Okay, welcome to the deep dive. Today we're unpacking something, well, pretty
specific, based on sources you've shared with us, a tool called Jirafo.
That's right. Yeah, we've looked through the docs and descriptions you sent over.
And our goal today is really to walk you through what Jirafo actually is, its main
features, and, you know, why it might be interesting for you. We're pulling this
straight from the source material.
Exactly. And before we really get into the weeds, just a quick word from Safe
Server. They support digital transformation, and they handle the kind of hosting
that software like Jirafo might need to run smoothly. You can check them out at www.safeserver.de.
Yeah, getting your own infrastructure sorted is well, it's pretty fundamental for
tools like this one. So having that support available is definitely valuable.
Absolutely. So okay, Jirafo, right off the bat, the sources call it a project for
one click file sharing. Let's maybe start there. What does that phrase really
capture?
It really gets to the heart of it. Simplicity. You've got a file, right? You want
to share it, you just upload it to your Jirafo instance, and boom, it gives you a
unique link. Just for that file. That's the one click idea. It's meant to be a
really straightforward way to get a shareable link.
Simple and direct. Yeah. Okay. And looking at the history, you mentioned it's built
on something else. A fork, you said? Yeah, exactly. The sources point out it's a
fork of an older project called Jirafi. It started from their version 0.5. Okay.
And forking. Well, it just means taking the code from one project and starting a
new separate one. The docs are pretty open about why they did it too. Apparently,
the original Jirafi seemed, well, inactive. And the Jirafo folks wanted to build on
that stable base, but actually, you know,
add new stuff, improve security, actively develop it.
Gotcha. So picking up a good idea and just kind of running with it and that new
direction seems to have a philosophy behind it. Kiss. Keep it simple, stupid.
How does that actually show up in Jirafo?
Well, they mentioned it explicitly. Yeah. It's a design principle.
The developers are really focused on that main job, simple file sharing.
The sources even stress that Jirafo is designed not to become some big complex
file manager, right? No extra bells and whistles beyond sharing.
It's meant to stay lean, focused.
And that focus, that simplicity seems connected to a pretty big technical
detail. No database needed, just basic PHP.
Why is that such a big deal?
Well, in the world of web apps, needing a database like MySQL or, you know,
PostgreSQL, it just adds another layer you have to manage.
Right. Set up maintenance.
Exactly. Setting it up, managing it, maybe tuning it. By only needing basic PHP,
Girofo really lowers the bar for installation and upkeep.
If your server runs PHP, you can probably get this going pretty easily.
No whole database system to worry about. If it's right in with that,
keep it simple thing.
Okay. So simple idea, simple tech.
But then you look at the features list in the sources and actually there's quite
a bit it can do. It seems like it adds power without maybe breaking that
simplicity rule. Let's dig into some of those. First off, control over the links.
Yeah. This is pretty key for the user. When you upload a file,
you don't just get the download link.
You also get a separate unique delete link just for that upload. Oh,
so you, the user,
you have the power right away to just remove your file whenever you want.
No need to ask an admin.
It feels important. Yeah. Putting the control right back in your hands.
The sources also mentioned it handles large files pretty well.
Something about the HTML five file API, right?
The HTML file API lets modern browsers do some file processing locally,
like before sending the data.
This can kind of get around some older limits on upload size.
You might hit with PHP settings. So yeah,
you can potentially upload much bigger files than you could with simpler,
older scripts. It's a modern touch supporting that core function.
Good to know if you're sharing like videos or big data sets and while it's
uploading, you actually know what's going on.
Yeah. The interface is designed to give you feedback.
It shows you the progress, you know, upload speed, percentage done,
estimated time left keeps you in the loop. Nice.
User experience matters and it can even preview files sometimes. Yes.
If your browser can handle the file type directly, think images,
plain text, maybe PDFs,
GFO can show you a preview save you a download sometimes just to check.
Handy. Okay. Let's talk security and privacy features.
The sources list a few options here that seem to go beyond just basic
sharing. Yeah. There are several layers you can add optionally.
You can password protect the upload page itself. Okay.
So only certain people can upload. Right. And then for individual files,
you can password protect the download link too.
Plus you can set expiration times.
So the link just stops working after say a day or a week, whatever you choose.
Okay. Passwords, time limits, pretty standard.
But then there's that other one,
the one that sounds like something from a spy movie,
the self-destruct option. Yeah, that's pretty cool.
