Tutorial for Seafile CE + Nginx + dynamic DNS (on ARM / Cubietruck / RaspberryPi)


#1

This tutorial is licensed under CC-BY-SA - feel free to share and modify it (but keep information free)!

:triangular_flag_on_post: This tutorial is not longer maintained. :triangular_flag_on_post:

Anyway it can be helpful to get an idea how to set up a current version of Seafile server CE. The official tutorial steps I used for this tutorial were:

  1. https://manual.seafile.com/deploy/using_mysql.html
  2. https://manual.seafile.com/deploy/add_memcached.html
  3. https://manual.seafile.com/deploy/deploy_with_nginx.html
  4. https://manual.seafile.com/deploy/https_with_nginx.html
  5. https://manual.seafile.com/deploy/start_seafile_at_system_bootup.html
  6. https://manual.seafile.com/deploy/using_logrotate.html
  7. https://manual.seafile.com/config/
  8. https://manual.seafile.com/extension/

Tutorial for Seafile CE + Nginx + dynamic DNS (on ARM / Cubietruck / RaspberryPi)

Some advices

  1. Prepare something like keepass to save several (strong) passwords.
  2. Keep in mind that some of the commans in the tutorial are redundant and should show before-after-status. Originally this tutorial was written for some of my friends who are “first time Linux users”.
  3. I’m far away to be a Linux expert and just someone who likes challenges and share my knowledge with others. I didn’t write this tutorial in a rush but proof every command with man %%UnkownCommand%% to understand what you are going to do.
  4. This tutorial was written under GNU/Linux (Debian 8 so all commands are Linux commands. If your client is running Windows you can use PuTTY to connect to the Seafile server.
  5. All symbols %% mark a %%VARIABLE%% in this tutorial so %%YourServerIP%% can mean 192.168.1.1 in your case.
  6. %%YourEditor%% means to use a program of your choice for editing config files. I use vi which is a little bit confusing for the first time. If you don’t know what to do just use the program editor for %%YourEditor%%.

Overview

  1. installing Linux on an SD-Card for your ARM board (in my case: ARMbian on a Cubietruck - just choose a Debian based operation system fitting for your ARM board (Raspberry Pi -> Raspbian) and all following commands should work fine)
  2. setting up Seafile 4.3.2 CE with MySQL (I would prefer MariaDB but as far as I know there is no package for ARM at the moment)
  3. setting up NGINX with a “quick and dirty” certificate so later we have to activate Do not verify server certifcate in HTTPS syncing.
  4. Setting up a dynamic DNS address to address your serve from outside of your LAN.
  5. Setting up iptables with filters for the seafile server.

Installing ARMbian on SD-Card

I would suggest to open 2 terminal windows. One for operations on your client, one for your server. This will make things more comfortable.
Download your prefered server image and remember the location where you saved it.

On your client-terminal do:

sudo -s
apt-get update
apt-get install pv gpg
cd %%/to/your/download/location/of/ARMbian/%%
unzip %%YouARMbianImage.zip%% 
gpg %%YourARMbianImage.raw.asc%%
gpg --keyserver pgpkeys.mit.edu --recv-key %%KeyIDlistedInTheErrorMessage%%
gpg %%YourArmbianImage.raw.asc%%

Comparing the Primary key fingerprint with the one the creator of the image provides us (on his website) will tell us that the image is the one the creator really wants to provide us. Unfortunately Igor Pecovnik (the creator of ARMbian) doesn’t list the fingerprint on his website at the moment but he told me to do as soon as possible. Go on on your client-terminal with:

lsblk
pv %%YourArmbianImage.raw%% | dd of=/dev/%%YourSDCardDriveLetter%%
sync

Eject your SD-Card, plug it in your Cubietruck. It is a good idea to connect another display to the Cubietruck so that you can observe the first boot up of the system. Go on on your client-terminal with:

apt-get install zenmap

Open zenmap and find the ip address of your Cubietruck with Target: entry 192.168.1.* (depends on your router setup) and Profile: entry Quick scan. You will find all hosts of your network on the left side under Hosts. Remember the IP of your Cubietruck.

