Securing PiGallery2 by client certficates via nginx proxy

[knalltuete86]

One of the most interesting features of PG2 is the option to share photos and videos with your family and friends via your own self-hosted instance.

I'm running some self hosted services since years and introduced X.509 Client Certificates for Client Authentication for all of them.

Of course this is difficult as the sharing option should not be used by authenticated clients only. So my goal was

1.) Ensure access to regular instance (gallery, albums, admin area etc.) only for authenticated clients
2.) Enable access to shared media for any other clients as well.

By today I got it working as intended.

Assuming Client Authentication & SSL via nginx is working already (there're a lot of tutorials around the internet) the steps are as follows:

1.) Define your public domain in admin area, e.g. "photos.example.com"
2.) Your shared links should appear as "photos.example.com/share/hash1234"
3.) Configure your nginx site as follows:

server {
       listen 443;
       listen [::]:443;

        server_name photos.example.com;

        ssl_verify_client optional;

        #forward to https - if configured
        if ($scheme = http) {
                return 302 https://$http_host$request_uri;
        }

        #Change Header Policy for PiGallery2 - currently secure CSP are not supported yet (see #671)
        add_header Content-Security-Policy-Report-Only "default-src https: 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;" always;

#Access to these URI should be granted for securily authenticated clients only
        location ~* "^/(gallery|albums|faces|duplicates|admin|login)" {
                limit_except GET {
                        deny all;
                }

                if ($ssl_client_verify != "SUCCESS") { return 403; }

                proxy_pass http://127.0.0.1:80;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Original-uri $http_referer;
        }

#these URI has to be accessable from public
        location ~* "^/(share|pgapi|assets|polyfills|runtime.db|main|styles|scripts|manifest.json|open-iconic)" {
                proxy_pass http://127.0.0.1:80;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host$request_uri;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Original-uri $http_referer;
        }

#Access to Basis URL (e.g. photos.example.com) should be granted to authenticated clients only
        location = / {          
                if ($ssl_client_verify != "SUCCESS") { return 403; }

                proxy_pass http://127.0.0.1:80;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host$request_uri;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Original-uri $http_referer;
        }
}

Options like IP, Port and SSL settings has to be adjusted by your own settings.

Have fun and stay safe

[knalltuete86]

Hi,
from V1.9.6 there is a change necessary to keep it working:

server {
       listen 443;
       listen [::]:443;

        server_name photos.example.com;

        ssl_verify_client optional;

        #forward to https - if configured
        if ($scheme = http) {
                return 302 https://$http_host$request_uri;
        }

        #Change Header Policy for PiGallery2 - currently secure CSP are not supported yet (see #671)
        add_header Content-Security-Policy-Report-Only "default-src https: 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;" always;

#Access to these URI should be granted for securily authenticated clients only
        location ~* "^/(gallery|albums|faces|duplicates|admin|login)" {
                limit_except GET {
                        deny all;
                }

                if ($ssl_client_verify != "SUCCESS") { return 403; }

                proxy_pass http://127.0.0.1:80;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Original-uri $http_referer;
        }

#these URI has to be accessable from public
        location ~* "^/(share|pgapi|assets|polyfills|runtime|de.main|styles|scripts|manifest.json|open-iconic)" {
                proxy_pass http://127.0.0.1:80;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host$request_uri;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Original-uri $http_referer;
        }

#Access to Basis URL (e.g. photos.example.com) should be granted to authenticated clients only
        location = / {          
                if ($ssl_client_verify != "SUCCESS") { return 403; }

                proxy_pass http://127.0.0.1:80;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host$request_uri;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Original-uri $http_referer;
        }
}