jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
4,829 Commits 33 Branches 583 Tags
d5d4e237bd26a5d25e706b7f611a46460e3442de
Commit Graph

4829 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Girish Ramakrishnan
d5d4e237bd doc: add security section 2017-03-29 10:23:08 -07:00
Girish Ramakrishnan
956fe86250 Add firewall service 
Docker really insists on adding itself to the top of the FORWARD
chain. Making our firewall side-steps this docker design.
 2017-03-29 02:31:53 -07:00
Girish Ramakrishnan
4d000e377f Enable iptables based ratelimit for cloudron auth services 
The goal here is to simply add a rate limit to prevent brute
force password attacks.

Covered services includes:
    (public) http, https, ssh, smtp, msa, imap, sieve
    (private) postgres, redis, mysql, ldap, mongodb. msa

The private limits are higher because some apps will create
a db connection for each page request.  Some apps like mailtrain
will send out lots of emails etc.

Note that apps that use SSO are ratelimited by the ldap limit.

Part of #187
 2017-03-29 00:02:05 -07:00
Johannes Zellner
39e827be04 Add rosehosting to the help output if no provider is specified 2017-03-28 10:38:00 +02:00
Girish Ramakrishnan
e50b4cb7ec doc: fixup the best practices docs 
Fixes #232
 2017-03-27 15:29:07 -07:00
Johannes Zellner
1938ec635b Remove bestpractices.md as this was already incorporated into the main packaging guide 2017-03-27 16:05:03 +02:00
Johannes Zellner
03a3d367a4 Incorporate best practices into app package guide 
Part of #232
 2017-03-27 16:03:19 +02:00
Johannes Zellner
38c2f75b5e Also patch the cloudron-setup to match the resize script 
Part of #278
 2017-03-27 13:51:37 +02:00
Johannes Zellner
9d98b55881 Merge branch 'tobru/fix_278' into 'master' 
get disk_size_bytes by directly querying df /. fixes #278

Closes #278

See merge request !4
 2017-03-27 11:46:49 +00:00
Girish Ramakrishnan
18e59c4754 Rate limit nginx routes that verify the password 
Also remove rate-limit middleware

Test using something like:

    ab -v 1 -n 1000 -c 10 -s 5 -m POST https://my.<doamain>/api/v1/developer/login

Part of #187
 2017-03-27 00:06:42 -07:00
Girish Ramakrishnan
64cb951206 Fix failing dns test 2017-03-26 22:07:28 -07:00
Girish Ramakrishnan
77df520b07 addons is optional in manifest 2017-03-26 21:55:31 -07:00
Girish Ramakrishnan
32f94a03ce Fix failing test 2017-03-26 21:53:45 -07:00
Girish Ramakrishnan
fc6ce4945f add sendmail/recvmail ldap tests 2017-03-26 20:42:46 -07:00
Girish Ramakrishnan
17b7d89db9 Generate password for mailboxes 
Fixes #109
 2017-03-26 20:07:59 -07:00
Girish Ramakrishnan
6ea741e92f Verify password for sendmail/recvmail addon 
Part of #109
 2017-03-26 20:07:55 -07:00
Girish Ramakrishnan
790ad4e74d Add getAddonConfigByName 2017-03-26 19:06:36 -07:00
Girish Ramakrishnan
f92297cc99 Store env vars as name, value pairs 
Part of #109
 2017-03-26 12:22:19 -07:00
Tobias Brunner
0c6c835a39 get disk_size_bytes by directly querying df /. fixes #278 
This simplifies the logic to get the available space the root
mountpoint has available and makes it more robust.
 2017-03-26 18:03:10 +02:00
Girish Ramakrishnan
514341172c Add name to appAddonConfigs 
Part of #109
 2017-03-25 18:06:56 -07:00
Girish Ramakrishnan
e535ffa778 Disable bind9 as it conflicts with unbound 
part of #194
 2017-03-25 17:36:10 -07:00
Girish Ramakrishnan
b86cfabd17 Do not allocate more than 4GB swap 
Also resize existing swap file, if necessary. Note that if the user
allocates more than what we expect, we don't do anything.

