PrivateBin
PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data.
Data is encrypted and decrypted in the browser using 256-bit AES in Galois/Counter Mode (AES-256-GCM); the key is carried only in the fragment part of the paste URL, which browsers do not send to the server.
License
PrivateBin consists of PHP and JS code which was originally written by Sébastien Sauvage in 2012 and falls under the Zlib/libpng license. All relevant legal information can be found in the GitHub repository of the project.
Prerequisites
We’re using PHP in the stable version 8.1:
[isabell@stardust ~]$ uberspace tools version show php
Using 'PHP' version: '8.1'
[isabell@stardust ~]$
The domain you want to use must be set up:
[isabell@stardust ~]$ uberspace web domain list
isabell.uber.space
[isabell@stardust ~]$
Installation
Download the source
Check the GitHub release section and copy the tag of the latest release. Set the variable PBIN_VERSION to the version you just copied, then cd to your ~/html folder and use wget to download the archive.
[isabell@stardust ~]$ cd ~/html
[isabell@stardust html]$ PBIN_VERSION=0.0.0
[isabell@stardust html]$ wget https://github.com/PrivateBin/PrivateBin/archive/$PBIN_VERSION.tar.gz -O "PrivateBin-$PBIN_VERSION.tar.gz"
[…]
Saving to: ‘PrivateBin-1.5.1.tar.gz’
100%[=================================================>] 3,172,029 3.45MB/s in 0.9s
2022-11-17 16:27:44 (8.32 MB/s) - ‘PrivateBin-1.5.1.tar.gz’ saved [523648]
[isabell@stardust html]$
Untar the archive and then delete it.
[isabell@stardust html]$ tar -xzf PrivateBin-$PBIN_VERSION.tar.gz --strip-components=1
[isabell@stardust html]$ rm PrivateBin-$PBIN_VERSION.tar.gz
[isabell@stardust html]$
Activate the .htaccess file
PrivateBin ships a .htaccess file that rejects requests from some known robots and link-preview bots. Activate it by renaming it from .htaccess.disabled to .htaccess.
[isabell@stardust html]$ mv .htaccess.disabled .htaccess
[isabell@stardust html]$
Moving files outside of DocumentRoot
It is recommended to move the configuration, data files, templates and PHP libraries outside of your document root, so that none of them can be requested through the web server.
To do that, create a folder privatebin in /home/isabell/ and move the folders to the new location (remember to replace isabell with your own username!). If not already there, go to the html directory before running mv.
[isabell@stardust ~]$ cd ~/html
[isabell@stardust html]$ mkdir ~/privatebin
[isabell@stardust html]$ mv -t ~/privatebin cfg/ lib/ tpl/ vendor/
[isabell@stardust html]$
Changing index.php
Now edit ~/html/index.php to inform PrivateBin about the new location of the folders.
[...]
// change this, if your php files and data is outside of your webservers document root
define('PATH', '/home/isabell/privatebin/');
[...]
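To confirm that the split layout from the steps above is actually in place, here is a small check script. It is an added example, not part of the guide or of PrivateBin; it assumes the hypothetical locations $HOME/html for the DocumentRoot and $HOME/privatebin for the moved directories and takes your own paths as its two arguments.

```shell
#!/bin/sh
# check_layout DOCROOT PBDIR
# Verifies the layout produced by the installation steps: the bot-blocking
# .htaccess is active, cfg/ lib/ tpl/ vendor/ are no longer reachable below the
# DocumentRoot but exist at the new location, and index.php points there.
# Added example, not PrivateBin code; the paths are assumptions (see lead-in).
check_layout() {
  docroot=$1
  pbdir=${2%/}        # strip a trailing slash so the PATH comparison below is exact
  rc=0

  [ -f "$docroot/.htaccess" ] || { echo "FAIL: $docroot/.htaccess missing (rename .htaccess.disabled)"; rc=1; }

  for d in cfg lib tpl vendor; do
    [ -e "$docroot/$d" ] && { echo "FAIL: $docroot/$d is still below the DocumentRoot"; rc=1; }
    [ -d "$pbdir/$d" ]   || { echo "FAIL: $pbdir/$d missing"; rc=1; }
  done

  # index.php must carry the edited define, including the trailing slash
  want="define('PATH', '$pbdir/');"
  grep -qF "$want" "$docroot/index.php" 2>/dev/null \
    || { echo "FAIL: $docroot/index.php does not contain: $want"; rc=1; }

  # conf.php is optional; without it PrivateBin runs with the sample defaults
  [ -f "$pbdir/cfg/conf.php" ] || echo "NOTE: $pbdir/cfg/conf.php not found, defaults apply"

  [ "$rc" -eq 0 ] && echo "OK: layout looks correct"
  return "$rc"
}

# run directly: sh check_layout.sh ~/html ~/privatebin
if [ $# -ge 1 ]; then check_layout "$1" "${2:-$HOME/privatebin}"; fi
```

The script returns non-zero on any finding, so it can be wired into a deploy step; a copy of cfg/ that is still below ~/html is the mistake it is meant to catch, since that directory would otherwise be served by Apache.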
Configuration
Configure your PrivateBin Instance
Note
You don’t need to change any of the default settings to get a working and reasonably secure instance; create a conf.php only for the options you actually want to differ.
You can find an example configuration file at cfg/conf.sample.php with the default settings. To change these, copy the sample file to cfg/conf.php and adapt the values as needed.
[isabell@stardust ~]$ cd ~/privatebin
[isabell@stardust privatebin]$ cp cfg/conf.sample.php cfg/conf.php
[isabell@stardust privatebin]$
The file is in ini format: lines beginning with a semicolon ; are comments, configuration options are grouped in sections marked by square brackets [ and ], and option keys are separated from their values by an equals sign =.
A full list of the possible configuration values can be found here.
Best practices
Robots.txt
PrivateBin comes with a robots.txt file in the root directory which disallows all robots from accessing your pastes.
If you followed this guide, it is already at the right place in your DocumentRoot. However, if you installed PrivateBin into a subdirectory, you have to move robots.txt back into the DocumentRoot, and merge it with any robots.txt you already use there.
Keep in mind that robots.txt is only a request that well-behaved crawlers honour; the rules in .htaccess are what actually rejects the known bots.
Making your PrivateBin Instance read-only
This section shows how to limit write access to your PrivateBin instance, i.e. to specify who may create pastes.
PrivateBin itself has no concept of access control, but its documentation suggests several ways to achieve a read-only mode through web server configuration. This guide implements the second of them: HTTP Basic authentication for every request method except GET (and HEAD), which covers the POST requests the browser sends to create a paste, while reading stays open.
Choose a username that should have write access and provide it to the htpasswd command:
[isabell@stardust ~]$ cd ~/html
[isabell@stardust html]$ htpasswd -c .htpasswd sample_user
New password:
Re-type new password:
Adding password for user sample_user
[isabell@stardust html]$
Further users can be added by omitting the -c flag:
[isabell@stardust html]$ htpasswd .htpasswd another-user
New password:
Re-type new password:
Adding password for user another-user
[isabell@stardust html]$
Edit the .htaccess file and add the following lines (exchange isabell by your uberspace username):
AuthType Basic
AuthName "Login to PrivateBin"
AuthUserFile /var/www/virtual/isabell/html/.htpasswd
<LimitExcept GET>
Require valid-user
</LimitExcept>
The .htaccess file should then look similar to this example. The first RewriteCond is negated with a leading ! on its pattern: the Let’s Encrypt validation server, whose user agent would otherwise match https?:// in the second condition, must not be blocked.
[isabell@stardust html]$ cat .htaccess
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !"Let's Encrypt validation server" [NC]
RewriteCond %{HTTP_USER_AGENT} ^.*(bot|spider|crawl|https?://|WhatsApp|SkypeUriPreview|facebookexternalhit) [NC]
RewriteRule .* - [R=403,L]
AuthType Basic
AuthName "Login to PrivateBin"
AuthUserFile /var/www/virtual/isabell/html/.htpasswd
<LimitExcept GET>
Require valid-user
</LimitExcept>
The PrivateBin site itself stays public: anyone can open it, and anyone holding a paste link can read that paste, because the decryption key is part of the link and never reaches the server. Only when a user tries to publish content does the browser show a Basic-Auth prompt. Two things to check before relying on this: the credentials are merely base64-encoded, so serve the site over HTTPS only, and the web server must not hand out the password file. Apache’s stock configuration denies requests for files whose names start with .ht; confirm it with curl -I https://isabell.uber.space/.htpasswd, which should answer 403 Forbidden rather than 200, or keep the file somewhere outside the DocumentRoot that Apache can read and point AuthUserFile there.
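To reason about which requests the bot block from the Installation chapter rejects and which ones the authentication block challenges, here is a model of the two rules in the .htaccess above. It is an added example, not Apache or PrivateBin code, and it only mirrors the rules as written; the user-agent strings in the comments are constructed for the example.

```shell
#!/bin/sh
# decide METHOD USER_AGENT AUTHENTICATED
# Model of the two rules in the .htaccess above (added example, not Apache or
# PrivateBin code). AUTHENTICATED is "yes" when valid Basic-Auth credentials are
# sent, "no" otherwise. Echoes the status code Apache would answer with.
decide() {
  method=$1
  ua=$2
  authed=$3

  # <LimitExcept GET>: Apache runs the authentication phase before per-directory
  # RewriteRules (those run in the fixup phase), so an unauthenticated POST gets
  # 401 even from a blocked user agent. HEAD is treated like GET inside LimitExcept.
  case $method in
    GET|HEAD) ;;
    *) [ "$authed" = yes ] || { echo 401; return 0; } ;;
  esac

  # RewriteCond 1 (negated): the Let's Encrypt validation server is exempt, even
  # though its user agent contains "https://" and would otherwise match rule 2.
  # RewriteCond 2: case-insensitive bot and link-preview patterns.
  # Both conditions must hold for the RewriteRule to answer 403.
  if ! printf '%s' "$ua" | grep -qiF "Let's Encrypt validation server" &&
       printf '%s' "$ua" | grep -qiE 'bot|spider|crawl|https?://|WhatsApp|SkypeUriPreview|facebookexternalhit'; then
    echo 403
    return 0
  fi

  echo 200
}

# run directly, e.g.: sh decide.sh POST 'Mozilla/5.0 (compatible; Googlebot/2.1)' no
if [ $# -eq 3 ]; then decide "$1" "$2" "$3"; fi
```

Two consequences are easy to miss when reading the .htaccess alone: a crawler that POSTs without credentials sees 401, not 403, and an authenticated client whose user agent happens to contain a URL (https?://) is still blocked, so scripted uploads need a plain user agent.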
Updates
Note
Check the update feed regularly to stay informed about the latest version.
Backup your config:
[isabell@stardust ~]$ cd ~/html
[isabell@stardust html]$ cp -p .htaccess .htaccess.backup
[isabell@stardust html]$ cp -p .htpasswd .htpasswd.backup
[isabell@stardust html]$ cp -rp ~/privatebin/ ~/privatebin-backup
[isabell@stardust html]$
Then repeat the steps of the Installation chapter, with three differences. mv refuses to move cfg/, lib/, tpl/ and vendor/ onto the non-empty directories already in ~/privatebin, so delete lib/, tpl/ and vendor/ there first and only move the new cfg/conf.sample.php into ~/privatebin/cfg/; your conf.php is not part of any release archive and stays untouched. Renaming the new .htaccess.disabled overwrites your edited .htaccess, so re-add the authentication block from .htaccess.backup afterwards and compare the two files in case the release changed the bot rules. The release also ships a fresh index.php, so re-apply the PATH change there.
Check the release notes if the configuration changed between cfg/conf.sample.php and your conf.php.
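The update as one script, added here as an example (it is not part of the guide or of PrivateBin). It expects the new release to be downloaded and extracted already, with wget and tar as in the Installation chapter but into a scratch directory such as /tmp/privatebin-new (a name chosen for this example), and takes that directory, the DocumentRoot and the privatebin directory as its arguments.

```shell
#!/bin/sh
# update_privatebin NEWTREE DOCROOT PBDIR
# Applies an already downloaded and extracted release (NEWTREE) to the split
# layout from the Installation chapter while keeping the local .htaccess,
# .htpasswd and cfg/conf.php. Added example, not from the guide or PrivateBin;
# the directory names are the guide's, the backup naming is this script's.
update_privatebin() {
  new=${1%/}
  docroot=${2%/}
  pbdir=${3%/}
  stamp=$(date +%Y%m%d%H%M%S)

  # 1. Backups first, timestamped so repeated updates do not overwrite each other.
  #    The copy of PBDIR includes the data/ directory with all stored pastes.
  cp -p "$docroot/.htaccess" "$docroot/.htaccess.$stamp.backup" || return 1
  if [ -f "$docroot/.htpasswd" ]; then
    cp -p "$docroot/.htpasswd" "$docroot/.htpasswd.$stamp.backup" || return 1
  fi
  cp -rp "$pbdir" "$pbdir-$stamp.backup" || return 1

  # 2. Code directories are replaced, not merged: mv refuses to move a directory
  #    onto a non-empty one, and files dropped by the new release must not linger.
  for d in lib tpl vendor; do
    rm -rf "$pbdir/$d"
    mv "$new/$d" "$pbdir/$d" || return 1
  done

  # 3. From cfg/ only the new sample is taken over; the local conf.php stays.
  mv "$new/cfg/conf.sample.php" "$pbdir/cfg/conf.sample.php" || return 1
  rm -rf "$new/cfg"

  # 4. The remaining web files replace their counterparts in the DocumentRoot.
  #    The release ships .htaccess.disabled, so the edited .htaccess survives.
  cp -rp "$new"/. "$docroot"/ || return 1

  # 5. The fresh index.php points at the DocumentRoot again; re-apply the PATH edit.
  sed "s#define('PATH', '[^']*');#define('PATH', '$pbdir/');#" "$docroot/index.php" \
    > "$docroot/index.php.tmp" && mv "$docroot/index.php.tmp" "$docroot/index.php" || return 1

  # Tell the operator whether the sample config changed, as the guide asks to check.
  if ! cmp -s "$pbdir/cfg/conf.sample.php" "$pbdir-$stamp.backup/cfg/conf.sample.php"; then
    echo "NOTE: cfg/conf.sample.php changed, compare it with cfg/conf.php"
  fi
  echo "OK: updated, backup in $pbdir-$stamp.backup"
}

# run directly: sh update_privatebin.sh /tmp/privatebin-new ~/html ~/privatebin
if [ $# -eq 3 ]; then update_privatebin "$1" "$2" "$3"; fi
```

After a run, diff .htaccess against the freshly copied .htaccess.disabled to pick up changed bot rules, and remove the old timestamped backups once the new version has been verified; they contain the pastes and the password file.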
Tested with PrivateBin 1.5.1, Uberspace 7.15.1, PHP 8.1
Written by: Nepomacs <https://github.com/Nepomacs/>, franok <https://franok.de>