Quantum safe file upload with curl Docker Container as Client and nginx/httpd Container as Server

[Pascal-T-Ripper]

Hi guys,
I tried to perform a secure file upload with the predefined docker containers from oqs. Unfortunately, it did not work. First I tried it with the nginx server. I used a normal file upload curl command together with the oqs curl container. Maybe there is the problem that the curl conatiner doesn't understand the file upload or can't execute it together with the pqc stuff. Anyway, to make this possible, I changed the configuration file of nginx. I tried many different options, but nothing worked. I don't remember all the options I tried, but I put something like this in the config file:

server {
	   location /upload/ {
		root /html;
        	autoindex on;
		limit_except POST PUT { deny all; }
		client_body_temp_path /tmp/
		client_body_buffer_size 128k;
		client_max_body_size 100M;
	   }
}

Then I tried it with httpd. Under httpd I tried it with a cgi script. To do this, I activated all the necessary modules in the configuration file, e.g. LoadModule cgid_module modules/mod_cgid.so.
Then I added the following to the configuration:

<Directory "/opt/httpd/cgi-bin">
   AllowOverride None
   Options +ExecCGI
   AddHandler cgi-script .cgi .pl
   Require all granted
</Directory>

I also played around with the attributes in it, added others and removed others. But nothing has worked. When I make a curl request to the script, only the content of the script is returned instead of executing it on the server.
Does anyone have any ideas or have they done something similar before? Any help would be greatly appreciated. Maybe it's easier to do it with a php. But I'm not sure if I would have to modify the dockerfile or just a server config. Let me know if you need more information. I have really tried a lot.
Thank you very much, best regards
Pascal

[Raytonne]

Could you try nginx-quic and curl-quic? If they don't work, could you share the nginx error log?

[Pascal-T-Ripper]

Hello, thank you for your suggestion.
I have tried with the curl dockerfiles. I think I encountered the same problems.
First, I added the following part to the nginx-quic.conf file after building and starting the nginx container under the location / part:

location /upload {
    client_body_max_size 50M;
    root /opt/nginx/html/upload;
    dav_methods POST PUT;
    create_full_path on;
    dav:access user:rw group:rw all:r;
}

I added the upload directory directly in the container because it doesn't work in the Dockerfile. I don't understand why my additional Dockerfile commands don't work either.

Then I executed the curl connection with the following command:
sudo docker run -v test.txt:/home/test.txt --network nginx-test -it openquantumsafe/curl curl -L -X POST -F "file=@/home/test.txt" https://oqs-nginx-quic:4433/upload --insecure.

Unfortunately, I get a 403 HTTP code from the server. I can see the following in the server log:
2024/10/26 20:01:53 [error] 160#0: *24 directory index of "/opt/nginx/html/upload" is forbidden, client: 172.19.0.3, server: , request: "POST /upload/ HTTP/1.1", host: "oqs-nginx-quic:4433"

I suspect that there is a misconfiguration somewhere. But I don't understand where. I have given the uplads directory 777 permissions to make sure it is not a problem that has arisen for some silly reason like that. If you have any other tips, I would be very grateful. Please let me know if you need any more details about my quic attempt.

[pi-314159]

Try adding autoindex on; to your config.

If that doesn't resolve the issue, consider searching Google for a solution, as this problem isn't linked to our changes to nginx and curl.

PS You should use Dockerfile-QUIC since it has more modules enabled, whereas the original Dockerfile only has the HTTPS module.

[Pascal-T-Ripper]

I added it, but I still get a 403. I also used the QUIC dockerfile, but it didn't help anything. So you think because it's not related to the changes in nginx and curl, the same problem would happen with a ‘normal’ nginx and curl docker installation?

[pi-314159]

Yes

[Pascal-T-Ripper]

Ok, then I guess I'll have to do some general research. Thank you.