commit 3ad243b31aadb0ea36453322548f0b22aa43ff4f Author: renz Date: Fri Jun 13 16:07:22 2025 +0200 hmac-file-server 3.2 [wiki] hinzugefügt diff --git a/hmac-file-server 3.2 %5Bwiki%5D.-.md b/hmac-file-server 3.2 %5Bwiki%5D.-.md new file mode 100644 index 0000000..90c17ff --- /dev/null +++ b/hmac-file-server 3.2 %5Bwiki%5D.-.md @@ -0,0 +1,1237 @@ +Willkommen im Wiki.This documentation provides detailed information on configuring, setting up, and maintaining the HMAC File Server. Whether you're a developer, system administrator, or an enthusiast, this guide will help you navigate through the server's features and configurations effectively. + +--- + +## Table of Contents + +1. [Introduction](#introduction) +2. [Configuration](#configuration) + - [Server Configuration](#server-configuration) + - [Deduplication Settings](#deduplication-settings) + - [ISO Settings](#iso-settings) + - [Timeout Settings](#timeout-settings) + - [Security Settings](#security-settings) + - [Versioning Settings](#versioning-settings) + - [Uploads Settings](#uploads-settings) + - [Downloads Settings](#downloads-settings) + - [ClamAV Settings](#clamav-settings) + - [Redis Settings](#redis-settings) + - [Worker Settings](#worker-settings) +3. [Example Configuration](#example-configuration) +4. [Setup Instructions](#setup-instructions) + - [1. HMAC File Server Installation](#1-hmac-file-server-installation) + - [2. Reverse Proxy Configuration](#2-reverse-proxy-configuration) + - [Apache2 Reverse Proxy](#apache2-reverse-proxy) + - [Nginx Reverse Proxy](#nginx-reverse-proxy) + - [3. ejabberd Configuration](#3-ejabberd-configuration) + - [4. Systemd Service Setup](#4-systemd-service-setup) +5. [Running with Docker & Docker Compose](#running-with-docker--docker-compose) +6. [Building for Different Architectures](#building-for-different-architectures) +7. [Additional Recommendations](#additional-recommendations) +8. [Notes](#notes) +9. [Using HMAC File Server for CI/CD Build Artifacts](#using-hmac-file-server-for-ci-cd-build-artifacts) +10. [Monitoring](#monitoring) + +--- + +## Introduction + +The **HMAC File Server** is a secure and efficient file management solution designed to handle file uploads, downloads, deduplication, and more. Built with a focus on security, scalability, and performance, it integrates seamlessly with various tools and services to provide a comprehensive file handling experience. + +--- + +## Configuration + +The HMAC File Server is configured using a `config.toml` file. Below are the detailed explanations of each configuration section and their respective options. + +### Server Configuration + +```toml +# Server configuration +listenport = "8080" # TCP port for incoming requests +unixsocket = false # Use Unix domain socket instead of TCP +storagepath = "/path/to/hmac-file-server/data/" # Directory to store uploaded files +loglevel = "debug" # Logging level: "debug", "info", "warn", "error" +logfile = "/path/to/hmac-file-server.log" # Path to log file; leave empty to use stdout +metricsenabled = true # Enable Prometheus metrics +metricsport = "9090" # Port for Prometheus metrics +deduplicationenabled = true +minfreebytes = "5GB" # Minimum free disk space required +filettl = "2Y" # Time-to-live for files +filettlenabled = false # Enable TTL checks and cleanup +autoadjustworkers = true # Automatically adjust worker threads based on load +networkevents = false # Enable detailed network event logging +pidfilepath = "./hmac-file-server.pid" # Path to PID file +precaching = true # Pre-cache file structures on startup + +# New option to force network protocol +forceprotocol = "auto" # Options: "ipv4", "ipv6", "auto" +``` + +#### Configuration Options + +- **listenport**: + - *Type*: `String` + - *Description*: Specifies the TCP port on which the server listens for incoming requests. + - *Default*: `"8080"` + +- **unixsocket**: + - *Type*: `Boolean` + - *Description*: Determines whether to use a Unix domain socket instead of a TCP port for communication. + - *Default*: `false` + +- **storagepath**: + - *Type*: `String` + - *Description*: Defines the directory path where uploaded files are stored. Ensure this path exists and has appropriate permissions. + - *Default*: `"/path/to/hmac-file-server/data/"` + +- **loglevel**: + - *Type*: `String` + - *Description*: Sets