pydio-core icon indicating copy to clipboard operation
pydio-core copied to clipboard

Published 20 hours ago verified publisher icon pydio

[NGINX] Sendfile should send URI instead of absolute path

Open josh4trunks opened this issue 11 years ago • 8 comments

https://github.com/pydio/pydio-core/commit/67549c71b8be00c7ef570b6054855a13861d9722

Currently the complete filepath is sent to NGINX. NGINX should instead be sent a URI and resolution of each File System Workspace should be done in the NGINX config. The current method can cause location conflicts and issues if NGINX and PHP-FPM are on different hosts with the data directories mounted in different locations.

See https://github.com/owncloud/core/issues/7754 https://github.com/owncloud/core/pull/7838/files

josh4trunks avatar Mar 22 '14 01:03 josh4trunks

I'll take a look and see if I can reproduce the fix I made on ownCloud. This shouldn't be too hard as the topic is fresh in my mind right now.

EDIT After further inspection I see pydio is sending a URI '/data/X' but it will only work for a single workspace. I'm looking into simplifying the code to take ajxp.fs://REPOID/relative-path and output (/WEBROOT)?/data/REPONAME/relative-path.

josh4trunks avatar Mar 22 '14 01:03 josh4trunks

Mmm, let's digg that one, but it seems quite cryptic to me the fact that SendFile must take an URI. The principle is that by security, any workspace should be out of the WEBROOT, so SendSync will never work for those ones?

cdujeu avatar Mar 24 '14 13:03 cdujeu

NGINX want's a URI per http://wiki.nginx.org/XSendfile.

I don't see the security implication, they are 'internal' locations only accessible by X-Accel-Redirect header pass by the application to the webserver.

josh4trunks avatar Mar 24 '14 15:03 josh4trunks

ok, you are referring to a "virtual" location actually. You were actually using /data/ wich is already a real folder, thus creating a confusion. We should use some /dl/ or /send/ or something else instead. Will have a look at that when I can. -c

cdujeu avatar Mar 24 '14 22:03 cdujeu

I like /data because nginx configs wouldnt need to have alias/root modifications for their MyFiles/commonfiles locations.

is there a reason you don't like using a real folder? it's not accessible by normal requests. BTW the PR I submitted solves this issue, (just in case they weren't linked for some reason).

josh4trunks avatar Mar 24 '14 23:03 josh4trunks

mm, because basically we'd better have people redefine their own workspaces outside of data/

-c

cdujeu avatar Mar 24 '14 23:03 cdujeu

did you see my sample nginx config? you add an additional nested location for each workspace with an alias to the real location.

josh4trunks avatar Mar 24 '14 23:03 josh4trunks

https://github.com/pydio/pydio-core/pull/503#issue-29958168

josh4trunks avatar Mar 24 '14 23:03 josh4trunks