On your server-terminal do:

ssh %%YourServerIP%% -l root

At the moment the standard root password of ARMbian is 1234. You will be forced to change the root password (remember to use something like keepass - you will save a lot of time if you save all passwords in a digital password manager because you can copy&paste even very complex passwords into the terminal window). Go on on your server-terminal with:

apt-get update
apt-get upgrade
reboot

On your server-terminal do:

ssh %%YourServerIP%% -l root
adduser %%YourNewArmbianUser%%
adduser %%YourNewArmbianUser%% sudo
exit
ssh %%YourServerIP%% -l %%YourNewArmbianUser%%

Optional: For security reasons you can completely disable your root user now in your server-terminal with (if you want to use Logwatch later don’t lock the root account - in this case skip this step!):

sudo -s
usermod --lock --expiredate 1970-02-02 root

For unlocking the root account again:

usermod --unlock --expiredate '' root

Optional: You can change the hostname of your server now in your server-terminal with:

cp /etc/hosts /etc/hosts_org
cp /etc/hostname /etc/hostname_org
%%YourEditor%% /etc/hosts
%%YourEditor%% /etc/hostname
reboot

The first two commands create a backup of the files we have to edit. Just change the original hostname your prefered Linux image is listing in the two files. The server should show the now hostname with the command hostname after rebooting. Go in your server-terminal with setting the right time zone of your server with:

ssh %%YourServerIP%% -l %%YourNewArmbianUser%%
sudo -s
dpkg-reconfigure tzdata
shutdown

Backup the system SD-Card

Now detach your SD-Card from your server to create a backup. In case you think you messed up something with the coming seafile part you can just restart without starting over with all steps. So plugin your SD-Card on your client system and go in your client-erminal with:

lsblk
pv /dev/%%YourSDCardDriveLetter%% | dd of=%%YourSDCardBackUpName%%
sync

Plug in your SD-Card again in your server and start it again.


Installing all necessary dependencies for Seafile, MySQL and NGINX

Go on in your server-terminal with installing all necessary programs for Seafile, MySQL and NGINX and adding an unprivileged user with home directory in /srv/seafile who runs Seafile later (you can use another home directory but this is the directory I used in all coming templates which means: This is the directory your seafile server program will run in!):

ssh %%YourServerIP%% -l %%YourNewArmbianUser%%
sudo -s

During the next step you will be asked to setting up a MySQL root password - set a complex password and save it well in your password manager:

apt-get install nginx mysql-server mysql-client php5-fpm php5-mysql python2.7 python-setuptools python-simplejson python-imaging python-mysqldb python-flup python-memcache

(Because people were asking why I’m using MySQL:
I would prefer MariaDB but there are no MariaDB packages in the official Debian ARM repositories so I had to compile it on my own and this would cause complicate update processes for MariaDB. When there are official MariaDB packages for Debian ARM I will add a tutorial for switching the database here. :wink: )

Prepare an unprivileged system user for Seafile

useradd -m -d /srv/seafile -s /bin/false %%YourSystemUserNameForSeafile%%

Setting up Seafile with MySQL - Part 1/2

Open a third terminal for commands with your unprivileged seafile-user on the server (= Terminal-SEAFusr):

ssh %%YourServerIP%% -l %%YourNewArmbianUser%%
sudo -s
su - %%YourSystemUserNameForSeafile%% -s /bin/bash
pwd

Check if pwd command gives you /srv/seafile as directory (or whatever you set up while creating %%YourSystemUserNameForSeafile%% - otherwise switch to the home directory of %%YourSystemUserNameForSeafile%% with cd /path/to/home/of/%%YourSystemUserNameForSeafile%%. Related to my tutorial go on in /srv/seafile:

wget %%https://github.com/haiwen/seafile-rpi/releases/download/v4.3.2/seafile-server_4.3.2_pi.tar.gz%%
tar -xzvf seafile-server_*
mkdir installed
ls -la
mv %%seafile-server_4.3.2_pi.tar.gz%% installed/
cd %%seafile-server-4.3.2/%%

The following command will open a wizard which will ask you several questions to set up the Seafile server.
The second question will ask for the server ip or domain (%%your.dyndns.address%%). Here you will need a Dynamic DNS address.