the verbosity level of logs. + - *Options*: `"debug"`, `"info"`, `"warn"`, `"error"` + - *Default*: `"debug"` + +- **logfile**: + - *Type*: `String` + - *Description*: Specifies the file path for logging. If left empty, logs are output to `stdout`. + - *Default*: `"/path/to/hmac-file-server.log"` + +- **metricsenabled**: + - *Type*: `Boolean` + - *Description*: Enables or disables the Prometheus metrics endpoint. + - *Default*: `true` + +- **metricsport**: + - *Type*: `String` + - *Description*: Defines the port on which Prometheus metrics are exposed. + - *Default*: `"9090"` + +- **deduplicationenabled**: + - *Type*: `Boolean` + - *Description*: Enables or disables file deduplication to optimize storage usage. + - *Default*: `true` + +- **minfreebytes**: + - *Type*: `String` + - *Description*: Specifies the minimum free disk space required for the server to operate effectively. + - *Default*: `"5GB"` + +- **filettl**: + - *Type*: `String` + - *Description*: Sets the default Time-to-Live (TTL) for files, determining how long files are retained before deletion. + - *Format*: Duration (e.g., `"2Y"` for two years) + - *Default*: `"2Y"` + +- **filettlenabled**: + - *Type*: `Boolean` + - *Description*: Enables or disables TTL checks and automatic file cleanup based on the `filettl` value. + - *Default*: `false` + +- **autoadjustworkers**: + - *Type*: `Boolean` + - *Description*: Automatically adjusts the number of worker threads based on server load and system resources. + - *Default*: `true` + +- **networkevents**: + - *Type*: `Boolean` + - *Description*: Enables detailed logging of network events, which can be useful for debugging but may increase log verbosity. + - *Default*: `false` + +- **pidfilepath**: + - *Type*: `String` + - *Description*: Specifies the file path where the server writes its Process ID (PID) file. This is useful for managing the server process. + - *Default*: `"./hmac-file-server.pid"` + +- **precaching**: + - *Type*: `Boolean` + - *Description*: Enables pre-caching of file structures on startup to improve access speed and performance. + - *Default*: `true` + +- **forceprotocol**: + - *Type*: `String` + - *Description*: Specifies the network protocol to use for server communication. + - `"ipv4"`: Forces the server to use IPv4. + - `"ipv6"`: Forces the server to use IPv6. + - `"auto"`: Uses the system's default behavior (dual-stack). + - *Default*: `"auto"` + +--- + +### Deduplication Settings + +```toml +# Deduplication settings +[deduplication] +enabled = true +directory = "/path/to/hmac-file-server/deduplication/" # Path to deduplication metadata store +``` + +#### Configuration Options + +- **enabled**: + - *Type*: `Boolean` + - *Description*: Enables or disables the deduplication feature, which helps in eliminating duplicate files to save storage space. + - *Default*: `true` + +- **directory**: + - *Type*: `String` + - *Description*: Specifies the directory path where deduplication metadata is stored. Ensure this directory exists and has appropriate permissions. + - *Default*: `"/path/to/hmac-file-server/deduplication/"` + +--- + +### ISO Settings + +```toml +# ISO settings +[iso] +enabled = false +size = "1TB" # Maximum ISO size +mountpoint = "/path/to/hmac-file-server/iso/" # ISO mount point +charset = "utf-8" # Filesystem character set encoding +``` + +#### Configuration Options + +- **enabled**: + - *Type*: `Boolean` + - *Description*: Enables or disables the mounting of an ISO-based filesystem for specialized storage needs. + - *Default*: `false` + +- **size**: + - *Type*: `String` + - *Description*: Defines the maximum allowed size for the ISO container. + - *Default*: `"1TB"` + +- **mountpoint**: + - *Type*: `String` + - *Description*: Specifies the directory path where the ISO is mounted. Ensure this path exists and has appropriate permissions. + - *Default*: `"/path/to/hmac-file-server/iso/"` + +- **charset**: + - *Type*: `String` + - *Description*: Sets the filesystem character set encoding for the ISO. + - *Default*: `"utf-8"` + +> **Note**: Ensure only one `[iso]` block is active in your `config.toml` to avoid configuration conflicts. + +--- + +### Timeout Settings + +```toml +# Timeout settings +[timeouts] +readtimeout = "3600s" # Maximum time to read a request +writetimeout = "3600s" # Maximum time to write a