
Show HN: YouTransfer – Self-hosted file sharing - rbolte
http://www.youtransfer.io
======
rbolte
YouTransfer is a simple but elegant self-hosted file transfer & sharing
solution. It is an alternative to paid services like Dropbox and WeTransfer by
offering similar features but without limitations, price plans and a lengthy
privacy policy. You remain in control of your files.

Created to be installed behind the firewall on private servers, YouTransfer
aims to empower organisations and individuals that wish to combine easy-to-use
file transfer tooling with security and control.

You can watch a live demo at
[http://demo.youtransfer.io](http://demo.youtransfer.io)

If you want to see it in action on your own environment, you can use the
Docker image
([https://hub.docker.com/r/remie/youtransfer/](https://hub.docker.com/r/remie/youtransfer/))
or NPM package
([https://www.npmjs.com/package/youtransfer](https://www.npmjs.com/package/youtransfer))

~~~
daave
Sounds fairly similar to bradfitz's Camlistore
([https://camlistore.org/](https://camlistore.org/)).

If you're familiar with that project, could you comment on the main
differences in YouTransfer?

~~~
rbolte
I'm not familiar with Camlistore, but a first glance at the project website
tells me that it has way more features and serves a different goal.

YouTransfer is basically a very simple hit & run file sharing application. The
goal is to make uploading & sharing files a matter of 2-3 clicks. The files
will be stored with a configurable retention time and will be deleted from the
server after they expire.

YouTransfer is not meant to help you organise your digital life, or have
access to all your files remotely. It will only help you share files in a more
convenient way compared to SFTP or email.

------
dchest
If I read it correctly, this is how a file token is generated, which is
supposed to be secure:

    file.id = md5(file.name + (Math.random() * 1000));

First of all please do not use MD5 for anything anymore, it has known
collisions. But you shouldn't also use any hash functions here at all: just
generate a long enough random token. Math.random is not a secure PRNG, use
crypto.randomBytes in Node or window.crypto.getRandomValues in browsers.

PS And multiplication by 1000... is it just for fun?

~~~
rbolte
Thanks for scrutinising the codebase! You are absolutely right that there is
no need for creating a hash. This was just plain laziness on my part. I've
created an issue
([https://github.com/remie/YouTransfer/issues/101](https://github.com/remie/YouTransfer/issues/101))
to change the token generation.

~~~
tokenizerrr
Just to reiterate what dchest said, you should _never_ use MD5 anymore, even
if you do intend to hash something. MD5 is broken and should not be used
for anything anymore.

~~~
nsgi
What about Gravatar?

~~~
Sir_Substance
Please just stop using it? It's the feature no one asked for.

~~~
scrollaway
I am not a very important person but I certainly ask for it, and I'd like you
to stop discarding me and my "kind" as "no one".

~~~
hobs
Do you ask for that with the awareness that gravatar then gets to track your
presence around the internet for the cost of a tiny picture?

I would rather have less ad tracking pixels on someone else's websites if
possible, but I am genuinely interested in the value that gravatar provides to
people who like the service.

~~~
scrollaway
There's a lot of things that can track presence around the web and gravatar's
not one of them. Iff you decide to implement gravatar without mirroring their
images, avatars are indeed loaded on their first query (and not subsequent
ones) and, _god knows what they're doing with that information ohgod_. They
certainly can't "track my presence around the web", though - no js means no
fingerprinting, no tracking cookie, nothing. Juuuust a blind IP address.

But the recommended way is to prefetch the avatars directly from your server
and offer them on your own cdn.

As for the value it provides, well for one thing I pretty much never have to
upload my avatar to websites anymore - it's an avatar attached to my email
addresses instead and that's very nice. _Of course_ I'd prefer a proper
identity protocol but nobody's _working_ on one. If you want to, be my
guest...

~~~
hobs
I think we disagree on one basic topic, I don't want an easily distinguishable
identity to track across the internet.

I would rather external actors (say gravatar does nothing wrong) not be able
to identify which email address I use on a site they do not own, and not be
able to track my user signups by something that might be public information,
which generally a site does not advertise.

