Self-hosted Secure Storage

Self-hosted Secure Storage

Researching alternatives

Self-hosted Dropbox



Installing Seafile

First, as there will probably be a lot of files, increase file limit with ulimit -n 50000 (check with ulimit -a | grep open, default is 1024).

By default Seafile is using SQLite3, and they state that with less than 100 users, there is no reason to use MySQL. Also note that we’ll install everything under new user safecloud.

sudo apt-get install -y python2.7 python-setuptools python-simplejson python-imaging python-flup sqlite3
sudo adduser --disabled-login --gecos "Seafile Cloud" safecloud

sudo su - safecloud

Download Seafile for server:

mkdir -p seafile/installed cloudstorage

cd seafile;
wget -c
tar -xzf seafile-server_*_x86-64.tar.gz
mv seafile-server_*_x86-64.tar.gz installed/

Start install:

cd seafile-server-*/

I’ve decided to use standard these values:

Data folder: ~/cloudstorage

Server name: safecloud
Server domain:

Seafile fileserver: 8082
Seahub: 8000

Seahub is the web interface for seafile server.

cd ~/seafile/seafile-server-latest

./ start
./ start

When you start seahub for the first time, it will ask you for first user.

Configure nginx

/* HSTS header */
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

Now, century old problem of location block for nginx:

# Seafile Cloud Storage
proxy_set_header X-Forwarded-For $remote_addr;

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
server_tokens off;

location ^~ /cloud/ {
  rewrite ^/cloud(.*)$ $1 break;
  client_max_body_size 0;
  proxy_connect_timeout 36000s;
  proxy_read_timeout 36000s;
  proxy_send_timeout 36000s;

location ^~ /media/ {
  root /home/safecloud/seafile/seafile-server-latest/seahub;

location ^~ /lib/ { try_files /dummy_nonexistant_file @seahub; }
location ^~ /thumbnail/ { try_files /dummy_nonexistant_file @seahub; }
location ^~ /repo/ { try_files /dummy_nonexistant_file @seahub; }

location ~ / {
  try_files /dummy_nonexistant_file @seahub;

# Seahub Web interface
location @seahub {
  fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
  fastcgi_param   PATH_INFO           $fastcgi_script_name;

  fastcgi_param   SERVER_PROTOCOL     $server_protocol;
  fastcgi_param   QUERY_STRING        $query_string;
  fastcgi_param   REQUEST_METHOD      $request_method;
  fastcgi_param   CONTENT_TYPE        $content_type;
  fastcgi_param   CONTENT_LENGTH      $content_length;
  fastcgi_param   SERVER_ADDR         $server_addr;
  fastcgi_param   SERVER_PORT         $server_port;
  fastcgi_param   SERVER_NAME         $server_name;
  fastcgi_param   HTTPS               on;
  fastcgi_param   HTTP_SCHEME         https;

  access_log      /var/log/nginx/seahub.access.log;
  error_log       /var/log/nginx/seahub.error.log;

You need to inform Seafile about domain, so modify this line in /home/safecloud/seafile/conf/ccnet.conf:


Add this line to /home/safecloud/seafile/conf/


./ start ./ start-fastcgi

Issuing DB synchronization that fills in DBs with needed tables and superuser creation - the first user for your Seafile cloud.

cd ~/seafile/seafile-server-latest/seahub

export CCNET_CONF_DIR=/home/safecloud/seafile/ccnet
export SEAFILE_CONF_DIR=/home/safecloud/cloudstorage

export PYTHONPATH=${INSTALLPATH}/seafile/lib/python2.6/site-packages:${INSTALLPATH}/seafile/lib64/python2.6/site-packages:${INSTALLPATH}/seahub/thirdpart:$PYTHONPATH
python syncdb

python createsuperuser

cd /home/safecloud/seafile/seafile-server-latest
./ start-fastcgi

There is no need to change any firewall settings on server, as we are proxying through web server. If we didn’t, we would open 2 ports, 8000 and 8082.


Before continuing, we must install fastcgi module.

apt-get -y install libapache2-mod-fastcgi

We also must enable that and couple more apache modules, for various purposes. Modules are enabled in Tools & Settings > Apache Web Server Settings.

We need obviously fastcgi module and mod_proxy - options are proxy and fastcgi. Note that we also must activate proxy_http besides proxy or you will get error like: proxy: No protocol handler was valid for the URL.

And at the end, we also need headers module, not directly because of main task, but we want to set HSTS headers.

