Hello @potemkin_ai You can already configure each domain to not use wildcard. This is also documented here: https://docs.cloudron.io/domains#certificates go into your dashboard click Domains click the Edit button next to a domain click Advanced settings… Under Certificate provider select Let's Encrypt Prod or did I misunderstand what you are looking for? If this is indeed what you need, can we improve something to make this information more accessible?

@LoudLemur said: @IniBudi I am not sure, but according to Grok: "you've got a classic volumetric DDoS (the kind that floods bandwidth with junk traffic like UDP floods or SYN floods) that chewed through 1TB and knocked your server offline. Cloudflare free + Hetzner/Netcup anti-DDoS is a solid starter setup, but it's getting bypassed or overwhelmed because:Most attacks hit your VPS's real IP directly (bypassing Cloudflare unless everything is perfectly proxied). Hetzner's protection (Arbor/Juniper-based) is automated but often slow to kick in or just null-routes your IP (blackholes the whole server to protect their network). Netcup's 2 Tbps filter is better but still leaks big attacks or causes brief downtime. Cloudflare free is unmetered and excellent for web traffic routed through it (absorbs massive attacks at the edge), but it only helps if traffic never reaches your VPS. The 1TB bandwidth bill/spike proves the attack was hitting your origin directly.Immediate Effective Fixes (Do These Right Now — Mostly Free)Force everything through Cloudflare In Cloudflare DNS, make ALL records Proxied (orange cloud icon). No A/AAAA records pointing directly to your VPS IP. This routes attacks to Cloudflare's global network first. Lock your VPS firewall to Cloudflare IPs only (this is the #1 game-changer) Block everything except Cloudflare's published IP ranges. This stops 99% of direct IP attacks. Hetzner: Use their Cloud Firewall (or iptables). Netcup: Same with ufw/iptables. Cloudflare publishes the list here: cloudflare.com/ips (update it automatically via their API — there's a simple cron script for this). Result: Attack traffic dies at Cloudflare; your VPS barely sees clean traffic. Activate Cloudflare's emergency mode Turn on "I'm Under Attack" mode (Security → Overview). Enable Bot Fight Mode + managed WAF rules + rate limiting (free tier has these). Set Security Level to "High" or "I'm Under Attack". This challenges suspicious traffic with JS/captchas before it even reaches your server. Extra quick wins Use Cloudflare Tunnel (cloudflared) if possible — runs on your VPS and proxies traffic without exposing any ports publicly. Zero public IP exposure. On the server: iptables rate limiting + fail2ban for extra layers. Contact your VPS support immediately — they can sometimes manually tune mitigation. These steps alone usually stop the bandwidth massacre because Cloudflare absorbs the junk at their edge (they've mitigated 11+ Tbps attacks).The Strongest Solutions (Ranked by Effectiveness vs Cost)Here's what actually survives big attacks in 2026:Best affordable strong solution: Switch VPS to OVHcloud + keep Cloudflare free/Pro OVH has the strongest built-in, always-on DDoS protection in the budget VPS world (unlimited, multi-Tbps scrubbing centers, rarely null-routes, works great for L3/L4 volumetric). Users consistently report it handles attacks that destroy Hetzner/Netcup. Pair it with Cloudflare for L7 (web) protection and you're basically bulletproof for most attacks. Migration is straightforward (snapshot your server, spin up OVH VPS, point DNS). This is the combo I recommend for 90% of people in your spot. Specialized DDoS-protected hosting DDoS-Guard (or similar like PATH.net / Evolution Host): Purpose-built for heavy volumetric attacks. Offers protected VPS or proxy services with fixed pricing and excellent filtering. Great if you want to stay cheap but stronger than Hetzner/Netcup. BuyVM: Super cheap add-on protection (handles 700M+ pps). Upgrade Cloudflare only (if you love your current VPS) Go Pro ($20/mo) for advanced WAF, better rate limiting, and more rules. Still use the firewall lockdown above. For non-HTTP/UDP (games, APIs, etc.), you'll eventually need Cloudflare Spectrum (paid) or a dedicated L4 protector. Enterprise-level (if budget allows and attacks are constant) Cloudflare Magic Transit (BGP routing) + your VPS, or Akamai/Imperva. These are what big sites use — full network scrubbing. Quick Reality CheckIf your server is a website/API (HTTP/HTTPS), the Cloudflare + firewall lockdown + OVH combo will solve 95% of cases for very low cost. If it's a game server, UDP-heavy service, or Minecraft/etc., prioritize a host with native L4 protection (OVH or specialized like TCPShield) — Cloudflare free alone won't proxy those ports easily.The core principle for any strong solution: You need high-capacity upstream scrubbing so the 1TB flood never reaches your VPS bandwidth/CPU.Do the immediate firewall + proxy steps first — that often fixes it instantly without spending anything. If you tell me exactly what your server runs (website? game? API? ports?), attack type (from CF analytics), or your budget, I can give exact config commands/scripts or migration steps. " I already created inbound traffic firewall only accept Cloudflare IPs. Unfortunately, my server is still down. I don't know why the attacker is targeting my website, the content only talks about Digital Marketing, SEO, etc. Hmm, I am still searching alternative solution because I just use Cloudflare Free and cheap VPS. Thank you for sharing @loudlemur

@jdaviescoates

That’s a great point about the automated scrapes. Even if it's 'security by obscurity,' sometimes just not being an obvious target is half the battle! I’m really looking forward to the per-app IP whitelisting mentioned here - that seems like the most solid way to handle this without breaking the external webhooks. In the meantime, the OIDC workaround looks like a solid stopgap to at least add an extra layer.

@Jamie_Casper can you give us an example that's more specific?

Hello @jamie_casper and welcome to the Cloudron Forum

@robi said: @LoudLemur would it be more discoverable if it was published as a blog or docs site and then include llms.txt and llms-full.txt to make parsing easier for the agents? Thanks, @robi You can see the blog here: https://wanderingmonster.dev/blog/cloudron-packaging-assessment-toolkit/

Thanks for sharing the solution!

See https://forum.cloudron.io/post/121990

Dedup FTW

@jdaviescoates said: I presume that if I have this setting enabled on multiple backup sites then whenever an app updates it'll first back-up to both locations? yes, it will back up to multiple locations and then update.

@robi great find! will give it a try.

I like the idea of using unbound and I've set it up. If I see something more interesting or accurate with the backups, I may come here with new insight. Thanks,

Minio is back: https://blog.vonng.com/en/db/minio-resurrect/ I see on the HN conversation people are doubting the author, and some others also mention Chainguard will also keep a fork with CVE patched: https://github.com/chainguard-forks/minio Maybe it's worth waiting a bit to see which fork get consistent maintenance.

AI makes sense, will add.

@nebulon said in Czech Translation for Cloudron Now 100% Complete : This is great! We will ship the next Cloudron version then with Czech (internally 9.1 is released for new installs already, so will be added to the next patch release then) That’s great news, thank you!

@luckow thank you

That was just an intermediate release for pre-built images at cloud provider