Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Seafile Protocol: Are ports 8082, 10001 and 12001 safe and/or necessary? #791

Closed
fraber opened this issue Aug 10, 2014 · 13 comments

Comments

Projects
None yet
5 participants
@fraber
Copy link

commented Aug 10, 2014

Hi Seafile team!

First of all congratulations to such a slick and high-potential product.

I've got some questions/issues concerning the architecture of Seafile: We have tried to install Seafile securely using HTTPS and our favorite reverse proxy "Pound". This is actually working for the Web client by using a separate domain for the port 8082 service. Also, we can HTTPS-protect both ports this way.

However, I'm kind of surprised to see that additional ports 10001 and 12001 are necessary for synchronization operations of the Windows client. May I ask:

  • Is this safe? From what I understand ports 10001 and 12001 run a HTTP type of protocol, but unencrypted. Is that right? Also, there are now a total of 4 (different) Web servers that all need to be maintained. Isn't that an unnecessary large "attack surface"?
  • Is this a feature? It practically makes it impossible for a "road warrior" (somebody with a laptop outside the company firewall) to sync with a Windows Seafile client. This is our main use-case. So we are now considering to use OpenVPN in order to work around this issue.
  • Is this really necessary? Wouldn't it be possible to hide these 4 additional ports somehow? Everybody bitches about the old FTP protocol because of it's extra ports. Couldn't you just build a kind of forwarding feature in your Seahub component?

In some texts you mention performance as a reason for this architecture. Even though I understand that there may be slow components in the Seafile technology stack, I don't understand why you couldn't use Seahub to redirect these queries to the appropriate component. A few socket operations should be sufficient for that with minor performance impact.

We are evaluating Seafile both for internal use as well as providing it to our SaaS customers (I'm the founder of http://www.project-open.com/).

Again, congratulations to your product!
Frank

@killing

This comment has been minimized.

Copy link
Member

commented Aug 11, 2014

The data sent through the port 10001 and 12001 is encrypted, but not with Openssl. The encryption protocol is not so secure as SSL. If your users will sync outside intranet, using VPN is recommended.
We're already working on an https based syncing protocol right now. This should be available in the next (4.0) version.

@freeplant

This comment has been minimized.

Copy link
Member

commented Aug 11, 2014

Hi Frank,

The port 10001 and 12001 is encrypted using AES-256. You can check more at http://manual.seafile.com/security/README.html .

In version 4.0, we are going to support syncing via HTTP/HTTPS protocol. And finally port 10001 and 12001 can be dropped in the future.

@qnxor

This comment has been minimized.

Copy link

commented Apr 25, 2015

I just tried Seafile for the first time, v4.1.2 (server) and v4.1.6 (client) and I'm also very surprised to see it needs 4 different ports .. 8000, 8082, 10001, 12001 ... wasn't this plethora of ports going to be dropped in v4.0? What are the plans?

@freeplant

This comment has been minimized.

Copy link
Member

commented Apr 25, 2015

10001, 12001 is no longer needed from v4.0 if you config Seafile behind Nginx/Apache. See more here: http://manual.seafile.com/overview/components.html

@qnxor

This comment has been minimized.

Copy link

commented Apr 25, 2015

Ok, I just configured Seafile with Apache and HTTPS and the client still uses ports 10001 and 12001 ... clearly seen in tcpdump (MacOSX client v4.1.6)

I did enable sync via http in the client and I followed this and this for the server.

If I block port 10001 and 12001 on the server then the client stops working.

Any clues?

@freeplant

This comment has been minimized.

Copy link
Member

commented Apr 25, 2015

You can check the seafile.log. If it failed to connect to https://domain/seafhttp/protocol-version, it will fall back to using port 10001 and 12001. In the next version v4.2, it will not fall back but will try to https://domain/seafhttp/protocol-version every few seconds.

@qnxor

This comment has been minimized.

Copy link

commented Apr 25, 2015

[Deleted previous message] The client log indeed fails to see "https://domain/seafhttp/protocol-version" ... odd, because the apache logs do report that other /seafhttp requests are served just fiine (200)

Any ideas?

Permissions seem not to be an issue, even though apache runs as www-data, because the web interface works displays fine, I can access https://domain from a browser and get to my files on Seafile from there.

EDIT: Accessing https://domain/seafhttp with the browser it reports:

If you see this page, Seafile HTTP syncing component works.

and accessing https://domain/seafhttp/protocol-version the brower reports:

{"version": 1}

Now I'm lost ... any clues?

@qnxor

This comment has been minimized.

Copy link

commented Apr 25, 2015

Got it! The certificate was self-signed and the client's libcurl was refusing to get the /seafhttp/protocol-version url as it couldn't auth with the CA ... I check the "Do not verify server certificate in HTTPS syncing" in the client settings and it's now only using port 443.

Many thanks for the pointer.

@shoeper

This comment has been minimized.

Copy link
Collaborator

commented Apr 25, 2015

Of you use your own domain, you could get your certificate signed by StartSSL for free. Just make sure to also include chain certificates to make it work well.

@qnxor

This comment has been minimized.

Copy link

commented Apr 25, 2015

@shoeper I didn't know companies started to do that (is the browser coverage any good?). It requires verification of domain and email ownership so I'll leave as is for now -- I do have my own domain but it's privacy protected (for a reason).

@shoeper

This comment has been minimized.

Copy link
Collaborator

commented Apr 25, 2015

You just need the to setup the chain properly. Afaik their ca certificate is accpeted on all major platforms and browser.

You can get a certificate without having to identify yourself. You just receive a mail at postmaster@example.com (or ~4 others) and it'll be verified. No need of a personal mail, name or anything else. The certificate will just be domain validated (which is enough) and you won't have to include you name or anything else personal in the certificate.

@qnxor

This comment has been minimized.

Copy link

commented Apr 27, 2015

@shoeper I don't want to push this discussion further here as it's off-topic, but the free StartSSL cert does require you to provide all information about yourself, including name, address, phone number ... sure, you can lie about it and try to use disposable email addresses -- but they do reject most disposable email address domains (guerrilla, hmamail etc).

@shoeper

This comment has been minimized.

Copy link
Collaborator

commented Apr 27, 2015

@qnxor ok, sorry - didn't have that in mind anymore. Thanks for your hint.

@shoeper shoeper closed this Feb 9, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.