lain (npub1wah…xc8t), replying to Alex Gleason (npub108p…yev6) and anime graf mays 🛰️🪐 (npub108z…dkr5):
>Move your media and proxy to a subdomain
Yeah I'm not doing that. There are six mirrors across different networks, all of which would need to have subdomains configured somehow, even the one that is a plain IPv6 without a domain (moving it to a different port like I did with bloat?). Old media would still dangle in the same dir unless you introduce more overhead by putting in redirects.
Speaking of media, here's my setup:
>mediaproxy is disabled as it doesn't play well with upstream proxies; the state of HTTP adapters in Erlang/Elixir is abysmal and you all know it
>nginx serves media directly from Pleroma's upload dir, bypassing Cowboy, Oban and other shit
>since nginx doesn't analyze file contents, it sends the MIME type corresponding to the extension, so you can't load a js file uploaded as txt because it'll be text/plain or octet-stream (don't remember if that's also the default Pleroma behavior or not)
>as for .js uploads themselves, they all return 403; that was one of the first things I did after the initial hack
So far I don't see how it can be exploited if there's no way to access any scripts that aren't part of the frontend, due to the basic 403, CORS/CSP block on a subdomain or otherwise.
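The setup described in the post (nginx serving the upload dir directly, MIME type chosen purely by extension, .js refused with 403), written out as an added example nginx configuration. This is not the poster's actual config and not Pleroma's shipped nginx template; the upload path `/var/lib/pleroma/uploads/` and the URL prefix `/media/` are assumed, and the `nosniff` and CSP headers are added so that the extension-based typing the post relies on is also what the browser honours.

```nginx
# Added example, not the poster's real config. Assumed paths:
# upload dir /var/lib/pleroma/uploads/, served under /media/.
location /media/ {
    alias /var/lib/pleroma/uploads/;

    # Only these extension -> type mappings apply inside this location.
    # Any other extension falls through to application/octet-stream,
    # which browsers download rather than render or execute.
    types {
        image/png   png;
        image/jpeg  jpg jpeg;
        image/gif   gif;
        image/webp  webp;
        video/mp4   mp4;
        video/webm  webm;
        audio/mpeg  mp3;
        audio/ogg   ogg oga;
        text/plain  txt;
    }
    default_type application/octet-stream;

    # Browsers must trust the Content-Type above instead of sniffing the body,
    # so a script uploaded as .txt stays text/plain in the browser as well.
    add_header X-Content-Type-Options nosniff always;

    # Even if a served file is opened top-level, it may not run scripts or
    # load subresources (sandbox + default-src 'none').
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;

    # Script uploads are refused outright, regardless of content.
    location ~* \.(js|mjs)$ {
        return 403;
    }
}
```

The `types` block is an allowlist: extensions not listed there are typed as `application/octet-stream` even though nginx's global `mime.types` would map them to something else, which keeps the "type follows extension" behaviour the post describes from serving anything a browser would treat as active content. The nested `location ~* \.(js|mjs)$` inherits the headers from the parent and short-circuits with 403 before `alias` is consulted, so no file on disk is read for those requests. Check the result with `nginx -t` before reloading, and confirm with `curl -I` that an uploaded `.txt` comes back as `text/plain` with `X-Content-Type-Options: nosniff`.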