Admin Interface link
-
@subven said in Admin Interface link:
@jdaviescoates please read the docs carefully. All configuration happens in custom.php.
Can I restrict usage of the upload functionality to members of the local network of the cloudron server somehow?
$cfg['upload_ip'] = array();@necrevistonnezr yes. You can set a upload password and whitelist (with upload_ip_nopassword) your local network (range) to be able to upload without password. That should solve it
/* Upload password(s). * An empty array will disable the password authentification. * $cfg['upload_password'] = array(); // No password * $cfg['upload_password'] = array('psw1'); // One password * $cfg['upload_password'] = array('psw1', 'psw2'); // Two passwords */ $cfg['upload_password'] = array(); /* List of IP allowed to upload a file. * If the list is empty, then there is no upload restriction based on IP. * Elements of the list can be a single IP (e.g. "123.45.67.89") or * an IP range (e.g. "123.45.0.0/16"). * Note that CIDR notation is available for IPv4 only for the moment. */ $cfg['upload_ip'] = array(); /* List of IP allowed to upload a file without password. * Elements of the list can be a single IP (e.g. "123.45.67.89") or * an IP range (e.g. "123.45.0.0/16"). * Note that CIDR notation is available for IPv4 only for the moment. */ $cfg['upload_ip_nopassword'] = array(); -
@jdaviescoates please read the docs carefully. All configuration happens in custom.php.
EDIT: Okay it was missleading because of what @luckow said. Changes in custom.php will overwrite static config at /run/config.php (not writeable).
@subven said in Admin Interface link:
@jdaviescoates please read the docs carefully. All configuration happens in custom.php.
EDIT: Okay it was missleading because of what @luckow said. Changes in custom.php will overwrite static config at /run/config.php (not writeable).Yeah, but also, neither the first time instructions nor the docs actually mention the need to have to use a lowercase hashed pw.
Sure, that can be discovered by reading the comments in custom.php or the comments in https://gitlab.com/mojo42/Jirafeau/-/blob/master/lib/config.original.php as linked to from the docs, but those are easily missed.
It could be a bit clearer, that's all. Like if was mentioned it in the first time set-up and docs
-
@subven said in Admin Interface link:
@jdaviescoates please read the docs carefully. All configuration happens in custom.php.
EDIT: Okay it was missleading because of what @luckow said. Changes in custom.php will overwrite static config at /run/config.php (not writeable).Yeah, but also, neither the first time instructions nor the docs actually mention the need to have to use a lowercase hashed pw.
Sure, that can be discovered by reading the comments in custom.php or the comments in https://gitlab.com/mojo42/Jirafeau/-/blob/master/lib/config.original.php as linked to from the docs, but those are easily missed.
It could be a bit clearer, that's all. Like if was mentioned it in the first time set-up and docs
@jdaviescoates sorry I was referring to the custom.php/config part. The hash lowercase stuff definitely has room for improvement.
@necrevistonnezr can you please test what I said? I just uploaded a file and it seems that the uploader IP is not stored correctly.
That IP is from the docker network. If this is true it could mean that the uploader IP policy will not work. We should take a look at:
/* Proxy IP * If the installation is behind some reverse proxies, it is possible to set * the allowed proxy IP. * $cfg['proxy_ip'] = array('12.34.56.78'); * Jirafeau will then get a visitor's IP from HTTP_X_FORWARDED_FOR * instead of REMOTE_ADDR. */ $cfg['proxy_ip'] = array(); -
@jdaviescoates sorry I was referring to the custom.php/config part. The hash lowercase stuff definitely has room for improvement.
@necrevistonnezr can you please test what I said? I just uploaded a file and it seems that the uploader IP is not stored correctly.
That IP is from the docker network. If this is true it could mean that the uploader IP policy will not work. We should take a look at:
/* Proxy IP * If the installation is behind some reverse proxies, it is possible to set * the allowed proxy IP. * $cfg['proxy_ip'] = array('12.34.56.78'); * Jirafeau will then get a visitor's IP from HTTP_X_FORWARDED_FOR * instead of REMOTE_ADDR. */ $cfg['proxy_ip'] = array();@subven said in Admin Interface link:
$cfg['proxy_ip'] = array();
Sounds promising.
Do you know how we'd find out what IP(s) to put here?
-
@subven said in Admin Interface link:
$cfg['proxy_ip'] = array();
Sounds promising.
Do you know how we'd find out what IP(s) to put here?
@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.
root@yourhostname:~# docker network inspect cloudron | grep Gateway "Gateway": "172.18.0.1"custom.php -->
$cfg['proxy_ip'] = array('172.18.0.1');After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address
EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storage -
@jdaviescoates please read the docs carefully. All configuration happens in custom.php.
