on Nostr: lainy Alex Gleason anime graf mays 🛰️🪐 >Move your media and proxy to a ...
lainy (npub1wah…xc8t) Alex Gleason (npub108p…yev6) anime graf mays 🛰️🪐 (npub108z…dkr5) >Move your media and proxy to a subdomain
Yeah, I'm not doing that. There are six mirrors across different networks, all of which would need to have subdomains configured somehow, even the one that is a plain IPv6 without a domain (moving it to a different port like I did with bloat?). Old media would still dangle in the same dir unless you introduce more overhead by putting in redirects.
Speaking of media, here's my setup:
>mediaproxy is disabled as it doesn't play well with upstream proxies; the state of HTTP adapters in Erlang/Elixir is abysmal and you all know it
>nginx serves media directly from Pleroma's upload dir, bypassing Cowboy, Oban and other shit
>since nginx doesn't analyze file contents, it sends the MIME type corresponding to the extension, so you can't load a .js file uploaded as .txt because it'll be text/plain or octet-stream (don't remember if that's also the default Pleroma behavior or not)
>as for .js uploads themselves, they all return 403; that was one of the first things I did after the initial hack
So far I don't see how it can be exploited if there's no way to access any scripts that aren't part of the frontend, due to the basic 403, the CORS/CSP block on a subdomain, or otherwise.
Published at 2023-05-29 10:27:54
Event JSON
{
"id": "31b41c3797c9fc3e3e0e9157ea8ab1598e2a9c70b455c91fb3cd9cf3add6dfed",
"pubkey": "ec9dae9b3dc5951ac7d6cb7070d9c8bcf3998ed72fe4931906e6c7a5ead51ad8",
"created_at": 1685356074,
"kind": 1,
"tags": [
[
"p",
"776ed1a547e2693a2c964e4824d6306a11aa364cd9c798f3e1ccd638af3d3725",
"wss://relay.mostr.pub"
],
[
"p",
"79c2cae114ea28a981e7559b4fe7854a473521a8d22a66bbab9fa248eb820ff6",
"wss://relay.mostr.pub"
],
[
"p",
"79c4b3e2b1e7d8d74fa652cdc1dee37f9cd08fefdc13a79f8d1146c0b69fd1fb",
"wss://relay.mostr.pub"
],
[
"e",
"6182ca432e79ea7a2c7a9331b23bfb2e30b7b0e53afc27aa907f922390d9619c",
"wss://relay.mostr.pub",
"reply"
],
[
"mostr",
"https://ryona.agency/objects/3748bfbb-2b4c-4e76-9f91-d6801cf3c96f"
]
],
"content": "nostr:npub1wahdrf28uf5n5tykfeyzf43sdgg65djvm8re3ulpentr3teaxujs09xc8t nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 \u003eMove your media and proxy to a subdomain\nYeah I'm not doing that. There's six mirrors across different networks, all of which would need to have subdomains configured somehow, even the one that is a plain IPv6 without domain (moving it to different port like I did with bloat?). Old media would still dangle in the same dir unless you introduce more overhead by putting redirects.\nSpeaking of media, here's my setup:\n\u003emediaproxy is disabled as it doesn't play well with upstream proxies, the state of HTTP adapters in Erlang/Elixir is abysmal and you all know it\n\u003enginx serves media directly from Pleroma's upload dir, bypassing Cowboy, Oban and other shit\n\u003esince nginx doesn't analyze file contents, it sends the MIME type that is corresponding to extension, so you can't load js file uploaded as txt because it'll be text/plain or octet-stream (don't remember if that's also a default pleroma behavior or not)\n\u003eas for .js uploads themselves, they all return 403, that was one of the first things I did after the initial hack\nSo far I don't see how it can be exploited if there's no way to access any scripts that aren't part of frontend, due to the basic 403, CORS/CSP block on subdomain or otherwise.",
"sig": "4ea3bec5b303f20818347f89c9075d4524cc1d53270b9ca1a5d2b81dd787f1c64225c6bc0e89ed3932128860a1855591d32822f11da3d568d00c8cf90d6229f9"
}
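The post describes nginx serving Pleroma's upload directory directly, deriving the MIME type from the file extension and returning 403 for .js. The snippet below is an added example of that setup, written for this page; it is not the poster's config and not Pleroma's own. It assumes the upload dir is /var/lib/pleroma/uploads and that uploads are served under /media/ (both are assumptions; set them to match the instance). It goes one step past the post in two ways a practitioner would want: the deny list covers the other extensions that render as a document with script in the main origin (.html, .xhtml, .svg, .xml), and the MIME table is replaced with a short allowlist so that any extension not on it is served as application/octet-stream rather than whatever the global mime.types says. Because the rules key on the extension of the file as stored, they apply to old media already sitting in the same dir, which is the concern raised about moving to a subdomain.

```nginx
# Added example, not the poster's or Pleroma's own config.
# Assumed paths: upload dir /var/lib/pleroma/uploads, URL prefix /media/.
location /media/ {
    alias /var/lib/pleroma/uploads/;

    # Deny anything whose extension would make a browser treat the file as
    # script or as a document that can carry script, regardless of contents.
    # Matches old uploads too, since it keys on the stored filename.
    location ~* \.(js|mjs|html?|xhtml|xml|svg|swf)$ {
        return 403;
    }

    # nginx never inspects file contents: the type comes from this table only.
    # Replacing the global mime.types with an allowlist means a .txt, .csv or
    # unknown extension can never be promoted to something a browser executes.
    types {
        image/jpeg  jpg jpeg;
        image/png   png;
        image/gif   gif;
        image/webp  webp;
        video/mp4   mp4;
        video/webm  webm;
        audio/mpeg  mp3;
        audio/ogg   ogg oga;
    }
    default_type application/octet-stream;

    # Stop browsers from sniffing a different type out of the bytes, and
    # sandbox anything that still ends up rendered as a document.
    add_header X-Content-Type-Options nosniff always;
    add_header Content-Security-Policy "sandbox; default-src 'none'" always;

    # Uploads are content-addressed by Pleroma, so long caching is safe.
    add_header Cache-Control "public, max-age=31536000, immutable";
}
```

Trade-off to note: denying .svg breaks SVG attachments, which Pleroma's default upload allowlist permits; if those are wanted, keep them out of the 403 list but still serve them with the sandbox CSP above, since an SVG opened top-level runs its script in the serving origin. The `add_header` lines live in the outer location so the nested 403 location inherits them; adding any `add_header` inside the nested block would replace the inherited set, which is an easy way to lose `nosniff` without noticing.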