Now, let’s first create also one important thing:

echo "FastCGIExternalServer /var/www/vhosts/ -host" >> /etc/apache2/apache2.conf
service apache2 restart

Finaly, in Plesk, write in non-SSL directives area:

# force HTTPS, but allow Let's Encrypt to renew
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/.well-known/
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,QSA]

And the important one - in HTTPS part:

# Set HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Alias /media /home/safecloud/seafile/seafile-server-latest/seahub/media
RewriteEngine On

# seafile httpserver
ProxyPass /seafhttp
ProxyPassReverse /seafhttp
RewriteRule ^/seafhttp - [QSA,L]

# seahub
RewriteRule ^/(media.*)$ /$1 [QSA,L,PT]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /seahub.fcgi/$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# RewriteRule ^/(seafile.*)$ /seahub.fcgi/$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Start at boot

Everything as in manual.

cat <<'EOF' > /etc/init.d/seafile-server

# Change the value of "user" to your linux user name

# Change the value of "seafile_dir" to your path of seafile installation
# usually the home directory of $user


# Change the value of fastcgi to falst if fastcgi is not used
# Set the port of fastcgi, default is 8000. Change it if you need different.
# Write a polite log message with date and time
echo -e "\n \n About to perform $1 for seafile at `date -Iseconds` \n " >> ${seafile_init_log}
echo -e "\n \n About to perform $1 for seahub at `date -Iseconds` \n " >> ${seahub_init_log}
case "$1" in
                sudo -u ${user} ${script_path}/ ${1} >> ${seafile_init_log}
                if [ $fastcgi = true ];
                        sudo -u ${user} ${script_path}/ ${1}-fastcgi ${fastcgi_port} >> ${seahub_init_log}
                        sudo -u ${user} ${script_path}/ ${1} >> ${seahub_init_log}
                sudo -u ${user} ${script_path}/ ${1} >> ${seafile_init_log}
                if [ $fastcgi = true ];
                        sudo -u ${user} ${script_path}/ ${1}-fastcgi ${fastcgi_port} >> ${seahub_init_log}
                        sudo -u ${user} ${script_path}/ ${1} >> ${seahub_init_log}
                sudo -u ${user} ${script_path}/ ${1} >> ${seahub_init_log}
                sudo -u ${user} ${script_path}/ ${1} >> ${seafile_init_log}
                echo "Usage: /etc/init.d/seafile-server {start|stop|restart}"
                exit 1

# Make it executable
chmod +x /etc/init.d/seafile-server

cat <<'EOF' > /etc/init/seafile-server.conf

start on (runlevel [2345])
stop on (runlevel [016])

pre-start script
/etc/init.d/seafile-server start
end script

post-stop script
/etc/init.d/seafile-server stop
end script


Now, you can control it with:

service seafile-server restart

Usage & debugging

Checking problems on client

Right click on system tray and select Open logs folder.

Bug on client: This is how I found out that there is a bug in client which in reality forbids to change /seafhttp value from default as it is by error hardcoded in client.

The library is stuck at indexing files, and in debug files is message: Bad response code for GET http:/xxx:8000/seafhttp/protocol-version: 404., as stated here

Encrypted Library

File encryption/decryption is performed in the client-side when using the desktop client for file syncing. The password is not stored in the server and nobody, not even system administrator, can’t view the file contents on server without that password.

SSH/FTP: etaktiker_com / aLcrowGtvnelgiubLq5m Seafile Admin: / AjfswnkmP5cWeokhhxnh Encrypted library password, if ever needed: wpgbrwiypfdy (Let’s Encrypt SSL Certificate)

Upgrade to Pro edition with 3 free users

Migrate from Seafile Community Server · Seafile Server Manual

You don’t really need a license file to start the Seafile Professional server for up to 3 users.

sudo apt-get install python-urllib3 poppler-utils default-jre

# Download URL, after registering:

sudo su - safecloud

# Stop community version
cd ~safecloud/seafile
cd seafile-server-latest
./ stop
./ stop

# Download
cd ~safecloud/seafile/
wget --password=MQ3xrOHTBeiFJh7LS
tar -xzf seafile-pro-server_*_x86-64.tar.gz
mv seafile-pro-server_*_x86-64.tar.gz installed/

# Upgrade
cd ~safecloud/seafile/
cd seafile-pro-server-*/
./pro/ setup --migrate

# Start pro version
cd ~safecloud/seafile/seafile-pro-server-*/
./ start
./ start

cd ~safecloud/seafile/seafile-server-latest; ./ start; ./ start;

Details about File Search · Seafile Server Manual

  • The search module uses an Elasticsearch server bundled with the Seafile Professional Server.
  • The search index is updated every 10 minutes by default.
  • Also note that encrypted files cannot be indexed or searched.

Enabling Https with Nginx · Seafile Server Manual

date 01. Jan 0001 | modified 28. May 2021
filename: Seafile as Secure Storage