jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
7,625 Commits 33 Branches 583 Tags
9d45e4e0ae1d220d65a4df4b6cc127e44ae782a2
Commit Graph

472 Commits

Author SHA1 Message Date
Girish Ramakrishnan
1a3e3638ff iptables-restore is not used anymore 2017-04-04 13:00:48 -07:00
Girish Ramakrishnan
8f912d8a1b add note on how to view graphite browser 2017-04-04 12:35:29 -07:00
Johannes Zellner
da857f520b Only stop apps and addons on data migration 2017-04-04 14:30:45 +02:00
Johannes Zellner
7c7ef15e1c Do not collect data for btrfs file systems 2017-04-04 12:34:55 +02:00
Johannes Zellner
aa22ab8847 Cleanup the btrfs mounts and the user data file 2017-04-04 12:34:55 +02:00
Johannes Zellner
3e23c3efce Do not move the whole mail folder but only its content 2017-04-04 12:34:55 +02:00
Johannes Zellner
c4f96bbd6b Some directory creation fixes 2017-04-04 12:34:55 +02:00
Johannes Zellner
3a17bf9a0f Ensure apps and platform data dirs exist 2017-04-04 12:34:55 +02:00
Johannes Zellner
602f8bcd04 Split platform and app data folders and get rid of btrfs volumes 2017-04-04 12:34:55 +02:00
Girish Ramakrishnan
2c871705c7 Add a referrer policy 2017-03-31 16:11:54 -07:00
Girish Ramakrishnan
e9456f70f9 use connlimit module to rate limit 
hitcount cannot be more than 255 in recent module
 2017-03-29 21:51:24 -07:00
Girish Ramakrishnan
ffbda22145 Fine tune rate limits a bit more 2017-03-29 16:03:08 -07:00
Girish Ramakrishnan
956fe86250 Add firewall service 
Docker really insists on adding itself to the top of the FORWARD
chain. Making our firewall side-steps this docker design.
 2017-03-29 02:31:53 -07:00
Girish Ramakrishnan
4d000e377f Enable iptables based ratelimit for cloudron auth services 
The goal here is to simply add a rate limit to prevent brute
force password attacks.

Covered services includes:
    (public) http, https, ssh, smtp, msa, imap, sieve
    (private) postgres, redis, mysql, ldap, mongodb. msa

The private limits are higher because some apps will create
a db connection for each page request.  Some apps like mailtrain
will send out lots of emails etc.

Note that apps that use SSO are ratelimited by the ldap limit.

Part of #187
 2017-03-29 00:02:05 -07:00
Johannes Zellner
9d98b55881 Merge branch 'tobru/fix_278' into 'master' 
get disk_size_bytes by directly querying df /. fixes #278

Closes #278

See merge request !4
 2017-03-27 11:46:49 +00:00
Girish Ramakrishnan
18e59c4754 Rate limit nginx routes that verify the password 
Also remove rate-limit middleware

Test using something like:

    ab -v 1 -n 1000 -c 10 -s 5 -m POST https://my.<doamain>/api/v1/developer/login

Part of #187
 2017-03-27 00:06:42 -07:00
Tobias Brunner
0c6c835a39 get disk_size_bytes by directly querying df /. fixes #278 
This simplifies the logic to get the available space the root
mountpoint has available and makes it more robust.
 2017-03-26 18:03:10 +02:00
Girish Ramakrishnan
b86cfabd17 Do not allocate more than 4GB swap 
Also resize existing swap file, if necessary. Note that if the user
allocates more than what we expect, we don't do anything.

Fixes #277
 2017-03-24 16:03:30 -07:00
Johannes Zellner
543c9843ba Use df instead of fdisk 
some disk types do not contain proper partition tables like on time4vps
the type is simfs. On those fdisk fails to access the partition table,
thus being unable to determine the size of the volume.
df does only return the real usable disk space by the user, thus we
lower the 20GB threshold to 18

Fixes #275
 2017-03-22 14:23:59 +01:00
Johannes Zellner
103cb10cad Ignore upstream headers for security headers we set in nginx 
Apps like nextcloud set their own security headers ending up with having
them set twice. I am not 100% sure if our headers should win or if we
should not inject headers with nginx if the upstream app sets them already.
This looks like the more permissive case where we simply enforce our
values, regardless what the apps sets.

This also fixes the nextcloud/owncloud security checks which were
failing because the header values were duplicated, which results in
string concatenation of values from same headers.
 2017-03-21 14:18:39 +01:00
Girish Ramakrishnan
6a523606ca Revert "Bump version to Nginx IPv6 support." 
This reverts commit 5555321cf5.
This reverts commit f087ebbee0.
This reverts commit d04f64d3d4.

Part of #264
 2017-03-19 14:25:30 -07:00
Jonah Aragon
f087ebbee0 Add listen [::]:80; for IPv6 redirects. 2017-03-17 19:13:18 +00:00
Jonah Aragon
d04f64d3d4 Add IPv6 listen directives 2017-03-17 19:12:25 +00:00
Girish Ramakrishnan
ae0e4de93e No semicolons in bash code 2017-03-15 15:40:43 -07:00
Johannes Zellner
876ae822b2 Skip splash setup if cloudron domain was not yet setup 
This is based on the existence of admin.conf nginx file.
The splash would create/overwrite that file, but it will depend on the
host.cert to be already created, which is only the case after domain
setup.
 2017-03-14 10:58:24 +01:00
Girish Ramakrishnan
7e8757a78c grep quietly 2017-03-13 13:52:16 -07:00
Girish Ramakrishnan
3fdc10c523 Parse free and fdisk output with C locale 
some vps providers seem to set a different locale by default.
Settings LC_ALL overrides all the other LC_*
 2017-03-13 10:36:05 -07:00
Girish Ramakrishnan
81313d1c40 reduce nxdomain caching timeout 
the other option is to use "/usr/sbin/unbound-control flush_negative"
on demand
 2017-03-09 15:03:14 -08:00
Girish Ramakrishnan
1c36918e92 Done -> Almost done 2017-03-09 10:21:52 -08:00
Girish Ramakrishnan
4b3ef33989 Add some basic secure headers 
Part of #249
 2017-03-08 22:14:44 -08:00
Johannes Zellner
101a44affd Add authorized_keys.sh 2017-03-07 15:16:18 +01:00
Girish Ramakrishnan
9d52397bcc Move dhparam creation 
Now that all cloudrons have the dhparams file, we can generate this
*after* restoring from backup and if required.
 2017-03-01 15:25:20 -08:00
Girish Ramakrishnan
3a5000ab1d Detect loop support on linode correctly 
We don't need any of the loop logic since it seems scaleway
also supports automatically this now
 2017-02-15 15:40:19 -08:00
Girish Ramakrishnan
7f4f525551 dhparams.pem must be part of backup 2017-02-14 14:12:03 -08:00
Johannes Zellner
1d5465f21e Update the ssl ciphers and add dhparams.pem 
Fixes #218
 2017-02-13 00:28:22 +01:00
Girish Ramakrishnan
9e2850ffad setup: do not restart mysql unnecessarily 2017-02-08 07:53:55 -08:00
Girish Ramakrishnan
19c665d747 docker daemon is deprecated 2017-02-06 11:33:10 -08:00
Girish Ramakrishnan
cd31e12bec Do not includeSubdomains in HSTS 
This prevents one from redirecting to some http-only subdomain.
For example, surfer in naked domain redirects to www subdomain
(which is on github pages...)
 2017-02-02 00:05:56 -08:00
Girish Ramakrishnan
0cee6de476 Check if cloudron.conf file exists 2017-01-31 01:53:06 -08:00
Girish Ramakrishnan
7b547e7ae9 Revert scaleway specific overlay2 support 
This reverts commit 16d65d3665.

Rainloop app breaks with overlay2
 2017-01-30 15:43:42 -08:00
Girish Ramakrishnan
16d65d3665 Use overlay2 for scaleway 
https://github.com/scaleway/image-ubuntu/issues/68
 2017-01-30 14:01:29 -08:00
Girish Ramakrishnan
ccb340cf80 Use systemd drop in to configure docker 
The built-in service files get overwritten by updates

Fixes #203
 2017-01-30 12:41:07 -08:00
Girish Ramakrishnan
56b0f57e11 Move unbound systemd config to separate file 2017-01-30 12:39:19 -08:00
Girish Ramakrishnan
08ffa99c78 Use %s instead of %d 
awk's %d behaves differently with mawk (scaleway) and gawk (do)

Fixes #200
 2017-01-30 10:24:26 -08:00
Girish Ramakrishnan
ddf5c51737 Make it 90 instead 2017-01-26 15:45:07 -08:00
Girish Ramakrishnan
88fc7ca915 move the files and not the directory 
... because box is a btrfs subvolume
 2017-01-26 14:16:27 -08:00
Girish Ramakrishnan
ebd3a15140 always restart nginx 2017-01-25 12:04:52 -08:00
Girish Ramakrishnan
d93edc6375 box.service: start after nginx 2017-01-25 11:28:31 -08:00
Girish Ramakrishnan
f142d34f83 Move box data out of appdata volume 
This lets us restore the box if the app volume becomes full

Fixes #186
 2017-01-24 13:48:09 -08:00
Girish Ramakrishnan
357ca55dec remove unused var 2017-01-24 10:41:58 -08:00