Feature Request: 🔥 Simple per-App WAF with Templates (KISS) 🏰
-
Feature Request: Simple per-App WAF with Templates (KISS=Keep It Stupid Simple)
Cloudron is often used to host multiple web applications with very different exposure levels (e.g. public websites, WordPress instances, admin-only tools).
At the moment, most protection is instance-wide, which makes it hard to apply different security policies per app without external tooling.Community Precedent – Cloudron Forum discussions
Users have repeatedly discussed the need for more granular access control / WAF-like features in Cloudron:
-
In “Is there a way to rate limit connections to a site for certain user agent strings?”, users talk about using Bunkerweb as a workaround for the lack of built-in request filtering and mention that “Cloudron doesn’t have anything like WAF” and the desire to move away from Cloudflare WAF because Cloudron currently lacks native solutions.
https://forum.cloudron.io/topic/14343/is-there-a-way-to-rate-limit-connections-to-a-site-for-certain-user-agent-strings -
Users have explicitly asked about limiting web-based access to individual Cloudron apps (e.g., basic auth, IP-based restrictions), indicating demand for app-level access controls.
https://forum.cloudron.io/topic/8804/limiting-web-based-access-to-cloudron-apps -
In “What’s coming in Cloudron 6.3”, I suggested features inspired by Wordfence including blocking by IP/location and geo-blocking, and specifically calls out the idea of geo-blocking of countries as a desirable security improvement.
https://forum.cloudron.io/topic/4723/what-s-coming-in-cloudron-6-3/4 -
Related support threads show users trying to restrict access to the Cloudron login page by IP while keeping other apps public, again highlighting demand for more granular access controls.
(See posts by user hiyukoim in support category)
I would like to propose a simple, KISS-oriented Web Application Firewall (WAF) on app level, tightly integrated into Cloudron.
Problem
- Not all apps should be equally reachable from the internet
- Admins often want basic access control (countries, IPs, paths) without deploying a full external WAF
- Instance-wide rules are often too coarse
Goals
- Per-app access control
- Very simple and predictable behavior
- No security expertise required
- Reusable defaults for admins managing many apps
Proposed Solution
1. Per-app WAF
Each web app can optionally enable its own WAF.
2. App-level rules
Within an app WAF, an admin can configure:
- IP whitelist / blacklist
- Geo allow / block (noise reduction, not “hard security”)
- Path-based rules (extra layer), for example:
/wp-login.php/wp-admin/*/api/*
Rules should be path-based only (no complex regex).
3. Instance-level WAF templates
At Cloudron instance level, admins can define WAF templates (profiles), such as:
- Public website
- WordPress hardened
- Admin-only app
- Internal / trusted IPs only
For each app:
- Select a template
- Optionally extend or override it locally
This avoids repetitive configuration and keeps policies consistent.
4. Clear precedence (important for predictability)
Suggested order:
- IP whitelist
- Geo allow
- IP blacklist
- Geo block
- Path rules
Whitelist rules always take precedence.
Optional (still KISS)
- Per-app blocked requests log (read-only)
- Timestamp
- Source IP / country
- Rule type (IP / Geo / Path)
- Report-only / dry-run mode for new rules
- Temporary disable WAF for this app (emergency switch)
Non-goals (explicitly out of scope)
- Full ModSecurity / OWASP CRS
- Regex-heavy rules
- Deep request inspection (headers, body, users, roles)
- Replacing a dedicated enterprise WAF
This feature is intended to cover the 80% use case in a Cloudron-native, admin-friendly way, while keeping configuration minimal and understandable.
-
-
I imc67 referenced this topic on
-
Thank you for posting this, I was looking to post something similar albeit with far less detail.
I want to sign up for Cloudron and pay to support the developers and have all the conveniences as I have run two free instances for years.
The bit I cannot get past for now is the openness of the apps on the platform. Like Immich is just out there on the web and the security of that instance comes down to the devs at Immich?
I currently use Pangolin for anything non Cloudron related and it gives me a sense of security because things like Immich just aren’t reachable unless you first authenticate to Pangolin. Pangolins job is to secure things and this is what they have built and focus on. Where as Immich works on how best to handle your photos.
Right now I find it scary that my Immich or Outline instances for example that contain personal data might be exposed to the web with little protection.
Maybe I am over thinking it or have my details wrong but it’s currently holding me back from using Cloudron for my personal use and trusting it with my data.
-
Thank you for posting this, I was looking to post something similar albeit with far less detail.
I want to sign up for Cloudron and pay to support the developers and have all the conveniences as I have run two free instances for years.
The bit I cannot get past for now is the openness of the apps on the platform. Like Immich is just out there on the web and the security of that instance comes down to the devs at Immich?
