
Seahub redirects to http (seafile, CLOSED)

haiwen commented on May 15, 2024
Seahub redirects to http

from seafile.

Comments (12)

Debakel commented on May 15, 2024

I have the same issue with version 1.5. After login I'm redirected to http://example.org/home/my/.
Assuming you are using nginx, add the following entry in nginx.conf:

server {
    listen 80;
    rewrite ^(.*) https://$host$1 permanent;
}

Every HTTP request will be rewritten to HTTPS!
(Similar to xiez's solution for Apache.)

xiez commented on May 15, 2024

We just tested with an nginx proxy; HTTPS redirects work fine.

Can you give us more details, like how you configured the Apache proxy?

J4nsen commented on May 15, 2024

Hi, this is my virtual server config for the proxy:

<VirtualHost *:443>
    ServerAdmin [email protected]

    Servername seafile.domain.com
    ServerAlias seafile.domain.com
    SSLProxyEngine On
    SSLEngine On
    ProxyPreserveHost On

    SSLCertificateFile /etc/apache2/ssl/seafile.cert
    SSLCertificateKeyFile /etc/apache2/ssl/seafile.key

    ProxyPass / http://192.168.0.13:8000/
    ProxyPassReverse / http://192.168.0.13:8000/

</VirtualHost>


<VirtualHost *:80>
    ServerAdmin [email protected]
    Servername seafile.domain.com
    ServerAlias seafile.domain.com

    ProxyPreserveHost On
    ProxyPass / http://192.168.0.13:8000/
    ProxyPassReverse / http://192.168.0.13:8000/
</VirtualHost>

And a capture of the headers:

https://seafile.domain.com/

GET / HTTP/1.1
Host: seafile.domain.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: csrftoken=df73966d1b296127c108e233050e68de; sessionid=7b8579212731db99efd89015afb1b74b

HTTP/1.1 302 FOUND
Date: Thu, 13 Dec 2012 14:13:06 GMT
Server: gunicorn/0.16.1
Vary: Accept-Language,Cookie
Content-Type: text/html; charset=utf-8
Location: http://seafile.domain.com/accounts/login?next=/
Content-Language: en
Set-Cookie: csrftoken=d73966d1b296127c108e233050e68de; expires=Thu, 12-Dec-2013 14:13:06 GMT; Max-Age=31449600; Path=/
Via: 1.1 seafile.domain.com
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive

My CCnet config

[General]
USER_NAME = domain
ID = 9be68e5ba095d39a0c31c6fe0ec3649c9447b607
NAME = domain
SERVICE_URL = https://seafile.domain.com

[Network]
PORT = 10001

[Client]
PORT = 13419

xiez commented on May 15, 2024

This should work using mod_rewrite.

<VirtualHost *:80>
    ServerAdmin [email protected]
    Servername seafile.domain.com
    ServerAlias seafile.domain.com

    ProxyPreserveHost On
    ProxyPass / http://192.168.0.13:8000/
    ProxyPassReverse / http://192.168.0.13:8000/

    RewriteEngine On
    # This vhost only serves plain HTTP, so redirect whenever HTTPS is off
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

Apache proxy will rewrite all HTTP requests to HTTPS. But in this way, you can only use HTTPS. Hope this fits your scenario.

BTW, using Apache as a proxy server will not give the best performance. We recommend using Apache with fcgi. This will also solve the https redirect issue. Check it out here: https://github.com/haiwen/seafile/wiki/Deploy-Seafile-Web-with-nginx-apache

J4nsen commented on May 15, 2024

Thanks for your reply and for writing the apache-fastcgi howto. But I don't know if fastcgi suits my setup. I would have to maintain two parts of seafile on two different virtual machines: /media on the apache server and the rest on the seafile server.

I already had a "fix" for the http problem by using

RedirectMatch permanent (/.*) https://seafile.domain.com$1

but there is still the problem that the client sends one unencrypted http request including its session-id cookie to the server, before it gets redirected to https.

Looks like there is no easy way to fix this single redirect to http in the seahub code? Another option is to add HSTS information to the Apache response headers, but this is not supported by all browsers.

xiez commented on May 15, 2024

According to https://docs.djangoproject.com/en/dev/topics/security/, you need to set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True in seahub_settings.py; this will secure your session ID and CSRF token ID.

from seafile.
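An added check, not part of the thread or of Seafile's code: it audits a response fetched over HTTPS for the two leaks discussed here, a redirect back to http:// on the same host and a cookie set without the Secure attribute. The sample response is constructed, modelled on the capture posted above, and the function names are this example's own.

```python
from urllib.parse import urlsplit

# Constructed sample, modelled on the capture posted earlier in this thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 FOUND\r\n"
    "Server: gunicorn/0.16.1\r\n"
    "Location: http://seafile.domain.com/accounts/login?next=/\r\n"
    "Set-Cookie: csrftoken=CONSTRUCTED; Max-Age=31449600; Path=/\r\n"
    "Set-Cookie: sessionid=CONSTRUCTED; Path=/; HttpOnly; Secure\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (status_code, [(lowercase name, value), ...]) for a raw response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_https_response(request_host, raw):
    """List findings for a response that was fetched over https://request_host/."""
    status, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "location" and 300 <= status < 400:
            target = urlsplit(value)
            # A redirect to http:// on the same host makes the browser resend
            # every cookie that lacks the Secure attribute in clear text.
            if target.scheme == "http" and target.hostname == request_host:
                findings.append("downgrade-redirect: " + value)
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie-without-secure: " + cookie_name)
    return findings


if __name__ == "__main__":
    for finding in audit_https_response("seafile.domain.com", SAMPLE_RESPONSE):
        print(finding)
```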

J4nsen commented on May 15, 2024

Thanks, I'm happy with this solution.

But I have also found the root cause of my problem. In line 86 of views.py

@login_required
def root(request):
    return HttpResponseRedirect(reverse(myhome))

the user gets redirected. The Django framework redirects to http because is_secure() returns false (https://code.djangoproject.com/ticket/12043), due to the fact that the Apache proxy talks to the application in http. Sadly the proposed solution (https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header) is not available in Django 1.3.

from seafile.
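The root cause described in the comment above, as an added example (not Seahub's or Django's code): the backend only sees the proxy's plain-HTTP hop, so redirects come out as http:// unless a forwarded-scheme header from a trusted proxy is honoured. The proxy address, the use of X-Forwarded-Proto and the stand-in app are assumptions of this example; the proxy has to set the header itself, for instance with Apache's `RequestHeader set X-Forwarded-Proto "https"` (mod_headers) in the 443 virtual host.

```python
TRUSTED_PROXIES = {"192.168.0.12"}  # assumption: constructed address of the Apache proxy


class ProxySchemeMiddleware:
    """WSGI wrapper that restores the original scheme behind a TLS-terminating proxy."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if environ.get("REMOTE_ADDR") in self.trusted and proto == "https":
            # The proxy vouches that the browser-facing hop used TLS.
            environ["wsgi.url_scheme"] = "https"
        else:
            # Header absent, or sent by a client that reached the backend
            # directly: drop it so nothing downstream trusts it.
            environ.pop("HTTP_X_FORWARDED_PROTO", None)
        return self.app(environ, start_response)


def login_redirect_app(environ, start_response):
    """Stand-in for the framework: absolute redirect built from the request scheme."""
    location = "%s://%s/accounts/login?next=/" % (
        environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    start_response("302 FOUND", [("Location", location)])
    return [b""]


def location_for(app, remote_addr, forwarded_proto=None):
    """Send one constructed GET / as the backend would see it; return Location."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_HOST": "seafile.domain.com", "REMOTE_ADDR": remote_addr,
               "wsgi.url_scheme": "http"}  # the proxy-to-backend hop is plain HTTP
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}
    list(app(environ, lambda status, headers, exc_info=None: captured.update(headers)))
    return captured["Location"]


if __name__ == "__main__":
    wrapped = ProxySchemeMiddleware(login_redirect_app, TRUSTED_PROXIES)
    print(location_for(login_redirect_app, "192.168.0.12", "https"))  # unwrapped
    print(location_for(wrapped, "192.168.0.12", "https"))  # trusted proxy
    print(location_for(wrapped, "203.0.113.7", "https"))   # spoofed header
```

The untrusted-client branch matters when the backend port is reachable without going through the proxy: a client-supplied header must not be able to switch the scheme.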

hostirosti commented on May 15, 2024

The following setting in the nginx conf fixes the problem if you don't want to open port 80 for rewrite purpose. Add the following line to the fastcgi_param settings:

fastcgi_param HTTPS $https;

daald commented on May 15, 2024

@hostirosti Is there also a solution without fastcgi?

$ curl -v https://myhost 
> GET / HTTP/1.1
> Host: myhost
> 
< HTTP/1.1 302 FOUND
< Location: http://myhost/accounts/login?next=/

hostirosti commented on May 15, 2024

@daald Have you tried any of the solutions mentioned above? I haven't worked with seafile for years so not sure what they currently support.

daald commented on May 15, 2024

@hostirosti I didn't see J4nsen's comment so far, which looks very helpful. The other options didn't apply to my setup (don't have fastcgi and don't have port 80). I listed all possible options in a comment of another issue: #250 (comment)

daald commented on May 15, 2024

@hostirosti Yes, the trick with the Django config works. #250 (comment). I highly recommend adding a paragraph with this solution to https://manual.seafile.com/deploy/https_with_nginx.html. Without this setting, seafile breaks all the security you can get using https.
