Hello @Andrew Do you have a specific app in mind where you'd want to apply these limits?

Hello @sebastienserre Thanks for that. Fixing it right away.

@girish said in App proxy questions and proxy/authentication possible improvement suggestions: But from Cloudron's POV, there is authentication and authorization But basically having the option to block access to any hosted app by putting auth in front of it (presumably thorugh the web server) could have various good use cases.

Hello @3246 With the cloudron cli you can run e.g: cloudron exec --app $APP -- fallocate -l 4M /app/data/4M See cloudron exec --help: Usage: cloudron exec [options] [cmd...] Exec a command in an application Options: -t,--tty Allocate tty --app <id/location> App id or location -h, --help display help for command Examples: $ cloudron exec --app myapp # run an interactive shell $ cloudron exec --app myapp ls # run command $ cloudron exec --app myapp -- ls -l # use -- to indicate end of options Was not sure if possible via the API but since I can debug the cloudron cli and see what it do I figured something out. Send the to /api/v1/apps/$APPID/exec # Command is an array `ls -lah /app/data` would become for each space ["ls", "-lah", "/app/data/"] curl "https://my.$DOMAIN.$TLD/api/v1/apps/$APPID/exec" \ -H 'Authorization: Bearer $APITOKEN' \ -H 'content-type: application/json' \ --data-raw '["ls", "-lah", "/app/data/"]' # this returns and id { "id": "a90bcfcec1d29f7a595638ea66c8ac0bb53b594047ac74fc80bf97f75fed0c19" } But getting the output of the executed command is. . . tricky. Just look at the source code for the cli for this part: const searchParams = new URLSearchParams({ rows: stdout.rows || 24, columns: stdout.columns || 80, access_token: token, tty }); const req = https.request({ hostname: adminFqdn, path: `/api/v1/apps/${app.id}/exec/${execId}/start?${searchParams.toString()}`, method: 'GET', headers: { 'Connection': 'Upgrade', 'Upgrade': 'tcp' }, rejectUnauthorized }, function handler(res) { if (res.statusCode === 403) exit('Unauthorized.'); // only admin or only owner (for docker addon) exit('Could not upgrade connection to tcp. http status:', res.statusCode); }); req.on('upgrade', function (resThatShouldNotBeUsed, socket /*, upgradeHead*/) { // do not use res here! it's all socket from here on socket.on('error', exit); socket.setNoDelay(true); socket.setKeepAlive(true); if (tty) { stdin.setRawMode(true); stdin.pipe(socket, { end: false }); // the remote will close the connection socket.pipe(stdout); // in tty mode, stdout/stderr is merged socket.on('end', exitWithCode); // server closed the socket } else { // create stdin process on demand if (typeof stdin === 'function') stdin = stdin(); stdin.on('data', function (d) { var buf = Buffer.alloc(4); buf.writeUInt32BE(d.length, 0 /* offset */); socket.write(buf); socket.write(d); }); stdin.on('end', function () { var buf = Buffer.alloc(4); buf.writeUInt32BE(0, 0 /* offset */); socket.write(buf); }); stdout.on('close', exitWithCode); // this is only emitted when stdout is a file and not the terminal demuxStream(socket, stdout, process.stderr); // can get separate streams in non-tty mode socket.on('end', function () { // server closed the socket if (typeof stdin.end === 'function') stdin.end(); // required for this process to 'exit' cleanly. do not call exit() because writes may not have finished . the type check is required for when stdin: 'ignore' in execSync, not sure why if (stdout !== process.stdout) stdout.end(); // for push stream socket.end(); // process._getActiveHandles(); process._getActiveRequests(); if (stdout === process.stdout) setImmediate(exitWithCode); // otherwise, we rely on the 'close' event above }); } }); req.on('error', exit); // could not make a request req.end(); // this makes the request From a little debugging I got the API path: /api/v1/apps/$APPID/exec/$EXECID/start?rows=21&columns=257&tty=false But when CURL'ing this: curl "https://my.$DOMAIN.TLD/api/v1/apps/$APPID/exec/$EXECID/start?rows=21&columns=257&tty=false" \ -H "Authorization: Bearer $APITOKEN" \ -H 'content-type: application/json' { "status": "Not Found", "message": "exec requires TCP upgrade" } And I am not sure how to "TCP upgrade" the curl request. I will ask the team.

