Unable to connect to WebDav of Seafile Server 6.0.6 using NGINX, HTTPS and MySQL running on Ubuntu Server 16.04.1 LTS

Dear Seafile Support Team and Community Users,

I have been using Seafile for 4 years and have tried out different operating systems running Seafile Server with good results.

My current private project is to move my own private cloud storage from my virtual machine with Ubuntu 14.04.4 LTS running Seafile Server 5.0.5 using Apache and SQLite with Seafile using HTTPS and WebDav using HTTP which is running fully stable to a new virtual machine with Ubuntu Server 16.04.1 LTS running Seafile Server 6.0.6 using NGINX, HTTPS (seafile+webdav) and MySQL.

Seafile and Seahub are up and running, and I’m able to access Seafile Server 6.0.6 using the web interface and the Seafile client. Seafile Server 6.0.6 looks fully functional.

But unfortunately I’m unable to connect to Webdav: https://my.domain.de:8080/seafdav/

The log files for nginx/seafdav* are empty:

root@seaf-priv:/var/log/nginx# ls -latr
total 104
-rw-r--r--  1 www-data root       0 Dec  4 01:08 seafdav.error.log
-rw-r--r--  1 www-data root       0 Dec  4 01:08 seafdav.access.log

I have deactivated the firewall for troubleshooting:

root@seaf-priv:~# ufw status
Status: inactive

The active connections look okay to me:

root@seaf-priv:~# netstat -tulpn 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1156/mysqld     
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1359/python2.7  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1243/nginx -g daemo
tcp        0      0 0.0.0.0:8082            0.0.0.0:*               LISTEN      1360/seaf-server
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1135/sshd       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1243/nginx -g daemo
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      1447/python2.7  
tcp6       0      0 :::22                   :::*                    LISTEN      1135/sshd

This is the seafdav.conf:

[WEBDAV]
enabled = true
port = 8080
fastcgi = true
share_name = /seafdav

And this is the seafile.conf:

[general]
enable_syslog = true

[fileserver]
port = 8082
web_token_expire_time = 7200

[database]
type = mysql
host = 127.0.0.1
port = 3306
user = seafile
password = xxx
db_name = seafile-db
connection_charset = utf8
max_connections = 1000

[quota]
default = 400GB

[zip]
windows_encoding = iso-8859-1

And this is the /etc/nginx/sites-available/seafile.conf:

server {
    listen 80;
    server_name my.domain.de;
    rewrite ^ https://$http_host$request_uri? permanent;
}
server {
    listen 443;
    ssl on;
    ssl_certificate /home/seacloud/seaf-server/cacert.pem;
    ssl_certificate_key /home/seacloud/seaf-server/privkey.pem;
    server_name my.domain.de;
    proxy_set_header X-Forwarded-For $remote_addr;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    server_tokens off;

    location / {
        fastcgi_pass    127.0.0.1:8000;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param    SERVER_PROTOCOL        $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param    SERVER_ADDR         $server_addr;
        fastcgi_param    SERVER_PORT         $server_port;
        fastcgi_param    SERVER_NAME         $server_name;
        fastcgi_param   REMOTE_ADDR         $remote_addr;
        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;	

        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
        fastcgi_read_timeout 36000;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        proxy_request_buffering off;
        send_timeout  36000s;
    }

     location /seafdav {
        fastcgi_pass    127.0.0.1:8080;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param   SERVER_PROTOCOL     $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param   SERVER_ADDR         $server_addr;
        fastcgi_param   SERVER_PORT         $server_port;
        fastcgi_param   SERVER_NAME         $server_name;
        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;

        client_max_body_size 0;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;

        # This option is only available for Nginx >= 1.8.0. See more details below.
        proxy_request_buffering off;

        access_log      /var/log/nginx/seafdav.access.log;
        error_log       /var/log/nginx/seafdav.error.log;
    }

    location /media {
        root /home/seacloud/seaf-server/seafile-server-latest/seahub;
    }
}

To see whether WebDav is generally working, I have changed the configuration temporarily. I found a hint to change the configuration for troubleshooting as follows, to see whether it is possible to connect to: https://my.domain.de:8080/seafdav/seafile_logo.png

But unfortunately it does not work. Interestingly, the web browsers Safari and Firefox do not run into a timeout or connection error; only a “working ring” is visible.

And the log files are still empty:

root@seaf-priv:/var/log/nginx# ls -latr
total 96
-rw-r--r--  1 www-data root       0 Dec  4 01:08 seafdav.error.log
-rw-r--r--  1 www-data root       0 Dec  4 01:08 seafdav.access.log

The firewall is still inactive:

root@seaf-priv:/var/log/nginx# ufw status
Status: inactive

And the active connections are:

root@seaf-priv:/var/log/nginx# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1144/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1691/nginx -g daemo
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1347/python2.7  
tcp        0      0 0.0.0.0:8082            0.0.0.0:*               LISTEN      1348/seaf-server
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1122/sshd       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1691/nginx -g daemo
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      1532/python2.7  
tcp6       0      0 :::22                   :::*                    LISTEN      1122/sshd

I have added the last line to seafdav.conf for troubleshooting:

[WEBDAV]
enabled = true
port = 8080
fastcgi = true
share_name = /seafdav
host = 0.0.0.0

And also I have added this line:

host = 0.0.0.0

for troubleshooting to seafile.conf:

[general]
enable_syslog = true

[fileserver]
host = 0.0.0.0
port = 8082
web_token_expire_time = 7200

[database]
type = mysql
host = 127.0.0.1
port = 3306
user = seafile
password = xxx
db_name = seafile-db
connection_charset = utf8
max_connections = 1000

[quota]
default = 400GB

[zip]
windows_encoding = iso-8859-1

For troubleshooting I have commented out lines in /etc/nginx/sites-available/seafile.conf - see below - and I have added these two lines:

	rewrite ^/seafdav(.*)$ /media/img$1 break;
	root /home/seacloud/seaf-server/seafile-server-latest/seahub;

Full troubleshooting configuration of /etc/nginx/sites-available/seafile.conf:

server {
    listen 80;
    server_name my.domain.de;
    rewrite ^ https://$http_host$request_uri? permanent;
}
server {
    listen 443;
    ssl on;
    ssl_certificate /home/seacloud/seaf-server/cacert.pem;
    ssl_certificate_key /home/seacloud/seaf-server/privkey.pem;
    server_name my.domain.de;
    proxy_set_header X-Forwarded-For $remote_addr;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    server_tokens off;

    location / {
        fastcgi_pass    127.0.0.1:8000;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param    SERVER_PROTOCOL        $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param    SERVER_ADDR         $server_addr;
        fastcgi_param    SERVER_PORT         $server_port;
        fastcgi_param    SERVER_NAME         $server_name;
        fastcgi_param   REMOTE_ADDR         $remote_addr;
        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;

        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
        fastcgi_read_timeout 36000;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        proxy_request_buffering off;
        send_timeout  36000s;
    }

     location /seafdav {
#        fastcgi_pass    127.0.0.1:8080;
#        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
#        fastcgi_param   PATH_INFO           $fastcgi_script_name;
#
#        fastcgi_param   SERVER_PROTOCOL     $server_protocol;
#        fastcgi_param   QUERY_STRING        $query_string;
#        fastcgi_param   REQUEST_METHOD      $request_method;
#        fastcgi_param   CONTENT_TYPE        $content_type;
#        fastcgi_param   CONTENT_LENGTH      $content_length;
#        fastcgi_param   SERVER_ADDR         $server_addr;
#        fastcgi_param   SERVER_PORT         $server_port;
#        fastcgi_param   SERVER_NAME         $server_name;
#        fastcgi_param   HTTPS               on;
#        fastcgi_param   HTTP_SCHEME         https;
#
#        client_max_body_size 0;
#        proxy_connect_timeout  36000s;
#        proxy_read_timeout  36000s;
#        proxy_send_timeout  36000s;
#        send_timeout  36000s;
#
#        # This option is only available for Nginx >= 1.8.0. See more details below.
#        proxy_request_buffering off;

        rewrite ^/seafdav(.*)$ /media/img$1 break;
        root /home/seacloud/seaf-server/seafile-server-latest/seahub;

        access_log      /var/log/nginx/seafdav.access.log;
        error_log       /var/log/nginx/seafdav.error.log;
    }

    location /media {
        root /home/seacloud/seaf-server/seafile-server-latest/seahub;
    }
}

Now I’m unsure whether it is a configuration error, because the nginx log files for seafdav are empty in both cases.

Furthermore I have tried to switch seafdav to not using fastcgi and http only. But with the same result.

Does anyone have an idea how to get WebDav running in this setup:

  • Ubuntu Server 16.04.1 LTS
  • Seafile Server 6.0.6
  • NGINX with HTTPS (for seafile+webdav)
  • MySQL

Thanks in advance for your support.

Greetings

lucki.luck

You should never use the webdav server port (8080) directly. If you do that, you are circumventing any security measures of your reverse proxy (nginx), including HTTPS. In this case, it doesn’t work, because you are trying to communicate with an HTTP server over HTTPS. Instead, use the default HTTPS port and let the reverse proxy do the redirection:

https://my.domain.de/seafdav/

Since your requests did not reach nginx (which is listening on port 443, not 8080) nothing was logged either.
All internal ports (such as 8000, 8080, basically all except 80 and 443) should not be reachable from the internet, for security reasons!
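
A check for the rule stated in the answer above, as an added example that is not part of the original thread: it reads `netstat -tulpn` output and lists every TCP listener that is bound to a non-loopback address on a port outside an allowlist. The allowlist (22, 80, 443) and the function names are assumptions; the sample lines are taken from the troubleshooting listing earlier in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list TCP listeners that other hosts can
# reach although their port is not meant to be public.

# Assumption: only SSH and the nginx ports should face the network.
PUBLIC_PORTS="22 80 443"

# Reads `netstat -tulpn` output on stdin and prints one line per exposed
# listener as "<port> <bind address> <program>".
audit_listeners() {
    awk -v allowed="$PUBLIC_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            if (port in ok) next                         # intended public port
            prog = $7; sub(/^[0-9]+\//, "", prog)        # drop the PID prefix
            print port, addr, prog
        }'
}

# Sample input: lines from the troubleshooting listing earlier in the thread.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1144/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1691/nginx -g daemo
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1347/python2.7
tcp        0      0 0.0.0.0:8082            0.0.0.0:*               LISTEN      1348/seaf-server
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1122/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1691/nginx -g daemo
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      1532/python2.7
tcp6       0      0 :::22                   :::*                    LISTEN      1122/sshd
EOF
}

# On the real host: netstat -tulpn | audit_listeners
sample_netstat | audit_listeners
```

An empty result means every backend port is bound to loopback, which is the state shown in the final `netstat` listing of this thread.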

Dear Cybran,

thanks a lot for your answer.

Yes, you’re right. And that’s the difference from the configuration of my old Seafile Server 5.0.5 using Apache and SQLite, with Seafile using HTTPS and WebDav using HTTP. For this I’m using port 8084, and for the Apache configuration with WebDav using HTTP it was necessary to use this port in the URL.

So I have changed the port my Seafile Server 6.0.6 uses for WebDav. I have changed the configuration to listen on 127.0.0.1 only and activated the firewall.
And it works with this example URL: https://my.domain.de/seafdav/
And the log file ‘seafdav.access.log’ is not empty anymore.

root@seaf-priv:~# netstat -tulpn 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1228/mysqld     
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1208/memcached  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1325/nginx -g daemo
tcp        0      0 127.0.0.1:8082          0.0.0.0:*               LISTEN      1437/seaf-server
tcp        0      0 127.0.0.1:8084          0.0.0.0:*               LISTEN      1436/python2.7  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1206/sshd       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1325/nginx -g daemo
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      1524/python2.7  
tcp6       0      0 :::22                   :::*                    LISTEN      1206/sshd       
udp        0      0 127.0.0.1:11211         0.0.0.0:*                           1208/memcached  
root@seaf-priv:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
Nginx HTTPS                ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)             
Nginx HTTPS (v6)           ALLOW       Anywhere (v6)             

root@seaf-priv:~# 

Thanks a lot. The big mistake was to use the port in the URL.
And for security reasons I have changed the port used for WebDav, as I have done for one of my older Seafile Servers too.

FYI - I have two hardware firewalls that allow HTTPS only for my public Seafile Server, which is reachable from the internet. For this I have configured HTTPS only and not WebDav. And on this I have no important or critical data. I’m using this server to share pictures with my family.
A second Seafile Server I’m using only internally, which is reachable via VPN only, and on this I’m using WebDav. And via HTTPS only :)

Greetings and thanks again for the important hint

lucki.luck

Just an additional remark:
WebDAV is simply an extension for HTTP that can be used over HTTP or HTTPS.
So there is no security difference between WebDAV via HTTPS and HTTPS by itself.

Best regards,
Moritz


Glad I was able to help and you got it working! And good thing you have those firewall rules in place and are binding the WebDAV server to the loopback interface. The setup you described seems to be secure, transport-wise :)

Also, may I suggest that you mark the thread as solved? This way other users will more easily see that you have found a solution for the problem.

Best regards
Cybran


Thanks a lot for your quick and good support!