[Owncloud] urlrouting

Frank Karlitschek frank at owncloud.org
Sun Mar 18 04:48:59 UTC 2012 

On 16.03.2012, at 12:25, Roland van Laar <roland at micite.net> wrote:

> On 03/15/2012 03:44 AM, Frank Karlitschek wrote:
>> On 15.03.2012, at 00:47, Roland van Laar<roland at micite.net>  wrote:
>> 
>>> On 03/14/2012 01:49 PM, Frank Karlitschek wrote:
>>>> On 14.03.2012, at 01:46, Roland van Laar<roland at micite.net>   wrote:
> <snip>
>> If .htaccess files are not possible or a different webservers than apache is used than it´s still safe to use ownCloud if the data directory is located outside the htdocs folder. This is the recommended setup for our IIS, nginx, lighttpd or other webserver users.
>> I agree that we should improve the checks during installation and show a proper security warning to the user if the setup is not secure.
>> 
>> 
>> 
>>>> One of the main design goal of ownCloud is that is should run on as many servers as possible without problems and don´t require manual configuration from the user.
>>> That's a good and noble goal, although the 'run everywhere' matra shouldn't come before basic security
>>> because private files that are accessible for the whole world is a bit of a problem.
>> sure. But it is of course possible to setup ownCloud in a secure way as described above.
> 
> Could you add more about this and security in the documentation, especially on the Linux Server Installation page?

Sure.
The best solution would be, of course, if ownCloud detects automatically that the current configuration is unsecure and refuses to work et all.
An idea is that ownCloud could try to read from the data directory via http and check if the .htaccess blocks access.
ownCloud could also refuse to work if a webserver different that apache is detected and the data directory is inside the document root.



> 
> <snip>
>>>> There are a lot of areas in ownCloud where we need help.
>>>> 
>>>> If you need some inspiration you can have a look at:
>>>> http://owncloud.org/dev/junior-jobs/  or
>>>> http://bugs.owncloud.org/
>>> Well I worked on bug 135 ;-).
>> Hehe. Yes. :-)
>> Not every bug that suggest a big design change is necessary a good idea of course. :-)
>> 
>> 
>>>> It would be awesome if you would help us to improve ownCloud in other areas and become a contributor.
>>> OwnCloud is an interesting project that I would like  to see become more and more useful.
>>> I already contributed some code and documentation :-).
>>> And I would like to contribute more.
>>> 
>>> However I would like to see (a bit) more action by the current maintainer/committers.
>>> I made a merge request [4] and there hasn't been any action on it.
>>> I also wrote and email about security [2] for the installation page [9]
>>> because the default install on ubuntu is wide open and I haven't seen that being picked up.
>> You are right of course. Sorry for the late reply.
>> I promisse to be more responsive in the future. :-)
> Thnx,
> 
> Regards,
> 
> Roland van Laar

More information about the Owncloud mailing list