response +idletimeout = "3600s" # Maximum keep-alive time for idle connections +``` + +#### Configuration Options + +- **readtimeout**: + - *Type*: `String` + - *Description*: Sets the maximum duration for reading the entire request, including the body. + - *Format*: Duration (e.g., `"3600s"` for one hour) + - *Default*: `"3600s"` + +- **writetimeout**: + - *Type*: `String` + - *Description*: Defines the maximum duration before timing out writes of the response. + - *Format*: Duration (e.g., `"3600s"` for one hour) + - *Default*: `"3600s"` + +- **idletimeout**: + - *Type*: `String` + - *Description*: Specifies the maximum amount of time to wait for the next request when keep-alives are enabled. + - *Format*: Duration (e.g., `"3600s"` for one hour) + - *Default*: `"3600s"` + +--- + +### Security Configuration + +```toml +# Security settings +[security] +secret = "your-secure-secret-key" # HMAC shared secret key (change to a secure value) +enablejwt = false # Enable JWT authentication +jwtsecret = "your-jwt-secret" # JWT signing secret +jwtalgorithm = "HS256" # JWT algorithm +jwtexpiration = "24h" # JWT token expiration +``` + +#### Configuration Options + +- **secret**: + - *Type*: `String` + - *Description*: The HMAC shared secret key used for signing requests and operations. + - *Default*: `"your-secure-secret-key"` + - *Warning*: **Change this immediately** to a unique, strong string in production environments to ensure the security of HMAC operations. + +- **enablejwt**: + - *Type*: `Boolean` + - *Description*: Enables or disables JWT token authentication. When enabled, the server will accept JWT tokens for authentication. + - *Default*: `false` + +- **jwtsecret**: + - *Type*: `String` + - *Description*: The secret key used for signing and validating JWT tokens. Must be strong and secure. + - *Default*: `"your-jwt-secret"` + +- **jwtalgorithm**: + - *Type*: `String` + - *Description*: The algorithm used for JWT token signing. + - *Options*: `"HS256"`, `"HS384"`, `"HS512"` + - *Default*: `"HS256"` + +- **jwtexpiration**: + - *Type*: `String` + - *Description*: The expiration time for JWT tokens. + - *Format*: Duration (e.g., `"24h"` for 24 hours, `"30m"` for 30 minutes) + - *Default*: `"24h"` + +--- + +### Versioning Settings + +```toml +# Versioning settings +[versioning] +enableversioning = false +maxversions = 1 # Number of file versions to retain +``` + +#### Configuration Options + +- **enableversioning**: + - *Type*: `Boolean` + - *Description*: Enables or disables the versioning feature, which maintains multiple versions of the same file. + - *Default*: `false` + +- **maxversions**: + - *Type*: `Integer` + - *Description*: Specifies the maximum number of versions to retain for each file. + - *Default*: `1` + +--- + +### Logging Configuration + +```toml +# Logging settings +[logging] +level = "debug" +file = "/path/to/hmac-file-server.log" +max_size = 100 # Maximum log file size in MB +max_backups = 7 # Number of backup log files to keep +max_age = 30 # Maximum age of log files in days +compress = true # Compress old log files +``` + +#### Configuration Options + +- **level**: + - *Type*: `String` + - *Description*: Sets the verbosity level of logs. + - *Options*: `"debug"`, `"info"`, `"warn"`, `"error"` + - *Default*: `"debug"` + +- **file**: + - *Type*: `String` + - *Description*: Specifies the file path for logging. If left empty, logs are output to `stdout`. + - *Default*: `"/path/to/hmac-file-server.log"` + +- **max_size**: + - *Type*: `Integer` + - *Description*: Maximum size of log files before rotation (in MB). + - *Default*: `100` + +- **max_backups**: + - *Type*: `Integer` + - *Description*: Number of backup log files to retain after rotation. + - *Default*: `7` + +- **max_age**: + - *Type*: `Integer` + - *Description*: Maximum age of log files in days before deletion. + - *Default*: `30` + +- **compress**: + - *Type*: `Boolean` + - *Description*: Whether to compress old log files with gzip. + - *Default*: `true` + +--- + +### Uploads Configuration + +```toml +# Upload settings +[uploads] +resumableuploadsenabled = false +chunkeduploadsenabled = true +chunksize = "32MB" # Chunk size for uploads +allowedextensions = [ + ".txt", ".pdf", ".png", ".jpg", ".jpeg", ".gif", + ".mpeg", ".mpg", ".m4v", ".3gp", ".3g2", ".mp3", ".ogg" +] +``` + +#### Configuration