Installer PrivateBin avec Docker

zarev 10 juil. 2024 10 min de lecture

Table des matières

Cette application est un grand classique, peut-être la connaissez-vous déjà. Si non, elle vaut vraiment le coup d’œil si vous êtes avide de sécurité pour l'échanges de données et du respect de la vie privée des utilisateurs concernant ce qu'ils font transiter sur votre serveur.

Aujourd'hui nous allons parler de PrivateBin! Tout le monde connaît déjà le principe de Pastbin, une application web qui permet aux utilisateurs de mettre en ligne des morceaux de textes, mais PrivateBin va encore plus loin, PrivateBin permet l'activation des discussions, l'envoi de fichiers, détection de la langue du navigateur,...

Voyons ça ensemble!

En tant qu'administrateur de serveur, vous n'avez pas à vous inquiéter si vos utilisateurs publient des contenus considérés comme illégaux dans votre pays. Vous pouvez nier de manière plausible le contenu des fichiers collés. En cas de demande ou d'obligation, vous pouvez supprimer n'importe quel contenu de votre système.
Système similaire à Pastebin pour stocker des documents textuels, des échantillons de code, etc.
Chiffrement des données envoyées au serveur
Possibilité de définir un mot de passe qui est nécessaire pour lire le texte collé. Ce mot de passe protège davantage un document et empêche les personnes qui tombent sur le lien de votre document de pouvoir le lire sans le mot de passe.

⚡Caractéristiques

Protection par mot de passe.
Discussions, anonymes ou avec des surnoms et des identifiants basés sur l'IP ou des vizhashes.
Délais d'expiration, y compris une option "pour toujours" et "brûler après lecture".
Prise en charge du format Markdown pour les collages au format HTML, y compris la fonction de prévisualisation.
Mise en évidence de la syntaxe du code source à l'aide de prettify.js, y compris 4 thèmes prettifyPrise en charge du téléchargement de fichiers, prévisualisation des images, des médias et des PDF (désactivé par défaut, limite de taille réglable)
Modèles : Par défaut, vous avez le choix entre bootstrap CSS, darkstrap et "classic ZeroBin". Il est facile de les adapter à la mise en page de votre site ou de créer votre propre modèle.
Système de traduction et détection automatique de la langue du navigateur (si activé dans le navigateur).
Sélection de la langue (désactivée par défaut, car elle utilise un cookie de session)
Code QR pour les URL à coller, afin de les transférer facilement sur des appareils mobiles.

💡

PrivateBin ne fonctionnera pas sans HTTPS. Veillez à proxy votre instance avec votre système préféré.

L'installation

Créez votre docker-compose.yml dans le dossier ou vous comptez installer PasteBin:

sudo nano docker-compose.yml

Collez ça dedans en prenant soin d'adapter le port et les volumes suivant votre configuration:

version: '3.8'
services:
  privatebin:
    image: privatebin/nginx-fpm-alpine
    restart: always
    read_only: true
    user: "1000:1000"
    ports:
      - "8082:8080"
    volumes:
      - ./data:/srv/data
      - ./conf.php:/srv/cfg/conf.php:ro

Nous allons créer le fichier de configuration:

sudo nano conf.php

Collez cette tartine dedans:

;<?php http_response_code(403); /*
; config file for PrivateBin
;
; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.

[main]
; (optional) set a project name to be displayed on the website
name = "belgiPast"

; The full URL, with the domain name and directories that point to the
; PrivateBin files, including an ending slash (/). This URL is essential to
; allow Opengraph images to be displayed on social networks.
; basepath = "https://privatebin.example.com/"

; enable or disable the discussion feature, defaults to true
discussion = true

; preselect the discussion feature, defaults to false
opendiscussion = false

; enable or disable the display of dates & times in the comments, defaults to true
; Note that internally the creation time will still get tracked in order to sort
; the comments by creation time, but you can choose not to display them.
; discussiondatedisplay = false

; enable or disable the password feature, defaults to true
password = true

; enable or disable the file upload feature, defaults to false
fileupload = true

; preselect the burn-after-reading feature, defaults to false
burnafterreadingselected = false

; which display mode to preselect by default, defaults to "plaintext"
; make sure the value exists in [formatter_options]
defaultformatter = "plaintext"

; (optional) set a syntax highlighting theme, as found in css/prettify/
; syntaxhighlightingtheme = "sons-of-obsidian"

; size limit per paste or comment in bytes, defaults to 10 Mebibytes
sizelimit = 10485760

; template to include, default is "bootstrap" (tpl/bootstrap.php), also
; available are "page" (tpl/page.php), the classic ZeroBin style and several
; bootstrap variants: "bootstrap-dark", "bootstrap-compact", "bootstrap-page",
; which can be combined with "-dark" and "-compact" for "bootstrap-dark-page"
; and finally "bootstrap-compact-page" - previews at:
; https://privatebin.info/screenshots.html
template = "bootstrap-dark"

; (optional) info text to display
; use single, instead of double quotes for HTML attributes
;info = "More information on the <a href='https://privatebin.info/'>project page</a>."

