Johannes Zellner
d69758e559
Only set ldap allowlist if file exists and is not empty
2021-12-15 19:23:22 +01:00
Girish Ramakrishnan
6492c9b71f
nginx: remove combined2 custom log format
...
collectd does not use this anymore (eb47476c83)
This makes nginx work better with a variety of tools like Wazuh and ossec
https://forum.cloudron.io/topic/6077/nginx-logs-format/
https://forum.cloudron.io/topic/6161/implement-default-nginx-logging
2021-12-13 10:47:12 -08:00
Johannes Zellner
1c7eeb6ac6
Handle exposed ldap allowlist
2021-12-10 17:04:30 +01:00
Johannes Zellner
63fe75ecd2
Reduce noisy externalldap debug()s
2021-11-26 09:55:59 +01:00
Girish Ramakrishnan
e5301fead5
exclude externalldap debugs by default
2021-11-25 14:49:59 -08:00
Johannes Zellner
3a8aaf72ba
Expose LDAP via iptables
2021-11-23 12:37:03 +01:00
Johannes Zellner
735737b513
Initial attempt to expose the ldap server
2021-11-22 21:29:23 +01:00
Girish Ramakrishnan
405eae4495
Fix installation detection
2021-10-12 10:26:58 -07:00
Johannes Zellner
9eed3af8b6
add volume remount
2021-10-11 16:22:56 +02:00
Girish Ramakrishnan
f17e3b3a62
mail: export pop3 port
2021-10-07 22:06:26 -07:00
Girish Ramakrishnan
593038907c
unbound: on ubuntu 16, sd_notify is not working
...
not clear when unbound added support for this.
on ubuntu 16, unbound is 1.5.8.
on ubuntu 20, unbound is 1.9.4
2021-06-04 09:41:54 -07:00
Girish Ramakrishnan
2421536c23
add indexes for ORDER BY fields used in code
...
we hit ER_OUT_OF_SORTMEMORY with large tables
2021-05-17 07:06:11 -07:00
Girish Ramakrishnan
a56766ab0e
ensure nss-lookup.target is hit after unbound starts
...
https://github.com/NLnetLabs/unbound/issues/296
this fixes volume hostname resolution on reboot
2021-05-14 12:07:05 -07:00
Girish Ramakrishnan
50407eba0b
volumes: generate systemd mount files based on mount type
2021-05-12 23:57:12 -07:00
Girish Ramakrishnan
7de454911e
migrate firewall configuration into database
...
the ports.json is for the moment server specific
2021-05-04 15:55:54 -07:00
Girish Ramakrishnan
00856b79dd
firewall: Set BOX_ENV
2021-04-14 23:01:08 -07:00
Girish Ramakrishnan
131711ef5c
mysql: bump connection limit to 200
2021-04-09 10:55:31 -07:00
Girish Ramakrishnan
84dfd4aa84
firewall: no need to keep 25 always open
2021-03-30 15:56:01 -07:00
Girish Ramakrishnan
c1ee3dcbd4
collectd: cache du values and send it every Interval (20)
...
collectd plugin ordering matters. the write_graphite plugin establishes
a TCP connection but there is a race between that and the df/du values that
get reported. du is especially problematic since we report this only every 12 hours.
so, instead we cache the values and report it every 20 seconds. on the carbon side,
it will just retain every 12 hours (since that is the whisper retention period).
there is also FlushInterval which I am not 100% sure has any effect. by default, the
write_graphite plugin waits for 1428 bytes to be accumulated. (https://manpages.debian.org/unstable/collectd-core/collectd.conf.5.en.html)
https://github.com/collectd/collectd/issues/2672
https://github.com/collectd/collectd/pull/1044
I found this syntax hidden deep inside https://www.cisco.com/c/en/us/td/docs/net_mgmt/virtual_topology_system/2_6_3/user_guide/Cisco_VTS_2_6_3_User_Guide/Cisco_VTS_2_6_1_User_Guide_chapter_01111.pdf
2021-03-26 00:21:38 -07:00
Girish Ramakrishnan
c1b61bc56b
add note
2021-03-24 20:30:02 -07:00
Girish Ramakrishnan
0447dce0d6
graphite: restart collectd as well
2021-03-23 16:34:36 -07:00
Girish Ramakrishnan
f7bd47888a
Fix issue where df output is not parsed correctly
...
LANG is the default locale, i.e. when LC_* are not specified.
LC_ALL will override them all.
https://forum.cloudron.io/topic/4681/going-to-system-info-triggers-assertion-error
2021-03-17 11:14:07 -07:00
Girish Ramakrishnan
4d4aad084c
remove hard dep on systemd-resolved
...
the start.sh script does a "systemctl restart systemd-resolved". this
ends up restarting the box code prematurely! and then later when mysql
restarts, the box code loses connection and bad things happen (tm)
especially during a platform update.
we don't log to journald anymore, so not sure if EPIPE is still an issue
2021-03-04 21:07:52 -08:00
Girish Ramakrishnan
03a59cd500
mysql: disable binlogs altogether
...
this is useful primarily for replication
http://dimitrik.free.fr/blog/archives/2018/04/mysql-performance-testing-80-with-less-blood.html
2021-02-26 09:53:37 -08:00
Girish Ramakrishnan
bbed7c1d8a
stack scripts: add hint that cloudron is installing
...
with linode, user has no clue that cloudron is installing when they SSH in.
2021-02-25 13:36:57 -08:00
Girish Ramakrishnan
7a6a170451
remove retire.sh
2021-02-25 10:32:53 -08:00
Girish Ramakrishnan
a546914796
mysql: keep binlog to couple of days
2021-02-24 16:00:46 -08:00
Girish Ramakrishnan
38607048ee
mysql: make binlog have 5 day expiry
2021-02-24 09:19:26 -08:00
Girish Ramakrishnan
9ccd82ce4e
set binlog config in mysql
...
keep max binlog file size to 100M and rotate them in 10 days
2021-02-23 14:24:58 -08:00
Girish Ramakrishnan
48c52533c4
firewall: syntax cleanup
2021-02-12 08:13:47 -08:00
Johannes Zellner
1a98d6d2bd
iptables --dports only supports up to 15 ports apparently
2021-02-12 15:56:19 +01:00
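The 15-port limit in 1a98d6d2bd is the iptables multiport match limit: -m multiport --dports takes at most 15 ports per rule, and a first:last range counts as two of them. The following is an added example, not code from the Cloudron repository: a POSIX sh function that splits a port list into chunks that fit one rule each and prints the resulting iptables commands instead of running them, so the generated rule set can be reviewed before it is applied. The chain name, protocol and port list are constructed inputs.

```shell
#!/bin/sh
# Added example, not from the Cloudron repository. The iptables multiport
# match (-m multiport --dports) accepts at most 15 ports per rule, and a
# first:last range counts as two of those slots. multiport_rules CHAIN PROTO
# PORT... splits the list into chunks that fit and prints one rule per chunk
# instead of executing it, so the generated rule set can be reviewed.
MULTIPORT_MAX=15

multiport_rules() {
    mp_chain=$1
    mp_proto=$2
    shift 2
    mp_chunk=""
    mp_count=0
    for mp_port in "$@"; do
        # Accept only N or N:M; anything else would make iptables fail later.
        case $mp_port in
            ''|*[!0-9:]*|:*|*:|*:*:*)
                printf 'invalid port spec: %s\n' "$mp_port" >&2
                return 1 ;;
            *:*) mp_cost=2 ;;   # a range occupies two slots
            *)   mp_cost=1 ;;
        esac
        # Flush the current chunk when this entry would push it past 15.
        if [ $((mp_count + mp_cost)) -gt "$MULTIPORT_MAX" ]; then
            echo "iptables -A $mp_chain -p $mp_proto -m multiport --dports $mp_chunk -j ACCEPT"
            mp_chunk=""
            mp_count=0
        fi
        if [ -z "$mp_chunk" ]; then
            mp_chunk=$mp_port
        else
            mp_chunk="$mp_chunk,$mp_port"
        fi
        mp_count=$((mp_count + mp_cost))
    done
    if [ -n "$mp_chunk" ]; then
        echo "iptables -A $mp_chain -p $mp_proto -m multiport --dports $mp_chunk -j ACCEPT"
    fi
}

# Constructed example: 17 entries including one range = 18 slots, so this
# has to become two rules rather than one overlong --dports list.
multiport_rules INPUT tcp 22 25 80 443 587 993 2525 3000:3010 4190 5222 5269 7000 7001 8000 8001 8002 8003
```

Piping the printed lines into sh would apply them; keeping generation separate from application is what makes the chunking easy to eyeball, and the validation step stops a typo from surfacing only as an iptables error halfway through a rule set.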
Girish Ramakrishnan
7bdeaca75b
secure the provision and activation routes with a token
...
fixes #751
2020-12-21 23:33:31 -08:00
Girish Ramakrishnan
f497d5d309
fix thp disable on kernels that have it disabled
2020-12-07 11:38:11 -08:00
Girish Ramakrishnan
6810d823f5
collectd(df): convert byte string to string
...
this makes the graphs work
2020-12-04 12:10:59 -08:00
Girish Ramakrishnan
4287642308
firewall: add udp ports to allowed list
2020-11-30 10:26:39 -08:00
Girish Ramakrishnan
213ce114e3
disable thp
...
https://docs.mongodb.com/manual/tutorial/transparent-huge-pages/
redis complains loudly and this often results in support requests
2020-11-28 16:30:04 -08:00
Girish Ramakrishnan
1d3d8288a9
unbound does not depend on box
2020-11-25 18:31:30 -08:00
Girish Ramakrishnan
e511b70d8f
bring back resolvconf and unbound DNS
...
bd9c664b1a tried to remove it and use
the system resolver. However, we found that debian has a quirk that it adds
the fqdn as 127.0.1.1. This means that the docker containers
resolve the my.example.com domain to that and can't connect.
This affects any apps doing a turn test (CLOUDRON_TURN/STUN_SERVER)
and also apps like SOGo which use the mail server hostname directly (since
they require proper certs).
https://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_the_hostname_resolution
So, the solution is to go back to unbound, now that port 53 binding is specially
handled anyway in docker.js
2020-11-25 10:02:43 -08:00
Girish Ramakrishnan
09c8248e31
move back docker network creation to start.sh
...
dockerproxy and unbound rely on it.
2020-11-20 17:22:57 -08:00
Girish Ramakrishnan
4d55783ed8
unbound: start it after docker
2020-11-19 23:22:11 -08:00
Girish Ramakrishnan
bd9c664b1a
Free up port 53
...
It's all very complicated.
Approach 1: Simply move unbound to not listen on 0.0.0.0 and only the internal
ones. However, docker has no way to bind only to the "public" interface.
Approach 2: Move the internal unbound to some other port. This required a PR
for haraka - https://github.com/haraka/Haraka/pull/2863. This works and we use
systemd-resolved by default. However, it turns out systemd-resolved will hog the
lo and thus docker cannot bind again to port 53.
Approach 3: Get rid of systemd-resolved and try to put the dns server list in
/etc/resolv.conf. This is surprisingly hard because the DNS listing can come from
DHCP or netplan or wherever. We can hardcode some public DNS servers but this seems
not a good idea for privacy.
Approach 4: So maybe we don't move the unbound away to different port after all.
However, all the work for approach 2 is done and it's quite nice that the default
resolver is used with the default dns server of the network (probably a caching
server + also maybe has some home network firewalled dns).
So, the final solution is to make docker bind to the IP explicitly.
It's unclear what will happen if the IP changes, maybe it needs a restart.
2020-11-18 23:25:56 -08:00
Girish Ramakrishnan
9b37597ac8
Bump up max_allowed_packet
...
https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_max_allowed_packet
has it already set to 64M by default. I also saw some mysql connection
drop issues and think this is the reason
2020-11-17 19:45:28 -08:00
Girish Ramakrishnan
0f9168052a
nginx: add separate endpoint for ip/setup screens
...
'setup' endpoint for setup/restore. we show the setup wizard.
'ip' endpoint is post activation. we show a splash screen here.
Also, the https://ip will not respond to any api calls anymore
(since this will leak the admin fqdn otherwise).
We should probably make this customizable at some point.
Fixes #739
2020-09-23 23:07:40 -07:00
Girish Ramakrishnan
eb47476c83
collectd: remove nginx status collection
...
we don't use this at all
2020-09-23 16:09:46 -07:00
Girish Ramakrishnan
191be658d5
firewall: fix race where blocklist was added after docker rules
2020-09-22 12:02:40 -07:00
Girish Ramakrishnan
1f209d0fb4
fix some comments
2020-09-22 11:43:14 -07:00
Girish Ramakrishnan
933918ea27
Fix docs url
2020-09-15 14:46:22 -07:00
Girish Ramakrishnan
20e206fa43
migrate blocklist to a txt file
...
this allows easy copy/pasting of existing deny lists which contain
comments and blank lines
2020-09-14 12:10:29 -07:00
Girish Ramakrishnan
722808a0e4
firewall: make sure blocklist is first in the forward chain
2020-09-09 17:47:20 -07:00
Girish Ramakrishnan
b7440ee516
Do IP based check first before accepting port based checks
2020-08-31 21:55:45 -07:00
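Three of the firewall commits above, 20e206fa43 (blocklist as a txt file with comments and blank lines), 722808a0e4 (blocklist first in the FORWARD chain) and b7440ee516 (IP-based check before port-based checks), describe one mechanism. As an added example, not the project's own firewall script, here is a POSIX sh sketch of that mechanism: it reads a deny list in the txt format, drops comments and blank lines, rejects entries that are not an IPv4 address or CIDR, and prints iptables commands that insert a DROP at position 1 of the FORWARD chain so the IP check is evaluated before any port-based ACCEPT. The sample list, file name and function names are constructed for the example; nothing is executed.

```shell
#!/bin/sh
# Added example, not from the Cloudron repository. Parses a deny list in the
# "txt with comments and blank lines" format and prints the iptables commands
# that would put each valid entry at the head of the FORWARD chain, so the
# IP-based DROP is evaluated before any port-based ACCEPT added later (for
# example by docker). The commands are printed, not executed.
BLOCKLIST_CHAIN=FORWARD

# blocklist_entries FILE: remove whole-line and trailing comments, blank
# lines and surrounding whitespace; print one candidate entry per line.
blocklist_entries() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# valid_cidr ENTRY: succeed only for a.b.c.d or a.b.c.d/len with every octet
# in 0-255 and len in 0-32. Hostnames, IPv6 and typos are rejected so they
# never reach iptables.
valid_cidr() {
    printf '%s\n' "$1" | awk -F/ '
        NF > 2 { exit 1 }
        {
            ip = $1
            len = (NF == 2) ? $2 : "32"
            if (len !~ /^[0-9]+$/ || len + 0 > 32) exit 1
            if (split(ip, o, ".") != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
            exit 0
        }'
}

# blocklist_rules FILE: one "iptables -I FORWARD 1 -s ENTRY -j DROP" per
# valid entry; malformed entries are reported on stderr and skipped rather
# than silently turned into a rule that matches nothing or everything.
blocklist_rules() {
    blocklist_entries "$1" | while IFS= read -r entry; do
        if valid_cidr "$entry"; then
            echo "iptables -I $BLOCKLIST_CHAIN 1 -s $entry -j DROP"
        else
            printf 'skipping malformed blocklist entry: %s\n' "$entry" >&2
        fi
    done
}

# Constructed sample deny list in the txt format (example data only).
BLOCKLIST_FILE=$(mktemp)
cat > "$BLOCKLIST_FILE" <<'EOF'
# scanner ranges seen in the logs (constructed example data)
198.51.100.0/24

203.0.113.7          # single host with a trailing comment
203.0.113.300        # bad octet, must be skipped
example.invalid      # hostnames are not accepted
2001:db8::/32        # IPv6 is out of scope for this script
EOF

blocklist_rules "$BLOCKLIST_FILE"
```

Inserting at position 1 is what guarantees the ordering the commits ask for: a later "iptables -A FORWARD ... --dports ... -j ACCEPT" (or the rules docker appends for published ports) lands after the DROPs, so a blocked source is refused before any port is considered. Since every emitted rule is a DROP, the order among them does not matter, which is why the script does not bother reversing the file order.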