owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

Add "OCIS_LOCAL_URL" for accessing ocis locally #8531

Open the-hotmann opened 4 months ago

the-hotmann commented 4 months ago

Nice - finally a Cloud based on GoLang :)

Just tested it. Found some things that have been inconvenient:

I run ocis at home and make it public through Cloudflare Tunnel. It works surprisingly well, but some things caught my attention after some more in-depth testing.

  1. Having set the OCIS_URL to https://my.domain.tld, I noticed that it is not possible for me to log in locally through my local IP (which is direct, faster and does not require internet). I think there should be the possibility to set OCIS_LOCAL_URL, which allows local access to this URL. Also, the Windows App shall know the local URL and the public URL and always first try to reach the server through the local URL (if the fingerprint of the server matches -> login).

  2. Upload sometimes weird: Since I use Cloudflare as a proxy and Cloudflare Tunnel, there are some limitations that come with it. Files shall be uploaded in chunks. AFAIK ocis currently does not do this. Uploading in chunks brings these benefits:
     2.1. no proxy-timeouts
     2.2. easier resume on error
     2.3. not running into upload-limit-size errors

To solve this, I guess it shall be possible to set these general settings:

  1. LIMIT_UPLOAD_CHUNK_SIZE
  2. LIMIT_PROXY_TIMEOUT

Maybe they shall be named differently - but the general idea behind this would be the same. These limits shall just apply to the public URL - not the local one.

I am, ofc, open for discussion on this :)

tl;dr:

WISHLIST:

| ENVIRONMENT VARIABLE | DEFAULT | TYPE | UNIT |
| --- | --- | --- | --- |
| `OCIS_LOCAL_URL` \* | `""` | string / url.URL | - |
| `LIMIT_UPLOAD_CHUNK_SIZE` | `0` | int | mb / Megabytes |
| `LIMIT_PROXY_TIMEOUT` | `0` | int | s / seconds |

\*: access to `OCIS_LOCAL_URL` is limited to **Class A**, **Class B** and **Class C** private IP ranges.

micbar commented 2 weeks ago

> Upload sometimes weird: Since I use Cloudflare as a proxy and Cloudflare Tunnel, there are some limitations that come with it. Files shall be uploaded in chunks. AFAIK ocis currently does not do this. Uploading in chunks brings these benefits: 2.1. no proxy-timeouts 2.2. easier resume on error 2.3. not running into upload-limit-size errors

That is already possible. We are using TUS and the chunk size can be configured via

`FRONTEND_UPLOAD_MAX_CHUNK_SIZE` int default: 10000000 "Sets the max chunk sizes in bytes for uploads via the clients."

micbar commented 2 weeks ago

TUS is capable of resuming uploads.

micbar commented 2 weeks ago

> Having set the OCIS_URL to https://my.domain.tld, I noticed that it is not possible for me to log in locally through my local IP (which is direct, faster and does not require internet). I think there should be the possibility to set OCIS_LOCAL_URL, which allows local access to this URL. Also, the Windows App shall know the local URL and the public URL and always first try to reach the server through the local URL (if the fingerprint of the server matches -> login).

I must admit that this could be a use case. But from my POV, adding such a feature would not fit into the goal of ocis to be "secure by default". We always want an FQDN and a valid SSL cert, so bypassing this locally weakens the security from my POV.

the-hotmann commented 2 weeks ago

It weakens security in a local environment. However, this does not necessarily have to be the case since an invalid SSL certificate is technically neither less nor more secure than a valid one. The technical encryption is still provided.

For instance, if I resolve cloud.localhost to the OCIS instance in my home LAN and use a self-signed SSL certificate, the same level of security is maintained. This setup has the added benefit of keeping the traffic within the local network, making it even more secure since no one outside can intercept the local traffic.