Drop media proxy same-domain default for base_url
Even more than with user uploads, a same-domain proxy setup bears significant security risks due to serving untrusted content under the main domain space. A risky setup like that should never be the default.
parent 11ae8344eb
commit fc36b04016
2 changed files with 23 additions and 6 deletions
|
@ -6,7 +6,16 @@ With the `mediaproxy` function you can use nginx to cache this content, so users
|
|||
|
||||
## Activate it
|
||||
|
||||
* Edit your nginx config and add the following location:
|
||||
* Edit your nginx config and add the following location to your main server block:
|
||||
```
|
||||
location /proxy {
|
||||
return 404;
|
||||
}
|
||||
```
|
||||
|
||||
* Set up a subdomain for the proxy with its nginx config on the same machine
|
||||
*(the latter is not strictly required, but for simplicity we’ll assume so)*
|
||||
* In this subdomain’s server block add
|
||||
```
|
||||
location /proxy {
|
||||
proxy_cache akkoma_media_cache;
|
||||
|
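Review bot: The new `location /proxy { return 404; }` step for the main server block comes with no explanation, and the parenthetical "the latter is not strictly required" does not say what "the latter" refers to (presumably hosting the proxy on the same machine). Suggest adding one sentence saying the 404 block exists so that proxied media is never served from the main domain, and rewording the parenthetical to name the same-machine assumption explicitly.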
@ -26,9 +35,9 @@ config :pleroma, :media_proxy,
|
|||
enabled: true,
|
||||
proxy_opts: [
|
||||
redirect_on_failure: true
|
||||
]
|
||||
#base_url: "https://cache.akkoma.social"
|
||||
],
|
||||
base_url: "https://cache.akkoma.social"
|
||||
```
|
||||
If you want to use a subdomain to serve the files, uncomment `base_url`, change the url and add a comma after `true` in the previous line.
|
||||
You **really** should use a subdomain to serve proxied files; while we will fix bugs resulting from this, serving arbitrary remote content on your main domain namespace is a significant attack surface.
|
||||
|
||||
* Restart nginx and Akkoma
|
||||
|
|
|
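Review bot: The new paragraph after the config example says you "**really** should use a subdomain", but the `base_url` change in `Pleroma.Web.MediaProxy` further down reads the setting with `Config.get!` outside the test environment, so the key is now required rather than recommended. Suggest the text state that `base_url` must be set, and that serving proxied files from the main domain now takes an explicit decision to configure it that way. The example value `https://cache.akkoma.social` would also benefit from being marked as a placeholder to replace.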
@ -14,6 +14,8 @@ defmodule Pleroma.Web.MediaProxy do
|
|||
|
||||
@cachex Pleroma.Config.get([:cachex, :provider], Cachex)
|
||||
|
||||
@mix_env Mix.env()
|
||||
|
||||
def cache_table, do: @cache_table
|
||||
|
||||
@spec in_banned_urls(String.t()) :: boolean()
|
||||
|
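Review bot: `@mix_env Mix.env()` is added without a comment saying what it is for. Its only visible use is the compile-time branch around `base_url/0` later in the module; a one-line comment stating that, and that the value is captured at compile time because Mix is not available at runtime in a release, would keep a later reader from treating it as leftover debugging state.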
@ -144,8 +146,14 @@ defmodule Pleroma.Web.MediaProxy do
|
|||
if path = URI.parse(url_or_path).path, do: Path.basename(path)
|
||||
end
|
||||
|
||||
def base_url do
|
||||
Config.get([:media_proxy, :base_url], Endpoint.url())
|
||||
if @mix_env == :test do
|
||||
def base_url do
|
||||
Config.get([:media_proxy, :base_url], Endpoint.url())
|
||||
end
|
||||
else
|
||||
def base_url do
|
||||
Config.get!([:media_proxy, :base_url])
|
||||
end
|
||||
end
|
||||
|
||||
defp proxy_url(path, sig_base64, url_base64, filename) do
|
||||
|
|
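Review bot: In the non-test branch, `Config.get!([:media_proxy, :base_url])` is only evaluated when `base_url/0` is called, so an instance upgraded without the setting fails at the point a proxy URL is built rather than at startup. Suggest validating the key during boot when `:media_proxy` is enabled, with an error message that names the missing setting, and mentioning the new requirement in the changelog. Separately, the test branch keeps the `Endpoint.url()` fallback, so the suite never exercises the path production uses; setting `base_url` in the test config and dropping the `@mix_env` switch would leave a single definition to maintain.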