filestash icon indicating copy to clipboard operation
filestash copied to clipboard

Published 20 hours ago • verified publisher icon mickael-kerjean

Question about serving publicly shared files when access controling with NGINX

Open fredrikburmester opened this issue 2 years ago • 6 comments

I am using Filestash behind an NGINX reverse proxy with LDAP. This means that public shares in Filestash are unavailable to users not authenticated with LDAP.

I would like a way for unauthenticated users to access publicly shared links. Right now, I've allowed NGINX access to the necessary files when opening a shared link. The files necessary for this are the /s folder, one CSS files, some JS files, the /api folder and the /assets folder.

location ~ /(s|custom.css|xdg-open.js|app(.*)\.js|favicon.ico|api|assets) {
    ...
}

This is a workaround. It would be fantastic if all necessary content were served from /s since we would only need to allow that path.

Is it possible to do this a better way? Thank you in advance!

fredrikburmester avatar Nov 11 '22 16:11 fredrikburmester

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 18 '23 14:06 stale[bot]

This is a great idea and I was just looking into something similar myself.

johnmmcgee avatar Nov 21 '23 03:11 johnmmcgee

I am using Filestash behind an NGINX reverse proxy with LDAP. This means that public shares in Filestash are unavailable to users not authenticated with LDAP.

I would like a way for unauthenticated users to access publicly shared links. Right now, I've allowed NGINX access to the necessary files when opening a shared link. The files necessary for this are the /s folder, one CSS files, some JS files, the /api folder and the /assets folder.

location ~ /(s|custom.css|xdg-open.js|app(.*)\.js|favicon.ico|api|assets) {
    ...
}

This is a workaround. It would be fantastic if all necessary content were served from /s since we would only need to allow that path.

Is it possible to do this a better way? Thank you in advance!

The configuration you posted currently works for you under nginx to forward shared links?

johnmmcgee avatar Nov 24 '23 00:11 johnmmcgee

@johnmmcgee It did, but I did not test it thoroughly. I am also not using it this way anymore so I can't speak to if it still works.

fredrikburmester avatar Nov 24 '23 05:11 fredrikburmester

Ya i setup something similar, but it doesn't seem to be working. Its unfortunate that the documentation for this project is pretty nonexistent.

johnmmcgee avatar Nov 24 '23 13:11 johnmmcgee

Why not only have the /login and /api/session/auth paths restricted? Other paths should be fine to expose.

sevmonster avatar Feb 08 '24 20:02 sevmonster