Options + +- **resumableuploadsenabled**: + - *Type*: `Boolean` + - *Description*: Enables or disables support for resumable (chunked) file uploads. + - *Default*: `false` + +- **chunkeduploadsenabled**: + - *Type*: `Boolean` + - *Description*: Specifically enables or disables chunked uploads. + - *Default*: `true` + +- **chunksize**: + - *Type*: `String` + - *Description*: Defines the size of each chunk in chunked uploads. + - *Format*: Size (e.g., `"32MB"`) + - *Default*: `"32MB"` + +- **allowedextensions**: + - *Type*: `Array of Strings` + - *Description*: Lists the file extensions permitted for upload. + - *Default*: + ```toml + allowedextensions = [ + ".txt", ".pdf", ".png", ".jpg", ".jpeg", ".gif", + ".mpeg", ".mpg", ".m4v", ".3gp", ".3g2", ".mp3", ".ogg" + ] + ``` + +--- + +### Downloads Configuration + +```toml +# Downloads settings +[downloads] +resumabledownloadsenabled = false +chunkeddownloadsenabled = true +chunksize = "32MB" +``` + +#### Configuration Options + +- **resumabledownloadsenabled**: + - *Type*: `Boolean` + - *Description*: Enables or disables support for resumable (chunked) downloads. + - *Default*: `false` + +- **chunkeddownloadsenabled**: + - *Type*: `Boolean` + - *Description*: Specifically enables or disables chunked downloads. + - *Default*: `true` + +- **chunksize**: + - *Type*: `String` + - *Description*: Defines the size of each chunk in chunked downloads. + - *Format*: Size (e.g., `"32MB"`) + - *Default*: `"32MB"` + +> **Note**: Downloads inherit allowed extensions from the uploads configuration. There is no separate `allowedextensions` setting for downloads. + +--- + +### ClamAV Settings + +```toml +# ClamAV settings +[clamav] +clamavenabled = true +clamavsocket = "/path/to/clamav/clamd.ctl" # Path to ClamAV socket +numscanworkers = 4 # Number of concurrent scan workers +scanfileextensions = [ + ".exe", ".dll", ".bin", ".com", ".bat", + ".sh", ".php", ".js" +] +``` + +#### Configuration Options + +- **clamavenabled**: + - *Type*: `Boolean` + - *Description*: Enables or disables ClamAV integration for virus scanning of uploaded files. + - *Default*: `true` + +- **clamavsocket**: + - *Type*: `String` + - *Description*: Specifies the file path to the ClamAV socket (`.ctl` file). Ensure ClamAV is installed and the socket path is correct. + - *Default*: `"/path/to/clamav/clamd.ctl"` + +- **numscanworkers**: + - *Type*: `Integer` + - *Description*: Sets the number of concurrent workers dedicated to scanning files with ClamAV. + - *Default*: `4` + +- **scanfileextensions**: + - *Type*: `Array of Strings` + - *Description*: Lists the file extensions that should be scanned for viruses. + - *Default*: + ```toml + scanfileextensions = [ + ".exe", ".dll", ".bin", ".com", ".bat", + ".sh", ".php", ".js" + ] + ``` + +--- + +### Redis Settings + +```toml +# Redis settings +[redis] +redisenabled = true +redisdbindex = 0 +redisaddr = "localhost:6379" # Redis server address +redispassword = "" # Redis password if required +redishealthcheckinterval = "120s" # Interval for Redis health checks +``` + +#### Configuration Options + +- **redisenabled**: + - *Type*: `Boolean` + - *Description*: Enables or disables Redis integration for caching or session tracking. + - *Default*: `true` + +- **redisaddr**: + - *Type*: `String` + - *Description*: Specifies the address of the Redis server (e.g., `"localhost:6379"`). + - *Default*: `"localhost:6379"` + +- **redispassword**: + - *Type*: `String` + - *Description*: Sets the Redis authentication password, if required. + - *Default*: `""` + +- **redisdbindex**: + - *Type*: `Integer` + - *Description*: Specifies the Redis database index to use. + - *Default*: `0` + +- **redishealthcheckinterval**: + - *Type*: `String` + - *Description*: Defines the interval for performing health checks on the Redis connection. + - *Format*: Duration (e.g., `"120s"` for two minutes) + - *Default*: `"120s"` + +--- + +### Workers Configuration + +```toml +# Workers settings +[workers] +numworkers = 10 # Number of worker threads +uploadqueuesize = 5000 # Size of upload queue +``` + +#### Configuration Options + +- **numworkers**: + - *Type*: `Integer` + - *Description*: Specifies the number of worker threads to handle file operations. + - *Default*: `10` + +- **uploadqueuesize**: + - *Type*: `Integer` + - *Description*: Sets the size of the upload queue buffer. + - *Default*: `5000` + +--- + +#### Configuration Options + +- **maxfilesize**: + - *Type*: `String` + - *Description*: Defines the maximum allowed file size for uploads. + - *Format*: Size (e.g., `"10GB"`) + - *Default*: `"10GB"` + +--- + +## Configuration Validation + +The HMAC File Server v3.2 includes a comprehensive configuration validation system with specialized command-line flags for different validation scenarios. + +### Available Validation Flags + +#### Core Validation Commands + +**`--validate-config`** +- **Purpose**: Full comprehensive validation of all configuration sections +- **Usage**: `./hmac-file-server --validate-config` +- **Output**: Complete validation report with all errors and warnings + +```bash +# Example +./hmac-file-server -config config.toml --validate-config +``` + +**`--test-config`** +- **Purpose**: Run predefined configuration test scenarios +- **Usage**: `./hmac-file-server --test-config` +- **Output**: Test scenario results for configuration validation + +#### Specialized Validation Modes + +**`--check-security`** +- **Purpose**: Security-focused validation only +- **Checks**: Secret strength, default values, JWT algorithms, network exposure, file permissions +- **Example**: `./hmac-file-server -config config.toml --check-security` + +**`--check-performance`** +- **Purpose**: Performance-focused validation only +- **Checks**: Worker optimization, memory usage, timeout balance, large file handling +- **Example**: `./hmac-file-server -config config.toml --check-performance` + +**`--check-connectivity`** +- **Purpose**: Network connectivity validation only +- **Checks**: Redis connections, ClamAV sockets, address validation, DNS resolution +- **Example**: `./hmac-file-server -config config.toml --check-connectivity` + +#### Output Control Flags + +**`--validate-quiet`** +- **Purpose**: Minimal output, returns only exit codes +- **Usage**: Perfect for automation and scripts + +**`--validate-verbose`** +- **Purpose**: Detailed output with comprehensive analysis +- **Usage**: Best for troubleshooting and development + +**`--check-fixable`** +- **Purpose**: Show only issues that can be automatically fixed +- **Usage**: Helps prioritize configuration improvements + +### Validation Categories + +#### Security Checks (6 categories) +- Secret strength analysis +- Default value detection +- Algorithm recommendations +- Network exposure warnings +- File permission analysis +- Debug logging security + +#### Performance Checks (5 categories) +- Resource optimization +- Memory usage analysis +- Timeout balancing +- Large file preparation +- Configuration efficiency + +#### Connectivity Checks (4 categories) +- Service connectivity +- Socket accessibility +- Address validation +- DNS resolution + +#### System Checks (5 categories) +- CPU availability +- Memory monitoring +- Disk space validation +- Permission testing +- Resource constraints + +### Integration Examples + +#### Shell Script Integration +```bash +#!/bin/bash +CONFIG_FILE="/etc/hmac-file-server/config.toml" + +echo "🔍 Validating HMAC File Server configuration..." + +# Run validation +if ./hmac-file-server -config "$CONFIG_FILE" --validate-config; then + echo "✅ Configuration validation passed" + + # Additional specific checks + echo "🔐 Running security audit..." + ./hmac-file-server -config "$CONFIG_FILE" --check-security + + echo "⚡ Checking performance settings..." + ./hmac-file-server -config "$CONFIG_FILE" --check-performance +else + echo "❌ Configuration validation failed" + echo "💡 Try: ./hmac-file-server -config $CONFIG_FILE --check-fixable" + exit 1 +fi +``` + +#### Docker Integration +```dockerfile +# Add validation step to Dockerfile +RUN ./hmac-file-server -config /etc/config.toml --validate-config && \ + ./hmac-file-server -config /etc/config.toml --check-security +``` + +#### Kubernetes Health Check +```yaml +livenessProbe: + exec: + command: + - /usr/local/bin/hmac-file-server + - -config + - /etc/config/config.toml + - --validate-quiet + initialDelaySeconds: 30 + periodSeconds: 60 +``` + +The enhanced command-line validation system provides comprehensive coverage with 50+ validation checks across all configuration areas, making HMAC File Server v3.2 production-ready with enterprise-grade