diff --git a/FAQ.md b/FAQ.md index c59cab0..ad7198f 100644 --- a/FAQ.md +++ b/FAQ.md @@ -21,7 +21,7 @@ Please have a look at these questions *before* opening an issue in this repo. * [How to make PrivateBin work on my Android phone with data saver mode?](#user-content-how-to-make-privatebin-work-on-my-android-phone-with-data-saver-mode) * [How to make PrivateBin work when using Cloudflare for DDoS protection?](#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection) * [How to make PrivateBin work when I have changed some JavaScript files?](#user-content-how-to-make-privatebin-work-when-i-have-changed-some-javascript-files) - + * [What are the recommended file and folder permissions for Privatebin?](#what-are-the-recommended-file-and-folder-permissions-for-privatebin) ## General 
@@ -204,10 +204,48 @@ More details on Google Chromes Data Saver mode on Android can be found at [Googl ### How to make PrivateBin work when using Cloudflare for DDoS protection? -Cloudflare works as a reverse proxy in front of your webserver. Apart from protecting your site against DDoS it acts as a man-in-the-middle even for HTTPS sites and by default tries to optimize your site for faster loading. Part of that optimization (currently) breaks our [SRI](https://scotthelme.co.uk/subresource-integrity/) used to ensure that your JS files don't get modified (actually it works as intended as Cloudflare _does_ modify them). It has been reported that disabling the "rocket loader" feature in Cloudflare solves this issue. +Cloudflare works as a reverse proxy in front of your webserver. Apart from protecting your site against DDoS it acts as a man-in-the-middle even for HTTPS sites and by default tries to optimize your site for faster loading. Part of that optimization (currently) breaks our [SRI](https://scotthelme.co.uk/subresource-integrity/) used to ensure that your JS files don't get modified (actually it works as intended as Cloudflare _does_ modify them). It has been reported that disabling the "rocket loader" feature in Cloudflare solves this issue. If you don't want to disable "Rocket Loader" site wide, then you can disable it on a per page basis by adding the "Disable Performance" rule to that page only, this will turn off "Minification, Rocket Loader, Mirage and Polish". + +Similarly, if you encounter problems with `email-decode.min.js` you've enabled "email obfuscation" for your site in Cloudflare. In that case you will need to create a page rule for your PrivateBin URL to disable "email obfuscation". ### How to make PrivateBin work when I have changed some JavaScript files? 
When changing the JS files (or adding new ones) you need to [regenerate the SRI hashes](https://github.com/PrivateBin/PrivateBin/wiki/Development#subresource-integrity-for-javascript-resources) in your template, so that they match the updated files. -If you didn't change the JS files intentionally, there might be someone/something interfering with these files. Most likely this is a (reverse) proxy, such as Cloudflare, certain VPNs, data saver modes in your client, etc. Try to use it from a different internet connection and a different device to figure out what is manipulating the files and if you can disable/circumvent it. \ No newline at end of file +If you didn't change the JS files intentionally, there might be someone/something interfering with these files. Most likely this is a (reverse) proxy, such as Cloudflare, certain VPNs, data saver modes in your client, etc. Try to use it from a different internet connection and a different device to figure out what is manipulating the files and if you can disable/circumvent it. + + + +### What are the recommended file and folder permissions for Privatebin? + +Depending on your setup, the PHP process may run under a different user then the web server. Here are a few common setup scenarios: + +1. "Classic" Apache web server with mod_php - In this case PHP scripts are run as child-processes of the apache server and as the same user as the apache server. Since there is only one user in this scenario that needs access, one could go with just owner level permissions (0600 instead of 0640 for example). + +2. Any webserver, PHP runs as (fast)cgi or PHP-FPM (fast process manager) process - here the webserver and PHP may run in separate users. This is very common on shared hosters, where each customers PHP scripts are run in their own user, so that they can't read other customers files, etc. 
For this setup to work, the owner needs to be set to the same as the php process (usually not something that you can change on a share hoster) and the group needs to be set to a group the web servers user is in. + +The permissions need to look like this: + +* Directories: 0550 (read-only for owner and group, not accessible for others) +* Data directory: 0750 (writeable for owner, read-only for group, not accessible for others) +* Files: 0640 (writeable for owner, read-only for group, not accessible for others), created files get these permissions automatically + +For most setups it is also possible to use the following script. Make sure to edit the users and folders where necessary. + +```sh +#!/bin/sh +pbpath='/var/www/privatebin' +pbdata='/var/www/privatebin/data' +# htuser='www-data' (unused) +htgroup='www-data' +rootuser='root' + +echo "[chmod] files and directories" +find "${pbpath}/" -type f -print0 | xargs -0 chmod 0640 +find "${pbpath}/" -type d -print0 | xargs -0 chmod 0550 +find "${pbdata}/" -type f -print0 | xargs -0 chmod 0640 +find "${pbdata}/" -type d -print0 | xargs -0 chmod 0750 + +echo "[chown] Directories" +chown -R ${rootuser}:${htgroup} "${pbpath}/" +``` \ No newline at end of file diff --git a/Installation.md b/Installation.md index 41b090e..2baa48c 100644 --- a/Installation.md +++ b/Installation.md 
@@ -1,14 +1,13 @@ **TL;DR:** Download the [latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest) and extract it in your web hosts folder where you want to install your PrivateBin -instance. We try to provide a safe default configuration, but we advise you to -check the options and adjust them as you see fit. +instance. We try to provide a mostly safe default configuration, but we urge you to +check the [security section](#hardening-and-security) below and the [configuration +options](#configuration) to adjust as you see fit. **NOTE:** See [our FAQ](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-can-i-securely-clonedownload-your-project) for information how to securely download the PrivateBin release files. -## Basic installation - -### Requirements +### Minimal requirements - PHP version 5.4 or above - _one_ of the following sources of cryptographically safe randomness is required: 
@@ -20,37 +19,11 @@ check the options and adjust them as you see fit. Mcrypt needs to be able to access `/dev/urandom`. This means if `open_basedir` is set, it must include this file. - GD extension -- some disk space or (optional) a database supported by [PDO](https://secure.php.net/manual/book.pdo.php) -- ability to create files and folders in the installation directory and the PATH +- some disk space or (optionally) a database supported by [PDO](https://secure.php.net/manual/book.pdo.php) +- ability to create files and folders in the installation directory and the PATH defined in index.php - A web browser with javascript support -### Configuration - -In the file `cfg/conf.ini` you can configure PrivateBin. A `cfg/conf.ini.sample` -is provided containing all options and default values. You can copy it to -`cfg/conf.ini` and adapt it as needed. The config file is divided into multiple -sections, which are enclosed in square brackets. - -In the `[main]` section you can enable or disable the discussion feature, set -the limit of stored pastes and comments in bytes. The `[traffic]` section lets -you set a time limit in seconds. Users may not post more often then this limit -to your PrivateBin installation. - -More details can be found in the -[configuration documentation](https://github.com/PrivateBin/PrivateBin/wiki/Configuration). - -## Further configuration - -After (or before) setting up PrivateBin, also set up HTTPS, as without HTTPS -PrivateBin is not secure. ( -[More information](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https)) - -If you want to use PrivateBin behind Cloudflare, make sure you disabled Rocket -loader and unchecked "Javascript" for Auto Minify, found in your domain settings, -under "Speed". 
(More information -[in this FAQ entry](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection)) - -## Advanced installation +## Hardening and security ### Changing the path 
@@ -75,6 +48,35 @@ process (see also > PrivateBin will look for your includes / data here: > /home/example.com/secret/privatebin +### Transport security + +When setting up PrivateBin, also set up HTTPS, if you haven't already. Without HTTPS +PrivateBin is not secure, as the javascript files could be manipulated during transmission. +For more information on this, see our [FAQ entry on HTTPS setup](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https). + +### File-level permissions + +After completing the installation, you should make sure, other users on the system cannot read the config file or the `data/` directory, as – depending on your configuration – potential secret information are saved there. + +See [this FAQ item](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-the-recommended-file-and-folder-permissions-for-privatebin) for a detailed guide on how to "harden" the permissions of files and folders. + +## Configuration + +In the file `cfg/conf.php` you can configure PrivateBin. A `cfg/conf.sample.php` +is provided containing all options and default values. You can copy it to +`cfg/conf.php` and adapt it as needed. The config file is divided into multiple +sections, which are enclosed in square brackets. + +In the `[main]` section you can enable or disable the discussion feature, set +the limit of stored pastes and comments in bytes. The `[traffic]` section lets +you set a time limit in seconds. Users may not post more often then this limit +to your PrivateBin installation. + +More details can be found in the +[configuration documentation](https://github.com/PrivateBin/PrivateBin/wiki/Configuration). + +## Advanced installation + ### Web server configuration A `robots.txt` file is provided in the root dir of PrivateBin. It disallows all 
@@ -88,6 +90,13 @@ some known robots and link-scanning bots. If you use Apache, you can rename the file to `.htaccess` to enable this feature. If you use another webserver, you have to configure it manually to do the same. +### When using Cloudflare + +If you want to use PrivateBin behind Cloudflare, make sure you have disabled the Rocket +loader and unchecked "Javascript" for Auto Minify, found in your domain settings, +under "Speed". (More information +[in this FAQ entry](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection)) + ### Using a database instead of flat files In the configuration file the `[model]` and `[model_options]` sections let you @@ -150,4 +159,4 @@ CREATE TABLE prefix_config ( INSERT INTO prefix_config VALUES('VERSION', '1.1'); ``` -In PostgreSQL the attachment column needs to be TEXT and not BLOB or MEDIUMBLOB. \ No newline at end of file +In PostgreSQL, the attachment column needs to be TEXT and not BLOB or MEDIUMBLOB. \ No newline at end of file diff --git a/PrivateBin-Directory.md b/PrivateBin-Directory.md index a6d05e7..c064c6c 100644 --- a/PrivateBin-Directory.md +++ b/PrivateBin-Directory.md 
@@ -4,36 +4,43 @@ Need a server to paste your texts? Here is a list of URLs to choose from (in not URL | forced HTTPS | file upload | other ----|:------------:|:-----------:|------ -https://snip.dssr.ch | :white_check_mark: | :white_check_mark: +https://pasteit.se | :white_large_square: | :white_large_square: | darkstrap theme, Let's Encrypt SSL +https://paste.itworx-solutions.at/ | :white_check_mark: | :white_check_mark: | Let's Encrypt SSL +https://pb.nwsec.de | :white_check_mark: | :white_large_square: | Let's Encrypt SSL, A rated on SSL Labs, A rated on securityheaders.io https://privatebin.net | :white_check_mark: | :white_large_square: -https://p.dousse.eu | :white_check_mark: | :white_check_mark: | No IP Logs, Let's Encrypt SSL, A+ rated on SSL Labs, A rated on securityheaders.io +https://snip.dssr.ch | :white_check_mark: | :white_check_mark: +https://p.dousse.eu | :white_check_mark: | :white_check_mark: | No IP Logs, Let's Encrypt SSL, A+ rated on SSL Labs, A+ rated on securityheaders.io https://paste.unixcorn.org | :white_check_mark: | :white_large_square: | French / Français https://wtf.roflcopter.fr/paste/ | :white_check_mark: | :white_large_square: https://paste.biocrafting.net | :white_check_mark: | :white_large_square: | No IP Logs, Let's Encrypt SSL, HPKP, HSTS (preload) https://paste.imirhil.fr | :white_check_mark: | :white_large_square: | No IP Logs, Let's Encrypt SSL, HPKP, HSTS (preload), CAA, DNSSec, DANE/TLSA,… -http://paste.aeriszyr4wbpvuo2.onion/ | :white_large_square: | :white_large_square: | Tor hidden service https://paste.warth-hofer.de | :white_check_mark: | :white_check_mark: | No IP Logs, Let's Encrypt SSL, A+ rated on [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=paste.warth-hofer.de&s=37.120.174.18&hideResults=on) and [securityheaders.io](https://securityheaders.io/?q=https%3A%2F%2Fpaste.warth-hofer.de%2F&hide=on) https://jaegers.net/privatebin/ | :white_check_mark: | :white_check_mark: | No IP Logs, all languages, logo 
added to bootstrap theme https://pastebin.aquilenet.fr | :white_check_mark: | :white_large_square: | darkstrap theme https://paste.carrade.eu | :white_check_mark: | :white_check_mark: | French / Français, Let's Encrypt SSL, A rated on [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=paste.carrade.eu&hideResults=on) https://paste.wiidatabase.de | :white_check_mark: | :white_large_square: | German / Deutsch, modified darkstrap theme +https://paste.debian-fr.xyz | :white_check_mark: | :white_large_square: | modified darkstrap theme, uses Piwik +https://nopaste.xyz | :white_check_mark: | :white_large_square: | uses Cloudflare +https://zerobin.farcy.me | :white_large_square: | :white_large_square: +https://webapps.leutek.de/PrivateBin/ | :white_check_mark: | :white_check_mark: +https://p.0x0f.su | :white_check_mark: | :white_check_mark: | No logs +https://paste.nolsen.xyz | :white_check_mark: | :white_check_mark: | No IP Logs, Available Tor Hidden Service +https://paste.mondedie.fr | :white_check_mark: | :white_large_square: | french / français, modified bootstrap theme +https://paste.dd.zom.bi | :white_check_mark: | :white_large_square: | darkstrap theme +https://www.systemli.org/paste/ | :white_check_mark: | :white_large_square: +https://paste.tecff.de | :white_check_mark: | :white_large_square: +https://bin.acquia.com | :white_check_mark: | :white_large_square: +https://paste.fizi.ca | :white_check_mark: | :white_check_mark: | darkstrap theme +https://paste.schleicloud.de | :white_check_mark: | :white_check_mark: +https://pastebin.togart.de | :white_check_mark: | :white_large_square: | Let's Encrypt SSL, A+ rated on SSL Labs, A rated on securityheaders.io +https://thecloud.org.uk/paste/ | :white_check_mark: | :white_large_square: | SSL, No Logging ## PrivateBin 1.0 URL | forced HTTPS | file upload | other ----|:------------:|:-----------:|------ -https://paste.schleicloud.de | :white_check_mark: | :white_check_mark: -https://paste.fizi.ca | 
:white_check_mark: | :white_check_mark: | darkstrap theme -https://bin.acquia.com | :white_check_mark: | :white_large_square: -https://paste.tecff.de | :white_check_mark: | :white_large_square: -https://www.systemli.org/paste/ | :white_check_mark: | :white_large_square: -https://paste.dd.zom.bi | :white_check_mark: | :white_large_square: | darkstrap theme -https://paste.mondedie.fr | :white_check_mark: | :white_large_square: | french / français, modified bootstrap theme -https://nsa.black | :white_check_mark: | :white_check_mark: | No IP Logs https://paste.tech-port.de | :white_check_mark: | :white_large_square: | No IP Logs, modified darkstrap theme -https://paste.nolsen.xyz | :white_check_mark: | :white_check_mark: | No IP Logs, Available Tor Hidden Service https://paste.nikul.in | :white_check_mark: | :white_large_square: | No IP Logs, modified darkstrap theme -https://p.0x0f.su | :white_check_mark: | :white_check_mark: | No logs ## ZeroBin 0.22 
@@ -41,22 +48,11 @@ URL | forced HTTPS | file upload | other ----|:------------:|:-----------:|------ https://share.cyberguerrilla.info | :white_check_mark: | :white_check_mark: | modified darkstrap theme https://paste.chatq.net | :white_check_mark: | :white_check_mark: | modified bootstrap theme -https://webapps.leutek.de/PrivateBin/ | :white_check_mark: | :white_check_mark: https://paste.kwachu.org | :white_check_mark: | :white_large_square: -https://zerobin.farcy.me | :white_large_square: | :white_large_square: http://paste.gehaxelt.in | :white_large_square: | :white_large_square: http://gilles.wittezaele.fr/paste/ | :white_large_square: | :white_large_square: -https://nopaste.xyz | :white_check_mark: | :white_large_square: | uses Cloudflare -https://paste.debian-fr.xyz | :white_check_mark: | :white_large_square: | modified darkstrap theme, uses Piwik -https://www.mycodebin.com | :white_check_mark: | :white_large_square: | uses Google Adsense https://p.k0nsl.org | :white_check_mark: | :white_check_mark: | Let's Encrypt SSL; modified default theme; uses Piwik -## ZeroBin 0.21.1 - -URL | forced HTTPS | file upload | other -----|:------------:|:-----------:|------ -https://www.riebart.ca/zerobin/ | :white_check_mark: | :white_check_mark: - ## ZeroBin 0.19 (latest release of Seb Sauvage) URL | Version | forced HTTPS | other 
@@ -73,23 +69,15 @@ http://paste.piratux.com | 0.19 | :white_large_square: http://zerobin.thican.net | 0.19 | :white_large_square: http://paste.vinilox.eu | 0.19 | :white_large_square: http://zerobin.zertrin.org | 0.19 | :white_large_square: +http://www.karinafolkmusic.altervista.org/zerobin/ | 0.19.5 | :white_large_square: | uses Altervista Toolbar ## ZeroBin 0.18 URL | forced HTTPS ----|:-----------: -http://traviscj.com/ZeroBin/ | :white_large_square: +https://traviscj.com/ZeroBin/ | :white_check_mark: http://zb.zerosgaming.de | :white_large_square: -## ZeroBin 0.15 - -URL | forced HTTPS | other -----|:------------:|------ -http://www.nullfile.com/index.php | :white_large_square: -http://paste.ethernia.net | :white_large_square: -http://paste.kyleundefined.com | :white_large_square: -http://www.karinafolkmusic.altervista.org/zerobin/ | :white_large_square: | uses Altervista Toolbar - ## Other URL | Version | forced HTTPS | other diff --git a/Third-party-clients.md b/Third-party-clients.md index 2a9f168..9dad5d0 100644 --- a/Third-party-clients.md +++ b/Third-party-clients.md @@ -1,3 +1,3 @@ Here is a list of clients, which implement the [PrivateBin API](https://github.com/PrivateBin/PrivateBin/wiki/API) so you can use them with any PrivateBin server of your choice: -* coming soon... \ No newline at end of file +* [proof-of-concept CLI client in node.js](https://github.com/PrivateBin/PrivateBin-Cli) \ No newline at end of file
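Review bot: In FAQ.md, hunk @@ -21,7, the new table-of-contents entry links to `#what-are-the-recommended-file-and-folder-permissions-for-privatebin`, while every neighbouring entry uses the `#user-content-...` form of the anchor; pick one convention for the whole list so the link resolves wherever the wiki is rendered. The entry also spells the project name "Privatebin"; use "PrivateBin" here and in the matching heading.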
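Review bot: In FAQ.md, hunk @@ -204,10, the permissions script ends with `chown -R ${rootuser}:${htgroup} "${pbpath}/"`, which makes `data/` owned by root as well. That contradicts the text just above it ("the owner needs to be set to the same as the php process" and "Data directory: 0750 (writeable for owner ...)"): with root as owner and the group limited to read, the PHP process cannot create pastes or its housekeeping files in `data/`. Suggest restoring the commented-out `htuser='www-data'` and adding `chown -R ${htuser}:${htgroup} "${pbdata}/"` after the root chown; keep the `pbdata` find passes after the `pbpath` ones, since the first pass sets the data directories to 0550 and the second corrects them to 0750. Smaller points in the same hunk: "different user then the web server" should read "than", "each customers PHP scripts" and "other customers files" need possessives, "share hoster" should be "shared hoster", the new Cloudflare sentence is a run-on ("... to that page only, this will turn off ...") that splits naturally before "this will", and the `email-decode.min.js` paragraph reads better as a conditional ("If you encounter problems with ..., you have enabled ...") and could say whether the cause is the same as for Rocket Loader (Cloudflare modifying the served JavaScript so the SRI hashes no longer match), so readers understand why a page rule is the fix.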
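Review bot: In Installation.md, hunk @@ -1,14, removing `## Basic installation` while keeping a level-3 `### Minimal requirements` leaves that heading without a level-2 parent at the top of the page, so the hierarchy jumps from the intro straight to a sub-subsection; either keep an `## Installation` parent or promote the requirements heading to `##`. The reworded intro, "a mostly safe default configuration", raises the question of which defaults are not safe; since it already links to the security section, state in one clause what the reader still has to do (set up HTTPS, restrict file permissions) rather than leave "mostly" unexplained.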
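Review bot: In Installation.md, hunk @@ -20,37, renaming `## Advanced installation` to `## Hardening and security` makes `### Changing the path` the first subsection of the hardening chapter without a sentence saying why it belongs there; add one line stating that moving the data and include directories outside the web server's document root (as in the `/home/example.com/secret/privatebin` example in the following hunk) keeps them from ever being served. The requirement line "ability to create files and folders in the installation directory and the PATH defined in index.php" also disagrees with the FAQ script in this same patch, which sets the installation directory to 0550; the two should agree on whether write access to the whole installation directory is needed or only to the data directory.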
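Review bot: In Installation.md, hunk @@ -75,6, the configuration section moved here now names `cfg/conf.php` and `cfg/conf.sample.php` where the removed text said `cfg/conf.ini` and `cfg/conf.ini.sample`, and nothing in the patch explains the rename. If the project really switched to a `.php` file name (a common way to keep an ini-style config from being served as plain text), say so and tell readers with an existing `conf.ini` what to do; if not, this is a typo that points readers at a file that does not exist. Wording in the same hunk: "potential secret information are saved there" should be "potentially secret information is saved there", "javascript files" should be "JavaScript files", and the pre-existing "more often then this limit" should be "than".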
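Review bot: In Installation.md, hunk @@ -88,6, the new "When using Cloudflare" section writes "the Rocket loader"; the feature is "Rocket Loader" (the FAQ hunk in this patch uses that form), and "Javascript" should be "JavaScript". The FAQ hunk also adds the `email-decode.min.js` / "email obfuscation" caveat, which this section does not mention; either add it here too or reduce this section to the single sentence pointing at the FAQ entry so the two lists cannot drift apart.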
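Review bot: In PrivateBin-Directory.md, hunk @@ -4,36, the rows moved up from the "PrivateBin 1.0" and "ZeroBin 0.22" tables keep their old wording, so the merged table now mixes "french / français" with "French / Français" and "No logs" with "No IP Logs"; normalise the moved rows to the existing entries' style. The `http://paste.aeriszyr4wbpvuo2.onion/` row is dropped without a replacement, so the list no longer names any onion address; if the service is simply offline, a short note in the commit message to that effect would help the next editor.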