Drop media proxy same-domain default for base_url
Even more than with user uploads, a same-domain proxy setup bears significant security risks due to serving untrusted content under the main domain space. A risky setup like that should never be the default.
parent 11ae8344eb
commit fc36b04016
2 changed files with 23 additions and 6 deletions
|
@ -6,7 +6,16 @@ With the `mediaproxy` function you can use nginx to cache this content, so users
|
||||||
|
|
||||||
## Activate it
|
## Activate it
|
||||||
|
|
||||||
* Edit your nginx config and add the following location:
|
* Edit your nginx config and add the following location to your main server block:
|
||||||
|
```
|
||||||
|
location /proxy {
|
||||||
|
return 404;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
* Set up a subdomain for the proxy with its nginx config on the same machine
|
||||||
|
*(the latter is not strictly required, but for simplicity we’ll assume so)*
|
||||||
|
* In this subdomain’s server block add
|
||||||
```
|
```
|
||||||
location /proxy {
|
location /proxy {
|
||||||
proxy_cache akkoma_media_cache;
|
proxy_cache akkoma_media_cache;
|
||||||
|
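Review bot: the new `location /proxy { return 404; }` step for the main server block is added without a reason, so an admin merging this into an existing config could drop it as dead configuration. Add one sentence saying it keeps proxied remote content from being served under the main domain. The parenthetical "(the latter is not strictly required ...)" is also ambiguous: it reads as if the subdomain itself were optional, when it presumably refers to hosting the proxy on the same machine. Spell out which part is optional.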
@ -26,9 +35,9 @@ config :pleroma, :media_proxy,
|
||||||
enabled: true,
|
enabled: true,
|
||||||
proxy_opts: [
|
proxy_opts: [
|
||||||
redirect_on_failure: true
|
redirect_on_failure: true
|
||||||
]
|
],
|
||||||
#base_url: "https://cache.akkoma.social"
|
base_url: "https://cache.akkoma.social"
|
||||||
```
|
```
|
||||||
If you want to use a subdomain to serve the files, uncomment `base_url`, change the url and add a comma after `true` in the previous line.
|
You **really** should use a subdomain to serve proxied files; while we will fix bugs resulting from this, serving arbitrary remote content on your main domain namespace is a significant attack surface.
|
||||||
|
|
||||||
* Restart nginx and Akkoma
|
* Restart nginx and Akkoma
|
||||||
|
|
|
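Review bot: the replacement sentence says you "**really** should" use a subdomain, but the `base_url` function in this commit reads the setting with `Config.get!([:media_proxy, :base_url])` outside the test environment, so the key is no longer optional. The docs should say that `base_url` must now be set explicitly and that the subdomain is the recommended value for it. The old sentence named the setting to change; the new one no longer mentions `base_url` at all, so a reader has to infer it from the example block.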
@ -14,6 +14,8 @@ defmodule Pleroma.Web.MediaProxy do
|
||||||
|
|
||||||
@cachex Pleroma.Config.get([:cachex, :provider], Cachex)
|
@cachex Pleroma.Config.get([:cachex, :provider], Cachex)
|
||||||
|
|
||||||
|
@mix_env Mix.env()
|
||||||
|
|
||||||
def cache_table, do: @cache_table
|
def cache_table, do: @cache_table
|
||||||
|
|
||||||
@spec in_banned_urls(String.t()) :: boolean()
|
@spec in_banned_urls(String.t()) :: boolean()
|
||||||
|
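Review bot: `@mix_env Mix.env()` is added without a comment. A short note that the value is captured at compile time (Mix is not available at runtime in a release) and that it exists only to select the test variant of `base_url` would stop a later reader from replacing it with a runtime `Mix.env()` call.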
@ -144,8 +146,14 @@ def filename(url_or_path) do
|
||||||
if path = URI.parse(url_or_path).path, do: Path.basename(path)
|
if path = URI.parse(url_or_path).path, do: Path.basename(path)
|
||||||
end
|
end
|
||||||
|
|
||||||
def base_url do
|
if @mix_env == :test do
|
||||||
Config.get([:media_proxy, :base_url], Endpoint.url())
|
def base_url do
|
||||||
|
Config.get([:media_proxy, :base_url], Endpoint.url())
|
||||||
|
end
|
||||||
|
else
|
||||||
|
def base_url do
|
||||||
|
Config.get!([:media_proxy, :base_url])
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp proxy_url(path, sig_base64, url_base64, filename) do
|
defp proxy_url(path, sig_base64, url_base64, filename) do
|
||||||
|
|
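Review bot: in the `else` branch, `Config.get!([:media_proxy, :base_url])` has no fallback, so an instance upgraded without `base_url` set will only fail when `base_url/0` is first called, not at startup. Consider validating the key during boot (or in the config deprecation checks) with an error message that points at the media proxy docs, so the operator sees the cause before any proxied URL is built. Note also that the test build keeps the `Endpoint.url()` default, which means the test suite never exercises the path production runs; a test that covers the unset case for the non-test definition would be worth adding.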