It just feels wrong.

~~~
scrollaway
Unlike every actual tracker on the internet, Gravatar is opt-in. Things like
google analytics, facebook like button/tweet button etc, they are all opt-out.

------
StavrosK
It's a different use case, but I love magic wormhole for directly and securely
sending files to people:

[https://github.com/warner/magic-wormhole](https://github.com/warner/magic-wormhole)

It's file sending from 1995.

------
noonespecial
Might I suggest that you split the folders up in your uploads.

0b692a00635682fabc78b6a50655242c.binary gets stored, for example in
"./uploads/0b/69/2a/0b692a00635682fabc78b6a50655242c.binary" etc. Too many
files in one dir can have problems or be slow.

~~~
rbolte
Good suggestion! I've added an issue on GitHub
([https://github.com/remie/YouTransfer/issues/106](https://github.com/remie/YouTransfer/issues/106)).

BTW: normally the files will expire within a specific timeframe and will be
removed by a scheduled cleanup process. This should limit the impact, but if
the system is heavily used it might become a problem.

------
adnanh
You might want to fix the XSS [1] on the page and prevent the path traversal
(try typing ../config in download input)

[1] XSS Example:
[http://demo.youtransfer.io/download/%3Cscript%3Ealert(%27xss...](http://demo.youtransfer.io/download/%3Cscript%3Ealert\(%27xss%27\)%3B%3C%2Fscript%3E)

~~~
rbolte
Good catch! The XSS error was introduced with the implementation of error
handling, but is a really unwanted side effect :)

I've created two issues on GitHub
([https://github.com/remie/YouTransfer/issues/107](https://github.com/remie/YouTransfer/issues/107),
[https://github.com/remie/YouTransfer/issues/108](https://github.com/remie/YouTransfer/issues/108))
which will be fixed in a new hotfix release asap.

------
Sir_Cmpwn
I made this once pomf.se went down:

[https://github.com/SirCmpwn/sr.ht](https://github.com/SirCmpwn/sr.ht)

pomf.se was my replacement after my own hosting service, MediaCrush, went
down.

~~~
ParadoxOryx
I've been searching for a pomf.se replacement for some time now, so this is
great! Can I request an account?

~~~
Sir_Cmpwn
I would prefer if you ran it on your own infrastructure.

------
thenomad
Oh, thank goodness. I was looking for a solution like this less than a month
ago and couldn't find ANYTHING usable.

Much appreciated, added to my list o' useful things.

~~~
rbolte
Thanks! I'm glad I could help :)

------
rbolte
Released version 1.0.3 which fixes the XSS and path traversal security issues
(as well as 3 other issues, see
[https://github.com/remie/YouTransfer/issues?q=milestone%3A1....](https://github.com/remie/YouTransfer/issues?q=milestone%3A1.0.3)
for more info)

------
stevekemp
These kind of projects are a lot of fun. I wrote a simple one, in Ruby, using
Sinatra here:

[https://github.com/skx/web-file-publisher](https://github.com/skx/web-file-publisher)

But then as an experiment I wrote another which uses TOTP to authenticate
uploads, so you can upload a file directly via CURL with a suitable TOTP
device. This is written in golang:

[https://github.com/skx/go-experiments/tree/master/publishr](https://github.com/skx/go-experiments/tree/master/publishr)

Using TOTP limits compromise if your upload is sniffed, although I run it
behind SSL so I'm protected against that regardless.

Interesting project though; and I like that you can deploy it via Docker.

~~~
rbolte
Thanks!

------
amelius
I've just seen the demo. What about security? Can anybody just "dump" files on
your server?

Also, when people run this at home on their home computers there is limited
upload speed (typically 1/10th of the download speed).

~~~
rbolte
Basically... yeah, if you do not take any additional security measures,
anybody can just "dump" files on your server.

You could opt for the S3 storage provider, which will dump the files to Amazon
AWS instead.

The YouTransfer project does not implement access control or SSL, so it is
highly recommended that you look at the hosting options on the Wiki
([https://github.com/remie/YouTransfer/wiki/hosting](https://github.com/remie/YouTransfer/wiki/hosting)).

I'm afraid there is not much the project can do concerning upload speeds of
individual connections at home :)

~~~
teekert
This is very nice! Personally I'd really like some kind of login for the
uploader so I can offer this service to friends and family (and myself ;))
without the risk of someone discovering the url and using it as a way to
distribute illegal things... Perhaps it is easy to do with Apache/Nginx (when
the upload site is on another subdomain for example), I don't know actually.

The speeds issue can be solved by running on a cheap DO droplet or scaleway
arm server btw (my city luckily has fiber everywhere :)).

