Johannes Zellner
57bf3709f3
proxyauth: also preserve request uri for proxyauth addon apps
2024-06-11 19:15:58 +02:00
Johannes Zellner
9d258d33cf
Use 127.0.0.53 as a resolver for nginx
2024-06-11 18:59:19 +02:00
Johannes Zellner
62e322c451
proxyauth: stash path and query for further use in the session
2024-06-11 18:59:19 +02:00
Girish Ramakrishnan
c2326bc5cc
oidc: add rate limit for login requests
2024-04-21 20:58:12 +02:00
Johannes Zellner
255fb0cac0
proxyauth: show intermediate login button page
2024-04-16 13:43:12 +02:00
Johannes Zellner
c3be0018fe
proxyauth: send user to oidc login instead of /login
2024-04-16 11:29:00 +02:00
Johannes Zellner
21d7438bbe
proxyauth: use OpenID instead of basic auth
2024-04-15 15:59:16 +02:00
Johannes Zellner
86986d8f34
Allow img-src blob:
2024-04-05 19:59:38 +02:00
Johannes Zellner
0fd4a831c8
Do not set frame-action and default-src CSP for openid routes
...
If set, Chrome wants a rule with * and Safari on iOS wants an explicit
scheme, so not setting any works with both.
2023-09-26 23:37:55 +02:00
Girish Ramakrishnan
26cf5b8b80
app proxy: set the Host header
...
The Host header will help the destination request identify which
service the request is meant for. This can potentially be an internal
endpoint identifier.
X-Forwarded-Host is meant to have the external facing server endpoint.
This means that: if the user wants to expose internal.service.com which
resolves to some internal IP as external.service.com, then:
* Host header has to be internal.service.com
* X-Forwarded-Host is external.service.com
* proxy_pass to internal.service.com
2023-09-21 21:54:02 +05:30
Girish Ramakrishnan
348eb16cef
api: fix background image route
2023-09-13 20:08:52 +05:30
Girish Ramakrishnan
6c4aa605df
move various login routes under auth/
2023-08-10 16:24:10 +05:30
Girish Ramakrishnan
740e69c8dd
change redirections to 301
2023-07-31 06:04:49 +05:30
Johannes Zellner
299e40c389
Allow cors for translation
2023-06-20 10:40:27 +02:00
Johannes Zellner
38860cd70c
Redirect to / on dashboard 404
2023-06-19 15:02:28 +02:00
Girish Ramakrishnan
2e38e1a79c
nginx: refactor the config
2023-04-24 21:13:01 +02:00
Johannes Zellner
f24e8b7132
Allow csp for form action on openId connect views
...
Only because of chrome and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
2023-04-19 18:45:44 +02:00
Girish Ramakrishnan
cc811522e0
reverseproxy: prevent duplication of STS header
2023-04-02 20:03:57 +02:00
Johannes Zellner
e9fc355ac5
Move openid provider into its own express server
2023-03-21 14:39:58 +01:00
Girish Ramakrishnan
8448d28f6f
Implement HSTS preload
...
This allows browsers to query https directly instead of the initial http redirect
https://hstspreload.org/#opt-in says it should be explicitly opt in
2023-03-06 11:46:05 +01:00
Johannes Zellner
0a34ace16a
Allow proxy auth login pages to load the font from the dashboard
2023-01-09 22:53:35 +01:00
Johannes Zellner
183d4c026f
Support proxyAuth for proxy app
2023-01-09 21:51:32 +01:00
Girish Ramakrishnan
30fb1aa351
proxy: do not set Host header when proxying
...
The default when proxying is $proxy_host.
Proxied apps must use the X-Forwarded-Host header to determine the intended
target. I think we overwrote the Host header back in the day because apps
had varied support for this. Ideally, it can be removed across all our configurations.
2022-11-23 16:50:38 +01:00
Girish Ramakrishnan
351292ce1a
graph: return sum cpu value
2022-10-13 23:03:31 +02:00
Girish Ramakrishnan
3caffdb4e1
Rework app stats
...
Previously, the du plugin was collecting data every 20 seconds but
carbon was configured to only keep data every 12 hours causing much
confusion.
In the process of reworking this, it was determined:
* No need to collect disk usage info over time. Not sure how that is useful
* Instead, collect CPU/Network/Block info over time. We get this now from docker stats
* We also collect info about the services (addon containers)
* No need to reconfigure collectd for each app change anymore since there is no per
app collectd configuration anymore.
2022-10-10 21:13:26 +02:00
Girish Ramakrishnan
54af286fcd
app proxy: workaround for nginx not starting if upstream is down
...
https://sandro-keil.de/blog/let-nginx-start-if-upstream-host-is-unavailable-or-down/
without a resolver, dns names do not resolve
2022-09-30 10:36:44 +02:00
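Added here as an example (not Cloudron's own nginx configuration): a single proxied-app server block that puts the four points from the commits above together, i.e. "Use 127.0.0.53 as a resolver for nginx", "app proxy: set the Host header", "proxy: do not set Host header when proxying" and "app proxy: workaround for nginx not starting if upstream is down". The hostnames internal.service.com / external.service.com are the ones used in the commit message; the certificate paths and the port are placeholders.

```nginx
# Added example, not the project's config. Placeholders: certificate paths,
# upstream port. Hostnames follow the "set the Host header" commit message.
server {
    listen 443 ssl;
    server_name external.service.com;

    ssl_certificate     /etc/ssl/external.service.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/external.service.com/privkey.pem;   # placeholder

    # A hostname written literally in proxy_pass is resolved once at startup,
    # and nginx refuses to start if that lookup fails. A hostname held in a
    # variable is resolved at request time instead, but only if a resolver is
    # configured; without one, names in variables never resolve at all.
    # 127.0.0.53 is the systemd-resolved stub listener on the host.
    resolver 127.0.0.53 valid=30s;

    location / {
        # Variable upstream: nginx starts even while internal.service.com is
        # down; the lookup happens (and may fail with a 502) per request.
        set $upstream "http://internal.service.com";
        proxy_pass $upstream;

        # Host tells the backend which internal service/vhost is meant. If this
        # line is omitted, nginx sends $proxy_host, i.e. the proxy_pass
        # hostname, which here is the same value. Setting it to the external
        # name instead would break backends that route on Host.
        proxy_set_header Host internal.service.com;

        # X-Forwarded-Host carries the external name the user typed, so the
        # backend can build absolute URLs and redirects for the public name.
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Check: with the upstream stopped, `nginx -t` and a reload still succeed, and a request returns a 502 from nginx rather than nginx failing to start; with the upstream up, the backend sees `Host: internal.service.com` and `X-Forwarded-Host: external.service.com`.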
Johannes Zellner
a955457ee7
Support proxy app
2022-06-09 10:48:54 +02:00
Girish Ramakrishnan
b5c2a0ff44
exec: rework API to get exit code
2022-05-16 11:23:58 -07:00
Johannes Zellner
6bd478b8b0
Add profile backgroundImage api
2022-05-15 12:08:11 +02:00
Girish Ramakrishnan
1b34a3e599
proxyAuth: add header spoofing note
2022-04-26 14:59:38 -07:00
Girish Ramakrishnan
c63709312d
proxyAuth: set X-Remote-User, X-Remote-Email headers
...
Apps like firefly-iii support https://datatracker.ietf.org/doc/html/rfc3875#section-4.1.10
2022-04-25 22:24:41 -07:00
Girish Ramakrishnan
11cf24075b
Keep proxyAuth.enabled configs together
2022-04-25 22:09:34 -07:00
Girish Ramakrishnan
9bb5096f1c
nginx: enable underscores in headers
...
chatwoot requires this
https://www.chatwoot.com/docs/self-hosted/deployment/caprover#api-requests-failing-with-you-need-to-sign-in-or-sign-up-before-continuing
They are apparently disabled by default since they conflict with some CGI headers:
https://stackoverflow.com/questions/22856136/why-do-http-servers-forbid-underscores-in-http-header-names
https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/?highlight=disappearing%20http%20headers#missing-disappearing-http-headers
2022-03-13 23:04:34 -07:00
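Added here as an example (not Cloudron's own configuration) of the proxyAuth header handling from the commits "proxyAuth: set X-Remote-User, X-Remote-Email headers", "proxyAuth: add header spoofing note" and "nginx: enable underscores in headers". It uses nginx's auth_request module; the `/proxyauth-check` location and the `127.0.0.1:3000/api/v1/proxyauth` endpoint behind it are hypothetical names, assumed to answer 2xx with `X-Remote-User` and `X-Remote-Email` response headers for a valid session and 401 otherwise. The app listening on 127.0.0.1:8080 is likewise a placeholder.

```nginx
# Added example, not the project's config. Hypothetical: /proxyauth-check,
# the 127.0.0.1:3000 auth endpoint, and the app on 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/ssl/app.example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/app.example.com/privkey.pem;   # placeholder

    # Needed by some apps (the commit cites chatwoot). Side effect: headers
    # such as X_Remote_User sent by a client are no longer dropped as invalid
    # and would be forwarded to the app; see the explicit clearing below.
    underscores_in_headers on;

    location / {
        # Every request is checked against the auth endpoint first.
        auth_request /proxyauth-check;
        auth_request_set $proxyauth_user  $upstream_http_x_remote_user;
        auth_request_set $proxyauth_email $upstream_http_x_remote_email;

        # Header spoofing: apps that honour REMOTE_USER (RFC 3875 4.1.10)
        # trust these headers blindly, so the proxy must always overwrite them.
        # proxy_set_header replaces whatever the client sent; never pass the
        # client's own X-Remote-User through.
        proxy_set_header X-Remote-User  $proxyauth_user;
        proxy_set_header X-Remote-Email $proxyauth_email;

        # CGI-style backends turn '-' into '_' when building HTTP_* variables
        # (RFC 3875 4.1.18), so X_Remote_User and X-Remote-User both become
        # HTTP_X_REMOTE_USER. With underscores_in_headers on, drop the
        # underscore spelling explicitly (an empty value removes the header).
        proxy_set_header X_Remote_User  "";
        proxy_set_header X_Remote_Email "";

        # If proxyAuth is disabled for an app, keep the four lines above but
        # with "" as the value, so a client still cannot inject them.

        proxy_set_header Host             $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_pass http://127.0.0.1:8080;
    }

    location = /proxyauth-check {
        internal;   # not reachable from clients, only via auth_request
        proxy_pass http://127.0.0.1:3000/api/v1/proxyauth;   # hypothetical
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

Check from outside: `curl -H 'X-Remote-User: admin' -H 'X_Remote_User: admin' https://app.example.com/` without a session must get the auth endpoint's 401 (auth_request turns it into 401 for the client), and with a session the app must see only the values the auth endpoint returned, never `admin`.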
Girish Ramakrishnan
eb0662b245
Up the json size to 2mb for block list route
...
https://forum.cloudron.io/topic/6575/cloudron-7-1-2-firewall-not-ipv6-ready
2022-03-01 11:57:50 -08:00
Girish Ramakrishnan
f18d108467
nginx: add listen note
2022-02-09 23:15:37 -08:00
Girish Ramakrishnan
2ab2255115
fix dhparam generation
...
it cannot be created at default config creation time since that is
already run at pre-VM snapshot time
2021-11-17 11:48:06 -08:00
Girish Ramakrishnan
1c8e699a71
generate dhparams per server
...
this way we don't need to save/restore it from the database.
2021-11-16 23:03:16 -08:00
Girish Ramakrishnan
01a1803625
provision: delay initialization of secrets until provision time
...
when we create the DO 1-click image, the key also gets snapshotted.
https://community.letsencrypt.org/t/receiving-expiration-emails-for-dozens-of-domains/165441
2021-11-15 23:33:54 -08:00
Johannes Zellner
3826ae64c6
Ensure the main login route is rate-limited
2021-11-12 11:14:21 +01:00
Girish Ramakrishnan
68db4524f1
remove unused httpPaths from manifest
2021-11-09 21:50:33 -08:00
Girish Ramakrishnan
85e3e4b955
Accommodate redhat client
...
Patch from @jk at https://forum.cloudron.io/topic/4383/cannot-install-apps-from-docker-registry-because-authentication-fails
2021-08-13 09:36:06 -07:00
Girish Ramakrishnan
9418e93428
reverseproxy: adminOrigin is not used in the ejs
2021-05-05 13:13:04 -07:00
Girish Ramakrishnan
c17743d869
migrate secrets into the database
...
the infra version is bumped because the nginx's dhparams path has changed
and the sftp server key path has changed.
2021-05-03 22:11:18 -07:00
Johannes Zellner
70f2337b09
Allow apps to override the Referrer-Policy header
2021-04-26 11:48:18 +02:00
Girish Ramakrishnan
4d919127a7
implement OCSP stapling
...
can verify stapling using openssl s_client -connect hostname:443 -status
status_request is RFC6066. There is also status_request_v2 (RFC6961) but this is
not implemented even in openssl libs yet
2021-04-16 12:13:54 -07:00
Girish Ramakrishnan
c6920bd860
HSTS: bump the max-age to 2 years
...
Side note: https://hstspreload.org/ . This is what the chromium project expects
for preloading.
2021-03-22 19:04:28 -07:00
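Added here as an example (not Cloudron's own configuration) tying together the TLS-related commits on this page: "implement OCSP stapling", "HSTS: bump the max-age to 2 years", "Implement HSTS preload" and "reverseproxy: prevent duplication of STS header". Certificate paths, hostname and upstream port are placeholders; the resolver address is the one the "Use 127.0.0.53 as a resolver for nginx" commit names.

```nginx
# Added example, not the project's config. Placeholders: hostname,
# certificate/chain paths, upstream port.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;   # placeholder

    # OCSP stapling = TLS status_request (RFC 6066). nginx fetches the OCSP
    # response from the CA's responder and sends it inside the handshake, so
    # clients need no OCSP round trip of their own. ssl_stapling_verify makes
    # nginx validate the response before stapling it, which needs the chain in
    # ssl_trusted_certificate; the resolver is needed to reach the responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;   # placeholder
    resolver 127.0.0.53 valid=300s;

    # HSTS: max-age of 2 years = 63072000 seconds, comfortably above the
    # minimum hstspreload.org requires. includeSubDomains and preload are what
    # the Chromium preload list expects. "always" also sends the header on
    # 4xx/5xx responses. Preload is opt-in: submit the domain only once every
    # subdomain serves HTTPS, since browsers will refuse plain http afterwards
    # and removal from the list takes months.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        # Duplicate STS prevention: if the app behind the proxy emits its own
        # Strict-Transport-Security, nginx would forward it and add the one
        # above, and the client would see two STS headers. Hide the upstream
        # copy so only the proxy's policy reaches the browser.
        proxy_hide_header Strict-Transport-Security;

        proxy_set_header Host             $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_pass http://127.0.0.1:8080;   # placeholder
    }
}
```

Checks: `openssl s_client -connect example.com:443 -status </dev/null` should print an "OCSP Response Status: successful" block rather than "OCSP response: no response sent" (the first connection after a reload may still lack it while nginx fetches the response); `curl -sI https://example.com/ | grep -i strict-transport` should show exactly one header. Note that `add_header` directives in a `location` replace, rather than extend, those inherited from the `server` block, so any location that adds its own headers must repeat the HSTS line.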
Girish Ramakrishnan
dd58c174a8
change default referrer policy to same-origin
...
https://forum.cloudron.io/topic/4546/referrer-policy-header-is-overwritten
2021-03-01 09:34:23 -08:00
Girish Ramakrishnan
2f58092af2
Fix .well-known not served up properly for redirection
2021-02-18 09:30:39 -08:00
Girish Ramakrishnan
c8c4f99849
Reduce gzip_min_length to keep tools like semrush happy
2021-02-15 11:46:36 -08:00
Girish Ramakrishnan
1d0ad3cb47
proxyAuth: Fix docker UA detection
2021-02-09 13:45:00 -08:00