Is it possible to create a nextcloud application that would contain just a standalone .php file that can be directly called from web browser - without any of the standard nextcloud pipeline (calling through index.php/remote.php, including base.php, middlewares, etc.). I am asking this because what I have is mind is performance sensitive and having standard pipeline for every request would not work.
This is not really supported. The biggest issues are:
- How would we know which app to call?
- How is access/authentication checked?
Mind to explain more of your usecase and what you are trying to do?
The point is that access/authentication should not be checked - it should be up to the app developer how he handles security. As for knowing which app to call - my idea was that during app installation a .php file would be placed in folder where it could be called directly from outside so at the execution stage there would be no need to determine which app it belongs to. This would give more power to app developers, but also means more responsibility therefore if such possibility does not exist yet and would be implemented I think such applications should have explicit warning about security concerns.
What am I trying to achieve? Performance. I don’t see great support for https://github.com/nextcloud/server/issues/14131 but I thought that this could be implemented as an independent app given some extensibility points. One would be having “pure entry points” (this one), another would be able to rewrite some URLs so that those entry points can be used by existing apps (to be sketched).
For me that works with performance and security this is pretty much unwanted to have support for in core. The best approach would be more profiling and fixing in core to make everything faster. I do want things faster but not in expense to authentication and security. (This is a strong reason why many chooses nextcloud in the first place)
If you have something where you need performance it is not that hard to write your standalone app and make changes to the web server, so that it is served from the same domain as your nextcloud installation. And from within that call nextcloud to scan a folder for content if something is uploaded or changed. (I do this with an ftp server for photography where the camera uploads directly to the server).
Not sure I understand you regarding performance and security… do you want it in core or not? My approach is that if some of the changes I propose to improve performance cannot be put right away into Nextcloud core then maybe we could meet on some middle ground: put less invasive changes into core and more invasive ones into separate third party application.
I do agree security is important. But you can write an app for nextcloud that has public access. You can write application that steals data from your server. You can write application that overloads your server. So even today you can write insecure application. But you cannot write fast application. And my proposal here is just to give a choice for app developers and users.
I think it would be fair to be very explicit about how such application works (I mean: have a BIG FAT WARNING while installing the application), but still allow it to be installed as nextcloud app. Having to change webserver config might be too much overhead for some users, especially that it is supposed to work explicitly for nextcloud, use upgrade mechanism and be integrated with other apps.
Could you please let me know why you don’t use WebDAV for you photo upload? Is it by any chance performance related? As for profiling: been there, done that. Most of the time is spent on useless over and over again application setup for every request. But that’s not the point - what I am asking here is additional extensibility point. Nothing more.
I do not want an app that has a possible insecure file that doesn’t use the checks for authentication but has its own stuff in it. Consistent behavior. And if one wants it add the special webserver config (if you install nextcloud manually step by step there is a fair amount of hacking in the config files anyway)
For my photo stuff i cant use webdav since the cameras doesn’t support it. So i have to use ftp instead. So not that much performance related. But illustrates that you can with small modifications use external parts to interact with nextcloud.
“I do not want an app that has a possible insecure file” - every app has a possibly insecure file (at least if it is doing anything useful). Period.
You haven’t looked at my PoC under the link I provided above, have you? I do not propose to have application with “own stuff in it” for authentication. I propose to have a proxy.php file that forwards all requests to php application server so that for every request not all setup routines have to be run. Still all nextcloud middlewares, controller and authentication would be from nextcloud codebase - just the setup/registration bloatware would be run once at application server start.
So if people can run custom stuff anyway - why not make it easier for them providing easy update and compatibility benefits?
BTW, how does it work for Nextcloud Talk? Are Websockets used or are we in late 90’s with long polling?
This appears to be the only discussion on this issue - I’ll give a more generic use-case:
I have a new Nextcloud site, which I’d like to register with Sucuri, a third-party auditing and malware detection/removal site. To do that and verify I own the site, Sucuri needs me to place a .php file into my server at the root page.
So right now I can’t sign up for the monitoring. (Without going deeper and giving Sucuri an actual login to my server, which would get them more access.)
I’m sure there are other third-party monitoring sites that work similarly. Yes, I have to trust the site to be good.
For that fix a route in you webserver to handle that specific file. It is not that hard. In nginx you can always do:
location ~ ^/test.php {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
include /etc/nginx/conf.d/php_optimization.conf;
fastcgi_pass php-handler;
fastcgi_param HTTPS on;
}
(adjust to fit your own site)
I would like to place custom php file in different dir than root dir but make it served like it is inside root dir. If it is inside root dir, then updating/upgrading nextcloud is impossible without removing it first. php-fpm is chrooted.
Can you show us apache config in this regard? Or is it possible to make upgrade/update process skip custom php files/directories?
thanks,