Traccar - Possible Improvements
-
Here are some possible traccar app configurations options for improving tracccar app handling in cloudron. Most import features is at the top.
-
Option for opening multiple ports for different hardware tracker. Ports cannot be changed on devices. The port determines the geo-information decoding. (quite important). I do not know if this could be security concern. As far as I know they do have a "secure" string encoding, also regarding this some history AppCheckArticle and Traccar Release 4.1 Note. Most devices do not support a secure connection.Therefore a man in the middle attack is still possible, but that depends on the used tracking hardware from the user and personally I don't think this something that is relevant for cloudron integration. I'm using emnify who support a OpenVPN connection for interacting with the devices. Maybe (just an idea) you could setup different vpn tunnels connections from and within between cloudron apps, this could maybe be useful for other apps, too. But I don't know.
-
A way to set "update-save" additional settings in traccar.xml (I don't know if this is actually possible right know), for example for
- Notifications - some can be done per user in the app, most (serverwide) only via the traccar.xml traccar notifications
- SMS Service
- Reverse Geocoding
-
Enable or disable internal authentication, this can be set using the LDAP Configuration of traccar: ldap.force=True/False - Disables internal authentication, only LDAP users can login
It is also available under admin panel server settings!
I've updated to 0.03 and did not loose any setting or data.
Thank you very much! -
-
Here are some possible traccar app configurations options for improving tracccar app handling in cloudron. Most import features is at the top.
-
Option for opening multiple ports for different hardware tracker. Ports cannot be changed on devices. The port determines the geo-information decoding. (quite important). I do not know if this could be security concern. As far as I know they do have a "secure" string encoding, also regarding this some history AppCheckArticle and Traccar Release 4.1 Note. Most devices do not support a secure connection.Therefore a man in the middle attack is still possible, but that depends on the used tracking hardware from the user and personally I don't think this something that is relevant for cloudron integration. I'm using emnify who support a OpenVPN connection for interacting with the devices. Maybe (just an idea) you could setup different vpn tunnels connections from and within between cloudron apps, this could maybe be useful for other apps, too. But I don't know.
-
A way to set "update-save" additional settings in traccar.xml (I don't know if this is actually possible right know), for example for
- Notifications - some can be done per user in the app, most (serverwide) only via the traccar.xml traccar notifications
- SMS Service
- Reverse Geocoding
-
Enable or disable internal authentication, this can be set using the LDAP Configuration of traccar: ldap.force=True/False - Disables internal authentication, only LDAP users can login
It is also available under admin panel server settings!
I've updated to 0.03 and did not loose any setting or data.
Thank you very much!@timka thanks for the detailed write up.
Custom config is possible - https://docs.cloudron.io/apps/traccar/#custom-config
I also enabled optional LDAP support in the latest package.
Unfortunately, I had to also switch from postgres to mysql since that appears to be better supported upstream. So, you have to start afresh with the latest package.
-
-
Here are some possible traccar app configurations options for improving tracccar app handling in cloudron. Most import features is at the top.
-
Option for opening multiple ports for different hardware tracker. Ports cannot be changed on devices. The port determines the geo-information decoding. (quite important). I do not know if this could be security concern. As far as I know they do have a "secure" string encoding, also regarding this some history AppCheckArticle and Traccar Release 4.1 Note. Most devices do not support a secure connection.Therefore a man in the middle attack is still possible, but that depends on the used tracking hardware from the user and personally I don't think this something that is relevant for cloudron integration. I'm using emnify who support a OpenVPN connection for interacting with the devices. Maybe (just an idea) you could setup different vpn tunnels connections from and within between cloudron apps, this could maybe be useful for other apps, too. But I don't know.
-
A way to set "update-save" additional settings in traccar.xml (I don't know if this is actually possible right know), for example for
- Notifications - some can be done per user in the app, most (serverwide) only via the traccar.xml traccar notifications
- SMS Service
- Reverse Geocoding
-
Enable or disable internal authentication, this can be set using the LDAP Configuration of traccar: ldap.force=True/False - Disables internal authentication, only LDAP users can login
It is also available under admin panel server settings!
I've updated to 0.03 and did not loose any setting or data.
Thank you very much!@timka said in Traccar - Possible Improvements:
Maybe (just an idea) you could setup different vpn tunnels connections from and within between cloudron apps, this could maybe be useful for other apps, too. But I don't know.