I use Cloudns for DNS - they’re good

I've been running with this setup for nearly 2 years, I have made the following changes to the config to use Cloudron provided services. Database (MySQL): DB_CONNECTION=mysql DB_HOST=${CLOUDRON_MYSQL_HOST} DB_DATABASE=${CLOUDRON_MYSQL_DATABASE} DB_USERNAME=${CLOUDRON_MYSQL_USERNAME} DB_PASSWORD=${CLOUDRON_MYSQL_PASSWORD} I can't remember whether I entered those environment variables into the install page on first time use or whether I had to put in the credentials directly then change them when I had finished installation. Email: MAIL_MAILER=smtp MAIL_HOST=${CLOUDRON_MAIL_SMTP_SERVER} MAIL_PORT=${CLOUDRON_MAIL_SMTP_PORT} MAIL_USERNAME=${CLOUDRON_MAIL_SMTP_USERNAME} MAIL_PASSWORD=${CLOUDRON_MAIL_SMTP_PASSWORD} MAIL_FROM_ADDRESS=${CLOUDRON_MAIL_FROM} MAIL_FROM_NAME="${APP_NAME}" Redis (https://blog.linkstack.org/redis-linkstack/ REDIS_HOST=${CLOUDRON_REDIS_HOST} REDIS_PASSWORD=${CLOUDRON_REDIS_PASSWORD} REDIS_PORT=${CLOUDRON_REDIS_PORT} CACHE_DRIVER=redis SESSION_DRIVER=redis Hope this helps. Andrew.

Curious to hear from anyone who is using external MX. What's your experience? What does your config look like?

@JOduMonT said in Ubuntu Pro & Cloudron: Cloudron lose control on the update ? Totally, completely, assuredly, obviously. Why pay for this "pro" service when Cloudron already manages the server? Cloudron IS the thing managing the server, and by that, also Ubuntu. Choose one. [image: 1761996317898-17937c13-0f69-494f-bb00-086de7b14899-image.png]

We use https://github.com/panva/node-oidc-provider internally and that is supposed to support PKCE. Not sure yet how to use it to test what this needs. Until that is working, the options are a keycloak instance or a small backend which gives the SPA some kind of session while handling the oidc login bits.

@jdaviescoates cheers! Well yes, basically people get a managed Cloudron with proper onboarding, the difference is the selection of preinstalled apps (or none for the Cloudron package), the distinction is mostly for marketing purposes.

Good on them for this initiative. Despite web browser now being fundamental functionality, the offerings from all the others are frankly pretty poor, bloated dinosaurs. Look forward to their first usable release

Thanks guys

An automatically created badge from Cloudron's perspective: App Verification and Registry After the app is reviewed and approved, Cloudron adds it to its verified apps registry, which includes metadata like app ID, name, version, and verified status. Badge Graphic Creation Cloudron prepares a badge image (SVG or PNG) showing "Packaged by Cloudron" or a similar verified label. This badge image is hosted on Cloudron's servers or CDN. Generate Standardized Markdown Snippet Cloudron creates a standardized Markdown snippet that developers can embed into their README or website. The snippet typically looks like this: [](https://cloudron.example.com/apps/appid) Here, the image URL links to the dynamically generated badge image, and the anchor URL links to the app's Cloudron info page. Probably this can be done here, taking comentario as an random example: https://www.cloudron.io/store/app.comentario.cloudronapp.html Badge Hosting and Dynamic Updates The badge image URL is managed by Cloudron, allowing automatic updates if badge styles, wording, or verification states change. All instances where the badge is embedded will reflect updates immediately. Developer/User Integration Cloudron provides the app developer or user with this snippet along with clear instructions to paste it into their GitHub README or other documentation. Automatic Badge Rendering When README files or web pages load, the badge image is fetched from Cloudron's servers and displayed in place, confirming official packaging and build trust visually. This automated generation and hosting process allows Cloudron to centrally manage trust badges and makes it very easy for app maintainers to add a professional verification mark to their repos without manual image management or styling.

Ha! Yes, and no. Let me explain: The one plugin to use, which is entirely free(!), is Litespeed caching for WordPress. It works regardless of you running OLS too, bar the direct tie-in to the caching service. With that and Cloudflare caching, I get to nearly 100% on pagespeed.web.dev, even for crappy sites with terrible themes. With OLS as a stack, I can probably get a lot more websites onto the same server without impacting on performance. Probably around 40% more according to some research I did. Interestingly, plain WordPress, with its stock themes and without Redis and Cloudflare get's nearly 100% on pagespeed.web.dev. At least in my testing, it suggests that the quality of the theme and plugins in use play a critical role. If only customers paid attention to that and spent money wisely with decent web devs instead of buying dodgy themes and plugins ;D What's your experience? Why do you want OLS?

On DigitalOcean, hostname is automatically set to the name of the Droplet.