Seafile client for a Cli server

Installation¶

You can follow this documentaion to install Seafile CLI client on various Linux distributions.
Basic Usage¶

Initialize & start the client

# choose a folder where to store the seafile client settings e.g ~/seafile-client
mkdir ~/seafile-client            # create the settings folder
seaf-cli init -d ~/seafile-client  # initialise seafile client with this folder
seaf-cli start

Download and sync a library from a server.

    retrieve the library id by browsing into a library on the server. The ID is part of the URL. The format looks like f4962ce9-ba07-47b8-a83a-73dd96c2ebfd .
    then

seaf-cli download -l "the id of the library" -s  "the url + port of server" -d "the folder where the library folder will be downloaded" -u "username on server" [-p "password"]
seaf-cli status  # check status of ongoing downloads
# Name  Status  Progress
# Apps    downloading     9984/10367, 9216.1KB/s

Note: if you don't supply the password parameter in the command, it will be asked later, which is more secure.

Example: seaf-cli download -l 0536c006-8a43-449e-8718-39f12111620d -s http://cloud.seafile.com -d /tmp -u freeplant@test.com

The above command will create a new folder with the same name as the library under the specified folder.

You can also sync a library with an existing folder on the local computer. The existing files in the local folder will be merged with the files in the library.

seaf-cli sync -l "the id of the library" -s  "the url + port of server" -d "the folder which the library will be synced with" -u "username on server" [-p "password"]

After running the download or sync command, the local folder will be automatically synced with the library.
Detailed documentation¶

seaf-cli is the command line interface for seafile client.

Subcommands:

    init                Initialize config directory
    start               Start ccnet and seafile daemon
    stop                Stop ccnet and seafile daemon
    list                List local libraries
    list-remote         List remote libraries
    status              Show syncing status
    download            Download and sync a library from seafile server
    download-by-name    Download and sync a library defined by name from seafile server
    sync                Sync a library with an existing folder
    desync              De-sync a library with seafile server
    create              Create a library
    config              Configure seafile client

Running seaf-cli -h will show the above help. For each subcommand, you can also use -h option to get help, e.g. seaf-cli download -h.

Seafile client stores all its configure information in a config dir. The default location is ~/.ccnet. All the commands below accept an option -c <config-dir>.
init¶

Initialize seafile client. This command initializes the config dir. It also creates sub-directories seafile-data and seafile under parent-dir. seafile-data is used to store internal data, while seafile is used as the default location put downloaded libraries.

seaf-cli init [-c <config-dir>] -d <parent-dir>

A file named seafile.ini will be created under ~/.ccnet to record the location of seafile-data directory.

If you want to run multiple instances of Seafile cli client in the same machine, you can specify different config-dir and parent-dir when initializing different client instances. Then the instances can run without interfering each others. When starting the instances, just specify ccnet config directories with the -c option.
start¶

Start seafile client. This command starts seaf-daemon , which is the file syncing engine for Seafile client.

seaf-cli start [-c <config-dir>]

stop¶

Stop seafile client.

seaf-cli stop [-c <config-dir>]

Download/Download-by-name¶

Download and sync a library from seafile server. It will create a new folder with the same name as the library under the parent folder. The local folder will be automatically synced with the library. The download-by-name command works similarly, but can save you from finding the library ID. It only works when the library name is unique on the server.

seaf-cli download -l <library-id> -s <seahub-server-url> -d <parent-directory> -u <username> [-p <password>]

sync¶

Synchronize a library with an existing folder. The existing files in the local folder will be merged with the files in the library.

seaf-cli sync -l <library-id> -s <seahub-server-url> -d <existing-folder> -u <username> [-p <password>]

desync¶

Desynchronize a library from seafile server. After running this command, the local folder will no longer be synced with the server.

seaf-cli desync -d <existing-folder>

create¶

Create a new library on server

seaf-cli create [-h] -n library-name -t description [-e library-password] -s server -u username -p password

list¶

List information about synced libraries. The information includes library name, library ID and local folder path for the library.

seaf-cli list [-c <config-dir>] [--json]

list-remote¶

List information about accessible libraries on the server. The information includes library names and ID.

seaf-cli list-remote -s <seahub-server-url> -u <username> [-p <password>] [-c <config-dir>] [--json]

status¶

List syncing status of libraries. This will return the name, syncing status and progress information about all local libraries.

seaf-cli status

The returned status and their meaning:
status 	meaning
synchronized 	Local folder is consistent with the remote library
committing 	Files in local folder are being indexed
initializing 	Getting sync information from server
downloading file list 	Downloading file list from server. Progress will be displayed.
downloading files 	Downloading files from server. Progress will be displayed.
uploading 	Uploading files to server. Progress will be displayed.
error 	Error message will be displayed in the progress column.
Skip SSL certificate verify¶

If you're using self-signed certificate on the server, you should ask the client to skip verifying certificate.

seaf-cli config -k disable_verify_certificate -v true

Set Transfer Speed Limit¶

Set upload speed limit to 1MB/s :

seaf-cli config -k upload_limit -v 1000000

Set download speed limit to 1MB/s :

seaf-cli config -k download_limit -v 1000000

Two factor authentication¶

seaf-cli supports 'Two Factor Authentication'.

