Unhandled http redirect from server error with Windows client after adding ssl cetificates

KugisMugis · November 23, 2020, 10:20pm

I have followed seafile readthedocs io guide and after basic set up my seafile server was working fine. I had no problems hosting seafile server on linux, and acessing and synchronizing files on linux, windows and android clients. After a week or so, I decided what it would be nice to add ssl certificate.
I created and installed my own certificate with letsencrypt and certbot and after that I configured nginx according to the guide. But now I’m having some problems.
I can access https : / / seafile mydomain com web service and upload files. Same with android client.
But on windows client, the most important one to me, I get “Unhandled http redirect from server. Please check server configuration.” error.
Things I have tried but didn’t work for me:

proxy_set_header Host $host:$server_port as seen in other thread
in windows client application change client address to https
checked seahub_settings.py and ccnet.conf. Https is set
deleting sqlite .db file

At this point I am lost, and don’t know where to look. I would be really happy, if someone could help me or at least point me in the right direction.
Here is my configuration file

server {
    listen       80;
    server_name  seafile mydomainname com;
    server_tokens off;
#   location / {
        rewrite ^ https :// $http_host$request_uri? permanent;    # force redirect http to https
#   }
    location /.well-known/acme-challenge {
        alias /var/www/letsencrypt/.well-known/acme-challenge;
        location ~ /.well-known/acme-challenge/(.*) {
            add_header Content-Type application/jose+json;
        }
    }
#    error_log /var/log/nginx/seafile.mydomainname.com.error.log debug;
}

server {
    listen      443 ssl http2; 
    server_name _;
    server_tokens off;
    ssl_protocols TLSv1.2;
    # ssl_certificate /etc/ssl/private/cacert.pem;
    # ssl_certificate_key /etc/ssl/private/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/seafile.mydomainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/seafile.mydomainname.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 192 168 0 1;
    ssl_dhparam /etc/ssl/private/dhparam2048.pem;
    ssl_ecdh_curve secp384r1;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
    ssl_prefer_server_ciphers on;        ssl_session_timeout 10m;  proxy_set_header X-Forwarded-For $remote_addr;
    add_header Strict-Transport-Security "max-age=31536000;
    includeSubDomains";
    
    location / {
        proxy_pass http :// 127 0 0 1:8000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_http_version 1.1;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;     # used for view/edit office file via Office Online Server
        client_max_body_size 0;
        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
    }
    
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
        proxy_request_buffering off;
        proxy_http_version 1.1;
    }
    
    location /seafmedia {
        rewrite ^/seafmedia(.*)$ /media$1 break;
        root /opt/seafile/seafile-server-latest/seahub;
    }
    
    location /seafdav {
        proxy_pass http // 127 0 0 1:8080;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_http_version 1.1;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;     # This option is only available for Nginx >= 1.8.0.
        client_max_body_size 0;
        proxy_request_buffering off;
        access_log      /var/log/nginx/seafdav.access.log;
        error_log       /var/log/nginx/seafdav.error.log;
    }
    #    error_log /var/log/nginx/seafile.mydomainname.com.error2.log debug;
}

dots in urls were edited out, because as a new member I can’t post links
p.s. sry for my poor english.

KugisMugis · December 15, 2020, 8:19pm

After trying to debug for a bit I think a managed to narrow my problem a bit.
This is not seafile problem, but nginx configuration problem.
By watching nginx logs and /seafhttp logs I managed to find that these requests are not being redirected to /seafhttp

78.58.211.199 - - [15/Dec/2020:22:08:03 +0200] "POST /seafhttp/repo/head-commits-multi/ HTTP/1.1" 301 162 "-" "Seafile/7.0.10 (Windows NT)" 
78.58.211.199 - - [15/Dec/2020:22:08:04 +0200] "PUT /seafhttp/repo/ad84fe7b-090f-4b37-91f9-ccc694736197/commit/1dff36e1674cf66ab27cefd7256b0e17d0220753 HTTP/1.1" 301 162 "-" "Seafile/7.0.10 (Windows NT)"

Yet I still don’t know how to solve this problem

jobenvil · December 17, 2020, 8:42pm

Do the test without the redirect:

#rewrite ^ https :// $http_host$request_uri? permanent;    # force redirect http to https

Had the same issue.

KugisMugis · December 17, 2020, 9:05pm

I just get failed to load libraries information now.
By commenting out rewrite line even GET requests don’t reach /seafhttp.

What is even weirder to me that when I’m uploading a file by web browser I can see /seafhttp POST request go trough.

I’m so lost that I’m starting to think I should look at other alternatives, like nextcloud maybe?

KugisMugis · December 17, 2020, 9:38pm

Solved by just moving this part from listen on 443 port to listen on 80

location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
        proxy_request_buffering off;
        proxy_http_version 1.1;
    }

And by adding if clause to filter GET requests

if ($request_method = GET) {
             rewrite ^ https :// $http_host$request_uri? permanent;    # force redirect http to https
}

I don’t know which change solved my problem and I still don’t know that is correct way to setup but at this point I’m too afraid to change anything so that I don’t break something again
I wanted to increase security by using https with letsencrypt certificates. I don’t think I succeeded, but I guess first ill need to complete courses on cryptography and IT security first, before tinkering with settings.

Anyway, thank you everyone in this thread for help!

jobenvil · December 17, 2020, 10:00pm

I had same issue, i don’t know why suddenly. I had to stop synchronisation, unsynch libraries, delete profile, etc. It seems weird, but I didn’t know really what was helping exactly and not idea what was the trigger. I understand your fear though.

lrq3000 · October 1, 2021, 8:42pm

The issue may be with the Windows client itself. Try to uninstall the client, accept the dialog asking if you want to delete the profiles, and then reinstall. For me this worked.

I also tweaked my DNS server to point to the root domain by default (instead of www), but I don’t think this was the culprit.

See also: [SeaDrive Bug]; Work-around after switching to https - #2 by germeier