Profile Pictures Are Public (accessible to anyone without login) In Docker Version #987

Closed
HHousen opened this issue Mar 8, 2018 · 8 comments · Fixed by #5192
Comments

@HHousen
HHousen commented Mar 8, 2018

I've migrated my setup from a manual install over to the Docker version. The Docker version is great, except that any file in "www.myserver.com/storage/avatars/" can be accessed by anyone who knows the image file name. In my previous manual install I had a setup in my Apache virtual host that blocked access to these files. It was as follows:

<Directory /var/www/monica>
    Options FollowSymLinks
    Options -Indexes
    AllowOverride All
    Require all denied
</Directory>
<Directory /var/www/monica/public>
    Require all granted
</Directory>

However, to my knowledge it isn't possible to do this with Docker, because you can't use <Directory> for a reverse proxy. I tried to use <Location> and <LocationMatch>, but I was unable to make those work.

Is having the images public intentional or is this a bug with the docker version of Monica?

This is my current reverse proxy virtual host for the Docker version:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@myserver.com
    ServerName monica.myserver.com
    ErrorLog ${APACHE_LOG_DIR}/monica-error.log
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    SSLCertificateFile /etc/letsencrypt/live/monica.myserver.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/monica.myserver.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
@degan6
degan6 commented Mar 8, 2018

This is true for any version of Monica. It's more of a side effect of how images are stored.

It is possible to move the images to a non-public dir and stream them through PHP on a per-request basis, but that slows load time.

I'd also say that this isn't an issue; the images are renamed with a random 40-char name. It's not really possible to guess that URL.

@djaiss
Member

djaiss commented Mar 12, 2018

Is there a way to avoid this? You can also access a private image on Facebook if you know the URL.

@kissgyorgy
kissgyorgy commented Nov 22, 2019

Yes: you authenticate every image path with PHP, but then use X-Sendfile to serve the images fast (it's implemented with a syscall, so the Linux kernel does the sending after PHP has finished).
In nginx, it's done with the internal directive and the X-Accel-Redirect header: https://nginx.org/en/docs/http/ngx_http_core_module.html#internal
https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/

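The pattern described above, as an added example that is not Monica's own code: PHP performs the access check and then hands the transfer to the web server via X-Accel-Redirect (nginx) or X-Sendfile (Apache mod_xsendfile). The storage path, the `/protected/avatars/` internal location, the `user_id` session flag and the 40-character alphanumeric filename pattern are assumptions for this example.

```php
<?php
// Added example (not Monica's code). Assumed nginx config: /storage/avatars/* is routed
// to this script instead of the filesystem, and the real files are only reachable through
// an internal location that clients cannot request directly:
//
//   location /protected/avatars/ {
//       internal;                                   # only via X-Accel-Redirect
//       alias /var/www/monica/storage/app/public/avatars/;
//   }

const AVATAR_DIR = '/var/www/monica/storage/app/public/avatars';   // assumed path

session_start();

function isAuthenticated(): bool
{
    // Hypothetical session flag; the application would use its own auth layer here.
    return !empty($_SESSION['user_id']);
}

function avatarNameFromPath(string $path): ?string
{
    // Accept only the random 40-char name plus an image extension. Anchoring the pattern
    // also rejects "../", encoded slashes and anything else that could leave AVATAR_DIR.
    if (preg_match('#^/storage/avatars/([A-Za-z0-9]{40}\.(?:jpe?g|png|gif))$#', $path, $m)) {
        return $m[1];
    }
    return null;
}

$name = avatarNameFromPath(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?? '');
if ($name === null || !is_file(AVATAR_DIR . '/' . $name)) {
    http_response_code(404);      // same answer for bad names and missing files
    exit;
}
if (!isAuthenticated()) {
    http_response_code(403);      // authenticated check happens before any bytes leave
    exit;
}

// Hand off to the web server: PHP emits headers only, nginx streams the file from the
// internal location and derives Content-Type from the extension.
header('X-Accel-Redirect: /protected/avatars/' . $name);
// Apache with mod_xsendfile would use the absolute path instead:
// header('X-Sendfile: ' . AVATAR_DIR . '/' . $name);
```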
@naiba
naiba commented Jan 4, 2021

Hey, I implemented this security feature. Check out this instance: http://monica.naibahq.com/storage/photos/0Y7BpsgvyCgMB1Ku4RK2r1y184GtEZCgYxPRXv2F.jpg
You know what I mean.

I forked Monica ( https://github.com/naiba/monica-fork ) because they do not want to merge my PR or give me any feedback.

@asbiin
Member

asbiin commented Jan 4, 2021

@naiba Could you describe your solution here, and maybe implement it here? It would benefit everyone.
BTW, we never refused to merge your PR; it's just a question of (limited free) time.

@naiba
naiba commented Jan 4, 2021

> @naiba Could you describe your solution here, and maybe implement it here? It would benefit everyone.
> BTW, we never refused to merge your PR; it's just a question of (limited free) time.

@asbiin FYI naiba-archived/monica-fork@21d9a19
Can we merge Lunar Calendar support? Then I can close the fork forever 😄

@github-actions
🎉 This issue has been resolved in version 3.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions
This issue has been automatically locked since there has not been any recent activity after it was closed.
Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 23, 2022