Girish Ramakrishnan
54af286fcd
app proxy: workaround for nginx not starting if upstream is down
https://sandro-keil.de/blog/let-nginx-start-if-upstream-host-is-unavailable-or-down/
without a resolver, dns names do not resolve
2022-09-30 10:36:44 +02:00
Johannes Zellner
a955457ee7
Support proxy app
2022-06-09 10:48:54 +02:00
Girish Ramakrishnan
b5c2a0ff44
exec: rework API to get exit code
2022-05-16 11:23:58 -07:00
Johannes Zellner
6bd478b8b0
Add profile backgroundImage api
2022-05-15 12:08:11 +02:00
Girish Ramakrishnan
1b34a3e599
proxyAuth: add header spoofing note
2022-04-26 14:59:38 -07:00
Girish Ramakrishnan
c63709312d
proxyAuth: set X-Remote-User, X-Remote-Email headers
Apps like firefly-iii support https://datatracker.ietf.org/doc/html/rfc3875#section-4.1.10
2022-04-25 22:24:41 -07:00
Girish Ramakrishnan
11cf24075b
Keep proxyAuth.enabled configs together
2022-04-25 22:09:34 -07:00
Girish Ramakrishnan
9bb5096f1c
nginx: enable underscores in headers
chatwoot requires this
https://www.chatwoot.com/docs/self-hosted/deployment/caprover#api-requests-failing-with-you-need-to-sign-in-or-sign-up-before-continuing
They are apparently disabled by default since they conflict with some CGI headers:
https://stackoverflow.com/questions/22856136/why-do-http-servers-forbid-underscores-in-http-header-names
https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/?highlight=disappearing%20http%20headers#missing-disappearing-http-headers
2022-03-13 23:04:34 -07:00
Girish Ramakrishnan
eb0662b245
Up the json size to 2mb for block list route
https://forum.cloudron.io/topic/6575/cloudron-7-1-2-firewall-not-ipv6-ready
2022-03-01 11:57:50 -08:00
Girish Ramakrishnan
f18d108467
nginx: add listen note
2022-02-09 23:15:37 -08:00
Girish Ramakrishnan
2ab2255115
fix dhparam generation
it cannot be created in default config creation time since it is
already run pre-VM snapshot time
2021-11-17 11:48:06 -08:00
Girish Ramakrishnan
1c8e699a71
generate dhparams per server
this way we don't need to save/restore it from the database.
2021-11-16 23:03:16 -08:00
Girish Ramakrishnan
01a1803625
provision: delay initialization of secrets until provision time
when we create the DO 1-click image, the key also gets snapshotted.
https://community.letsencrypt.org/t/receiving-expiration-emails-for-dozens-of-domains/165441
2021-11-15 23:33:54 -08:00
Johannes Zellner
3826ae64c6
Ensure the main login route is rate-limited
2021-11-12 11:14:21 +01:00
Girish Ramakrishnan
68db4524f1
remove unused httpPaths from manifest
2021-11-09 21:50:33 -08:00
Girish Ramakrishnan
85e3e4b955
Accommodate redhat client
Patch from @jk at https://forum.cloudron.io/topic/4383/cannot-install-apps-from-docker-registry-because-authentication-fails
2021-08-13 09:36:06 -07:00
Girish Ramakrishnan
9418e93428
reverseproxy: adminOrigin is not used in the ejs
2021-05-05 13:13:04 -07:00
Girish Ramakrishnan
c17743d869
migrate secrets into the database
the infra version is bumped because the nginx's dhparams path has changed
and the sftp server key path has changed.
2021-05-03 22:11:18 -07:00
Johannes Zellner
70f2337b09
Allow apps to override the Referrer-Policy header
2021-04-26 11:48:18 +02:00
Girish Ramakrishnan
4d919127a7
implement OCSP stapling
can verify stapling using openssl s_client -connect hostname:443 -status
status_request is RFC6066. there is also status_request_v2 (RFC6961) but this is
not implemented even in openssl libs yet
2021-04-16 12:13:54 -07:00
Girish Ramakrishnan
c6920bd860
HSTS: bump the max-age to 2 years
Side note: https://hstspreload.org/ . This is what the chromium project expects
for preloading.
2021-03-22 19:04:28 -07:00
Girish Ramakrishnan
dd58c174a8
change default referrer policy to same-origin
https://forum.cloudron.io/topic/4546/referrer-policy-header-is-overwritten
2021-03-01 09:34:23 -08:00
Girish Ramakrishnan
2f58092af2
Fix .well-known not served up properly for redirection
2021-02-18 09:30:39 -08:00
Girish Ramakrishnan
c8c4f99849
Reduce gzip_min_length to keep tools like semrush happy
2021-02-15 11:46:36 -08:00
Girish Ramakrishnan
1d0ad3cb47
proxyAuth: Fix docker UA detection
2021-02-09 13:45:00 -08:00
Girish Ramakrishnan
8f7b224846
proxyauth: make auth error handler return 401 for docker client
2021-01-27 00:33:27 -08:00
Girish Ramakrishnan
1a5fc894d6
Fix proxyAuth nginx config
2021-01-11 21:52:41 -08:00
Girish Ramakrishnan
29ab352846
proxyAuth: add exclusion path
had to move the ~ login/logout regexp inside. This is because of
https://www.ruby-forum.com/t/proxy-pass-location-inheritance/239135
What it says is that a regexp inside a matching location prefix is
given precedence regardless of how it appears in the file. This means
that the negative regexp got precedence over login|logout and thus
went into infinite redirect. By moving it to same level, the regexps
are considered in order.
Some notes on nginx location:
* First, it will match the prefixes (= and the /). If =, the matching stops.
If /xx then the longest match is "remembered"
* It will then match the regex inside the longest match. First match wins
* It will then match the rest of the regex locations. First match wins
* If no regex matched, it will then do the remembered longest prefix
fixes #762
2021-01-08 21:16:49 -08:00
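The location precedence rules noted in this commit, as an added simulation (not Cloudron's code and not nginx's own implementation): it models `=`, prefix and `~` regex locations (nested regexes only, no `^~`), uses illustrative paths that are assumptions, and reproduces why the negative regexp nested under `/` beat the top-level `login|logout` regexp and caused the redirect loop.

```python
import re

# Constructed location tables (assumed paths, not Cloudron's real config).
# BROKEN: the exclusion regexp is nested inside the "/" prefix location,
# while the login|logout regexp sits at the top level.
BROKEN = [
    {"kind": "prefix", "path": "/", "name": "protected-root", "nested": [
        {"kind": "regex", "pattern": r"^(?!/public/)", "name": "auth-required"},
    ]},
    {"kind": "regex", "pattern": r"^/(login|logout)", "name": "login-no-auth"},
]

# FIXED: both regexps at the same level, so file order decides.
FIXED = [
    {"kind": "prefix", "path": "/", "name": "protected-root", "nested": []},
    {"kind": "regex", "pattern": r"^/(login|logout)", "name": "login-no-auth"},
    {"kind": "regex", "pattern": r"^(?!/public/)", "name": "auth-required"},
]


def select_location(locations, uri):
    """Name of the location chosen for uri, following the commit's notes:
    '=' wins outright; the longest matching prefix is remembered; regexes
    nested in that prefix are tried first (file order), then the remaining
    regexes (file order); with no regex match, the remembered prefix is used."""
    longest = None
    for loc in locations:
        if loc["kind"] == "exact" and loc["path"] == uri:
            return loc["name"]
        if loc["kind"] == "prefix" and uri.startswith(loc["path"]):
            if longest is None or len(loc["path"]) > len(longest["path"]):
                longest = loc
    if longest is not None:
        for loc in longest.get("nested", []):
            if loc["kind"] == "regex" and re.search(loc["pattern"], uri):
                return loc["name"]
    for loc in locations:
        if loc["kind"] == "regex" and re.search(loc["pattern"], uri):
            return loc["name"]
    return longest["name"] if longest else None


def redirect_loops(locations, uri="/dashboard", hops=5):
    """Simulate the failure: hitting 'auth-required' redirects to /login;
    if /login lands in 'auth-required' again, the browser loops forever."""
    for _ in range(hops):
        if select_location(locations, uri) != "auth-required":
            return False
        uri = "/login"
    return True
```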
Girish Ramakrishnan
4a6f36bc0e
make the notfound page customizable
fixes #755
2021-01-08 11:02:09 -08:00
Girish Ramakrishnan
0ef0c77305
rename splash to notfound
part of #755
2021-01-08 10:13:01 -08:00
Girish Ramakrishnan
8a17e13ec4
automate wellknown setup
the main reason this is under app and not domain is because it lets
the user know that an app has to be installed for the whole thing to work.
part of #703
2020-12-23 15:20:53 -08:00
Girish Ramakrishnan
64a4b712cc
proxyAuth: add a hack to invalidate cache
when user goes to /logout and then goes to /, the browser will
serve up the cached / based on cache-control. This might make the
user believe they are not logged out.
fixes #753
2020-12-19 22:09:14 -08:00
Girish Ramakrishnan
ccc65127f1
volumes: fix upload limit
2020-12-04 10:35:51 -08:00
Girish Ramakrishnan
1db868bf9c
httpPaths: add trailing slash to proxy_pass
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
"If the proxy_pass directive is specified with a URI, then when a request
is passed to the server, the part of a normalized request URI matching the
location is replaced by a URI specified in the directive"
2020-11-21 14:37:39 -08:00
Girish Ramakrishnan
d331597bff
proxyAuth: allow protecting specific subpath
while I don't think this is useful for apps, it is useful for e2e test at least
2020-11-20 18:29:55 -08:00
Girish Ramakrishnan
279f7a80c5
make appstatus work again for apps
2020-11-20 12:04:58 -08:00
Girish Ramakrishnan
0a3aad0205
Add httpPaths support
2020-11-19 11:02:53 -08:00
Girish Ramakrishnan
d703d1cd13
remove httpPort
we can just use container IP instead of all this httpPort exporting magic.
this is also required for exposing httpPaths feature (we have to otherwise
have multiple httpPorts).
2020-11-19 00:38:52 -08:00
Girish Ramakrishnan
641704a741
proxyauth: support basic auth
this is required for apps like transmission
2020-11-11 15:11:36 -08:00
Girish Ramakrishnan
008fa09877
proxyauth: redirect correctly after login
2020-11-11 00:01:36 -08:00
Girish Ramakrishnan
625dc7c49b
Add proxyAuth as an addon
2020-11-10 16:50:36 -08:00
Girish Ramakrishnan
71666a028b
add support for protected sites
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
https://gock.net/blog/2020/nginx-subrequest-authentication-server/
https://github.com/andygock/auth-server
2020-11-10 01:06:39 -08:00
Girish Ramakrishnan
0f9168052a
nginx: add separate endpoint for ip/setup screens
'setup' endpoint for setup/restore. we show the setup wizard.
'ip' endpoint is post activation. we show a splash screen here.
Also, the https://ip will not respond to any api calls anymore
(since this will leak the admin fqdn otherwise).
We should probably make this customizable at some point.
Fixes #739
2020-09-23 23:07:40 -07:00
Girish Ramakrishnan
eb47476c83
collectd: remove nginx status collection
we don't use this at all
2020-09-23 16:09:46 -07:00
Girish Ramakrishnan
8b5c7d3d87
make http redirect to https://final-destination
2020-09-02 18:56:22 -07:00
Girish Ramakrishnan
b14b5f141b
Hide nginx version
2020-07-13 09:27:57 -07:00
Johannes Zellner
a481ceac8c
Allow larger file uploads for filemanager
2020-07-10 18:23:55 +02:00
Girish Ramakrishnan
6648f41f3d
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive
2020-06-30 16:00:52 -07:00
Girish Ramakrishnan
7eafa661fe
check .well-known presence upstream
this is required for apps like nextcloud which have caldav/carddav
routes
2020-04-15 16:56:41 -07:00
Girish Ramakrishnan
2fe323e587
remove bogus internal route
2020-04-14 23:11:44 -07:00