Alex Gleason on Nostr: Pleroma / Akkoma / Rebased need to be patched, but here’s how you can secure your ...
Pleroma / Akkoma / Rebased need to be patched, but here’s how you can secure your site without any code changes:
yoursite.com/media -> media.yoursite.com yoursite.com/proxy -> proxy.yoursite.com
To do this, add the following configuration to your site:
config :pleroma, Pleroma.Upload,
base_url: "https://media.yoursite.com";
config :pleroma, :media_proxy,
base_url: "https://proxy.yoursite.com";
You will need to add DNS records for the subdomains. For media, it’s recommended to use an S3 bucket (or equivalent). For the proxy, you can simply point the DNS to the same server, and edit your Nginx file. A sample Nginx file is here: https://termbin.com/tj7q You’re on your own setting up letsencrypt, etc.
Here’s what does NOT work:
A CSP one-liner in Nginx. That’s not how CSP works. CSP affects the page it was loaded on, not other resources. This is straight up misinformation.
Disabling the media proxy on its own. The media proxy does appear to be vulnerable, but it cannot be the only action you take.
yoursite.com/media -> media.yoursite.com yoursite.com/proxy -> proxy.yoursite.com
To do this, add the following configuration to your site:
config :pleroma, Pleroma.Upload,
base_url: "https://media.yoursite.com";
config :pleroma, :media_proxy,
base_url: "https://proxy.yoursite.com";
You will need to add DNS records for the subdomains. For media, it’s recommended to use an S3 bucket (or equivalent). For the proxy, you can simply point the DNS to the same server, and edit your Nginx file. A sample Nginx file is here: https://termbin.com/tj7q You’re on your own setting up letsencrypt, etc.
Here’s what does NOT work:
A CSP one-liner in Nginx. That’s not how CSP works. CSP affects the page it was loaded on, not other resources. This is straight up misinformation.
Disabling the media proxy on its own. The media proxy does appear to be vulnerable, but it cannot be the only action you take.