Admin Interface link

necrevistonnezr

@jdaviescoates please read the docs carefully. All configuration happens in custom.php.

Can I restrict usage of the upload functionality to members of the local network of the cloudron server somehow?

$cfg['upload_ip'] = array();

subven

@necrevistonnezr yes. You can set a upload password and whitelist (with upload_ip_nopassword) your local network (range) to be able to upload without password. That should solve it

/* Upload password(s).
 * An empty array will disable the password authentification.
 * $cfg['upload_password'] = array();               // No password
 * $cfg['upload_password'] = array('psw1');         // One password
 * $cfg['upload_password'] = array('psw1', 'psw2'); // Two passwords
 */
$cfg['upload_password'] = array();

/* List of IP allowed to upload a file.
 * If the list is empty, then there is no upload restriction based on IP.
 * Elements of the list can be a single IP (e.g. "123.45.67.89") or
 * an IP range (e.g. "123.45.0.0/16").
 * Note that CIDR notation is available for IPv4 only for the moment.
 */
$cfg['upload_ip'] = array();

/* List of IP allowed to upload a file without password.
 * Elements of the list can be a single IP (e.g. "123.45.67.89") or
 * an IP range (e.g. "123.45.0.0/16").
 * Note that CIDR notation is available for IPv4 only for the moment.
 */
$cfg['upload_ip_nopassword'] = array();

jdaviescoates

@subven said in Admin Interface link:

@jdaviescoates please read the docs carefully. All configuration happens in custom.php.
EDIT: Okay it was missleading because of what @luckow said. Changes in custom.php will overwrite static config at /run/config.php (not writeable).

Yeah, but also, neither the first time instructions nor the docs actually mention the need to have to use a lowercase hashed pw.

Sure, that can be discovered by reading the comments in custom.php or the comments in https://gitlab.com/mojo42/Jirafeau/-/blob/master/lib/config.original.php as linked to from the docs, but those are easily missed.

It could be a bit clearer, that's all. Like if was mentioned it in the first time set-up and docs

subven

@jdaviescoates sorry I was referring to the custom.php/config part. The hash lowercase stuff definitely has room for improvement.

@necrevistonnezr can you please test what I said? I just uploaded a file and it seems that the uploader IP is not stored correctly. 2021-01-29 17_28_38-Jirafeau, dein Web-Speicher für Dateien.png

That IP is from the docker network. If this is true it could mean that the uploader IP policy will not work. We should take a look at:

/* Proxy IP
 * If the installation is behind some reverse proxies, it is possible to set
 * the allowed proxy IP.
 * $cfg['proxy_ip'] = array('12.34.56.78');
 * Jirafeau will then get a visitor's IP from HTTP_X_FORWARDED_FOR
 * instead of REMOTE_ADDR.
 */
$cfg['proxy_ip'] = array();

jdaviescoates

@subven said in Admin Interface link:

$cfg['proxy_ip'] = array();

Sounds promising.

Do you know how we'd find out what IP(s) to put here?

subven

@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.

root@yourhostname:~# docker network inspect cloudron | grep Gateway
                    "Gateway": "172.18.0.1"

custom.php -->

$cfg['proxy_ip'] = array('172.18.0.1');

After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address

EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storage

luckow

@subven sorry for the wrong filename.

girish

I have put a doc section on securing uploads here - https://docs.cloudron.io/apps/jirafeau/#restricting-uploads

@subven thanks, I pushed out a new package now with the trust proxy setting.

fjonker

@subven Yes... so I totally missed the fact that there was an admin link icon for this (and other) apps! Thanks!

necrevistonnezr

@subven said in Admin Interface link:

@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.
root@yourhostname:~# docker network inspect cloudron | grep Gateway
                    "Gateway": "172.18.0.1"
custom.php -->
$cfg['proxy_ip'] = array('172.18.0.1');
After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address

EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storage

Not the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1'); alone does not deny access to clients from other IPs.
When I add $cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.

EDIT: Using $cfg['upload_ip'] = array('192.168.1.0/24'); doesn't work either.

girish · EDIT: Using `$cfg['upload_ip'] = array('192.168.1.0/24');` doesn't work either.

@necrevistonnezr If you update to the latest package (1.0.0), the logs will tell you what the IP it is being access as.

subven · EDIT: Using `$cfg['upload_ip'] = array('192.168.1.0/24');` doesn't work either.

@necrevistonnezr said in Admin Interface link:

Not the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1'); alone does not deny access to clients from other IPs.
When I add $cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.

EDIT: Using $cfg['upload_ip'] = array('192.168.1.0/24'); doesn't work either.

We're talking about two different things here. You do not care about 172.18.0.1 since it's for the Docker network only and not related to clients. Setting $cfg['proxy_ip'] = array('172.18.0.1'); allows the app to get the clients real IP address through HTTP_X_FORWARDED_FOR. The changes made to the default config are fine.

$cfg['upload_ip'] = array('172.18.0.1'); = makes no sense at all
$cfg['upload_ip'] = array('192.168.1.0/24'); = tells the app to only allow uploads from this network
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24'); = tells the app to do not ask for a password from this network

In short: Please use only $cfg['upload_ip_nopassword'] = array('192.168.1.0/24'); as additional setting if you want your local network to be able to upload without password. If you want to prevent others from uploading (even with password) please add $cfg['upload_ip'] = array('192.168.1.0/24');

EDIT: I just tested it and everything works as it should.

necrevistonnezr · EDIT: Using `$cfg['upload_ip'] = array('192.168.1.0/24');` doesn't work either.

@subven said in Admin Interface link:

$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');

Thanks for the detailed explanation! I'm not yet very versed network topics but I'm here to learn.

But: After setting $cfg['upload_ip'] = array('192.168.1.0/24'); I get an access denied to the site in my local network (Cloudron is in my local network at home at 192.168.1.27, my Mac has the IP 192.168.1.33, even if I set $cfg['upload_ip_nopassword'] = array('192.168.1.0/24');

My current config is

$cfg['admin_password'] = '#######';
$cfg['proxy_ip'] = array('172.18.0.1');
$cfg['upload_password'] = #######');
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');
$cfg['upload_ip'] = array('192.168.1.0/24');

Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.

Cloudron Forum

Admin Interface link