Seafile Server Community Edition Installation
https://www.seafile.com/en/home/

Seafile is an open source cloud storage system with file encryption and group sharing.

Collections of files are called libraries, and each library can be synced
separately. A library can be encrypted with a user chosen password. This
password is not stored on the server, so even the server admin cannot view a
file’s contents.

Seafile allows users to create groups with file syncing, a wiki and discussions to
enable easy collaboration around documents within a team.

Seafile is also a good, fast alternative to ownCloud and Nextcloud. You can run it on low-cost devices such as the Raspberry Pi. We will use SQLite as the database instead of MariaDB or PostgreSQL.

Open a tmux session

$ tmux

Create a new account for seafile to isolate it from our main user account.

$ sudo useradd --create-home --home-dir /home/seafile --shell /bin/bash seafile

Login as seafile

$ sudo su seafile

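Download the latest server installer for Raspberry Pi from Seafile's GitHub releases page. The command below pins v6.2.5, so check the releases page for a newer version first; if a checksum or signature is published for the archive, verify it before extracting.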
https://github.com/haiwen/seafile-rpi/releases

wget -c https://github.com/haiwen/seafile-rpi/releases/download/v6.2.5/seafile-server_6.2.5_stable_pi.tar.gz

Extract the installation archive.

$ tar xvf seafile-server_6.2.5_stable_pi.tar.gz

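Install the dependencies if you have not already. Note that this Seafile release runs on Python 2.7, which no longer receives security updates, so keep the rest of the host patched.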

$ sudo apt install elinks nginx python2.7 libpython2.7 python-setuptools python-imaging python-ldap python-urllib3 ffmpeg python-pip sqlite3 python-requests fail2ban

Start the seafile installation and fill in the details

$ cd seafile*
$ ./setup-seafile.sh
domain: mydomain.mooo.com
port file server: 8082
name: Home Seafile
seafdata /home/seafile/seafile-data

Configurations

$ nano ~/conf/ccnet.conf
SERVICE_URL=https://mydomain.mooo.com
$ nano ~/conf/seahub_settings.py
FILE_SERVER_ROOT='https://mydomain.mooo.com/seafhttp'
#modify the following options
TIME_ZONE ='Asia/Manila'
MAX_NUMBER_OF_FILES_FOR_FILEUPLOAD = 2000
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
LOGIN_ATTEMPT_LIMIT = 3

Start Seafile manually; for a systemd unit, see the references.

$ ./seafile.sh start
$ ./seahub.sh start

Check if seafile is working

$ elinks http://127.0.0.1:8000

To stop seafile

$ ./seafile.sh stop
$ ./seahub.sh stop

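Set up Apache or NGINX as the HTTPS reverse proxy in front of Seafile. Seahub (port 8000) and the file server (port 8082) speak plain HTTP, so make sure those two ports are reachable only from the proxy: bind them to 127.0.0.1 or block them at the firewall.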
Apache:




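# Reverse-proxy virtual host for Seafile. Terminates TLS on port 443, forwards
# /seafhttp to the file server on 127.0.0.1:8082 and everything else to Seahub
# on 127.0.0.1:8000.
# The directives used here need mod_ssl, mod_headers, mod_rewrite, mod_proxy,
# mod_proxy_http and mod_setenvif to be enabled; the /media throttle needs
# mod_ratelimit.
<VirtualHost *:443>

ServerAdmin webmaster@mydomain.mooo.com
Servername mydomain.mooo.com
ServerAlias mydomain.mooo.com
ServerSignature   Off
# NOTE(review): with HostnameLookups On, Apache does a reverse-DNS lookup for
# each request and logs the resulting name. That adds latency, and the logged
# name is whatever the client's PTR record says. Apache's default is Off.
HostnameLookups   On

Alias /media /home/seafile/seafile-server-latest/seahub/media

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/mydomain.mooo.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.mooo.com/privkey.pem

# NOTE(review): the next line is cut off in the original (the trailing "$" is
# where the editor clipped it) and its quote is never closed, so Apache will not
# parse it as shown. Paste the complete policy from your own configuration.
# The visible part allows 'unsafe-inline' scripts and a plain-http script
# source, both of which weaken the policy.
Header set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ 'self' 'unsafe-inline'$

RewriteEngine On

# The RATE_LIMIT output filter and the rate-limit / rate-initial-burst variables
# belong to mod_ratelimit, so the guard tests for that module. The original
# tested mod_qos.c, which skips the throttle unless mod_qos happens to be loaded.
<IfModule mod_ratelimit.c>
<Location /media>
     Require all granted
     SetOutputFilter RATE_LIMIT
     SetEnv rate-limit 528
     SetEnv rate-initial-burst 784

</Location>

</IfModule>

#
# seafile fileserver
#
# "Require all granted" replaces the Apache 2.2 style "Order Deny,Allow", which
# only loads on 2.4 when mod_access_compat is enabled. The effect is the same
# (no address restriction) and it matches the /media section above.
<Location /seafhttp>
        Require all granted
</Location>
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
# stop rewrite processing for file-server requests
RewriteRule ^/seafhttp - [QSA,L]

#
# seahub
#
<Location />
        Require all granted
</Location>
# copy the Authorization request header into an environment variable
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/

</VirtualHost>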

NGINX:



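# NOTE(review): the pasted listing had lost its `server {` lines. Only the final
# closing brace survived, so the two server blocks below are reconstructed.
# limit_req_zone is only valid in the http context, so this file is assumed to
# be included from http{} (for example from sites-enabled/ or conf.d/); confirm
# against your layout.

# Per-client request-rate zone "sef": 10 MB of state keyed by client address,
# 20 requests per second. The limit_req lines in the location blocks use it.
limit_req_zone $binary_remote_addr zone=sef:10m rate=20r/s;

# Port 80 exists only to send clients to HTTPS. In the original paste this
# rewrite sat among the port-443 directives, where it would redirect every
# HTTPS request back to itself.
# NOTE(review): $http_host is the client-supplied Host header. Writing
# `return 301 https://mydomain.mooo.com$request_uri;` would pin the target.
server {
    listen 80;
    server_name mydomain.mooo.com;
    rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
}

server {
 #################################################
 # Stock useful config options, but ignore them :)
 #################################################
 include /etc/nginx/mime.types;


    # mozilla config https://mozilla.github.io/server-side-tls/ssl-config-generator/
    listen 443 ssl http2;
    # "ssl on;" removed: the ssl flag on the listen line already enables TLS, and
    # the standalone directive is deprecated and no longer accepted by recent
    # nginx releases.
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/mydomain.mooo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.mooo.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # (the file has to exist on the host before nginx will start)
    ssl_dhparam /etc/nginx/dhparam.pem;

    # TLS 1.0 and 1.1 are obsolete and were dropped from this list. Add TLSv1.3
    # as well if your nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    # NOTE(review): the cipher list was elided in the original ("#..."). Without
    # an ssl_ciphers line nginx uses its built-in default.
    #...
    ssl_prefer_server_ciphers on;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/mydomain.mooo.com/chain.pem;

    # Rewrites the Path attribute of upstream cookies so that "; secure" is
    # appended, i.e. browsers only send them back over HTTPS.
    proxy_cookie_path / "/; secure";
    add_header X-XSS-Protection "1; mode=block";
    # Anything other than GET/HEAD/POST/PUT gets 444 (nginx closes the
    # connection without sending a response).
    # NOTE(review): Seahub's web API also uses DELETE for some operations.
    # Confirm this allow-list does not break your clients.
    if ($request_method !~ ^(GET|HEAD|POST|PUT)$ )
    {
         return 444;
    }

    # NOTE(review): the next line is cut off in the original (it ends in "$"
    # where the editor clipped it) and its quote is never closed, so nginx will
    # not parse it as shown. Paste the complete policy from your own
    # configuration. The visible part lists a plain-http script source and
    # appears to allow inline scripts, both of which weaken the policy.
    add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ 'self' 'unsafe-inl$
    add_header X-Frame-Options "sameorigin";
    add_header Referrer-Policy "strict-origin";
   # END MOZ ENC


    # prevent attacks (someone uploading a .txt file that the browser
    # interprets as an HTML file, etc.)
    add_header X-Content-Type-Options nosniff;

    server_name mydomain.mooo.com;
    access_log /var/log/nginx/seafile.access.log combined;

#Serve an empty 1x1 gif for favicon.ico
  location = /favicon.ico {
    empty_gif;
  }

 #BEGIN SEAFILE
 #https://manual.seafile.com/deploy/deploy_with_nginx.html
 #https://manual.seafile.com/deploy/https_with_nginx.html

  # Server-level default: replace any client-supplied X-Forwarded-For with the
  # connecting address. Only locations that set no proxy_set_header of their
  # own inherit it.
  proxy_set_header X-Forwarded-For $remote_addr;

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; #HSTS HTTP TO HTTPS ONLY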

  # Seahub (web interface and API): everything not matched by a more specific
  # location is proxied to the local listener on port 8000.
  location / {
      # Tell the upstream which host, client address and scheme the request
      # arrived with.
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_set_header X-Forwarded-Proto https;

      proxy_pass http://127.0.0.1:8000;
      proxy_read_timeout 1200s;

      # Throttling: request rate is checked against zone "sef" (up to 15 queued
      # requests), and each response is capped at 135k bytes per second.
      limit_req zone=sef burst=15;
      limit_rate 135k;

      # used for view/edit office file via Office Online Server
      # (0 switches off nginx's request-body size check entirely)
      client_max_body_size 0;
  }

    # Seafile file server (uploads, downloads, sync): proxied to the local
    # listener on port 8082.
    location /seafhttp {
        # strip the /seafhttp prefix before the request is passed upstream
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;

        # 0 switches off nginx's request-body size check, so upload size is
        # not limited at the proxy
        client_max_body_size 0;

        # 36000 s = 10 hours, so long transfers are not cut off by the proxy
        proxy_connect_timeout 36000s;
        proxy_send_timeout 36000s;
        proxy_read_timeout 36000s;
        send_timeout 36000s;

        # same throttle as the other locations
        limit_req zone=sef burst=15;
        limit_rate 135k;
    }

    # Static assets: served by nginx straight from the Seahub directory
    # (a request for /media/x maps to .../seahub/media/x), not proxied.
    location /media {
        root /home/seafile/seafile-server-latest/seahub;

        # same throttle as the other locations
        limit_req zone=sef burst=15;
        limit_rate 135k;
    }


}

Fail2ban configuration to block brute-force login attempts.


$ sudo nano /etc/fail2ban/filter.d/seafile-auth.conf

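# Fail2Ban filter for seafile
#
# Matches "Login attempt limit reached" lines in the log file that the jail
# using this filter points at.

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# NOTE(review): _daemon is set but the failregex below does not reference it.
_daemon = seaf-server

# <HOST> is fail2ban's placeholder for the client address. Every failregex needs
# it so that fail2ban knows which address to ban. The placeholder was missing
# from the listing as published (the line ended after "ip: ").
failregex = Login attempt limit reached.*, ip: <HOST>

ignoreregex =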

Edit your default jail configuration. Values under [DEFAULT] apply to every jail on the host, not only the seafile one.
$ sudo nano /etc/fail2ban/jail.d/defaults-debian.conf
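[DEFAULT]
# Addresses fail2ban never bans.
# NOTE(review): this exempts the whole 192.168.1.0/24 network, so no device on
# it is ever banned. Narrow it to the hosts that really need it.
ignoreip = 192.168.1.0/24
# ban length in seconds (864000 s = 10 days)
bantime = 864000
# window in seconds within which maxretry matches trigger a ban
findtime = 300
# change this based on your config
# (kept on its own line: fail2ban only treats ";" after a space as an inline
# comment, so a trailing "#..." would become part of the banaction value)
banaction = ufw

# Jail for Seahub logins: applies the seafile-auth filter to seahub.log and bans
# on the https port after 3 matching lines.
[seafile]
enabled  = true
port     = https
filter   = seafile-auth
logpath  = /home/seafile/logs/seahub.log
maxretry = 3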

References:
https://manual.seafile.com/deploy/using_sqlite.html

Except where otherwise noted, this work is licensed under Creative Commons Attribution-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-sa/4.0/).
I hope that this post is useful to you, if you liked this post you may support me via liberapay. Thank you for your support.
