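Lufi is a file upload tool with end-to-end (E2E) encryption: every file a user uploads is encrypted in the browser, so even the administrator of a Lufi instance cannot tell what you uploaded.
Here is how to install it on Debian 10: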
apt -y update
apt -y install build-essential libssl-dev libio-socket-ssl-perl liblwp-protocol-https-perl nginx python-certbot-nginx git
Install Carton:
cpan Carton
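Lufi supports SQLite, MySQL and PostgreSQL as its database. SQLite is used here, so no other dependencies need to be installed.
Clone the source, copy the configuration template and set the ownership (do this in /opt, because the systemd unit below uses /opt/lufi as its working directory):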
git clone https://framagit.org/fiat-tux/hat-softwares/lufi
cp lufi/lufi.conf.template lufi/lufi.conf
chown -R www-data:www-data lufi
cd lufi
Install the dependencies and edit the configuration file:
carton install --deployment --without=test --without=postgresql --without=mysql --without=ldap --without=htpasswd
nano lufi.conf
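Uncomment at least the settings shown below; many other options can be changed by following the notes in the configuration file. The secrets value shown is the template default, so replace it with your own random string, as its comment asks: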
{
    ####################
    # Hypnotoad settings
    ####################
    # see http://mojolicio.us/perldoc/Mojo/Server/Hypnotoad for a full list of settings
    hypnotoad => {
        # array of IP addresses and ports you want to listen to
        # you can specify a unix socket too, like 'http+unix://%2Ftmp%2Flufi.sock'
        listen => ['http://127.0.0.1:8081'],
        # if you use Lufi behind a reverse proxy like Nginx, you want to set proxy to 1
        # if you use Lufi directly, let it commented
        proxy => 1,
        # Please read http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers
        # to adjust this to your server
        workers => 30,
        clients => 1,
    },
    # Put a way to contact you here and uncomment it
    # You can put some HTML in it
    # MANDATORY
    contact => 'Contact page',
    # Put an URL or an email address to receive file reports and uncomment it
    # It's for make reporting illegal files easy for users
    # MANDATORY
    report => 'report@example.com',
    # Array of random strings used to encrypt cookies
    # optional, default is ['fdjsofjoihrei'], PLEASE, CHANGE IT
    secrets => ['fdjsofjoihrei'],
    # Name of the instance, displayed next to the logo
    # optional, default is Lufi
    instance_name => 'Lufi',
    # Choose a theme. See the available themes in `themes` directory
    # Optional, default is 'default'
    theme => 'default',
    # Length of the random URL
    # optional, default is 8
    length => 8,
    # How many URLs will be provisioned in a batch ?
    # optional, default is 5
    provis_step => 5,
    # Max number of URLs to be provisioned
    # optional, default is 100
    provisioning => 100,
    # Length of the modify/delete token
    # optional, default is 32
    token_length => 32,
    # Max file size, in octets
    # You can write it 100*1024*1024
    # optional, no default
    max_file_size => 104857600,
    #############
    # DB settings
    #############
    # Choose what database you want to use
    # Valid choices are sqlite, postgresql and mysql (all lowercase)
    # optional, default is sqlite
    dbtype => 'sqlite',
    # SQLite ONLY - only used if dbtype is set to sqlite
    # Define a path to the SQLite database
    # You can define it relative to lufi directory or set an absolute path
    # Remember that it has to be in a directory writable by Lufi user
    # optional, default is lufi.db
    db_path => 'lufi.db',
};
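A quick check of the edited file, as an added example (not part of the original guide or of Lufi itself): the hypothetical helpers audit_lufi_conf and new_secret flag a default or missing secrets value, a listen address that is not loopback-only and a missing proxy => 1, and generate a replacement secret. The sample config is constructed from the values shown above.

```shell
#!/bin/sh
# Added example: flag lufi.conf settings that are unsafe behind nginx.

# Active (non-comment, non-blank) lines of the config file.
active_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# Print one finding per line; no output means nothing was flagged.
# Assumes each setting sits on one line, as in lufi.conf.template.
audit_lufi_conf() {
    conf=$1
    if ! active_lines "$conf" | grep -Eq '^[[:space:]]*secrets[[:space:]]*=>'; then
        echo "secrets: not set, the published default is used"
    elif active_lines "$conf" | grep -q 'fdjsofjoihrei'; then
        echo "secrets: still the template default"
    fi
    urls=$(active_lines "$conf" | grep -E '^[[:space:]]*listen[[:space:]]*=>' |
        grep -Eo "http[^']*") || urls=""
    if [ -z "$urls" ]; then
        echo "listen: not set, Hypnotoad then listens on all interfaces"
    elif echo "$urls" | grep -Evq \
        '^https?://(127\.0\.0\.1|\[::1\]|localhost)([:/]|$)|^http\+unix://'; then
        echo "listen: bound to a non-loopback address"
    fi
    if ! active_lines "$conf" | grep -Eq '^[[:space:]]*proxy[[:space:]]*=>[[:space:]]*1'; then
        echo "proxy: not 1, X-Forwarded-* headers from nginx are ignored"
    fi
}

# 32 random bytes as 64 hex characters, for use as a new cookie secret.
new_secret() { od -An -N32 -tx1 /dev/urandom | tr -d ' \n'; }

# Constructed sample holding the values shown in this guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hypnotoad => {
    listen => ['http://127.0.0.1:8081'],
    proxy  => 1,
},
# optional, default is ['fdjsofjoihrei'], PLEASE, CHANGE IT
secrets => ['fdjsofjoihrei'],
EOF
audit_lufi_conf "$sample"
echo "suggested: secrets => ['$(new_secret)'],"
rm -f "$sample"
```

To check a real install, call audit_lufi_conf with the path to your own lufi.conf and restart the service after changing the secret.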
Create a systemd service file:
nano /etc/systemd/system/lufi.service
Write the following into it:
[Unit]
Description=File hosting service with encryption
Documentation=https://framagit.org/luc/lufi
Requires=network.target
After=network.target
[Service]
Type=forking
User=www-data
RemainAfterExit=yes
WorkingDirectory=/opt/lufi/
PIDFile=/opt/lufi/script/hypnotoad.pid
ExecStart=/usr/local/bin/carton exec hypnotoad script/lufi
ExecStop=/usr/local/bin/carton exec hypnotoad -s script/lufi
ExecReload=/usr/local/bin/carton exec hypnotoad script/lufi
[Install]
WantedBy=multi-user.target
Start the service and enable it at boot:
systemctl start lufi
systemctl enable lufi nginx.service
Create an nginx site configuration file:
nano /etc/nginx/conf.d/lufi.conf
Write the following into it:
server {
    listen 80;
    # Adapt this to your domain!
    server_name yourdomain.com;
    location / {
        # Add cache for static files
        if ($request_uri ~* ^/(img|css|font|js)/) {
            add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
            add_header Cache-Control "public, max-age=315360000";
        }
        # HTTPS only header, improves security
        #add_header Strict-Transport-Security "max-age=15768000";
        # Adapt this to your configuration (port, subdirectory (see below))
        proxy_pass http://127.0.0.1:8081;
        # Really important! Lufi uses WebSocket, it won't work without this
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # If you want to log the remote port of the file senders, you'll need that
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
        proxy_redirect off;
    }
}
Check the nginx configuration for errors:
nginx -t
If there are none, use certbot to issue an SSL certificate:
certbot --nginx --agree-tos --no-eff-email --email xxxxx@qq.com
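Opening your domain should now bring up the Lufi interface.
Uploaded files must be decrypted before they can be downloaded.
The data stored on the server is encrypted, so the administrator cannot see the contents of the files you upload.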