From d59bdf42c8bb86b657ff6180fdd18206ea2c5944 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 16 Dec 2023 10:41:01 +0100
Subject: README: add an example nginx config
---
 README | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
(limited to 'README')
diff --git a/README b/README
index 2882216..0d2c189 100644
--- a/README
+++ b/README
@@ -35,3 +35,58 @@ will. Requests with an empty location will work as well, then the returned URL w
 and have no extension in the public mode.
 Fshare is distributed under the GNU AGPL licence.
+
+Example Nginx config
+--------------------
+upstream fshare_py {
+ # host/port of the fshare.py process
+ server [::1]:5400;
+}
+
+server {
+ # network config
+ listen [::]:443 ssl;
+ server_name fshare.example.com;
+
+ # server's TLS cert+key
+ ssl_certificate ;
+ ssl_certificate_key ;
+
+ # source authentication with TLS client certificates
+ ssl_client_certificate ;
+ ssl_verify_client optional;
+
+ # define parameters for communicating with upstream
+ # enable chunked transfers
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_request_buffering off;
+ # finish the upload even if the client does not bother waiting for our
+ # response
+ proxy_ignore_client_abort on;
+
+ # only these methods are allowed
+ if ($request_method !~ ^(GET|POST|PUT|DELETE)$) {
+ return 405; # Method Not Allowed
+ }
+
+ # privileged operation requested
+ if ($request_method ~ ^(POST|PUT|DELETE)$) {
+ set $priv_op "R";
+ }
+
+ # privileged operations are forbidden unless client cert has validated
+ # successfully
+ if ($ssl_client_verify != "SUCCESS") {
+ set $priv_op "${priv_op}F";
+ }
+
+ if ($priv_op = "RF") {
+ return 401; # unauthorized
+ }
+
+ location / {
+ proxy_pass http://fshare_py;
+ proxy_set_header Host $host;
+ }
+}
-- cgit v1.2.3
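Review bot: The `$priv_op` check in the `server` block is the only authorization visible in this example: `location /` forwards to `fshare_py` with nothing but the `Host` header, so the upstream presumably cannot tell whether a client certificate was verified. The README should say so where the listener is defined, for example a comment above `server [::1]:5400;` reading `# must be reachable only through this proxy; a direct connection skips the client-cert check`. Next to `ssl_client_certificate` it is also worth adding `# use a CA dedicated to fshare uploaders: any certificate chaining to it is accepted for POST/PUT/DELETE`, because `$ssl_client_verify` is `SUCCESS` for every certificate that validates against that file. As rendered here the three `ssl_*` path directives have no argument; if that is not an artifact of the page, a placeholder path would keep the example loadable.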