If you want to use the feature, you should add the argument --tfa <token> to any seaf-cli commands. <token> is Google Authenticator's verification code.

For example:

seaf-cli download -l "4b11d9d4-e3b1-4394-be85-9d4a80f626fa" -s "https://demo.seafile.top" -d "testst" -u "abc@abc.com" -p "abc" --tfa 002755

Authenticate with Tokens¶

If your server uses SSO (Single Sign-On) for login, you cannot use password to login from CLI. To enable using CLI in such cases, we provide an option to authenticate with an API token since seafile client version 8.0.4. You should be able to get your API token from profile page in the web interface. (You should run 8.0.6 server .) Use "-T token" option instead of "-p password" to authenticate in the following commands:

seaf-cli create
seaf-cli download
seaf-cli sync
seaf-cli list-remote


#############


Using Seafile Drive Client on Linux¶

You can find supported OS versions on https://cloud.seatable.io/dtable/external-links/a85d4221e41344c19566/?tid=YzYy&vid=pO5i
Installing on Debian/Ubuntu¶

To install the client, first add the signing key:

sudo wget https://linux-clients.seafile.com/seafile.asc -O /usr/share/keyrings/seafile-keyring.asc

If apt-get reports following error: "The following signatures couldn't be verified because the public key is not available", please update the key for seafile repository.

Then add the repo to your apt source list, using the line corresponding to your Debian/Ubuntu version :

For Debian 9 / Debian 10 / Debian 11 / Ubuntu 18.04 / Ubuntu 20.04 / Ubuntu 22.04

echo "deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] https://linux-clients.seafile.com/seadrive-deb/$(lsb_release -cs)/ stable main" | sudo tee /etc/apt/sources.list.d/seadrive.list > /dev/null

Update your local apt cache :

sudo apt update

To install SeaDrive with GUI:

sudo apt-get install seadrive-gui

To install SeaDrive without GUI:

sudo apt-get install seadrive-daemon

Centos 7¶

Since 7.0.3 version, we provide official repo for CentOS or RHEL. Currently only CentOS/RHEL 7 is supported.

Add the repo (The same repo is used for seadrive.)

sudo cat > /etc/yum.repos.d/seadrive.repo <<EOF
[seadrive]
name=seadrive
baseurl=https://linux-clients.seafile.com/seadrive-rpm/centos7
gpgcheck=0
enabled=1
EOF

Install SeaDrive Client

sudo yum install -y epel-release
sudo yum install -y seadrive --enablerepo=cr

Fedora¶

Note: You can install directly from the official Fedora repository.

sudo dnf install -y seadrive-gui

Running SeaDrive with GUI¶

To use SeaDrive, just run "SeaDrive" from your desktop environment, or type "seadrive-gui" in command line. After logging into your server, the virtual drive will be mounted in ~/SeaDrive.
Running SeaDrive without GUI¶

In some use cases, it is useful to run SeaDrive in a server environment. To use SeaDrive without GUI, you can directly run seadrive-daemon (the background daemon) from command line.

First, you have to obtain an access token from your server.

curl -d "username=username@example.com" -d "password=123456" https://seafile.example.com/api2/auth-token/

Then you have to prepare a config file for SeaDrive. Let's assume that you save the config file as ~/seadrive.conf.

[account]
server = https://seafile.example.com
username = username@example.com
token = 3131a3a93156f80bc86aa9f12cf794e0364ed57b
is_pro = true

[general]
client_name = johns-ubuntu

[cache]
size_limit = 10GB
clean_cache_interval = 10

You can only specify one account in the config file. If you need to switch accounts, you'll have to stop SeaDrive, change config file and restart. Meaning of config options are as following:

    token: The access token you obtained above.
    is_pro: Set to true if your server is Pro edition.
    client_name: This name will be displayed in the device information on the server.
    size_limit: Size limit of local cache space.
    clean_cache_interval: Interval of cache cleaning. The unit is minute.

Then you can start seadrive:

seadrive -c ~/seadrive.conf -f -d data-directory [-l logfile] virtual-drive-dir

Note that you must give -f option in the command line, to make sure seadrive runs in foregound, instead of forking as a daemon. By default, the data directory used by the SeaDrive GUI client will be ~/.seadrive/data. It's recommended to use this path for data directory to be consistent with the GUI client. The log file path is ~/.seadrive/logs/seadrive.log.

Sometimes you'll see the following error:

fuse: bad mount point `/home/user/SeaDrive': Transport endpoint is not connected

You can run fusermount -u /home/user/SeaDrive to fix the problem.

#############

setup server

Installation of Seafile Server Community Edition with MySQL/MariaDB¶

This manual explains how to deploy and run Seafile Server Community Edition (Seafile CE) on a Linux server from a pre-built package using MySQL/MariaDB as database. The deployment has been tested for Debian/Ubuntu and CentOS, but Seafile should also work on other Linux distributions.

Tip: If you have little experience with Seafile Server, we recommend that you use an installation script for deploying Seafile.
Requirements¶

Seafile CE for x86 architecture requires a minimum of 2 cores and 2GB RAM.

