summaryrefslogtreecommitdiff
path: root/src/blog/a
diff options
context:
space:
mode:
authorDavid Luevano Alvarado <david@luevano.xyz>2023-08-20 03:50:09 -0600
committerDavid Luevano Alvarado <david@luevano.xyz>2023-08-20 03:50:09 -0600
commit758ea8188a9a35d73ebfb1b973462ffaf00c5757 (patch)
treeee9edfcb0f6daf071dde619a02f3ab2bf2d3c390 /src/blog/a
parent5911502c501c23a06c4663346ccc8d6d34e8cf9b (diff)
finish privatebin entry
Diffstat (limited to 'src/blog/a')
-rw-r--r--src/blog/a/pastebin_alt_with_privatebin.md326
1 files changed, 326 insertions, 0 deletions
diff --git a/src/blog/a/pastebin_alt_with_privatebin.md b/src/blog/a/pastebin_alt_with_privatebin.md
new file mode 100644
index 0000000..643b753
--- /dev/null
+++ b/src/blog/a/pastebin_alt_with_privatebin.md
@@ -0,0 +1,326 @@
+title: Set up a pastebin alternative with PrivateBin and YOURLS
+author: David Luévano
+lang: en
+summary: How to set up a pastebin alternative with PrivateBin and YOURLS as shortener, on Arch.
+tags: server
+ tools
+ code
+ tutorial
+ english
+
+I learned about PrivateBin a few weeks back and ever since I've been looking into installing it, along with a URL shortener (a service I wanted to self host since forever). It took me a while as I ran into some problems while experimenting and documenting all the necessary bits in here.
+
+My setup is exposed to the public, and as always is heavily based on previous entries as described in [Prerequisites](#Prerequisites). Descriptions on setting up MariaDB (preferred MySQL replacement for Arch) and PHP are written in this entry as this is the first time I've needed them.
+
+Everything here is performed in ==arch btw== and all commands should be run as root unless stated otherwise.
+
+# Table of contents
+
+[TOC]
+
+# Prerequisites
+
+If you want to expose to a (sub)domain, then similar to my early [tutorial](https://blog.luevano.xyz/tag/@tutorial.html) entries (specially the [website](https://blog.luevano.xyz/a/website_with_nginx.html) for the reverse proxy plus certificates):
+
+- `nginx` for the reverse proxy.
+- `certbot` for the SSL certificates.
+- `yay` to install AUR packages.
+ - I briefly mention how to install and use it on [Manga server with Komga: yay](https://blog.luevano.xyz/a/manga_server_with_komga.html#yay).
+- An **A** (and/or **AAAA**) or a **CNAME** for `privatebin` and `yourls` (or whatever you want to call them).
+
+# MariaDB
+
+[MariaDB](https://wiki.archlinux.org/title/MariaDB) is a drop-in replacement of [MySQL](https://wiki.archlinux.org/title/MySQL).
+
+Install the `mariadb` package:
+
+```sh
+pacman -S mariadb
+```
+
+Before starting/enabling the systemd service run:
+
+```sh
+mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
+```
+
+`start`/`enable` the `mariadb.service`:
+
+```sh
+systemctl start mariadb.service
+systemctl enable mariadb.service
+```
+
+Run and follow the secure installation script before proceding any further:
+
+```sh
+mariadb-secure-installation
+```
+
+Change the binding address so the service listens on `localhost` only by modifying `/etc/my.cnf.d/server.cnf`:
+
+```ini
+[mariadb]
+bind-address = localhost
+```
+
+## Create users/databases
+
+To use `mariadb` simply run the command and it will try to login with the corresponding linux user running it, for example for root. Else the general login command is:
+
+```sh
+mariadb -u <username> -p <database_name>
+```
+
+The `database_name` is optional. It will prompt a password input field.
+
+Using `mariadb` as root, create users with their respective database if needed with the following queries:
+
+```sql
+MariaDB> CREATE USER '<username>'@'localhost' IDENTIFIED BY '<password>';
+MariaDB> CREATE DATABASE <database_name>;
+MariaDB> GRANT ALL PRIVILEGES ON <database_name>.* TO '<username>'@'localhost';
+MariaDB> quit
+```
+
+The `database_name` will depend on how YOURLS and PrivateBin are configured, that is if the services use a separate database and/or table prefixes are used.
+
+# PHP
+
+[PHP](https://wiki.archlinux.org/title/PHP) is a general-purpose scripting language that is usually used for web development, which was supposed to be ass for a long time but it seems to be a misconseption from the *old times*.
+
+Install the `php`, `php-fpm`, `php-gd` packages:
+
+```sh
+pacman -S php php-fpm php-gd
+```
+
+`start`/`enable` the `php-fpm.service`:
+
+```sh
+systemctl start php-fpm.service
+systemctl enable php-fpm.service
+```
+
+## Configuration
+
+Only showing changes needed, main config file is located at `/etc/php/php.ini`, or drop-in files can be placed at `/etc/php/conf.d/` instead.
+
+Set timezone ([list of timezones](https://www.php.net/manual/en/timezones.php)):
+
+```ini
+date.timezone = Europe/Berlin
+```
+
+Enable the `gd` and `mysql` extensions:
+
+```ini
+extension=gd
+extension=pdo_mysql
+extension=mysqli
+```
+
+## Nginx
+
+Create a PHP specific config that can be reusable at `/etc/nginx/php_fastcgi.conf`:
+
+```nginx
+location ~ \.php$ {
+ # required for yourls
+ add_header Access-Control-Allow-Origin $http_origin;
+
+ # 404
+ try_files $fastcgi_script_name =404;
+
+ # default fastcgi_params
+ include fastcgi_params;
+
+ # fastcgi settings
+ fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_buffers 8 16k;
+ fastcgi_buffer_size 32k;
+
+ # fastcgi params
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ #fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
+}
+```
+
+This then can be imported by any `server` directive that needs it.
