Hello/Hi/Greetings,
I'm a new user with Piwigo and loving it so far!!! The only thing I have a question about so far is that if you take the direct link of a picture, it is public to anyone with that direct link, even though the albums are marked as visible to "Admins and Family".
Is there a way to stop that?
Piwigo version: 2.9.3
PHP version: 7.1.17
MySQL version: 5.5.5-10.1.34-MariaDB-1~xenial
Offline
can you give an example?
Offline
Well, if you right-click on any picture and copy the image address, then go to another browser or incognito mode and paste it, the picture that is supposed to be visible only to certain groups is visible to everyone.
URL would look like this:
https://<sitename>/upload/<year>/<month>/<day>/<image name>
It looks like Piwigo is limiting this in the frontend UI, but not really in the backend. Even though I've disabled right-clicking so no one can get the direct link, that doesn't mean people with harmful intent wouldn't attempt to scan the upload directory.
Offline
Take a closer look at the image names.
Offline
You could use $conf['derivative_url_style']=2, which proxies everything through i.php, and block direct access to /_data/i and /upload.
It requires some configuration:
https://piwigo.org/forum/viewtopic.php? … 98#p162898
https://kuther.net/blog/host-your-own-p … -and-nginx
Offline
teekay - That is good news!
Unfortunately, I'm having issues starting nginx now. I'm not familiar enough with nginx to really know what's going on, but here are my errors:
nginx: [emerg] "location" directive is not allowed here in /config/nginx/nginx.conf:59
nginx: [emerg] "location" directive is not allowed here in /config/nginx/nginx.conf:59
nginx: [emerg] "location" directive is not allowed here in /config/nginx/nginx.conf:59
And below is my nginx.conf. I am using Docker, but I don't believe that should make any difference. Also, I'm using Traefik to handle reverse proxying and SSL.
user abc;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    client_max_body_size 0;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    #location = /robots.txt {
    #    allow all;
    #    log_not_found off;
    #    access_log off;
    #}

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # piwigo distribution files
    location ~ ^/(README|doc)$ {
        deny all;
    }

    # prevent direct access to uploaded images, derivatives and logs
    location ~ ^/(_data/(i|logs)|upload)/ {
        deny all;
    }

    location / {
        index index.php;
        try_files $uri $uri/ @rewrite;
    }

    location @rewrite {
        rewrite ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite ^/index((/|$).*)$ /index.php$1 last;
        rewrite ^/i((/|$).*)$ /i.php$1 last;
    }

    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        try_files $script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # prevent any hotlinks and direct access to alias URIs (/i/upload/...)
    # which are not from Piwigo itself (happens when exporting from Lightroom via ws.php)
    # this section needs to go _after_ the php handler, no idea why.
    set $check_referal "";
    # very restrictive
    valid_referers *.domain.tld;
    # if you want google etc to be able to show your images:
    #valid_referers ~google\.com ~bing\.com *.domain.tld
    if ($invalid_referer) {
        set $check_referal "invalid";
    }
    if ($http_user_agent !~ "Piwigo") {
        set $check_referal "${check_referal}+not_piwigo";
    }
    location ~* \.(gif|png|jpe?g)$ {
        if ($check_referal = "invalid+not_piwigo") {
            return 403;
        }
        try_files $uri $uri/ @rewrite;
    }

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##
    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}

daemon off;
Last edited by yyaghi (2018-06-29 02:21:13)
Offline
All those Piwigo-specific location rules etc. need to go into a server { ... } block.
Offline
Hmm, it didn't like that.
I'm getting the following error:
nginx: [emerg] "server" directive is not allowed here in /config/nginx/nginx.conf:76
I am running this in a Docker container; I don't think it would really make a difference. I'm running the linuxserver/piwigo version since I didn't see an "official" version.
This is my "new" nginx.conf file:
user abc;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    client_max_body_size 0;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##
    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;
}

server {
    client_max_body_size 500m;
    client_body_buffer_size 100m;

    location ~ ^/favicon.ico$ {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # Deny Piwigo distribution files
    location ~ ^/(README|doc)$ {
        deny all;
    }

    # Deny hidden dot files
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Prevent direct access to Piwigo images and logs on filesystem
    location ~ ^/(_data/(i|logs)|upload)/ {
        return 403;
    }

    # the @rewrite is required when using
    # $conf['question_mark_in_urls'] = false;
    # $conf['php_extension_in_urls'] = false;
    #
    location / {
        index index.php;
        try_files $uri $uri/ @rewrite;
    }

    location @rewrite {
        rewrite ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite ^/index((/|$).*)$ /index.php$1 last;
        rewrite ^/i((/|$).*)$ /i.php$1 last;
        # for piwigo-openstreetmap
        rewrite ^/osmmap((/|$).*)$ /osmmap.php$1 last;
    }

    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        try_files $script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    ### Prevent hotlinks - this section needs to be _after_ the php handler above
    #
    # When uploading images via ws.php (e.g. from Lightroom), there are requests from Piwigo
    # itself to /i/upload using the server's own IP and "Piwigo" user agent. We need to allow those
    ###

    # Only the site's own URL is a valid referer.
    # Empty referers and others like google etc are invalid, see Nginx docs for more info
    valid_referers gallery.domain.tld;

    # initialize empty variable
    set $check_referal "";

    # if referer is not our own hostname, set variable's value to "invalid"
    if ($invalid_referer) {
        set $check_referal "invalid";
    }

    # if the user agent is not "Piwigo", append "not_piwigo" to the value
    if ($http_user_agent !~ "Piwigo") {
        set $check_referal "${check_referal}+not_piwigo";
    }

    # Now, for all images, test if referer is invalid and user agent is not piwigo
    # If so, block the request
    location ~* \.(gif|png|jpe?g)$ {
        if ($check_referal = "invalid+not_piwigo") {
            return 403;
        }
        try_files $uri $uri/ @rewrite;
    }
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}

daemon off;
Offline
The server block needs to be inside the http block. If this is using the standard nginx image, you'd need to override conf.d/default.conf, not the whole nginx.conf.
Offline
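A minimal site config that applies teekay's two points (the Piwigo location rules inside a server block, and that server block living inside http by way of an included file rather than at the top level of nginx.conf), together with the /upload and /_data/i block from the earlier posts. This is an added example, not a config from the thread or from Piwigo; the hostname, document root and php-fpm address are placeholders, and the file is assumed to sit where nginx.conf already includes it (conf.d/default.conf, or a file under /config/nginx/site-confs/ for the posted nginx.conf).

```nginx
# Added example: a stand-alone server block for Piwigo. Put it in a file that the
# main nginx.conf already pulls in under http { ... }, never at the top level.
server {
    listen 80;
    server_name gallery.example.com;   # placeholder
    root /config/www/gallery;          # placeholder: Piwigo install directory
    index index.php;

    # Originals, the derivative cache and logs are never served by nginx directly.
    # With $conf['derivative_url_style']=2 in Piwigo's local config, derivative URLs
    # go through i.php instead, so this rule only closes the direct file paths.
    location ~ ^/(_data/(i|logs)|upload)/ {
        return 403;
    }

    # Piwigo distribution files and dot files
    location ~ ^/(README|doc)$ { deny all; }
    location ~ /\. { deny all; access_log off; log_not_found off; }

    # Pretty URLs ($conf['question_mark_in_urls'] / ['php_extension_in_urls'] = false)
    location / {
        try_files $uri $uri/ @rewrite;
    }
    location @rewrite {
        rewrite ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite ^/index((/|$).*)$ /index.php$1 last;
        rewrite ^/i((/|$).*)$ /i.php$1 last;
    }

    # PHP handler; PATH_INFO is what lets /i.php/upload/... reach i.php
    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        try_files $script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;   # placeholder: php-fpm address
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$script_name;
    }
}
```

Run `nginx -t` before reloading to catch the nesting errors seen above; afterwards a request for a path under /upload/ should return 403 while gallery pages and their thumbnails still load.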
So, your tip about the default file was perfect! No server errors being thrown now...but now all pictures are like this:
Offline
Did you configure the $conf... settings for Piwigo, too?
Offline
yyaghi wrote:
URL would look like this:
https://<sitename>/upload/<year>/<month>/<day>/<image name>
This is a common pattern for photo gallery software (e.g. Flickr does a similar thing, albeit with a different URL structure). The security is all based on the idea that the <image name> is not guessable. You're right, someone could try to iterate through the directories, but there is an 8-character random string in each filename, which makes it hard.
Offline
That's what I was getting at. The security is good enough for most people. It's a sharing program, not a vault.
Offline
teekay - I need to check that again. The servers are down right now for maint.
samwilson & executive - Actually, the file names are the names that are uploaded originally. No deviation or anything. I'll double-check tomorrow, but that's why I was like... I need to close this up.
Offline
If you are using the web upload, the file name has a randomized number.
Offline