Disable remote upload

devon

Chevereto Noob
Can I disable remote upload of images (via URL) in the panel? I do not want to show my IP.
Cloudflare said:
Never initiate an outbound connection based on user action.
If the attacker can get your web server to connect to an arbitrary address, they will reveal your origin IP. Features like "upload from URL" that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server. This is important because if an attacker can choose the URL entered, they can set up a web site specifically to monitor who connects to it, or use a public service that monitors the IPs that contact unique URLs.
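
The Cloudflare advice quoted above, as an added example that is not part of the original thread and is not Chevereto code: a URL fetcher that sends every download through a separate egress proxy, so the remote site logs the proxy's address instead of the origin's, and that refuses to run when no proxy is configured. The proxy address, size limit and function names are assumptions made for illustration.

```python
import ipaddress
import urllib.request
from urllib.parse import urlsplit

MAX_BYTES = 10 * 1024 * 1024  # assumed upload size limit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the validated URL is the one actually fetched."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def validate_remote_url(url):
    """Allow only http(s) URLs whose host is not a non-public IP literal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are accepted")
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return url  # a DNS name; the egress proxy resolves it, not the origin
    if not ip.is_global:
        raise ValueError("non-public address refused")
    return url


def build_egress_opener(egress_proxy):
    """Opener whose every connection leaves through the egress proxy."""
    if not egress_proxy:
        # Fail closed: without a separate egress host the origin would connect itself.
        raise RuntimeError("remote upload disabled: no egress proxy configured")
    proxies = {"http": egress_proxy, "https": egress_proxy}
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(proxies), NoRedirect())


def fetch_remote_image(url, egress_proxy):
    """Download a user-supplied URL; the remote site sees the proxy's IP."""
    opener = build_egress_opener(egress_proxy)
    with opener.open(validate_remote_url(url), timeout=10) as resp:
        data = resp.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("remote file too large")
    return data
```

The proxy host itself should sit on a different address from the origin and have no route back to internal services.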
 
Can I disable remote upload of images (via URL) in the panel? I do not want to show my IP.

Oh.. is this/this is something to worry about, security wise?


(And.. hi there, nice to meet you all! Just signed up here to learn about Chevereto.. intend to buy a license :))
 
Oh.. is this/this is something to worry about, security wise?

It is more privacy-wise than security; remote uploads could detect the server IP running Chevereto, and for people hosting some illegal content it could be a problem because you can detect the real server IP. I don't like the idea of Chevereto being used for illegal activities or to conceal illegal activities; removing remote uploads will help those doing this kind of activity.

But this also allows attackers to get your real server IP and issue several types of attacks.

In both scenarios it is a problem.
 
You do realize that's idiotic? Why would you give attackers a way to "resolve" the backend IP? This is a security issue for many people; anyone can resolve the IP and DDoS the site and cause downtime for people who just use Cloudflare as a reverse proxy to hide the backend.
 
Most likely this will be configurable in V4.

By the way, hiding your real IP is the lazy way to deal with DDoS. What kind of protection is obscuration anyway? It is a server, not a toy. You can put a firewall on top of it; in fact, it is standard to have a DDoS firewall nowadays and any large production website should have a firewall.
 
So what is the way to only permit upload via the API? A friend is using one of my Chevereto instances to upload images to his iOS app (he is a dev) and he wants to remove access to the website (for moderation purposes), so is there no way to use the API only?
 
You could always customize the routes, the forms, the everything.

Literally you can achieve everything someone ever suggested or requested; the problem is that while some editing is as easy as touching one line, other stuff is way harder and more complicated. What you have to realize is that V3 was made to be a customizable solution by providing turnkey options, not pluggable code.

So what is the way to only permit upload via the API?
Disabling uploads and creating a custom API for your needs.
 