Major update coming *hopefully* within the last week of May bringing major features and bugfixes listed below. I'm about 90% completed with the following list for v1.0.0.
Markdown (GitHub flavored):
## v1.0.0
### Staff Permissions and Moderation Foundation
- Added a staff-capability layer so admins can be restricted by specific permissions instead of the old all-or-nothing role model.
- Added a new `moderator` role for file moderation plus abuse and DMCA handling and self-healed older installs on upgrade by expanding the `users.role` and creating the new `staff_permissions` table automatically.
- Added a protected super-admin model for User Management so the first installed admin is marked as the setup-time super admin, older installs automatically backfill that protection to the earliest admin if none is marked yet, normal admins do not get super-admin edit power by default, and the new `staff.edit_super_admin` capability must be explicitly granted before another staff account can edit, demote, ban, delete, or override 2FA on that protected account.
- Expanded admin activity logging into a broader staff activity tracker with a new `/admin/staff-activity` view, richer metadata support, actor-role tracking, and targeted logging for staff account management, file moderation, and other high-impact staff actions so main admins can see what admins and moderators are doing over time.
- Hardened admin access boundaries across Configuration, Security, Plugins, Site Content, Search, Files, Users, current-download monitoring, and related infrastructure pages so restricted staff can only reach the tools their assigned capabilities allow instead of merely having those links hidden in the sidebar.
- Added first-pass investigation surfaces for uploader and file review, including dedicated `/admin/investigations/uploader/{id}` and `/admin/investigations/file/{id}` pages, direct investigation links from fraud review and admin file moderation, and supporting summaries for reward activity, referrers, countries, top files, and recent staff actions.
- Strengthened the groundwork for upcoming notifications and remote-upload management by bringing the notifications and remote upload queue schemas into the master/self-healing path, adding event-key dedupe and richer metadata to notifications, tracking remote-upload attempts and job timing more cleanly, sending default queued/completed/failed remote-upload notifications with a 30-day-friendly history model, and routing support, abuse, and DMCA staff notifications according to each staff account's assigned capabilities instead of assuming every queue belongs to every admin.
### Security Hardening
- Stopped storing new email verification, password reset, and email-change bearer tokens as raw database values by hashing them at rest while keeping legacy token lookups compatible with links that were already sent before upgrading.
- Brought login-device IP history into the encrypted-at-rest schema path and widened the helper table to encrypted-safe column sizes so new device-login records no longer leave plaintext IPs behind.
- Normalized the credential-specific login rate-limit key so casing or spacing variants of the same email or username do not spread repeated attempts across separate limiter buckets.
- Added dedicated brute-force protection for two-factor verification and recovery-code entry, with safe default limits and adjustable admin controls in Security so second-factor prompts are no longer an unthrottled online guessing surface.
- Continued a broad integrity and abuse-resistance hardening pass across rewards, withdrawals, payments, downloads, uploads, remote uploads, API tokens, sessions, CAPTCHA enforcement, proxy trust, and package policy enforcement so high-risk flows honor admin-configured limits more consistently, fail closed more often when security settings are incomplete, and behave more predictably under concurrency or retry pressure.
### Rewards Fraud Review
- Reworked `/admin/rewards-fraud` into a queue-first moderation workspace for busy sites with pagination, queue filters, bulk review actions, expandable row context, clearer separation between live review work and tuning settings, and safer admin-side username/file-name search that matches decrypted names inside a bounded work slice without adding new searchable plaintext columns to the database.
- Expanded rewards-fraud case review with richer decision context including uploader and file patterns over the last 30 days, linked session proof and network details, repeat-signal counts for recent visitor/browser clusters, downloader-account context, recent reward activity when the live queue is empty, and the last 5 unique referring pages that recently led to rewarded sessions for the file, while self-healing `download_sessions` on upgrade by adding the new referrer columns automatically.