Prepare a Dynamic DNS address with noip.com

Register an account and choose %%your.dyndns.address%% on https://www.noip.com/sign-up under “Hostname” (just to confirm: this will be the address you will use to open your Seafile server later, example: seafile-fan.ddns.net ).

Setting up Seafile with MySQL - part 2/2

When you registered your Dynamic DNS name go on with the Seafile wizard:

./setup-seafile-mysql.sh

-----------------------------------------------------------------
This script will guide you to setup your seafile server using MySQL.
Make sure you have read seafile server manual at

https://github.com/haiwen/seafile/wiki

Press ENTER to continue
-----------------------------------------------------------------


What is the name of the server? It will be displayed on the client.
3 - 15 letters or digits
[ server name ] %%YourSeafileServerName%%

What is the ip or domain of the server?
For example: www.mycompany.com, 192.168.1.101
[ This server's ip or domain ] %%your.dyndns.address%%

Where do you want to put your seafile data?
Please use a volume with enough free space
[ default "/srv/seafile/seafile-data" ] <JustPressEnter>

Which port do you want to use for the seafile fileserver?
[ default "8082" ] <PressEnter>

-------------------------------------------------------
Please choose a way to initialize seafile databases:
-------------------------------------------------------

[1] Create new ccnet/seafile/seahub databases
[2] Use existing ccnet/seafile/seahub databases

[ 1 or 2 ] 1

What is the host of mysql server?
[ default "localhost" ] <JustPressEnter>

What is the port of mysql server?
[ default "3306" ] <JustPressEnter>

What is the password of the mysql root user?
[ root password ] %%YourMySQLrootPassword%%

verifying password of user root ...  done

Enter the name for mysql user of seafile. It would be created if not exists.
[ default "root" ] %%YourMySQLuserForSeafile%%

Enter the password for mysql user "%%":
[ password for %% ] %%PasswordForYourMySQLuserForSeafile%%

Enter the database name for ccnet-server:
[ default "ccnet-db" ] <JustPressEnter>

Enter the database name for seafile-server:
[ default "seafile-db" ] <JustPressEnter>

Enter the database name for seahub:
[ default "seahub-db" ] <JustPressEnter>

---------------------------------
This is your configuration
---------------------------------

server name: %%YourSeafileServerName%%
server ip/domain: %%your.dyndns.address%%

seafile data dir:   /srv/seafile/seafile-data
fileserver port:8082

database:   create new
ccnet database: ccnet-db
seafile database:   seafile-db
seahub database:seahub-db
database user:  %%YourMySQLuserForSeafile%%



---------------------------------
Press ENTER to continue, or Ctrl-C to abort
---------------------------------

Use your second terminal for root commands with %%YourNewArmbianUser%% (= Terminal-ROOTusr):

ssh %%YourServerIP%% -l %%YourNewArmbianUser%%
sudo -s
ulimit -n 30000

In your Terminal-SEAFusr:

./seafile.sh start
./seahub.sh start

Now check in the browser of your client if you can reach seafile
under the address %%YourServerIP%%:8000.


Setting up NGINX with full certificate chain

Preparation of Nginx site configuration

In your Terminal-ROOTusr:

cd /etc/nginx/sites-available/
touch seafile.conf
%%YourEditor%% seafile.conf

Btw: the name seafile.conf doesn’t matter. You can name this file whatever you think is a nice name to identify your Nginx site configuration of your Seafile server.

