tdlib / telegram-bot-api

Telegram Bot API server
https://core.telegram.org/bots
Boost Software License 1.0

get 404 error on download file! #594

Open mostafa-norouzi opened 3 weeks ago

mostafa-norouzi commented 3 weeks ago

Hi

I send a request for [file_path] based on file id and result is something like this : /root/telegram-bot-api/[token]/documents/file_1.exe

But when send the second request to fetch it: http://x.x.x.x:8081/file/bot[token]/root/telegram-bot-api/[token]/documents/file_1.exe

404 error returns : {"ok":false,"error_code":404,"description":"Not Found"}

The strange thing is the file exists in /root/telegram-bot-api/[token]/documents/file_1.exe on my server! So what is the reason? Can be a permission issue or some extra setting needed for local server? (The server is up with --local switch )

levlam commented 3 weeks ago

When you run Bot API server locally, files are available by full path on the local disk, so there is no reason to download them again over HTTP. If you need to access the files from a different server, then you need an HTTPS-reverse proxy, which will be responsible for encryption and can serve local files from disk.

mostafa-norouzi commented 3 weeks ago

The requests are sending from bot server to api server! They are on two different servers. So I'm a little confused, you mean the API server cannot send files? Even if they were on the same server, the bot surely cannot access the root to get files.

levlam commented 3 weeks ago

> The requests are sending from bot server to api server!

Do you send HTTP requests between different servers? This is already a very bad idea. You need an HTTPS-reverse proxy on the server with Bot API and then the reverse proxy can serve the files from disk.

> Even if they were in same server, the bot surely can not access to the root to get files.

It is also a very bad idea to allow the Bot API server to access /root, given it can work from a regular user.

The common setup is to run Bot API server and HTTPS proxy server under different non-root users from the same group, so the HTTPS server can access files created by the Bot API server.

mostafa-norouzi commented 3 weeks ago

Ok, I did setup reverse proxy and now requests are sending through SSL protocol, also API is running on a non-root user. So guess new pattern should be like :

https://sample.com/file/bot[token]/home/[non-root-user]/telegram-bot-api/[token]/documents/file_1.exe

But still 404 error returns! Is it normal?

I also thought about getting the file through an HTTPS request (like direct access to the file), but because of the reverse proxy, my requests will be redirected to the Telegram API and not the default HTTP web server :|

I should mention: in the new reverse proxy mode, uploading a file with size about 100 MB to the Telegram server has been very slow and got error 503 at last (small files don't have a problem), whereas in HTTP IP mode there was no problem!

levlam commented 3 weeks ago

Yes, it can work like this, but you need to set up the reverse proxy to serve paths starting with "/file" from local disk by taking the path to the file from the rest of the URL.

The HTTPS server shouldn't affect upload/download speed significantly. The situation described isn't normal.
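
An added example (not code from this thread or from the telegram-bot-api project) of the URL-to-disk mapping described above, written in Python rather than as proxy configuration: the path is taken from the rest of the URL, but only files under the token's own directory are served, and a missing group-read bit yields 403. The token pattern, `work_dir` and the function name are assumptions.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Assumed token shape "<digits>:<letters, digits, _ or ->"; adjust if yours differs.
URL_RE = re.compile(r"^/file/bot(?P<token>[0-9]+:[A-Za-z0-9_-]+)(?P<path>/.+)$")


def resolve_file_url(url_path: str, work_dir: str) -> Tuple[int, Optional[Path]]:
    """Map /file/bot<token>/<absolute file_path> to (HTTP status, file on disk)."""
    m = URL_RE.match(url_path)
    if m is None:
        return 404, None
    # A token may only reach files below its own directory: <work_dir>/<token>/
    bot_root = (Path(work_dir) / m["token"]).resolve()
    candidate = Path(m["path"]).resolve()  # collapses ".." and follows symlinks
    if not candidate.is_relative_to(bot_root) or not candidate.is_file():
        return 404, None
    # The proxy user reads via the shared group, so 0640 works and 0600 does not.
    if not candidate.stat().st_mode & stat.S_IRGRP:
        return 403, None
    return 200, candidate


if __name__ == "__main__":
    token = "123456:CONSTRUCTED-sample_token"  # constructed, not a real token
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp).resolve()
        doc = work / token / "documents" / "file_1.exe"
        doc.parent.mkdir(parents=True)
        doc.write_bytes(b"sample")
        os.chmod(doc, 0o640)
        (work / "other.txt").write_text("outside the bot directory")
        for path in (str(doc), f"{doc.parent}/../../other.txt", "/etc/passwd"):
            print(resolve_file_url(f"/file/bot{token}{path}", str(work)))
```
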

mostafa-norouzi commented 3 weeks ago

Thank you for your guidance.

I changed the reverse proxy rules and now the URL of files are valid. The amazing point is API writes the files in this folder with permission 0640 (not public) and the link is not accessible from public (and the bot server sees 403 error) !!! I also checked the API switches and there is no config to change it. Now I don't know what was the benefits of all this path.

Anyway, I put a script in this folder that has access to the files, and now the bot sends requests to the script, not the direct file.

And the last strange thing is for the upload to the telegram server, if I hit the API by IP there is no problem but if use domain (reverse proxy) I get 503 error.

levlam commented 3 weeks ago

The HTTPS server has to be run under user from the same group as the user that is used for the Bot API server to allow the HTTPS server read access to files created by the Bot API server.

mostafa-norouzi commented 3 weeks ago

Yes, currently I started the API server with the non-root user and this user has full access to the folder and files. The problem is the [remote server] that host the bot, needs to access the files through direct link and obviously it should be public! How two different servers can be in same group!?

Just the same as the Telegram bot server! If you open the URL [api.telegram.org/file/...] in a browser, the download would start. So this proves the files have permission 644 or higher, whereas my local server sets file permissions to 640. Anyway, as I said before, I bypassed this issue with a script and there is no problem anymore.

Did I miss something?

levlam commented 3 weeks ago

The link should contain the bot's token (or other secret), so no one except the bot knows the URL to access the files.

At api.telegram.org exactly the same Bot API server is used, and all files have 0640 permissions. The files are served by an HTTPS server from the same group, which can read them. But your approach with a script also should be fine.