-rw-r--r--README55
1 files changed, 55 insertions, 0 deletions
diff --git a/README b/README
index 2882216..0d2c189 100644
--- a/README
+++ b/README
@@ -35,3 +35,58 @@ will. Requests with an empty location will work as well, then the returned URL w
and have no extension in the public mode.
Fshare is distributed under the GNU AGPL licence.
+
+Example Nginx config
+--------------------
+upstream fshare_py {
+ # host/port of the fshare.py process
+ server [::1]:5400;
+}
+
+server {
+ # network config
+ listen [::]:443 ssl;
+ server_name fshare.example.com;
+
+ # server's TLS cert+key
+ ssl_certificate <path_to_cert>;
+ ssl_certificate_key <path_to_key>;
+
+ # source authentication with TLS client certificates
+ ssl_client_certificate <path_to_client_CA>;
+ ssl_verify_client optional;
+
+ # define parameters for communicating with upstream
+ # enable chunked transfers
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_request_buffering off;
+ # finish the upload even if the client does not bother waiting for our
+ # response
+ proxy_ignore_client_abort on;
+
+ # only these methods are allowed
+ if ($request_method !~ ^(GET|POST|PUT|DELETE)$) {
+ return 405; # Method Not Allowed
+ }
+
+ # privileged operation requested
+ if ($request_method ~ ^(POST|PUT|DELETE)$) {
+ set $priv_op "R";
+ }
+
+ # privileged operations are forbidden unless client cert has validated
+ # successfully
+ if ($ssl_client_verify != "SUCCESS") {
+ set $priv_op "${priv_op}F";
+ }
+
+ if ($priv_op = "RF") {
+ return 401; # unauthorized
+ }
+
+ location / {
+ proxy_pass http://fshare_py;
+ proxy_set_header Host $host;
+ }
+}
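Review bot: The example authorizes POST, PUT and DELETE for any certificate that chains to `<path_to_client_CA>`, with no revocation and no restriction on which subjects are accepted. The README should state that this CA must be dedicated to fshare uploaders, and adding `ssl_crl <path_to_crl>;` next to `ssl_verify_client optional;` gives a way to withdraw a lost certificate. The `$ssl_client_verify` test is the only gate shown, so fshare.py on `[::1]:5400` presumably accepts writes from any local process that connects to it directly; a sentence saying the backend must be reachable only through nginx would make that trust boundary explicit. On GET requests `$priv_op` is read in `"${priv_op}F"` before anything has set it, which nginx logs as an uninitialized-variable warning; `set $priv_op "";` ahead of the first `if` avoids that. Uploads are also capped by nginx's default `client_max_body_size` of 1m, so the example should set that limit deliberately rather than leave readers to discover the 413.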