diff options
author | David Luevano Alvarado <david@luevano.xyz> | 2023-08-20 03:50:09 -0600 |
---|---|---|
committer | David Luevano Alvarado <david@luevano.xyz> | 2023-08-20 03:50:09 -0600 |
commit | 758ea8188a9a35d73ebfb1b973462ffaf00c5757 (patch) | |
tree | ee9edfcb0f6daf071dde619a02f3ab2bf2d3c390 /src/blog/a | |
parent | 5911502c501c23a06c4663346ccc8d6d34e8cf9b (diff) |
finish privatebin entry
Diffstat (limited to 'src/blog/a')
-rw-r--r-- | src/blog/a/pastebin_alt_with_privatebin.md | 326 |
1 files changed, 326 insertions, 0 deletions
diff --git a/src/blog/a/pastebin_alt_with_privatebin.md b/src/blog/a/pastebin_alt_with_privatebin.md new file mode 100644 index 0000000..643b753 --- /dev/null +++ b/src/blog/a/pastebin_alt_with_privatebin.md @@ -0,0 +1,326 @@ +title: Set up a pastebin alternative with PrivateBin and YOURLS +author: David Luévano +lang: en +summary: How to set up a pastebin alternative with PrivateBin and YOURLS as shortener, on Arch. +tags: server + tools + code + tutorial + english + +I learned about PrivateBin a few weeks back and ever since I've been looking into installing it, along with a URL shortener (a service I wanted to self host since forever). It took me a while as I ran into some problems while experimenting and documenting all the necessary bits in here. + +My setup is exposed to the public, and as always is heavily based on previous entries as described in [Prerequisites](#Prerequisites). Descriptions on setting up MariaDB (preferred MySQL replacement for Arch) and PHP are written in this entry as this is the first time I've needed them. + +Everything here is performed in ==arch btw== and all commands should be run as root unless stated otherwise. + +# Table of contents + +[TOC] + +# Prerequisites + +If you want to expose to a (sub)domain, then similar to my early [tutorial](https://blog.luevano.xyz/tag/@tutorial.html) entries (specially the [website](https://blog.luevano.xyz/a/website_with_nginx.html) for the reverse proxy plus certificates): + +- `nginx` for the reverse proxy. +- `certbot` for the SSL certificates. +- `yay` to install AUR packages. + - I briefly mention how to install and use it on [Manga server with Komga: yay](https://blog.luevano.xyz/a/manga_server_with_komga.html#yay). +- An **A** (and/or **AAAA**) or a **CNAME** for `privatebin` and `yourls` (or whatever you want to call them). + +# MariaDB + +[MariaDB](https://wiki.archlinux.org/title/MariaDB) is a drop-in replacement of [MySQL](https://wiki.archlinux.org/title/MySQL). + +Install the `mariadb` package: + +```sh +pacman -S mariadb +``` + +Before starting/enabling the systemd service run: + +```sh +mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql +``` + +`start`/`enable` the `mariadb.service`: + +```sh +systemctl start mariadb.service +systemctl enable mariadb.service +``` + +Run and follow the secure installation script before proceding any further: + +```sh +mariadb-secure-installation +``` + +Change the binding address so the service listens on `localhost` only by modifying `/etc/my.cnf.d/server.cnf`: + +```ini +[mariadb] +bind-address = localhost +``` + +## Create users/databases + +To use `mariadb` simply run the command and it will try to login with the corresponding linux user running it, for example for root. Else the general login command is: + +```sh +mariadb -u <username> -p <database_name> +``` + +The `database_name` is optional. It will prompt a password input field. + +Using `mariadb` as root, create users with their respective database if needed with the following queries: + +```sql +MariaDB> CREATE USER '<username>'@'localhost' IDENTIFIED BY '<password>'; +MariaDB> CREATE DATABASE <database_name>; +MariaDB> GRANT ALL PRIVILEGES ON <database_name>.* TO '<username>'@'localhost'; +MariaDB> quit +``` + +The `database_name` will depend on how YOURLS and PrivateBin are configured, that is if the services use a separate database and/or table prefixes are used. + +# PHP + +[PHP](https://wiki.archlinux.org/title/PHP) is a general-purpose scripting language that is usually used for web development, which was supposed to be ass for a long time but it seems to be a misconseption from the *old times*. + +Install the `php`, `php-fpm`, `php-gd` packages: + +```sh +pacman -S php php-fpm php-gd +``` + +`start`/`enable` the `php-fpm.service`: + +```sh +systemctl start php-fpm.service +systemctl enable php-fpm.service +``` + +## Configuration + +Only showing changes needed, main config file is located at `/etc/php/php.ini`, or drop-in files can be placed at `/etc/php/conf.d/` instead. + +Set timezone ([list of timezones](https://www.php.net/manual/en/timezones.php)): + +```ini +date.timezone = Europe/Berlin +``` + +Enable the `gd` and `mysql` extensions: + +```ini +extension=gd +extension=pdo_mysql +extension=mysqli +``` + +## Nginx + +Create a PHP specific config that can be reusable at `/etc/nginx/php_fastcgi.conf`: + +```nginx +location ~ \.php$ { + # required for yourls + add_header Access-Control-Allow-Origin $http_origin; + + # 404 + try_files $fastcgi_script_name =404; + + # default fastcgi_params + include fastcgi_params; + + # fastcgi