configuration management. + +--- + +## Example Configuration + +Below is an example `config.toml` file with default settings: + +```toml +# Example HMAC File Server configuration + +# Server configuration +listenport = "8080" +bind_ip = "0.0.0.0" +unixsocket = false +storagepath = "/path/to/hmac-file-server/data/" +metricsenabled = true +metricsport = "9090" +deduplicationenabled = true +minfreebytes = "5GB" +filettl = "2Y" +filettlenabled = false +autoadjustworkers = true +networkevents = false +pidfilepath = "./hmac-file-server.pid" +precaching = true +filenaming = "HMAC" +forceprotocol = "auto" + +# Logging settings +[logging] +level = "debug" +file = "/path/to/hmac-file-server.log" +max_size = 100 +max_backups = 7 +max_age = 30 +compress = true + +# Deduplication settings +[deduplication] +enabled = true +directory = "/path/to/hmac-file-server/deduplication/" + +# ISO settings +[iso] +enabled = false +size = "1TB" +mountpoint = "/path/to/hmac-file-server/iso/" +charset = "utf-8" + +# Timeout settings +[timeouts] +readtimeout = "3600s" +writetimeout = "3600s" +idletimeout = "3600s" + +# Security settings +[security] +secret = "your-secure-secret-key" +enablejwt = false +jwtsecret = "your-jwt-secret" +jwtalgorithm = "HS256" +jwtexpiration = "24h" + +# Versioning settings +[versioning] +enableversioning = false +maxversions = 1 + +# Upload settings +[uploads] +resumableuploadsenabled = false +chunkeduploadsenabled = true +chunksize = "32MB" +allowedextensions = [ + ".txt", ".pdf", ".png", ".jpg", ".jpeg", ".gif", + ".bmp", ".tiff", ".svg", ".webp", ".wav", ".mp4", + ".avi", ".mkv", ".mov", ".wmv", ".flv", ".webm", + ".mpeg", ".mpg", ".m4v", ".3gp", ".3g2", ".mp3", ".ogg" +] + +# Download settings +[downloads] +resumabledownloadsenabled = false +chunkeddownloadsenabled = true +chunksize = "32MB" + +# ClamAV settings +[clamav] +clamavenabled = true +clamavsocket = "/path/to/clamav/clamd.ctl" +numscanworkers = 4 +scanfileextensions = [ + ".exe", ".dll", ".bin", ".com", ".bat", + ".sh", ".php", ".js" +] + +# Redis settings +[redis] +redisenabled = true +redisdbindex = 0 +redisaddr = "localhost:6379" +redispassword = "" +redishealthcheckinterval = "120s" + +# Workers settings +[workers] +numworkers = 10 +uploadqueuesize = 5000 +``` + +--- + +## Setup Instructions + +### 1. HMAC File Server Installation + +To install the HMAC File Server, follow these steps: + +1. Clone the repository: + ```sh + git clone https://git.uuxo.net/uuxo/hmac-file-server.git + cd hmac-file-server + ``` + +2. Build the server: + ```sh + go build -o hmac-file-server ./cmd/server/main.go + ``` + +3. Create the necessary directories: + ```sh + mkdir -p /path/to/hmac-file-server/data/ + mkdir -p /path/to/hmac-file-server/deduplication/ + mkdir -p /path/to/hmac-file-server/iso/ + ``` + +4. Copy the example configuration file: + ```sh + cp config.example.toml config.toml + ``` + +5. Edit the `config.toml` file to match your environment and preferences. + +6. Start the server: + ```sh + ./hmac-file-server -config config.toml + ``` + +### 2. Reverse Proxy Configuration + +To set up a reverse proxy for the HMAC File Server, you can use either Apache2 or Nginx. Below are the configuration examples for both. + +#### Apache2 Reverse Proxy + +1. Enable the necessary Apache2 modules: + ```sh + sudo a2enmod proxy + sudo a2enmod proxy_http + sudo a2enmod headers + sudo a2enmod rewrite + ``` + +2. Create a new virtual host configuration file: + ```sh + sudo nano /etc/apache2/sites-available/hmac-file-server.conf + ``` + +3. Add the following configuration to the file: + ```apache + + ServerName your-domain.com + + ProxyPreserveHost On + ProxyPass / http://localhost:8080/ + ProxyPassReverse / http://localhost:8080/ + + + Require all granted + Header always set X-Content-Type-Options "nosniff" + Header always set X-Frame-Options "DENY" + Header always set X-XSS-Protection "1; mode=block" + + + ``` + +4. Enable the new site and restart Apache2: + ```sh + sudo a2ensite hmac-file-server.conf + sudo systemctl restart apache2 + ``` + +#### Nginx Reverse Proxy + +1. Install Nginx if not already installed: + ```sh + sudo apt-get update + sudo apt-get install nginx + ``` + +2. Create a new server block configuration file: + ```sh + sudo nano /etc/nginx/sites-available/hmac-file-server + ``` + +3. Add