Disable remote upload

devon

Chevereto Noob
Can I disable remote upload of images (via URL) in the panel? I do not want to show my IP.
Cloudflare said:
Never initiate an outbound connection based on user action.
If the attacker can get your web server to connect to an arbitrary address, they will reveal your origin IP. Features like "upload from URL" that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server. This is important because if an attacker can choose the URL entered, they can set up a web site specifically to monitor who connects to it, or use a public service that monitors the IPs that contact unique URLs.
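
The arrangement the Cloudflare quote describes, as an added example that is not part of this thread or of Chevereto's code: the URL download is sent through a separate egress proxy, so the remote host sees the proxy's address rather than the origin's. `fetchRemoteImage` and the `EGRESS_PROXY` environment variable are hypothetical names, and the proxy is assumed to run on a host with a different public IP.

```php
<?php
// Added example (not Chevereto code). EGRESS_PROXY is a hypothetical setting,
// e.g. "http://egress.internal.example:3128" (constructed value).

function fetchRemoteImage(string $url, int $maxBytes = 10485760): string
{
    $proxy = getenv('EGRESS_PROXY');
    if ($proxy === false || $proxy === '') {
        // Fail closed: without a proxy, never connect from the origin directly.
        throw new RuntimeException('Remote upload disabled: no egress proxy configured');
    }

    $parts = parse_url($url);
    if (!is_array($parts) || empty($parts['host'])
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http(s) URLs with a host are accepted');
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROXY           => $proxy, // the proxy resolves and contacts the host
        CURLOPT_NOPROXY         => '',     // ignore NO_PROXY entries that would bypass it
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 20,
        // Collect the body ourselves so oversized downloads are cut off early.
        CURLOPT_WRITEFUNCTION   => function ($ch, string $chunk) use (&$body, $maxBytes) {
            if (strlen($body) + strlen($chunk) > $maxBytes) {
                return 0; // returning fewer bytes than received aborts the transfer
            }
            $body .= $chunk;
            return strlen($chunk);
        },
    ]);

    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    if ($ok === false || $status !== 200) {
        // No retry without the proxy: a failed proxy fetch is a failed upload.
        throw new RuntimeException("Remote fetch failed (HTTP $status): $error");
    }
    return $body;
}
```

A firewall rule on the origin that only allows outbound traffic to the proxy makes the same guarantee hold for any code path that forgets to use this function.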
 
Can I disable remote upload of images (via URL) in the panel? I do not want to show my IP.

Oh.. is this/this is something to worry about, security wise?


(And.. hi there, nice to meet you all! just signed up here to learn about chevereto.. intend buy a license 🙂)
 
Oh.. is this/this is something to worry about, security wise?

It is more privacy-wise than security-wise: remote uploads could be used to detect the IP of the server running Chevereto, and for people hosting illegal content that could be a problem because the real server IP can be detected. I don't like the idea of Chevereto being used for illegal activities or to conceal illegal activities; removing remote uploads will help those doing this kind of activity.

But this also allows attackers to get your real server IP and launch several types of attacks.

In both scenarios it is a problem.
 
You do realize that's idiotic? Why would you give attackers a way to "resolve" the backend IP? This is a security issue for many people: anyone can resolve the IP and DDoS the site and cause downtime for people who just use Cloudflare as a reverse proxy to hide the backend.
 
Most likely this will be configurable in V4.

By the way, hiding your real IP is the lazy way to deal with DDoS. What kind of protection is obscuration anyway? It is a server, not a toy. You can put a firewall on top of it; in fact, it is standard to have a DDoS firewall nowadays, and any large production website should have a firewall.
 
So what is the way to only permit upload via the API? A friend is using one of my Chevereto instances to upload images to his iOS app (he is a dev) and he wants to remove access to the website (for moderation purposes). So is there no way to use the API only?
 
You could always customize the routes, the forms, the everything.

Literally, you can achieve everything someone ever suggested or requested. The problem is that while some editing is as easy as touching one line, other stuff is way harder and more complicated. What you have to realize is that V3 was made to be a customizable solution by providing turnkey options, not pluggable code.

So what is the way to only permit upload via the API?
Disabling uploads and creating a custom API for your need.
 