What is Nostr?
/
npub1ajw…aj8d
2023-05-29 10:27:54
in reply to nevent1q…rnwj

​ on Nostr: lain Alex Gleason anime graf mays 🛰️🪐 >Move your media and proxy to a ...

lain (npub1wah…xc8t) Alex Gleason (npub108p…yev6) anime graf mays 🛰️🪐 (npub108z…dkr5) >Move your media and proxy to a subdomain
Yeah I'm not doing that. There's six mirrors across different networks, all of which would need to have subdomains configured somehow, even the one that is a plain IPv6 without domain (moving it to different port like I did with bloat?). Old media would still dangle in the same dir unless you introduce more overhead by putting redirects.
Speaking of media, here's my setup:
>mediaproxy is disabled as it doesn't play well with upstream proxies, the state of HTTP adapters in Erlang/Elixir is abysmal and you all know it
>nginx serves media directly from Pleroma's upload dir, bypassing Cowboy, Oban and other shit
>since nginx doesn't analyze file contents, it sends the MIME type that is corresponding to extension, so you can't load js file uploaded as txt because it'll be text/plain or octet-stream (don't remember if that's also a default pleroma behavior or not)
>as for .js uploads themselves, they all return 403, that was one of the first things I did after the initial hack
So far I don't see how it can be exploited if there's no way to access any scripts that aren't part of frontend, due to the basic 403, CORS/CSP block on subdomain or otherwise.
Author Public Key
npub1ajw6axeack23437kedc8pkwghneenrkh9ljfxxgxumr6t6k4rtvqecaj8d