There is a community-supported package for the installation on Raspberry Pi.
Setup¶
Installing and preparing the SQL database¶

Seafile supports MySQL and MariaDB. We recommend that you use the preferred SQL database management engine included in the package repositories of your distribution. This means:

    CentOS and Debian: MariaDB
    Ubuntu: MySQL

You can find step-by-step how-tos for installing MySQL and MariaDB in the tutorials on the Digital Ocean website.

Seafile uses the mysql_native_password plugin for authentication. The versions of MySQL and MariaDB installed on CentOS 8, Debian 10, and Ubuntu 20.04 use a different authentication plugin by default. It is therefore required to change to authentication plugin to mysql_native_password for the root user prior to the installation of Seafile. The above mentioned tutorials explain how to do it.
Installing prerequisites¶

For Seafile 8.0.x

# Debian 10
sudo apt-get update
sudo apt-get install python3 python3-setuptools python3-pip default-libmysqlclient-dev -y

sudo pip3 install --timeout=3600 Pillow==9.4.0 pylibmc captcha jinja2 sqlalchemy==1.4.3 \
    django-pylibmc django-simple-captcha python3-ldap mysqlclient

# Ubuntu 18.04
sudo apt-get update
sudo apt-get install python3 python3-setuptools python3-pip -y

sudo pip3 install --timeout=3600 Pillow==9.4.0 pylibmc captcha jinja2 sqlalchemy==1.4.3 \
    django-pylibmc django-simple-captcha python3-ldap

# Ubuntu 20.04
sudo apt-get update
sudo apt-get install python3 python3-setuptools python3-pip libmysqlclient-dev memcached libmemcached-dev -y

sudo pip3 install --timeout=3600 Pillow==9.4.0 pylibmc captcha jinja2 sqlalchemy==1.4.3 \
    django-pylibmc django-simple-captcha python3-ldap mysqlclient

# CentOS 8
sudo yum install python3 python3-setuptools python3-pip python3-devel mysql-devel gcc -y

sudo pip3 install --timeout=3600 Pillow==9.4.0 pylibmc captcha jinja2 sqlalchemy==1.4.3 \
    django-pylibmc django-simple-captcha python3-ldap mysqlclient

For Seafile 9.0.x

Note: CentOS 8 is no longer supported.

# Ubuntu 20.04 (almost the same for Ubuntu 18.04 and Debian 10)
sudo apt-get update
sudo apt-get install -y python3 python3-setuptools python3-pip libmysqlclient-dev
sudo apt-get install -y memcached libmemcached-dev

sudo pip3 install --timeout=3600 django==3.2.* Pillow==9.4.0 pylibmc captcha jinja2 sqlalchemy==1.4.3 \
    django-pylibmc django-simple-captcha python3-ldap mysqlclient pycryptodome==3.12.0 cffi==1.14.0 lxml

For Seafile 10.0.x

# Ubuntu 22.04 (almost the same for Ubuntu 20.04 and Debian 11, Debian 10)
sudo apt-get update
sudo apt-get install -y python3 python3-setuptools python3-pip libmysqlclient-dev
sudo apt-get install -y memcached libmemcached-dev

sudo pip3 install --timeout=3600 django==3.2.* future==0.18.* mysqlclient==2.1.* \
    pymysql pillow==10.2.* pylibmc captcha==0.5.* markupsafe==2.0.1 jinja2 sqlalchemy==1.4.3 \
    psd-tools django-pylibmc django_simple_captcha==0.5.20 djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.15.1 lxml

For Seafile 11.0.x

# Ubuntu 22.04 (almost the same for Ubuntu 20.04 and Debian 11, Debian 10)
sudo apt-get update
sudo apt-get install -y python3 python3-dev python3-setuptools python3-pip libmysqlclient-dev ldap-utils libldap2-dev
sudo apt-get install -y memcached libmemcached-dev

sudo pip3 install --timeout=3600 django==4.2.* future==0.18.* mysqlclient==2.1.* \
    pymysql pillow==10.2.* pylibmc captcha==0.5.* markupsafe==2.0.1 jinja2 sqlalchemy==2.0.18 \
    psd-tools django-pylibmc django_simple_captcha==0.6.* djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.15.1 lxml python-ldap==3.4.3

# Debian 12
sudo apt-get update
sudo apt-get install -y python3 python3-dev python3-setuptools python3-pip libmariadb-dev-compat libmariadb-dev ldap-utils libldap2-dev libsasl2-dev
sudo apt-get install -y memcached libmemcached-dev

sudo pip3 install --timeout=3600 django==4.2.* future==0.18.* mysqlclient==2.1.* \
    pymysql pillow==10.2.* pylibmc captcha==0.5.* markupsafe==2.0.1 jinja2 sqlalchemy==2.0.18 \
    psd-tools django-pylibmc django_simple_captcha==0.6.* djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.15.1 lxml python-ldap==3.4.3

Creating the program directory¶

The standard directory for Seafile's program files is /opt/seafile. Create this directory and change into it:

mkdir /opt/seafile
cd /opt/seafile

The program directory can be changed. The standard directory /opt/seafile is assumed for the rest of this manual. If you decide to put Seafile in another directory, modify the commands accordingly.
Creating user seafile¶

It is good practice not to run applications as root.

