Privatebin: Private backend and public frontend?

Created on 30 Jan 2018  Â·  7Comments  Â·  Source: PrivateBin/PrivateBin

Hi, probably a stupid question: is it possible to make Privatebin as really "private" (as opposed to public usable).
So in the sense there is backend for the user to input the paste, and the www just see the paste results in frontend.
Ofc backend may require auth.

Could there be a simple way to achieve this?

question

All 7 comments

Yes, you would only allow access to the / (the document root of the PB installation) by password protection or your fixed IP in your webserver configuration, while allowing public access to the paste URLs at /?[a-z0-9]{16}

In addition you could modify the template, removing the new and clone buttons and remove/change the link behind the logo. That way users would not feel invited to use these buttons to create pastes.

@elrido

Yeah, just did exactly what you suggested.
In Apache it's as simple as:

#PrivateBin
<Directory "www/path/to/privatebin/">
RewriteCond %{REQUEST_URI} ^/privatebin
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^ - [E=auth:1]

AuthName "PrivateBin"
AuthType Basic
AuthUserFile "/path/to/.htpasswd"

# first, allow everybody
Order Allow,Deny
Satisfy any
Allow from all
Require valid-user
# then, deny only if required
Deny from env=auth
</Directory>

I had to tweak the template a bit, but you're right, since no server-side check is done it's simply 'discouraging' in most sense, also commenting for public link doesn't work with my approach; the form is submitted to as POST to the root path "/" it seems, so commenting will always require authentication.

..but good enough.

since no server-side check is done it's simply 'discouraging' in most sense

Well... you just added the server side check. It is the Apache config.
And when you disallow the root, nobody without a password can create paste. And as comments are also an "edit action", which is handled via the root, you also cannot create comments. See the API docs for details about the paths.

So your instance would basically be "read-only" for public users.

So as it seems this question has been answered and I thus close this issue. If anyone has further questions on that topic, feel free to comment here, again.

I've managed to get it working with database registered users.
I used: https://github.com/peredurabefrog/phpSecureLogin
I had to work with the security requirements for adding new javascript to the PrivateBin main. I'm sure it could do with some work, so that's why I'm posting here really. I think it's relevant to this thread and if there's anyone who wants to help me clean the code up. Please pm me.

Demo: https://privatebin.ml/
You will be greeted with a Guest page. There's nothing you can do as a Guest, other than view Pastes that registered members have created, example: https://privatebin.ml/?cd1a46f2d590d890#8W0hpuRkyZUftYY1iGa4laye05MsE/tk/0CU31rt8nw=

Hope this is ok rugk. I needed to practice my php skills, so thought I'd give this a go.

EDIT: Also, if anyone wants to use either the .ga or .gq tld's for privatebin , I'll gladly release them. I'm keeping the .tk for guest pastes and .cf for testing stuffs :) , obviously the .ml is for registered members pastes. Right, i'm off for some rest.

Nice work. As for the SRI (JS error mesage), see the FAQ. In your case, you could also just remove the SRI hash there, then the browser would load it all.

I'm afraid it would likely not make sense to incooperate this into the main PB, however. Especially not with a unmaintained dependency (last commit 4 years ago…). :smile:

Anyway, what you do with your fork is your thing. Personally I'd rather go with server config changes, as it has been explained before.

I'm not seeing any js error messages. I followed the official guide as llinked to from your faq. Hope I didn't give you the wrong impression, I was just offering a solution for those who wanted this feature. I put the framework together, which works nicely. But I'm just asking if anyone with more coding experience than me to volunteer and help bring the scripts up to date.

Meanwhile, I'll continue to proudly host my PrivateBin instances :)

Thank you .

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Kcchouette picture Kcchouette  Â·  5Comments

hardware picture hardware  Â·  4Comments

Forza-tng picture Forza-tng  Â·  5Comments

elrido picture elrido  Â·  3Comments

elrido picture elrido  Â·  4Comments