jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
6,811 Commits 33 Branches 583 Tags
6cd060162940fbae6ea9224d07388b77a739677a
Commit Graph

142 Commits

Author SHA1 Message Date
Girish Ramakrishnan
2c871705c7 Add a referrer policy 2017-03-31 16:11:54 -07:00
Girish Ramakrishnan
e9456f70f9 use connlimit module to rate limit 
hitcount cannot be more than 255 in recent module
 2017-03-29 21:51:24 -07:00
Girish Ramakrishnan
ffbda22145 Fine tune rate limits a bit more 2017-03-29 16:03:08 -07:00
Girish Ramakrishnan
956fe86250 Add firewall service 
Docker really insists on adding itself to the top of the FORWARD
chain. Making our firewall side-steps this docker design.
 2017-03-29 02:31:53 -07:00
Johannes Zellner
9d98b55881 Merge branch 'tobru/fix_278' into 'master' 
get disk_size_bytes by directly querying df /. fixes #278

Closes #278

See merge request !4
 2017-03-27 11:46:49 +00:00
Girish Ramakrishnan
18e59c4754 Rate limit nginx routes that verify the password 
Also remove rate-limit middleware

Test using something like:

    ab -v 1 -n 1000 -c 10 -s 5 -m POST https://my.<doamain>/api/v1/developer/login

Part of #187
 2017-03-27 00:06:42 -07:00
Tobias Brunner
0c6c835a39 get disk_size_bytes by directly querying df /. fixes #278 
This simplifies the logic to get the available space the root
mountpoint has available and makes it more robust.
 2017-03-26 18:03:10 +02:00
Girish Ramakrishnan
b86cfabd17 Do not allocate more than 4GB swap 
Also resize existing swap file, if necessary. Note that if the user
allocates more than what we expect, we don't do anything.

Fixes #277
 2017-03-24 16:03:30 -07:00
Johannes Zellner
543c9843ba Use df instead of fdisk 
some disk types do not contain proper partition tables like on time4vps
the type is simfs. On those fdisk fails to access the partition table,
thus being unable to determine the size of the volume.
df does only return the real usable disk space by the user, thus we
lower the 20GB threshold to 18

Fixes #275
 2017-03-22 14:23:59 +01:00
Johannes Zellner
103cb10cad Ignore upstream headers for security headers we set in nginx 
Apps like nextcloud set their own security headers ending up with having
them set twice. I am not 100% sure if our headers should win or if we
should not inject headers with nginx if the upstream app sets them already.
This looks like the more permissive case where we simply enforce our
values, regardless what the apps sets.

This also fixes the nextcloud/owncloud security checks which were
failing because the header values were duplicated, which results in
string concatenation of values from same headers.
 2017-03-21 14:18:39 +01:00
Girish Ramakrishnan
6a523606ca Revert "Bump version to Nginx IPv6 support." 
This reverts commit 5555321cf5.
This reverts commit f087ebbee0.
This reverts commit d04f64d3d4.

Part of #264
 2017-03-19 14:25:30 -07:00
Jonah Aragon
f087ebbee0 Add listen [::]:80; for IPv6 redirects. 2017-03-17 19:13:18 +00:00
Jonah Aragon
d04f64d3d4 Add IPv6 listen directives 2017-03-17 19:12:25 +00:00
Girish Ramakrishnan
3fdc10c523 Parse free and fdisk output with C locale 
some vps providers seem to set a different locale by default.
Settings LC_ALL overrides all the other LC_*
 2017-03-13 10:36:05 -07:00
Girish Ramakrishnan
4b3ef33989 Add some basic secure headers 
Part of #249
 2017-03-08 22:14:44 -08:00
Johannes Zellner
101a44affd Add authorized_keys.sh 2017-03-07 15:16:18 +01:00
Girish Ramakrishnan
7f4f525551 dhparams.pem must be part of backup 2017-02-14 14:12:03 -08:00
Johannes Zellner
1d5465f21e Update the ssl ciphers and add dhparams.pem 
Fixes #218
 2017-02-13 00:28:22 +01:00
Girish Ramakrishnan
cd31e12bec Do not includeSubdomains in HSTS 
This prevents one from redirecting to some http-only subdomain.
For example, surfer in naked domain redirects to www subdomain
(which is on github pages...)
 2017-02-02 00:05:56 -08:00
Girish Ramakrishnan
56b0f57e11 Move unbound systemd config to separate file 2017-01-30 12:39:19 -08:00
Girish Ramakrishnan
08ffa99c78 Use %s instead of %d 
awk's %d behaves differently with mawk (scaleway) and gawk (do)