EDIT: Okay it was missleading because of what @luckow said. Changes in custom.php will overwrite static config at /run/config.php (not writeable).
-
@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.
root@yourhostname:~# docker network inspect cloudron | grep Gateway "Gateway": "172.18.0.1"custom.php -->
$cfg['proxy_ip'] = array('172.18.0.1');After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address
EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storage -
I really like the current solution:
@luckow said in Admin Interface link:
As an addition:
add this to the config.php to disallow anonymous upload.$cfg['upload_password'] = array('PASSWORD');
This SHOULD be part of the documentation because I think not everybody is aware of what could happen if the service is publicly available.
-
@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.
root@yourhostname:~# docker network inspect cloudron | grep Gateway "Gateway": "172.18.0.1"custom.php -->
$cfg['proxy_ip'] = array('172.18.0.1');After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address
EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storage@subven said in Admin Interface link:
@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.
root@yourhostname:~# docker network inspect cloudron | grep Gateway "Gateway": "172.18.0.1"custom.php -->
$cfg['proxy_ip'] = array('172.18.0.1');After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address
EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storageNot the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1');alone does not deny access to clients from other IPs.
When I add$cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.EDIT: Using
$cfg['upload_ip'] = array('192.168.1.0/24');doesn't work either. -
@subven said in Admin Interface link:
@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.
root@yourhostname:~# docker network inspect cloudron | grep Gateway "Gateway": "172.18.0.1"custom.php -->
$cfg['proxy_ip'] = array('172.18.0.1');After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address
EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storageNot the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1');alone does not deny access to clients from other IPs.
When I add$cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.EDIT: Using
$cfg['upload_ip'] = array('192.168.1.0/24');doesn't work either. -
@subven said in Admin Interface link:
@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.
root@yourhostname:~# docker network inspect cloudron | grep Gateway "Gateway": "172.18.0.1"custom.php -->
$cfg['proxy_ip'] = array('172.18.0.1');After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address
EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storageNot the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1');alone does not deny access to clients from other IPs.
When I add$cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.EDIT: Using
$cfg['upload_ip'] = array('192.168.1.0/24');doesn't work either.@necrevistonnezr said in Admin Interface link:
Not the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1');alone does not deny access to clients from other IPs.
When I add$cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.EDIT: Using
$cfg['upload_ip'] = array('192.168.1.0/24');doesn't work either.We're talking about two different things here. You do not care about 172.18.0.1 since it's for the Docker network only and not related to clients. Setting
$cfg['proxy_ip'] = array('172.18.0.1');allows the app to get the clients real IP address throughHTTP_X_FORWARDED_FOR. The changes made to the default config are fine.$cfg['upload_ip'] = array('172.18.0.1');= makes no sense at all
$cfg['upload_ip'] = array('192.168.1.0/24');= tells the app to only allow uploads from this network
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');= tells the app to do not ask for a password from this networkIn short: Please use only
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');as additional setting if you want your local network to be able to upload without password. If you want to prevent others from uploading (even with password) please add$cfg['upload_ip'] = array('192.168.1.0/24');EDIT: I just tested it and everything works as it should.
-
@necrevistonnezr said in Admin Interface link:
Not the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1');alone does not deny access to clients from other IPs.
When I add$cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.EDIT: Using
$cfg['upload_ip'] = array('192.168.1.0/24');doesn't work either.We're talking about two different things here. You do not care about 172.18.0.1 since it's for the Docker network only and not related to clients. Setting
$cfg['proxy_ip'] = array('172.18.0.1');allows the app to get the clients real IP address throughHTTP_X_FORWARDED_FOR. The changes made to the default config are fine.$cfg['upload_ip'] = array('172.18.0.1');= makes no sense at all
$cfg['upload_ip'] = array('192.168.1.0/24');= tells the app to only allow uploads from this network
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');= tells the app to do not ask for a password from this networkIn short: Please use only
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');as additional setting if you want your local network to be able to upload without password. If you want to prevent others from uploading (even with password) please add$cfg['upload_ip'] = array('192.168.1.0/24');EDIT: I just tested it and everything works as it should.
@subven said in Admin Interface link:
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');
Thanks for the detailed explanation! I'm not yet very versed network topics but I'm here to learn.
But: After setting
$cfg['upload_ip'] = array('192.168.1.0/24');I get anaccess deniedto the site in my local network (Cloudron is in my local network at home at192.168.1.27, my Mac has the IP192.168.1.33, even if I set$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');My current config is
$cfg['admin_password'] = '#######'; $cfg['proxy_ip'] = array('172.18.0.1'); $cfg['upload_password'] = #######'); $cfg['upload_ip_nopassword'] = array('192.168.1.0/24'); $cfg['upload_ip'] = array('192.168.1.0/24');
