How to install and configure private Seafile cloud storage server

Since the beginning of this year, I have started using Seafile, and I absolutely love it as it offers simple data organization using libraries and reliable file synchronization between multiple devices with built-in encryption. Check for yourself as it is undoubtedly worth it.

Graphical user interface

Use the web-interface as the central administration interface. The desktop client uses a simple yet elegant design.

The Android client provides quick access to the stored files, but two-way synchronization is not implemented.

Initial notes

Perform a minimal Debian Jessie installation. Define a static IP address and hostname.

I will use the private.example.org hostname and the /private/seafile web directory.

Install and configure the OpenSSH server and sudo utility.

Synchronize system time using NTP protocol

Install chrony NTP implementation.

milosz@private:~$ sudo apt-get install chrony

Configure the service to operate purely as an NTP client.

milosz@private:~$ sudo sed -i -e 's/^allow/#allow/' /etc/chrony/chrony.conf

Restart service.

milosz@private:~$ sudo systemctl restart chrony

Create a system user

Create seafile system user with defined /srv/seafile home directory.

milosz@private:~$ sudo useradd --system --create-home --home-dir /srv/seafile --shell /bin/bash seafile

Install application dependencies

Satisfy Seafile dependencies by installing the following packages.

milosz@private:~$ sudo apt-get install curl python2.7 libpython2.7 python-setuptools python-imaging sqlite3

Install Seafile server

Switch to seafile user.

milosz@private:~$ sudo su - seafile

Download the latest software version.

seafile@private:~$ curl -OL https://download.seafile.de/seafile-server_latest_x86-64.tar.gz

Extract downloaded archive.

seafile@private:~$ tar xvfz seafile-server_latest_x86-64.tar.gz
seafile@private:~$ ls
seafile-server-5.0.4  seafile-server_latest_x86-64.tar.gz

Change directory to the extracted one.

seafile@private:~$ cd seafile-server-5.0.4/

Start the installation process.

seafile@private:~/seafile-server-5.0.4$ bash setup-seafile.sh

Provide the server name (a custom name) and the server domain (the real server name). Do not change the other settings (data directory and recommended file-server port).

-----------------------------------------------------------------
This script will guide you to config and setup your seafile server.
Make sure you have read seafile server manual at
	https://github.com/haiwen/seafile/wiki
Note: This script will guide your to setup seafile server using sqlite3,
which may have problems if your disk is on a NFS/CIFS/USB.
In these cases, we suggest you setup seafile server using MySQL.
Press [ENTER] to continue
-----------------------------------------------------------------
Checking packages needed by seafile ...
Checking python on this machine ...
Find python: python2.7
  Checking python module: setuptools     ... Done.
  Checking python module: python-imaging ... Done.
  Checking python module: python-sqlite3 ... Done.
  Checking for sqlite3                   ... Done.
  Checking Done.
What would you like to use as the name of this seafile server?
Your seafile users will be able to see the name in their seafile client.
You can use a-z, A-Z, 0-9, _ and -, and the length should be 3 ~ 15
[server name]:  private
What is the ip or domain of this server?
For example, www.mycompany.com, or, 192.168.1.101
[This server's ip or domain]: private.example.org
Where would you like to store your seafile data?
Note: Please use a volume with enough free space.
[default: /srv/seafile/seafile-data ] 
What tcp port do you want to use for seafile fileserver?
8082 is the recommended port.
[default: 8082 ] 
This is your config information:
server name:        private
server ip/domain:   private.example.org
seafile data dir:   /srv/seafile/seafile-data
fileserver port:    8082
If you are OK with the configuration, press [ENTER] to continue.
Generating ccnet configuration in /srv/seafile/ccnet...
done
Successfully created configuration dir /srv/seafile/ccnet.
Generating seafile configuration in /srv/seafile/seafile-data ...
Done.
-----------------------------------------------------------------
Seahub is the web interface for seafile server.
Now let's setup seahub configuration. Press [ENTER] to continue
-----------------------------------------------------------------
Creating seahub database now, it may take one minute, please wait...
Done.
creating seafile-server-latest symbolic link ... done
-----------------------------------------------------------------
Your seafile server configuration has been completed successfully.
-----------------------------------------------------------------
run seafile server:     ./seafile.sh { start | stop | restart }
run seahub  server:     ./seahub.sh  { start <port> | stop | restart <port> }
-----------------------------------------------------------------
If the server is behind a firewall, remember to open these tcp ports:
-----------------------------------------------------------------
port of seafile fileserver:   8082
port of seahub:               8000
When problems occur, refer to
      https://github.com/haiwen/seafile/wiki
for more information.

Verify the installation process

Start application services.

seafile@private:~/seafile-server-5.0.4$ ./seafile.sh start
seafile@private:~/seafile-server-5.0.4$ ./seahub.sh start

Connect to port 8000 and verify that the installation process went fine.

Stop application services.

seafile@private:~/seafile-server-5.0.4$ ./seafile.sh stop
seafile@private:~/seafile-server-5.0.4$ ./seahub.sh stop

Install and configure the HTTP server.

Install nginx server.

milosz@private:~$ sudo apt-get install nginx

Configure the HTTP server.

milosz@private:~$ cat << 'EOF' | sudo tee /etc/nginx/sites-enabled/default
server {
    listen 443 ssl;
    server_name private.example.org;
    ssl on;
    ssl_certificate     certs/private.pem;
    ssl_certificate_key certs/private.key;
    ssl_dhparam         dhparams.pem;
    proxy_set_header X-Forwarded-For $remote_addr;
    location / {
        deny all;
    }
    location /private/seafile {
        fastcgi_pass    127.0.0.1:8000;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;
        fastcgi_param   SERVER_PROTOCOL     $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param   SERVER_ADDR         $server_addr;
        fastcgi_param   SERVER_PORT         $server_port;
        fastcgi_param   SERVER_NAME         $server_name;
        fastcgi_param   REMOTE_ADDR         $remote_addr;
        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;
        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
        fastcgi_read_timeout 36000;
    }
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
    }
    location /private/seafile-media/ {
        alias /srv/seafile/seafile-server-latest/seahub/media/;
    }
}
EOF

Notice that you need an SSL certificate, its private key, and a DH parameters file at the paths referenced in the configuration above.

Update Seafile configuration

Modify the Seafile configuration to take the /private/seafile web directory into account.

seafile@private:~$ sed -i 's|SERVICE_URL .*|SERVICE_URL = https://private.example.org/private/seafile|' conf/ccnet.conf
seafile@private:~$ cat << EOF | tee -a conf/seahub_settings.py
FILE_SERVER_ROOT = 'https://private.example.org/seafhttp'
SERVE_STATIC = False
MEDIA_URL = '/private/seafile-media/'
COMPRESS_URL = MEDIA_URL
STATIC_URL = MEDIA_URL + 'assets/'
SITE_ROOT = '/private/seafile/'
LOGIN_URL = '/private/seafile/accounts/login/'    # NOTE: since version 5.0.4
EOF

Configure service startup

Configure seafile service.

milosz@private:~$ cat << EOF | sudo tee /etc/systemd/system/seafile.service
[Unit]
Description=Seafile server
After=network.target
[Service]
Type=oneshot
ExecStart=/srv/seafile/seafile-server-latest/seafile.sh start
ExecStop=/srv/seafile/seafile-server-latest/seafile.sh stop
RemainAfterExit=yes
User=seafile
Group=nogroup
[Install]
WantedBy=multi-user.target
EOF

Enable seafile service.

milosz@private:~$ sudo systemctl enable seafile

Configure seahub service.

milosz@private:~$ cat << EOF | sudo tee /etc/systemd/system/seahub.service
[Unit]
Description=Seafile hub
After=network.target seafile.service
Requires=seafile.service
[Service]
Type=oneshot
ExecStart=/srv/seafile/seafile-server-latest/seahub.sh start-fastcgi
ExecStop=/srv/seafile/seafile-server-latest/seahub.sh stop
User=seafile
Group=nogroup
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF

Enable seahub service.

milosz@private:~$ sudo systemctl enable seahub

Start both services. Starting seahub also starts seafile because of the Requires= dependency.

milosz@private:~$ sudo systemctl start seahub

Install and configure the firewall

Install the Shorewall firewall configuration tool.

milosz@private:~$ sudo apt-get install shorewall

Configure firewall.

I won’t delve into details. The basic configuration is quite simple, so just inspect the mentioned manual pages.

milosz@private:~$ cat << EOF | sudo tee /etc/shorewall/zones
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ip
EOF
milosz@private:~$ cat << EOF | sudo tee /etc/shorewall/interfaces
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
FORMAT 2
###############################################################################
#ZONE   INTERFACE   OPTIONS
-       lo          ignore
net	    all         physical=+,optional
EOF
milosz@private:~$ cat << EOF | sudo tee /etc/shorewall/policy 
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST    POLICY  LOG LIMIT:  CONNLIMIT:
#               LEVEL   BURST       MASK
\$FW     net     ACCEPT
net     all     DROP
EOF
milosz@private:~$ cat << EOF | sudo tee /etc/shorewall/rules 
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###################################################################################################################################################################################
#ACTION        SOURCE        DEST        PROTO    DEST    SOURCE        ORIGINAL    RATE        USER/    MARK    CONNLIMIT    TIME         HEADERS         SWITCH
#                            PORT    PORT(S)        DEST        LIMIT        GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
?SECTION NEW

SSH(ACCEPT)        net        \$FW              -      -       -               -               s:ssh:3/min:5
Ping(ACCEPT)       net        \$FW
HTTPS(ACCEPT)      net        \$FW
EOF

Allow shorewall to start.

milosz@private:~$ sudo sed -i "s/startup=0/startup=1/" /etc/default/shorewall

Enable shorewall service.

milosz@private:~$ sudo systemctl enable shorewall

Start shorewall service.

milosz@private:~$ sudo systemctl start shorewall
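
A check for the end state this setup aims for, as an added example that is not part of the original post: nginx reaches Seahub (8000) and the file server (8082) through 127.0.0.1, so a backend listener on any other address is protected only by the firewall rules above. The function parses `ss -ltn` output; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# exposed_backends reads `ss -ltn` lines on stdin and prints "<port> <address>"
# for every Seafile backend listener that is not bound to loopback.
# Default ports 8000 (Seahub) and 8082 (file server) are the ones the
# installer reports; pass another space-separated list as $1 to override.
exposed_backends() {
    awk -v ports="${1:-8000 8082}" '
        BEGIN {
            n = split(ports, list, " ")
            for (i = 1; i <= n; i++) backend[list[i]] = 1
        }
        $1 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)          # keep the text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in backend)) next  # not a Seafile backend port
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            print port, addr              # reachable from other interfaces
        }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_listeners() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8082 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:8082 [::]:*
EOF
}

# On the server itself: ss -ltn | exposed_backends
sample_listeners | exposed_backends
```

An empty result means both backends are bound to loopback only; any line printed names a port that relies on the Shorewall DROP policy alone.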

Additional notes

These are introductory installation notes. Further steps should include configuration of Monit, logrotate, sshguard/fail2ban, and memcached.
