Configuration of Seahub behind Nginx
Both components of Seafile Server, Seahub and seaf-server, can be configured to run behind a reverse proxy. A reverse proxy increases the performance of Seafile and allows the encryption of inbound and outbound traffic.
For production use, a setup with a reverse proxy and HTTPS encryption is a MUST.
Nginx, a popular and resource-friendly HTTP server and reverse proxy, is a good option. Nginx's documentation is available at http://nginx.org/en/docs/.
Setup
The configuration of Seafile behind Nginx as a reverse proxy is demonstrated using the sample host name seafile.example.com.
These instructions assume the following requirements:
- Seafile Server Community Edition/Professional Edition was set up according to the instructions in this manual (i.e., a dedicated user seafile exists and all Seafile files are stored in /opt/seafile)
- A host name points at the IP address of the server and the server is available on port 80
If your setup differs from these requirements, adjust the following instructions accordingly.
Installing Nginx
Install Nginx using the package repositories:
# CentOS
sudo yum install nginx -y
# Debian/Ubuntu
sudo apt install nginx -y
After the installation, start the server and enable it so that Nginx starts at system boot:
# CentOS/Debian/Ubuntu
sudo systemctl start nginx
sudo systemctl enable nginx
Preparing Nginx
The configuration of a proxy server in Nginx differs slightly between CentOS and Debian/Ubuntu. Additionally, the restrictive default settings of SELinux's configuration on CentOS require a modification.
Preparing Nginx on CentOS
Switch SELinux into permissive mode and make the setting persistent:
sudo setenforce permissive
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
Create a configuration file for seafile in /etc/nginx/conf.d:
touch /etc/nginx/conf.d/seafile.conf
Preparing Nginx on Debian/Ubuntu
Create a configuration file for seafile in /etc/nginx/sites-available/:
touch /etc/nginx/sites-available/seafile.conf
Delete the default files in /etc/nginx/sites-enabled/ and /etc/nginx/sites-available:
rm /etc/nginx/sites-enabled/default
rm /etc/nginx/sites-available/default
Create a symbolic link:
ln -s /etc/nginx/sites-available/seafile.conf /etc/nginx/sites-enabled/seafile.conf
Configuring Nginx
Copy the following sample Nginx config file into the newly created seafile.conf and modify the content to fit your needs:
log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {
    listen 80;
    server_name seafile.example.com;

    proxy_set_header X-Forwarded-For $remote_addr;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_read_timeout 1200s;

        # used for view/edit office file via Office Online Server
        client_max_body_size 0;

        access_log /var/log/nginx/seahub.access.log seafileformat;
        error_log /var/log/nginx/seahub.error.log;
    }

    # If you are using [FastCGI](http://en.wikipedia.org/wiki/FastCGI),
    # which is not recommended, you should use the following config for location `/`.
    #
    # location / {
    #     fastcgi_pass 127.0.0.1:8000;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_param PATH_INFO $fastcgi_script_name;
    #
    #     fastcgi_param SERVER_PROTOCOL $server_protocol;
    #     fastcgi_param QUERY_STRING $query_string;
    #     fastcgi_param REQUEST_METHOD $request_method;
    #     fastcgi_param CONTENT_TYPE $content_type;
    #     fastcgi_param CONTENT_LENGTH $content_length;
    #     fastcgi_param SERVER_ADDR $server_addr;
    #     fastcgi_param SERVER_PORT $server_port;
    #     fastcgi_param SERVER_NAME $server_name;
    #     fastcgi_param REMOTE_ADDR $remote_addr;
    #     fastcgi_read_timeout 36000;
    #
    #     client_max_body_size 0;
    #
    #     access_log /var/log/nginx/seahub.access.log;
    #     error_log /var/log/nginx/seahub.error.log;
    # }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 36000s;
        proxy_read_timeout 36000s;
        proxy_send_timeout 36000s;
        send_timeout 36000s;

        access_log /var/log/nginx/seafhttp.access.log seafileformat;
        error_log /var/log/nginx/seafhttp.error.log;
    }

    location /media {
        root /opt/seafile/seafile-server-latest/seahub;
    }
}
The following options must be modified in the CONF file:
- Server name (server_name)
Optional customizable options in the seafile.conf are:
- Server listening port (listen) - if Seafile server should be available on a non-standard port
- Proxy pass for location / - if Seahub is configured to start on a different port than 8000
- Proxy pass for location /seafhttp - if seaf-server is configured to start on a different port than 8082
- Maximum allowed size of the client request body (client_max_body_size)
The default value for client_max_body_size is 1M. Uploading larger files results in HTTP error 413 ("Request Entity Too Large"). It is recommended to synchronize the value of client_max_body_size with the parameter max_upload_size in section [fileserver] of seafile.conf. Optionally, the value can also be set to 0 to disable this limit. Client uploads are only partly affected by this limit. With a limit of 100 MiB they can safely upload files of any size.
Finally, make sure your seafile.conf does not contain syntax errors and restart Nginx for the configuration changes to take effect:
nginx -t
nginx -s reload
Modifying ccnet.conf
The SERVICE_URL in ccnet.conf informs Seafile about the chosen domain, protocol and port. Change the SERVICE_URL so as to correspond to your host name (the http:// must not be removed):
SERVICE_URL = http://seafile.example.com
Note: The SERVICE_URL can also be modified in Seahub via System Administration > Settings. If SERVICE_URL is configured via System Admin and in ccnet.conf, the value in System Admin will take precedence.
Modifying seahub_settings.py
The FILE_SERVER_ROOT in seahub_settings.py informs Seafile about the location of and the protocol used by the file server. Change the FILE_SERVER_ROOT so as to correspond to your host name (the http:// and the trailing /seafhttp must not be removed):
FILE_SERVER_ROOT = 'http://seafile.example.com/seafhttp'
Note: The FILE_SERVER_ROOT can also be modified in Seahub via System Administration > Settings. If FILE_SERVER_ROOT is configured via System Admin and in seahub_settings.py, the value in System Admin will take precedence.
Modifying seafile.conf
To improve security, the file server should only be accessible via Nginx.
Add the following line to the [fileserver] block of seafile.conf in /opt/seafile/conf:
host = 127.0.0.1 ## default: 0.0.0.0
After this change, the file server only accepts requests from Nginx.
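The values set in ccnet.conf, seahub_settings.py and seafile.conf have to agree with the Nginx server_name and with the loopback binding described above. The following Python check is an added example, not part of the Seafile manual or code base: it reads the three file contents and reports each condition from this page that is not met. The function names, the sample strings and the [General] section name for ccnet.conf are assumptions.

```python
import ast
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed samples; "[General]" is an assumed section name, SEAFILE has no host line.
CCNET = "[General]\nSERVICE_URL = http://seafile.example.com\n"
SEAHUB = "FILE_SERVER_ROOT = 'http://seafile.example.com/seafhttp'\n"
SEAFILE = "[fileserver]\nport = 8082\n"

def _ini(text):
    # "#" as inline prefix strips a trailing "## default ..." comment from the value.
    parser = configparser.ConfigParser(inline_comment_prefixes=("#",))
    parser.read_string(text)
    return parser

def _py_setting(source, name):
    # Read a literal assignment from settings text without executing the file.
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and getattr(node.targets[0], "id", None) == name:
            return ast.literal_eval(node.value)
    return None

def _url_ok(url, server_name):
    return url.scheme in ("http", "https") and url.hostname == server_name.lower()

def audit(ccnet_conf, seahub_settings, seafile_conf, server_name):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    service = urlsplit(_ini(ccnet_conf).get("General", "SERVICE_URL", fallback=""))
    if not _url_ok(service, server_name):
        findings.append("SERVICE_URL must be http(s)://" + server_name)
    root = urlsplit(_py_setting(seahub_settings, "FILE_SERVER_ROOT") or "")
    if not _url_ok(root, server_name):
        findings.append("FILE_SERVER_ROOT must point at " + server_name)
    elif root.path.rstrip("/") != "/seafhttp":
        findings.append("FILE_SERVER_ROOT lost its trailing /seafhttp")
    # With no host line the file server uses 0.0.0.0, the default the page names.
    host = _ini(seafile_conf).get("fileserver", "host", fallback="0.0.0.0")
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = False  # not an IP literal; treat as not proven loopback
    if not loopback:
        findings.append("fileserver host " + host + " is reachable without Nginx")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CCNET, SEAHUB, SEAFILE, "seafile.example.com")))
```

On a server, pass the contents of the three files under /opt/seafile/conf and the server_name from the Nginx configuration.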
Starting Seafile and Seahub
Restart the seaf-server and Seahub for the config changes to take effect:
su seafile
cd /opt/seafile/seafile-server-latest
./seafile.sh restart
./seahub.sh restart # or "./seahub.sh start-fastcgi" if you're using fastcgi