Here is a template you can use for the nginx site configuration you have just created/opened in your editor. Pay attention to edit all %%VARIABLES%%. Maybe it is better to copy the following template into an editor on your client so that you can find and replace the %%VARIABLES%%. Attention: Don’t edit the two lines ssl_certificate and ssl_certificate_key now because you don’t have the created certificates now. Certificate creattion will follow in the next step.

server {
        listen       80;
        server_name  %%your.dyndns.address%%;
        rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
    }
    server {
        listen 443;
        ssl on;
        ssl_certificate /etc/nginx/ssl/%%your.server.tld.cert-chain.pem%%; # path to your certificate chain
        ssl_certificate_key /etc/nginx/ssl/%%your.server.tld.key%%;        # path to the private.key of your server certificate
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AES:EDH+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA';
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        server_name %%your.dyndns.address%%;
        proxy_set_header X-Forwarded-For $remote_addr;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        server_tokens off;

        location / {
            fastcgi_pass    127.0.0.1:8000;
            fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
            fastcgi_param   PATH_INFO           $fastcgi_script_name;

            fastcgi_param   SERVER_PROTOCOL     $server_protocol;
            fastcgi_param   QUERY_STRING        $query_string;
            fastcgi_param   REQUEST_METHOD      $request_method;
            fastcgi_param   CONTENT_TYPE        $content_type;
            fastcgi_param   CONTENT_LENGTH      $content_length;
            fastcgi_param   SERVER_ADDR         $server_addr;
            fastcgi_param   SERVER_PORT         $server_port;
            fastcgi_param   SERVER_NAME         $server_name;
            fastcgi_param   REMOTE_ADDR         $remote_addr;
            fastcgi_param   HTTPS               on;
            fastcgi_param   HTTP_SCHEME         https;

            access_log      /var/log/nginx/seahub.access.log;
            error_log       /var/log/nginx/seahub.error.log;
            fastcgi_read_timeout 36000;
        }
        location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            proxy_connect_timeout  36000s;
            proxy_read_timeout  36000s;
            proxy_send_timeout  36000s;
            send_timeout  36000s;
            #proxy_request_buffering off; #activation possible for nginx version 1.7.11 and higher
        }
        location /media {
            root /srv/seafile/seafile-server-latest/seahub;
        }
    }
Optional: some Nginx tweaks

All these tweaks are not essential in the beginning. If you doon’t know what to do go on now with step “Full certificate chain”.

HTTPS2 or SPDY support

You can add support for HTTP2 or SPDY according to your nginx version. If you don’t need HTTP2 or SPDY or you don’t know what to do just skip this point.
To add support for HTTP2 or check your Nginx version with:

nginx -v

Then change the line listen 443; to one of the following ones according to your Nginx version:

listen 443 http2; #nginx version 1.9.5 and higher
listen 443 spdy; #nginx version below 1.9.5
Optimizing large file uploads

Some users experiienced problems uploading large files (>4GB) if using small SD cards for the operation system. In thix contect for more reliable large file uploads there are two possibilities depending on your Nginx version. check your Nginx version with:

nginx -v

If your Nginx version is 1.7.11 or higher you can _dis_able proxy_request_buffering deleting the hashtag (#) before #proxy_request_buffering off; (so to activate: proxy_request_buffering off;)in the provided Nginx config above.
You can find further information on this @seafile manual and @nginx documentation.

If your Nginx version is below 1.7.11 you could relocate Nginx directory (which is used as cache for large files) to an external drive (there is a tutorial for this here. If you want to do this finish the whole tutorial at first and come back later!

sudo -s
service nginx stop
cp /var/lib/nginx /var/lib/nginx_org
mkdir -p /mnt/externaldrive/nginx-data
mv -f /var/lib/nginx/* /mnt/externaldrive/nginx-data
rmdir /var/lib/nginx
cd /var/lib
ln -s /mnt/externaldrive/nginx-data nginx

If you have to _de_crypt your external drive after every server restart manually Nginx will not autostart properly (because it can not access /var/lib/nginx until the external drive is encrypted). In this case you can disable autostart for Nginx with update-rc.d nginx disable which means you have to start Nginx manually before you start Seafile with service nginx start.

