Nixius
/
hastebin
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
hastebin/README.md

311 lines
9.3 KiB
Markdown
Raw Blame History

# Hastebin
Hastebin is an open-source pastebin software written in node.js, which is easily installable in any network. It can be backed by either redis or filesystem, and has a very easy adapter interface for other stores. A publicly available version can be found at [haste.nixc.us](http://haste.nixc.us)
## Quick Start
```bash
# Clone the repository
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server
# Install dependencies
npm install
# Start with file storage (no Redis needed)
npm run start:dev
# Access in your browser
# http://localhost:7777
```
## Features
- **Simple**: Easy to set up and use
- **Secure**: Includes CSP and other security headers
- **Flexible**: Supports multiple storage backends (Redis, File, Postgres, etc.)
- **Customizable**: Configurable via environment variables or config file
- **Modern**: Self-destructing pastes with syntax highlighting
## Installation
### Quick Install
```bash
# Clone the repository
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server
# Install dependencies
npm install
# Start with file storage (no Redis needed)
npm run start:file
# OR run directly with environment variables
# NODE_ENV=development HASTEBIN_STORAGE_TYPE=file node server.js
```
### Running Options
```bash
# Start with default settings (requires Redis)
npm start
# Start in development mode with file storage
npm run start:dev
# Same as start:dev (for backward compatibility)
npm run start:file
```
### Docker Installation
```bash
# Clone the repository
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server
# Start with Docker Compose (includes Redis)
docker compose up -d
```
The Docker container is configured to use Redis as the storage backend by default. The `docker-compose.yml` file sets up both a Hastebin container and a Redis container, linking them together.
If you need to customize the Docker setup, you can modify the environment variables in the `docker-compose.yml` file:
```yaml
environment:
- NODE_ENV=production
- STORAGE_TYPE=redis
- STORAGE_HOST=redis
- HASTEBIN_ENABLE_CSP=true
- HASTEBIN_ENABLE_HSTS=true
```
The container exists at git.nixc.us/colin/haste:haste-production and may be made public eventually.
## Configuration
### Environment Variables
Hastebin can be configured using the following environment variables:
```bash
# Server configuration
HASTEBIN_PORT=7777 # Port to listen on (default: 7777)
HASTEBIN_HOST=0.0.0.0 # Host to bind to (default: 0.0.0.0)
# Storage configuration
HASTEBIN_STORAGE_TYPE=file # Storage type: file, redis, postgres, etc.
HASTEBIN_STORAGE_PATH=./data # Path for file storage
DATABASE_URL=postgres://user:pass@host:5432/db # For postgres storage
# Docker-specific storage settings
STORAGE_TYPE=redis # Storage type in Docker (default: redis)
STORAGE_HOST=redis # Redis host in Docker environment
STORAGE_PORT=6379 # Redis port
STORAGE_PASSWORD= # Redis password if needed
STORAGE_DB=0 # Redis database number
# Security settings
HASTEBIN_ENABLE_CSP=true # Enable Content Security Policy
HASTEBIN_ENABLE_HSTS=true # Enable HTTP Strict Transport Security
HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION=true # Enable Cross-Origin Isolation
HASTEBIN_BYPASS_CSP_IN_DEV=true # Bypass CSP in development mode
# Other settings
NODE_ENV=development # Environment: development or production
```
You can also configure Hastebin by editing the `config.js` file.