You can set up an upload so that the file and its link are just automatically
wiped out the very first time someone downloads it. Wow.
Perfect for sending something really sensitive that should only be seen once.
Very neat. And the links themselves, they're shortened somehow. Yeah.
They use base 64 encoding. It just makes those unique URLs more compact. Okay.
What about customizing things like,
can you set size limits or change how it looks? Oh yeah, absolutely.
While it can handle large files, you can still set a maximum upload size.
If you need to, you know, enforce limits on your server and language support
looks pretty good too. The sources list flags for a English, French,
German, Italian, Chinese, Russian, Spanish, Turkish,
quite a few. Good range. Plus you can apply different visual themes. Okay.
And beyond what the user sees their admin tools mentioned. Yep.
There's a small admin interface,
usually an admin dot PHP lets you manage uploads across the whole setup. Right.
And for automation, there's a command line script.
You can use it with cron jobs like admin dot PHP,
clean expired or clean a sync to automatically get rid of files that have
passed their expiry date. Keeps things tidy. Makes sense.
There's also a basic API script dot PHP,
even a bash script if you want to upload from the command line.
And you can easily tweak the terms of service page just by editing a text file.
Okay. Admin controls automation. That makes sense.
But here's why I thought it got really interesting.
Maybe even a bit surprising for a tool calling itself simple.
File level deduplication. How does that work? Why is it even there?
Yeah, this is pretty clever.
It's all about efficiency for whoever's running the server.
If different people upload the exact same file, I mean, identical,
down to the last byte GERFO is smart enough to notice,
instead of storing say five copies of the same PDF on the disk,
it stores it only once. Wait, really? So five different uploads, same file,
just one copy on the server's disk. Exactly.
And it tracks this with a little counter for that single stored file.
Every time someone uploads an identical copy, the counter goes up by one.
When a user clicks their unique delete link, the counter goes down, right?
The counter decrements and the actual file data on the disk.
It only gets deleted when that counter hits zero,
meaning no links point to it anymore. Wow.
That's incredibly efficient for storage space,
especially if people are sharing like the same company logo or a common
document over and over for sure.
And it makes that distinction in the admin panel clearer.
The difference between delete link and delete file and links. Right.
Explain that. Well,
delete link is what the user does with their link. It just removes their access,
lowers the counter by one. If other links still point to it, the file stays,
but delete file and links. That's an admin action.
It news all the links for that file forces the counter to zero and deletes the
file itself. Doesn't matter who uploaded the original copies.
Fascinating. A really smart feature.
Balancing that user simplicity with server-side smarts. Okay.
Let's shift to another powerful and maybe equally surprising feature,
optional server-side encryption. How does that fit in?
So this is a big privacy feature you can turn on. When it's active,
the files you upload get encrypted on the server after they arrive.
But this is the crucial part. The key needed to decrypt the file.
It's not stored on the server with the file. Okay.
If the key isn't on the server, where is it?
The key gets generated, sent back to you, the user,
and it's actually embedded right into the download URL, the one you share. Ah,
so the link isn't just the location, it is the key, basically,
the secrets in the URL.
Precisely. And the cool thing here is what this protects against.
Imagine the server itself gets hacked, right?
An attacker gets access to the storage. It just find a bunch of encrypted data.
Without those unique decryption keys, which are only in the user shared URLs,
they can't actually read the files.
That's a pretty strong guarantee against server breaches then,
but the sources also flag some downsides, right?
Enabling this has trade-offs.
Definitely. There are several listed. First,
encrypting and decrypting takes server CPU power,
so it can slow down uploads and downloads.
It also needs a specific PHP module, mcrypt, to be installed on the server.
And importantly, it breaks that file deduplication feature we just talked about.
Oh, why?
Because if you encrypt the same file twice, even with the same content,
the encrypted output will look totally different.
So the system can't tell they were originally the same file.
Gotcha. Can't duplicate encrypted blobs.
Yeah. Right.
The source has also warned that your server shouldn't be logging full client
requests because that URL with the decryption key could end up in your server
logs in plain text. Big security risk there.
Thanks. Okay.
And finally using this really, really requires HTTPS.
You need that secure connection to make sure the URL with the key inside it
isn't intercepted between the server and the user's browser.
Okay. Lots to way up there.
Privacy versus performance and losing deduplication.
It sounds like future plans might include client side encryption though.
Yeah. The sources mentioned that as a possibility encrypting in the browser
before it even hits the server. That's a whole different approach, but yeah,
noted as may becoming leader.
