this post was submitted on 27 May 2024
24 points (92.9% liked)

Selfhosted

40296 readers
284 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hello,

I'm currently using Minio as an easy database for serving my images. To make things simpler everything is set to public, so that just with the URL, you can access it directly. While it's working great for my website, by setting everything public you can easily see ALL the images. So my question is : What is the best way to setup my node JS app as a proxy ? Is it going through the full S3 protocol hell mess, or is there any solution ?

PS : I have a lot of images, so setting everything in the node app is not possible

all 12 comments
sorted by: hot top controversial new old
[–] moh9aiTh@lemmy.world 16 points 5 months ago (2 children)
[–] scrubbles@poptalk.scrubbles.tech 3 points 5 months ago

Very cool! Thanks for posting this. Minio was great, but they started tailoring to enterprise clients, and it's become more and more annoying to keep it running in a homelab. (Security is 100% a great thing, but forcing high levels of security on me when I'm running 2 containers in a compose stack, where the minio container will never have exterior access... eh, I just gave up). So, I'm happy there's one tailored a bit more towards self hosters

[–] corsicanguppy@lemmy.ca 0 points 5 months ago (2 children)

We ship a single dependency-free binary that runs on all Linux distributions

It's like 20 years of security awareness vanished in an instant.

[–] RealBot@lemmy.world 1 points 5 months ago (1 children)
[–] julianwgs@discuss.tchncs.de 1 points 5 months ago (1 children)

Dependency-free doesnt mean they dont have dependencies. Its just that they bundle them all in the executable. When there is a security vulnerability in a library on your Linux system the vendor of your distribution (Canonical, Redhat, SUSE) takes care that it is fixed. All dependent software and libraries are then fixed as well. All I say? Not the ones which have been bundled in the executable. First they need to find out that you are affected and then the maintainer has to update the dependency manually. Often they can only do this after there has been a coordinated release of the fix by the major distributors, which can leave you vulnerable no matter how fast the maintainer is. This is the way it is in Windows. (This was a short summary)

[–] palitu@aussie.zone 2 points 5 months ago (1 children)

this is the same with every docker container.

[–] julianwgs@discuss.tchncs.de 3 points 5 months ago

Yes, in the sense that you are responsible to update the Docker container and often this can lead to vulnerable containers. No, in the sense that it is much easier to scan for dependencies inside a Docker container and identify vulnerabilities. Also most containers are based on Linux distribution, so those distribute the security fixes for specific libraries. All you have to is update the base image.

[–] rglullis@communick.news 8 points 5 months ago

You know that you can configure minio to only serve images for authenticated requests, right?

Don't reinvent the wheel unless you have a very good reason to do so.

[–] partizan@lemm.ee 3 points 5 months ago

Why do you use minio for image serving ? There are much better ways to do so. Nextcloud, Immich, Photoprism and others...

[–] asperan@programming.dev 1 points 5 months ago

Hi, just a disclaimer as I've never used Minio in a serious/professional project, only in home fiddling and school projects, so I may not suggest the optimal way to do things.

You can create Access Keys (Service Accounts) in Minio for your application, and make the bucket(s) accessible only by this account (private with an access policy, I guess). In your JS app, if I remember correctly, you should be able to specify an access key to use for the connection.

Access keys are credentials, so be sure to store them (and pass them around) safely.

I hope this gives you at least a general direction to investigate, happy tinkering!

[–] computergeek125@lemmy.world 1 points 5 months ago

I'm not entirely sure what you're seeking to accomplish here - are you looking to just impose authorization on a subset of the images? Probably those should be in a non-public bucket for starters.

Looking to only give certain people access to files and also have a nicer UI (a la Google Drive / Photos)? Maybe plain S3 isn't the play here and a dedicated application is needed for that subset.

Pre signed URLs may also be a thing useful to what you're trying to to solve. https://docs.min.io/docs/javascript-client-api-reference.html#presignedGetObject