Fixes #200
 2017-01-30 10:24:26 -08:00
Girish Ramakrishnan
d93edc6375 box.service: start after nginx 2017-01-25 11:28:31 -08:00
Girish Ramakrishnan
f142d34f83 Move box data out of appdata volume 
This lets us restore the box if the app volume becomes full

Fixes #186
 2017-01-24 13:48:09 -08:00
Johannes Zellner
6eafac2cad Do not rely on fdisk's human readable unit output 
Using the bytes output will fix an issue where the disk size is reported
either as terrabyte or also megabyte.
So far we disallowed 1TB disks but allowed 20MB disks.
 2017-01-19 13:53:50 +01:00
Johannes Zellner
9b9d30c092 Remove commented out section of the nginx.conf 2017-01-11 00:09:51 +01:00
Johannes Zellner
fd479d04a0 Fix nginx config to make non vhost configs default_server 
Nginx does not match on the ip as a vhost. This no basically replaces
the commented out section in the nginx.conf
 2017-01-06 22:09:10 +01:00
Johannes Zellner
801c40420c Create setup nginx config and cert for ip setup 2017-01-05 16:02:03 +01:00
Girish Ramakrishnan
90c1fd4c31 rename the service to cloudron-resize-fs 2016-12-30 11:27:00 -08:00
Girish Ramakrishnan
fad6221750 Run cloudron-system-setup before box 2016-12-30 11:23:53 -08:00
Johannes Zellner
7d06f9e1e3 Add comment why the script might fail on unsupported small disks 2016-12-30 11:53:35 +01:00
Johannes Zellner
1e4e76b0dd give disk size a unit in cloudron-system-setup.sh 2016-12-30 11:49:57 +01:00
Girish Ramakrishnan
379042616f Ensure box.service starts after mysql.service 2016-12-29 14:24:29 -08:00
Girish Ramakrishnan
7de94fff1b Merge container logic into start.sh 
This whole container thinking is over-engineered and we will get to
it if and when we need to.
 2016-12-29 12:01:59 -08:00
Johannes
d39a84ea53 Do not redirect on app upstream error but show static error page 
Fixes #4
 2016-11-21 16:25:23 +01:00
Girish Ramakrishnan
94037e5266 remove oauth proxy backend logic 2016-11-19 17:13:08 +05:30
Girish Ramakrishnan
b932a9be10 Set X-Forwarded-Ssl to on 
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
http://stackoverflow.com/questions/16042647/whats-the-de-facto-standard-for-a-reverse-proxy-to-tell-the-backend-ssl-is-used
 2016-08-17 17:46:36 -07:00
Johannes Zellner
867e875707 Revert "Add basic 404 page" 
This reverts commit 3793220dd48356d5fe421312915a8392fcccca0e.
 2016-07-27 19:09:43 +02:00
Johannes Zellner
dcdca52dbd Add basic 404 page 2016-07-27 17:52:54 +02:00
Johannes Zellner
3331d1aa13 Ensure the X-Frame-Options header has a single string argument 2016-07-15 11:26:05 +02:00
Johannes Zellner
66049a9e2d Support x-frame-options in appconfig.ejs template 2016-07-14 16:28:59 +02:00
Johannes Zellner
ce116e56bf Remove webdav specific headers 
This is not actually doing anything in that directive
 2016-06-22 16:06:11 +02:00
Johannes Zellner
a37f87511b Prevent clickjacking by sending X-Frame-Options 2016-06-15 13:10:26 +02:00
Girish Ramakrishnan
dc31946e50 move webdav block outside location 
when inside location, nginx is redirecting to 127.0.0.1 (no clue why)
 2016-06-11 12:05:16 -07:00
Johannes Zellner
d06398dbfd Move webdav nginx fixes into app endpoint 
Not sure if this will now still work with oauth proxy though.
 2016-06-02 09:49:01 +02:00
Girish Ramakrishnan
dfa08469d6 set timeouts explicitly 2016-06-01 17:33:28 -07:00
Girish Ramakrishnan
d798073d95 fix comment of default_server 2016-06-01 17:28:15 -07:00
Girish Ramakrishnan
41632b8c11 fix favicon of naked domain 2016-06-01 17:27:39 -07:00
Girish Ramakrishnan
eb29bdd575 document keepalive_timeout 2016-06-01 16:51:52 -07:00
Johannes Zellner
47978436c2 Set Destination header for webdav in nginx proxy 2016-06-01 18:49:50 +02:00
Girish Ramakrishnan
27d2daae93 leave a note in nginx config 2016-05-19 12:27:54 -07:00