Full certificate chain

There are two missing %%VARIABLES%% in the Nginx site configuration (in the lines I told you not to touch: ssl_certificate and ssl_certificate_key). For these variables we need to create certificates now.
To set up a full certificate chain follow Tutorial for a complete certificate chain with your own Certificate Authority (CA).

If you are asking why you should set up a full certificate chain (and not just a “simple” certificate): if you are not providing a certificate chain you (and any other user of your Seafile server) have to activate in your Seafile client under Settings / Advanced / “Do not verify server ertificate in HTTPS syncing” later (otherwise your Seafiel client will not sync any data with your Seafile server). This is annoying, confusing - and checking “Do not verify server ertificate in HTTPS syncing” even dangerous . Setting up a full certificate chain doesn’t take really more time in comparison with setting up a simple certificate (if you use the “short way” in the linked tutorial).

When you are done with the certificates come back here. Confirm that there are now %%VARIABLES%% anymore in the Nginx site configuration before you go on.

Activation of Nginx site configuration

To activate the complete Nginx site configuration for Seafile go on in your Terminal-ROOTusr:

cd /etc/nginx/sites-enabled/
ls -la
ln -s /etc/nginx/sites-available/seafile.conf /etc/nginx/sites-enabled/
ls -la
nginx -s reload
exit

Completing Dynamic DNS address configuration

Following this tutorial you should have registered on www.no-ip.com already. Now go on building the program that sends your dynamic ip address to the no-ip.com server so that %%your.dyndns.address%% is always linking to your actual dynamic ip of your server.
Notes:

  1. I prefer checkinstall instead of make install but somehow this didn’t work for me in this case.
  2. Some routers offer a service to update the dynamic ip to a dynamic dns address. Check your router config for this and you don’t need to set up the following step.

In your Terminal-ROOTusr:

cd /home/%%YourNewArmbianUser%%
mkdir %%aFolderToCompileNo-IP-Updater%%
cd %%aFolderToCompileNo-IP-Updater%%/
wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
tar xvf noip-duc-linux.tar.gz
cd noip-2.1.9-1/
sudo make install

The no-ip-ipdater will ask you now for your registered data. Example:

Auto configuration for Linux client of no-ip.com.

Please enter the login/email string for no-ip.com %%YourNoIPUserName%%
Please enter the password for user '%%YourNoIPUserName%%' %%YourNoIPUserPassword%%

Only one host [%%your.dyndns.address%%] is registered to this account.
It will be used.
Please enter an update interval:[30] 
Do you wish to run something at successful update?[N] (y/N) N

New configuration file 'CONFIG' created.

Now we have to set up autostart for the no-ip-updater:

noip2
sudo -s
%%YourEditor%% /etc/init.d/noip

You can use the following template for the just opened/created file:

#! /bin/sh

### BEGIN INIT INFO
# Provides: noip2
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start and stop directadmin
# Description: DirectAdmin
### END INIT INFO
    
case "$1" in
  start)
    echo "Starting noip2"
    /usr/local/bin/noip2
  ;;
  stop)
    echo -n "Shutting down noip2"
    for i in `noip2 -S 2>&1 | grep Process | awk '{print $2}' | tr -d ','`
    do
     noip2 -K $i
    done
  ;;
  *)
    echo "Usage: $0 {start|stop}"
    exit 1
esac
exit 0

