Taiga allows public access to the /media/attachments directory? How can I restrict that?

I installed self-hosted Taiga; /media/attachments can be seen without login now. This can be a security concern. How can I restrict access to the /media/attachments directory?
Thanks

Hi there!

Did you install from source or docker? Did you install and configure Taiga media protected? Could you share your nginx configuration?

Best regards!

Hi, thank you for the answer.
I installed from Docker. How can I install and configure Taiga media protected?

server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/science.pem;
    ssl_certificate_key /etc/nginx/conf.d/pkey.science.pem;
    server_name xxxxx;

    client_max_body_size 8100M;
    charset utf-8;

    # Frontend
    location /taiga/ {
        proxy_pass http://taiga-front/;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # API
    location /taiga/api/ {
        proxy_pass http://taiga-back:8000/api/;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
    }

    # Admin
    location /taiga/admin/ {
        proxy_pass http://taiga-back:8000/admin/;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
    }

    # Static
    location /static/ {
        alias /taiga/static/;
    }

    # Media
    location /_protected/ {
        internal;
        alias /taiga/media/;
        add_header Content-disposition "attachment";
    }

    # Unprotected section
    location /media/exports/ {
        alias /taiga/media/exports/;
        add_header Content-disposition "attachment";
    }

    location /taiga/media/ {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://taiga-protected:8003/;
        proxy_redirect off;
    }

    # Events
    location /taiga/events {
        proxy_pass http://taiga-events:8888/events;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }
}


Since you are using Docker, it should already be working.

Can you share a screenshot example of you accessing /media/attachments directly and getting a file?

Best regards!

[screenshot]

Hi again!

You seem to be correctly using taiga_protected. Can you download the file if you remove the token parameter or change it?

Best regards!

Oh, you are right. I cannot download the file if I change the token. What’s the problem?

Forbidden

You don’t have the permission to access the requested resource. It is either read-protected or not readable by the server.

I’m glad to see it’s working. We implemented that feature precisely to protect (hence the name) attachments while being able to serve them.

The token refreshes regularly as well, so probably if you use the link from yesterday with the token it will not work either.

You could still further restrict it using Nginx if you know how and wish to do so.

Best regards!


Yes, I want to restrict this using Nginx, can you share a sample or guide? thank you very much.

Take into account that this is not endorsed by us in particular, and that you may lose attachments functionality (like viewing the attachments on Taiga at all) depending on how you configure it.

This should be a good start, though: nginx, only allow certain IPs to access a URL prefix - Server Fault

Best regards!

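As an added example of the nginx restriction suggested above (not Taiga's own configuration and not from the thread), this is the poster's /taiga/media/ location with an IP allow-list in front of the taiga-protected proxy; the token check done by taiga-protected stays in place, so this is an additional layer. The network ranges and the upstream proxy address are constructed placeholders.

```nginx
# Added example, not Taiga's own configuration: an IP allow-list on the
# media proxy location, in addition to (not instead of) the signed token
# that taiga-protected already verifies. Ranges below are placeholders.

# Only needed if this nginx itself sits behind another proxy or load
# balancer; otherwise allow/deny would evaluate the balancer's address
# rather than the client's. Goes in the http or server context.
# set_real_ip_from 192.0.2.10;          # placeholder: upstream proxy address
# real_ip_header   X-Forwarded-For;

location /taiga/media/ {
    # Access rules are evaluated before proxy_pass, so a request from
    # outside the list is answered 403 by nginx and never reaches
    # taiga-protected, with or without a valid token.
    allow 10.0.0.0/8;          # placeholder: internal LAN
    allow 203.0.113.0/24;      # placeholder: office or VPN egress range
    deny  all;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://taiga-protected:8003/;
    proxy_redirect off;
}
```

Browsers outside the listed ranges will then fail to load attachment previews and downloads in the Taiga UI, which is the loss of functionality the answer above warns about; the same directives can be applied to the /media/exports/ location in the posted config, which currently serves files without a token. Run `nginx -t` before reloading.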