reword and reformat documents
parent
f0d0daffcc
commit
3a7350c5c4
124
INSTALL.md
@ -1,39 +1,47 @@
|
|||||||
# Installation
|
# Installation
|
||||||
|
|
||||||
**TL;DR:** Download the
|
**TL;DR:** Download the
|
||||||
[latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest) (with the link labelled as „Source code (…)“)
|
[latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest)
|
||||||
and extract it in your web hosts folder where you want to install your PrivateBin
|
(with the link labelled as "Source code (…)") and extract it in your web hosts
|
||||||
instance. We try to provide a mostly safe default configuration, but we urge you to
|
folder where you want to install your PrivateBin instance. We try to provide a
|
||||||
check the [security section](#hardening-and-security) below and the [configuration
|
mostly safe default configuration, but we urge you to check the
|
||||||
options](#configuration) to adjust as you see fit.
|
[security section](#hardening-and-security) below and the
|
||||||
|
[configuration options](#configuration) to adjust as you see fit.
|
||||||
|
|
||||||
**NOTE:** See [our FAQ](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-can-i-securely-clonedownload-your-project) for information how to securely download the PrivateBin release files.
|
**NOTE:** See our [FAQ entry on securely downloading release files](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-can-i-securely-clonedownload-your-project)
|
||||||
|
for more information.
|
||||||
|
|
||||||
**NOTE:** There is a [ansible](https://ansible.com) role by @e1mo available to install and configure PrivateBin on your server. It's available on [ansible galaxy](https://galaxy.ansible.com/e1mo/privatebin) ([source code](https://git.sr.ht/~e1mo/ansible-role-privatebin)).
|
**NOTE:** There is a [ansible](https://ansible.com) role by @e1mo available to
|
||||||
|
install and configure PrivateBin on your server. It's available on
|
||||||
|
[ansible galaxy](https://galaxy.ansible.com/e1mo/privatebin)
|
||||||
|
([source code](https://git.sr.ht/~e1mo/ansible-role-privatebin)).
|
||||||
|
|
||||||
### Minimal requirements
|
### Minimal Requirements
|
||||||
|
|
||||||
- PHP version 7.0 or above
|
- PHP version 7.0 or above
|
||||||
- Or PHP version 5.6 AND _one_ of the following sources of cryptographically safe randomness:
|
- Or PHP version 5.6 AND _one_ of the following sources of cryptographically
|
||||||
- [Libsodium](https://download.libsodium.org/libsodium/content/installation/) and it's [PHP extension](https://paragonie.com/book/pecl-libsodium/read/00-intro.md#installing-libsodium)
|
safe randomness:
|
||||||
- open_basedir access to `/dev/urandom`
|
- [Libsodium](https://download.libsodium.org/libsodium/content/installation/)
|
||||||
- mcrypt extension (mcrypt needs to be able to access `/dev/urandom`. This means if `open_basedir` is set, it must include this file.)
|
and it's [PHP extension](https://paragonie.com/book/pecl-libsodium/read/00-intro.md#installing-libsodium)
|
||||||
|
- `open_basedir` access to `/dev/urandom`
|
||||||
|
- mcrypt extension AND `open_basedir` access to `/dev/urandom`
|
||||||
- com_dotnet extension
|
- com_dotnet extension
|
||||||
- GD extension
|
- GD extension
|
||||||
- zlib extension
|
- zlib extension
|
||||||
- some disk space or (optionally) a database supported by [PDO](https://php.net/manual/book.pdo.php)
|
- some disk space or a database supported by [PDO](https://php.net/manual/book.pdo.php)
|
||||||
- ability to create files and folders in the installation directory and the PATH defined in index.php
|
- ability to create files and folders in the installation directory and the PATH
|
||||||
- A web browser with JavaScript support
|
defined in index.php
|
||||||
|
- A web browser with JavaScript and (optional) WebAssembly support
|
||||||
|
|
||||||
## Hardening and security
|
## Hardening and Security
|
||||||
|
|
||||||
### Changing the path
|
### Changing the Path
|
||||||
|
|
||||||
In the index.php you can define a different `PATH`. This is useful to secure your
|
In the index.php you can define a different `PATH`. This is useful to secure
|
||||||
installation. You can move the configuration, data files, templates and PHP
|
your installation. You can move the configuration, data files, templates and PHP
|
||||||
libraries (directories cfg, doc, data, lib, tpl, tst and vendor) outside of your
|
libraries (directories cfg, doc, data, lib, tpl, tst and vendor) outside of your
|
||||||
document root. This new location must still be accessible to your webserver / PHP
|
document root. This new location must still be accessible to your webserver and
|
||||||
process (see also
|
PHP process (see also
|
||||||
[open_basedir setting](https://secure.php.net/manual/en/ini.core.php#ini.open-basedir)).
|
[open_basedir setting](https://secure.php.net/manual/en/ini.core.php#ini.open-basedir)).
|
||||||
|
|
||||||
> #### PATH Example
|
> #### PATH Example
|
||||||
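Review bot: The reworded mcrypt bullet, "mcrypt extension AND `open_basedir` access to `/dev/urandom`", drops the condition the old text stated, namely that `open_basedir` only has to include `/dev/urandom` if it is set at all. As written it reads as if `open_basedir` must be configured for mcrypt to be an acceptable randomness source. Suggest wording such as "mcrypt extension (if `open_basedir` is set, it must include `/dev/urandom`)". Since this commit is a rewording pass, "and it's [PHP extension]" should also become "its", and "There is a [ansible]" should become "an".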
@ -42,24 +50,25 @@ process (see also
|
|||||||
> http://example.com/paste/
|
> http://example.com/paste/
|
||||||
>
|
>
|
||||||
> The full path of PrivateBin on your webserver is:
|
> The full path of PrivateBin on your webserver is:
|
||||||
> /home/example.com/htdocs/paste
|
> /srv/example.com/htdocs/paste
|
||||||
>
|
>
|
||||||
> When setting the path like this:
|
> When setting the path like this:
|
||||||
> define('PATH', '../../secret/privatebin/');
|
> define('PATH', '../../secret/privatebin/');
|
||||||
>
|
>
|
||||||
> PrivateBin will look for your includes / data here:
|
> PrivateBin will look for your includes and data here:
|
||||||
> /home/example.com/secret/privatebin
|
> /srv/example.com/secret/privatebin
|
||||||
|
|
||||||
### Changing the config path only
|
### Changing the config path only
|
||||||
|
|
||||||
In situations where you want to keep the PrivateBin static files separate from the
|
In situations where you want to keep the PrivateBin static files separate from the
|
||||||
rest of your data, or you want to reuse the installation files on multiple vhosts,
|
rest of your data, or you want to reuse the installation files on multiple vhosts,
|
||||||
you may only want to change the `conf.php`. In this instance, you can set the
|
you may only want to change the `conf.php`. In this case, you can set the
|
||||||
`CONFIG_PATH` environment variable to the absolute path to the `conf.php` file.
|
`CONFIG_PATH` environment variable to the absolute path to the `conf.php` file.
|
||||||
This can be done in your web server's virtual host config, the PHP config, or in
|
This can be done in your web server's virtual host config, the PHP config, or in
|
||||||
the index.php if you choose to customize it.
|
the index.php, if you choose to customize it.
|
||||||
|
|
||||||
Note that your PHP process will need read access to the config wherever it may be.
|
Note that your PHP process will need read access to the configuration file,
|
||||||
|
wherever it may be.
|
||||||
|
|
||||||
> #### CONFIG_PATH example
|
> #### CONFIG_PATH example
|
||||||
> Setting the value in an Apache Vhost:
|
> Setting the value in an Apache Vhost:
|
||||||
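Review bot: Heading case is now inconsistent: "### Changing the config path only" and "#### CONFIG_PATH example" in this hunk stay in sentence case, while the previous hunk switches "### Changing the Path" to title case. Pick one convention for the whole file. The comma added in "the index.php, if you choose to customize it" is also not needed, since the "if" clause is restrictive.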
@ -73,23 +82,27 @@ Note that your PHP process will need read access to the config wherever it may b
|
|||||||
|
|
||||||
### Transport security
|
### Transport security
|
||||||
|
|
||||||
When setting up PrivateBin, also set up HTTPS, if you haven't already. Without HTTPS
|
When setting up PrivateBin, also set up HTTPS, if you haven't already. Without
|
||||||
PrivateBin is not secure, as the JavaScript files could be manipulated during transmission.
|
HTTPS PrivateBin is not secure, as the JavaScript or WebAssembly files could be
|
||||||
For more information on this, see our [FAQ entry on HTTPS setup](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https).
|
manipulated during transmission. For more information on this, see our
|
||||||
|
[FAQ entry on HTTPS setup recommendations](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https).
|
||||||
|
|
||||||
### File-level permissions
|
### File-level permissions
|
||||||
|
|
||||||
After completing the installation, you should make sure, other users on the system cannot read the config file or the `data/` directory, as – depending on your configuration – potential secret information are saved there.
|
After completing the installation, you should make sure, that other users on the
|
||||||
|
system cannot read the config file or the `data/` directory, as – depending on
|
||||||
|
your configuration – potentially sensitive information may be stored in there.
|
||||||
|
|
||||||
See [this FAQ item](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-the-recommended-file-and-folder-permissions-for-privatebin) for a detailed guide on how to "harden" the permissions of files and folders.
|
See our [FAQ entry on permissions](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-the-recommended-file-and-folder-permissions-for-privatebin)
|
||||||
|
for a detailed guide on how to "harden" access to files and folders.
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
In the file `cfg/conf.php` you can configure PrivateBin. A `cfg/conf.sample.php`
|
In the file `cfg/conf.php` you can configure PrivateBin. A `cfg/conf.sample.php`
|
||||||
is provided containing all options and default values. You can copy it to
|
is provided containing all options and their default values. You can copy it to
|
||||||
`cfg/conf.php` and adapt it as needed. Alternatively you can copy it anywhere and
|
`cfg/conf.php` and change it as needed. Alternatively you can copy it anywhere
|
||||||
set the `CONFIG_PATH` environment variable (see above notes). The config file is
|
and set the `CONFIG_PATH` environment variable (see above notes). The config
|
||||||
divided into multiple sections, which are enclosed in square brackets.
|
file is divided into multiple sections, which are enclosed in square brackets.
|
||||||
|
|
||||||
In the `[main]` section you can enable or disable the discussion feature, set
|
In the `[main]` section you can enable or disable the discussion feature, set
|
||||||
the limit of stored pastes and comments in bytes. The `[traffic]` section lets
|
the limit of stored pastes and comments in bytes. The `[traffic]` section lets
|
||||||
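Review bot: In the Transport security paragraph, the reflowed sentence "Without HTTPS PrivateBin is not secure" needs a comma after "HTTPS"; with the new line break it starts a line with "HTTPS PrivateBin", which reads like a product name. In the File-level permissions paragraph, "you should make sure, that other users" has a comma before "that" which should be dropped. Mentioning WebAssembly next to JavaScript as code that can be manipulated in transit is a good addition.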
@ -107,28 +120,28 @@ A `robots.txt` file is provided in the root dir of PrivateBin. It disallows all
|
|||||||
robots from accessing your pastes. It is recommend to place it into the root of
|
robots from accessing your pastes. It is recommend to place it into the root of
|
||||||
your web directory if you have installed PrivateBin in a subdirectory. Make sure
|
your web directory if you have installed PrivateBin in a subdirectory. Make sure
|
||||||
to adjust it, so that the file paths match your installation. Of course also
|
to adjust it, so that the file paths match your installation. Of course also
|
||||||
adjust the file if you already use a `robots.txt`.
|
adjust the file, if you already use a `robots.txt`.
|
||||||
|
|
||||||
A `.htaccess.disabled` file is provided in the root dir of PrivateBin. It blocks
|
A `.htaccess.disabled` file is provided in the root dir of PrivateBin. It blocks
|
||||||
some known robots and link-scanning bots. If you use Apache, you can rename the
|
some known robots and link-scanning bots. If you use Apache, you can rename the
|
||||||
file to `.htaccess` to enable this feature. If you use another webserver, you
|
file to `.htaccess` to enable this feature. If you use another webserver, you
|
||||||
have to configure it manually to do the same.
|
have to configure it manually to do the same.
|
||||||
|
|
||||||
### When using Cloudflare
|
### On using Cloudflare
|
||||||
|
|
||||||
If you want to use PrivateBin behind Cloudflare, make sure you have disabled the Rocket
|
If you want to use PrivateBin behind Cloudflare, make sure you have disabled the
|
||||||
loader and unchecked "Javascript" for Auto Minify, found in your domain settings,
|
Rocket loader and unchecked "Javascript" for Auto Minify, found in your domain
|
||||||
under "Speed". (More information
|
settings, under "Speed". More information can be found in our
|
||||||
[in this FAQ entry](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection))
|
[FAQ entry on Cloudflare related issues](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection).
|
||||||
|
|
||||||
### Using a database instead of flat files
|
### Using a Database Instead of Flat Files
|
||||||
|
|
||||||
In the configuration file the `[model]` and `[model_options]` sections let you
|
In the configuration file the `[model]` and `[model_options]` sections let you
|
||||||
configure your favourite way of storing the pastes and discussions on your
|
configure your favourite way of storing the pastes and discussions on your
|
||||||
server.
|
server.
|
||||||
|
|
||||||
`Filesystem` is the default model, which stores everything in files in the
|
`Filesystem` is the default model, which stores everything in files in the
|
||||||
data folder. This is the recommended setup for most sites.
|
data folder. This is the recommended setup for most sites on single hosts.
|
||||||
|
|
||||||
Under high load, in distributed setups or if you are not allowed to store files
|
Under high load, in distributed setups or if you are not allowed to store files
|
||||||
locally, you might want to switch to the `Database` model. This lets you
|
locally, you might want to switch to the `Database` model. This lets you
|
||||||
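Review bot: The two headings changed in this hunk follow different conventions: "### On using Cloudflare" is sentence case while "### Using a Database Instead of Flat Files" is title case. Use one style for both. In the same pass, the Cloudflare paragraph still spells "Javascript" where the rest of the document uses "JavaScript", the context line "It is recommend to place it" should read "recommended", and the comma added in "adjust the file, if you already use" is not needed.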
@ -142,21 +155,26 @@ to use a prefix for
|
|||||||
The table prefix option is called `tbl`.
|
The table prefix option is called `tbl`.
|
||||||
|
|
||||||
> #### Note
|
> #### Note
|
||||||
> The `Database` model has only been tested with SQLite, MySQL and PostgreSQL,
|
> The `Database` model has only been tested with SQLite, MariaDB/MySQL and
|
||||||
> although it would not be recommended to use SQLite in a production environment.
|
> PostgreSQL, although it would not be recommended to use SQLite in a production
|
||||||
> If you gain any experience running PrivateBin on other RDBMS, please let us
|
> environment. If you gain any experience running PrivateBin on other RDBMS,
|
||||||
> know.
|
> please let us know.
|
||||||
|
|
||||||
The following GRANTs (privileges) are required for the PrivateBin user in **MySQL**. In normal operation:
|
The following GRANTs (privileges) are required for the PrivateBin user in
|
||||||
|
**MariaDB/MySQL**. In normal operation:
|
||||||
- INSERT, SELECT, DELETE on the paste and comment tables
|
- INSERT, SELECT, DELETE on the paste and comment tables
|
||||||
- SELECT on the config table
|
- SELECT on the config table
|
||||||
|
|
||||||
If you want PrivateBin to handle table creation (when you create the first paste) and updates (after you update PrivateBin to a new release), you need to give the user these additional privileges:
|
If you want PrivateBin to handle table creation (when you create the first paste)
|
||||||
|
and updates (after you update PrivateBin to a new release), you need to give the
|
||||||
|
user these additional privileges:
|
||||||
- CREATE, INDEX and ALTER on the database
|
- CREATE, INDEX and ALTER on the database
|
||||||
- INSERT and UPDATE on the config table
|
- INSERT and UPDATE on the config table
|
||||||
|
|
||||||
For reference or if you want to create the table schema for yourself to avoid having to give PrivateBin too many permissions (replace
|
For reference or if you want to create the table schema for yourself to avoid
|
||||||
`prefix_` with your own table prefix and create the table schema with your favourite MySQL console):
|
having to give PrivateBin too many permissions (replace `prefix_` with your own
|
||||||
|
table prefix and create the table schema with your favourite MariaDB/MySQL
|
||||||
|
client):
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
CREATE TABLE prefix_paste (
|
CREATE TABLE prefix_paste (
|
||||||
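Review bot: The reflowed paragraph starting "For reference or if you want to create the table schema for yourself" is still a sentence fragment: it runs into "client):" without a main clause. This is the least-privilege path (creating the schema by hand so the PrivateBin user does not need CREATE, INDEX and ALTER), so it deserves a complete sentence, for example "To avoid giving PrivateBin these additional privileges, you can create the table schema yourself with the following statements (replace `prefix_` with your own table prefix):".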
@ -199,7 +217,7 @@ to be `CLOB` and not `BLOB` or `MEDIUMBLOB`, the `id` column in the `config`
|
|||||||
table needs to be `VARCHAR2(16)` and the `meta` column in the `paste` table
|
table needs to be `VARCHAR2(16)` and the `meta` column in the `paste` table
|
||||||
and the `value` column in the `config` table need to be `VARCHAR2(4000)`.
|
and the `value` column in the `config` table need to be `VARCHAR2(4000)`.
|
||||||
|
|
||||||
### Using Google Cloud Storage
|
#### Using Google Cloud Storage
|
||||||
If you want to deploy PrivateBin in a serverless manner in the Google Cloud, you
|
If you want to deploy PrivateBin in a serverless manner in the Google Cloud, you
|
||||||
can choose the `GoogleCloudStorage` as backend. To use this backend, you create
|
can choose the `GoogleCloudStorage` as backend. To use this backend, you create
|
||||||
a GCS bucket and specify the name as the model option `bucket`. Alternatively,
|
a GCS bucket and specify the name as the model option `bucket`. Alternatively,
|
||||||
|
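Review bot: Demoting the heading to "#### Using Google Cloud Storage" nests it under the section that the `VARCHAR2` column notes in the context lines belong to, but the paragraph describes `GoogleCloudStorage` as a backend of its own, configured through the model option `bucket`. Either keep it at `###` or rename the parent section so that it covers all storage backends. The heading is also followed directly by the paragraph text; the other headings in this file have a blank line after them.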
51
README.md
@ -2,24 +2,26 @@
|
|||||||
|
|
||||||
*Current version: 1.3.5*
|
*Current version: 1.3.5*
|
||||||
|
|
||||||
**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin)
|
**PrivateBin** is a minimalist, open source online
|
||||||
|
[pastebin](https://en.wikipedia.org/wiki/Pastebin)
|
||||||
where the server has zero knowledge of pasted data.
|
where the server has zero knowledge of pasted data.
|
||||||
|
|
||||||
Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
|
Data is encrypted and decrypted in the browser using 256bit AES in
|
||||||
|
[Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
|
||||||
|
|
||||||
This is a fork of ZeroBin, originally developed by
|
This is a fork of ZeroBin, originally developed by
|
||||||
[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). ZeroBin was refactored
|
[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). PrivateBin was
|
||||||
to allow easier and cleaner extensions. PrivateBin has many more features than the
|
refactored to allow easier and cleaner extensions and has many additional
|
||||||
original ZeroBin. It is, however, still fully compatible to the original ZeroBin 0.19
|
features. It is, however, still fully compatible to the original ZeroBin 0.19
|
||||||
data storage scheme. Therefore, such installations can be upgraded to PrivateBin
|
data storage scheme. Therefore, such installations can be upgraded to PrivateBin
|
||||||
without losing any data.
|
without losing any data.
|
||||||
|
|
||||||
## What PrivateBin provides
|
## What PrivateBin provides
|
||||||
|
|
||||||
+ As a server administrator you don't have to worry if your users post content
|
+ As a server administrator you don't have to worry if your users post content
|
||||||
that is considered illegal in your country. You have no knowledge of any
|
that is considered illegal in your country. You have plausible deniability of
|
||||||
of the pastes content. If requested or enforced, you can delete any paste from
|
any of the pastes content. If requested or enforced, you can delete any paste
|
||||||
your system.
|
from your system.
|
||||||
|
|
||||||
+ Pastebin-like system to store text documents, code samples, etc.
|
+ Pastebin-like system to store text documents, code samples, etc.
|
||||||
|
|
||||||
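Review bot: Replacing "You have no knowledge of any of the pastes content" with "You have plausible deniability of any of the pastes content" swaps a technical property for a legal claim that the README cannot back up, and "plausible deniability of ... content" does not parse well. Suggest keeping the zero-knowledge wording, for example "You have no knowledge of the pastes' content", which matches "the server has zero knowledge of pasted data" earlier in this hunk and also fixes the missing apostrophe.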
@ -31,13 +33,13 @@ without losing any data.
|
|||||||
|
|
||||||
## What it doesn't provide
|
## What it doesn't provide
|
||||||
|
|
||||||
- As a user you have to trust the server administrator not to inject any malicious
|
- As a user you have to trust the server administrator not to inject any
|
||||||
javascript code.
|
malicious code. For security, a PrivateBin installation *has to be used over*
|
||||||
For basic security, the PrivateBin installation *has to provide HTTPS*!
|
*HTTPS*! Otherwise you would also have to trust your internet provider, and
|
||||||
Otherwise you would also have to trust your internet provider, and any country
|
any jurisdiction the traffic passes through. Additionally the instance should
|
||||||
the traffic passes through.
|
be secured by
|
||||||
Additionally the instance should be secured by
|
[HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). It can
|
||||||
[HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). It can use traditional certificate authorities and/or use
|
use traditional certificate authorities and/or use a
|
||||||
[DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
|
[DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
|
||||||
protected
|
protected
|
||||||
[DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)
|
[DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)
|
||||||
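Review bot: The emphasis in "*has to be used over*" followed by "*HTTPS*!" on the next line is split into two spans only because of the line wrap. Markdown emphasis can continue across a soft line break, so a single span "*has to be used over HTTPS*" (or breaking the line before "has") keeps the markup simpler and avoids two separate italic runs. Broadening "malicious javascript code" to "malicious code" fits the WebAssembly mention added in INSTALL.md.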
@ -45,18 +47,17 @@ without losing any data.
|
|||||||
|
|
||||||
- The "key" used to encrypt the paste is part of the URL. If you publicly post
|
- The "key" used to encrypt the paste is part of the URL. If you publicly post
|
||||||
the URL of a paste that is not password-protected, anyone can read it.
|
the URL of a paste that is not password-protected, anyone can read it.
|
||||||
Use a password if you want your paste to be private. In this case, make sure to
|
Use a password if you want your paste to remain private. In that case, make
|
||||||
use a strong password and only share it privately and end-to-end-encrypted.
|
sure to use a strong password and share it privately and end-to-end-encrypted.
|
||||||
|
|
||||||
- A server admin might be forced to hand over access logs to the authorities.
|
- A server admin can be forced to hand over access logs to the authorities.
|
||||||
PrivateBin encrypts your text and the discussion contents, but who accessed a
|
PrivateBin encrypts your text and the discussion contents, but who accessed a
|
||||||
paste (first) might still be disclosed via access logs.
|
paste (first) might still be disclosed via access logs.
|
||||||
|
|
||||||
- In case of a server breach your data is secure as it is only stored encrypted
|
- In case of a server breach your data is secure as it is only stored encrypted
|
||||||
on the server. However, the server could be misused or the server admin could
|
on the server. However, the server could be absused or the server admin could
|
||||||
be legally forced into sending malicious JavaScript to all web users, which
|
be legally forced into sending malicious code to their users, which logs
|
||||||
grabs the decryption key and sends it to the server when a user accesses a
|
the decryption key and sends it to a server when a user accesses a paste.
|
||||||
PrivateBin.
|
|
||||||
Therefore, do not access any PrivateBin instance if you think it has been
|
Therefore, do not access any PrivateBin instance if you think it has been
|
||||||
compromised. As long as no user accesses this instance with a previously
|
compromised. As long as no user accesses this instance with a previously
|
||||||
generated URL, the content can't be decrypted.
|
generated URL, the content can't be decrypted.
|
||||||
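Review bot: Typo introduced in the server breach bullet: "the server could be absused" should be "abused". The change from "sends it to the server" to "sends it to a server" is a sensible correction, since the key could be exfiltrated to any host.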
@ -77,8 +78,8 @@ file](https://github.com/PrivateBin/PrivateBin/wiki/Configuration):
|
|||||||
* Syntax highlighting for source code using prettify.js, including 4 prettify
|
* Syntax highlighting for source code using prettify.js, including 4 prettify
|
||||||
themes
|
themes
|
||||||
|
|
||||||
* File upload support, images get displayed (disabled by default, possibility
|
* File upload support, image, media and PDF preview (disabled by default, size
|
||||||
to adjust size limit)
|
limit adjustable)
|
||||||
|
|
||||||
* Templates: By default there are bootstrap CSS, darkstrap and "classic ZeroBin"
|
* Templates: By default there are bootstrap CSS, darkstrap and "classic ZeroBin"
|
||||||
to choose from and it is easy to adapt these to your own websites layout or
|
to choose from and it is easy to adapt these to your own websites layout or
|
||||||
@ -89,7 +90,7 @@ file](https://github.com/PrivateBin/PrivateBin/wiki/Configuration):
|
|||||||
|
|
||||||
* Language selection (disabled by default, as it uses a session cookie)
|
* Language selection (disabled by default, as it uses a session cookie)
|
||||||
|
|
||||||
* QR code generation of URL, to easily transfer pastes over to a mobile device
|
* QR code for paste URLs, to easily transfer them over to mobile devices
|
||||||
|
|
||||||
## Further resources
|
## Further resources
|
||||||
|
|
||||||
|