Introduction

Seafile is a powerful, open-source file syncing and sharing platform that provides an alternative to commercial cloud storage services. When deploying Seafile in a production environment, you’ll typically want to place it behind a reverse proxy like Traefik to handle SSL termination, routing, and additional security features.

In this guide, I’ll walk you through the exact Traefik configuration needed to properly expose Seafile 12 to the internet. This setup handles all three essential components of Seafile: the web interface, the file transfer service (seafhttp), and WebDAV access (seafdav).

Understanding Seafile’s Architecture

Before diving into the configuration, it’s important to understand that Seafile consists of multiple services that need to be properly routed:

  1. Main Web UI - The primary interface for users to interact with Seafile
  2. Seafhttp - Handles file uploads and downloads
  3. Seafdav - Provides WebDAV access to files

Each of these services needs its own routing rules in Traefik.

Traefik Configuration

Let’s start with the complete Traefik configuration needed for Seafile 12:

http:
  routers:
    routerSeafile:
      entryPoints: websecure
      service: seafile
      rule: "Host(`sf.mydomain.com`)"
      middlewares:
        - "HSTS"
      tls: {}
    routerSeafHttp:
      entryPoints: websecure
      service: seafhttp
      rule: "Host(`sf.mydomain.com`) && PathPrefix(`/seafhttp`)"
      middlewares:
        - "HSTS"
        - "seafhttp-strip-prefix"
        - "removeDuplicateSlashes"
      tls: {}
    routerSeafdav:
      entryPoints: websecure
      service: seafdav
      rule: "Host(`sf.mydomain.com`) && PathPrefix(`/seafdav`)"
      middlewares:
        - "HSTS"
      tls: {}

  services:
    seafile:
      loadBalancer:
        servers:
          - url: http://seafile.local:8000
        serversTransport: insecureTransport
    seafhttp:
      loadBalancer:
        servers:
          - url: http://seafile.local:8082
        serversTransport: insecureTransport
    seafdav:
      loadBalancer:
        servers:
          - url: http://seafile.local:8080
        serversTransport: insecureTransport

Middleware Configuration

In addition to the core routing rules, we need to define some middlewares to handle security and path manipulation:

http:
  middlewares:
    HSTS:
      headers:
        stsSeconds: 15552000
        stsIncludeSubdomains: true
        forceSTSHeader: true
        stsPreload: true
        frameDeny: true
        browserXssFilter: true
    seafhttp-strip-prefix:
      stripPrefix:
        prefixes:
          - "/seafhttp"
        forceSlash: true
    removeDuplicateSlashes:
      replacePathRegex:
        regex: "/{2,}"
        replacement: "/"
  serversTransports:
    insecureTransport:
      insecureSkipVerify: true

Configuration Breakdown

Let’s break down the key parts of this configuration:

1. Router Definitions

We define three separate routers, each handling a different component of Seafile:

  • routerSeafile: Routes requests to the main Seafile UI
  • routerSeafHttp: Routes file transfer requests to the seafhttp service
  • routerSeafdav: Routes WebDAV requests to the seafdav service

2. Routing Rules

Each router uses a combination of hostname and path-based rules:

  • Main UI: Matches requests to sf.mydomain.com
  • Seafhttp: Matches requests to sf.mydomain.com/seafhttp
  • Seafdav: Matches requests to sf.mydomain.com/seafdav

3. Services

Each router is connected to its corresponding service, which defines where Traefik should proxy the requests:

  • Main UI: Proxied to http://seafile.local:8000
  • Seafhttp: Proxied to http://seafile.local:8082
  • Seafdav: Proxied to http://seafile.local:8080

4. Middlewares

We apply several important middlewares:

  • HSTS: Enforces HTTPS usage by clients
  • seafhttp-strip-prefix: Removes the /seafhttp prefix before forwarding to the backend
  • removeDuplicateSlashes: Cleans up URLs with duplicate slashes. This was made necessary for me after the migration from Seafile 11 to 12, but you may not need it.
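
The following is an added example, not part of the original configuration: a simplified Python model of how the three routers and the seafhttp middleware chain rewrite a request path before it reaches the backend. It assumes Traefik's default router priority (longest rule wins); the sample paths and the TOKEN placeholder are constructed.

```python
import re

# Simplified model of the three routers above: Host + PathPrefix matching and
# Traefik's default priority (the longest rule string wins). Not modelled: TLS,
# and any path normalisation Traefik applies before routing.
HOST = "sf.mydomain.com"
ROUTERS = [  # (name, rule, path prefix, middleware chain, backend)
    ("routerSeafile", "Host(`sf.mydomain.com`)", "",
     ["HSTS"], "http://seafile.local:8000"),
    ("routerSeafHttp", "Host(`sf.mydomain.com`) && PathPrefix(`/seafhttp`)", "/seafhttp",
     ["HSTS", "seafhttp-strip-prefix", "removeDuplicateSlashes"], "http://seafile.local:8082"),
    ("routerSeafdav", "Host(`sf.mydomain.com`) && PathPrefix(`/seafdav`)", "/seafdav",
     ["HSTS"], "http://seafile.local:8080"),
]

def strip_prefix(path, prefix="/seafhttp"):
    """stripPrefix with forceSlash: true: drop the prefix, then prepend one '/'."""
    if not path.startswith(prefix):
        return path
    rest = path[len(prefix):]
    return "/" + (rest[1:] if rest.startswith("/") else rest)

def remove_duplicate_slashes(path):
    """replacePathRegex with regex '/{2,}' and replacement '/'."""
    return re.sub(r"/{2,}", "/", path)

MIDDLEWARES = {
    "HSTS": lambda path: path,  # only adds response headers, path untouched
    "seafhttp-strip-prefix": strip_prefix,
    "removeDuplicateSlashes": remove_duplicate_slashes,
}

def resolve(host, path):
    """Return (router name, backend URL with rewritten path), or None if unrouted."""
    matches = [r for r in ROUTERS if host == HOST and path.startswith(r[2])]
    if not matches:
        return None
    name, _rule, _prefix, chain, backend = max(matches, key=lambda r: len(r[1]))
    for mw in chain:  # middlewares run in the order listed on the router
        path = MIDDLEWARES[mw](path)
    return name, backend + path

if __name__ == "__main__":
    # Constructed sample paths; TOKEN is a placeholder.
    for p in ("/", "/seafhttp/upload-api/TOKEN",
              "/seafhttp//files/TOKEN/a.txt", "/seafdav/lib/a.txt"):
        print(p, "->", resolve(HOST, p))
```

Note that only the seafhttp route has its prefix stripped; the seafdav backend receives the path with /seafdav still in place.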

5. Security Considerations

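  • Traefik reaches the Seafile backends over plain HTTP (the http://seafile.local URLs), so that hop is unencrypted and should stay on a trusted internal network. The insecureTransport serversTransport sets insecureSkipVerify: true, which disables verification of backend TLS certificates and only comes into play if a backend URL is switched to https://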
  • HSTS headers ensure clients always use HTTPS for future connections
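  • The frameDeny and browserXssFilter options in the same headers middleware add X-Frame-Options: DENY and X-XSS-Protection: 1; mode=block to responses; the first stops the site from being framed by other pages (clickjacking)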
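
The following is an added example, not part of the original post: a Python check that compares a captured response header block (for instance the output of curl -sI against each of the three routes) with the values set in the HSTS middleware above. The sample responses are constructed.

```python
EXPECTED_MAX_AGE = 15552000  # stsSeconds from the HSTS middleware

def parse_headers(raw):
    """Parse a raw response header block into a dict with lowercase names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return a list of findings; an empty list means the headers match the middleware."""
    h = parse_headers(raw)
    findings = []
    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = [d.strip().lower() for d in sts.split(";") if d.strip()]
        max_age = next((d.split("=", 1)[1] for d in directives
                        if d.startswith("max-age=")), "")
        if not max_age.isdigit() or int(max_age) < EXPECTED_MAX_AGE:
            findings.append(f"HSTS max-age below {EXPECTED_MAX_AGE}")
        if "includesubdomains" not in directives:  # stsIncludeSubdomains
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in directives:            # stsPreload
            findings.append("HSTS lacks preload")
    if h.get("x-frame-options", "").upper() != "DENY":      # frameDeny
        findings.append("X-Frame-Options is not DENY")
    if not h.get("x-xss-protection", "").startswith("1"):   # browserXssFilter
        findings.append("X-XSS-Protection not enabled")
    return findings

# Constructed samples: a route with the middleware attached, and one without it.
GOOD = """HTTP/2 200
strict-transport-security: max-age=15552000; includeSubDomains; preload
x-frame-options: DENY
x-xss-protection: 1; mode=block
"""
NO_MIDDLEWARE = """HTTP/1.1 207 Multi-Status
content-type: text/xml
"""

if __name__ == "__main__":
    print(audit(GOOD))
    print(audit(NO_MIDDLEWARE))
```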

Conclusion

This configuration provides a secure and efficient way to expose Seafile 12 behind Traefik. The setup properly handles all three components of Seafile, ensuring that users can access the web interface, upload/download files, and use WebDAV functionality.

By using Traefik as a reverse proxy, you gain several benefits including automatic SSL certificate management (if configured), powerful routing capabilities, and additional security layers. This particular configuration focuses on the specific routing needs of Seafile while implementing security best practices.

Remember that this configuration assumes you’ve already set up Seafile correctly and that it’s accessible internally at the defined addresses. The configuration also assumes that you have Traefik properly configured with SSL certificates for the specified domain.