docs: real-ip (with or without cloudflare)
This commit is contained in: parent 2def4cd248, commit ee80cdb9cf

README.md (13)
							| @ -75,6 +75,7 @@ turn almost any device into a file server with resumable uploads/downloads using | ||||
|     * [themes](#themes) | ||||
|     * [complete examples](#complete-examples) | ||||
|     * [reverse-proxy](#reverse-proxy) - running copyparty next to other websites | ||||
|         * [real-ip](#real-ip) - teaching copyparty how to see client IPs | ||||
|     * [prometheus](#prometheus) - metrics/stats can be enabled | ||||
| * [packages](#packages) - the party might be closer than you think | ||||
|     * [arch package](#arch-package) - now [available on aur](https://aur.archlinux.org/packages/copyparty) maintained by [@icxes](https://github.com/icxes) | ||||
| @ -357,6 +358,9 @@ upgrade notes | ||||
| * firefox refuses to connect over https, saying "Secure Connection Failed" or "SEC_ERROR_BAD_SIGNATURE", but the usual button to "Accept the Risk and Continue" is not shown | ||||
|   * firefox has corrupted its certstore; fix this by exiting firefox, then find and delete the file named `cert9.db` somewhere in your firefox profile folder | ||||
| 
 | ||||
| * the server keeps saying `thank you for playing` when I try to access the website | ||||
|   * you've gotten banned for malicious traffic! if this happens by mistake, and you're running a reverse-proxy and/or something like cloudflare, see [real-ip](#real-ip) on how to fix this | ||||
| 
 | ||||
| * copyparty seems to think I am using http, even though the URL is https | ||||
|   * your reverse-proxy is not sending the `X-Forwarded-Proto: https` header; this could be because your reverse-proxy itself is confused. Ensure that none of the intermediates (such as cloudflare) are terminating https before the traffic hits your entrypoint | ||||
| 
 | ||||
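Review bot: the `thank you for playing` entry should state in half a sentence why a reverse-proxy matters here: copyparty sees the proxy's address instead of the client's, so one misbehaving client gets everybody banned. The real-ip link covers it, but a reader scanning the troubleshooting list benefits from the one-line cause before clicking through.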
| @ -1383,6 +1387,15 @@ example webserver configs: | ||||
| * [apache2 config](contrib/apache/copyparty.conf) -- location-based | ||||
| 
 | ||||
| 
 | ||||
| ### real-ip | ||||
| 
 | ||||
| teaching copyparty how to see client IPs  when running behind a reverse-proxy, or a WAF, or another protection service such as cloudflare | ||||
| 
 | ||||
| if you (and maybe everybody else) keep getting a message that says `thank you for playing`, then you've gotten banned for malicious traffic. This ban applies to the IP address that copyparty *thinks* identifies the shady client -- so, depending on your setup, you might have to tell copyparty where to find the correct IP | ||||
| 
 | ||||
| for most common setups, there should be a helpful message in the server-log explaining what to do, but see [docs/xff.md](docs/xff.md) if you want to learn more, including a quick hack to **just make it work** (which is **not** recommended, but hey...) | ||||
| 
 | ||||
| 
 | ||||
| ## prometheus | ||||
| 
 | ||||
| metrics/stats can be enabled  at URL `/.cpr/metrics` for grafana / prometheus / etc (openmetrics 1.0.0) | ||||
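Review bot: `a quick hack to **just make it work**` does not say what the hack does; since docs/xff.md shows it is disabling the `--ban-*` detectors, naming that here lets readers judge the trade-off before following the link. Minor: double space in `client IPs  when` on the section's first line.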
|  | ||||
| @ -11,6 +11,14 @@ | ||||
| # (5'000 requests per second, or 20gbps upload/download in parallel) | ||||
| # | ||||
| # on fedora/rhel, remember to setsebool -P httpd_can_network_connect 1 | ||||
| # | ||||
| # if you are behind cloudflare (or another protection service), | ||||
| # remember to reject all connections which are not coming from your | ||||
| # protection service -- for cloudflare in particular, you can | ||||
| # generate the list of permitted IP ranges like so: | ||||
| #   (curl -s https://www.cloudflare.com/ips-v{4,6} | sed 's/^/allow /; s/$/;/'; echo; echo "deny all;") > /etc/nginx/cloudflare-only.conf | ||||
| # | ||||
| # and then enable it below by uncomenting the cloudflare-only.conf line | ||||
| 
 | ||||
| upstream cpp { | ||||
| 	server 127.0.0.1:3923 fail_timeout=1s; | ||||
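Review bot: the generated allowlist is a point-in-time snapshot and cloudflare's published ranges change, so `cloudflare-only.conf` has to be regenerated (for example from a cron job, followed by an nginx reload) or the trailing `deny all;` will eventually reject traffic from newly added cloudflare edges; the comment should say so. The one-liner also uses `curl -s` without `-f`, so an HTTP error or empty response silently produces a file containing only `deny all;`, which locks everyone out; suggest `curl -sf` and checking the exit status before overwriting the file. Minor: `uncomenting` -> `uncommenting`.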
| @ -21,7 +29,10 @@ server { | ||||
| 	listen [::]:443 ssl; | ||||
| 
 | ||||
| 	server_name fs.example.com; | ||||
| 	 | ||||
| 
 | ||||
| 	# uncomment the following line to reject non-cloudflare connections, ensuring client IPs cannot be spoofed: | ||||
| 	#include /etc/nginx/cloudflare-only.conf; | ||||
| 
 | ||||
| 	location / { | ||||
| 		proxy_pass http://cpp; | ||||
| 		proxy_redirect off; | ||||
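Review bot: the comment on the `include` line promises that client IPs cannot be spoofed, but the allowlist only guarantees that the TCP connection comes from cloudflare; copyparty still has to take the address from a header cloudflare sets rather than one the client can supply, which is why docs/xff.md pairs this with `--xff-hdr=cf-connecting-ip`. Suggest the comment mention that pairing, e.g. `# ...and set --xff-hdr=cf-connecting-ip on the copyparty side`.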
|  | ||||
docs/xff.md (45) Normal file
							| @ -0,0 +1,45 @@ | ||||
| when running behind a reverse-proxy, or a WAF, or another protection service such as cloudflare: | ||||
| 
 | ||||
| if you (and maybe everybody else) keep getting a message that says `thank you for playing`, then you've gotten banned for malicious traffic. This ban applies to the IP-address that copyparty *thinks* identifies the shady client -- so, depending on your setup, you might have to tell copyparty where to find the correct IP | ||||
| 
 | ||||
| knowing the correct IP is also crucial for some other features, such as the unpost feature which lets you delete your own recent uploads -- but if everybody has the same IP, well... | ||||
| 
 | ||||
| ---- | ||||
| 
 | ||||
| for most common setups, there should be a helpful message in the server-log explaining what to do, something like `--xff-src=10.88.0.0/16` or `--xff-src=lan` to accept the `X-Forwarded-For` header from your reverse-proxy with a LAN IP of `10.88.x.y` | ||||
| 
 | ||||
| if you are behind cloudflare, it is recommended to also set `--xff-hdr=cf-connecting-ip` to use a more trustworthy source of info, but then it's also very important to ensure your reverse-proxy does not accept connections from anything BUT cloudflare; you can do this by generating an ip-address allowlist and reject all other connections | ||||
| 
 | ||||
| * if you are using nginx as your reverse-proxy, see the [example nginx config](https://github.com/9001/copyparty/blob/hovudstraum/contrib/nginx/copyparty.conf) on how the cloudflare allowlist can be done | ||||
| 
 | ||||
| ---- | ||||
| 
 | ||||
| the server-log will give recommendations in the form of commandline arguments; | ||||
| 
 | ||||
| to do the same thing using config files, take the options that are suggested in the serverlog and put them into the `[global]` section in your `copyparty.conf` like so: | ||||
| 
 | ||||
| ```yaml | ||||
| [global] | ||||
|   xff-src: lan | ||||
|   xff-hdr: cf-connecting-ip | ||||
| ``` | ||||
| 
 | ||||
| ---- | ||||
| 
 | ||||
| # but if you just want to get it working: | ||||
| 
 | ||||
| ...and don't care about security, you can optionally disable the bot-detectors, either by specifying commandline-args `--ban-404=no --ban-403=no --ban-422=no --ban-url=no --ban-pw=no` | ||||
| 
 | ||||
| or by adding these lines inside the `[global]` section in your `copyparty.conf`: | ||||
| 
 | ||||
| ```yaml | ||||
| [global] | ||||
|   ban-404: no | ||||
|   ban-403: no | ||||
|   ban-422: no | ||||
|   ban-url: no | ||||
|   ban-pw: no | ||||
| ``` | ||||
| 
 | ||||
| but remember that this will make other features insecure as well, such as unpost | ||||
| 
 | ||||
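Review bot: `--xff-src=lan` trusts `X-Forwarded-For` from any LAN address, so if anything other than the reverse-proxy can reach copyparty's port directly it can forge the client IP; the text should say that the specific CIDR of the proxy (the `10.88.0.0/16` form) is the tighter choice and `lan` is the convenience option. In the last section, `this will make other features insecure as well` reads as if disabling the ban detectors is what breaks unpost; the cause is that all clients still share the proxy's IP, so wording like `this only hides the symptom, and unpost stays insecure` would be more accurate. Minor: both config fences are tagged `yaml` while the content is the `[global]` section syntax of `copyparty.conf`; fine if that is the intended highlighter, otherwise tag them as plain text.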