Disable remote upload

devon

#1
Can I disable remote image uploads (via URL) in the panel? I do not want to show my IP.
Cloudflare said:
Never initiate an outbound connection based on user action.
If the attacker can get your web server to connect to an arbitrary address, they will reveal your origin IP. Features like "upload from URL" that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server. This is important because if an attacker can choose the URL entered, they can set up a web site specifically to monitor who connects to it, or use a public service that monitors the IPs that contact unique URLs.
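The arrangement the Cloudflare quote describes, as an added example that is not part of the original posts and is not Chevereto or Cloudflare code: every "upload from URL" download goes through a separate egress proxy, and the fetch is refused if no proxy is configured. The proxy hostname, the function names and the size limit are assumptions made for illustration.

```python
import ipaddress
import urllib.request
from urllib.parse import urlsplit

# Assumption: a forward proxy on a separate host, so its IP (not the origin's)
# is what the remote site sees. Hostname and port are hypothetical.
EGRESS_PROXY = "http://egress.internal.example:3128"


class FetchRefused(ValueError):
    """Raised before any outbound connection is attempted."""


def check_remote_url(url):
    """Validate a user-supplied image URL; return it unchanged if acceptable."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        raise FetchRefused("malformed URL") from exc
    if parts.scheme not in ("http", "https"):
        raise FetchRefused("scheme not allowed")
    if parts.username or parts.password or not parts.hostname:
        raise FetchRefused("missing host or embedded credentials")
    if port not in (None, 80, 443):
        raise FetchRefused("port not allowed")
    try:
        literal = ipaddress.ip_address(parts.hostname)
    except ValueError:
        literal = None  # a hostname: resolved by the egress proxy, not the origin
    if literal is not None and not literal.is_global:
        raise FetchRefused("non-public address")
    return url


def egress_opener(proxy=EGRESS_PROXY):
    """Build an opener that sends http and https via the proxy; fail closed if unset."""
    if not proxy:
        raise FetchRefused("no egress proxy configured; refusing direct fetch")
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    return urllib.request.build_opener(handler)


def fetch_image(url, proxy=EGRESS_PROXY, max_bytes=10 * 1024 * 1024):
    """Download at most max_bytes of the image through the egress proxy."""
    with egress_opener(proxy).open(check_remote_url(url), timeout=10) as resp:
        return resp.read(max_bytes)
```

urllib's ProxyHandler honours a `no_proxy` environment variable, so the origin's firewall should also block direct outbound HTTP(S) from the web server rather than relying on the application alone.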
 

TimT

#4
Can I disable remote image uploads (via URL) in the panel? I do not want to show my IP.
Oh.. is this/this is something to worry about, security wise?


(And.. hi there, nice to meet you all! Just signed up here to learn about Chevereto.. intend to buy a license :))
 

Rodolfo

Chevereto Guru
Staff member
#5
Oh.. is this/this is something to worry about, security wise?
It is more privacy-wise than security; remote uploads could detect the server IP running Chevereto, and for people hosting some illegal content it could be a problem because you can detect the real server IP. I don't like the idea of Chevereto being used for illegal activities or to conceal illegal activities; removing remote uploads will help those doing this kind of activity.

But this also allows attackers to get your real server IP and issue several types of attacks.

In both scenarios it is a problem.
 

stras

#6
You do realize that's idiotic? Why would you give attackers a way to "resolve" the backend IP? This is a security issue for many people; anyone can resolve the IP and DDoS the site and cause downtime for people who just use Cloudflare as a reverse proxy to hide the backend.
 

Rodolfo

#7
Most likely this will be configurable in V4.

By the way, hiding your real IP is the lazy way to deal with DDoS. What kind of protection is obscuration anyway? It is a server, not a toy. You can put a firewall on top of it; in fact, it is standard to have a DDoS firewall nowadays, and any large production website should have a firewall.
 

stras

#8
What do you mean by V4?
And the server has L4 protection, but L7 is kinda shitty.