CCAI : Cloudron Custom App Installer

timconsidine

@nostrdev totally agree

The issue is I'm unsure about the approach strategically in terms of keeping the "hosted as a service" URL open and easy to make use of.

I can easily add http basic auth or use Cloudron proxyauth but communicating those creds has a raft of issues.

I can add proper user registration, but it kinda goes against the original principles of it being an anonymous utility. I don't really want to be maintaining user records or responsible for them, and it's a pain for users to create yet another username and password for this (because obviously they should not be using Cloudron login details).

Maybe I can add some kind of automated short duration one time code delivered by SMS or email. Doesn't help much but maybe one blocker to scripts without a person behind it.

Ideally auth would be handled best by the app being within the AppStore, but that's not in my hands.

Any clever ideas gratefully received.
Otherwise I might have to bite the bullet and implement a user registration system.

timconsidine

I have thought deeply about adding auth or anti-bot measures.

My current conclusion is that anything I add (captcha, Cloudflare Turnstile, user registration in-app or via Keycloak) is going to :

• reduce the utility of this as a hosted app for easy use by those who don't want to install it themselves
• impact anyone who chooses to deploy the app to their own Cloudron with extra dependencies.

So at this point "the juice is not worth the squeeze".
I have however :

• added some rate-limiting for catalogue entry deletions
• added static text to recommend using a dedicated cloudron user for use with this app

I will think about creating a locked-down version with auth for those who want to deploy it to their own Cloudron, while leaving the hosted version w/o auth (basically my risk on the catalogue, because the actual app installation process is secure already).

Hopefully once Cloudron 9 is out and settled down, the version with proper auth can make it suitable for App Store inclusion, and I will retire the open hosted-as-a- service version.

I will review this later, but leaving it here for now pending further ideas.

ruihildt

Serving this online seems incredibly risky and inviting users to enter their credentials on a random website seems setting a very wrong example.

If you don't want to deal with antibot measures etc, you could package it as a tauri app for example. But now you are a packaged app developer and distributor.

timconsidine

@ruihildt it’s not about not wanting to. It’s about how far to go and I’ve opened up that discussion.

I have already put some antibot measures in some places. Adding some additional rate-limiting this evening.

I am very open to discussing how much further to go.
If you have any specific suggestions, I will gladly implement them (working on a 1-time authorisation. But frankly 2FA handles that much better anyway).

I agree it’s not ideal, but I don’t feel it’s that risky.
It uses exactly the same security that Cloudron uses.
So if it is insecure, then by definition Cloudron is insecure.
As always, all Cloudron users should :

• have secure long passwords
• use 2FA
• ideally follow the recommendation to create a dedicated special purpose user and change its password after each use.

No login creds are stored - code is open for inspection to confirm that.

My clear preference is for this app to be in the AppStore so I can take down my site.
If the Cloudron community prefer this to be taken down or locked down further, I will happily do so.

The app and the site are just a response to the 100’s of requests for an easier way to add apps.

timconsidine

New version : v4.3.2 (git.cloudron.io updated)
Added optional Cloudflare Turnstile support.
Default : not enabled
Edit /app/data/.env to enable and add your config keys

The 'hosted-as-a-service` ccai.appx.uk is now running with Turnstile for anti-bot protection.
If you install this to your own Cloudron, you can choose to run without Turnstile or to enable it.

Why Cloudflare Turnstile ?

• easiest / best non-google captcha type anti-bot
• free account with generous free-tier usage
• minimal code dependencies to simplify app building

Beyond this, it would need a user registration or failed login rate limiter.

LoudLemur

@timconsidine said in CCAI : Cloudron Custom App Installer:

Cloudflare Turnstile

We had a thread here about CAPTCHA alternatives quite a while ago. One issue with Cloudflare is that it is unfortunately rapidly becoming a single choke-point for the whole internet. I ran a quick AI search for Free Software alternatives to proprietary Turnstile. This is what was suggested:

Several open source alternatives to Cloudflare Turnstile exist, focusing on privacy-friendly bot protection, spam prevention, and user verification without relying on proprietary services. These often use proof-of-work (PoW) mechanisms to verify legitimacy invisibly or with minimal user friction, similar to Turnstile's approach. They are typically self-hostable, allowing full control and avoiding central choke points. Below is a list of notable options, including key features and implementation details.

