Girish Ramakrishnan
3e62f1913a
acme2: issuer name has changed
...
There is now Let's Encrypt R3 and Let's Encrypt R4 etc
https://scotthelme.co.uk/lets-encrypts-new-root-and-intermediate-certificates/
2020-12-04 11:48:45 -08:00
Girish Ramakrishnan
d23662c464
acme2: better logs
2020-12-04 11:47:19 -08:00
Girish Ramakrishnan
d331597bff
proxyAuth: allow protecting specific subpath
...
while I don't think this is useful for apps, it is useful for e2e test at least
2020-11-20 18:29:55 -08:00
Girish Ramakrishnan
c0b0029935
statically allocate app container IPs
...
We removed httpPort with the assumption that docker allocated IPs
and kept them as long as the container is around. This turned out
to be not true because the IP changes on even container restart.
So we now allocate IPs statically. The iprange makes sure we don't
overlap with addons and other CI app or JupyterHub apps.
https://github.com/moby/moby/issues/6743
https://github.com/moby/moby/pull/19001
2020-11-20 16:19:59 -08:00
Girish Ramakrishnan
0a3aad0205
Add httpPaths support
2020-11-19 11:02:53 -08:00
Girish Ramakrishnan
d703d1cd13
remove httpPort
...
we can just use container IP instead of all this httpPort exporting magic.
this is also required for exposing httpPaths feature (we have to otherwise
have multiple httpPorts).
2020-11-19 00:38:52 -08:00
Girish Ramakrishnan
625dc7c49b
Add proxyAuth as an addon
2020-11-10 16:50:36 -08:00
Girish Ramakrishnan
71666a028b
add support for protected sites
...
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
https://gock.net/blog/2020/nginx-subrequest-authentication-server/
https://github.com/andygock/auth-server
2020-11-10 01:06:39 -08:00
Girish Ramakrishnan
0064ac5ead
reduce the duration of self-signed certs
...
https://support.apple.com/en-us/HT210176
https://forum.cloudron.io/topic/3346/automatically-generated-self-signed-wildcard-certificate-doesn-t-appear-to-be-able-to-be-trusted-by-ios-13-or-greater
2020-10-08 14:39:23 -07:00
Girish Ramakrishnan
f2489c0845
some logs for tracking the cron issue
2020-10-07 14:47:51 -07:00
Girish Ramakrishnan
0f9168052a
nginx: add separate endpoint for ip/setup screens
...
'setup' endpoint for setup/restore. we show the setup wizard.
'ip' endpoint is post activation. we show a splash screen here.
Also, the https://ip will not respond to any api calls anymore
(since this will leak the admin fqdn otherwise).
We should probably make this customizable at some point.
Fixes #739
2020-09-23 23:07:40 -07:00
Girish Ramakrishnan
7b04817874
rename writeAdmin to writeDashboard
2020-09-23 15:45:04 -07:00
Girish Ramakrishnan
3507269321
Allow mail server name to be configurable
...
Fixes #721
2020-08-17 21:49:59 -07:00
Girish Ramakrishnan
510121bf54
remove support for hyphenated domains
...
this has not been used for a long time
2020-08-15 18:50:07 -07:00
Girish Ramakrishnan
ba29889f54
remove IP nginx configuration that redirects to dashboard after activation
...
fixes #728
2020-08-13 14:10:17 -07:00
Girish Ramakrishnan
bf5b7294a0
Add missing debugs
2020-08-10 14:54:37 -07:00
Girish Ramakrishnan
1f1c94de70
Fix certificate ordering logic
...
* app certs set by user are always preferred
* If fallback, choose fallback certs. ignore others
* If LE, try to pick LE certs. Otherwise, provider fallback.
Fixes #724
2020-08-07 23:02:24 -07:00
Girish Ramakrishnan
6b9454100e
certs: remove caas backend
2020-08-07 17:58:27 -07:00
Girish Ramakrishnan
b94dbf5fa3
remove restricted fallback cert
...
this feature was never used. iirc, it was for managed hosting
2020-08-07 17:57:25 -07:00
Johannes Zellner
d60714e4e6
Use webmaster@ instead of support@ as LetsEncrypt fallback
2020-05-03 11:02:18 +02:00
Girish Ramakrishnan
91af2495a6
Make key validation work for ecc certs
2020-03-24 21:20:21 -07:00
Girish Ramakrishnan
e6d881b75d
Use owner email for LE certs
...
https://forum.cloudron.io/topic/2244/email-contact-on-let-s-encrypt-ssl-tls-certificates-uses-password-recovery-email-rather-than-primary-email-address
2020-03-20 13:39:58 -07:00
Girish Ramakrishnan
db330b23cb
Stopped apps should not renew certificates
...
