
Enter the name for mysql user of seafile. It would be created if not exists.
[ default "root" ] %%YourMySQLuserForSeafile%%
Enter the password for mysql user "%%":
[ password for %% ] %%PasswordForYourMySQLuserForSeafile%%
Enter the database name for ccnet-server:
[ default "ccnet-db" ] <JustPressEnter>
Enter the database name for seafile-server:
[ default "seafile-db" ] <JustPressEnter>
Enter the database name for seahub:
[ default "seahub-db" ] <JustPressEnter>
---------------------------------
This is your configuration
---------------------------------
server name: %%YourSeafileServerName%%
server ip/domain: %%your.dyndns.address%%
seafile data dir: /srv/seafile/seafile-data
fileserver port:8082
database: create new
ccnet database: ccnet-db
seafile database: seafile-db
seahub database:seahub-db
database user: %%YourMySQLuserForSeafile%%
---------------------------------
Press ENTER to continue, or Ctrl-C to abort
---------------------------------
Use your second terminal for root commands with %%YourNewArmbianUser%% (= Terminal-ROOTusr):
ssh %%YourServerIP%% -l %%YourNewArmbianUser%%
sudo -s
ulimit -n 30000
In your Terminal-SEAFusr:
./seafile.sh start
./seahub.sh start
Now check in the browser of your client if you can reach seafile
under the address %%YourServerIP%%:8000
.
Setting up NGINX with full certificate chain
Preparation of Nginx site configuration
In your Terminal-ROOTusr:
cd /etc/nginx/sites-available/
touch seafile.conf
%%YourEditor%% seafile.conf
Btw: the name seafile.conf
doesnât matter. You can name this file whatever you think is a nice name to identify your Nginx site configuration of your Seafile server.
Here is a template you can use for the nginx site configuration you have just created/opened in your editor. Pay attention to edit all %%VARIABLES%%. Maybe it is better to copy the following template into an editor on your client so that you can find and replace the %%VARIABLES%%. Attention: Donât edit the two lines ssl_certificate
and ssl_certificate_key
now because you donât have the created certificates now. Certificate creattion will follow in the next step.
server {
listen 80;
server_name %%your.dyndns.address%%;
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
}
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/%%your.server.tld.cert-chain.pem%%; # path to your certificate chain
ssl_certificate_key /etc/nginx/ssl/%%your.server.tld.key%%; # path to the private.key of your server certificate
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AES:EDH+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA';
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
server_name %%your.dyndns.address%%;
proxy_set_header X-Forwarded-For $remote_addr;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
server_tokens off;
location / {
fastcgi_pass 127.0.0.1:8000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
access_log /var/log/nginx/seahub.access.log;
error_log /var/log/nginx/seahub.error.log;
fastcgi_read_timeout 36000;
}
location /seafhttp {
rewrite ^/seafhttp(.*)$ $1 break;
proxy_pass http://127.0.0.1:8082;
client_max_body_size 0;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;
#proxy_request_buffering off; #activation possible for nginx version 1.7.11 and higher
}
location /media {
root /srv/seafile/seafile-server-latest/seahub;
}
}
Optional: some Nginx tweaks
All these tweaks are not essential in the beginning. If you doonât know what to do go on now with step âFull certificate chainâ.
HTTPS2 or SPDY support
You can add support for HTTP2 or SPDY according to your nginx version. If you donât need HTTP2 or SPDY or you donât know what to do just skip this point.
To add support for HTTP2 or check your Nginx version with:
nginx -v
Then change the line listen 443;
to one of the following ones according to your Nginx version:
listen 443 http2; #nginx version 1.9.5 and higher
listen 443 spdy; #nginx version below 1.9.5
Optimizing large file uploads
Some users experiienced problems uploading large files (>4GB) if using small SD cards for the operation system. In thix contect for more reliable large file uploads there are two possibilities depending on your Nginx version. check your Nginx version with:
nginx -v
If your Nginx version is 1.7.11 or higher you can _dis_able proxy_request_buffering
deleting the hashtag (#) before #proxy_request_buffering off;
(so to activate: proxy_request_buffering off;
)in the provided Nginx config above.
You can find further information on this @seafile manual and @nginx documentation.
If your Nginx version is below 1.7.11 you could relocate Nginx directory (which is used as cache for large files) to an external drive (there is a tutorial for this here. If you want to do this finish the whole tutorial at first and come back later!
sudo -s
service nginx stop
cp /var/lib/nginx /var/lib/nginx_org
mkdir -p /mnt/externaldrive/nginx-data
mv -f /var/lib/nginx/* /mnt/externaldrive/nginx-data
rmdir /var/lib/nginx
cd /var/lib
ln -s /mnt/externaldrive/nginx-data nginx
If you have to _de_crypt your external drive after every server restart manually Nginx will not autostart properly (because it can not access /var/lib/nginx
until the external drive is encrypted). In this case you can disable autostart for Nginx with update-rc.d nginx disable
which means you have to start Nginx manually before you start Seafile with service nginx start
.