the following configuration to the file: + ```nginx + server { + listen 80; + server_name your-domain.com; + + location / { + proxy_pass http://localhost:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Content-Type-Options "nosniff"; + proxy_set_header X-Frame-Options "DENY"; + proxy_set_header X-XSS-Protection "1; mode=block"; + } + } + ``` + +4. Enable the new site and restart Nginx: + ```sh + sudo ln -s /etc/nginx/sites-available/hmac-file-server /etc/nginx/sites-enabled/ + sudo systemctl restart nginx + ``` + +--- + +### Proxy Best Practices & Recommendations + +For production deployments, consider the following reverse proxy best practices: + +- **Timeouts**: Set reasonable timeouts (e.g., `proxy_read_timeout 300;` in Nginx) to avoid hanging connections. +- **Buffer Sizes**: Increase buffer sizes for large file uploads/downloads if needed (e.g., `client_max_body_size 2G;` in Nginx). +- **Headers**: Always set security headers (`X-Content-Type-Options`, `X-Frame-Options`, `X-XSS-Protection`). +- **Forwarded Headers**: Ensure `X-Forwarded-For` and `X-Forwarded-Proto` are set for correct client IP and protocol logging. +- **HTTP/2**: Enable HTTP/2 for better performance if supported by your proxy and clients. +- **SSL/TLS**: Terminate SSL at the proxy and use strong ciphers. Redirect HTTP to HTTPS. +- **Health Checks**: Configure health checks for the backend server to enable automatic failover or alerting. +- **Access Controls**: Restrict access to the management endpoints (e.g., `/metrics`) to trusted IPs only. + +See the official Nginx and Apache documentation for more advanced tuning options. + +--- + +#### 3. ejabberd Configuration + +```yaml +hosts: + - "your-domain.com" + +listen: + - + port: 5222 + module: ejabberd_c2s + certfile: "/etc/ejabberd/ejabberd.pem" + starttls: true + starttls_required: true + protocol_options: + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + ciphers: "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + dhfile: "/etc/ejabberd/dhparams.pem" + max_stanza_size: 65536 + shaper: c2s_shaper + access: c2s + + - + port: 5269 + module: ejabberd_s2s_in + certfile: "/etc/ejabberd/ejabberd.pem" + starttls: true + starttls_required: true + protocol_options: + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + ciphers: "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + dhfile: "/etc/ejabberd/dhparams.pem" + max_stanza_size: 131072 + shaper: s2s_shaper + access: s2s + +acl: + local: + user_regexp: "" + +access_rules: + local: + allow: local + +mod_http_upload: + max_size: 1073741824 + thumbnail: true + put_url: https://share.uuxo.net + get_url: https://share.uuxo.net + external_secret: "changeme" + custom_headers: + "Access-Control-Allow-Origin": "*" + "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" + "Access-Control-Allow-Headers": "Content-Type" +``` + +4. Restart ejabberd: + ```sh + sudo systemctl restart ejabberd + ``` + +### 4. Systemd Service Setup + +To set up the HMAC File Server as a systemd service, follow these steps: + +1. Create a new systemd service file: + ```sh + sudo nano /etc/systemd/system/hmac-file-server.service + ``` + +2. Add the following configuration to the file: + ```ini + [Unit] + Description=HMAC File Server + After=network.target + + [Service] + ExecStart=/path/to/hmac-file-server -config /path/to/config.toml + WorkingDirectory=/path/to/hmac-file-server + Restart=always + User=www-data + Group=www-data + + [Install] + WantedBy=multi-user.target + ``` + +3. Reload systemd and enable the service: + ```sh + sudo systemctl daemon-reload + sudo systemctl enable hmac-file-server + sudo systemctl start hmac-file-server + ``` + +--- + +## Running with Docker & Docker Compose + +You can run the HMAC File Server using Docker and Docker Compose for easy deployment and environment management. + +### Automated Docker Deployment (Recommended) + +The easiest way to deploy with Docker is using the automated installer: + +```bash +git clone https://git.uuxo.net/uuxo/hmac-file-server.git +cd hmac-file-server +sudo ./installer.sh +``` + +When prompted, select **Option 2: Docker deployment (docker-compose)**. The installer will: +- Create a complete docker-compose.yml with Redis and ClamAV services +- Generate an optimized multi-stage Dockerfile +- Set up proper networking between