Object storage for user uploads
Today's second security release v4.2.7 of Mastodon this week contains a fix for a yet undisclosed vulnerability with the advisory GHSA-jhrq-qvrm-qr36 to be released later during the day.
Word has it that the exploit appears to be related to hosting user-generated content, such as media and other files, on the same domain as the Mastodon instance.
The latest Mastodon security vuln (GHSA-jhrq-qvrm-qr36) appears to be an exploit that can be used against instances that host their media on the same domain as the Mastodon instance itself
Reminder: It is best practice to put user uploaded media on a different hostname - ideally, a separate domain name entirely, but if not possible a subdomain will suffice.
(Note: Even if you do this, you still need to upgrade; the exploit is against remote instances.)
- Minio is configured to serve buckets also with subdomain addressing (incl. a dns-01 wildcard certificate for *.lake.ecobytes.net), a dependency for the example Nginx cache.
- The Minio console is served from a different subdomain than the namespace of the S3 endpoint, console.minio.ecobytes.net, to avoid collision with bucket names.
- User account, bucket, policy and anonymous read policy without directory listing have been provisioned to Minio.
- An Nginx S3 cache container has been added to the Mastodon setup to serve uploaded assets from humus.degrowth.social. It transparently caches already uploaded media from either local file system storage or the S3 bucket.
- Mastodon is configured to use S3 and has the S3 alias host configured.
- The working setup has been tested and validated.
References:
📄 Configuring object storage - Mastodon documentation
📄 Proxying object storage through nginx - Mastodon documentation
📰 Switching Mastodon from Scaleway S3 to self-hosted Minio S3 media storage
📰 Mastodon: Adding S3 based cloud storage to your instance
📄 Object Management — MinIO Object Storage for Linux
📄 S3 - Configuring your environment - Mastodon documentation
Follow up:
- Investigate hosting of static assets from a CDN on a separate (second-level) domain. You can serve static assets (logos, emojis, CSS, JS, etc.) from a separate host, like a CDN (Content Delivery Network), as it can decrease loading times for your users.
- Investigate hosting user uploads from a separate second-level domain, due to possible cookie stealing from the subdomain. Advantages of a separate domain entirely include: “if someone manages to upload some HTML the Javascript can’t just steal cookies”.
- Transfer existing media (~ 400 GiB) into Minio once it has been migrated into a 3-node cluster, and remove the local file system contents after validation.
  📄 Migrate from Gateway or Filesystem Mode — MinIO Object Storage for Container
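The following script is added here as an example; it is not code from the original post, from Mastodon or from MinIO. It checks two of the points above after provisioning: that the anonymous bucket policy grants object reads without directory listing (no s3:ListBucket), and that the Mastodon environment points media URLs at a host other than LOCAL_DOMAIN, flagging the subdomain case the second follow-up item is about. The environment variable names (LOCAL_DOMAIN, S3_ENABLED, S3_ALIAS_HOST, S3_HOSTNAME) are Mastodon's own; the policy documents and hostnames it runs against are constructed sample input.

```python
"""Post-provisioning checks for a Mastodon media setup backed by MinIO.

Added example, not code from the original post, Mastodon or MinIO.
  1. anonymous bucket policy: object reads only, no bucket listing;
  2. Mastodon media host differs from the instance's LOCAL_DOMAIN.
All policies and environment values below are constructed sample input.
"""
import json

LISTING_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:ListAllMyBuckets"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(p) for p in principal.values())
    return False


def anonymous_policy_findings(policy_json: str) -> list[str]:
    """Return problems with what a bucket policy grants to anonymous callers.

    An empty list means: anonymous callers get s3:GetObject and nothing else.
    """
    findings = []
    grants_read = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if "s3:GetObject" in actions:
            grants_read = True
        wildcards = sorted(a for a in actions if a.endswith("*"))
        if wildcards:  # "s3:*", "s3:Get*", ... grant far more than media reads
            findings.append(f"wildcard action for anonymous principal: {wildcards}")
        listing = sorted(actions & LISTING_ACTIONS)
        if listing:  # lets anyone enumerate every upload in the bucket
            findings.append(f"anonymous listing allowed: {listing}")
        extra = sorted(actions - {"s3:GetObject"} - LISTING_ACTIONS - set(wildcards))
        if extra:  # e.g. s3:GetBucketLocation from a generic "download" policy
            findings.append(f"anonymous actions beyond s3:GetObject: {extra}")
    if not grants_read:
        findings.append("s3:GetObject not granted to anonymous callers; media would not load")
    return findings


def media_host_findings(env: dict) -> list[str]:
    """Check where Mastodon's media URLs point, using Mastodon's own variables
    LOCAL_DOMAIN, S3_ENABLED, S3_ALIAS_HOST and S3_HOSTNAME."""
    findings = []
    local = env.get("LOCAL_DOMAIN", "").strip().lower()
    if not local:
        findings.append("LOCAL_DOMAIN is not set")
    if env.get("S3_ENABLED", "false").strip().lower() != "true":
        findings.append("S3_ENABLED is not true; uploads stay on the instance host")
        return findings
    media = (env.get("S3_ALIAS_HOST") or env.get("S3_HOSTNAME") or "").strip().lower()
    media = media.split("/", 1)[0]  # S3_ALIAS_HOST may carry a path prefix
    if not media:
        findings.append("neither S3_ALIAS_HOST nor S3_HOSTNAME is set")
    elif media == local:
        findings.append("media host equals LOCAL_DOMAIN: uploads are same-origin with the instance")
    elif local and media.endswith("." + local):
        findings.append("media host is a subdomain of LOCAL_DOMAIN: cookies scoped to the parent "
                        "domain are still reachable; a separate second-level domain avoids this")
    return findings


# Constructed sample policies: the first is the shape the setup above needs,
# the second resembles a generic public "download" policy that also lists.
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": ["*"]},
                   "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::mastodon-media/*"]}],
})
LISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::mastodon-media"]},
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::mastodon-media/*"]},
    ],
})

# Constructed sample environments; hostnames are placeholders.
SEPARATE_DOMAIN_ENV = {"LOCAL_DOMAIN": "social.example", "S3_ENABLED": "true",
                       "S3_ALIAS_HOST": "uploads-cdn.example"}
SAME_ORIGIN_ENV = {"LOCAL_DOMAIN": "social.example", "S3_ENABLED": "true",
                   "S3_ALIAS_HOST": "social.example"}

if __name__ == "__main__":
    for name, policy in [("read-only", READ_ONLY_POLICY), ("listing", LISTING_POLICY)]:
        print(name, anonymous_policy_findings(policy) or "ok")
    for name, env in [("separate", SEPARATE_DOMAIN_ENV), ("same-origin", SAME_ORIGIN_ENV)]:
        print(name, media_host_findings(env) or "ok")
```

To use it on a real deployment, feed anonymous_policy_findings the bucket policy JSON exported from MinIO and media_host_findings the parsed .env.production; an empty list from both is the state the setup above aims for. The subdomain finding is informational: the setup treats a subdomain as acceptable, the separate second-level domain is the follow-up item.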