+
+# YOURLS
+
+[YOURLS](https://yourls.org/) is a self-hosted URL shortener that is supported by PrivateBin.
+
+Install from the AUR with `yay`:
+
+```sh
+yay -S yourls
+```
+
+Create a new user and database as described in [MariaDB: Create users/databases](#Create users/databases).
+
+## Configuration
+
+The default configuration file is self explanatory, it is located at `/etc/webapps/yourls/config.php`.
+
+Set the user/database YOURLS will use and either create a cookie or get one from [URL provided](http://yourls.org/cookie). It is important to change the `$yours_user_passwords` variable, YOURLS will hash the passwords on login so it is not stored in plaintext. Password hashing can be disabled with:
+
+```php
+define( 'YOURLS_NO_HASH_PASSWORD', true );
+```
+
+I also changed the "shortening method" to `62` to include more characters:
+
+```php
+define( 'YOURLS_URL_CONVERT', 62 );
+```
+
+Lastly, the `$yourls_reserved_URL` variable will need more blacklisted words depending on the use-case. `YOURLS_SITE` needs to match whatever is set in `nginx`.
+
+## Nginx
+
+Create a `yourls.conf` at the usual `sites-<available/enabled>` path for `nginx`:
+
+```nginx
+server {
+ listen 80;
+ root /usr/share/webapps/yourls/;
+ server_name short.yourdomain.com;
+ index index.php;
+
+ location / {
+ try_files $uri $uri/ /yourls-loader.php$is_args$args;
+ }
+
+ include /etc/nginx/php_fastcgi.conf;
+}
+```
+
+Make sure the following header is included in the `php`'s nginx location block described in [YOURLS: Nginx](#Nginx):
+
+```nginx
+add_header Access-Control-Allow-Origin $http_origin;
+```
+
+### SSL certificate
+
+Create/extend the certificate by running:
+
+```sh
+certbot --nginx
+```
+
+Restart the `nginx` service for changes to take effect:
+
+```sh
+systemctl restart nginx.service
+```
+
+# PrivateBin
+
+[PrivateBin](https://privatebin.info/) is a minimalist self-hosted alternative to [pastebin](https://pastebin.com/).
+
+Install from the AUR with `yay`:
+
+```sh
+yay -S privatebin
+```
+
+Create a new user and database as described in [MariaDB: Create users/databases](#Create users/databases).
+
+## Configuration
+
+This heavily depends on personal preference, all defaults are fine. Make a copy of the sample config template:
+
+```sh
+cp /etc/webapps/privatebin/conf.sample.php /etc/webapps/privatebin/conf.php
+```
+
+The most important changes needed are `basepath` according to the `privatebin` URL and the `[model]` and `[model_options]` to use MySQL instead of plain filesystem files:
+
+```php
+[model]
+; example of DB configuration for MySQL
+class = Database
+[model_options]
+dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+tbl = "privatebin_" ; table prefix
+usr = "privatebin"
+pwd = "<password>"
+opt[12] = true ; PDO::ATTR_PERSISTENT
+```
+
+Any other `[model]` or `[model_options]` needs to be commented out (for example, the default filesystem setting).
+
+### YOURLS integration
+
+I recommend creating a separate user for `privatebin` in `yourls` by modifying the `$yours_user_passwords` variable in `yourls` config file. Then login with this user and get the `signature` from the "Tools" section in the admin page, for more: [YOURLS: Passwordless API](https://yourls.org/docs/guide/advanced/passwordless-api).
+
+For a "private" `yourls` installation (that needs username/pasword), set `urlshortener`:
+
+```php
+urlshortener = "https://short.example.com/yourls-api.php?signature=xxxxxxxxxx&action=shorturl&format=json&url="
+```
+
+==Note that this will expose the `signature` in the HTTP requests and anybody with the signature can use it to shorten external URLs.==
+
+## Nginx
+
+To deny access to some bots/crawlers, PrivateBin provides a sample `.htaccess`, which is used in Apache. We need an Nginx version, which I found [here](https://gist.github.com/benediktg/948a70136e2104c8601da7d355061323).
+
+Add the following at the beginning of the `http` block of the `/etc/nginx/nginx.conf` file:
+
+```nginx
+http {
+ map $http_user_agent $pastebin_badagent {
+ ~*bot 1;
+ ~*spider 1;
+ ~*crawl 1;
+ ~https?:// 1;
+ WhatsApp 1;
+ SkypeUriPreview 1;
+ facebookexternalhit 1;
+ }
+
+ #...
+}
+```
+
+Create a `privatebin.conf` at the usual `sites-<available/enabled>` path for `nginx`:
+
+```nginx
+server {
+ listen 80;
+ root //usr/share/webapps/privatebin/;
+ server_name bin.yourdomain.com;
+ index index.php;
+
+ if ($pastebin_badagent) {
+ return 403;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ include /etc/nginx/php_fastcgi.conf;
+}
+```
+
+### SSL certificate
+
+Create/extend the certificate by running:
+
+```sh
+certbot --nginx
+```
+
+Restart the `nginx` service for changes to take effect:
+
+```sh
+systemctl restart nginx.service
+```
+