Monday, 30 March 2020

Lufi: a file upload tool with end-to-end encryption

Lufi is a file upload tool with end-to-end (E2E) encryption: every file a user uploads is encrypted by the browser before it leaves the machine, so even the administrator of a Lufi instance cannot tell what you uploaded.

Here is how to install it on Debian 10:

apt -y update
apt -y install build-essential libssl-dev libio-socket-ssl-perl liblwp-protocol-https-perl nginx python-certbot-nginx git

Install Carton:
cpan Carton
Lufi supports SQLite, MySQL or PostgreSQL as its database. SQLite is used here, so no further dependencies are needed.

Pull the source, copy the configuration template and set the correct ownership (the systemd unit further down expects the repository at /opt/lufi, so run this from /opt):

git clone https://framagit.org/fiat-tux/hat-softwares/lufi
cp lufi/lufi.conf.template lufi/lufi.conf
chown -R www-data:www-data lufi
cd lufi

Install the dependencies and edit the configuration file:
carton install --deployment --without=test --without=postgresql --without=mysql --without=ldap --without=htpasswd
nano lufi.conf
At a minimum, uncomment the lines shown below (and replace the default 'secrets' value with your own random string, as its comment asks); the configuration file documents many other options you can adjust:
{
    ####################
    # Hypnotoad settings
    ####################
    # see http://mojolicio.us/perldoc/Mojo/Server/Hypnotoad for a full list of settings
    hypnotoad => {
        # array of IP addresses and ports you want to listen to
        # you can specify a unix socket too, like 'http+unix://%2Ftmp%2Flufi.sock'
        listen => ['http://127.0.0.1:8081'],
        # if you use Lufi behind a reverse proxy like Nginx, you want to set proxy to 1
        # if you use Lufi directly, let it commented
        proxy  => 1,

        # Please read http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers
        # to adjust this to your server
        workers => 30,
        clients => 1,
    },

    # Put a way to contact you here and uncomment it
    # You can put some HTML in it
    # MANDATORY
    contact       => 'Contact page',

    # Put an URL or an email address to receive file reports and uncomment it
    # It's for make reporting illegal files easy for users
    # MANDATORY
    report => 'report@example.com',

    # Array of random strings used to encrypt cookies
    # optional, default is ['fdjsofjoihrei'], PLEASE, CHANGE IT
    secrets        => ['fdjsofjoihrei'],

    # Name of the instance, displayed next to the logo
    # optional, default is Lufi
    instance_name => 'Lufi',

    # Choose a theme. See the available themes in `themes` directory
    # Optional, default is 'default'
    theme         => 'default',

    # Length of the random URL
    # optional, default is 8
    length            => 8,

    # How many URLs will be provisioned in a batch ?
    # optional, default is 5
    provis_step       => 5,

    # Max number of URLs to be provisioned
    # optional, default is 100
    provisioning      => 100,

    # Length of the modify/delete token
    # optional, default is 32
    token_length      => 32,

    # Max file size, in octets
    # You can write it 100*1024*1024
    # optional, no default
    max_file_size     => 104857600,

    #############
    # DB settings
    #############

    # Choose what database you want to use
    # Valid choices are sqlite, postgresql and mysql (all lowercase)
    # optional, default is sqlite
    dbtype => 'sqlite',

    # SQLite ONLY - only used if dbtype is set to sqlite
    # Define a path to the SQLite database
    # You can define it relative to lufi directory or set an absolute path
    # Remember that it has to be in a directory writable by Lufi user
    # optional, default is lufi.db
    db_path           => 'lufi.db',
};

Create a systemd service file:
nano /etc/systemd/system/lufi.service
with the following content:
[Unit]
Description=File hosting service with encryption
Documentation=https://framagit.org/luc/lufi
Requires=network.target
After=network.target

[Service]
Type=forking
User=www-data
RemainAfterExit=yes
WorkingDirectory=/opt/lufi/
PIDFile=/opt/lufi/script/hypnotoad.pid
ExecStart=/usr/local/bin/carton exec hypnotoad script/lufi
ExecStop=/usr/local/bin/carton exec hypnotoad -s script/lufi
ExecReload=/usr/local/bin/carton exec hypnotoad script/lufi

[Install]
WantedBy=multi-user.target

Start the service and enable it at boot:
systemctl start lufi
systemctl enable lufi nginx.service

Create an nginx site configuration file:
nano /etc/nginx/conf.d/lufi.conf
with the following content:

server {
    listen 80;

    # Adapt this to your domain!
    server_name yourdomain.com;

    location / {
        # Add cache for static files
        if ($request_uri ~* ^/(img|css|font|js)/) {
            add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
            add_header Cache-Control "public, max-age=315360000";
        }
        # HTTPS only header, improves security
        #add_header Strict-Transport-Security "max-age=15768000";
        # Adapt this to your configuration (port, subdirectory (see below))
        proxy_pass  http://127.0.0.1:8081;
        # Really important! Lufi uses WebSocket, it won't work without this
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # If you want to log the remote port of the file senders, you'll need that
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
        proxy_redirect     off;
    }
}

Check your nginx configuration for errors:
nginx -t

If that passes, issue a TLS certificate with certbot:
certbot --nginx --agree-tos --no-eff-email --email xxxxx@qq.com
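The steps above leave three settings that are easy to get wrong: the MANDATORY keys left commented, the template cookie secret left in place, and proxy not set to 1 behind nginx. The following POSIX shell script is an added example (not part of the Lufi project or of this post) that checks a lufi.conf for these before the service is started; it assumes the config path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the Lufi project: sanity-check a lufi.conf before
# starting hypnotoad behind nginx.
# Usage: check_lufi_conf /opt/lufi/lufi.conf   (returns 0 only when clean)

# Print the value of an UNCOMMENTED key, e.g. key_value contact lufi.conf
# "    contact       => 'Contact page',"  ->  Contact page
key_value() {
    grep -E "^[[:space:]]*$1[[:space:]]*=>" "$2" | head -n1 \
        | sed -E "s/^[^>]*=>[[:space:]]*//; s/,[[:space:]]*$//; s/^'(.*)'$/\1/"
}

check_lufi_conf() {
    conf="$1"; rc=0
    # Keys the template marks MANDATORY: they must exist uncommented and non-empty
    for key in contact report secrets; do
        if [ -z "$(key_value "$key" "$conf")" ]; then
            echo "MISSING: '$key' is commented out or empty (MANDATORY)"; rc=1
        fi
    done
    # The template default 'fdjsofjoihrei' is public: anyone can forge cookies signed with it
    if key_value secrets "$conf" | grep -q "fdjsofjoihrei"; then
        echo "WEAK: secrets still uses the template default, generate your own"; rc=1
    fi
    # Behind nginx, proxy => 1 is needed for Lufi to trust the X-Forwarded-* headers
    if [ "$(key_value proxy "$conf")" != "1" ]; then
        echo "WARN: proxy is not set to 1, but nginx fronts this instance"; rc=1
    fi
    return $rc
}

# Produce a 64-hex-character replacement for the secrets entry from the kernel CSPRNG
new_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}
```

Run it as check_lufi_conf lufi.conf after editing, and paste the output of new_secret into the secrets array.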

Open your domain and you should see the application interface.
An uploaded file has to be decrypted before it can be downloaded.
What is stored on the server is ciphertext, so the administrator cannot see the content of what you uploaded.