Create a new user and follow the instructions on the screen:

adduser seafile

Change ownership of the created directory to the new user:

chown -R seafile: /opt/seafile

All the following steps are done as user seafile.

Change to user seafile:

su seafile

Downloading the install package¶

Download the install package from the download page on Seafile's website using wget.

We use Seafile CE version 8.0.4 as an example in the rest of this manual.
Uncompressing the package¶

The install package is downloaded as a compressed tarball which needs to be uncompressed.

Uncompress the package using tar:

tar xf seafile-server_8.0.4_x86-64.tar.gz

Now you have:

$ tree -L 2
.
├── seafile-server-8.0.4
│   ├── check_init_admin.py
│   ├── reset-admin.sh
│   ├── runtime
│   ├── seaf-fsck.sh
│   ├── seaf-fuse.sh
│   ├── seaf-gc.sh
│   ├── seafile
│   ├── seafile.sh
│   ├── seahub
│   ├── seahub.sh
│   ├── setup-seafile-mysql.py
│   ├── setup-seafile-mysql.sh
│   ├── setup-seafile.sh
│   ├── sql
│   └── upgrade
└── seafile-server_8.0.4_x86-64.tar.gz

Setting up Seafile CE¶

The install package comes with a script that sets Seafile up for you. Specifically, the script creates the required directories and extracts all files in the right place. It can also create a MySQL user and the three databases that Seafile's components require :

    ccnet server
    seafile server
    seahub

Note: While ccnet server was merged into the seafile-server in Seafile 8.0, the corresponding database is still required for the time being.

Run the script as user seafile:

cd seafile-server-8.0.4
./setup-seafile-mysql.sh

Configure your Seafile Server by specifying the following three parameters:
Option 	Description 	Note
server name 	Name of the Seafile Server 	3-15 characters, only English letters, digits and underscore ('_') are allowed
server's ip or domain 	IP address or domain name used by the Seafile Server 	Seafile client program will access the server using this address
fileserver port 	TCP port used by the Seafile fileserver 	Default port is 8082, it is recommended to use this port and to only change it if is used by other service

In the next step, choose whether to create new databases for Seafile or to use existing databases. The creation of new databases requires the root password for the SQL server.

grafik

When choosing "[1] Create new ccnet/seafile/seahub databases", the script creates these databases and a MySQL user that Seafile Server will use to access them. To this effect, you need to answer these questions:
Question 	Description 	Note
mysql server host 	Host address of the MySQL server 	Default is localhost
mysql server port 	TCP port used by the MySQL server 	Default port is 3306; almost every MySQL server uses this port
mysql root password 	Password of the MySQL root account 	The root password is required to create new databases and a MySQL user
mysql user for Seafile 	MySQL user created by the script, used by Seafile's components to access the databases 	Default is seafile; the user is created unless it exists
mysql password for Seafile user 	Password for the user above, written in Seafile's config files 	Percent sign ('%') is not allowed
database name 	Name of the database used by ccnet 	Default is "ccnet_db", the database is created if it does not exist
seafile database name 	Name of the database used by Seafile 	Default is "seafile_db", the database is created if it does not exist
seahub database name 	Name of the database used by seahub 	Default is "seahub_db", the database is created if it does not exist

When choosing "[2] Use existing ccnet/seafile/seahub databases", this are the prompts you need to answer:
Question 	Description 	Note
mysql server host 	Host address of the MySQL server 	Default is localhost
mysql server port 	TCP port used by MySQL server 	Default port is 3306; almost every MySQL server uses this port
mysql user for Seafile 	User used by Seafile's components to access the databases 	The user must exists
mysql password for Seafile user 	Password for the user above 	
ccnet database name 	Name of the database used by ccnet, default is "ccnet_db" 	The database must exist
seafile database name 	Name of the database used by Seafile, default is "seafile_db" 	The database must exist
seahub dabase name 	Name of the database used by Seahub, default is "seahub_db" 	The database must exist

If the setup is successful, you see the following output:

grafik

The directory layout then looks as follows:

$ tree /opt/seafile -L 2
seafile
├── ccnet
├── conf
│   └── ccnet.conf
│   └── gunicorn.conf.py
│   └── seafdav.conf
│   └── seafile.conf
│   └── seahub_settings.py
├── seafile-data
│   └── library-template
├── seafile-server-8.0.4
│   └── check_init_admin.py
│   ├── reset-admin.sh
│   ├── runtime
│   └── seaf-fsck.sh
│   └── seaf-gc.sh
│   ├── seafile
│   ├── seafile.sh
│   ├── seahub
│   ├── seahub.sh
│   └── setup-seafile-mysql.py
│   ├── setup-seafile-mysql.sh
│   └── sql
│   └── upgrade
├── seafile-server-latest -> seafile-server-8.0.6
├── seahub-data
│   └── avatars

The folder seafile-server-latest is a symbolic link to the current Seafile Server folder. When later you upgrade to a new version, the upgrade scripts update this link to point to the latest Seafile Server folder.