- Added high-volume review controls for busy sites by introducing queue-level safe-vs-fraud summaries, cluster-first review panels for uploaders, files, referrer funnels, and network pockets, trust-tier controls for uploaders, trust-aware risk scoring, and automatic decision lanes that can auto-clear routine low-risk traffic or auto-reverse blocked or hard-fraud traffic while older installs self-heal the new trust-control storage on upgrade.
### Promotions and Bonus Offers
- Added a Bonus Offers system inside Monetization with a dedicated Bonus Offers tab, self-healing offer and award tables, editable milestone / limited-time / referral-style campaigns, custom thresholds and units, timezone-aware schedules, optional weekday windows, audience targeting, public visibility controls, and per-offer notification/email settings instead of hardcoded promo presets.
- Added admin-side review and award handling for promotions so bonus offers can default to pending staff approval, optionally auto-credit for safer campaigns, and write approved or auto-credited awards into the existing rewards ledger as `earnings.type = bonus`, which lets bonus money flow into the same withdrawable balance users already cash out from.
- Added a user-facing `/promotions` page plus conditional Promotions links in the public top navigation and logged-in account sidebar whenever relevant offers are active, and expanded `/rewards` with bonus summary cards, active-promotion visibility, and a bonus history table so users can see pending bonus reviews, credited bonus value, and paid bonus totals alongside their main rewards balance.
- Added email-template support for bonus offer start, earned-pending-review, and credited events so promo messaging can be edited from the Email Templates area instead of being hardcoded into the reward flow.
### Coupons and Premium Checkout
- Added a full premium coupon system with dedicated admin create/edit pages, clearer operator guidance, page-guide and `/admin/docs` coverage, transactional reservation and redemption tracking, and install/upgrade-safe schema support for `coupons`, `coupon_redemptions`, and coupon-aware transaction/subscription history.
- Added premium checkout coupon support for fixed-dollar and percent discounts, optional percent caps, package targeting, start/end windows, new-account and renewal eligibility rules, one-cycle / first-X-cycles / forever duration handling, total and per-user redemption limits, and safe zero-dollar checkout completion without forcing Stripe or PayPal.
- Hardened coupon handling so checkout reserves limited-use coupons atomically, refunded purchases no longer burn campaign stock permanently, one coupon is enforced per order, checkout-start abuse is rate-limited, users cannot hoard live pending coupon reservations, and coupon preview no longer leaks codes into checkout URLs or browser history.
### Storage and Upload Reliability
- Widened `upload_sessions.multipart_upload_id` to `VARCHAR(512)` in the base schema, runtime schema builder, and multipart-upload upgrade self-heal path so longer provider-generated multipart upload IDs from multipart-capable storage backends do not get truncated on fresh installs or upgrades.
- Added an optional `Replace File In Place` upload feature, disabled by default and controlled from `Admin > Configuration > Uploads`, which lets signed-in users upload a new binary behind an existing file record while keeping the same public file URL, handling deduplication safely, and adjusting storage usage by the real size delta instead of treating it like a brand-new file.
- Reworked deduplication into a real on/off storage policy across classic uploads, remote uploads, multipart/API uploads, replace-file, and save-to-account, including safer cross-file-server reuse checks, server-verified chunked-upload hashing when dedup is enabled, per-hash concurrency locks to stop duplicate-object races, fresh-install and upgrade schema fixes for `stored_files` hash indexes, and cleanup of older shortcut paths that could misreport or weaken dedup behavior.fyuhls
High-Performance File Hosting Script for Real Operators
GitHub: https://github.com/softerfish/fyuhls
Live Demo: https://privacyglance.com
Demo Login: tester / tester
Wiki: https://github.com/softerfish/fyuhls/wiki
Price: Pay what you feel is fair
High-Performance File Hosting Script for Real Operators
GitHub: https://github.com/softerfish/fyuhls
Live Demo: https://privacyglance.com
Demo Login: tester / tester
Wiki: https://github.com/softerfish/fyuhls/wiki
Price: Pay what you feel is fair
Launch a real file hosting platform on your own infrastructure
fyuhls is a modern self-hosted file hosting script built for people who want more than a basic upload box. It is designed for operators who need serious control over storage, packages, uploads, downloads, monetization, fraud handling, support workflows, and day-to-day admin operations.
