From e7fbdb823f8fd6f5cbe8d5af6c9ba4ad1f357feb Mon Sep 17 00:00:00 2001 From: Jens Diemer Date: Mon, 3 Oct 2022 16:37:47 +0200 Subject: [PATCH 1/5] Update nginx.conf Set client_max_body_size to 5MB to fix #6 See "chunkSize" in https://github.com/psi-4ward/psitransfer/blob/master/app/src/Upload/store/upload.js --- conf/nginx.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index a5f3122..97d9d45 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -6,7 +6,10 @@ location __PATH__/ { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection upgrade; - + + # Must be at least as large as the chunk size of PsiTransfer. + client_max_body_size 5M; + # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; } From 4d2bf768d25b0f989c07fc4fdaee95c9e85bd6d5 Mon Sep 17 00:00:00 2001 From: Jens Diemer Date: Mon, 3 Oct 2022 16:39:41 +0200 Subject: [PATCH 2/5] Update systemd.service Fix https://github.com/YunoHost-Apps/psitransfer_ynh/issues/7 --- conf/systemd.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/systemd.service b/conf/systemd.service index 47b29b2..6eeda3f 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -1,5 +1,5 @@ [Unit] -Description=CryptPad is an encrypted PAD Creator +Description=__APP__ After=syslog.target After=network.target From 2363e70a0e35b7cc37b8e731085767484c81b465 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Wed, 20 Sep 2023 17:00:27 +0200 Subject: [PATCH 3/5] fix --- conf/app.src | 4 ++-- manifest.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/conf/app.src b/conf/app.src index aad4b30..c8e4ef7 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/psi-4ward/psitransfer/releases/download/v2.0.1/psitransfer-v2.0.1.tar.gz -SOURCE_SUM=6fe182de23e04f871405992d0109471469225541da8a701fdc27d7d73baebd77 +SOURCE_URL=https://github.com/psi-4ward/psitransfer/releases/download/v2.1.2/psitransfer-v2.1.2.tar.gz +SOURCE_SUM=cf960dcb2fc5cd6911397373e91b9237afd95fe34d4ad8270bfab7c2b2218459 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=false diff --git a/manifest.json b/manifest.json index bc0ff2b..e456718 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Transfer files or images without problem", "fr": "Transférer des fichiers sans soucis" }, - "version": "1.12.0~ynh1", + "version": "2.1.2~ynh1", "url": "https://psi.cx/tags/PsiTransfer/", "upstream": { "license": "BSD-2-Clause", @@ -21,7 +21,7 @@ "url": "https://github.com/frju365/psitransfer_ynh" }, "requirements": { - "yunohost": ">= 4.3.0" + "yunohost": ">= 11.2" }, "multi_instance": true, "services": [ From 5650bcc97be8a2e110befb2187a6440bf0129b59 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Wed, 20 Sep 2023 15:00:32 +0000 Subject: [PATCH 4/5] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c038e8c..2a34963 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ It's an alternative to paid services like Dropbox, WeTransfer. * Explicit named bucket IDs with query param `sid=` -**Shipped version:** 1.12.0~ynh1 +**Shipped version:** 2.1.2~ynh1 ## Screenshots diff --git a/README_fr.md b/README_fr.md index fd81345..a64f84c 100644 --- a/README_fr.md +++ b/README_fr.md @@ -34,7 +34,7 @@ It's an alternative to paid services like Dropbox, WeTransfer. * Explicit named bucket IDs with query param `sid=` -**Version incluse :** 1.12.0~ynh1 +**Version incluse :** 2.1.2~ynh1 ## Captures d’écran From e69dd5bc28217442f7001eeace6bb7f6b8848aa2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Wed, 20 Sep 2023 17:02:42 +0200 Subject: [PATCH 5/5] fix --- conf/nginx.conf | 1 + conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/conf/nginx.conf b/conf/nginx.conf index 97d9d45..fbddffd 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,5 +1,6 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { + proxy_pass http://localhost:__PORT__/; more_set_headers "X-Frame-Options: SAMEORIGIN"; proxy_set_header Host $host; diff --git a/conf/systemd.service b/conf/systemd.service index 6eeda3f..08f1f49 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -14,5 +14,39 @@ ExecStart=__YNH_NODE__ app.js StandardOutput=append:/var/log/__APP__/__APP__.log Restart=always +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target