nextcloud / mail

💌 Mail app for Nextcloud
https://apps.nextcloud.com/apps/mail
GNU Affero General Public License v3.0

Completely switch off email address avatars to avoid masses of 404 request responses #4995

Open timreeves opened 3 years ago

timreeves commented 3 years ago

Feature Request

I work with Debian, Plesk, Nginx and Fail2Ban. Fail2Ban overloads the server if there is too much writing to access logs happening; it seems to get into a race condition on disk I/O. So I have found a way to configure nginx (under Plesk) such that 2xx and 3xx request responses are not written to the access log. This means that only errors are left in the logs (4xx and 5xx), which is just what I need. It also means that when inspecting the access logs, it is much, much easier to see any problems.

What I have seen with Nextcloud is like this:

/index.php/apps/mail/api/avatars/url/myname%40example.com => 404 not found

I really want to avoid all avoidable 404s, so that I can monitor those which do happen and ban the offending IPs. The only thing within my power would be to match that location in Nginx and return some other code, but it would need to be a 2xx or 3xx for it to be not logged at all - and none of those tell the client that the request failed.

And I'm a bit surprised that it's happening at all, as I have the option for Gravatar and Favicon Icons deselected.

Summary

Please implement an option to suppress looking for email-matching icons. This may be useful in some contexts, but in many they will all fail, e.g. as the emails I receive are all from people not in my private Nextcloud instance. I get a lot of emails from many different addresses, so they all end up as 404s - both from the dashboard and from the main email page. Predictably as 404s - and that's messing up my attempts to ban clients which produce too many 404s - I would have to make an extra set of jails just for Nextcloud, where the 404s are not tested )-:
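Until such an option exists, the 404 noise from the avatar endpoint can be kept out of the ban signal on the log-analysis side. The following is an added example, not code from this issue or from the Nextcloud project: a fail2ban-style counter in Python that reads nginx "combined" log lines, counts 404s per client IP, and ignores the `/index.php/apps/mail/api/avatars/` path quoted above. The log lines, IPs and the `maxretry` threshold are constructed for the demo, and fail2ban's time window (`findtime`) is deliberately left out.

```python
import re
from collections import Counter

# Matches the nginx "combined" log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# 404s under these prefixes are expected application behaviour (the Mail app
# asking for avatars of unknown senders), not a client probing for files.
NOISY_404_PREFIXES = ("/index.php/apps/mail/api/avatars/",)


def count_suspicious_404s(lines):
    """Return a Counter of client IP -> number of 404s outside the noisy prefixes."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        parts = m.group("req").split()          # "GET /path HTTP/1.1"
        path = parts[1] if len(parts) >= 2 else ""
        if path.startswith(NOISY_404_PREFIXES):
            continue                            # avatar lookups: skip, do not count
        counts[m.group("ip")] += 1
    return counts


def ips_to_ban(lines, maxretry=5):
    """IPs whose suspicious 404 count reached maxretry (fail2ban's threshold semantics)."""
    return sorted(ip for ip, n in count_suspicious_404s(lines).items() if n >= maxretry)


def _line(ip, path, status):
    # Constructed log line in nginx "combined" format (placeholder timestamp and agent).
    return (f'{ip} - - [01/Jan/2024:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 153 "-" "Mozilla/5.0"')


# Constructed sample log: a legitimate Mail user whose browser triggers six avatar
# 404s, a client requesting five nonexistent files, and a client with one stray 404.
SAMPLE_LOG = (
    [_line("203.0.113.10", f"/index.php/apps/mail/api/avatars/url/user{i}%40example.com", 404)
     for i in range(6)]
    + [_line("198.51.100.7", f"/nonexistent-{i}.php", 404) for i in range(5)]
    + [_line("192.0.2.25", "/missing.css", 404), _line("192.0.2.25", "/index.php/apps/files/", 200)]
)

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))  # the Mail user is not listed; 198.51.100.7 is
```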

ChristophWurst commented 3 years ago

We can look into this, but it's not a priority.

timreeves commented 3 years ago

Hi Christoph, thanks for your prompt reply. I can halfway understand your sentiment - but let's not forget that Nextcloud is meant to be a very secure app. As server manager it's my responsibility to keep the whole server secure; and one good way to do that is to check access logs for IPs which are generating too many 404s - i.e. fishing around for files which they can exploit. So I would be grateful if this aspect doesn't fall off the end of the list... Tim

timreeves commented 2 years ago

Hi Christoph, I've just implemented my nginx / fail2ban magic on a client server with a large Nextcloud installation - and guess what I'm seeing in the logs - all those 404s. Currently I'm not actually filtering for 404s in terms of fail2ban - there are, in general, still too many, from various sources. But to me the whole question - and I think you're not gonna like this - is based on the design of the mail app as a JS program running in the client's browser. I remember inputting ideas on this topic years ago. So there we are, in the browser, and we need to get... well whatever, e.g. an avatar, from the server. We create a dang load of server requests, mostly to be told 404 - for something that the server could have known at the time the page was generated. I don't know how you pass information between client and server, but would it not be possible to include avatar info in the original data stream from the server? At least "has avatar"? Thanks for your good work - I really know how much work such an app makes! Tim