diff --git a/README.md b/README.md index 7b6e5339..2b382aac 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,7 @@ turn almost any device into a file server with resumable uploads/downloads using * [themes](#themes) * [complete examples](#complete-examples) * [reverse-proxy](#reverse-proxy) - running copyparty next to other websites + * [real-ip](#real-ip) - teaching copyparty how to see client IPs * [prometheus](#prometheus) - metrics/stats can be enabled * [packages](#packages) - the party might be closer than you think * [arch package](#arch-package) - now [available on aur](https://aur.archlinux.org/packages/copyparty) maintained by [@icxes](https://github.com/icxes) @@ -357,6 +358,9 @@ upgrade notes * firefox refuses to connect over https, saying "Secure Connection Failed" or "SEC_ERROR_BAD_SIGNATURE", but the usual button to "Accept the Risk and Continue" is not shown * firefox has corrupted its certstore; fix this by exiting firefox, then find and delete the file named `cert9.db` somewhere in your firefox profile folder +* the server keeps saying `thank you for playing` when I try to access the website + * you've gotten banned for malicious traffic! if this happens by mistake, and you're running a reverse-proxy and/or something like cloudflare, see [real-ip](#real-ip) on how to fix this + * copyparty seems to think I am using http, even though the URL is https * your reverse-proxy is not sending the `X-Forwarded-Proto: https` header; this could be because your reverse-proxy itself is confused. Ensure that none of the intermediates (such as cloudflare) are terminating https before the traffic hits your entrypoint 
@@ -1383,6 +1387,15 @@ example webserver configs: * [apache2 config](contrib/apache/copyparty.conf) -- location-based +### real-ip + +teaching copyparty how to see client IPs when running behind a reverse-proxy, or a WAF, or another protection service such as cloudflare + +if you (and maybe everybody else) keep getting a message that says `thank you for playing`, then you've gotten banned for malicious traffic. This ban applies to the IP address that copyparty *thinks* identifies the shady client -- so, depending on your setup, you might have to tell copyparty where to find the correct IP + +for most common setups, there should be a helpful message in the server-log explaining what to do, but see [docs/xff.md](docs/xff.md) if you want to learn more, including a quick hack to **just make it work** (which is **not** recommended, but hey...) + + ## prometheus metrics/stats can be enabled at URL `/.cpr/metrics` for grafana / prometheus / etc (openmetrics 1.0.0) diff --git a/contrib/nginx/copyparty.conf b/contrib/nginx/copyparty.conf index 0fc43ab7..6e762bb7 100644 --- a/contrib/nginx/copyparty.conf +++ b/contrib/nginx/copyparty.conf @@ -11,6 +11,14 @@ # (5'000 requests per second, or 20gbps upload/download in parallel) # # on fedora/rhel, remember to setsebool -P httpd_can_network_connect 1 +# +# if you are behind cloudflare (or another protection service), +# remember to reject all connections which are not coming from your +# protection service -- for cloudflare in particular, you can +# generate the list of permitted IP ranges like so: +# (curl -s https://www.cloudflare.com/ips-v{4,6} | sed 's/^/allow /; s/$/;/'; echo; echo "deny all;") > /etc/nginx/cloudflare-only.conf +# +# and then enable it below by uncomenting the cloudflare-only.conf line upstream cpp { server 127.0.0.1:3923 fail_timeout=1s; 
@@ -21,7 +29,10 @@ server { listen [::]:443 ssl; server_name fs.example.com; - + + # uncomment the following line to reject non-cloudflare connections, ensuring client IPs cannot be spoofed: + #include /etc/nginx/cloudflare-only.conf; + location / { proxy_pass http://cpp; proxy_redirect off; diff --git a/docs/xff.md b/docs/xff.md new file mode 100644 index 00000000..f5c3ee96 --- /dev/null +++ b/docs/xff.md 
@@ -0,0 +1,45 @@ +when running behind a reverse-proxy, or a WAF, or another protection service such as cloudflare: + +if you (and maybe everybody else) keep getting a message that says `thank you for playing`, then you've gotten banned for malicious traffic. This ban applies to the IP-address that copyparty *thinks* identifies the shady client -- so, depending on your setup, you might have to tell copyparty where to find the correct IP + +knowing the correct IP is also crucial for some other features, such as the unpost feature which lets you delete your own recent uploads -- but if everybody has the same IP, well... + +---- + +for most common setups, there should be a helpful message in the server-log explaining what to do, something like `--xff-src=10.88.0.0/16` or `--xff-src=lan` to accept the `X-Forwarded-For` header from your reverse-proxy with a LAN IP of `10.88.x.y` + +if you are behind cloudflare, it is recommended to also set `--xff-hdr=cf-connecting-ip` to use a more trustworthy source of info, but then it's also very important to ensure your reverse-proxy does not accept connections from anything BUT cloudflare; you can do this by generating an ip-address allowlist and reject all other connections + +* if you are using nginx as your reverse-proxy, see the [example nginx config](https://github.com/9001/copyparty/blob/hovudstraum/contrib/nginx/copyparty.conf) on how the cloudflare allowlist can be done + +---- + +the server-log will give recommendations in the form of commandline arguments; + +to do the same thing using config files, take the options that are suggested in the serverlog and put them into the `[global]` section in your `copyparty.conf` like so: + +```yaml +[global] + xff-src: lan + xff-hdr: cf-connecting-ip +``` + +---- + +# but if you just want to get it working: + +...and don't care about security, you can optionally disable the bot-detectors, either by specifying commandline-args `--ban-404=no --ban-403=no --ban-422=no --ban-url=no 
--ban-pw=no` + +or by adding these lines inside the `[global]` section in your `copyparty.conf`: + +```yaml +[global] + ban-404: no + ban-403: no + ban-422: no + ban-url: no + ban-pw: no +``` + +but remember that this will make other features insecure as well, such as unpost +
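Review bot: the generator one-liner in the new comment block of contrib/nginx/copyparty.conf, `(curl -s https://www.cloudflare.com/ips-v{4,6} | sed 's/^/allow /; s/$/;/'; echo; echo "deny all;") > /etc/nginx/cloudflare-only.conf`, can emit a malformed directive: curl concatenates the two response bodies, so if the v4 body does not end with a newline the last v4 range and the first v6 range land on one line, and the `sed` turns any blank line into `allow ;`, which nginx rejects. Suggest fetching each list separately with a newline appended and dropping empty lines, e.g. `for u in https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6; do curl -sf "$u"; echo; done | grep . | sed 's/^/allow /; s/$/;/'`, using `-f` so a failed download does not silently yield a file containing only `deny all;`, and telling readers to run `nginx -t` before reloading and to regenerate the file periodically since Cloudflare's published ranges change. Also "uncomenting" in the last comment line should read "uncommenting".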
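Review bot: the comment on the new `#include /etc/nginx/cloudflare-only.conf;` line in the `server` block says this ensures "client IPs cannot be spoofed", which only holds together with the `--xff-hdr=cf-connecting-ip` recommendation from docs/xff.md; Cloudflare passes a client-supplied `X-Forwarded-For` through and appends the connecting IP, so with the default header the client still controls part of the value. Two caveats worth a line in the comment: `allow`/`deny` are evaluated against `$remote_addr`, so if `set_real_ip_from`/`real_ip_header` (ngx_http_realip_module) is ever added to this server block the allowlist starts testing the forwarded address instead of the TCP peer; and the allowlist only protects the nginx listener, so copyparty itself must not be reachable on another interface (the example upstream is `127.0.0.1:3923`, which is the right choice). The `- `/`+ ` pair above the comment is a whitespace-only change to a blank line and could be dropped from the hunk.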
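Review bot: in docs/xff.md, the paragraph offering `--xff-src=lan` as an alternative to `--xff-src=10.88.0.0/16` should warn that `lan` (presumably every private range) trusts the forwarded header from any host in those ranges, so any LAN machine that can reach copyparty directly can forge `X-Forwarded-For` and both evade a ban and claim another user's unpost entries; recommend the narrowest CIDR that covers the proxy, or binding copyparty to loopback when the proxy runs on the same host. The same paragraph would also benefit from stating that `xff-src` only works if the proxy actually forwards the header (`X-Forwarded-For`, or `cf-connecting-ip` when `--xff-hdr` is set), since a proxy that strips or never sets it leaves copyparty seeing the proxy IP regardless of `xff-src`.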
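Review bot: the closing sentence of docs/xff.md, "this will make other features insecure as well, such as unpost", attributes the unpost exposure to the wrong setting: `--ban-404=no --ban-403=no --ban-422=no --ban-url=no --ban-pw=no` only disables the automatic bans (judging by the name, `ban-pw` is the failed-password ban, so password guessing loses its lockout), whereas unpost is exposed when all clients share the proxy's IP, which follows from not configuring `xff-src`, not from disabling bans. Suggest splitting the sentence into those two points so readers of the "just want to get it working" section understand that the shared-IP problem remains until `xff-src`/`xff-hdr` are set, and that the hack additionally removes brute-force protection. Minor: the `[global]` blocks are INI-style but fenced as `yaml`; keep it only if that is the project's convention elsewhere in the docs.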