; (optional) notice to display
; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."

; by default PrivateBin will guess the visitors language based on the browsers
; settings. Optionally you can enable the language selection menu, which uses
; a session cookie to store the choice until the browser is closed.
languageselection = false

; set the language your installs defaults to, defaults to English
; if this is set and language selection is disabled, this will be the only language
; languagedefault = "en"

; (optional) URL shortener address to offer after a new paste is created.
; It is suggested to only use this with self-hosted shorteners as this will leak
; the pastes encryption key.
; urlshortener = "https://shortener.example.com/api?link="

; (optional) Let users create a QR code for sharing the paste URL with one click.
; It works both when a new paste is created and when you view a paste.
qrcode = true

; (optional) Let users send an email sharing the paste URL with one click.
; It works both when a new paste is created and when you view a paste.
; email = true

; (optional) IP based icons are a weak mechanism to detect if a comment was from
; a different user when the same username was used in a comment. It might get
; used to get the IP of a comment poster if the server salt is leaked and a
; SHA512 HMAC rainbow table is generated for all (relevant) IPs.
; Can be set to one these values:
; "none" / "identicon" (default) / "jdenticon" / "vizhash".
; icon = "none"

; Content Security Policy headers allow a website to restrict what sources are
; allowed to be accessed in its context. You need to change this if you added
; custom scripts from third-party domains to your templates, e.g. tracking
; scripts or run your site behind certain DDoS-protection services.
; Check the documentation at https://content-security-policy.com/
; Notes:
; - If you use any bootstrap theme, you can remove the allow-popups from the
;   sandbox restrictions.
; - If you use the bootstrap5 theme, you must change default-src to 'self' to
;   enable display of the svg icons
; - By default this disallows to load images from third-party servers, e.g. when
;   they are embedded in pastes. If you wish to allow that, you can adjust the
;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
;   for details.
; - The 'unsafe-eval' is used in two cases; to check if the browser supports
;   async functions and display an error if not and for Chrome to enable
;   webassembly support (used for zlib compression). You can remove it if Chrome
;   doesn't need to be supported and old browsers don't need to be warned.
; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"

; stay compatible with PrivateBin Alpha 0.19, less secure
; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
; sha256 in HMAC for the deletion token
; zerobincompatibility = false

; Enable or disable the warning message when the site is served over an insecure
; connection (insecure HTTP instead of HTTPS), defaults to true.
; Secure transport methods like Tor and I2P domains are automatically whitelisted.
; It is **strongly discouraged** to disable this.
; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
; httpwarning = true

; Pick compression algorithm or disable it. Only applies to pastes/comments
; created after changing the setting.
; Can be set to one these values: "none" / "zlib" (default).
; compression = "zlib"

[expire]
; expire value that is selected per default
; make sure the value exists in [expire_options]
default = "1week"

[expire_options]
; Set each one of these to the number of seconds in the expiration period,
; or 0 if it should never expire
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
; Well this is not *exactly* one month, it's 30 days:
1month = 2592000
1year = 31536000
never = 0

[formatter_options]
; Set available formatters, their order and their labels
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"

[traffic]
; time limit between calls from the same IP address in seconds
; Set this to 0 to disable rate limiting.
limit = 10

; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
; be exempted, the list needs to be comma separated. Leave unset to disable
; exemptions.
; exempted = "1.2.3.4,10.10.10/24"

; (optional) If you want only some source IP addresses (v4 or v6) or subnets
; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
; ignored. If multiple values are to be exempted, the list needs to be comma
; separated. Leave unset to allow anyone to create pastes.
; creators = "1.2.3.4,10.10.10/24"

; (optional) if your website runs behind a reverse proxy or load balancer,
; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
; header = "X_FORWARDED_FOR"

[purge]
; minimum time limit between two purgings of expired pastes, it is only
; triggered when pastes are created
; Set this to 0 to run a purge every time a paste is created.
limit = 300

