Seafile Server Community Edition Installation
https://www.seafile.com/en/home/
Seafile is an open source cloud storage system with file encryption and group sharing.
Collections of files are called libraries, and each library can be synced
separately. A library can be encrypted with a user chosen password. This
password is not stored on the server, so even the server admin cannot view a
file’s contents.
Seafile allows users to create groups with file syncing, a wiki and discussions to
enable easy collaboration around documents within a team.
Seafile is also a good, fast alternative to ownCloud and NextCloud. You can run it on low-cost devices such as the Pi. We will use SQLite as the database instead of MariaDB or PostgreSQL.
Open a tmux session
$ tmux
Create a new account for seafile to isolate it from our main user account.
$ sudo useradd --create-home --home-dir /home/seafile --shell /bin/bash seafile
Log in as seafile
$ sudo su seafile
Download the latest server installer for Raspberry Pi from Seafile's GitHub.
https://github.com/haiwen/seafile-rpi/releases
$ wget -c https://github.com/haiwen/seafile-rpi/releases/download/v6.2.5/seafile-server_6.2.5_stable_pi.tar.gz
Extract the installation archive.
$ tar xvf seafile-server_6.2.5_stable_pi.tar.gz
Install the dependencies if you have not already
$ sudo apt install elinks nginx python2.7 libpython2.7 python-setuptools python-imaging python-ldap python-urllib3 ffmpeg python-pip sqlite3 python-requests fail2ban
Start the seafile installation and fill in the details
$ cd seafile*
$ ./setup-seafile.sh
domain: mydomain.mooo.com
port file server: 8082
name: Home Seafile
seafdata /home/seafile/seafile-data
Configurations
$ nano ~/conf/ccnet.conf
SERVICE_URL=https://mydomain.mooo.com
$ nano ~/conf/seahub_settings.py
FILE_SERVER_ROOT='https://mydomain.mooo.com/seafhttp'
#modify the following options
TIME_ZONE ='Asia/Manila'
MAX_NUMBER_OF_FILES_FOR_FILEUPLOAD = 2000
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
LOGIN_ATTEMPT_LIMIT = 3
Start seafile manually. For a systemd script, go to the references.
$ ./seafile.sh start
$ ./seahub.sh start
Check if seafile is working
$ elinks http://127.0.0.1:8000
To stop seafile
$ ./seafile.sh stop
$ ./seahub.sh stop
Set up Apache or NGINX
Apache:
<VirtualHost *:443>
ServerAdmin webmaster@mydomain.mooo.com
Servername mydomain.mooo.com
ServerAlias mydomain.mooo.com
ServerSignature Off
HostnameLookups On
Alias /media /home/seafile/seafile-server-latest/seahub/media
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/mydomain.mooo.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.mooo.com/privkey.pem
Header set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ 'self' 'unsafe-inline'$
RewriteEngine On
<IfModule mod_qos.c>
<Location /media>
Require all granted
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 528
SetEnv rate-initial-burst 784
</Location>
</IfModule>
#
# seafile fileserver
#
<Location /seafhttp>
Order Deny,Allow
</Location>
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]
#
# seahub
#
<Location />
Order Deny,Allow
</Location>
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
NGINX:
limit_req_zone $binary_remote_addr zone=sef:10m rate=20r/s;
server {
#################################################
# Stock useful config options, but ignore them :)
#################################################
include /etc/nginx/mime.types;
# mozilla config https://mozilla.github.io/server-side-tls/ssl-config-generator/
listen 443 ssl http2;
ssl on;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/mydomain.mooo.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.mooo.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/dhparam.pem;
# intermediate configuration. tweak to your needs.
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them unless old clients need them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#...
ssl_prefer_server_ciphers on;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.mooo.com/chain.pem;
proxy_cookie_path / "/; secure";
add_header X-XSS-Protection "1; mode=block";
if ($request_method !~ ^(GET|HEAD|POST|PUT)$ )
{
return 444;
}
add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ 'self' 'unsafe-inl$
add_header X-Frame-Options "sameorigin";
add_header Referrer-Policy "strict-origin";
# END MOZ ENC
# prevent attacks (someone uploading a .txt file that the browser
# interprets as an HTML file, etc.)
add_header X-Content-Type-Options nosniff;
server_name mydomain.mooo.com;
access_log /var/log/nginx/seafile.access.log combined;
#Serve an empty 1x1 gif for favicon.ico
location = /favicon.ico {
empty_gif;
}
#BEGIN SEAFILE
#https://manual.seafile.com/deploy/deploy_with_nginx.html
#https://manual.seafile.com/deploy/https_with_nginx.html
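# force redirect http to https. This rewrite belongs in a separate server block
# with "listen 80;". Inside this 443 server it would redirect every request to itself.
# rewrite ^ https://$http_host$request_uri? permanent;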
proxy_set_header X-Forwarded-For $remote_addr;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; #HSTS HTTP TO HTTPS ONLY
location / {
limit_req zone=sef burst=15;
limit_rate 135k;
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 1200s;
# used for view/edit office file via Office Online Server
client_max_body_size 0;
}
location /seafhttp {
limit_req zone=sef burst=15;
limit_rate 135k;
rewrite ^/seafhttp(.*)$ $1 break;
proxy_pass http://127.0.0.1:8082;
client_max_body_size 0;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;
}
location /media {
limit_req zone=sef burst=15;
limit_rate 135k;
root /home/seafile/seafile-server-latest/seahub;
}
}
Fail2ban configuration to block brute forcers.
$ sudo nano /etc/fail2ban/filter.d/seafile-auth.conf
# Fail2Ban filter for seafile
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = seaf-server
failregex = Login attempt limit reached.*, ip: <HOST>
ignoreregex =
Edit your default jail configuration.
$ sudo nano /etc/fail2ban/jail.d/defaults-debian.conf
[DEFAULT]
ignoreip = 192.168.1.0/24
bantime = 864000
findtime = 300
# change this based on your config
banaction = ufw
[seafile]
enabled = true
port = https
filter = seafile-auth
logpath = /home/seafile/logs/seahub.log
maxretry = 3
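The filter and jail above can be dry-run before they are trusted: the following added example (not part of the original post, Seafile or fail2ban) replays constructed seahub.log lines through the same failregex, maxretry, findtime and ignoreip and reports which addresses would be banned. The log line layout and the IPv4-only stand-in for <HOST> are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Values from the filter and jail on this page.
FAILREGEX = r"Login attempt limit reached.*, ip: <HOST>"
MAXRETRY, FINDTIME = 3, timedelta(seconds=300)
IGNOREIP = [ip_network("192.168.1.0/24")]

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag, and a
# "[YYYY-MM-DD HH:MM:SS,mmm]" timestamp prefix on each log line.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE = re.compile(r"^\[(?P<ts>[\d: -]+),\d+\] .*" + FAILREGEX.replace("<HOST>", HOST))

# Constructed sample lines; a real seahub.log may be laid out differently.
SAMPLE_LOG = """\
[2018-03-01 10:00:01,120] [WARNING] Login attempt limit reached, username: u1, ip: 203.0.113.7, attempts: 3
[2018-03-01 10:00:02,001] [INFO] unrelated message
[2018-03-01 10:00:05,310] [WARNING] Login attempt limit reached, username: u2, ip: 198.51.100.9, attempts: 3
[2018-03-01 10:01:30,450] [WARNING] Login attempt limit reached, username: u1, ip: 203.0.113.7, attempts: 4
[2018-03-01 10:02:00,000] [WARNING] Login attempt limit reached, username: u3, ip: 192.168.1.20, attempts: 3
[2018-03-01 10:02:05,000] [WARNING] Login attempt limit reached, username: u3, ip: 192.168.1.20, attempts: 4
[2018-03-01 10:02:10,000] [WARNING] Login attempt limit reached, username: u3, ip: 192.168.1.20, attempts: 5
[2018-03-01 10:03:10,700] [WARNING] Login attempt limit reached, username: u1, ip: 203.0.113.7, attempts: 5
[2018-03-01 10:04:00,200] [WARNING] Login attempt limit reached, username: u2, ip: 198.51.100.9, attempts: 3
[2018-03-01 10:10:00,900] [WARNING] Login attempt limit reached, username: u2, ip: 198.51.100.9, attempts: 3
"""

def find_bans(log_text):
    """Return the IPs that reach MAXRETRY matches within one FINDTIME window."""
    hits, banned = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # line does not match the failregex
        ip = m.group("host")
        if any(ip_address(ip) in net for net in IGNOREIP):
            continue  # ignoreip: these clients are never banned
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        # Keep only earlier hits still inside the findtime window, then add this one.
        hits[ip] = [t for t in hits.get(ip, []) if ts - t <= FINDTIME] + [ts]
        if len(hits[ip]) >= MAXRETRY and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

On the server itself, fail2ban-regex /home/seafile/logs/seahub.log /etc/fail2ban/filter.d/seafile-auth.conf runs the real filter against the real log.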
References:
https://manual.seafile.com/deploy/using_sqlite.html
Except where otherwise noted, this work is licensed under Creative Commons Attribution-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-sa/4.0/).