Restrict upload using NGINX
ViRb3 edited this page Aug 17, 2019 · 10 revisions
This is a neat and effective way to restrict paste uploading using NGINX without breaking anything and without modifying PrivateBin.
An authentication page is created using NGINX, which, if provided with the correct credentials, will set a cookie with a secret key. All POST requests to the server are restricted using NGINX and only allowed if this secret key is provided. This allows viewing pastes by anyone but not uploading.
- Create your credentials file at `/etc/nginx/.htpasswd`. You can use the htpasswd tool, tutorial here
- Use the following NGINX configuration, make sure you replace `server_name` and `SUPER_SECRET_KEY`, and set up HTTPS:
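```nginx
server {
    server_name paste.website.com;

    location / {
        # Initialize the flag so NGINX does not log "uninitialized variable" warnings
        set $block 0;
        # Block every POST (paste upload) by default ...
        if ($request_method = POST) {
            set $block 1;
        }
        # ... unless the request carries the secret cookie set by /auth
        if ($cookie_secret = 'SUPER_SECRET_KEY') {
            set $block 0;
        }
        if ($block = 1) {
            return 401;
        }
        proxy_pass http://localhost:8080;
    }

    location /auth {
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
        # return runs in the rewrite phase, before auth_basic is checked,
        # so it is moved into its own named location. DUMMY is a file that
        # does not exist, which makes try_files fall through to @login.
        try_files DUMMY @login;
    }

    location @login {
        # Secure: only sent over HTTPS; SameSite=Strict: not sent on cross-site requests
        add_header Set-Cookie 'secret=SUPER_SECRET_KEY;Secure;SameSite=Strict';
        return 302 $scheme://$host;
    }

    listen 443 ssl http2;
}
```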
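The key appears twice in the configuration above (the cookie comparison and the `Set-Cookie` header), and a deployment that leaves the published placeholder in either place is gated by a value anyone can read on this page. The following is an added example, not part of the original wiki page: it generates a random key, substitutes it everywhere, and verifies the result. The function names are hypothetical, and it assumes the configuration is saved unmodified as a template.

```shell
#!/bin/sh
# Added example, not from the PrivateBin wiki. Function names are hypothetical.

# gen_key: 32 random bytes as 64 hex characters (safe in an nginx quoted
# string and in a cookie value).
gen_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# render_conf SERVER_NAME KEY < template > rendered
# Substitutes the key in every place the placeholder occurs and sets server_name.
render_conf() {
    name=$1
    key=$2
    # Accept only 64 lowercase hex chars, so a bad value cannot add config syntax.
    case $key in
        ''|*[!0-9a-f]*) echo "key must be lowercase hex" >&2; return 1 ;;
    esac
    [ "${#key}" -eq 64 ] || { echo "key must be 64 characters" >&2; return 1; }
    case $name in
        ''|*[!A-Za-z0-9.-]*) echo "invalid server name" >&2; return 1 ;;
    esac
    sed -e "s/SUPER_SECRET_KEY/$key/g" \
        -e "s/^\([[:space:]]*server_name\)[[:space:]].*;/\1 $name;/"
}

# check_conf KEY < rendered
# Succeeds only if the placeholder is gone and the same key is used both in
# the cookie comparison and in the Set-Cookie header.
check_conf() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -qF 'SUPER_SECRET_KEY'; then
        echo "placeholder key still present" >&2; return 1
    fi
    printf '%s\n' "$conf" | grep -qF "\$cookie_secret = '$1'" || return 1
    printf '%s\n' "$conf" | grep -qF "Set-Cookie 'secret=$1;" || return 1
}
```

After rendering, `nginx -t` checks the syntax before a reload.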
Copyright 2021 wiki contributors. Licensed under CC BY 4.0. The PrivateBin software itself is licensed differently.