Note: If you don't have the root password, you need someone who has the privileges, e.g., the database admin, to create the three databases required by Seafile, as well as a MySQL user who can access the databases. For example, to create three databases ccnet_db / seafile_db / seahub_db for ccnet/seafile/seahub respectively, and a MySQL user "seafile" to access these databases run the following SQL queries:

create database `ccnet_db` character set = 'utf8';
create database `seafile_db` character set = 'utf8';
create database `seahub_db` character set = 'utf8';

create user 'seafile'@'localhost' identified by 'seafile';

GRANT ALL PRIVILEGES ON `ccnet_db`.* to `seafile`@localhost;
GRANT ALL PRIVILEGES ON `seafile_db`.* to `seafile`@localhost;
GRANT ALL PRIVILEGES ON `seahub_db`.* to `seafile`@localhost;

Setup Memory Cache¶

Seahub caches items(avatars, profiles, etc) on file system by default(/tmp/seahub_cache/). You can replace with Memcached or Redis.
Use Memcached¶

Use the following commands to install memcached and corresponding libraies on your system:

# on Debian/Ubuntu 18.04+
apt-get install memcached libmemcached-dev -y
pip3 install --timeout=3600 pylibmc django-pylibmc

systemctl enable --now memcached

Add the following configuration to seahub_settings.py.

CACHES = {
    'default': {
        'BACKEND': 'django_pylibmc.memcached.PyLibMCCache',
        'LOCATION': '127.0.0.1:11211',
    },
}

Use Redis¶

Redis is supported since version 11.0.

First, install Redis with package installers in your OS.

Then refer to Django's documentation about using Redis cache to add Redis configurations to seahub_settings.py.
Tweaking conf files¶

Seafile's config files as created by the setup script are prepared for Seafile running behind a reverse proxy.

To access Seafile's web interface and to create working sharing links without a reverse proxy, you need to modify two configuration files in /opt/seafile/conf:

    seahub_settings.py (if you use 9.0.x): Add port 8000 to the SERVICE_URL (i.e., SERVICE_URL = 'http://1.2.3.4:8000/').
    ccnet.conf (if you use 8.0.x or 7.1.x): Add port 8000 to the SERVICE_URL (i.e., SERVICE_URL = http://1.2.3.4:8000/).
    gunicorn.conf.py: Change the bind to "0.0.0.0:8000" (i.e., bind = "0.0.0.0:8000")

Starting Seafile Server¶

Run the following commands in /opt/seafile-server-latest:

./seafile.sh start # starts seaf-server
./seahub.sh start  # starts seahub

The first time you start Seahub, the script prompts you to create an admin account for your Seafile Server. Enter the email address of the admin user followed by the password.

Now you can access Seafile via the web interface at the host address and port 8000 (e.g., http://1.2.3.4:8000)

Note: On CentOS, the firewall blocks traffic on port 8000 by default.
Troubleshooting¶

If seafile.sh and/or seahub.sh fail to run successfully, use pgrep to check if seafile/seahub processes are still running:

pgrep -f seafile-controller # checks seafile processes
pgrep -f "seahub" # checks seahub process

Use pkill to kill the processes:

pkill -f seafile-controller
pkill -f "seahub"

Stopping and Restarting Seafile and Seahub¶
Stopping¶

./seahub.sh stop    # stops seahub
./seafile.sh stop   # stops seaf-server

Restarting¶

./seafile.sh restart
./seahub.sh restart

Enabling HTTPS¶

It is strongly recommended to switch from unencrypted HTTP (via port 8000) to encrypted HTTPS (via port 443).

This manual provides instructions for enabling HTTPS for the two most popular web servers and reverse proxies:

######
NGINX
###

Enabling HTTPS with Nginx¶

After completing the installation of Seafile Server Community Edition and Seafile Server Professional Edition, communication between the Seafile server and clients runs over (unencrypted) HTTP. While HTTP is ok for testing purposes, switching to HTTPS is imperative for production use.

HTTPS requires a SSL certificate from a Certificate Authority (CA). Unless you already have a SSL certificate, we recommend that you get your SSL certificate from Let’s Encrypt using Certbot. If you have a SSL certificate from another CA, skip the section "Getting a Let's Encrypt certificate".

A second requirement is a reverse proxy supporting SSL. Nginx, a popular and resource-friendly web server and reverse proxy, is a good option. Nginx's documentation is available at http://nginx.org/en/docs/.

If you prefer Apache, you find instructions for enabling HTTPS with Apache here.
Setup¶

The setup of Seafile using Nginx as a reverse proxy with HTTPS is demonstrated using the sample host name seafile.example.com.

This manual assumes the following requirements:

    Seafile Server Community Edition/Professional Edition was set up according to the instructions in this manual
    A host name points at the IP address of the server and the server is available on port 80 and 443

If your setup differs from thes requirements, adjust the following instructions accordingly.

The setup proceeds in two steps: First, Nginx is installed. Second, a SSL certificate is integrated in the Nginx configuration.
Installing Nginx¶

Install Nginx using the package repositories:

# CentOS
$ sudo yum install nginx -y

# Debian/Ubuntu
$ sudo apt install nginx -y

After the installation, start the server and enable it so that Nginx starts at system boot:

# CentOS/Debian/Ubuntu
$ sudo systemctl start nginx
$ sudo systemctl enable nginx

Preparing Nginx¶

The configuration of a proxy server in Nginx differs slightly between CentOS and Debian/Ubuntu. Additionally, the restrictive default settings of SELinux's configuration on CentOS require a modification.
Preparing Nginx on CentOS¶

Switch SELinux into permissive mode and perpetuate the setting:

$ sudo setenforce permissive
$ sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config

Create a configuration file for seafile in /etc/nginx/conf.d:

$ touch /etc/nginx/conf.d/seafile.conf

Preparing Nginx on Debian/Ubuntu¶

Create a configuration file for seafile in /etc/nginx/sites-available/:

$ touch /etc/nginx/sites-available/seafile.conf

Delete the default files in /etc/nginx/sites-enabled/ and /etc/nginx/sites-available:

$ rm /etc/nginx/sites-enabled/default
$ rm /etc/nginx/sites-available/default

Create a symbolic link:

$ ln -s /etc/nginx/sites-available/seafile.conf /etc/nginx/sites-enabled/seafile.conf

Configuring Nginx¶

Copy the following sample Nginx config file into the just created seafile.conf and modify the content to fit your needs:

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {
    listen 80;
    server_name seafile.example.com;

    proxy_set_header X-Forwarded-For $remote_addr;

    location / {
         proxy_pass         http://127.0.0.1:8000;
         proxy_set_header   Host $http_host;
         proxy_set_header   X-Real-IP $remote_addr;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Host $server_name;
         proxy_read_timeout  1200s;

         # used for view/edit office file via Office Online Server
         client_max_body_size 0;

         access_log      /var/log/nginx/seahub.access.log seafileformat;
         error_log       /var/log/nginx/seahub.error.log;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;

        send_timeout  36000s;

        access_log      /var/log/nginx/seafhttp.access.log seafileformat;
        error_log       /var/log/nginx/seafhttp.error.log;
    }
    location /media {
        root /opt/seafile/seafile-server-latest/seahub;
    }
}

The following options must be modified in the CONF file:

    Server name (server_name)

Optional customizable options in the seafile.conf are:

    Server listening port (listen) - if Seafile server should be available on a non-standard port
    Proxy pass for location / - if Seahub is configured to start on a different port than 8000
    Proxy pass for location /seafhttp - if seaf-server is configured to start on a different port than 8082
    Maximum allowed size of the client request body (client_max_body_size)

The default value for client_max_body_size is 1M. Uploading larger files will result in an error message HTTP error code 413 ("Request Entity Too Large"). It is recommended to syncronize the value of client_max_body_size with the parameter max_upload_size in section [fileserver] of seafile.conf. Optionally, the value can also be set to 0 to disable this feature. Client uploads are only partly effected by this limit. With a limit of 100 MiB they can safely upload files of any size.

Finally, make sure your seafile.conf does not contain syntax errors and restart Nginx for the configuration changes to take effect:

$ nginx -t
$ nginx -s reload

Getting a Let's Encrypt certificate¶

Getting a Let's Encrypt certificate is straightforward thanks to Certbot. Certbot is a free, open source software tool for requesting, receiving, and renewing Let's Encrypt certificates.

First, go to the Certbot website and choose your webserver and OS. grafik

Second, follow the detailed instructions then shown.

grafik

We recommend that you get just a certificate and that you modify the Nginx configuration yourself:

$ sudo certbot certonly --nginx

Follow the instructions on the screen.

Upon successful verification, Certbot saves the certificate files in a directory named after the host name in /etc/letsencrypt/live. For the host name seafile.example.com, the files are stored in /etc/letsencrypt/live/seafile.example.com.
Modifying Nginx configuration file¶

Add an server block for port 443 and a http-to-https redirect to the seafile.conf configuration file in /etc/nginx.

This is a (shortened) sample configuration for the host name seafile.example.com:

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {
    listen       80;
    server_name  seafile.example.com;
    rewrite ^ https://$http_host$request_uri? permanent;    # Forced redirect from HTTP to HTTPS

    server_tokens off;      # Prevents the Nginx version from being displayed in the HTTP response header
}

server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/seafile.example.com/fullchain.pem;    # Path to your fullchain.pem
    ssl_certificate_key /etc/letsencrypt/live/seafile.example.com/privkey.pem;  # Path to your privkey.pem
    server_name seafile.example.com;
    server_tokens off;

    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_read_timeout 1200s;

        proxy_set_header   X-Forwarded-Proto https;

... # No changes beyond this point compared to the Nginx configuration without HTTPS

Finally, make sure your seafile.conf does not contain syntax errors and restart Nginx for the configuration changes to take effect:

nginx -t
nginx -s reload

Large file uploads¶

Tip for uploading very large files (> 4GB): By default Nginx will buffer large request body in temp file. After the body is completely received, Nginx will send the body to the upstream server (seaf-server in our case). But it seems when file size is very large, the buffering mechanism dosen't work well. It may stop proxying the body in the middle. So if you want to support file upload larger for 4GB, we suggest you install Nginx version >= 1.8.0 and add the following options to Nginx config file:

    location /seafhttp {
        ... ...
        proxy_request_buffering off;
    }

If you have WebDAV enabled it is recommended to add the same:

    location /seafdav {
        ... ...
        proxy_request_buffering off;
    }

Modifying seahub_settings.py¶

The SERVICE_URL in seahub_settings.py informs Seafile about the chosen domain, protocol and port. Change the SERVICE_URLso as to account for the switch from HTTP to HTTPS and to correspond to your host name (the http://must not be removed):

SERVICE_URL = 'https://seafile.example.com'

The FILE_SERVER_ROOT in seahub_settings.py informs Seafile about the location of and the protocol used by the file server. Change the FILE_SERVER_ROOTso as to account for the switch from HTTP to HTTPS and to correspond to your host name (the trailing /seafhttp must not be removed):

FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp'

Note: The SERVICE_URL and FILE_SERVER_ROOT can also be modified in Seahub via System Admininstration > Settings. If they are configured via System Admin and in seahub_settings.py, the value in System Admin will take precedence.
Modifying seafile.conf (optional)¶

To improve security, the file server should only be accessible via Nginx.

Add the following line in the [fileserver] block on seafile.conf in /opt/seafile/conf:

host = 127.0.0.1  ## default port 0.0.0.0

After his change, the file server only accepts requests from Nginx.
Starting Seafile and Seahub¶

Restart the seaf-server and Seahub for the config changes to take effect:

$ su seafile
$ cd /opt/seafile/seafile-server-latest
$ ./seafile.sh restart
$ ./seahub.sh restart # or "./seahub.sh start-fastcgi" if you're using fastcgi

Additional modern settings for Nginx (optional)¶
Activating IPv6¶

Require IPv6 on server otherwise the server will not start! Also the AAAA dns record is required for IPv6 usage.

listen 443;
listen [::]:443;

Activating HTTP2¶

Activate HTTP2 for more performance. Only available for SSL and nginx version>=1.9.5. Simply add http2.

listen 443 http2;
listen [::]:443 http2;

Advanced TLS configuration for Nginx (optional)¶

The TLS configuration in the sample Nginx configuration file above receives a B overall rating on SSL Labs. By modifying the TLS configuration in seafile.conf, this rating can be significantly improved.

The following sample Nginx configuration file for the host name seafile.example.com contains additional security-related directives . (Note that this sample file uses a generic path for the SSL certificate files.) Some of the directives require further steps as explained below.

    server {
        listen       80;
        server_name  seafile.example.com;
        rewrite ^ https://$http_host$request_uri? permanent;    # Forced redirect from HTTP to HTTPS
        server_tokens off;
    }
    server {
        listen 443 ssl;
        ssl_certificate /etc/ssl/cacert.pem;        # Path to your cacert.pem
        ssl_certificate_key /etc/ssl/privkey.pem;   # Path to your privkey.pem
        server_name seafile.example.com;
        server_tokens off;

        # HSTS for protection against man-in-the-middle-attacks
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

        # DH parameters for Diffie-Hellman key exchange
        ssl_dhparam /etc/nginx/dhparam.pem;

        # Supported protocols and ciphers for general purpose server with good security and compatability with most clients
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # Supported protocols and ciphers for server when clients > 5years (i.e., Windows Explorer) must be supported
        #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
        #ssl_prefer_server_ciphers on;

        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;

        location / {
            proxy_pass         http://127.0.0.1:8000;
            proxy_set_header   Host $http_host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
            proxy_set_header   X-Forwarded-Proto https;

            access_log      /var/log/nginx/seahub.access.log;
            error_log       /var/log/nginx/seahub.error.log;

            proxy_read_timeout  1200s;

            client_max_body_size 0;
        }

        location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout  36000s;
            proxy_read_timeout  36000s;
            proxy_send_timeout  36000s;
            send_timeout  36000s;
        }

        location /media {
            root /home/user/haiwen/seafile-server-latest/seahub;
        }
    }

Enabling HTTP Strict Transport Security¶

Enable HTTP Strict Transport Security (HSTS) to prevent man-in-the-middle-attacks by adding this directive:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

HSTS instructs web browsers to automatically use HTTPS. That means, after the first visit of the HTTPS version of Seahub, the browser will only use https to access the site.
Using Perfect Forward Secrecy¶

Enable Diffie-Hellman (DH) key-exchange. Generate DH parameters and write them in a .pem file using the following command:

$ openssl dhparam 2048 > /etc/nginx/dhparam.pem  # Generates DH parameter of length 2048 bits

The generation of the the DH parameters may take some time depending on the server's processing power.

Add the following directive in the HTTPS server block:

ssl_dhparam /etc/nginx/dhparam.pem;

Restricting TLS protocols and ciphers¶

Disallow the use of old TLS protocols and cipher. Mozilla provides a configuration generator for optimizing the conflicting objectives of security and compabitility. Visit https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx for more Information.


#######

APACHE
###
Enabling HTTPS with Apache¶

After completing the installation of Seafile Server Community Edition and Seafile Server Professional Edition, communication between the Seafile server and clients runs over (unencrypted) HTTP. While HTTP is ok for testing purposes, switching to HTTPS is imperative for production use.

