Rick_C137

joined 10 months ago
 

cross-posted from: https://programming.dev/post/18360806

3
submitted 2 days ago* (last edited 2 days ago) by [email protected] to c/[email protected]
 

Hi everyone,

I would like to enable Cross-Origin Resource Sharing on my Nginx server for a few origins (CORS requestors)/domains.

I've found this article https://www.juannicolas.eu/how-to-set-up-nginx-cors-multiple-origins that is nice, but not complete, and in my browser it seems really hard to read due to the layout 🤮

So I've opened a Codeberg git repository for the good souls who want to perfect this piece of code to allow most of us to use CORS with Nginx.

https://codeberg.org/R1ckSanchez_C137/BestOfxxx/src/branch/main/Nginx/CORS_MultiDomains.py
and
https://codeberg.org/R1ckSanchez_C137/BestOfxxx/issues

If you don't want to create an account on Codeberg, feel free to post your code here !

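# "map" is only valid in the http context, so it sits outside the server block.
map "$http_origin" $cors { # map in Nginx is somewhat like a switch case in a programming language.
    default ''; # Seems to set $cors to '' (empty string) if none of the following regexes match?
    "~^https:\/\/([\w.-]+\.)?example\.com$" "$http_origin";
        # regex domain match (the dot in the domain is escaped so it only matches a literal ".")
        # ~ means, I suppose, the string is a RegEx?
        # Need to come up with a RegEx expression that matches https://anything.example.com[optional ports and query string ?X=Y]
    "~^https:\/\/([\w.-]+\.)?example2\.com$" "$http_origin"; # regex domain match
}

server {
    # Server

    location /static {

        # if preflight request, we will cache it
        if ($request_method = 'OPTIONS') {
            # The preflight response needs the CORS headers too: only the add_header
            # lines of this block apply to it. An empty $cors value sends no header.
            add_header 'Access-Control-Allow-Origin' "$cors";
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With';
            add_header 'Access-Control-Max-Age' 1728000; # 20 days
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204; # https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/204
        }

        if ($cors != "") {
            add_header 'Access-Control-Allow-Origin' "$cors" always; # <-- Variable $cors
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With' always;
        }

        # configuration lines...

    }
}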
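
An added example, not part of the original post or the linked repository: a Python helper that renders the `map` block from a domain list and emulates its decision, so the origin regex can be tested before it is deployed. It goes one step beyond the post by accepting an optional port; the function names and sample origins are constructed for illustration.

```python
import re

# Assumed allowlist: the two placeholder domains used in the post.
ALLOWED_DOMAINS = ["example.com", "example2.com"]


def origin_pattern(domain):
    """Regex for https://<domain> or any subdomain, with an optional port.

    An Origin header is scheme://host[:port] only. It never carries a path
    or a query string, so nothing after the port has to be matched.
    """
    return r"^https://([\w.-]+\.)?" + re.escape(domain) + r"(:\d+)?$"


def nginx_map(domains):
    """Render the map block (http context) for the given domains."""
    lines = ['map "$http_origin" $cors {', "    default '';"]
    for d in domains:
        lines.append(f'    "~{origin_pattern(d)}" "$http_origin";')
    lines.append("}")
    return "\n".join(lines)


def cors_value(origin, domains=ALLOWED_DOMAINS):
    """Emulate the map: echo the origin when it is allowed, else ''."""
    for d in domains:
        if re.search(origin_pattern(d), origin, re.ASCII):
            return origin
    return ""


# Constructed sample Origin values covering the usual near misses.
SAMPLES = [
    "https://example.com",            # apex domain
    "https://static.example.com",     # subdomain
    "https://a.b.example2.com:8443",  # subdomain with port
    "http://example.com",             # wrong scheme
    "https://evilexample.com",        # different registrable domain
    "https://example.com.evil.net",   # allowed name used as a prefix
    "https://exampleXcom",            # only matches if the dot is unescaped
]


def report(samples=SAMPLES):
    """Map each sample origin to True (echoed back) or False (no header)."""
    return {o: cors_value(o) != "" for o in samples}


if __name__ == "__main__":
    print(nginx_map(ALLOWED_DOMAINS))
    for origin, allowed in report().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {origin}")
```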
[–] [email protected] 2 points 1 week ago
setfacl -m m:r aFile
#re set the mask

solves the problem, but the question is: why the F**** is this happening !?

0
submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]
 

Hi,

I've got FileA that has 640; a getfacl FileA gives me

# file: FileA
# owner: me
# group: me
user::rw-
user:aUser:r--
group::r-x			#effective:r--
mask::r--
other::---

So it gives me the expected...

but when I do

chmod 600 aFile
getfacl aFile
...
user:aUser:r--		#effective:---
...
mask::---
...

Why did aUser suddenly lose his ability to read the file !?!?!

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (2 children)

Update, this is only happening when I copy files from a ~SMB share... :'(
Otherwise it's correct...

 

Hi,

I've set for a directory the following

setfacl -dm u:aUser:r aDirectory
#set new files to be readable by aUser

cp ~/Desktop/aFile.txt /xx/xx/xx/aDirectory

getfacl aFile.txt #the copied one
# file: aFile.txt
# owner: me
# group: me
user::rwx
user:aUser:r--
group::r-x
mask::rwx
other::rwx

So indeed we see the aUser got r--

but

stat aFile.txt

returns

(0777/-rwxrwxrwx) #!!!!

is that normal !!!!???

Thanks.
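
The `chmod 600` post and this post both come down to the ACL mask entry. As an added illustration (not part of either post), here is a small Python model of the acl(5) rules: with a mask present, `chmod` writes its group digit to the mask, named entries are limited by the mask, and `stat` shows the mask as the group digit. It only models the rules and does not touch the filesystem.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def to_bits(perm):
    """'r-x' -> 5"""
    return sum(PERM_BITS[c] for c in perm if c != "-")


def to_text(bits):
    """5 -> 'r-x'"""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def parse_acl(text):
    """Parse getfacl-style lines into {(tag, qualifier): bits}."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop "# file:" and "#effective:" comments
        if line:
            tag, qualifier, perm = line.split(":")
            acl[(tag, qualifier)] = to_bits(perm)
    return acl


def chmod(acl, mode):
    """Apply chmod: when a mask entry exists, the group digit goes to the mask."""
    new = dict(acl)
    new[("user", "")] = (mode >> 6) & 7
    new[("other", "")] = mode & 7
    target = ("mask", "") if ("mask", "") in acl else ("group", "")
    new[target] = (mode >> 3) & 7
    return new


def effective(acl, tag, qualifier=""):
    """Owner and other are never masked; every other entry is ANDed with the mask."""
    bits = acl[(tag, qualifier)]
    if (tag, qualifier) in (("user", ""), ("other", "")):
        return to_text(bits)
    return to_text(bits & acl.get(("mask", ""), 7))


def stat_mode(acl):
    """Mode as shown by stat/ls: the group digit is the mask when one exists."""
    group = acl.get(("mask", ""), acl[("group", "")])
    return (acl[("user", "")] << 6) | (group << 3) | acl[("other", "")]


# ACLs copied from the two posts.
FILE_A = parse_acl("""# file: FileA
user::rw-
user:aUser:r--
group::r-x\t\t\t#effective:r--
mask::r--
other::---""")
COPIED = parse_acl("user::rwx\nuser:aUser:r--\ngroup::r-x\nmask::rwx\nother::rwx")

if __name__ == "__main__":
    print(oct(stat_mode(FILE_A)))                 # mode before chmod
    after = chmod(FILE_A, 0o600)
    print(effective(after, "user", "aUser"))      # aUser after chmod 600
    print(oct(stat_mode(COPIED)))                 # mode of the copied file
```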

[–] [email protected] 5 points 1 week ago (5 children)
[–] [email protected] 1 points 1 month ago

Thank you all !

Indeed, setting execute perm on example, sub1, sub2, static

The program/user now has access to the directory.

In other words, all the parent directories need at least execute in order to have access to the targeted directory...

Now I gave 751 for static. Meaning that others (here nginx) cannot list the files within. But nevertheless it works:
the static files are appearing when requested (HTTP), but is forbidding nginx to list the directory changing something ? (performance/security)

Thanks

 

Hi,

I've noticed something quite odd, but I don't know if the problem comes from Linux itself or nginx..

In order to grant nginx access to a directory, let's say your static, see: https://stackoverflow.com/questions/16808813/nginx-serve-static-file-and-got-403-forbidden

These parent directories "/", "/root", "/root/downloads" should give the execute(x) permission to 'www-data' or 'nobody'. i.e.

but it seems not only the direct parent needs to be given XX5 but all the chain

for example

example
└── sub1
    └── sub2
        └── static

it seems you need to allow others to read and execute (5) on all the parents example, sub1, sub2. Why is that !?? I've found it so awkward and insecure ! Is there a workaround ?

Thanks.
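
An added example, not part of the original post: a Python check that walks from a base directory down to the served directory and reports every directory lacking the search (x) bit for "other". It assumes the nginx worker user is neither the owner nor in the group of these directories; the function names and the temporary tree are constructed for illustration.

```python
import os
import stat
import tempfile


def missing_search_bit(root, target, bit=stat.S_IXOTH):
    """Return the directories from root down to target that lack `bit`.

    Opening a file needs search (x) permission on every directory in its
    path, not only the last one. Read (r) is needed only to list a directory.
    """
    root, target = os.path.realpath(root), os.path.realpath(target)
    parts = os.path.relpath(target, root).split(os.sep)
    chain = [root] + [os.path.join(root, *parts[:i + 1]) for i in range(len(parts))]
    return [os.path.relpath(d, os.path.dirname(root))
            for d in chain if not os.stat(d).st_mode & bit]


def build_tree(modes):
    """Create a nested tree such as example/sub1/sub2/static in a temp dir.

    `modes` is a list of (name, mode) pairs from the top directory down.
    Returns (top directory, deepest directory).
    """
    path = tempfile.mkdtemp()
    top = None
    for name, mode in modes:
        path = os.path.join(path, name)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the result ignores the umask
        top = top or path
    return top, path


if __name__ == "__main__":
    # Constructed layout from the post, with sub1 closed to "other".
    top, static = build_tree([("example", 0o755), ("sub1", 0o750),
                              ("sub2", 0o755), ("static", 0o751)])
    print(missing_search_bit(top, static))
```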

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

I wanted to have a default server that catches ~wrong DNS queries to the server

Solution

I don't know how to link to my previous lemmy post, so here it is again

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/catchall.crt;
    ssl_certificate_key /etc/nginx/ssl/catchall.key;

    error_page 404 /404_CatchAll.html;

    # Everything is a 404
    location / {
        return 404;
    }

    location /404_CatchAll.html {root /var/www/html/;}
}

[–] [email protected] 1 points 1 month ago

The full working code:

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/catchall.crt;
    ssl_certificate_key /etc/nginx/ssl/catchall.key;

    error_page 404 /404_CatchAll.html;

    # Everything is a 404
    location / {
        return 404;
    }

    location /404_CatchAll.html {root /var/www/html/;}
}
[–] [email protected] 1 points 1 month ago (1 children)

ok I've found something that ~works !

	server {
		listen 443 ssl;
		server_name _;
		ssl_certificate /etc/nginx/ssl/catchall.crt;
		ssl_certificate_key /etc/nginx/ssl/catchall.key;

		error_page 404 /404.html; #at /var/www/html/

		location /404.html {internal;}

		return 404;
	}

So I get the default 404 html from nginx, but not the one that I specified with error_page 404 /404.html; any ideas ?

[–] [email protected] 1 points 1 month ago

line 5 you mean ?

error_page 404 /404.html; #this one ?
0
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]
 

Hi,

You might be aware that if a DNS request points to your nginx server and the latter does not have a server rule for it, nginx will serve anyway the first server found in your config file, WTF !

So I've found https://stackoverflow.com/a/23281442

server {
  listen       80 default_server;
  server_name  everythingelse;

  error_page 404 /404.html;

  # Everything is a 404
  location / {
    return 404; #return the code 404
  }

  # link the code to the file
  location = /404.html {
    #EDIT this line to make it match the folder where there is your errors page
    #Dont forget to create 404.html in this folder
    root  /var/www/nginx/errors/;
  }
}

But this is not working !

I made one of my domains point to this nginx server, and it still serves another site (aka server) for HTTPS; for HTTP nothing appears..

Thanks.

 

cross-posted from: https://programming.dev/post/13465911


Hi,

I'm confused about those mandatory legal notices that governments impose on websites..

Before going further I invite you to read:
A Declaration of the Independence of Cyberspace
and
Discourse on Voluntary Servitude[^1]

From all the articles[^2] that I read about the mandatory notices to display on a website, none of them reference the URL of their claim !! / of the legal text !! WTF[^links]

The Internet is by essence worldwide, and when reading all those legal requirements it seems that you should display notices for EVERY country !

It seems also that if you own a private website, just for your own or family use, like for example a web file hosting service (NextCloud etc..), you should comply with the same requirements that are asked of companies ! again... WTF !

Also I don't understand why those notices are made mandatory... (besides the scam (money)), I'll come back to this below.

  • If you want to buy something off a website, and the latter does not mention any legal address, contact info and so on, the responsibility to buy or not should be only yours. (For example, will you buy a yogurt in the supermarket if there were no brand, contact info on the packaging or bill ?)
  • If the state wants to ~~censor~~ "regulate" a website on the old internet[^OI] there are plenty of ways to know who the author is or at the very least where it is hosted..
  • If a website uses/distributes copyrighted© elements, the right holder can do/contact in the following order:
    • check the website for contact (if any)
    • check the DNS record
    • check the hosting
    • contact the owner of the IP (IPs are leased by companies../ ISPs)

So there is no sense in asking everyone for that extra heavy burden. The only advantage is for law firms (and those cookie-related firms) that make a profit out of it. I heard in my entourage of people who had paid thousands of $$ to generate those texts, keep them up to date etc.. even for small websites.

  • If you think those legal notices are a good thing please do not hesitate to motivate your answer.
  • If you have any good links about it, feel free to share.
  • What are you doing yourself on customers' websites and/or for your private websites ?
  • If you know a Lemmy community worth sharing this post with, step forward.

Thanks...

CrossPosted on: https://lemmy.ml/post/15583047

[^1]: https://en.wikipedia.org/wiki/Discourse_on_Voluntary_Servitude
https://archive.org/details/0000-00-00-00-etienne-de-la-boetie-00_202201/1548-00-00_Discourse%20on%20Voluntary%20Servitude_1942_org/mode/2up

[^2]: https://www.websitepolicies.com/blog/legal-requirements-for-websites

[^OI]: The one that you are using now with the domains scam. A future internet might be using TOR or GNU Name System

[^links]: if you have those links feel free to share !

[–] [email protected] 1 points 3 months ago (2 children)

Something worth reading regarding Systemd https://www.devuan.org/os/announce/ Cheers.

 

Hi,

Unfortunately I need to register a domain name for the "old" Internet. So this one with the domain name scam[^DomainScam] and so on..

So which registrar would you recommend that is the closest regarding the FLOSS / GNU philosophy ?

And then I hope the world, will migrate to something better than this WWW scam and I could get rid of this domain..

Thanks.

[^DomainScam]:
- https://www.namepros.com/threads/is-the-domain-industry-like-a-ponzi-scheme.725672
- https://www.w3.org/2014/strint/papers/65.pdf
- https://www.gnunet.org/en
- https://www.torproject.org
- https://youbroketheinternet.org

[–] [email protected] 1 points 5 months ago

I've given a longer trial to gpg4win and it's very powerful and easy to use ! Of course it's pointless to use such a nice tool on a non-air-gapped Windows..

For the others there is Gnu-Linux :)

 

cross-posted from: https://programming.dev/post/10497245


Hi,

For websites I've always restricted usernames from using apostrophe ' and " and sometimes even space. If a website necessitates special characters then I prefer to create an additional DB field ~DisplayName.

It's easier to forbid the use of apostrophes, otherwise you will also have to escape your search query to match what has been recorded in the DB.

On the topic I've this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense

But if you have better documentation feel free to share :)

Thanks

[–] [email protected] 2 points 6 months ago

I've received a lot of reactions on the original post: https://programming.dev/post/10465121

But if someone is involved with the development of Thunderbird I think this is worth reading: https://programming.dev/comment/7677398

For my part I will use the OpenPGP signing tools for now.

Cheers.

[–] [email protected] 3 points 6 months ago* (last edited 6 months ago) (2 children)

Thank you all for your quick reactions !!

To summarize: if I want to use the PDF built-in signing I will need to convert my OpenPGP into an X.509 cert, otherwise I can simply use the OpenPGP file signing.

I want to stick to the UNIX Philosophy especially:

Write programs that do one thing and do it well.

So I will use the OpenPGP signing tool :)

Thanks !