This is not just a front page and an upload form. It is a full platform with:
- multi-server storage support
- direct multipart uploads
- download delivery modes for real traffic
- PPD / PPS / hybrid rewards
- bonus promotions
- fraud review tooling
- package and user controls
- API access
- support and abuse workflows
- operator-focused diagnostics
What makes it stand out
1. Built for growth, not toy installs
- Local storage, Cloudflare R2, Backblaze B2, Wasabi, and generic S3-compatible backends
- Direct-to-storage multipart upload pipeline for large uploads
- Signed download links and multiple delivery strategies for Nginx, Apache, and LiteSpeed
- Scaling guidance built into the admin area
2. Real monetization features included
- Pay Per Download, Pay Per Sale, or hybrid reward models
- Referral commissions
- Withdrawal requests and payout review flow
- Bonus Offers system with milestone, limited-time, and referral-style promotions
- Uploader rewards dashboard with clearer payout readiness and performance breakdowns
3. Fraud and abuse controls are not an afterthought
- Reward fraud review console
- Held / cleared / rejected reward states
- Traffic and reward review tooling
- Proxy / VPN controls
- Rate limits, CSRF protection, and hardened sensitive flows
- Optional 2FA and stronger account security tooling
4. Operators get proper admin tooling
- Config Hub for day-to-day control
- Packages, users, files, withdrawals, current downloads, plugins, SEO, and email templates
- Unified support / contact / abuse / DMCA handling
- System Status, support exports, and admin docs
- Staff permissions and moderation controls
5. API and uploader workflows are already there
- Personal API tokens
- File and folder operations
- Remote upload support
- Bulk link generation
- Uploader stats and payout info
- OpenAPI output
Feature highlights
Storage + Uploads
- Local and object-storage support
- Direct multipart browser uploads
- Resumable upload sessions
- Storage quotas and package-based upload rules
- Optional replace-file-in-place workflow
Downloads + Delivery
- Signed download URLs
- Public file pages
- Nginx handoff, Apache X-SendFile, LiteSpeed support
- CDN/object delivery options
- Link checker and optional copy-to-account flow
Rewards + Promotions
- PPD / PPS / hybrid creator rewards
- Referral system
- Bonus Offers engine
- Payout queue and history
- Fraud review and suspicious-traffic handling
Security + Operations
- Encrypted sensitive data at rest
- Trusted proxy and Cloudflare-aware hardening
- 2FA support
- Session, token, and rate-limit hardening
- Heartbeat maintenance tasks and operational diagnostics
Admin areas included
- Dashboard
- Config Hub
- System Status
- Scaling Guide
- Users
- Packages
- Files
- Withdrawals
- Rewards Fraud
- Support / Contact / Abuse / DMCA queues
- Plugins
- Resources and in-app docs
Requirements
- Linux hosting
- PHP 8.2+
- MySQL 5.7+ or MariaDB 10.3+
- PDO, PDO MySQL, OpenSSL, JSON, cURL, Sockets
- mod_rewrite for Apache-based setups
Who it is for
- blog and forum owners wanting to earn off their files withough being cheated
- file hosting startups
- private or niche file platforms
- operators moving off older scripts
- people who want a customizable self-hosted file business
- admins who need more control than a basic upload manager gives them
Current status
fyuhls is actively developed and improving quickly. The platform already includes a lot of serious functionality, but it is still best approached like a growing modern script rather than a frozen legacy product.
If you want something you can inspect, modify, and actually run yourself without being boxed into somebody else's platform rules, this is built for that.
Links
- GitHub: https://github.com/softerfish/fyuhls
- Demo: https://privacyglance.com
- Wiki: https://github.com/softerfish/fyuhls/wiki
Questions, feedback, and serious operator suggestions are welcome.
Last edited:
