jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
6,330 Commits 33 Branches 583 Tags
5be39bc271510a95a4e34f0fa4e72ffbd5daa7cf
Commit Graph

6330 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Girish Ramakrishnan 806b458ff1 Move it to the selfhosting guide instead 2017-03-29 10:33:51 -07:00
Girish Ramakrishnan d5d4e237bd doc: add security section 2017-03-29 10:23:08 -07:00
Girish Ramakrishnan 956fe86250 Add firewall service 
Docker really insists on adding itself to the top of the FORWARD
chain. Making our firewall side-steps this docker design.
 2017-03-29 02:31:53 -07:00
Girish Ramakrishnan 4d000e377f Enable iptables based ratelimit for cloudron auth services 
The goal here is to simply add a rate limit to prevent brute
force password attacks.

Covered services includes:
    (public) http, https, ssh, smtp, msa, imap, sieve
    (private) postgres, redis, mysql, ldap, mongodb. msa

The private limits are higher because some apps will create
a db connection for each page request.  Some apps like mailtrain
will send out lots of emails etc.

Note that apps that use SSO are ratelimited by the ldap limit.

Part of #187
 2017-03-29 00:02:05 -07:00
Johannes Zellner 39e827be04 Add rosehosting to the help output if no provider is specified 2017-03-28 10:38:00 +02:00
Girish Ramakrishnan e50b4cb7ec doc: fixup the best practices docs 
Fixes #232
 2017-03-27 15:29:07 -07:00
Johannes Zellner 1938ec635b Remove bestpractices.md as this was already incorporated into the main packaging guide 2017-03-27 16:05:03 +02:00
Johannes Zellner 03a3d367a4 Incorporate best practices into app package guide 
Part of #232
 2017-03-27 16:03:19 +02:00
Johannes Zellner 38c2f75b5e Also patch the cloudron-setup to match the resize script 
Part of #278
 2017-03-27 13:51:37 +02:00
Johannes Zellner 9d98b55881 Merge branch 'tobru/fix_278' into 'master' 
get disk_size_bytes by directly querying df /. fixes #278

Closes #278

See merge request !4
 2017-03-27 11:46:49 +00:00
Girish Ramakrishnan 18e59c4754 Rate limit nginx routes that verify the password 
Also remove rate-limit middleware

Test using something like:

    ab -v 1 -n 1000 -c 10 -s 5 -m POST https://my.<doamain>/api/v1/developer/login

Part of #187
 2017-03-27 00:06:42 -07:00
Girish Ramakrishnan 64cb951206 Fix failing dns test 2017-03-26 22:07:28 -07:00
Girish Ramakrishnan 77df520b07 addons is optional in manifest 2017-03-26 21:55:31 -07:00
Girish Ramakrishnan 32f94a03ce Fix failing test 2017-03-26 21:53:45 -07:00
Girish Ramakrishnan fc6ce4945f add sendmail/recvmail ldap tests 2017-03-26 20:42:46 -07:00
Girish Ramakrishnan 17b7d89db9 Generate password for mailboxes 
Fixes #109
 2017-03-26 20:07:59 -07:00
Girish Ramakrishnan 6ea741e92f Verify password for sendmail/recvmail addon 
Part of #109
 2017-03-26 20:07:55 -07:00
Girish Ramakrishnan 790ad4e74d Add getAddonConfigByName 2017-03-26 19:06:36 -07:00
Girish Ramakrishnan f92297cc99 Store env vars as name, value pairs 
Part of #109
 2017-03-26 12:22:19 -07:00
Tobias Brunner 0c6c835a39 get disk_size_bytes by directly querying df /. fixes #278 
This simplifies the logic to get the available space the root
mountpoint has available and makes it more robust.
 2017-03-26 18:03:10 +02:00
Girish Ramakrishnan 514341172c Add name to appAddonConfigs 
Part of #109
 2017-03-25 18:06:56 -07:00
Girish Ramakrishnan e535ffa778 Disable bind9 as it conflicts with unbound 
part of #194
 2017-03-25 17:36:10 -07:00
Girish Ramakrishnan b86cfabd17 Do not allocate more than 4GB swap 
Also resize existing swap file, if necessary. Note that if the user
allocates more than what we expect, we don't do anything.

