Self-hosted Secure Storage

Self-hosted Secure Storage

Researching alternatives

Self-hosted Dropbox

Others:

Resources:

Installing Seafile

First, as there will probably be a lot of files, increase file limit with ulimit -n 50000 (check with ulimit -a | grep open, default is 1024).

By default Seafile is using SQLite3, and they state that with less than 100 users, there is no reason to use MySQL. Also note that we’ll install everything under new user safecloud.

sudo apt-get install -y python2.7 python-setuptools python-simplejson python-imaging python-flup sqlite3
sudo adduser --disabled-login --gecos "Seafile Cloud" safecloud

sudo su - safecloud

Download Seafile for server:

mkdir -p seafile/installed cloudstorage

cd seafile;
wget -c https://bintray.com/artifact/download/seafile-org/seafile/seafile-server_5.1.3_x86-64.tar.gz
tar -xzf seafile-server_*_x86-64.tar.gz
mv seafile-server_*_x86-64.tar.gz installed/

Start install:

cd seafile-server-*/
./setup-seafile.sh

I’ve decided to use standard these values:

Data folder: ~/cloudstorage

Server name: safecloud
Server domain: safe.etaktiker.com

Seafile fileserver: 8082
Seahub: 8000

Seahub is the web interface for seafile server.

cd ~/seafile/seafile-server-latest

./seafile.sh start
./seahub.sh start

When you start seahub for the first time, it will ask you for first user.

http://safe.etaktiker.com:8000/

Configure nginx

/* HSTS header */
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

Now, century old problem of location block for nginx:

# Seafile Cloud Storage
#
proxy_set_header X-Forwarded-For $remote_addr;

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
server_tokens off;

location ^~ /cloud/ {
  rewrite ^/cloud(.*)$ $1 break;
  proxy_pass http://127.0.0.1:8082;
  client_max_body_size 0;
  proxy_connect_timeout 36000s;
  proxy_read_timeout 36000s;
  proxy_send_timeout 36000s;
}

location ^~ /media/ {
  root /home/safecloud/seafile/seafile-server-latest/seahub;
}

location ^~ /lib/ { try_files /dummy_nonexistant_file @seahub; }
location ^~ /thumbnail/ { try_files /dummy_nonexistant_file @seahub; }
location ^~ /repo/ { try_files /dummy_nonexistant_file @seahub; }

location ~ / {
  try_files /dummy_nonexistant_file @seahub;
}

# Seahub Web interface
#
location @seahub {
  fastcgi_pass    127.0.0.1:8000;
  fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
  fastcgi_param   PATH_INFO           $fastcgi_script_name;

  fastcgi_param   SERVER_PROTOCOL     $server_protocol;
  fastcgi_param   QUERY_STRING        $query_string;
  fastcgi_param   REQUEST_METHOD      $request_method;
  fastcgi_param   CONTENT_TYPE        $content_type;
  fastcgi_param   CONTENT_LENGTH      $content_length;
  fastcgi_param   SERVER_ADDR         $server_addr;
  fastcgi_param   SERVER_PORT         $server_port;
  fastcgi_param   SERVER_NAME         $server_name;
  fastcgi_param   HTTPS               on;
  fastcgi_param   HTTP_SCHEME         https;

  access_log      /var/log/nginx/seahub.access.log;
  error_log       /var/log/nginx/seahub.error.log;
}

You need to inform Seafile about domain, so modify this line in /home/safecloud/seafile/conf/ccnet.conf:

SERVICE_URL = https://safe.etaktiker.com

Add this line to /home/safecloud/seafile/conf/seahub_settings.py:

FILE_SERVER_ROOT = 'https://safe.etaktiker.com/cloud'

./seafile.sh start ./seahub.sh start-fastcgi

Issuing DB synchronization that fills in DBs with needed tables and superuser creation - the first user for your Seafile cloud.

cd ~/seafile/seafile-server-latest/seahub

export CCNET_CONF_DIR=/home/safecloud/seafile/ccnet
export SEAFILE_CONF_DIR=/home/safecloud/cloudstorage

INSTALLPATH=/home/safecloud/seafile/seafile-server-latest
export PYTHONPATH=${INSTALLPATH}/seafile/lib/python2.6/site-packages:${INSTALLPATH}/seafile/lib64/python2.6/site-packages:${INSTALLPATH}/seahub/thirdpart:$PYTHONPATH
python manage.py syncdb

python manage.py createsuperuser

cd /home/safecloud/seafile/seafile-server-latest
./seahub.sh start-fastcgi

There is no need to change any firewall settings on server, as we are proxying through web server. If we didn’t, we would open 2 ports, 8000 and 8082.

Prerequisites

Before continuing, we must install fastcgi module.

apt-get -y install libapache2-mod-fastcgi

We also must enable that and couple more apache modules, for various purposes. Modules are enabled in Tools & Settings > Apache Web Server Settings.

We need obviously fastcgi module and mod_proxy - options are proxy and fastcgi. Note that we also must activate proxy_http besides proxy or you will get error like: proxy: No protocol handler was valid for the URL.

And at the end, we also need headers module, not directly because of main task, but we want to set HSTS headers.