settings + fastcgi_pass unix:/run/php-fpm/php-fpm.sock; + fastcgi_index index.php; + fastcgi_buffers 8 16k; + fastcgi_buffer_size 32k; + + # fastcgi params + fastcgi_param DOCUMENT_ROOT $realpath_root; + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + #fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/"; +} +``` + +This then can be imported by any `server` directive that needs it. + +# YOURLS + +[YOURLS](https://yourls.org/) is a self-hosted URL shortener that is supported by PrivateBin. + +Install from the AUR with `yay`: + +```sh +yay -S yourls +``` + +Create a new user and database as described in [MariaDB: Create users/databases](#Create users/databases). + +## Configuration + +The default configuration file is self explanatory, it is located at `/etc/webapps/yourls/config.php`. + +Set the user/database YOURLS will use and either create a cookie or get one from [URL provided](http://yourls.org/cookie). It is important to change the `$yours_user_passwords` variable, YOURLS will hash the passwords on login so it is not stored in plaintext. Password hashing can be disabled with: + +```php +define( 'YOURLS_NO_HASH_PASSWORD', true ); +``` + +I also changed the "shortening method" to `62` to include more characters: + +```php +define( 'YOURLS_URL_CONVERT', 62 ); +``` + +Lastly, the `$yourls_reserved_URL` variable will need more blacklisted words depending on the use-case. `YOURLS_SITE` needs to match whatever is set in `nginx`. + +## Nginx + +Create a `yourls.conf` at the usual `sites-<available/enabled>` path for `nginx`: + +```nginx +server { + listen 80; + root /usr/share/webapps/yourls/; + server_name short.yourdomain.com; + index index.php; + + location / { + try_files $uri $uri/ /yourls-loader.php$is_args$args; + } + + include /etc/nginx/php_fastcgi.conf; +} +``` + +Make sure the following header is included in the `php`'s nginx location block described in [YOURLS: Nginx](#Nginx): + +```nginx +add_header Access-Control-Allow-Origin $http_origin; +``` + +### SSL certificate + +Create/extend the certificate by running: + +```sh +certbot --nginx +``` + +Restart the `nginx` service for changes to take effect: + +```sh +systemctl restart nginx.service +``` + +# PrivateBin + +[PrivateBin](https://privatebin.info/) is a minimalist self-hosted alternative to [pastebin](https://pastebin.com/). + +Install from the AUR with `yay`: + +```sh +yay -S privatebin +``` + +Create a new user and database as described in [MariaDB: Create users/databases](#Create users/databases). + +## Configuration + +This heavily depends on personal preference, all defaults are fine. Make a copy of the sample config template: + +```sh +cp /etc/webapps/privatebin/conf.sample.php /etc/webapps/privatebin/conf.php +``` + +The most important changes needed are `basepath` according to the `privatebin` URL and the `[model]` and `[model_options]` to use MySQL instead of plain filesystem files: + +```php +[model] +; example of DB configuration for MySQL +class = Database +[model_options] +dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8" +tbl = "privatebin_" ; table prefix +usr = "privatebin" +pwd = "<password>" +opt[12] = true ; PDO::ATTR_PERSISTENT +``` + +Any other `[model]` or `[model_options]` needs to be commented out (for example, the default filesystem setting). + +### YOURLS integration + +I recommend creating a separate user for `privatebin` in `yourls` by modifying the `$yours_user_passwords` variable in `yourls` config file. Then login with this user and get the `signature` from the "Tools" section in the admin page, for more: [YOURLS: Passwordless API](https://yourls.org/docs/guide/advanced/passwordless-api). + +For a "private" `yourls` installation (that needs username/pasword), set `urlshortener`: + +```php +urlshortener = "https://short.example.com/yourls-api.php?signature=xxxxxxxxxx&action=shorturl&format=json&url=" +``` + +==Note that this will expose the `signature` in the HTTP requests and anybody with the signature can use it to shorten external URLs.== + +## Nginx + +To deny access to some bots/crawlers, PrivateBin provides a sample `.htaccess`, which is used in Apache. We need an Nginx version, which I found [here](https://gist.github.com/benediktg/948a70136e2104c8601da7d355061323). + +Add the following at the beginning of the `http` block of the `/etc/nginx/nginx.conf` file: + +```nginx +http { + map $http_user_agent $pastebin_badagent { + ~*bot 1; + ~*spider 1; + ~*crawl 1; + ~https?:// 1; + WhatsApp 1; + SkypeUriPreview 1; + facebookexternalhit 1; + } + + #... +} +``` + +Create a `privatebin.conf` at the usual `sites-<available/enabled>` path for `nginx`: + +```nginx +server { + listen 80; + root //usr/share/webapps/privatebin/; + server_name bin.yourdomain.com; + index index.php; + + if ($pastebin_badagent) { + return 403; + } + + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + + include /etc/nginx/php_fastcgi.conf; +} +``` + +### SSL certificate + +Create/extend the certificate by running: + +```sh +certbot --nginx +``` + +Restart the `nginx` service for changes to take effect: + +```sh +systemctl restart nginx.service +``` + |