@tomw Apologies; I wasn't trying to suggest you shouldn't do this. I was only trying to emphasize that there is an entire system/chain that leads to your server. You might have: The nation-state working in tandem with local (or, are they state-owned?) ISPs to implement man-in-the-middle cert attacks, so that attempts to securely connect to your server are actually plain-text. The nation state, working with ISPs to compromise/log all traffic through DNS servers. ... https://www.cisa.gov/news-events/alerts/2015/04/30/securing-end-end-communications is an article that speaks to some of the kinds of things that you might have to do to begin securing end-to-end communications. Ultimately, I really don't know. I'm just suggesting---YMMV, etc.---that this sounds like something with high stakes. I wish you and your colleagues all the best of luck. PS. https://www.cjr.org/tow_center_reports/guide_to_securedrop.php looks interesting as well. Again, it doesn't apply directly to your case, but speaks to the broad spectrum of design considerations that go into architecting and delivering secure systems, where "systems" means "a combination of technology and people."

Thank you very much!

@Kubernetes Glad you like it, the eBPF stuff is a nice use case. (finally)

A month ago! Oh JOY! We love it when you surprise us @nebulon !

We don't have this feature yet to specify the healthcheck path in the app proxy. I will move this feature request. Thanks for the suggestion!

Can we revisit this? Allowing some code in the (html) header of all apps would be enough, I think (and awesome)

@girish You're right, I think not. Currently the app is NOT in a 'Running' state if any failures occur. An alternate method would be to bring up the app anyway (as long as the primary subdomain is up, and continue to resolve the failed API calls until some 'threshold' (then alert) or it succeeds and all is well. No need to ignore the failed ones, they just try again async as with your API rate backoff code, or at the next addition of a new sub if you want to be less proactive and more lazy. (The non working subs, if used will draw attention back to the app anyway.)

@DualOSWinWiz it's not there, no.

Regarding a helping hand for autodns: acme.sh does support dnsapi cert generation for autodns maybe this code can help developing. https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_autodns.sh Also acme.sh has MANY more dnsapi supports: https://github.com/acmesh-official/acme.sh/tree/master/dnsapi

Yeah, the access key is what is going to check if the domain is there. I think "Skip nameserver validation for custom Route53 NS names" would get me there And all of the DNS and Email stuff...I totally understand how difficult it is to give less technical users the ability to even USE this stuff, as well as support slightly more advanced users. You're doing a great job!

The filemanager has gotten no attention for mobile use, as I mostly saw that as a sysadmin tool and not something one would use on a phone. Generally mobile use of the dashboard as an admin is a bit rough

@BrutalBirdie said in Automatically sync DNS when enabling IPv6: Right now you either have to just wait for it to happen some time Actually, it never happens automatically (this might appear to be automatic if you had Dynamic DNS enabled).

@girish Awesome, thank you! I'll fork the changes and have some items as drafts and will submit a PR when I get them updated.

@jdaviescoates yes, that's my understanding. setting it all to 50% means you are not giving any app any "preference".

Of course, right after requesting this feature, the first post I browse to is this: https://forum.cloudron.io/topic/10517/oidc-migration Girish pointed out some technical pro's of using OIDC. @girish said in OIDC migration: What's the reason to get locked into LDAP auth ? At the platform level, we have decided to move all apps to OIDC whenever available. OIDC is more secure and does not expose raw password to apps. We can also implement much more security schemes with OIDC.

@necrevistonnezr maybe if it's a simple enough app, you can package it along with the Surfer app which can provide the basic auth w/ a nice config interface.