; maximum amount of expired pastes to delete in one purge
; Set this to 0 to disable purging. Set it higher, if you are running a large
; site
batchsize = 10

[model]
; name of data model class to load and directory for storage
; the default model "Filesystem" stores everything in the filesystem
class = Filesystem
[model_options]
dir = PATH "data"

;[model]
; example of a Google Cloud Storage configuration
;class = GoogleCloudStorage
;[model_options]
;bucket = "my-private-bin"
;prefix = "pastes"
;uniformacl = false

;[model]
; example of DB configuration for MySQL
;class = Database
;[model_options]
;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
;tbl = "privatebin_"	; table prefix
;usr = "privatebin"
;pwd = "Z3r0P4ss"
;opt[12] = true	  ; PDO::ATTR_PERSISTENT

;[model]
; example of DB configuration for SQLite
;class = Database
;[model_options]
;dsn = "sqlite:" PATH "data/db.sq3"
;usr = null
;pwd = null
;opt[12] = true	; PDO::ATTR_PERSISTENT

;[model]
; example of DB configuration for PostgreSQL
;class = Database
;[model_options]
;dsn = "pgsql:host=localhost;dbname=privatebin"
;tbl = "privatebin_"     ; table prefix
;usr = "privatebin"
;pwd = "Z3r0P4ss"
;opt[12] = true    ; PDO::ATTR_PERSISTENT

;[model]
; example of S3 configuration for Rados gateway / CEPH
;class = S3Storage
;[model_options]
;region = ""
;version = "2006-03-01"
;endpoint = "https://s3.my-ceph.invalid"
;use_path_style_endpoint = true
;bucket = "my-bucket"
;accesskey = "my-rados-user"
;secretkey = "my-rados-pass"

;[model]
; example of S3 configuration for AWS
;class = S3Storage
;[model_options]
;region = "eu-central-1"
;version = "latest"
;bucket = "my-bucket"
;accesskey = "access key id"
;secretkey = "secret access key"

;[model]
; example of S3 configuration for AWS using its SDK default credential provider chain
; if relying on environment variables, the AWS SDK will look for the following:
; - AWS_ACCESS_KEY_ID
; - AWS_SECRET_ACCESS_KEY
; - AWS_SESSION_TOKEN (if needed)
; for more details, see https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html#default-credential-chain
;class = S3Storage
;[model_options]
;region = "eu-central-1"
;version = "latest"
;bucket = "my-bucket"

[yourls]
; When using YOURLS as a "urlshortener" config item:
; - By default, "urlshortener" will point to the YOURLS API URL, with or without
;   credentials, and will be visible in public on the PrivateBin web page.
;   Only use this if you allow short URL creation without credentials.
; - Alternatively, using the parameters in this section ("signature" and
;   "apiurl"), "urlshortener" needs to point to the base URL of your PrivateBin
;   instance with "?shortenviayourls&link=" appended. For example:
;   urlshortener = "${basepath}?shortenviayourls&link="
;   This URL will in turn call YOURLS on the server side, using the URL from
;   "apiurl" and the "access signature" from the "signature" parameters below.

; (optional) the "signature" (access key) issued by YOURLS for the using account
; signature = ""
; (optional) the URL of the YOURLS API, called to shorten a PrivateBin URL
; apiurl = "https://yourls.example.com/yourls-api.php"

Quelques paramètres:

name = "belgiPast" => C'est le nom qui figurera dans votre onglet.
discussion = true => Sur true, la conversation sera disponible. Indiquez false si vous ne voulez pas permettre cette option.
fileupload = true => Sur true, l'envoi de fichier est autorisé. Indiquez false si vous ne voulez pas permettre cette option.
qrcode = true => Sur true, la génération d'un QR Code est autorisé. Indiquez false si vous ne voulez pas permettre cette option.

On va maintenant créer le dossier data et lui donner les permissions nécessaires:

sudo mkdir data

Un petit coup de chown, identifier votre ID et remplacez 1000:1000 par votre ID:

chown 1000:1000 data/

💡

Taper id dans votre terminal pour connaître votre uid & votre gid.

On déployer l'application:

docker-compose up -d

ou avec docker-compose V2:

docker compose up -d

Rendez-vous sur votre domaine:

https://mondomaine.com

Exploration de l'interface

Voici à quoi ressemble l'interface de PrivateBin:

Expire => Choisir le délai d'expiration.

Effacer après lecture => Ce message s'autodétruira après une seule lecture.
Autoriser la discussion => Si vous avez envie que votre correspondant puisse réagir à votre message.