Finish the set up for no-ip in your Terminal-ROOTusr with:

chmod +x /etc/init.d/noip
chmod 700 /usr/local/bin/noip2
chown root:root /usr/local/bin/noip2
chmod 700 /etc/init.d/noip
chown root:root /etc/init.d/noip
chmod 700 /usr/local/etc/no-ip2.conf
chown root:root /usr/local/etc/no-ip2.conf
update-rc.d -n noip defaults
update-rc.d noip defaults
service noip stop
service noip start

Set up %%your.dyndns.address%% in seafile config files (ccnet.conf and seahub_settings.py) in your Terminal-SEAFusr:

cd /srv/seafile/conf/
%%YourEditor%% ccnet.conf

%%
SERVICE_URL = https://%%your.dyndns.address%%
%%

%%YourEditor%% seahub_settings.py

%%
FILE_SERVER_ROOT = ‘https://%%your.dyndns.address%%/seafhttp’
%%

cd /srv/seafile/seafile-server-latest/
./seafile.sh start
./seahub.sh start-fastcgi

On your client system check in your browser if you can open seafile with %%your.dyndns.address%%. If the Seafile site does not appear check your router configuration: the router has to forward port 80 and port 443 to the local LAN address of your server. So in your router configuration system bind the MAC address of your server to %%YourServerIP%% and forward port 80 and 443 to %%YourServerIP%% (you can find iMAC and IP with the command ip addr on your server). If you can connect to seafile via browser you can go on in your Terminal-SEAFusr to stop your Seafile server:

./seahub.sh stop
./seafile.sh stop

Start/stop script for Seafile

In your Terminal-ROOTusr:

touch /etc/init.d/seafile-server
%%YourEditor%% /etc/init.d/seafile-server

You can use the following template for the just opened/created file. If your Seafile server directory is /srv/seafile/ you just need to adjust all %%YourSystemUserNameForSeafile%%:

#!/bin/sh

### BEGIN INIT INFO
# Provides:          seafile-server
# Required-Start:    $local_fs $remote_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Starts Seafile Server
# Description:       starts Seafile Server
### END INIT INFO

# Change the value of "user" to linux user name who runs seafile
user=%%YourSystemUserNameForSeafile%%

# Change the value of "seafile_dir" to your path of seafile installation
# usually the home directory of $user
seafile_dir=/srv/seafile
script_path=${seafile_dir}/seafile-server-latest
seafile_init_log=${seafile_dir}/logs/seafile.init.log
seahub_init_log=${seafile_dir}/logs/seahub.init.log

# Change the value of fastcgi to true if fastcgi is to be used
fastcgi=true
# Set the port of fastcgi, default is 8000. Change it if you need different.
fastcgi_port=8000

#
# Write a polite log message with date and time
#
echo -e "\n \n About to perform $1 for seafile at `date -Iseconds` \n " >> ${seafile_init_log}
echo -e "\n \n About to perform $1 for seahub at `date -Iseconds` \n " >> ${seahub_init_log}

case "$1" in
        start)
                sudo -u ${user} ${script_path}/seafile.sh ${1} >> ${seafile_init_log}
                if [ $fastcgi = true ];
                then
                        sudo -u ${user} ${script_path}/seahub.sh ${1}-fastcgi ${fastcgi_port} >> ${seahub_init_log}
                else
                        sudo -u ${user} ${script_path}/seahub.sh ${1} >> ${seahub_init_log}
                fi
        ;;
        restart)
                sudo -u ${user} ${script_path}/seafile.sh ${1} >> ${seafile_init_log}
                if [ $fastcgi = true ];
                then
                        sudo -u ${user} ${script_path}/seahub.sh ${1}-fastcgi ${fastcgi_port} >> ${seahub_init_log}
                else
                        sudo -u ${user} ${script_path}/seahub.sh ${1} >> ${seahub_init_log}
                fi
        ;;
        stop)
                sudo -u ${user} ${script_path}/seahub.sh ${1} >> ${seahub_init_log}
                sudo -u ${user} ${script_path}/seafile.sh ${1} >> ${seafile_init_log}
        ;;
        *)
                echo "Usage: /etc/init.d/seafile-server {start|stop|restart}"
                exit 1
        ;;
esac