We had a case where a stopped/unused app was generating cert renewal
errors.
One idea might be to suppress the notification as well.
2020-01-26 16:22:20 -08:00
Girish Ramakrishnan
3ec5c713bf
debug: certFilePath is undefined
2019-12-08 18:23:12 -08:00
Girish Ramakrishnan
53e39f571c
Make addons code remove a BoxError
2019-12-04 14:28:42 -08:00
Girish Ramakrishnan
8d944f74c0
Make reverseProxy return BoxError consistently
2019-10-24 10:28:38 -07:00
Girish Ramakrishnan
51cb3b0ba8
Move DomainsError to BoxError
2019-10-23 15:15:19 -07:00
Girish Ramakrishnan
db6c07f86a
Move ReverseProxyError with BoxError
2019-10-22 21:24:31 -07:00
Girish Ramakrishnan
8878bc4bf9
frameAncestors -> csp
...
It seems we cannot separate frame ancestors from CSP because the hide
header just hides everything and not a specific resource. This means
that the user has to set or unset the full policy wholesale.
2019-10-14 17:12:01 -07:00
Girish Ramakrishnan
9c12f1fe15
Add field to configure the reverse proxy
...
part of #596
2019-10-14 15:05:25 -07:00
Girish Ramakrishnan
488763fc42
rename appconfig to nginxconfig
2019-10-13 17:08:33 -07:00
Girish Ramakrishnan
0542ab16d4
If cert renewal failed, continue using old cert
2019-10-03 11:11:02 -07:00
Girish Ramakrishnan
7e75ef7685
cert: add more debugs
2019-10-03 10:36:57 -07:00
Girish Ramakrishnan
c428f649aa
typo
2019-10-01 14:40:24 -07:00
Girish Ramakrishnan
ccecaca047
Fix crash
2019-10-01 14:04:39 -07:00
Girish Ramakrishnan
c7ee684f25
Fix bug where nginx was not reloaded on cert renewal
...
Looks like it worked so far because nginx got reloaded in situations
like apptask or server reboot.
2019-10-01 11:25:57 -07:00
Girish Ramakrishnan
52156c9a35
Remove unused type field
2019-10-01 11:17:12 -07:00
Girish Ramakrishnan
1d00c788d1
Remove dead code
2019-09-30 15:54:18 -07:00
Girish Ramakrishnan
d891d39587
reverseproxy: rename to writeDefaultConfig
2019-09-30 15:28:05 -07:00
Girish Ramakrishnan
cfde6e31ad
reverseproxy: improve the note
2019-09-30 15:25:53 -07:00
Girish Ramakrishnan
243772d1f5
reverseproxy: do not export reload
2019-09-30 15:23:53 -07:00
Girish Ramakrishnan
1c36b8eaf7
Add debugs
2019-09-30 11:52:23 -07:00
Girish Ramakrishnan
79f9963792
Add robotsTxt tests
2019-09-09 21:52:01 -07:00
Girish Ramakrishnan
6dfafae342
move the comment
2019-07-26 22:19:14 -07:00
Girish Ramakrishnan
9b74bb73aa
config.js is dead, long live config.js
...
we use settings now
2019-07-26 14:51:51 -07:00
Girish Ramakrishnan
6a77a58489
Move hasIPv6 into sysinfo
2019-07-25 14:35:08 -07:00
Girish Ramakrishnan
9d2f81d6b9
Remove X-Frame-Options
...
This option is now obsolete in the standards and browsers are complaining.
This needs to move to be a CSP header but this is hard to do from outside
the app (since it has to be 'merged' with the app's existing CSP).
fixes #596
2019-05-20 10:11:52 -07:00
Girish Ramakrishnan
c7f6ae5be9
remove unused require
2019-03-04 19:49:25 -08:00
Girish Ramakrishnan
d83d2d5f4e
Do not restart mail container when setting fallback certs
2019-03-04 19:35:22 -08:00
Girish Ramakrishnan
da2b00c9cf
Move cert change notification into ensureCertificate()
...
When ensureCertificate renews the cert, the filename will match the
nginx config cert file. The current code detects that this implies
that the cert has not changed and thus does not update mail container.
Move the notification into ensureCertificate() itself. If we have a wildcard
cert and it gets renewed when installing a new app, then mail container will
still get it.
2019-03-04 15:24:09 -08:00