Okay. Let's talk actually getting this thing running installation and crucially
keeping it secure once it is running. What are the basics needed?
Core requirement, PHP version 5.6 or higher. And like we said,
no database, no mail server needed. Big plus for simplicity.
Using Git is optional, but they recommend it for easier updates.
Setup can be done either through a web wizard or on the command line and
configuration mostly happens in one file libconfig.local.php.
Okay. Seems straightforward enough,
but once it's running and people start uploading files,
how do you make sure those files are actually safe?
Not just sitting there for anyone to grab.
Yeah, this is super important and the sources are very clear.
The main thing you need to protect is the VAR directory.
That's where the files and linked data actually live.
Jirifo gives it a random name, but that's not enough on its own.
So the web server shouldn't just be allowed to serve files directly from that
folder. Exactly.
The sources recommend configuring your web server like Apache or Nginx to
specifically deny anyone direct access to that VAR folder or anything starting
like VAR. They even give examples using .htaccess for Apache or location rules
for Nginx. So you're basically telling the web server,
Hey, if anyone tries to look inside this specific folder pattern, block them.
Pretty much. Or even better,
they strongly suggest configuring Girifo to store the VAR folder completely
outside the web server's main directory.
Ah, outside the document route.
Yeah. That way the web server physically can't serve anything from it.
Direct web access becomes impossible. They mention other things too,
like disabling directory listing, but those are less robust.
Makes sense. Beyond protecting the data folder,
any other basic security advice from the sources?
Yep. Removing unnecessary write permissions after setup is mentioned.
You only really need write access for that VAR directory day-to-day.
And the big one, fundamental for any web service really, use HTTPS.
Always HTTPS. Always.
Encrypts the connection, protects logins, protects those download URLs,
especially if they contain encryption keys, it's essential.
Solid advice.
Okay, let's just briefly touch on the project itself.
The license, contributing, and just loop back on why they forked it.
Sure. It's under the AGPL 3.0 license. Open source.
One key thing the sources note about AGPL is if you modify the code
and run it as a public service, you generally have to provide a link
back to your modified source code, maybe on your Terms of Service page
or somewhere similar. Keeps things open.
Right. Standard for AGPL.
And if people want to contribute or report bugs.
The sources point to GitLab. That's where the code lives.
They have contribution guidelines there.
For translations, they use a platform called WebLate.
And bugs, standard process, open an issue on their GitLab tracker.
Okay. And that fork decision, just to remind us.
Yeah. The reason given in the sources was simple.
The original Jirafer project just seemed inactive.
The Jirafer team wanted to actively maintain it, add features, fix security issues,
starting from that stable Jirafer 4.5 baseline.
Makes sense.
Okay. We've covered its simple core.
The surprisingly deep features like deduplication and encryption,
how to install and secure it, the project background.
So pulling all this info from the sources together,
what's the takeaway for you, our listener?
Well, based on everything in the sources,
Jirafer seems to fill a really specific and I think pretty compelling niche.
If you want self-hosted file sharing like you control it on your server,
not relying on big cloud companies, this looks like a really interesting balance.
It's designed to be simple upfront, especially with that no database requirement.
But then it offers these quite sophisticated features underneath,
like deduplication for efficiency and that optional server-side encryption for
privacy.
You get really fine-grained control over who gets the link and how long it lasts.
Yeah, it's clearly not trying to be Dropbox or Google Drive,
but for that specific job of generating and managing share links, it offers a lot
of control.
Exactly. It prioritizes your control, your privacy options, server efficiency for
that task,
assuming, of course, you're okay with the responsibility of running and securing it
yourself.
Which kind of leaves us with a final thought for you to chew on, maybe, after
listening to this.
In an age where, let's face it, handing our data over to huge, convenient cloud
platforms,
it's just normal. What's the real value of a tool like Girofo? One that basically
says,
no, you take control, you manage it, you prioritize privacy and efficiency,
even if it means a bit more work.
It really throws that whole trade-off between convenience and maybe digital
autonomy into sharp focus, doesn't it?
It really does. And if you're thinking about that path, about digital autonomy and
self-hosting,
remember how important solid infrastructure is. Safe Server supports digital
transformation.
They offer hosting solutions that could be part of that picture.
You can find out more at www.safeserver.de.
Yeah, the foundation matters.
It absolutely does. Well, thank you for joining us for this deep dive into Girofo,
what this tool is
what this tool is