Go on in your Terminal-ROOTusr:

chmod +x /etc/init.d/seafile-server
update-rc.d seafile-server defaults
service seafile-server start
service seafile-server restart
service seafile-server stop
service seafile-server start
  • If start/restart/stop works without any errors: Congratulation. Your seafile server is technically ready.
  • For a minimum of security we should set up a working firewall with iptables now with the following chapter.
  • In all following chapters I will not tell you which terminal you use. I assume you know how to handle the commands in a way that is best for you.

Setting up a firewall with iptables

sudo -s
%%YourEditor%% /etc/iptables.test.rules

%%YourEditor%% should open a new, empty file in which you include the following lines. Pay attention to edit the SSH port if you use another than port 22:

*filter
# based on https://wiki.debian.org/iptables

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Now we restore this rules for testing and take a look if the rules are as intended:

iptables-restore < /etc/iptables.test.rules
iptables -vL

If everything as intended we can save the rules into a file that restores the rules on every restart of the server:

iptables-save > /etc/iptables.up.rules

Now we set up a script that enables the iptables rules on every startup:

%%YourEditor%% /etc/network/if-pre-up.d/iptables

Add the following two lines to enable new rules in the just opened/created file:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

Make the just created script executable:

chmod +x /etc/network/if-pre-up.d/iptables


Last steps

Go back to Own certificates with complete certificate chain and follow the “Last steps”.
When you are done check your web server security settings.


That’s it. :beers: Now have fun tweaking your seafile server.

:mega: If you want to use your Seafile server as a 24/7 system accessible in world wide web I highly recommend you 1. change standard SSH port, 2. use public key authentication in combination with a password and 3. permit SSH login only with username and password!



“Nice to have”

  1. Tutorial for Logwatch on Debian for Nginx with Postfix configuration as
    “Satellite system”
  2. Tutorial for a complete certificate chain with your own Certificate
    Authority (CA)
  3. Tutorial for relocating seafile-data directory (optionally on an encrypted volume)
  4. Tutorial for importing old MySQL/MariaDB databases and old SEAFILE-DATA
  5. Tutorial for streaming video/audo with your Seafile server via miniDLNA and FUSE
  6. Nginx tweaks in step “Preparation of Nginx site configuration”


Please ask all questions in this thread and not via PM (there are no stupid questions for me) :bangbang:


Tutorial for a complete certificate chain with your own Certificate Authority (CA)
Tutorial for relocating seafile-data directory (optionally on an encrypted volume)
Tutorial for Logwatch on Debian for Nginx with Postfix configuration as "Satellite system"
Tutorial for streaming video/audo with your Seafile server via miniDLNA and FUSE
Seafile & Windows= Dead end buggy software
Synchronisation between Ubuntu & Windows 10 + IP address setup
Tutorial for server migration (importing MySQL/MariaDB databases and seafile-data)
Kernel problems with Seafile server
#2

In the beginning of the iptables configuration I’ve changed the lines

-A INPUT -d 127.0.0.0/8 -j REJECT
# last line different from debian wiki and taken from http://www.rootathome.de/firewall-mit-iptables-unter-debian-einrichten/

with this one:

-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

The current one is the original one from the Debian wiki. I had to use the former one in Seafile v4 because otherwise I couldn’t sync. Nobody could tell me what is the reason for. Recently I found out that the Debian wiki version works fine with Seafile v5 now.


Installation Best Practices
#3

With a lot of thanks to @jobenvil @infinity and @Gabriele_Zappi I could add another part:

Hope I combined your information right. As always: comments welcome and thanks for the great team play! :slight_smile:


#4

/added missing fastcgi_param REMOTE_ADDR $remote_addr; in Nginx conf
/changed start/stop script based on http://manual.seafile.com/deploy/start_seafile_at_system_bootup.html