Fixes #277
 2017-03-24 16:03:30 -07:00
Girish Ramakrishnan b44f0b78a1 remove spurious console.log 2017-03-24 14:55:22 -07:00
Johannes Zellner 76d234d0bf Also allow data: uri to be loaded for images 2017-03-24 17:23:20 +01:00
Johannes Zellner a694acba44 Redirect to /setupdns.html if cloudron is activated but no domain is set 
This happens in the restore case where no domain is provided to
cloudron-setup

Fixes #273
 2017-03-23 15:40:18 +01:00
Johannes Zellner 046120befc Move email toggle button above checks to make it more likely people read the text 2017-03-23 11:41:26 +01:00
Girish Ramakrishnan b65fee4b73 Pass ENABLE_MDA flag to mail addon v0.107.0 2017-03-22 20:42:28 -07:00
Girish Ramakrishnan 153dcc1826 Fix bug in example text 2017-03-22 18:23:24 -07:00
Girish Ramakrishnan fa4725176c Group help text together 2017-03-22 16:44:18 -07:00
Girish Ramakrishnan e42607fec6 Always show the password input 2017-03-22 16:13:18 -07:00
Girish Ramakrishnan 297c1ff266 Show error message only if the domain changed 2017-03-22 16:06:47 -07:00
Girish Ramakrishnan 5afe75f137 Bump mail container (for mx bypass fix) 2017-03-22 14:39:30 -07:00
Girish Ramakrishnan 4cfc85f6d3 Do not validate password length 2017-03-22 13:50:20 -07:00
Girish Ramakrishnan b03f901bbf More 0.107.0 changes 2017-03-22 12:01:04 -07:00
Johannes Zellner b9dfac94ed Revert "Add ldapjs-rate-limit module" 
This reverts commit 3d60a04b36.
 2017-03-22 19:35:06 +01:00
Johannes Zellner c905adde1e Revert "Limit ldap queries per client to 60 per minute" 
This reverts commit 466dfdf81f.
 2017-03-22 19:35:06 +01:00
Girish Ramakrishnan 0e7efa77a5 Bump the mail container 2017-03-22 09:55:04 -07:00
Johannes Zellner 875ca0307f Fix the node tutorial to export the node PATH and use latest node release 2017-03-22 16:20:48 +01:00
Johannes Zellner 543c9843ba Use df instead of fdisk 
some disk types do not contain proper partition tables like on time4vps
the type is simfs. On those fdisk fails to access the partition table,
thus being unable to determine the size of the volume.
df does only return the real usable disk space by the user, thus we
lower the 20GB threshold to 18

Fixes #275
 2017-03-22 14:23:59 +01:00
Johannes Zellner 83254a16f9 Do not restrict CSP img-src as 3rd party apps might use other origins for medialinks 2017-03-21 20:20:16 +01:00
Johannes Zellner 466dfdf81f Limit ldap queries per client to 60 per minute 
Part of #187
 2017-03-21 16:43:22 +01:00
Johannes Zellner 3d60a04b36 Add ldapjs-rate-limit module 2017-03-21 16:43:02 +01:00
Johannes Zellner 103cb10cad Ignore upstream headers for security headers we set in nginx 
Apps like nextcloud set their own security headers ending up with having
them set twice. I am not 100% sure if our headers should win or if we
should not inject headers with nginx if the upstream app sets them already.
This looks like the more permissive case where we simply enforce our
values, regardless what the apps sets.

This also fixes the nextcloud/owncloud security checks which were
failing because the header values were duplicated, which results in
string concatenation of values from same headers.
 2017-03-21 14:18:39 +01:00
Johannes Zellner 29ef079a83 Do not let the invite link overflow the dialog 2017-03-21 13:36:36 +01:00
Johannes Zellner a55645770e Add missing csp img-src policy for app icons 2017-03-21 13:25:29 +01:00
Johannes Zellner 132ddd2671 Add 0.107.0 changes 2017-03-21 11:15:51 +01:00
Johannes Zellner fa5891b149 Also put csp meta tag in oauth views 2017-03-21 11:12:04 +01:00
Johannes Zellner d01929debc Be more permissive with csp header values 2017-03-21 11:12:04 +01:00
Johannes Zellner 7c01ee58b5 Template the cloudron origin for csp to support local development 2017-03-21 11:12:04 +01:00