Admin Interface link

subven

@jdaviescoates sorry I was referring to the custom.php/config part. The hash lowercase stuff definitely has room for improvement.

@necrevistonnezr can you please test what I said? I just uploaded a file and it seems that the uploader IP is not stored correctly.

That IP is from the docker network. If this is true it could mean that the uploader IP policy will not work. We should take a look at:

/* Proxy IP
 * If the installation is behind some reverse proxies, it is possible to set
 * the allowed proxy IP.
 * $cfg['proxy_ip'] = array('12.34.56.78');
 * Jirafeau will then get a visitor's IP from HTTP_X_FORWARDED_FOR
 * instead of REMOTE_ADDR.
 */
$cfg['proxy_ip'] = array();

jdaviescoates

@subven said in Admin Interface link:

$cfg['proxy_ip'] = array();

Sounds promising.

Do you know how we'd find out what IP(s) to put here?

subven

@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.

root@yourhostname:~# docker network inspect cloudron | grep Gateway
                    "Gateway": "172.18.0.1"

custom.php -->

$cfg['proxy_ip'] = array('172.18.0.1');

After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address

EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storage

luckow

@subven sorry for the wrong filename.

girish

I have put a doc section on securing uploads here - https://docs.cloudron.io/apps/jirafeau/#restricting-uploads

@subven thanks, I pushed out a new package now with the trust proxy setting.

fjonker

@subven Yes... so I totally missed the fact that there was an admin link icon for this (and other) apps! Thanks!

necrevistonnezr

@subven said in Admin Interface link:

@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.

root@yourhostname:~# docker network inspect cloudron | grep Gateway
                    "Gateway": "172.18.0.1"

custom.php -->

$cfg['proxy_ip'] = array('172.18.0.1');

After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address

EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storage

Not the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1'); alone does not deny access to clients from other IPs.
When I add $cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.

EDIT: Using $cfg['upload_ip'] = array('192.168.1.0/24'); doesn't work either.

girish

@necrevistonnezr If you update to the latest package (1.0.0), the logs will tell you what the IP it is being access as.

subven

@necrevistonnezr said in Admin Interface link:

Not the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1'); alone does not deny access to clients from other IPs.
When I add $cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.

EDIT: Using $cfg['upload_ip'] = array('192.168.1.0/24'); doesn't work either.

We're talking about two different things here. You do not care about 172.18.0.1 since it's for the Docker network only and not related to clients. Setting $cfg['proxy_ip'] = array('172.18.0.1'); allows the app to get the clients real IP address through HTTP_X_FORWARDED_FOR. The changes made to the default config are fine.

$cfg['upload_ip'] = array('172.18.0.1'); = makes no sense at all
$cfg['upload_ip'] = array('192.168.1.0/24'); = tells the app to only allow uploads from this network
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24'); = tells the app to do not ask for a password from this network

In short: Please use only $cfg['upload_ip_nopassword'] = array('192.168.1.0/24'); as additional setting if you want your local network to be able to upload without password. If you want to prevent others from uploading (even with password) please add $cfg['upload_ip'] = array('192.168.1.0/24');

EDIT: I just tested it and everything works as it should.

necrevistonnezr

@subven said in Admin Interface link:

$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');

Thanks for the detailed explanation! I'm not yet very versed network topics but I'm here to learn.

But: After setting $cfg['upload_ip'] = array('192.168.1.0/24'); I get an access denied to the site in my local network (Cloudron is in my local network at home at 192.168.1.27, my Mac has the IP 192.168.1.33, even if I set $cfg['upload_ip_nopassword'] = array('192.168.1.0/24');

My current config is

$cfg['admin_password'] = '#######';
$cfg['proxy_ip'] = array('172.18.0.1');
$cfg['upload_password'] = #######');
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');
$cfg['upload_ip'] = array('192.168.1.0/24');