-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Nginx .well-known redirects #6221
Conversation
Two more questions: Line 333 - 335:
This is inside the
|
cc @josh4trunks |
I think this is a good idea and should work as expected. But I don't currently have time/brain power to test myself (got a newborn and crazy 2 year old at home), so if someone else could test that would be appreciated. Also CC'ing @jivanpal since I know he started the major effort in aligning with |
I'll try to take a look at this by the weekend, but things are hectic here, too, so it might take longer. |
Apologies for the delay in looking at this. Your changes to the
I can't commit these changes here as I don't have permissions to write to any branch on this repo, so here's a patch file you can download; please use
That's correct.
No; longest match is applied on a per-matching-type basis, with order of preference for the matching types being:
Thus, for example, we can have a short regex rule that takes precedence over a longer regular prefix rule. See Nginx's algorithm for full details. The purpose of the encapsulating Is the request for:
Step (6) above is what the nested
The goal is to have consistent behaviour regardless of what web server is being used, so the approach I took in #2197 in rewriting the Nginx configs was to simply replicate Apache's behaviour, which I tried to do by replicating the |
Follow the .htaccess and exclude .well-known redirects for ACME challenges and PKI validation, which are not handled by Nextcloud. Preserve the query string when redirecting .well-known URIs. Signed-off-by: MichaIng <micha@dietpi.com>
8419da9
to
a48ada9
Compare
Looks good, I removed trailing white spaces from the files but applied it otherwise without changes.
Yes I got that. This was more a general question why cache TTL is not applied to other image assets, but it makes sense to handle this in an own issue/PR that includes changed the |
Sorry, as I said earlier in this thread, I don't have much time to review. It looks like changes here are minimal and non-controversial, so I trust @jivanpal @MorrisJobke or others to review and approve. |
I don't have review/approval permissions, unfortunately — Paging @ChristophWurst just in case. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Christoph has given me permissions; approving.
+ DietPi-Software | Nextcloud: Add missing pretty URL remote.php redirects from latest official Nextcloud docs update: nextcloud/documentation#6221
Hi, ATM, the latest nginx docs redirect Is there a good reason for the last §? Shouldn't the last
Managing a whitelist of known services in |
Redirecting the list of URLs which are known to be handled correctly by Nextcloud IMO makes much more sense than redirecting everything and leaving it to admins to report one after the other errors to fill a growing list of excludes. But @moviuro |
I think having our example nginx config serve any file from a .well-known folder, that doesn't normally exist in Nextcloud, is making too many assumptions. I think if an admin is able to create the hidden folder, and add the text file, they can also do the "hard work" of editing their Nginx config But I am open to having my mind changed on a seperate PR. Maybe the ideal solution is documentation to create a |
I see it exactly the opposite way 😄: Too many assumptions are made when every .well-known URL is redirected to Nextcloud, considering the large number of possible uses, shown in the Wikipedia article linked above and despite the existence of the file. Creating a hidden directory in Linux is nothing more than a leading dot in its name, and in many cases those are created by other software, which is then broken (like the cases which led to this PR). So I'll always vote for redirecting less (a defined list of URLs) to Nextcloud by default and having additional redirects e.g. commented in the config and/or in the documentation to be enabled only when explicitly required. But I'm developing a distro which explicitly deals with multiple websites/applications served through the same webserver, so naturally not 100% objective in this regards 😉. The |
For additional context please also see nextcloud/server#24702. Nextcloud has an API for apps to hook into well known handling. From a static point of view of this documentation we can't make assumption about what well known services Nextcloud will handle. It will depend on the enabled apps. |
https://nginx.org/en/docs/http/ngx_http_core_module.html#try_files It is possible to use the following. It will try by order of preference 1. try the files on disk at the specified location and 2. if not found, then redirect to Nextcloud.
One-size-fits-all? (Also, what about |
Sure, If an admin wants to serve other files not related to Nextcloud they will need to adapt their Nginx config accordingly. |
Do you really consider it that way? I have a dedicated machine (jail) that is used only for Nextcloud, and I for sure don't expect any interference from Nextcloud when querying |
You are free to use whatever Nginx configuration works for your setup. I also run multiple services, in separate jails, all handled my a single Nginx frontend, and in my case I realize need to customize my configuration accordingly. If you really believe this is necessary, we should also make sure the Apache .htaccess configuration also handles .well-known/server.txt correctly since the nginx config should match the Apache behavior. |
I'm all for having a But unless this is a file or URI served by Nextcloud, I do not see why we need our example Nginx config to handle it. |
Probably it's splitting hairs with the words, but that sentence somehow exactly supports our argument: Why should Nextcloud handle a file/URI that it is not able to serve? The change would not add but remove URIs from being handled special (via redirect) with the config. But I understand how you mean it, when seeing the excludes as what is handled. Especially example configs, which are often copy&pasted, are IMO good when they are compatible and not shaped a way as if the own software is the only software/purpose that is ever going to run on that server. Additional optional features are great when offered in a commented way with some explanation. I remember the webfinger rewrite rule from an earlier version of the Nginx example config, where it was commented with some explanation. Now it throws an admin panel warning, when not redirected, regardless whether the admin wants webfinger to work or not, or wants a different handler for it than Nextcloud. Same with nodeinfo, IMO the wrong direction. The question is whether Yes the same is true for
The ACME/PKI excludes are then not required anymore, as those don't match the condition when the file/dir exists, but could still be kept to be failsafe and support parent config rewrite rules or such. The above of course has some performance implication, as additional checks are done, same with the Nginx |
Ok, if Apache handles serving files a certain way, in general we should match the functionality. (unless there is an nginx specific difference/reason not too) So if you are saying Apache handles this like the |
Ah no sorry, I meant it should do also that way, but it does not currently. The two Based on acceptance/result a companion Nginx example config PR can then be opened here. |
Ok, thanks for the explanation, that process makes sense to me. I see the An even cooler solution for security.txt would be if Nextcloud had a settings page similar to the link below, which allowed you to enter relevant details. Then it could generate the needed file, and handle using the new functionality @ChristophWurst mentioned. |
Follow the .htaccess and exclude .well-known redirects for ACME challenges and PKI validation, which are not handled by Nextcloud.
Preserve the query string when redirecting .well-known URIs.
Related to discussion here: #5825 (comment)