HTTPS requires a SSL certificate from a Certificate Authority (CA). Unless you already have a SSL certificate, we recommend that you get your SSL certificate from Let’s Encrypt using Certbot. If you have a SSL certificate from another CA, skip the section "Getting a Let's Encrypt certificate".

A second requirement is a reverse proxy supporting SSL. Apache, a popular web server and reverse proxy, is a good option. The full documentation of Apache is available at https://httpd.apache.org/docs/.

The recommended reverse proxy is Nginx. You find instructions for enabling HTTPS with Nginx here.
Setup¶

The setup of Seafile using Apache as a reverse proxy with HTTPS is demonstrated using the sample host name seafile.example.com.

This manual assumes the following requirements:

    Seafile Server Community Edition/Professional Edition was set up according to the instructions in this manual
    A host name points at the IP address of the server and the server is available on port 80 and 443

If your setup differs from thes requirements, adjust the following instructions accordingly.

The setup proceeds in two steps: First, Apache is installed. Second, a SSL certificate is integrated in the Apache configuration.
Installing Apache¶

Install and enable apache modules:

# Ubuntu
$ sudo a2enmod rewrite
$ sudo a2enmod proxy_http

Important: Due to the security advisory published by Django team, we recommend to disable GZip compression to mitigate BREACH attack. No version earlier than Apache 2.4 should be used.
Configuring Apache¶

Modify Apache config file. For CentOS, this is vhost.conf. For Debian/Ubuntu, this is sites-enabled/000-default.

<VirtualHost *:80>
    ServerName seafile.example.com
    # Use "DocumentRoot /var/www/html" for CentOS
    # Use "DocumentRoot /var/www" for Debian/Ubuntu
    DocumentRoot /var/www
    Alias /media  /opt/seafile/seafile-server-latest/seahub/media

    AllowEncodedSlashes On

    RewriteEngine On

    <Location /media>
        Require all granted
    </Location>

    #
    # seafile fileserver
    #
    ProxyPass /seafhttp http://127.0.0.1:8082
    ProxyPassReverse /seafhttp http://127.0.0.1:8082
    RewriteRule ^/seafhttp - [QSA,L]

    #
    # seahub
    #
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

Getting a Let's Encrypt certificate¶

Getting a Let's Encrypt certificate is straightforward thanks to Certbot. Certbot is a free, open source software tool for requesting, receiving, and renewing Let's Encrypt certificates.

First, go to the Certbot website and choose your web server and OS.

grafik

Second, follow the detailed instructions then shown.

grafik

We recommend that you get just a certificate and that you modify the Apache configuration yourself:

sudo certbot --apache certonly

Follow the instructions on the screen.

Upon successful verification, Certbot saves the certificate files in a directory named after the host name in /etc/letsencrypt/live. For the host name seafile.example.com, the files are stored in /etc/letsencrypt/live/seafile.example.com.
Adjusting Apache configuration¶

To use HTTPS, you need to enable mod_ssl:

$ sudo a2enmod ssl

Then modify your Apache configuration file. Here is a sample:

<VirtualHost *:443>
  ServerName seafile.example.com
  DocumentRoot /var/www

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/seafile.example.com/fullchain.pem;    # Path to your fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/seafile.example.com/privkey.pem;  # Path to your privkey.pem

  Alias /media  /opt/seafile/seafile-server-latest/seahub/media

  <Location /media>
    Require all granted
  </Location>

  RewriteEngine On

  #
  # seafile fileserver
  #
  ProxyPass /seafhttp http://127.0.0.1:8082
  ProxyPassReverse /seafhttp http://127.0.0.1:8082
  RewriteRule ^/seafhttp - [QSA,L]

  #
  # seahub
  #
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:8000/
  ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

Finally, make sure the virtual host file does not contain syntax errors and restart Apache for the configuration changes to take effect:

sudo service apache2 restart

Modifying seahub_settings.py¶

The SERVICE_URL in seahub_settings.py informs Seafile about the chosen domain, protocol and port. Change the SERVICE_URLso as to account for the switch from HTTP to HTTPS and to correspond to your host name (the http://must not be removed):

SERVICE_URL = 'https://seafile.example.com'

The FILE_SERVER_ROOT in seahub_settings.py informs Seafile about the location of and the protocol used by the file server. Change the FILE_SERVER_ROOTso as to account for the switch from HTTP to HTTPS and to correspond to your host name (the trailing /seafhttp must not be removed):

FILE_SERVER_ROOT = 'https://seafile.example.com/seafhttp'

Note: The SERVICE_URL and FILE_SERVER_ROOT can also be modified in Seahub via System Admininstration > Settings. If they are configured via System Admin and in seahub_settings.py, the value in System Admin will take precedence.
Modifying seafile.conf (optional)¶

To improve security, the file server should only be accessible via Apache.

Add the following line in the [fileserver] block on seafile.conf in /opt/seafile/conf:

host = 127.0.0.1  ## default port 0.0.0.0

After his change, the file server only accepts requests from Apache.
Starting Seafile and Seahub¶

Restart the seaf-server and Seahub for the config changes to take effect:

$ su seafile
$ cd /opt/seafile/seafile-server-latest
$ ./seafile.sh restart
$ ./seahub.sh restart