Girish Ramakrishnan
3ccad9ada9
cloudron-setup: remove --generate-setup-token
...
this code path is hardly ever tested and seems unnecessary
2025-06-06 10:22:06 +02:00
Girish Ramakrishnan
83d7535d84
turn: add outbound ratelimit
...
coturn will send 401 when receiving UDP packets with forged source IP.
this can cause a flood of 401s at the victim. the primary concern appears
to be that these packets are quite large compared to handshake packets
below.
TCP is also affected but the effects are minimal because they will get
discarded at the connection handshake level.
UDP/TLS (DTLS) has a similar handshake mechanism to TCP and the effects are
minimal.
https://forum.cloudron.io/topic/13855/reflection-attack-via-stun-turn
https://github.com/coturn/coturn/pull/1588
2025-06-04 14:15:45 +02:00
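An added example to go with the commit above; it is not Cloudron's or coturn's code and does not reproduce the coturn change in the linked pull request. It builds the two UDP messages involved in the reflection with plain STUN/TURN framing (RFC 5389 header, RFC 5766 Allocate), so the size ratio between an unauthenticated Allocate request and the 401 error response can be measured offline, and then emits a host-side iptables cap on what may leave the TURN port per destination IP as a defence-in-depth layer. The transaction id, realm, nonce, port, rate and the chain placement in OUTPUT are constructed values; a real server may add further attributes (SOFTWARE, FINGERPRINT), so the ratio measured here is a lower bound.

```shell
#!/bin/sh
# Added example, not Cloudron's or coturn's code. Builds the two UDP messages
# involved in the reflection the commit describes (STUN/TURN framing per
# RFC 5389/5766) so the size ratio can be checked, then emits a host-side
# iptables cap on what leaves the TURN port per destination IP. Transaction id,
# realm, nonce, port and rate are constructed values.

MAGIC_COOKIE=2112a442
TXID=000102030405060708090a0b    # 12-byte transaction id, constructed

# ASCII -> lowercase hex
hex() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }

# Attribute TLV: type(2) length(2) value, value zero-padded to a 4-byte boundary;
# the length field counts the unpadded value.
stun_attr() {
    _atype=$1 _val=$2
    _len=$(( ${#_val} / 2 ))
    while [ $(( ${#_val} % 8 )) -ne 0 ]; do _val="${_val}00"; done
    printf '%04x%04x%s' "$_atype" "$_len" "$_val"
}

# Message: type(2) length-of-attributes(2) magic cookie(4) txid(12) attributes
stun_msg() {
    _mtype=$1 _attrs=$2
    printf '%04x%04x%s%s%s' "$_mtype" $(( ${#_attrs} / 2 )) "$MAGIC_COOKIE" "$TXID" "$_attrs"
}

# Allocate request (0x0003) with REQUESTED-TRANSPORT (0x0019) = UDP (17): the
# 28-byte packet an attacker sends with the victim's address as source.
stun_allocate_request() { stun_msg 3 "$(stun_attr 25 11000000)"; }

# Allocate error response (0x0113) with ERROR-CODE 401 (0x0009), REALM (0x0014)
# and NONCE (0x0015): what the server sends, unauthenticated, to that source.
stun_401_response() {
    _realm=$1 _nonce=$2
    _err="00000401$(hex Unauthorized)"   # reserved(2) class 4 number 01 reason
    stun_msg 275 "$(stun_attr 9 "$_err")$(stun_attr 20 "$(hex "$_realm")")$(stun_attr 21 "$(hex "$_nonce")")"
}

# Bytes reflected per byte received, times 100 (integer arithmetic).
amplification_x100() {
    _req=$(stun_allocate_request)
    _resp=$(stun_401_response "$1" "$2")
    echo $(( ${#_resp} * 100 / ${#_req} ))
}

# Host-side cap, an assumption here rather than the coturn option the commit
# adds: once more than RATE packets/s leave the TURN port for one destination,
# drop the excess, so a spoofed victim gets at most RATE (+BURST) per second.
IPT=${IPT:-iptables}
run() { if [ -n "$DRY_RUN" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

turn_egress_ratelimit() {
    _port=$1 _rate=$2 _burst=$3
    run -A OUTPUT -p udp --sport "$_port" -m hashlimit --hashlimit-name turn_reflect \
        --hashlimit-mode dstip --hashlimit-above "$_rate" --hashlimit-burst "$_burst" -j DROP
}

# Usage: amplification_x100 turn.example.com 0123456789abcdef0123456789abcdef  -> 342
#        DRY_RUN=1 turn_egress_ratelimit 3478 20/sec 40
```

The ratio is what makes the spoofed-source case interesting: with a 28-byte request and a 96-byte reply the server does the attacker's work 3.4 times over, and unlike TCP or DTLS nothing in the exchange proves the source address before the reply goes out. The hashlimit rule is keyed on the destination, not the source, because the source is the forged part; it limits how much any one victim can receive from this host regardless of how many spoofed requests arrive.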
Girish Ramakrishnan
811cc9c028
turn: reduce the exposed ports to 100
2025-06-04 13:23:47 +02:00
Girish Ramakrishnan
4615418000
graphs: replace collectd with our custom collector
...
collectd (with the python plugin) seems semi-abandoned. replace
with our own. we have more control over how to collect things instead
of relying on random plugins.
2025-05-20 12:19:40 +02:00
Girish Ramakrishnan
7f87af5a08
firewall: open up NDP port
...
Port 546 is reserved for the client-side of the Neighbor Discovery Protocol (NDP).
This is used for communication between IPv6 nodes (such as a device and its router)
to discover and configure network information (such as IP address).
Router Advertisement (RA) messages sent by routers use port 547 (router-side), and
devices use port 546 to receive these messages.
See https://forum.cloudron.io/topic/13566/infomaniak-ipv6-issues/61
2025-04-29 22:06:34 +02:00
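An added example, not the Cloudron firewall script, of the IPv6 rules a host needs for autoconfiguration to work through a default-deny filter. Two facts worth keeping beside the commit above: Router Advertisements and the rest of Neighbor Discovery are ICMPv6 messages (RFC 4861, types 133 to 136) rather than UDP, and UDP ports 546/547 are the client/server ports of DHCPv6 (RFC 8415), which a provider's stateful setup such as the one in the linked thread may also require. So a firewall that should survive such a provider passes both. The chain name is assumed; `DRY_RUN=1` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not Cloudron's firewall script. IPv6 autoconfiguration needs
# two things through a default-deny filter: Neighbor Discovery, which is ICMPv6
# (RS 133, RA 134, NS 135, NA 136, RFC 4861), and, where the provider uses
# DHCPv6, replies from server port 547 to client port 546 (RFC 8415).
# Chain name is assumed. DRY_RUN=1 prints instead of applying.

IP6T=${IP6T:-ip6tables}
CHAIN=${CHAIN:-CLOUDRON_INPUT6}

run6() { if [ -n "$DRY_RUN" ]; then echo "$IP6T $*"; else "$IP6T" "$@"; fi; }

ipv6_autoconf_rules() {
    # Neighbor Discovery. Legitimate NDP is always sent with hop limit 255
    # (RFC 4861), so requiring it rejects NDP that was routed from off-link.
    for _t in 133 134 135 136; do
        run6 -A "$CHAIN" -p ipv6-icmp --icmpv6-type "$_t" -m hl --hl-eq 255 -j ACCEPT
    done
    # Packet Too Big (2) and Parameter Problem (4) are needed for path MTU
    # discovery; echo request/reply (128/129) for reachability checks.
    for _t in 2 4 128 129; do
        run6 -A "$CHAIN" -p ipv6-icmp --icmpv6-type "$_t" -j ACCEPT
    done
    # DHCPv6 replies: server port 547 -> client port 546, link-local source only.
    run6 -A "$CHAIN" -p udp -s fe80::/10 --sport 547 --dport 546 -j ACCEPT
}

# Runtime check on a live host: if only udp/546 is open, RAs are still dropped
# because they never travel over UDP. Returns 0 when an RA accept rule exists.
has_ra_rule() {
    "$IP6T" -S 2>/dev/null | grep -Eq 'icmpv6-type (134|router-advertisement)'
}
```

On a host that lost its default route some minutes after boot, `has_ra_rule` is the first thing to check: the kernel's RA-learned route expires at the advertised lifetime, and if the RA cannot come in the route is not renewed, which is the symptom a 546-only opening does not cure.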
Girish Ramakrishnan
a138425298
storage: start migration of s3 api
2025-02-12 23:04:37 +01:00
Johannes Zellner
42ce3cb405
Limit motd lines to 90
2025-01-27 22:02:29 +01:00
Girish Ramakrishnan
e34e479c33
services: separate volume clear and rm
2025-01-12 18:08:53 +01:00
Girish Ramakrishnan
e536c94028
firewall: add dockerproxy
2025-01-03 21:14:19 +01:00
Girish Ramakrishnan
d57020d269
firewall: allow udp responses to come back from docker
2025-01-03 19:50:42 +01:00
Girish Ramakrishnan
d47aa816d3
firewall: accept ldap connections
2025-01-03 19:33:51 +01:00
Girish Ramakrishnan
29a9b3d68a
firewall: use a chain instead of adding rules directly
...
this helps in updating rules across upgrades
2025-01-03 17:59:24 +01:00
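An added example (not the project's own firewall script) of the pattern the commit above describes: keep every platform rule in one dedicated chain that is created if missing, flushed, refilled and jumped to exactly once, so an upgrade replaces the rule set wholesale without duplicating rules in INPUT or touching rules that other software added there. The chain name, the ports and the Docker subnet are assumptions; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the Cloudron firewall script: manage all platform rules in
# one dedicated chain so a re-run (e.g. after an upgrade) replaces them
# atomically and never leaves duplicates in INPUT. Chain name, ports and the
# Docker subnet below are assumptions. Set DRY_RUN=1 to print instead of apply.

IPT=${IPT:-iptables}
CHAIN=${CHAIN:-CLOUDRON_INPUT}            # assumed name
DOCKER_NET=${DOCKER_NET:-172.18.0.0/16}   # assumed bridge subnet
LDAP_PORT=${LDAP_PORT:-3002}              # assumed platform LDAP port

run() { if [ -n "$DRY_RUN" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

# Create the chain if it does not exist, then empty it: idempotent on re-run.
ensure_chain() {
    if [ -n "$DRY_RUN" ] || ! "$IPT" -nL "$CHAIN" >/dev/null 2>&1; then
        run -N "$CHAIN"
    fi
    run -F "$CHAIN"
}

# Jump from INPUT exactly once: remove every stale copy, then insert at the top
# so no earlier rule added by another tool can shadow the platform's policy.
ensure_jump() {
    if [ -z "$DRY_RUN" ]; then
        while "$IPT" -D INPUT -j "$CHAIN" 2>/dev/null; do :; done
    fi
    run -I INPUT 1 -j "$CHAIN"
}

# The platform's rules, stated once; the whole chain is rebuilt on every run.
install_rules() {
    ensure_chain
    # Replies to traffic the host or its containers initiated, UDP included
    # (DNS answers coming back to a container rely on this).
    run -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A "$CHAIN" -i lo -j ACCEPT
    run -A "$CHAIN" -p tcp --dport 22 -j ACCEPT
    run -A "$CHAIN" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Internal services are reachable only from the container network.
    run -A "$CHAIN" -s "$DOCKER_NET" -p tcp --dport "$LDAP_PORT" -j ACCEPT
    # Everything else ends here; rules further down INPUT never see it.
    run -A "$CHAIN" -j DROP
    ensure_jump
}
```

The order inside `install_rules` matters: the chain is filled before the jump is (re)inserted, so there is no window in which INPUT points at an empty chain that falls through to the default policy. The final `DROP` is a design choice; use `RETURN` instead if other software is expected to keep its own rules after the jump.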
Girish Ramakrishnan
746bcb1dd0
firewall: ip6tables requires ipv6
2025-01-02 23:48:19 +01:00
Girish Ramakrishnan
874f8328b8
firewall: wait-interval is deprecated
2025-01-02 23:44:50 +01:00
Girish Ramakrishnan
62e2283992
firewall: add masquerade rule for access via public IP
2025-01-02 23:34:46 +01:00
Girish Ramakrishnan
1894ed7721
box: no oidc messages
2024-12-14 19:04:59 +01:00
Girish Ramakrishnan
de0909248d
start.sh: collapse the mkdir lines
2024-12-05 15:53:03 +01:00
Girish Ramakrishnan
2a6c52800b
system: filesystems in exclude are excluded from content analysis
...
some disks can be very slow and noisy (at home). this allows users to simply skip them.
also, applicable for large storage boxes
2024-11-30 13:08:21 +01:00
Girish Ramakrishnan
19c744b17d
unbound-anchor is now part of ExecStartPre
...
it seems unbound-anchor is not a dep of unbound in ubuntu 24. some
installations are thus missing this package.
in any case, ignore unbound-anchor exit status
2024-09-20 10:00:01 +02:00
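An added example, not Cloudron's unit file, of the systemd drop-in the commit above describes: refresh the DNSSEC trust anchor in `ExecStartPre=` and tolerate the helper's exit status, since `unbound-anchor` exits non-zero when it had to update the key and the binary may be absent on an Ubuntu 24 install where it is no longer pulled in with unbound. The leading `-` on the `ExecStartPre=` line is what tells systemd to ignore the result. The binary and key paths are the Debian/Ubuntu defaults assumed here.

```shell
#!/bin/sh
# Added example, not Cloudron's unit file. Writes a systemd drop-in that runs
# unbound-anchor before unbound starts; the "-" prefix makes systemd ignore a
# non-zero exit (unbound-anchor returns 1 when it updated the key) and a
# missing binary, so the resolver still comes up. Paths are assumed defaults.

ANCHOR_BIN=${ANCHOR_BIN:-/usr/sbin/unbound-anchor}
ANCHOR_FILE=${ANCHOR_FILE:-/var/lib/unbound/root.key}

# Write the drop-in into DIR (normally /etc/systemd/system/unbound.service.d)
# and print the path written.
write_unbound_dropin() {
    _dir=$1
    mkdir -p "$_dir"
    cat > "$_dir/anchor.conf" <<EOF
[Service]
# "-" prefix: a failing or missing unbound-anchor must not block unbound itself
ExecStartPre=-$ANCHOR_BIN -a $ANCHOR_FILE
EOF
    printf '%s/anchor.conf' "$_dir"
}

# Check: every ExecStartPre= in FILE must carry the "-" prefix, otherwise an
# anchor refresh on a machine without the package turns into a failed unit.
dropin_tolerates_failure() {
    ! grep -q '^ExecStartPre=[^-]' "$1" && grep -q '^ExecStartPre=-' "$1"
}

# Host-side companion for Ubuntu 24: make sure the helper exists at all.
ensure_unbound_anchor_installed() {
    command -v "$ANCHOR_BIN" >/dev/null 2>&1 || apt-get install -y unbound-anchor
}
```

After writing the drop-in run `systemctl daemon-reload` and `systemctl restart unbound`; `systemctl cat unbound` then shows the merged unit so the prefixed line can be confirmed.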
Girish Ramakrishnan
22a0874188
grammar
2024-09-16 10:37:01 +02:00
Johannes Zellner
859fef62d4
Revert "Make unbound prefer ipv4 to avoid using ipv6 for spam checking"
...
This reverts commit aedf55dba0.
2024-09-12 17:41:12 +02:00
Girish Ramakrishnan
0647a3a233
unbound: prefer ip4 on ubuntu 24 and above
...
ip6 queries seem to be blocked by spamhaus
2024-09-12 17:13:50 +02:00
Johannes Zellner
aedf55dba0
Make unbound prefer ipv4 to avoid using ipv6 for spam checking
2024-09-12 16:43:34 +02:00
Girish Ramakrishnan
e5dcf78ceb
unbound: setup anchor on service restart
2024-09-10 09:48:10 +02:00
Girish Ramakrishnan
ba99e3b9b7
already in setup script now
2024-07-14 17:06:13 +02:00
Johannes Zellner
d892cc5763
Add comment how to debug the openid provider
2024-07-03 11:33:58 +02:00
Girish Ramakrishnan
082e659c7b
disable rpcbind
...
rpcbind is required for NFSv2 and v3. It seems this gets installed
by nfs-common. It was never used by us since the firewall blocks
port 111 anyways.
NFSv3 needs 2049 for NFS, 111 for portmap, 635 for mountd, 4045 for NLM, 4046 for NSM, 4049 for rquota ...
NFSv4 works better because there's just a single target port, plus the "heartbeat" of lease renewal would keep the TCP/IP session alive.
https://serverfault.com/questions/949127/nfs-client-firewall-settings-and-rpcbind
https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s2-nfs-methodology-portmap.html#s2-nfs-methodology-portmap
https://community.netapp.com/t5/Tech-ONTAP-Blogs/NFSv3-and-NFSv4-What-s-the-difference/ba-p/441316
2024-06-27 20:37:08 +02:00
Girish Ramakrishnan
8df97de8c6
Ubuntu 24.04
...
* update docker to 26.0.1
* cloudron-syslog needs to have correct perms for fifo socket
2024-04-29 11:07:10 +02:00
Girish Ramakrishnan
cd5cae33ce
dns: switch over to systemd for the host
...
this changes unbound to listen to 127.0.0.150 (150 is roman CL)
we cannot only bind on docker bridge because unbound is relied
upon for the initial domain setup. docker itself is only initialized
when the platform initializes
2024-04-29 11:06:03 +02:00
Girish Ramakrishnan
608ce53e7d
scripts: remove unused cloudron-logs
2024-04-29 10:21:33 +02:00
Girish Ramakrishnan
88231e3d35
sftp: add rate limit
2024-04-21 21:04:00 +02:00
Girish Ramakrishnan
1aa683aeab
add comments on the rate limits
2024-04-21 21:02:55 +02:00
Girish Ramakrishnan
95eeb9ce93
s/your/the
2024-04-19 18:33:17 +02:00
Girish Ramakrishnan
caf1c37171
motd: mention troubleshooting tool
2024-04-15 13:46:44 +02:00
Girish Ramakrishnan
4ee56782ba
move syslog.js to top level
2024-03-21 19:09:51 +01:00
Girish Ramakrishnan
d0dc104ede
logs: make logPaths work
...
we have to tail via sudo script
Fixes #811
2024-02-23 17:46:22 +01:00
Johannes Zellner
ec990bd16a
WIP: Add some portrange support
2024-02-08 17:39:22 +01:00
Girish Ramakrishnan
b8c297b178
ldap allow list is not a json
2024-01-13 12:29:00 +01:00
Girish Ramakrishnan
793c4ac017
add some debugs to the firewall script
2023-12-08 11:05:55 +01:00
Girish Ramakrishnan
48f0c75c57
network: increase maxelem of the ipsets
2023-12-07 23:20:24 +01:00
Johannes Zellner
e7208278fc
Only collect stats for app main containers
2023-10-23 22:23:23 +02:00
Girish Ramakrishnan
ec23c7d2b8
Suppress aws sdk warning
...
https://github.com/aws/aws-sdk-js/issues/4354#issuecomment-1664694545
2023-08-04 09:21:48 +05:30
Girish Ramakrishnan
ff539e2669
remove crashnotifier
...
it's not really used
2023-05-15 11:08:00 +02:00
Girish Ramakrishnan
b26c8d20cd
network: add trusted ips
...
This allows the user to set trusted ips to Cloudflare or some other CDN
and have the logs have the correct IPs.
fixes #801
2023-05-13 16:15:47 +02:00
Johannes Zellner
89c5b81eb0
Add very basic initial cloudron-logs helper
2023-05-11 12:30:00 +02:00
Girish Ramakrishnan
4c475818bc
syslog: restructure code
2023-04-14 20:06:28 +02:00
Girish Ramakrishnan
928e61e0f6
Revert "Only use "kill" as done in the upstream docs"
...
This reverts commit 829d53915d.
This breaks on Ubuntu 18
systemd[1]: /etc/systemd/system/unbound.service:12: Executable path is not absolute: kill -HUP $MAINPID
2023-03-29 11:18:44 +02:00
Johannes Zellner
9089616e85
Store oidc data in platformdata/oidc
2023-03-19 16:01:22 +01:00
Girish Ramakrishnan
495e54b54a
cloudron.conf is long gone
2023-01-31 18:03:23 +01:00
Johannes Zellner
10e07fa300
Add disk speeds to disk usage data
2023-01-27 21:05:25 +01:00