Restrict upload using NGINX
This is a neat and effective way to restrict paste uploading using NGINX without breaking anything and without modifying PrivateBin.
An authentication page is created using NGINX, which, if provided with the correct credentials, will set a cookie with a secret key. All POST requests to the server are restricted using NGINX and only allowed if this secret key is provided. This allows viewing pastes by anyone but not uploading.
Alternative methods/solutions are described in this FAQ question.
- Create your credentials file at `/etc/nginx/.htpasswd`. You can use the htpasswd tool, tutorial here.
- Use the following NGINX configuration, make sure you replace `server_name` and configure HTTPS:
Attention: The config listed on this page was insecure for some time and has been revised! Please update your configuration if you still use an insecure old version.
```nginx
server {
    server_name paste.example.com;

    # update this path
    root /usr/local/www/privatebin;

    # static assets: cache for 30 days, no access logging
    location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
        expires 30d;
        access_log off;
    }

    # never serve PrivateBin's data, configuration or temporary directories
    location ~ ^/(data|cfg|tmp) {
        deny all;
    }

    location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
        deny all;
    }

    # hidden files
    location ~ /\. {
        deny all;
    }

    location / {
        # GET and HEAD stay public; every other method (POST uploads) requires basic auth
        limit_except GET HEAD {
            auth_basic 'Restricted';
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
        try_files $uri $uri/ /index.php;
    }

    # this should be whatever you use with PHP
    # check your php-fpm.conf files for the correct fastcgi_pass value
    location ~ \.php$ {
        # same restriction as in "location /", applied to requests handled by PHP
        limit_except GET HEAD {
            auth_basic 'Restricted';
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /usr/local/etc/nginx/fastcgi_params;
    }
}
```
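The `location ~ \.php$` block repeats the `limit_except` guard because nginx applies the directives of the location that finally handles a request. The Python check below is an added example, not part of this wiki page or of PrivateBin: it flags any location containing `fastcgi_pass` that lacks the guard. The function names and both sample strings are assumptions constructed for the illustration.

```python
import re

def location_blocks(conf):
    """Yield (header, body) per location block; assumes no braces inside quoted strings."""
    conf = re.sub(r'#.*', '', conf)                     # drop comments
    for m in re.finditer(r'\blocation\b([^{;]*)\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):                  # walk to the matching '}'
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def has_guard(body):
    """True if body holds a limit_except that leaves only GET/HEAD open and enforces basic auth."""
    g = re.search(r'limit_except\s+([A-Z\s]+?)\s*\{([^}]*)\}', body)
    return bool(g and set(g.group(1).split()) <= {'GET', 'HEAD'}
                and re.search(r'\bauth_basic\s+(?!off\s*;)', g.group(2))
                and 'auth_basic_user_file' in g.group(2))

def unguarded_php_locations(conf):
    """Headers of locations that hand requests to PHP without that guard."""
    return [h for h, b in location_blocks(conf) if 'fastcgi_pass' in b and not has_guard(b)]

# Constructed sample input, abridged from the configuration on this page.
GUARDED = r'''
server {
    location / {
        limit_except GET HEAD { auth_basic 'Restricted'; auth_basic_user_file /etc/nginx/.htpasswd; }
        try_files $uri $uri/ /index.php;
    }
    location ~ \.php$ {
        limit_except GET HEAD { auth_basic 'Restricted'; auth_basic_user_file /etc/nginx/.htpasswd; }
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
}
'''
# Hypothetical variant for comparison: the same text with the guard cut out of the PHP location.
UNGUARDED = GUARDED[:GUARDED.rindex('limit_except')] + GUARDED[GUARDED.rindex('fastcgi_pass'):]

if __name__ == '__main__':
    print('guarded config   ->', unguarded_php_locations(GUARDED))
    print('unguarded config ->', unguarded_php_locations(UNGUARDED))
```

To audit a real file, pass its contents to `unguarded_php_locations()`; an empty list means every PHP-handling location carries the restriction.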
Copyright 2021 wiki contributors. Licensed under CC BY 4.0. The PrivateBin software itself is licensed differently.