Restrict Upload using NGINX
Background
This is a neat and effective way to restrict paste uploading using NGINX without breaking anything and without modifying PrivateBin.
Approach
An authentication page is created using NGINX, which, if provided with the correct credentials, will set a cookie with a secret key. All POST requests to the server are restricted using NGINX and only allowed if this secret key is provided. This allows viewing pastes by anyone but not uploading.
Alternative methods/solutions are described in this FAQ question.
Setup
- Create your credentials file at:
/etc/nginx/.htpasswd. You can use the htpasswd tool, tutorial here. - Use the following NGINX configuration, make sure you replace
server_nameand configure HTTPS:Attention: The config listed on this page, was insecure for some time and was revised! Please update your configuration if you still use an insecure old version.
server {
server_name paste.example.com;
# update this path
root /usr/local/www/privatebin;
location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
expires 30d;
access_log off;
}
location ~ ^/(data|cfg|tmp) {
deny all;
}
location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
deny all;
}
location ~ /\. {
deny all;
}
location / {
limit_except GET HEAD {
auth_basic 'Restricted';
auth_basic_user_file /etc/nginx/.htpasswd;
}
try_files $uri $uri/ /index.php;
}
# this should be whatever you use with PHP
# check your php-fpm.conf files for the correct fastcgi_pass value
location ~ \.php$ {
limit_except GET HEAD {
auth_basic 'Restricted';
auth_basic_user_file /etc/nginx/.htpasswd;
}
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /usr/local/etc/nginx/fastcgi_params;
}
}