## Security Settings
The `security` section in the configuration allows you to control various security features, particularly the Content Security Policy (CSP):
```json
{
"security": {
"csp": true, // Enable/disable CSP entirely
"hsts": false, // Enable HTTP Strict Transport Security
"scriptSources": [], // Additional allowed script sources
"bypassCSPInDev": false, // Use permissive CSP in development mode
"allowUnsafeHashes": true, // Allow 'unsafe-hashes' in production for event handlers
"enableCrossOriginIsolation": false // Enable strict Cross-Origin isolation headers
}
}
```
### Content Security Policy Options
* `csp` - Enable or disable Content Security Policy headers (default: true)
* `hsts` - Enable HTTP Strict Transport Security headers (default: false)
* `scriptSources` - Additional script sources to allow - comma-separated list in env vars
* `bypassCSPInDev` - In development mode (NODE_ENV=development), use a more permissive CSP that includes 'unsafe-inline' (default: false)
* `allowUnsafeHashes` - Allow 'unsafe-hashes' in production mode for DOM event handlers (default: true)
* `enableCrossOriginIsolation` - Enable strict Cross-Origin isolation headers (COEP, COOP, CORP) which enhance security but may break certain integrations (default: false)
### Environment Variables for Security Settings
You can set these options through environment variables:
* `HASTEBIN_ENABLE_CSP` - Enable/disable CSP (true/false)
* `HASTEBIN_ENABLE_HSTS` - Enable/disable HSTS (true/false)
* `HASTEBIN_SCRIPT_SOURCES` - Additional script sources (comma-separated)
* `HASTEBIN_BYPASS_CSP_IN_DEV` - Allow unsafe-inline in development (true/false)
* `HASTEBIN_ALLOW_UNSAFE_HASHES` - Allow unsafe-hashes in production (true/false)
* `HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION` - Enable Cross-Origin isolation headers (true/false)
### CSP Implementation Details
The Content Security Policy implementation in Hastebin uses nonces to secure inline scripts while maintaining functionality:
1. **Nonces**: A unique cryptographic nonce is generated for each request and applied to all script tags
2. **Development Mode**: When running with `NODE_ENV=development`, you can bypass strict CSP checks using the `bypassCSPInDev` option
3. **Production Mode**: In production, the CSP is configured to use nonces for all scripts, with optional 'unsafe-hashes' for event handlers
4. **Templates**: The template system automatically injects nonces into script tags, so you don't need to manually add them to the HTML
### Additional Security Headers
Besides CSP, Hastebin implements several other security headers:
1. **X-Content-Type-Options**: `nosniff`
## Troubleshooting
### Common Issues
#### Port Already in Use
If you see an error like `Error: listen EADDRINUSE: address already in use :::7777`:
```bash
# Find and kill processes using port 7777
lsof -i :7777 -t | xargs kill -9 || true
# Or use a different port
HASTEBIN_PORT=8000 npm run start:file
```
#### Redis Connection Issues
If you're using Redis and see connection errors:
```bash
# Check if Redis is running
redis-cli ping
# Start Redis if needed
redis-server
# Or use file storage instead
npm run start:file
```
#### Permission Issues with File Storage
If you see permission errors when using file storage:
```bash
# Create data directory with proper permissions
mkdir -p data
chmod 777 data
HASTEBIN_STORAGE_PATH=./data npm run start:file
```
#### Test Server Issues
If tests are failing:
```bash
# Make sure no server is running
lsof -i :7777 -t | xargs kill -9 || true
# Run tests with clean environment
npm run test:all
```
## Testing
### Quick Test Commands
```bash
# Start a local test server with file storage
npm run start:dev
# Run all tests
npm test
# Run core functionality tests
npm run test:core
# Run security tests
npm run test:security
```
### Test Structure
Hastebin includes a comprehensive test suite covering both core functionality and security features. The tests are organized in the following structure:
```
test/
├── core/ # Core functionality tests
│ └── core_functionality_spec.js # Tests for basic operations
├── security/ # Security-related tests
│ ├── security_spec.js # Main security test suite
│ └── security_shell_spec.sh # Shell-based security tests
├── key_generators/ # Key generator tests
├── utils/ # Test utilities
│ └── test-local.js # Local test server setup
└── document_handler_spec.js # Document handler tests
```
### Running Test Suites
```bash
# Run all tests (unit + security)
npm run test:all
# Run specific test suites
npm run test:core # Run core functionality tests
npm run test:security # Run all security tests
# Run specific security tests
npm run test:security:csp # Test CSP configuration
npm run test:security:cors # Test CORS settings
npm run test:security:combined # Test combined security features
```
## Storage
## API Usage
### Creating a Document
```bash
# Using curl
curl -X POST -d "Hello, world!" http://localhost:7777/documents
# Response: {"key":"uniquekey"}
```
### Retrieving a Document
```bash
# Using curl
curl http://localhost:7777/raw/uniquekey
# Response: Hello, world!
```
### Document Formats
- `http://localhost:7777/uniquekey` - HTML view with syntax highlighting
- `http://localhost:7777/raw/uniquekey` - Raw document content
- `http://localhost:7777/documents/uniquekey` - JSON response with document content
### Client Libraries
- [haste-client](https://git.nixc.us/Nixius/haste-client) - Command line client for Hastebin
- Example usage: `cat file.txt | haste`
## License Update
Reference in New Issue View Git Blame Copy Permalink