Full certificate chain
There are two missing %%VARIABLES%% in the Nginx site configuration (in the lines I told you not to touch: ssl_certificate
and ssl_certificate_key
). For these variables we need to create certificates now.
To set up a full certificate chain follow Tutorial for a complete certificate chain with your own Certificate Authority (CA).
If you are asking why you should set up a full certificate chain (and not just a âsimpleâ certificate): if you are not providing a certificate chain you (and any other user of your Seafile server) have to activate in your Seafile client under Settings / Advanced / âDo not verify server ertificate in HTTPS syncingâ later (otherwise your Seafiel client will not sync any data with your Seafile server). This is annoying, confusing - and checking âDo not verify server ertificate in HTTPS syncingâ even dangerous . Setting up a full certificate chain doesnât take really more time in comparison with setting up a simple certificate (if you use the âshort wayâ in the linked tutorial).
When you are done with the certificates come back here. Confirm that there are now %%VARIABLES%% anymore in the Nginx site configuration before you go on.
Activation of Nginx site configuration
To activate the complete Nginx site configuration for Seafile go on in your Terminal-ROOTusr:
cd /etc/nginx/sites-enabled/
ls -la
ln -s /etc/nginx/sites-available/seafile.conf /etc/nginx/sites-enabled/
ls -la
nginx -s reload
exit
Completing Dynamic DNS address configuration
Following this tutorial you should have registered on www.no-ip.com already. Now go on building the program that sends your dynamic ip address to the no-ip.com server so that %%your.dyndns.address%% is always linking to your actual dynamic ip of your server.
Notes:
- I prefer
checkinstall
instead ofmake install
but somehow this didnât work for me in this case. - Some routers offer a service to update the dynamic ip to a dynamic dns address. Check your router config for this and you donât need to set up the following step.
In your Terminal-ROOTusr:
cd /home/%%YourNewArmbianUser%%
mkdir %%aFolderToCompileNo-IP-Updater%%
cd %%aFolderToCompileNo-IP-Updater%%/
wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
tar xvf noip-duc-linux.tar.gz
cd noip-2.1.9-1/
sudo make install
The no-ip-ipdater will ask you now for your registered data. Example:
Auto configuration for Linux client of no-ip.com.
Please enter the login/email string for no-ip.com %%YourNoIPUserName%%
Please enter the password for user '%%YourNoIPUserName%%' %%YourNoIPUserPassword%%
Only one host [%%your.dyndns.address%%] is registered to this account.
It will be used.
Please enter an update interval:[30]
Do you wish to run something at successful update?[N] (y/N) N
New configuration file 'CONFIG' created.
Now we have to set up autostart for the no-ip-updater:
noip2
sudo -s
%%YourEditor%% /etc/init.d/noip
You can use the following template for the just opened/created file:
#! /bin/sh
### BEGIN INIT INFO
# Provides: noip2
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start and stop directadmin
# Description: DirectAdmin
### END INIT INFO
case "$1" in
start)
echo "Starting noip2"
/usr/local/bin/noip2
;;
stop)
echo -n "Shutting down noip2"
for i in `noip2 -S 2>&1 | grep Process | awk '{print $2}' | tr -d ','`
do
noip2 -K $i
done
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
esac
exit 0
Finish the set up for no-ip in your Terminal-ROOTusr with:
chmod +x /etc/init.d/noip
chmod 700 /usr/local/bin/noip2
chown root:root /usr/local/bin/noip2
chmod 700 /etc/init.d/noip
chown root:root /etc/init.d/noip
chmod 700 /usr/local/etc/no-ip2.conf
chown root:root /usr/local/etc/no-ip2.conf
update-rc.d -n noip defaults
update-rc.d noip defaults
service noip stop
service noip start
Set up %%your.dyndns.address%% in seafile config files (ccnet.conf
and seahub_settings.py
) in your Terminal-SEAFusr:
cd /srv/seafile/conf/
%%YourEditor%% ccnet.conf
%%
SERVICE_URL = https://%%your.dyndns.address%%
%%
%%YourEditor%% seahub_settings.py
%%
FILE_SERVER_ROOT = âhttps://%%your.dyndns.address%%/seafhttpâ
%%
cd /srv/seafile/seafile-server-latest/
./seafile.sh start
./seahub.sh start-fastcgi
On your client system check in your browser if you can open seafile with %%your.dyndns.address%%
. If the Seafile site does not appear check your router configuration: the router has to forward port 80
and port 443
to the local LAN address of your server. So in your router configuration system bind the MAC address of your server to %%YourServerIP%%
and forward port 80
and 443
to %%YourServerIP%%
(you can find iMAC and IP with the command ip addr
on your server). If you can connect to seafile via browser you can go on in your Terminal-SEAFusr to stop your Seafile server:
./seahub.sh stop
./seafile.sh stop
Start/stop script for Seafile
In your Terminal-ROOTusr:
touch /etc/init.d/seafile-server
%%YourEditor%% /etc/init.d/seafile-server
You can use the following template for the just opened/created file. If your Seafile server directory is /srv/seafile/
you just need to adjust all %%YourSystemUserNameForSeafile%%
:
#!/bin/sh
### BEGIN INIT INFO
# Provides: seafile-server
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Starts Seafile Server
# Description: starts Seafile Server
### END INIT INFO
# Change the value of "user" to linux user name who runs seafile
user=%%YourSystemUserNameForSeafile%%
# Change the value of "seafile_dir" to your path of seafile installation
# usually the home directory of $user
seafile_dir=/srv/seafile
script_path=${seafile_dir}/seafile-server-latest
seafile_init_log=${seafile_dir}/logs/seafile.init.log
seahub_init_log=${seafile_dir}/logs/seahub.init.log
# Change the value of fastcgi to true if fastcgi is to be used
fastcgi=true
# Set the port of fastcgi, default is 8000. Change it if you need different.
fastcgi_port=8000
#
# Write a polite log message with date and time
#
echo -e "\n \n About to perform $1 for seafile at `date -Iseconds` \n " >> ${seafile_init_log}
echo -e "\n \n About to perform $1 for seahub at `date -Iseconds` \n " >> ${seahub_init_log}
case "$1" in
start)
sudo -u ${user} ${script_path}/seafile.sh ${1} >> ${seafile_init_log}
if [ $fastcgi = true ];
then
sudo -u ${user} ${script_path}/seahub.sh ${1}-fastcgi ${fastcgi_port} >> ${seahub_init_log}
else
sudo -u ${user} ${script_path}/seahub.sh ${1} >> ${seahub_init_log}
fi
;;
restart)
sudo -u ${user} ${script_path}/seafile.sh ${1} >> ${seafile_init_log}
if [ $fastcgi = true ];
then
sudo -u ${user} ${script_path}/seahub.sh ${1}-fastcgi ${fastcgi_port} >> ${seahub_init_log}
else
sudo -u ${user} ${script_path}/seahub.sh ${1} >> ${seahub_init_log}
fi
;;
stop)
sudo -u ${user} ${script_path}/seahub.sh ${1} >> ${seahub_init_log}
sudo -u ${user} ${script_path}/seafile.sh ${1} >> ${seafile_init_log}
;;
*)
echo "Usage: /etc/init.d/seafile-server {start|stop|restart}"
exit 1
;;
esac
Go on in your Terminal-ROOTusr:
chmod +x /etc/init.d/seafile-server
update-rc.d seafile-server defaults
service seafile-server start
service seafile-server restart
service seafile-server stop
service seafile-server start
- If start/restart/stop works without any errors: Congratulation. Your seafile server is technically ready.
- For a minimum of security we should set up a working firewall with iptables now with the following chapter.
- In all following chapters I will not tell you which terminal you use. I assume you know how to handle the commands in a way that is best for you.
Setting up a firewall with iptables
sudo -s
%%YourEditor%% /etc/iptables.test.rules
%%YourEditor%% should open a new, empty file in which you include the following lines. Pay attention to edit the SSH port if you use another than port 22:
*filter
# based on https://wiki.debian.org/iptables
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
# https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
Now we restore this rules for testing and take a look if the rules are as intended:
iptables-restore < /etc/iptables.test.rules
iptables -vL
If everything as intended we can save the rules into a file that restores the rules on every restart of the server:
iptables-save > /etc/iptables.up.rules
Now we set up a script that enables the iptables rules on every startup:
%%YourEditor%% /etc/network/if-pre-up.d/iptables
Add the following two lines to enable new rules in the just opened/created file:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
Make the just created script executable:
chmod +x /etc/network/if-pre-up.d/iptables
Last steps
Go back to Own certificates with complete certificate chain and follow the âLast stepsâ.
When you are done check your web server security settings.
Thatâs it. Now have fun tweaking your seafile server.
If you want to use your Seafile server as a 24/7 system accessible in world wide web I highly recommend you 1. change standard SSH port, 2. use public key authentication in combination with a password and 3. permit SSH login only with username and password!
âNice to haveâ
- Tutorial for Logwatch on Debian for Nginx with Postfix configuration as
âSatellite systemâ - Tutorial for a complete certificate chain with your own Certificate
Authority (CA) - Tutorial for relocating seafile-data directory (optionally on an encrypted volume)
- Tutorial for importing old MySQL/MariaDB databases and old SEAFILE-DATA
- Tutorial for streaming video/audo with your Seafile server via miniDLNA and FUSE
- Nginx tweaks in step âPreparation of Nginx site configurationâ
Please ask all questions in this thread and not via PM (there are no stupid questions for me)