rugk 2017-12-25 12:57:34 +01:00
commit 78ebda2505
No known key found for this signature in database
GPG Key ID: 05D40A636AFAB34D
4 changed files with 108 additions and 73 deletions

44
FAQ.md

@ -21,7 +21,7 @@ Please have a look at these questions *before* opening an issue in this repo.
* [How to make PrivateBin work on my Android phone with data saver mode?](#user-content-how-to-make-privatebin-work-on-my-android-phone-with-data-saver-mode)
* [How to make PrivateBin work when using Cloudflare for DDoS protection?](#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection)
* [How to make PrivateBin work when I have changed some JavaScript files?](#user-content-how-to-make-privatebin-work-when-i-have-changed-some-javascript-files)
* [What are the recommended file and folder permissions for Privatebin?](#what-are-the-recommended-file-and-folder-permissions-for-privatebin)
## General
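Review bot: the new table-of-contents entry in this hunk links to `#what-are-the-recommended-file-and-folder-permissions-for-privatebin`, while the three entries directly above it use the `#user-content-...` anchor form; pick one form so all FAQ links resolve the same way. The new title also spells the project "Privatebin" where the rest of the page writes "PrivateBin"; the same spelling appears in the new section heading further down and should be fixed in both places.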
@ -204,10 +204,48 @@ More details on Google Chromes Data Saver mode on Android can be found at [Googl
### How to make PrivateBin work when using Cloudflare for DDoS protection?
Cloudflare works as a reverse proxy in front of your webserver. Apart from protecting your site against DDoS it acts as a man-in-the-middle even for HTTPS sites and by default tries to optimize your site for faster loading. Part of that optimization (currently) breaks our [SRI](https://scotthelme.co.uk/subresource-integrity/) used to ensure that your JS files don't get modified (actually it works as intended as Cloudflare _does_ modify them). It has been reported that disabling the "rocket loader" feature in Cloudflare solves this issue.
Cloudflare works as a reverse proxy in front of your webserver. Apart from protecting your site against DDoS it acts as a man-in-the-middle even for HTTPS sites and by default tries to optimize your site for faster loading. Part of that optimization (currently) breaks our [SRI](https://scotthelme.co.uk/subresource-integrity/) used to ensure that your JS files don't get modified (actually it works as intended as Cloudflare _does_ modify them). It has been reported that disabling the "rocket loader" feature in Cloudflare solves this issue. If you don't want to disable "Rocket Loader" site wide, then you can disable it on a per page basis by adding the "Disable Performance" rule to that page only, this will turn off "Minification, Rocket Loader, Mirage and Polish".
Similarly, if you encounter problems with `email-decode.min.js` you've enabled "email obfuscation" for your site in Cloudflare. In that case you will need to create a page rule for your PrivateBin URL to disable "email obfuscation".
### How to make PrivateBin work when I have changed some JavaScript files?
When changing the JS files (or adding new ones) you need to [regenerate the SRI hashes](https://github.com/PrivateBin/PrivateBin/wiki/Development#subresource-integrity-for-javascript-resources) in your template, so that they match the updated files.
If you didn't change the JS files intentionally, there might be someone/something interfering with these files. Most likely this is a (reverse) proxy, such as Cloudflare, certain VPNs, data saver modes in your client, etc. Try to use it from a different internet connection and a different device to figure out what is manipulating the files and if you can disable/circumvent it.
If you didn't change the JS files intentionally, there might be someone/something interfering with these files. Most likely this is a (reverse) proxy, such as Cloudflare, certain VPNs, data saver modes in your client, etc. Try to use it from a different internet connection and a different device to figure out what is manipulating the files and if you can disable/circumvent it.
### What are the recommended file and folder permissions for Privatebin?
Depending on your setup, the PHP process may run under a different user then the web server. Here are a few common setup scenarios:
1. "Classic" Apache web server with mod_php - In this case PHP scripts are run as child-processes of the apache server and as the same user as the apache server. Since there is only one user in this scenario that needs access, one could go with just owner level permissions (0600 instead of 0640 for example).
2. Any webserver, PHP runs as (fast)cgi or PHP-FPM (fast process manager) process - here the webserver and PHP may run in separate users. This is very common on shared hosters, where each customers PHP scripts are run in their own user, so that they can't read other customers files, etc. For this setup to work, the owner needs to be set to the same as the php process (usually not something that you can change on a share hoster) and the group needs to be set to a group the web servers user is in.
The permissions need to look like this:
* Directories: 0550 (read-only for owner and group, not accessible for others)
* Data directory: 0750 (writeable for owner, read-only for group, not accessible for others)
* Files: 0640 (writeable for owner, read-only for group, not accessible for others), created files get these permissions automatically
For most setups it is also possible to use the following script. Make sure to edit the users and folders where necessary.
```sh
#!/bin/sh
pbpath='/var/www/privatebin'
pbdata='/var/www/privatebin/data'
# htuser='www-data' (unused)
htgroup='www-data'
rootuser='root'
echo "[chmod] files and directories"
find "${pbpath}/" -type f -print0 | xargs -0 chmod 0640
find "${pbpath}/" -type d -print0 | xargs -0 chmod 0550
find "${pbdata}/" -type f -print0 | xargs -0 chmod 0640
find "${pbdata}/" -type d -print0 | xargs -0 chmod 0750
echo "[chown] Directories"
chown -R ${rootuser}:${htgroup} "${pbpath}/"
```
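Review bot: the permissions script in this hunk contradicts the prose above it. The final `chown -R ${rootuser}:${htgroup} "${pbpath}/"` makes root the owner of the whole tree, including `data/`, and the data directory is set to `0750`, so the PHP process (a member of `htgroup`, but not the owner) gets read-only access and cannot create pastes; scenario 2 explicitly says "the owner needs to be set to the same as the php process", and scenario 1 has the same problem with mod_php. The commented-out `htuser='www-data' (unused)` looks like the variable that was meant for this, e.g. `chown -R ${htuser}:${htgroup} "${pbdata}/"` after the root chown, with the variables quoted. Minor wording in the same hunk: "a different user then the web server" should read "than", "share hoster" should read "shared hoster", and "each customers PHP scripts" needs the possessive "customers'".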

@ -1,14 +1,13 @@
**TL;DR:** Download the
[latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest)
and extract it in your web hosts folder where you want to install your PrivateBin
instance. We try to provide a safe default configuration, but we advise you to
check the options and adjust them as you see fit.
instance. We try to provide a mostly safe default configuration, but we urge you to
check the [security section](#hardening-and-security) below and the [configuration
options](#configuration) to adjust as you see fit.
**NOTE:** See [our FAQ](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-can-i-securely-clonedownload-your-project) for information how to securely download the PrivateBin release files.
## Basic installation
### Requirements
### Minimal requirements
- PHP version 5.4 or above
- _one_ of the following sources of cryptographically safe randomness is required:
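Review bot: the NOTE line in this hunk reads "for information how to securely download"; it should be "for information on how to securely download". The new TL;DR wording "mostly safe default configuration" reads as hedging; if the intent is to push readers to the hardening section, "reasonably safe" or simply "safe" with the pointer to the section below says the same thing more clearly.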
@ -20,37 +19,11 @@ check the options and adjust them as you see fit.
Mcrypt needs to be able to access `/dev/urandom`. This means if `open_basedir` is set, it must include this file.
- GD extension
- some disk space or (optional) a database supported by [PDO](https://secure.php.net/manual/book.pdo.php)
- ability to create files and folders in the installation directory and the PATH
- some disk space or (optionally) a database supported by [PDO](https://secure.php.net/manual/book.pdo.php)
- ability to create files and folders in the installation directory and the PATH defined in index.php
- A web browser with javascript support
### Configuration
In the file `cfg/conf.ini` you can configure PrivateBin. A `cfg/conf.ini.sample`
is provided containing all options and default values. You can copy it to
`cfg/conf.ini` and adapt it as needed. The config file is divided into multiple
sections, which are enclosed in square brackets.
In the `[main]` section you can enable or disable the discussion feature, set
the limit of stored pastes and comments in bytes. The `[traffic]` section lets
you set a time limit in seconds. Users may not post more often then this limit
to your PrivateBin installation.
More details can be found in the
[configuration documentation](https://github.com/PrivateBin/PrivateBin/wiki/Configuration).
## Further configuration
After (or before) setting up PrivateBin, also set up HTTPS, as without HTTPS
PrivateBin is not secure. (
[More information](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https))
If you want to use PrivateBin behind Cloudflare, make sure you disabled Rocket
loader and unchecked "Javascript" for Auto Minify, found in your domain settings,
under "Speed". (More information
[in this FAQ entry](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection))
## Advanced installation
## Hardening and security
### Changing the path
@ -75,6 +48,35 @@ process (see also
> PrivateBin will look for your includes / data here:
> /home/example.com/secret/privatebin
### Transport security
When setting up PrivateBin, also set up HTTPS, if you haven't already. Without HTTPS
PrivateBin is not secure, as the javascript files could be manipulated during transmission.
For more information on this, see our [FAQ entry on HTTPS setup](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https).
### File-level permissions
After completing the installation, you should make sure, other users on the system cannot read the config file or the `data/` directory, as depending on your configuration potential secret information are saved there.
See [this FAQ item](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-the-recommended-file-and-folder-permissions-for-privatebin) for a detailed guide on how to "harden" the permissions of files and folders.
## Configuration
In the file `cfg/conf.php` you can configure PrivateBin. A `cfg/conf.sample.php`
is provided containing all options and default values. You can copy it to
`cfg/conf.php` and adapt it as needed. The config file is divided into multiple
sections, which are enclosed in square brackets.
In the `[main]` section you can enable or disable the discussion feature, set
the limit of stored pastes and comments in bytes. The `[traffic]` section lets
you set a time limit in seconds. Users may not post more often then this limit
to your PrivateBin installation.
More details can be found in the
[configuration documentation](https://github.com/PrivateBin/PrivateBin/wiki/Configuration).
## Advanced installation
### Web server configuration
A `robots.txt` file is provided in the root dir of PrivateBin. It disallows all
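Review bot: the Configuration section moved here is not a pure move. The removed text earlier in the diff referred to `cfg/conf.ini` and `cfg/conf.ini.sample`, while the re-added text refers to `cfg/conf.php` and `cfg/conf.sample.php`; since the file names are what an administrator will actually type, please confirm they match what the 1.1 release ships and mention the rename explicitly rather than folding it into a section move. Grammar in the new File-level permissions paragraph: "you should make sure, other users on the system cannot read the config file or the `data/` directory, as depending on your configuration potential secret information are saved there" should read "you should make sure that other users on the system cannot read the config file or the `data/` directory, since depending on your configuration potentially secret information is saved there". Also "javascript files" in the Transport security paragraph should be "JavaScript files", and "more often then this limit" should be "more often than this limit".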
@ -88,6 +90,13 @@ some known robots and link-scanning bots. If you use Apache, you can rename the
file to `.htaccess` to enable this feature. If you use another webserver, you
have to configure it manually to do the same.
### When using Cloudflare
If you want to use PrivateBin behind Cloudflare, make sure you have disabled the Rocket
loader and unchecked "Javascript" for Auto Minify, found in your domain settings,
under "Speed". (More information
[in this FAQ entry](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection))
### Using a database instead of flat files
In the configuration file the `[model]` and `[model_options]` sections let you
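Review bot: the Cloudflare advice in this hunk and in the FAQ hunk above should agree. The FAQ says disabling "Rocket Loader" has been reported to be sufficient and adds the per-page "Disable Performance" rule and the "email obfuscation" page rule, while this section additionally requires unchecking "Javascript" under Auto Minify and does not mention email obfuscation at all. Either keep this section to a one-sentence pointer at the FAQ entry it already links, or list the same set of settings in both places. Also write "Rocket Loader" (capitalised, as the FAQ does) instead of "Rocket\nloader".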
@ -150,4 +159,4 @@ CREATE TABLE prefix_config (
INSERT INTO prefix_config VALUES('VERSION', '1.1');
```
In PostgreSQL the attachment column needs to be TEXT and not BLOB or MEDIUMBLOB.
In PostgreSQL, the attachment column needs to be TEXT and not BLOB or MEDIUMBLOB.

@ -4,36 +4,43 @@ Need a server to paste your texts? Here is a list of URLs to choose from (in not
URL | forced HTTPS | file upload | other
----|:------------:|:-----------:|------
https://snip.dssr.ch | :white_check_mark: | :white_check_mark:
https://pasteit.se | :white_large_square: | :white_large_square: | darkstrap theme, Let's Encrypt SSL
https://paste.itworx-solutions.at/ | :white_check_mark: | :white_check_mark: | Let's Encrypt SSL
https://pb.nwsec.de | :white_check_mark: | :white_large_square: | Let's Encrypt SSL, A rated on SSL Labs, A rated on securityheaders.io
https://privatebin.net | :white_check_mark: | :white_large_square:
https://p.dousse.eu | :white_check_mark: | :white_check_mark: | No IP Logs, Let's Encrypt SSL, A+ rated on SSL Labs, A rated on securityheaders.io
https://snip.dssr.ch | :white_check_mark: | :white_check_mark:
https://p.dousse.eu | :white_check_mark: | :white_check_mark: | No IP Logs, Let's Encrypt SSL, A+ rated on SSL Labs, A+ rated on securityheaders.io
https://paste.unixcorn.org | :white_check_mark: | :white_large_square: | French / Français
https://wtf.roflcopter.fr/paste/ | :white_check_mark: | :white_large_square:
https://paste.biocrafting.net | :white_check_mark: | :white_large_square: | No IP Logs, Let's Encrypt SSL, HPKP, HSTS (preload)
https://paste.imirhil.fr | :white_check_mark: | :white_large_square: | No IP Logs, Let's Encrypt SSL, HPKP, HSTS (preload), CAA, DNSSec, DANE/TLSA,…
http://paste.aeriszyr4wbpvuo2.onion/ | :white_large_square: | :white_large_square: | Tor hidden service
https://paste.warth-hofer.de | :white_check_mark: | :white_check_mark: | No IP Logs, Let's Encrypt SSL, A+ rated on [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=paste.warth-hofer.de&s=37.120.174.18&hideResults=on) and [securityheaders.io](https://securityheaders.io/?q=https%3A%2F%2Fpaste.warth-hofer.de%2F&hide=on)
https://jaegers.net/privatebin/ | :white_check_mark: | :white_check_mark: | No IP Logs, all languages, logo added to bootstrap theme
https://pastebin.aquilenet.fr | :white_check_mark: | :white_large_square: | darkstrap theme
https://paste.carrade.eu | :white_check_mark: | :white_check_mark: | French / Français, Let's Encrypt SSL, A rated on [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=paste.carrade.eu&hideResults=on)
https://paste.wiidatabase.de | :white_check_mark: | :white_large_square: | German / Deutsch, modified darkstrap theme
https://paste.debian-fr.xyz | :white_check_mark: | :white_large_square: | modified darkstrap theme, uses Piwik
https://nopaste.xyz | :white_check_mark: | :white_large_square: | uses Cloudflare
https://zerobin.farcy.me | :white_large_square: | :white_large_square:
https://webapps.leutek.de/PrivateBin/ | :white_check_mark: | :white_check_mark:
https://p.0x0f.su | :white_check_mark: | :white_check_mark: | No logs
https://paste.nolsen.xyz | :white_check_mark: | :white_check_mark: | No IP Logs, Available Tor Hidden Service
https://paste.mondedie.fr | :white_check_mark: | :white_large_square: | french / français, modified bootstrap theme
https://paste.dd.zom.bi | :white_check_mark: | :white_large_square: | darkstrap theme
https://www.systemli.org/paste/ | :white_check_mark: | :white_large_square:
https://paste.tecff.de | :white_check_mark: | :white_large_square:
https://bin.acquia.com | :white_check_mark: | :white_large_square:
https://paste.fizi.ca | :white_check_mark: | :white_check_mark: | darkstrap theme
https://paste.schleicloud.de | :white_check_mark: | :white_check_mark:
https://pastebin.togart.de | :white_check_mark: | :white_large_square: | Let's Encrypt SSL, A+ rated on SSL Labs, A rated on securityheaders.io
https://thecloud.org.uk/paste/ | :white_check_mark: | :white_large_square: | SSL, No Logging
## PrivateBin 1.0
URL | forced HTTPS | file upload | other
----|:------------:|:-----------:|------
https://paste.schleicloud.de | :white_check_mark: | :white_check_mark:
https://paste.fizi.ca | :white_check_mark: | :white_check_mark: | darkstrap theme
https://bin.acquia.com | :white_check_mark: | :white_large_square:
https://paste.tecff.de | :white_check_mark: | :white_large_square:
https://www.systemli.org/paste/ | :white_check_mark: | :white_large_square:
https://paste.dd.zom.bi | :white_check_mark: | :white_large_square: | darkstrap theme
https://paste.mondedie.fr | :white_check_mark: | :white_large_square: | french / français, modified bootstrap theme
https://nsa.black | :white_check_mark: | :white_check_mark: | No IP Logs
https://paste.tech-port.de | :white_check_mark: | :white_large_square: | No IP Logs, modified darkstrap theme
https://paste.nolsen.xyz | :white_check_mark: | :white_check_mark: | No IP Logs, Available Tor Hidden Service
https://paste.nikul.in | :white_check_mark: | :white_large_square: | No IP Logs, modified darkstrap theme
https://p.0x0f.su | :white_check_mark: | :white_check_mark: | No logs
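Review bot: after this hunk, several URLs appear in both the first table and the "PrivateBin 1.0" table as rendered: `https://paste.dd.zom.bi`, `https://paste.mondedie.fr`, `https://paste.nolsen.xyz` and `https://p.0x0f.su` (plus `paste.schleicloud.de`, `paste.fizi.ca`, `bin.acquia.com`, `paste.tecff.de` and `www.systemli.org/paste/`). If these instances were upgraded, the corresponding rows in the 1.0 table should be removed in the same change so each instance is listed once. Separately, the duplicate `https://snip.dssr.ch` row is only replaced, not deduplicated, so please check that exactly one copy survives.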
## ZeroBin 0.22
@ -41,22 +48,11 @@ URL | forced HTTPS | file upload | other
----|:------------:|:-----------:|------
https://share.cyberguerrilla.info | :white_check_mark: | :white_check_mark: | modified darkstrap theme
https://paste.chatq.net | :white_check_mark: | :white_check_mark: | modified bootstrap theme
https://webapps.leutek.de/PrivateBin/ | :white_check_mark: | :white_check_mark:
https://paste.kwachu.org | :white_check_mark: | :white_large_square:
https://zerobin.farcy.me | :white_large_square: | :white_large_square:
http://paste.gehaxelt.in | :white_large_square: | :white_large_square:
http://gilles.wittezaele.fr/paste/ | :white_large_square: | :white_large_square:
https://nopaste.xyz | :white_check_mark: | :white_large_square: | uses Cloudflare
https://paste.debian-fr.xyz | :white_check_mark: | :white_large_square: | modified darkstrap theme, uses Piwik
https://www.mycodebin.com | :white_check_mark: | :white_large_square: | uses Google Adsense
https://p.k0nsl.org | :white_check_mark: | :white_check_mark: | Let's Encrypt SSL; modified default theme; uses Piwik
## ZeroBin 0.21.1
URL | forced HTTPS | file upload | other
----|:------------:|:-----------:|------
https://www.riebart.ca/zerobin/ | :white_check_mark: | :white_check_mark:
## ZeroBin 0.19 (latest release of Seb Sauvage)
URL | Version | forced HTTPS | other
@ -73,23 +69,15 @@ http://paste.piratux.com | 0.19 | :white_large_square:
http://zerobin.thican.net | 0.19 | :white_large_square:
http://paste.vinilox.eu | 0.19 | :white_large_square:
http://zerobin.zertrin.org | 0.19 | :white_large_square:
http://www.karinafolkmusic.altervista.org/zerobin/ | 0.19.5 | :white_large_square: | uses Altervista Toolbar
## ZeroBin 0.18
URL | forced HTTPS
----|:-----------:
http://traviscj.com/ZeroBin/ | :white_large_square:
https://traviscj.com/ZeroBin/ | :white_check_mark:
http://zb.zerosgaming.de | :white_large_square:
## ZeroBin 0.15
URL | forced HTTPS | other
----|:------------:|------
http://www.nullfile.com/index.php | :white_large_square:
http://paste.ethernia.net | :white_large_square:
http://paste.kyleundefined.com | :white_large_square:
http://www.karinafolkmusic.altervista.org/zerobin/ | :white_large_square: | uses Altervista Toolbar
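Review bot: `http://www.karinafolkmusic.altervista.org/zerobin/` is listed both under ZeroBin 0.19 with version "0.19.5" and under ZeroBin 0.15 in this hunk; only one of the two rows should remain after the edit, and the version column of the surviving row should reflect which one it actually runs.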
## Other
URL | Version | forced HTTPS | other

@ -1,3 +1,3 @@
Here is a list of clients, which implement the [PrivateBin API](https://github.com/PrivateBin/PrivateBin/wiki/API) so you can use them with any PrivateBin server of your choice:
* coming soon...
* [proof-of-concept CLI client in node.js](https://github.com/PrivateBin/PrivateBin-Cli)