services +- Create start/stop scripts (`start.sh`, `stop.sh`) +- Configure container-optimized configuration +- Provide an isolated deployment directory structure + +After installation, manage your deployment with: +```bash +cd /path/to/your/deployment/directory +./start.sh # Start all services +./stop.sh # Stop all services +``` + +### Manual Docker Compose Setup + +### Manual Docker Compose Setup + +For manual Docker setup without the installer, use this docker-compose.yml: + +```yaml +version: '3.8' + +services: + hmac-file-server: + image: ghcr.io/plusone/hmac-file-server:latest + ports: + - "8080:8080" + volumes: + - ./config:/etc/hmac-file-server + - ./data/uploads:/opt/hmac-file-server/data/uploads + - ./data/duplicates:/opt/hmac-file-server/data/duplicates + - ./data/temp:/opt/hmac-file-server/data/temp + - ./data/logs:/opt/hmac-file-server/data/logs + environment: + - CONFIG_PATH=/etc/hmac-file-server/config.toml + restart: unless-stopped +``` + +**Key paths:** +- `/etc/hmac-file-server/config.toml`: Main config file (mount your config here) +- `/opt/hmac-file-server/data/uploads`: Upload storage +- `/opt/hmac-file-server/data/duplicates`: Deduplication data +- `/opt/hmac-file-server/data/temp`: Temporary files +- `/opt/hmac-file-server/data/logs`: Log files + +### Docker Build + +The official Dockerfile supports multi-stage builds for minimal images: + +```dockerfile +# Stage 1: Build +FROM golang:1.24-alpine AS builder + +WORKDIR /build +RUN apk add --no-cache git +COPY go.mod go.sum ./ +RUN go mod download +COPY . . +RUN CGO_ENABLED=0 go build -o hmac-file-server ./cmd/server/main.go + +# Stage 2: Runtime +FROM alpine:latest + +RUN apk --no-cache add ca-certificates + +RUN mkdir -p /opt/hmac-file-server/data/uploads \ + && mkdir -p /opt/hmac-file-server/data/duplicates \ + && mkdir -p /opt/hmac-file-server/data/temp \ + && mkdir -p /opt/hmac-file-server/data/logs + +WORKDIR /opt/hmac-file-server + +COPY --from=builder /build/hmac-file-server . + +EXPOSE 8080 + +CMD ["./hmac-file-server", "--config", "/etc/hmac-file-server/config.toml"] +``` + +### Example Docker Config + +A sample `config.toml` for Docker deployments: + +```toml +[server] +listenport = "8080" +unixsocket = false +storagepath = "/opt/hmac-file-server/data/uploads" +metricsenabled = true +metricsport = "9090" +deduplicationenabled = true +minfreebytes = "5GB" +filettl = "2y" +filettlenabled = false +autoadjustworkers = true +networkevents = false +pidfilepath = "./hmac-file-server.pid" +precaching = false + +[deduplication] +enabled = true +directory = "/opt/hmac-file-server/data/duplicates" + +[logging] +level = "debug" +file = "./hmac-file-server.log" +max_size = 100 +max_backups = 7 +max_age = 30 +compress = true + +[iso] +enabled = false +size = "1TB" +mountpoint = "/mnt/nfs_vol01/hmac-file-server/iso/" +charset = "utf-8" + +[timeouts] +readtimeout = "3600s" +writetimeout = "3600s" +idletimeout = "3600s" + +[security] +secret = "hmac-file-server-is-the-win" + +[versioning] +enableversioning = false +maxversions = 1 + +[uploads] +resumableuploadsenabled = false +chunkeduploadsenabled = true +chunksize = "32MB" +allowedextensions = [ + ".txt", ".pdf", ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".tiff", ".svg", ".webp", + ".wav", ".mp4", ".avi", ".mkv", ".mov", ".wmv", ".flv", ".webm", ".mpeg", ".mpg", + ".m4v", ".3gp", ".3g2", ".mp3", ".ogg" +] + +[downloads] +chunkeddownloadsenabled = false +chunksize = "32MB" +allowedextensions = [ + ".txt", ".pdf", ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".tiff", ".svg", ".webp", + ".wav", ".mp4", ".avi", ".mkv", ".mov", ".wmv", ".flv", ".webm", ".mpeg", ".mpg", + ".m4v", ".3gp", ".3g2", ".mp3", ".ogg" +] + +[clamav] +clamavenabled = false +clamavsocket = "/var/run/clamav/clamd.ctl" +numscanworkers = 4 +scanfileextensions = [".exe", ".dll", ".bin", ".com", ".bat", ".sh", ".php", ".js"] + +[redis] +redisenabled = false +redisdbindex = 0 +redisaddr = "localhost:6379" +redispassword = "" +redishealthcheckinterval = "120s" + +[workers] +numworkers = 4 +uploadqueuesize = 5000 + +[file] +filerevision = 1 +``` + +### Quickstart with Docker Compose + +1. Place your `config.toml` in the `./config` directory. +2. Run: + +```zsh +docker compose up -d +``` + +3. The server will be available on `http://localhost:8080`. + +---