ALTCHA

Description: A privacy-first CAPTCHA alternative that uses PoW to protect websites, APIs, and forms from spam and bots without tracking users. It's designed for seamless integration and escalates to code challenges only for high-risk cases.
Key Features: Frictionless verification, WCAG 2.2 AA accessibility compliance, support for 50+ languages, no cookies or fingerprinting, and optional Sentinel for advanced threat detection (e.g., rate limiting, ML-based analysis).
How it Works: The widget runs a PoW challenge in the background; if solved, it generates a token for server validation. Self-hostable via Docker, AWS, Azure, or Kubernetes.
Licensing and Cost: MIT license for the core (fully open source and free); Sentinel is commercial for enterprise needs.
Advantages over Turnstile: Smaller bundle size (30 kB vs. 85+ kB), faster load times (0 ms when bundled), and stricter privacy compliance (GDPR, HIPAA, etc.) with no data leakage.

mCaptcha

Description: A no-nonsense, PoW-based CAPTCHA system emphasizing user experience and privacy, acting as a drop-in replacement for traditional CAPTCHAs like reCAPTCHA.
Key Features: Seamless UX without image puzzles, robust against NAT users (no IP reliance), API-compatible with reCAPTCHA/hCaptcha, and focused on making bot attacks computationally expensive.
How it Works: Clients solve adjustable PoW challenges; the backend verifies them. It's fully automated and doesn't contribute to third-party ML training.
Licensing and Cost: AGPL for the core, with client libraries under permissive free software licenses; entirely free and open source.
Advantages over Turnstile: Fully self-hosted with no external dependencies, stronger emphasis on not profiling users, and libre software ethos.

Cap

Description: A lightweight, modern PoW CAPTCHA using SHA-256 hashes, designed for speed and simplicity as a direct alternative to Turnstile.
Key Features: Invisible and floating modes, standalone REST API for any language/framework, customizable difficulty, and WASM solvers for web/Node.js.
How it Works: The widget generates and solves challenges via Web Workers; the server validates them. Supports checkpoints for progressive verification.
Licensing and Cost: Apache 2.0 license; fully open source and free.
Advantages over Turnstile: Tiny size (12 kB widget), no tracking/fingerprinting, lower error rates, and higher customizability (full backend/frontend tweaks).

Anubis

Description: A Web AI Firewall utility that weighs connections with PoW challenges to block scrapers, bots, and DDoS attacks before they reach your site.
Key Features: Heuristic-based bot detection, customizable rules/policies, non-JS challenge support, and integration as a reverse proxy.
How it Works: Responds to requests with a JS (or non-JS) PoW program; only solved challenges grant access. Tunable difficulty makes scraping unprofitable.
Licensing and Cost: Open source (repository on GitHub); free to use and self-host.
Advantages over Turnstile: Explicitly targets AI scrapers and bots, supports broader heuristics beyond PoW, and has been used to mitigate real DDoS incidents.

mosparo

Description: A rule-based spam protection tool for online forms, functioning like an email spam filter rather than a traditional CAPTCHA.
Key Features: Checks form data against custom rules, honeypot fields for bot detection, accessibility compliance, and multi-language support.
How it Works: Integrates into forms to validate submissions server-side based on patterns/rules; blocks spam without user-visible challenges.
Licensing and Cost: Open source under a permissive license; free and self-hostable via Docker.
Advantages over Turnstile: Less intrusive (no challenges for legitimate users), focuses on content analysis over behavior, and fully accessible for screen readers/keyboards.

