laantungir/ginxsom
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Stuck on a bug with auth, but got to push anyway.

Browse Source
This commit is contained in:
Your Name
2025-08-20 06:20:32 -04:00
parent b2b1240136
commit 8c3d2b1aac
18 changed files with 10443 additions and 151 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
config/local-nginx.conf
View File

@@ -46,6 +46,20 @@ http {
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
# Delete blob endpoint - DELETE /<sha256> (must come first)
location ~ "^/([a-f0-9]{64}).*$" {
# Only handle DELETE method for this pattern
if ($request_method != DELETE) {
# Let other patterns handle non-DELETE requests for this path
return 404;
}
# Pass to FastCGI application for processing
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
fastcgi_pass fastcgi_backend;
}
# Old working regex pattern - testing rollback
location ~ "^/([a-f0-9]{64})(\.[a-zA-Z0-9]+)?$" {
limit_except HEAD GET {

131
config/nginx/ginxsom.conf
View File

@@ -1,131 +0,0 @@
# Ginxsom Blossom Server Configuration
# This configuration serves files directly via nginx for maximum performance
# while handling authenticated operations through FastCGI
server {
listen 80;
server_name localhost; # Change this to your domain
# Root directory for blossom files (organized by SHA-256 hash)
root /var/lib/ginxsom/files;
# Maximum upload size (adjust as needed)
client_max_body_size 100M;
# Security headers
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
# Logging
access_log /var/log/nginx/ginxsom_access.log;
error_log /var/log/nginx/ginxsom_error.log;
# Static file serving - nginx handles this directly for maximum performance
# Files are stored as: /var/lib/ginxsom/files/{first2chars}/{remaining_hash}
location ~ ^/([a-f0-9]{64})$ {
set $hash $1;
set $prefix $1; # First 2 characters
set $suffix $1; # Remaining characters
# Extract first 2 chars and remaining
if ($hash ~ ^([a-f0-9]{2})([a-f0-9]{62})$) {
set $prefix $1;
set $suffix $2;
}
try_files /$prefix/$suffix =404;
# Set proper content type based on file extension in metadata
# This will be enhanced when we add metadata lookup
add_header Content-Type application/octet-stream;
add_header Cache-Control "public, max-age=31536000, immutable";
}
# HEAD requests for file existence checking
# This endpoint checks if a file exists and returns metadata
location ~ ^/head/([a-f0-9]{64})$ {
# Pass to FastCGI application for metadata lookup
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
fastcgi_param REQUEST_METHOD HEAD;
fastcgi_param BLOSSOM_HASH $1;
fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
}
# Upload endpoint - requires authentication
location /upload {
# Pass to FastCGI application for processing
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
# Only allow PUT method for uploads
if ($request_method !~ ^(PUT)$ ) {
return 405;
}
}
# List endpoint - returns list of files (if enabled)
location /list {
# Pass to FastCGI application
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
# Only allow GET method
if ($request_method !~ ^(GET)$ ) {
return 405;
}
}
# Mirror endpoint - for mirroring files from other servers
location /mirror {
# Pass to FastCGI application
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
# Only allow PUT method
if ($request_method !~ ^(PUT)$ ) {
return 405;
}
}
# Delete endpoint - requires authentication
location ~ ^/([a-f0-9]{64})$ {
# Handle DELETE requests through FastCGI
if ($request_method = DELETE) {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
fastcgi_param BLOSSOM_HASH $1;
fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
}
# For GET/HEAD, fall through to static file serving above
}
# Health check endpoint
location /health {
# Pass to FastCGI application
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
access_log off;
}
# Deny access to hidden files and directories
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Deny access to backup and temporary files
location ~ ~$ {
deny all;
access_log off;
log_not_found off;
}
}

47
config/systemd/ginxsom.service
View File

@@ -1,47 +0,0 @@
[Unit]
Description=Ginxsom Blossom Server FastCGI Application
After=network.target
Wants=network-online.target
After=network-online.target
[Service]
Type=notify
User=ginxsom
Group=ginxsom
WorkingDirectory=/var/lib/ginxsom
ExecStart=/usr/local/bin/ginxsom --fastcgi --socket /run/ginxsom/ginxsom.sock
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=5s
# Security settings
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/ginxsom /run/ginxsom /var/log/ginxsom
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
# Resource limits
LimitNOFILE=65536
LimitNPROC=4096
# Environment
Environment=GINXSOM_CONFIG=/etc/ginxsom/config.toml
Environment=GINXSOM_DATA_DIR=/var/lib/ginxsom
Environment=GINXSOM_LOG_LEVEL=info
[Install]
WantedBy=multi-user.target