I currently use Pangolin for anything non Cloudron related and it gives me a sense of security because things like Immich just aren’t reachable unless you first authenticate to Pangolin. Pangolins job is to secure things and this is what they have built and focus on. Where as Immich works on how best to handle your photos.
Right now I find it scary that my Immich or Outline instances for example that contain personal data might be exposed to the web with little protection.
Maybe I am over thinking it or have my details wrong but it’s currently holding me back from using Cloudron for my personal use and trusting it with my data.
The bit I cannot get past for now is the openness of the apps on the platform. Like Immich is just out there on the web and the security of that instance comes down to the devs at Immich?
Well, that is part of their job as developers as they offer a product that‘s meant to be accessible on the web. The same way you have to trust the Pangolin developers.
In any event, I fully support better and more granular security features. And Pangolin looks interesting!
-
Feature Request: Simple per-App WAF with Templates (KISS=Keep It Stupid Simple)
Cloudron is often used to host multiple web applications with very different exposure levels (e.g. public websites, WordPress instances, admin-only tools).
At the moment, most protection is instance-wide, which makes it hard to apply different security policies per app without external tooling.Community Precedent – Cloudron Forum discussions
Users have repeatedly discussed the need for more granular access control / WAF-like features in Cloudron:
-
In “Is there a way to rate limit connections to a site for certain user agent strings?”, users talk about using Bunkerweb as a workaround for the lack of built-in request filtering and mention that “Cloudron doesn’t have anything like WAF” and the desire to move away from Cloudflare WAF because Cloudron currently lacks native solutions.
https://forum.cloudron.io/topic/14343/is-there-a-way-to-rate-limit-connections-to-a-site-for-certain-user-agent-strings -
Users have explicitly asked about limiting web-based access to individual Cloudron apps (e.g., basic auth, IP-based restrictions), indicating demand for app-level access controls.
https://forum.cloudron.io/topic/8804/limiting-web-based-access-to-cloudron-apps -
In “What’s coming in Cloudron 6.3”, I suggested features inspired by Wordfence including blocking by IP/location and geo-blocking, and specifically calls out the idea of geo-blocking of countries as a desirable security improvement.
https://forum.cloudron.io/topic/4723/what-s-coming-in-cloudron-6-3/4 -
Related support threads show users trying to restrict access to the Cloudron login page by IP while keeping other apps public, again highlighting demand for more granular access controls.
(See posts by user hiyukoim in support category)
I would like to propose a simple, KISS-oriented Web Application Firewall (WAF) on app level, tightly integrated into Cloudron.
Problem
- Not all apps should be equally reachable from the internet
- Admins often want basic access control (countries, IPs, paths) without deploying a full external WAF
- Instance-wide rules are often too coarse
Goals
- Per-app access control
- Very simple and predictable behavior
- No security expertise required
- Reusable defaults for admins managing many apps
Proposed Solution
1. Per-app WAF
Each web app can optionally enable its own WAF.
2. App-level rules
Within an app WAF, an admin can configure:
- IP whitelist / blacklist
- Geo allow / block (noise reduction, not “hard security”)
- Path-based rules (extra layer), for example:
/wp-login.php/wp-admin/*/api/*
Rules should be path-based only (no complex regex).
3. Instance-level WAF templates
At Cloudron instance level, admins can define WAF templates (profiles), such as:
- Public website
- WordPress hardened
- Admin-only app
- Internal / trusted IPs only
For each app:
- Select a template
- Optionally extend or override it locally
This avoids repetitive configuration and keeps policies consistent.
4. Clear precedence (important for predictability)
Suggested order:
- IP whitelist
- Geo allow
- IP blacklist
- Geo block
- Path rules
Whitelist rules always take precedence.
Optional (still KISS)
- Per-app blocked requests log (read-only)
- Timestamp
- Source IP / country
- Rule type (IP / Geo / Path)
- Report-only / dry-run mode for new rules
- Temporary disable WAF for this app (emergency switch)
Non-goals (explicitly out of scope)
- Full ModSecurity / OWASP CRS
- Regex-heavy rules
- Deep request inspection (headers, body, users, roles)
- Replacing a dedicated enterprise WAF
This feature is intended to cover the 80% use case in a Cloudron-native, admin-friendly way, while keeping configuration minimal and understandable.
- In “What’s coming in Cloudron 6.3”, I suggested features inspired by Wordfence including blocking by IP/location and geo-blocking, and specifically calls out the idea of geo-blocking of countries as a desirable security improvement.
https://forum.cloudron.io/topic/4723/what-s-coming-in-cloudron-6-3/4
You got an upvote for me in any event, but for this feature: https://docs.cloudron.io/guides/community/blocklist-updates
-
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login