Now, let’s first create also one important thing:

echo "FastCGIExternalServer /var/www/vhosts/etaktiker.com/web/seahub.fcgi -host 127.0.0.1:8000" >> /etc/apache2/apache2.conf
service apache2 restart

Finaly, in Plesk, write in non-SSL directives area:

# force HTTPS, but allow Let's Encrypt to renew
#
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/.well-known/
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,QSA]

And the important one - in HTTPS part:

# Set HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Alias /media /home/safecloud/seafile/seafile-server-latest/seahub/media
RewriteEngine On

# seafile httpserver
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]

# seahub
RewriteRule ^/(media.*)$ /$1 [QSA,L,PT]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /seahub.fcgi/$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# RewriteRule ^/(seafile.*)$ /seahub.fcgi/$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Start at boot

Everything as in manual.

cat <<'EOF' > /etc/init.d/seafile-server
#!/bin/bash

# Change the value of "user" to your linux user name
user=safecloud

# Change the value of "seafile_dir" to your path of seafile installation
# usually the home directory of $user
seafile_dir=/home/safecloud/seafile

script_path=${seafile_dir}/seafile-server-latest
seafile_init_log=${seafile_dir}/logs/seafile.init.log
seahub_init_log=${seafile_dir}/logs/seahub.init.log

# Change the value of fastcgi to falst if fastcgi is not used
fastcgi=true
# Set the port of fastcgi, default is 8000. Change it if you need different.
fastcgi_port=8000
#
# Write a polite log message with date and time
#
echo -e "\n \n About to perform $1 for seafile at `date -Iseconds` \n " >> ${seafile_init_log}
echo -e "\n \n About to perform $1 for seahub at `date -Iseconds` \n " >> ${seahub_init_log}
case "$1" in
        start)
                sudo -u ${user} ${script_path}/seafile.sh ${1} >> ${seafile_init_log}
                if [ $fastcgi = true ];
                then
                        sudo -u ${user} ${script_path}/seahub.sh ${1}-fastcgi ${fastcgi_port} >> ${seahub_init_log}
                else
                        sudo -u ${user} ${script_path}/seahub.sh ${1} >> ${seahub_init_log}
                fi
        ;;
        restart)
                sudo -u ${user} ${script_path}/seafile.sh ${1} >> ${seafile_init_log}
                if [ $fastcgi = true ];
                then
                        sudo -u ${user} ${script_path}/seahub.sh ${1}-fastcgi ${fastcgi_port} >> ${seahub_init_log}
                else
                        sudo -u ${user} ${script_path}/seahub.sh ${1} >> ${seahub_init_log}
                fi
        ;;
        stop)
                sudo -u ${user} ${script_path}/seahub.sh ${1} >> ${seahub_init_log}
                sudo -u ${user} ${script_path}/seafile.sh ${1} >> ${seafile_init_log}
        ;;
        *)
                echo "Usage: /etc/init.d/seafile-server {start|stop|restart}"
                exit 1
        ;;
esac
EOF

# Make it executable
#
chmod +x /etc/init.d/seafile-server


cat <<'EOF' > /etc/init/seafile-server.conf

start on (runlevel [2345])
stop on (runlevel [016])

pre-start script
/etc/init.d/seafile-server start
end script

post-stop script
/etc/init.d/seafile-server stop
end script

EOF


Now, you can control it with:

service seafile-server restart

Usage & debugging

Checking problems on client

Right click on system tray and select Open logs folder.

Bug on client: This is how I found out that there is a bug in client which in reality forbids to change /seafhttp value from default as it is by error hardcoded in client.

The library is stuck at indexing files, and in debug files is message: Bad response code for GET http:/xxx:8000/seafhttp/protocol-version: 404., as stated here

Encrypted Library

File encryption/decryption is performed in the client-side when using the desktop client for file syncing. The password is not stored in the server and nobody, not even system administrator, can’t view the file contents on server without that password.

SSH/FTP: etaktiker_com / aLcrowGtvnelgiubLq5m Seafile Admin: v@etk.rs / AjfswnkmP5cWeokhhxnh Encrypted library password, if ever needed: wpgbrwiypfdy

https://safe.etaktiker.com/ (Let’s Encrypt SSL Certificate)

Upgrade to Pro edition with 3 free users

Migrate from Seafile Community Server · Seafile Server Manual

You don’t really need a license file to start the Seafile Professional server for up to 3 users.

sudo apt-get install python-urllib3 poppler-utils default-jre

# Download URL, after registering:
# https://download.seafile.de/server/professional/linux/

sudo su - safecloud

# Stop community version
cd ~safecloud/seafile
cd seafile-server-latest
./seafile.sh stop
./seahub.sh stop

# Download
cd ~safecloud/seafile/
wget --user=cvladan@gmail.com --password=MQ3xrOHTBeiFJh7LS https://download.seafile.de/server/professional/linux/seafile-pro-server_5.1.8_x86-64.tar.gz
tar -xzf seafile-pro-server_*_x86-64.tar.gz
mv seafile-pro-server_*_x86-64.tar.gz installed/

# Upgrade
cd ~safecloud/seafile/
cd seafile-pro-server-*/
./pro/pro.py setup --migrate

# Start pro version
cd ~safecloud/seafile/seafile-pro-server-*/
./seafile.sh start
./seahub.sh start

cd ~safecloud/seafile/seafile-server-latest; ./seafile.sh start; ./seahub.sh start;

Details about File Search · Seafile Server Manual

  • The search module uses an Elasticsearch server bundled with the Seafile Professional Server.
  • The search index is updated every 10 minutes by default.
  • Also note that encrypted files cannot be indexed or searched.

Enabling Https with Nginx · Seafile Server Manual

date 01. Jan 0001 | modified 17. Jan 2023
filename: Seafile as Secure Storage