Fixes #277
 2017-03-24 16:03:30 -07:00
Girish Ramakrishnan
b44f0b78a1 remove spurious console.log 2017-03-24 14:55:22 -07:00
Johannes Zellner
76d234d0bf Also allow data: uri to be loaded for images 2017-03-24 17:23:20 +01:00
Johannes Zellner
a694acba44 Redirect to /setupdns.html if cloudron is activated but no domain is set 
This happens in the restore case where no domain is provided to
cloudron-setup

Fixes #273
 2017-03-23 15:40:18 +01:00
Johannes Zellner
046120befc Move email toggle button above checks to make it more likely people read the text 2017-03-23 11:41:26 +01:00
Girish Ramakrishnan
b65fee4b73 Pass ENABLE_MDA flag to mail addon v0.107.0 2017-03-22 20:42:28 -07:00
Girish Ramakrishnan
153dcc1826 Fix bug in example text 2017-03-22 18:23:24 -07:00
Girish Ramakrishnan
fa4725176c Group help text together 2017-03-22 16:44:18 -07:00
Girish Ramakrishnan
e42607fec6 Always show the password input 2017-03-22 16:13:18 -07:00
Girish Ramakrishnan
297c1ff266 Show error message only if the domain changed 2017-03-22 16:06:47 -07:00
Girish Ramakrishnan
5afe75f137 Bump mail container (for mx bypass fix) 2017-03-22 14:39:30 -07:00
Girish Ramakrishnan
4cfc85f6d3 Do not validate password length 2017-03-22 13:50:20 -07:00
Girish Ramakrishnan
b03f901bbf More 0.107.0 changes 2017-03-22 12:01:04 -07:00
Johannes Zellner
b9dfac94ed Revert "Add ldapjs-rate-limit module" 
This reverts commit 3d60a04b36.
 2017-03-22 19:35:06 +01:00
Johannes Zellner
c905adde1e Revert "Limit ldap queries per client to 60 per minute" 
This reverts commit 466dfdf81f.
 2017-03-22 19:35:06 +01:00
Girish Ramakrishnan
0e7efa77a5 Bump the mail container 2017-03-22 09:55:04 -07:00
Johannes Zellner
875ca0307f Fix the node tutorial to export the node PATH and use latest node release 2017-03-22 16:20:48 +01:00
Johannes Zellner
543c9843ba Use df instead of fdisk 
some disk types do not contain proper partition tables like on time4vps
the type is simfs. On those fdisk fails to access the partition table,
thus being unable to determine the size of the volume.
df does only return the real usable disk space by the user, thus we
lower the 20GB threshold to 18

Fixes #275
 2017-03-22 14:23:59 +01:00
Johannes Zellner
83254a16f9 Do not restrict CSP img-src as 3rd party apps might use other origins for medialinks 2017-03-21 20:20:16 +01:00
Johannes Zellner
466dfdf81f Limit ldap queries per client to 60 per minute 
Part of #187
 2017-03-21 16:43:22 +01:00
Johannes Zellner
3d60a04b36 Add ldapjs-rate-limit module 2017-03-21 16:43:02 +01:00
Johannes Zellner
103cb10cad Ignore upstream headers for security headers we set in nginx 
Apps like nextcloud set their own security headers ending up with having
them set twice. I am not 100% sure if our headers should win or if we
should not inject headers with nginx if the upstream app sets them already.
This looks like the more permissive case where we simply enforce our
values, regardless what the apps sets.

This also fixes the nextcloud/owncloud security checks which were
failing because the header values were duplicated, which results in
string concatenation of values from same headers.
 2017-03-21 14:18:39 +01:00
Johannes Zellner
29ef079a83 Do not let the invite link overflow the dialog 2017-03-21 13:36:36 +01:00
Johannes Zellner
a55645770e Add missing csp img-src policy for app icons 2017-03-21 13:25:29 +01:00
Johannes Zellner
132ddd2671 Add 0.107.0 changes 2017-03-21 11:15:51 +01:00
Johannes Zellner
fa5891b149 Also put csp meta tag in oauth views 2017-03-21 11:12:04 +01:00
Johannes Zellner
d01929debc Be more permissive with csp header values 2017-03-21 11:12:04 +01:00
Johannes Zellner
7c01ee58b5 Template the cloudron origin for csp to support local development 2017-03-21 11:12:04 +01:00
Johannes Zellner
ec89f8719c Add CSP meta tag for webadmin 2017-03-21 11:12:04 +01:00