Procaptcha

Description: A privacy-focused verification tool redefining CAPTCHA with unique security approaches, often listed as an open source option for bot protection.
Key Features: Emphasizes privacy and security without conventional puzzles; details are limited but include freemium elements for scaling.
How it Works: Uses alternative verification methods (potentially PoW or similar); self-hostable with open components.
Licensing and Cost: Open source with freemium model (free tier available).
Advantages over Turnstile: Open source core allows modifications, though less detailed comparisons are available.

nostrdev

Agreed that we should not use cloudflare, not just from the single-point-of-failure perspective, but also to protect user privacy

timconsidine

I’m not a fan of Cloudflare - just put it in as fastest way to address a possible vulnerability.
But proof of work is often a pain for users.
I feel there are only 2 good solutions :
Cloudron re-write as an official utility (resolves authentication much more neatly)
CCAI adds user registration
I’m thinking what direction to take it in if not adopted/rewritten

robi

Found 2 bugs with latest CCAI

1. After install of one app, still being logged in, it's impossible to click on another app to proceed with installation. Starting over of course requires re-logging in.

2. I was upgrading to 9.0.12 while attempting this so got this:
   [9:05:52 PM] [2025-11-26 03:05:51] Failed to install app: 400 message: Box version exceeds Apps maxBoxVersion

timconsidine

@robi thank you for the report.
I will investigate.
I'm hoping that Cloudron will bring out their own version of this - the app would be so much easier for everyone if logging in was not needed (it was in the dashboard somewhere)

I've not updated to 9.0.x yet - waiting for a later release

robi

@timconsidine you are welcome.

You can always test on the demo server.

And at least the second issue is easily solved via an expected version bump or just take out the check. Not sure why it's needed. Is it?

humptydumpty

revive! and...

Thanks @timconsidine for this. I kept coming across CCAI but never looked into it until now. Brilliant approach. I have a few questions.

• Is there a doc/faq page on how to use this in case I want to add an app that isn't listed in the catalog?
• I noticed zoneminder (alpha) in the list - Is it safe enough to install on a production server? (just want to take a peek at it)
• If I install CCAI on my own server - is it pass protected or can anyone access/use it then?
• Q more for @staff what's your opinion on CCAI - will you deploy something similar to it?

timconsidine

@humptydumpty thank you.
I am travelling today but will improve documentation when I get back.

In the interim :

• there is a button on front screen to add an app by yourself into the catalogue. It’s just filling in some basic details, so quite easy. But I will document it.
• if you don’t want it to go into the catalogue, you can scroll down, login and then populate the form manually with details for a one-off deployment
• if you deploy CCAI, it will currently be open front page just like CCAI.appx.uk is now (and you can import the master catalogue to your instance). I wasn’t sure that CCAI would have an ongoing usefulness so I didn’t add a login screen and wanted to leave it open for users. But with Cloudron team being always busy, I think there is a case for a private version, and will make a parallel app with login.
• a chunk of the app is handling the authentication needed to install an app (login to the Cloudron instance). If Cloudron were to implement something similar, most/all of this could go because the user’s instance would be already authenticated. So easier and more secure. I will have a go at building such an approach, behind a login screen. It could produce some efficiencies and also be more suited to a login protected and “private” installation.

Reminder for anyone looking at CCAI.
Cloudron authentication details are NEVER stored in this open version. They persist in memory for 15 minutes, then expire. And the user can logout before then if they wish.
It was critical for me that CCAI is secure to use, but I understand people won’t be 100% convinced without checking the source. But it’s there for people to do so if they want.

I paused work on CCAI pending a direction, so some polishing is needed for longer term usefulness, and I will look at doing this.

timconsidine

@humptydumpty oh, about zoneminder ….

Yes it is safe to install in a production server.
The app installs and loads and some essential configuration can be done, like adding a camera.
But it’s not currently loading a stream from the camera.

The reason it is ALPHA with warnings is that Zoneminder has some complex runtime internal links for streaming feed which does not fall easily into Cloudron’s separation of /app/code and /app/data. I have been trying to find a solution to this but paused to consider how.