~~~
rbolte
The problem with ACL is that I'm worried it will make the project more
complex. I've added an issue on GitHub for future reference
([https://github.com/remie/YouTransfer/issues/105](https://github.com/remie/YouTransfer/issues/105))

------
Tepix
The software looks interesting, however the web page is hard to read due to
low contrast and very thin fonts.

Join [http://contrastrebellion.com/](http://contrastrebellion.com/)

~~~
rbolte
Are you referring to the generated GitHub pages on
[http://youtransfer.io](http://youtransfer.io) or to the demo instance
([http://demo.youtransfer.io](http://demo.youtransfer.io)) which is the actual
application?

~~~
fnordfnordfnord
Probably [http://www.youtransfer.io/](http://www.youtransfer.io/)

I'm having a little trouble, too. Even making the type a little bit darker
would help.

~~~
rbolte
I'm a bit hesitant to change this as I'm using the GitHub site generator for
convenience. There is a limited set of templates available, most of which are
either ugly or have readability issues. As the website basically only consists
of the README file, you can also look at the GitHub project for more
information
([https://github.com/remie/YouTransfer](https://github.com/remie/YouTransfer))

~~~
fnordfnordfnord
haha, fair enough. I just checked my github, and as you can probably guess,
I've just used their template which is pretty low-contrast.

------
Svenstaro
How does it compare to Seafile or Owncloud?

~~~
rbolte
It has less features :)

The success of services like WeTransfer or Dropbox is that it is dead simple
to use. It does one thing (sharing files) and makes this as easy as possible.

Seafile seems to be easy enough, yet still has a multitude of features
compared to YouTransfer. OwnCloud simply has a whole different goal. It's not
about sharing files, it is about organising your entire cloud presence (with
e-mail, calendar, photos, etc).

With YouTransfer, you can have the same ease-of-use but on your own terms. It
runs on your own servers, with your own (secure) storage. You are in full
control.

Given that it is also published as an NPM package, YouTransfer can be modified
to suit your specific needs. This makes it interesting for companies to
rebrand it and use it as their file-sharing system.

------
usermac
Congrats on the project. Without loading and looking myself, how are the files
accessible on the server? I ask because I'd like to have clients use this to
send ME files only. Is that an option?

~~~
rbolte
Currently, the files are stored as a flat file list on the file system using
their randomly generated token to create a [token].json and [token].binary
file. The JSON file contains meta information, the .binary file is the actual
file.

Using the default settings, you would get something like
"./uploads/0b692a00635682fabc78b6a50655242c.binary" in the application
directory.

I already have plans on making it possible to change the interface, for
instance not allowing direct download from the homepage. I could amend this
with the feature to send email notifications to the system administrator upon
successful file transfer. The combination of both would allow you to use
YouTransfer.io as a public drop box for files. Does this sound about right to
you?

~~~
usermac
Yes, it sounds as expected. Thank you again for your work.

------
Animats
The amount of infrastructure you have to deploy to use this seems
excessive.[1] You need NGrok (a commercial service) to get through NAT. You
need Docker to install. You need Heroku, Microsoft Azure, Amazon AWS or Google
Cloud to host. Then you need a reverse proxy, HAProxy, Nginx or Apache Httpd,
for some reason.

How many sysadmins does it take to screw this in?

[1]
[https://github.com/remie/YouTransfer/wiki/hosting](https://github.com/remie/YouTransfer/wiki/hosting)

~~~
rbolte
Actually... you don't _need_ any of those. It's only a suggestion. You can
also install NodeJS, download YouTransfer, set the port to 80 and run it.

However, it is highly recommended to either use Docker, a reverse proxy, any
of the PaaS providers or a combination of the above.

EDIT: I've updated the wiki with additional information on running it locally.

------
listic
How is this related to Dropzone?
[http://www.dropzonejs.com/](http://www.dropzonejs.com/)

~~~
rbolte
It's not really related. YouTransfer.io uses DropzoneJS as the file transfer
UI for javascript enabled browsers.

------
BillyParadise
Any chance for a more readable font?

~~~
rbolte
Any suggestions?

~~~
snorrah
Not San Francisco not San Francisco not San Francisco ;)

~~~
rbolte
:D

How about Proxima Nova? ([http://www.marksimonson.com/fonts/view/proxima-nova](http://www.marksimonson.com/fonts/view/proxima-nova))

------
notjk
See also transfer.sh

