How to install and configure private Seafile cloud storage server

I have been using Seafile since the beginning of this year and I absolutely love it, as it offers simple data organization using libraries and reliable file synchronization between multiple devices with built-in encryption. Check it out for yourself, as it is undoubtedly worth it.

Graphical user interface

Use the web interface as the main administration interface. The desktop client has a simple yet elegant design.

The Android client provides quick access to the stored files, but two-way synchronization is not implemented.

Initial notes

Perform a minimal Debian Jessie installation. Define a static IP address and a host name.

I will use the private.example.org host name and the /private/seafile web directory.

Install and configure the OpenSSH server and the sudo utility.

Synchronize system time using NTP protocol

Install the chrony NTP implementation.

milosz@private:~$ sudo apt-get install chrony

Configure the service to operate purely as an NTP client.

milosz@private:~$ sudo sed -i -e 's/^allow/#allow/' /etc/chrony/chrony.conf

Restart service.

milosz@private:~$ sudo systemctl restart chrony

Create system user

Create the seafile system user with /srv/seafile as its home directory.

milosz@private:~$ sudo useradd --system --create-home --home-dir /srv/seafile --shell /bin/bash seafile

Install application dependencies

Satisfy Seafile dependencies by installing the following packages.

milosz@private:~$ sudo apt-get install curl python2.7 libpython2.7 python-setuptools python-imaging sqlite3

Install Seafile server

Switch to seafile user.

milosz@private:~$ sudo su - seafile

Download the latest software version.

seafile@private:~$ curl -OL https://download.seafile.de/seafile-server_latest_x86-64.tar.gz

Extract downloaded archive.

seafile@private:~$ tar xvfz seafile-server_latest_x86-64.tar.gz 
seafile@private:~$ ls
seafile-server-5.0.4  seafile-server_latest_x86-64.tar.gz

Change to the extracted directory.

seafile@private:~$ cd seafile-server-5.0.4/

Start installation process.

seafile@private:~/seafile-server-5.0.4$ bash setup-seafile.sh

Provide the server name (a custom name) and the server domain (the real server name); do not change the other settings (data directory and recommended file-server port).

-----------------------------------------------------------------
This script will guide you to config and setup your seafile server.

Make sure you have read seafile server manual at 

	https://github.com/haiwen/seafile/wiki

Note: This script will guide your to setup seafile server using sqlite3,
which may have problems if your disk is on a NFS/CIFS/USB.
In these cases, we sugguest you setup seafile server using MySQL.

Press [ENTER] to continue
-----------------------------------------------------------------

Checking packages needed by seafile ...

Checking python on this machine ...
Find python: python2.7

  Checking python module: setuptools     ... Done.
  Checking python module: python-imaging ... Done.
  Checking python module: python-sqlite3 ... Done.

  Checking for sqlite3                   ... Done.

  Checking Done.

What would you like to use as the name of this seafile server?
Your seafile users will be able to see the name in their seafile client.
You can use a-z, A-Z, 0-9, _ and -, and the length should be 3 ~ 15
[server name]:  private

What is the ip or domain of this server?
For example, www.mycompany.com, or, 192.168.1.101

[This server's ip or domain]: private.example.org
Where would you like to store your seafile data? 
Note: Please use a volume with enough free space.
[default: /srv/seafile/seafile-data ] 
What tcp port do you want to use for seafile fileserver?
8082 is the recommended port.
[default: 8082 ] 

This is your config information:

server name:        private
server ip/domain:   private.example.org
seafile data dir:   /srv/seafile/seafile-data
fileserver port:    8082

If you are OK with the configuration, press [ENTER] to continue.
Generating ccnet configuration in /srv/seafile/ccnet...

done
Successly create configuration dir /srv/seafile/ccnet.

Generating seafile configuration in /srv/seafile/seafile-data ...

Done.

-----------------------------------------------------------------
Seahub is the web interface for seafile server.
Now let's setup seahub configuration. Press [ENTER] to continue
-----------------------------------------------------------------

Creating seahub database now, it may take one minute, please wait... 

Done.

creating seafile-server-latest symbolic link ... done


-----------------------------------------------------------------
Your seafile server configuration has been completed successfully.
-----------------------------------------------------------------

run seafile server:     ./seafile.sh { start | stop | restart }
run seahub  server:     ./seahub.sh  { start <port> | stop | restart <port> }

-----------------------------------------------------------------
If the server is behind a firewall, remember to open these tcp ports:
-----------------------------------------------------------------

port of seafile fileserver:   8082
port of seahub:               8000

When problems occur, refer to

      https://github.com/haiwen/seafile/wiki

for more information.

Verify installation process

Start application services.

seafile@private:~/seafile-server-5.0.4$ ./seafile.sh start
seafile@private:~/seafile-server-5.0.4$ ./seahub.sh start

Connect to port 8000 and verify that the installation process went fine.

Stop application services.

seafile@private:~/seafile-server-5.0.4$ ./seafile.sh stop
seafile@private:~/seafile-server-5.0.4$ ./seahub.sh stop

Install and configure HTTP server

Install nginx server.

milosz@private:~$ sudo apt-get install nginx

Configure HTTP server.

milosz@private:~$ cat << 'EOF' | sudo tee /etc/nginx/sites-enabled/default
server {
    listen 443 ssl; 
    server_name private.example.org;

    ssl on;
    ssl_certificate     certs/private.pem;
    ssl_certificate_key certs/private.key;
    ssl_dhparam         dhparams.pem;

    proxy_set_header X-Forwarded-For $remote_addr;

    location / {
        deny all;
    }

    location /private/seafile {
        fastcgi_pass    127.0.0.1:8000;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param   SERVER_PROTOCOL     $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param   SERVER_ADDR         $server_addr;
        fastcgi_param   SERVER_PORT         $server_port;
        fastcgi_param   SERVER_NAME         $server_name;
        fastcgi_param   REMOTE_ADDR         $remote_addr;
        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;

        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
        fastcgi_read_timeout 36000;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
    }

    location /private/seafile-media/ {
        alias /srv/seafile/seafile-server-latest/seahub/media/;
    }
}
EOF

Note that you need an SSL certificate and a DH parameters file.
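
The server block above refers to certs/private.pem, certs/private.key and dhparams.pem. As an added example (not part of the original article), the functions below create those three files and verify them; they assume a self-signed certificate is acceptable and that nginx resolves the relative paths against /etc/nginx, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: create and verify the three TLS files named in the nginx server block.
# Assumptions: self-signed certificate, files live under the nginx configuration directory.

# make_tls_material DIR CN [DH_BITS]
# Writes DIR/certs/private.key, DIR/certs/private.pem and DIR/dhparams.pem.
make_tls_material() {
    local dir="$1" cn="$2" dh_bits="${3:-2048}"
    mkdir -p "$dir/certs" || return 1
    # Generate the key under a restrictive umask so it is never world-readable.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 -subj "/CN=$cn" \
          -keyout "$dir/certs/private.key" -out "$dir/certs/private.pem" 2>/dev/null
    ) || return 1
    chmod 644 "$dir/certs/private.pem"
    # A locally generated DH group; this step can take a while for 2048 bits.
    openssl dhparam -out "$dir/dhparams.pem" "$dh_bits" 2>/dev/null
}

# check_tls_material DIR CN [MIN_DH_BITS]
# Succeeds only if key and certificate belong together, the subject carries CN,
# the DH group has at least MIN_DH_BITS bits and the key is owner-only (mode 600).
check_tls_material() {
    local dir="$1" cn="$2" min_bits="${3:-2048}" key_pub crt_pub bits
    key_pub=$(openssl pkey -in "$dir/certs/private.key" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$dir/certs/private.pem" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$dir/certs/private.pem" -noout -subject | grep -q "CN *= *$cn" ||
        { echo "certificate subject is not $cn" >&2; return 1; }
    bits=$(openssl dhparam -in "$dir/dhparams.pem" -text -noout 2>/dev/null |
           sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "DH group missing or smaller than $min_bits bits" >&2; return 1; }
    [ "$(stat -c %a "$dir/certs/private.key")" = "600" ] ||
        { echo "private key is readable by other users" >&2; return 1; }
}

# On the server, as root:
#   make_tls_material /etc/nginx private.example.org &&
#   check_tls_material /etc/nginx private.example.org
```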

Update Seafile configuration

Modify the Seafile configuration to take the /private/seafile web directory into account.

seafile@private:~$ sed -i 's|SERVICE_URL .*|SERVICE_URL = https://private.example.org/private/seafile|' conf/ccnet.conf 
seafile@private:~$ cat << EOF | tee -a conf/seahub_settings.py
FILE_SERVER_ROOT = 'https://private.example.org/seafhttp'

SERVE_STATIC = False
MEDIA_URL = '/private/seafile-media/'
COMPRESS_URL = MEDIA_URL
STATIC_URL = MEDIA_URL + 'assets/'
SITE_ROOT = '/private/seafile/'
LOGIN_URL = '/private/seafile/accounts/login/'    # NOTE: since version 5.0.4
EOF
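
A sub-directory setup like this one only works when the nginx locations, the Seahub settings and SERVICE_URL agree with each other. As an added example (not part of the original article, function names hypothetical), the script below cross-checks the three files and reports every mismatch, for instance a SERVICE_URL that still has its default value.

```shell
#!/usr/bin/env bash
# Added example: cross-check the sub-directory URLs used by nginx, Seahub and ccnet.

# setting FILE KEY: print the value assigned to KEY, without quotes or comments.
setting() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed "s/[[:space:]]*#.*//; s/^['\"]//; s/['\"]\$//" | tail -n 1
}

# has_location FILE PREFIX: succeed if FILE contains a "location PREFIX {" block.
has_location() {
    awk -v p="$2" '$1 == "location" && $2 == p { found = 1 } END { exit !found }' "$1"
}

# check_seafile_urls NGINX_CONF SEAHUB_SETTINGS CCNET_CONF
# Prints every mismatch and returns non-zero if there is at least one.
check_seafile_urls() {
    local nginx="$1" seahub="$2" ccnet="$3" rc=0
    local site media fsroot login service
    site=$(setting "$seahub" SITE_ROOT)
    media=$(setting "$seahub" MEDIA_URL)
    fsroot=$(setting "$seahub" FILE_SERVER_ROOT)
    login=$(setting "$seahub" LOGIN_URL)
    service=$(setting "$ccnet" SERVICE_URL)

    # Every URL prefix handed out by Seahub needs a matching nginx location.
    has_location "$nginx" "${site%/}" ||
        { echo "nginx: no location for SITE_ROOT '$site'"; rc=1; }
    has_location "$nginx" "$media" ||
        { echo "nginx: no location for MEDIA_URL '$media'"; rc=1; }
    has_location "$nginx" "/${fsroot#*://*/}" ||
        { echo "nginx: no location for FILE_SERVER_ROOT '$fsroot'"; rc=1; }
    # The login page must live below SITE_ROOT; both public URLs must be https.
    case $login in "$site"*) ;; *) echo "LOGIN_URL '$login' is outside SITE_ROOT"; rc=1 ;; esac
    case $fsroot in https://*) ;; *) echo "FILE_SERVER_ROOT '$fsroot' is not https"; rc=1 ;; esac
    case $service in https://*"${site%/}") ;;
        *) echo "SERVICE_URL '$service' is not https or does not end in SITE_ROOT"; rc=1 ;;
    esac
    return $rc
}

# Usage on the server:
#   check_seafile_urls /etc/nginx/sites-enabled/default \
#       /srv/seafile/conf/seahub_settings.py /srv/seafile/conf/ccnet.conf
```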

Configure service startup

Configure seafile service.

milosz@private:~$ cat << EOF | sudo tee /etc/systemd/system/seafile.service
[Unit]
Description=Seafile server
After=network.target

[Service]
Type=oneshot
ExecStart=/srv/seafile/seafile-server-latest/seafile.sh start
ExecStop=/srv/seafile/seafile-server-latest/seafile.sh stop
RemainAfterExit=yes
User=seafile
Group=nogroup

[Install]
WantedBy=multi-user.target
EOF

Enable seafile service.

milosz@private:~$ sudo systemctl enable seafile

Configure seahub service.

milosz@private:~$ cat << EOF | sudo tee /etc/systemd/system/seahub.service
[Unit]
Description=Seafile hub
After=network.target seafile.service
Requires=seafile.service

[Service]
Type=oneshot
ExecStart=/srv/seafile/seafile-server-latest/seahub.sh start-fastcgi
ExecStop=/srv/seafile/seafile-server-latest/seahub.sh stop
User=seafile
Group=nogroup
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

Enable seahub service.

milosz@private:~$ sudo systemctl enable seahub

Start both services. The seahub unit requires seafile.service, so starting seahub brings up both.

milosz@private:~$ sudo systemctl start seahub

Install and configure firewall

Install Shorewall firewall configuration tool.

milosz@private:~$ sudo apt-get install shorewall

Configure firewall.

I won't delve into details. The basic configuration is quite simple, so just inspect the manual pages mentioned in each file.

milosz@private:~$ cat << EOF | sudo tee /etc/shorewall/zones 
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ip
EOF
milosz@private:~$ cat << EOF | sudo tee /etc/shorewall/interfaces
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
FORMAT 2
###############################################################################
#ZONE   INTERFACE   OPTIONS
-       lo          ignore
net	    all         physical=+,optional
EOF
milosz@private:~$ cat << EOF | sudo tee /etc/shorewall/policy 
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST    POLICY  LOG LIMIT:  CONNLIMIT:
#               LEVEL   BURST       MASK
\$FW     net     ACCEPT
net     all     DROP
EOF
milosz@private:~$ cat << EOF | sudo tee /etc/shorewall/rules 
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###################################################################################################################################################################################
#ACTION        SOURCE        DEST        PROTO    DEST    SOURCE        ORIGINAL    RATE        USER/    MARK    CONNLIMIT    TIME         HEADERS         SWITCH
#                            PORT    PORT(S)        DEST        LIMIT        GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
?SECTION NEW

SSH(ACCEPT)        net        \$FW              -      -       -               -               s:ssh:3/min:5
Ping(ACCEPT)       net        \$FW
HTTPS(ACCEPT)      net        \$FW
EOF

Allow shorewall to start.

milosz@private:~$ sudo sed -i "s/startup=0/startup=1/" /etc/default/shorewall 

Enable shorewall service.

milosz@private:~$ sudo systemctl enable shorewall

Start shorewall service.

milosz@private:~$ sudo systemctl start shorewall

Additional notes

This is only a basic installation process. Further steps should include configuration of Monit, logrotate, sshguard/fail2ban and memcached.

References

Seafile Server Manual

Script collection to setup production-ready Seafile server installations with HTTPS

Guide to Deploying Diffie-Hellman for TLS

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system.

Gdansk, Poland https://sleeplessbeastie.eu