I might need to do some code tweaks during deployment to handle the runtime link generation.
It’s not ideal but might be possible to do in a way which can produce a stable maintainable app.

I want Zoneminder for my own use, so not giving up yet.
You can install to take a peek, just don’t expect the camera feed to show … or let me know if it does !!

timconsidine

I have no doubt that Cloudron team would do a much better job of implementing a custom app installer. Technically not difficult and they have the benefit of working it into and inside the platform.

But I acknowledge that a decision to do so is not technically driven, but strategic. Making it easier to install custom apps to Cloudron will, in my opinion, support strong Cloudron growth.

But it comes with the risk of low-quality custom apps harming Cloudron reputation and increasing support loads.
If it’s an official platform-based installer, it could be difficult to push back against support tickets, even if the app is marked UNSTABLE or CUSTOM.

Maybe some community based app ranking or scoring could help, but I acknowledge these are not robust answers to the issue.

girish

Yes, I want to able to support this natively in Cloudron itself. I think we will put this in 9.1 roadmap. But before we implement, we will make a proposal here just to make sure it is what everyone is expecting . Probably only after new years though since most of the team is off and on given holidays.

timconsidine

Announcing ...

CCAI-P : Cloudron CustomApp Installer Personal Edition

Recognising that many users are reluctant to enter their cloudron credentials on an open url, I have adapted the current "open" CCAI custom app installer, into a "closed" app using cloudron ProxyAuth for authentication, and a token for installations.

While a one-time install of the Personal CustomApp Installer is needed, manually or using the hosted CCAI, after that, the user is secure with their own app deployment, and credentials do not need to be entered on a 3rd party site.

The Personal Edition has a button to import the master app catalogue when needed.

The Personal Edition feels a lot faster as no login code / 2FA is needed.

---

My Git Repo : https://git.cloudron.io/timconsidine/cloudron-customapp-installer-personal

Built Docker Image : tcmbp132021/cloudron-customapp-installer-personal:v1.0.0

Available on the open CCAI site https://ccai.appx.uk

---

timconsidine

Update 20/01/2026 :

• I am deprecating installation of the open version of CCAI, as I don't really see that anyone would want to host their own open version.
  It's still available, but you will have to hunt for it or ask me.
  Basically I've removed it from the catalogue.

• I've updated CCAI-P which is the preferred self-host app.
  Runs on your own instance, credentials are stored in the app on your server

• timeouts removed from CCAI-P : you're logged in or you're not : logout button for security, but you can leave it running if it's only you have access to it

• added 3 new descriptors :

  • packageAuthor : previously implied, now explicit
  • appNote : extended explanation of the catalogue entry
  • appHomepage : clickable link to the app's Homepage so you can read about it

• it will take a little while for me to populate the new fields for all apps, but will get on with it.

@staff : can I modify the AppWishlist to the effect :

• please DO NOT add CCAI to the AppStore
• please DO add CCAI-P to the AppStore
• or please make your own version (which I am sure will be more lovely)

There are clear pain points in installing custom apps.
This is eminently resolvable.
The problem is without an official way to get CCAI-P, users still have to go through those pain points. Maybe only once, but that's enough to deter them.

The growing catalogue of custom apps (and there are many more that I am not aware of) shows that relying on the App Store only, and relying on approval of items into the App Store, is a clear bottle neck to maximum use and efficiency of a user's Cloudron instance.

EDIT : at the risk of over-selling the point, can Cloudron staff imagine this ? A daily workload where they never ever have to think about adding apps to the Cloudron AppStore, unless they really want to. No more user pressure.

humptydumpty

@timconsidine said in CCAI : Cloudron Custom App Installer:

The problem is without an official way to get CCAI-P, users still have to go through those pain points. Maybe only once, but that's enough to deter them.

Not in a million years would I have been able to install a custom app on my own. CCAI-P makes it stupidly easy. Thank you Tim!

timconsidine

@humptydumpty and I am working on another non-Cloudron way to get over the blockage of getting CCAI-P into the AppStore. One simple download.

But ssssh, don’t tell anyone yet