Fyuhls - Run Your Own File Host For Your Downloads And Stop Getting Scammed....

Jesse

Important: fyuhls is still a pre-release. You should expect errors, rough edges, and incomplete behavior. It is not intended to be treated as a fully polished or fully functional production website at this time. I cannot test everything on my own, so I appreciate any help.

If you find bugs or broken flows, please send them through the built-in Bug Report area using the sanitized error log export so the issue can be reviewed safely and reproduced faster. You can also e-mail logs to fyuhls.script@gmail.com and I will support as best I can when available. Keep in mind, this is a passion project, not a full-time job.

GitHub: https://github.com/softerfish/fyuhls
Main Page: https://fyuhls.com (demo here)
Wiki Pages: https://github.com/softerfish/fyuhls/wiki
Cost: Whatever you feel is fair. Buy Me a Coffee is linked in the admin area on your install and on GitHub.

Everyone is welcome to download the script and play around with it. It's still not tested under heavy use, so beware. Please send me all errors you encounter. I've built in a one-click updater for when I release new versions. I wouldn't get too deep yet unless you are decent with coding.

Storage backends
  • Cloudflare R2
  • Backblaze B2
  • Wasabi
  • Generic S3-compatible

Rewards and Payouts

Run pay-per-download or pay-per-sale style models with withdrawal methods, fraud controls, and payout review tools built into the script.

High-Performance Delivery

Serve downloads through PHP or optimized server-assisted handoff paths with Nginx, Apache, and LiteSpeed delivery modes available in the admin surface.

Rewards Fraud Review

Hold earnings, score suspicious traffic, inspect network and uploader risk signals, and manually clear, hold, or reverse questionable reward activity from a dedicated fraud console.

Admin Infrastructure

Manage packages, users, files, live downloads, withdrawals, plugins, system status, cron behavior, and support exports from one admin area.

User and Package Control

Create packages with upload limits, storage limits, remote upload access, download controls, and plan-specific behavior.

Public API and Tokens

Expose account-bound API access with personal tokens, managed upload shortcuts, multipart session control, owner-scoped file metadata, and application-signed download links.

Security Controls

Use login protection, optional 2FA, abuse reporting, proxy and VPN screening, encrypted sensitive data, and server-side validation across key flows.

SEO Command Center

Control titles, descriptions, canonicals, sitemap rules, robots.txt, structured data, file-page templates, and verification tokens from a dedicated SEO area in the admin hub.

Install and Support Tools

The script includes a web installer, a post-install check page, support bundle export, and a documentation section for setup and admin workflows.

And more are listed at https://fyuhls.com
 
8 comments
I have checked out the demo & code. This looks like a professionally coded MVC script. It looks like it's in advanced stages of polishing and ready to be in production. Every feature I could think of is already included & the plugin system could expand it for custom needs.
I will install the script later on & check out how it manages uploading using buckets and logging.
 
Awesome, thanks. Let me know how it goes. B2 has been tested quite a bit. R2 and Wasabi have only been tested a bit.
Post automatically merged:

Hey everyone. I'd like to thank everyone for all the emails with questions and issues. I was able to make a big update over the past week which you will see below.

I have yet to have anyone use nginx or rewards testing. If you're reading this and would like to, shoot me a PM or email and I will work with you directly on this including but not limited to getting bugfixes on the spot without having to wait for public releases.

Please play around with the script and tell your friends.

## v0.1.1

### Security
- Restricted the API download-link endpoint so it no longer issues signed public download URLs outside the normal protected browser flow. The route now requires authenticated `files.read` access and is limited to the file owner or an admin.
- Removed the public `/test` debug route from the production app surface.
- Hardened installer and post-install behavior so configured sites do not keep exposing useful installation state to normal visitors, and replaced raw setup error reflection with safer generic messages while keeping details in server logs.
- Switched CSRF verification to a session-authoritative flow instead of trusting the readable cookie token as the primary source of truth.
- Replaced deterministic AES IV generation with a fresh random IV for each encryption call so repeated encrypted values no longer produce identical ciphertext in the database.
- Tightened CSP with nonce-based inline handling, stronger default browser protections, and removal of inline event/style allowances across the live app and setup pages.
- Added proxy-aware HTTPS and secure-cookie handling so direct-server and Cloudflare-style deployments apply transport security consistently.
- Tightened trusted proxy handling so forwarded IP headers are not accepted from broad private-network ranges by default.
- Hardened plugin path and ZIP extraction handling to better prevent unsafe extraction targets and deletion outside the intended plugin area.
- Improved upload and media-processing safety by handling temp-file failures, malformed image thumbnail inputs, and ffmpeg path execution more defensively.

### Storage and Setup
- Improved the storage server add and edit pages with clearer setup guidance for keys, endpoints, regions, and bucket CORS.
- Added Wasabi bucket loading and Fyuhls CORS automation directly to the storage server forms.
- Updated Wasabi CORS automation so it preserves existing non-Fyuhls bucket rules instead of overwriting the full bucket policy.

### Frontend and CSP Cleanup
- Removed inline event handlers and source-level inline `style` attributes across the app so the stricter CSP rollout could be applied safely.

### Download Page UX
- Download limit responses now render in the normal website layout with the download-page styling and ad placements instead of plain text error pages.
- Public download pages now include click-to-copy share fields above the abuse section, with page, HTML, forum, and image embed code formats where applicable.
- Daily download limit pages now distinguish between users who have already used their daily allowance and files that are too large to fit within the package's total daily bandwidth limit.
- Dashboard-style account sidebars now show the remaining daily download allowance, including `Unlimited` for packages without a daily bandwidth cap.
- Referral link displays now consistently use the non-guessable public user ID instead of falling back to numeric account IDs, and the rewards payout toolbar layout was tightened so the action button fits cleanly.
- Storage migration batches now remember the previously selected source server, destination server, and batch limit between clicks so large moves can be processed in repeated batches without re-entering the form each time.
- The admin stored-files view now distinguishes unique stored objects from deduplicated logical file entries, with a quick summary count and per-file duplicate badges based on shared storage references.

### Upload Experience
- Improved upload session error responses so users now see clear package-limit, quota, and storage-capacity messages instead of only a generic upload failure.
- Replaced generic browser alert popups during upload failures with on-screen file manager notices so errors feel cleaner and less disruptive.
- Upload errors now feel much cleaner overall: users stay on the page, see the real reason, and do not get hit with the old generic browser popups anymore.
- Blocked file types are now rejected during multipart session creation, so disallowed uploads show the real file-type error instead of a misleading storage or CORS failure.
- Updated CSP so direct multipart uploads to configured storage providers are allowed by the browser, and improved the fallback network error text so CSP-related upload blocks are not misreported as only bucket CORS issues.
- Fixed the public download countdown so it becomes visible correctly after captcha verification instead of staying hidden while the timer runs.
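
Added example, not part of the original post and not fyuhls code: the v0.1.1 Security item about replacing deterministic AES IV generation, shown as a before/after pair. The cipher mode (`aes-256-cbc`), the function names, the key and the sample value are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

const CIPHER = 'aes-256-cbc'; // assumed mode; the changelog only says "AES"

// Before: the IV is derived from the key, so it is identical on every call.
function encryptFixedIv(string $plain, string $key): string
{
    $iv = substr(hash('sha256', $key, true), 0, openssl_cipher_iv_length(CIPHER));
    return base64_encode($iv . openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv));
}

// After: a fresh random IV per call, stored in front of the ciphertext.
function encryptRandomIv(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $ct);
}

// Reads either format, because the IV always travels with the ciphertext.
function decryptValue(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv = substr($raw, 0, $ivLen);
    $plain = openssl_decrypt(substr($raw, $ivLen), CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

$key = random_bytes(32);            // constructed key for the demo
$value = 'payout@example.test';     // constructed sample of a sensitive column value

// Two encryptions of the same value: equal rows leak equality only in the fixed-IV scheme.
var_dump(encryptFixedIv($value, $key) === encryptFixedIv($value, $key));
var_dump(encryptRandomIv($value, $key) === encryptRandomIv($value, $key));
var_dump(decryptValue(encryptRandomIv($value, $key), $key) === $value);
```

A random IV hides repeated values but does not detect tampering; CBC output still needs a MAC over IV and ciphertext, or an AEAD mode such as AES-GCM.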
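
Added example, not part of the original post and not fyuhls code: the v0.1.1 Security item about trusted proxy handling, as a resolver that reads `X-Forwarded-For` only when the connecting peer is on an explicit proxy allowlist. `ipInCidr`, `clientIp`, the allowlist entries and the request arrays are hypothetical names and constructed values.

```php
<?php
declare(strict_types=1);

// True when $ip is inside $cidr (IPv4 or IPv6); a bare address is an exact match.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $len] = array_pad(explode('/', $cidr, 2), 2, null);
    if (!filter_var($ip, FILTER_VALIDATE_IP) || !filter_var($net, FILTER_VALIDATE_IP)) {
        return false;
    }
    $a = inet_pton($ip);
    $b = inet_pton($net);
    $bits = $len === null ? strlen($b) * 8 : (ctype_digit($len) ? (int) $len : -1);
    if (strlen($a) !== strlen($b) || $bits < 0 || $bits > strlen($b) * 8) {
        return false;
    }
    $full = intdiv($bits, 8);
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF;
    return strncmp($a, $b, $full) === 0
        && ($bits % 8 === 0 || (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask));
}

// Hypothetical helper: X-Forwarded-For counts only when the TCP peer is an allowlisted proxy.
function clientIp(array $server, array $proxies): string
{
    $trusted = static fn (string $ip): bool =>
        (bool) array_filter($proxies, static fn ($cidr) => ipInCidr($ip, $cidr));
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !$trusted($peer)) {
        return $peer; // header absent, or sent by a peer we do not trust: ignore it
    }
    // Walk right to left: the first hop that is not one of our proxies is the client.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            return $peer; // malformed chain: fall back to the peer address
        }
        if (!$trusted($hop)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests using documentation address ranges.
$internal = ['REMOTE_ADDR' => '10.9.8.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
$proxied = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 198.51.100.23'];
echo clientIp($internal, ['10.0.0.0/8']), "\n";       // broad private range on the allowlist
echo clientIp($internal, ['203.0.113.10/32']), "\n";  // explicit proxy allowlist, peer not on it
echo clientIp($proxied, ['203.0.113.10/32']), "\n";   // request arriving through the listed proxy
```

With the broad range, any host on the private network can choose the address that rate limits, fraud scoring and logs will see; with the explicit allowlist the header from that host is ignored and the peer address is used.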
 