Yes, this is in our plans at a more generic app level. I think we have a whole bunch of internal apps which are now exposed to internet for no good reason. Would be nice if only "trusted" devices can connect to them via wireguard/openvpn.
-
-
Here are some possible traccar app configurations options for improving tracccar app handling in cloudron. Most import features is at the top.
-
Option for opening multiple ports for different hardware tracker. Ports cannot be changed on devices. The port determines the geo-information decoding. (quite important). I do not know if this could be security concern. As far as I know they do have a "secure" string encoding, also regarding this some history AppCheckArticle and Traccar Release 4.1 Note. Most devices do not support a secure connection.Therefore a man in the middle attack is still possible, but that depends on the used tracking hardware from the user and personally I don't think this something that is relevant for cloudron integration. I'm using emnify who support a OpenVPN connection for interacting with the devices. Maybe (just an idea) you could setup different vpn tunnels connections from and within between cloudron apps, this could maybe be useful for other apps, too. But I don't know.
-
A way to set "update-save" additional settings in traccar.xml (I don't know if this is actually possible right know), for example for
- Notifications - some can be done per user in the app, most (serverwide) only via the traccar.xml traccar notifications
- SMS Service
- Reverse Geocoding
-
Enable or disable internal authentication, this can be set using the LDAP Configuration of traccar: ldap.force=True/False - Disables internal authentication, only LDAP users can login
It is also available under admin panel server settings!
I've updated to 0.03 and did not loose any setting or data.
Thank you very much!@timka as you probably know about the ports, it seems there are gazillion devices/ports. I have found a way to secure port 5055 atleast and the android client works well with https.
What device do you use? For the moment, I can make the package open up just that port and we can open up more ports as people request more. It seems some are UDP and some are TCP, but the page is not clear.
Currently, because of docker using the userland proxy opening a large port range is very memory heavy (one has to then run a container in host mode, which we don't do) - this link has background on all this.
-
-
@timka as you probably know about the ports, it seems there are gazillion devices/ports. I have found a way to secure port 5055 atleast and the android client works well with https.
What device do you use? For the moment, I can make the package open up just that port and we can open up more ports as people request more. It seems some are UDP and some are TCP, but the page is not clear.
Currently, because of docker using the userland proxy opening a large port range is very memory heavy (one has to then run a container in host mode, which we don't do) - this link has background on all this.
@girish Ok I totally understand. I'm using 5013. Maybe provide 3 options and/or allow the most important ports?
I suggest to use the 4-10 most used ports based on the DeviceCount?
I just edited the port 5055 and it worked. I think, the devices might all just use TCP ports. But I let you know if I find out something about that.I can attach (but I'm not allowed) a unique_port_list and also the ProtocolCount in descending order based on the count of protocols.
Here are the first 20 items :
Protocol DeviceCount Port meiligao 62 5009 teltonika 61 5027 h02 58 5013 gt06 52 5023 gl200 36 5004 tlt2h 30 5030 eelink 26 5064 calamp 24 5082 xirgo 22 5081 tk103 21 5002 khd 20 5058 megastek 19 5024 t55 18 5005 meitrack 17 5020 castel 17 5086 envotech 17 5240 navtelecom 17 5221 huabao 16 5015 upro 15 5095 totem 15 5007 -
@timka said in Traccar - Possible Improvements:
Maybe (just an idea) you could setup different vpn tunnels connections from and within between cloudron apps, this could maybe be useful for other apps, too. But I don't know.
Yes, this is in our plans at a more generic app level. I think we have a whole bunch of internal apps which are now exposed to internet for no good reason. Would be nice if only "trusted" devices can connect to them via wireguard/openvpn.
@girish sounds wonderful! Probably you already know but maybe a MeshNetwork would be awesome, see a curated list for wireguard on github. I do like (Nebula)[https://github.com/slackhq/nebula], (netmaker-license?)[https://github.com/gravitl/netmaker] and (Netbird beta)[https://github.com/netbirdio/netbird] based on reading. Other variants are more a beta. But I don't have any experience with those!
-
@timka thanks for the detailed write up.
Custom config is possible - https://docs.cloudron.io/apps/traccar/#custom-config
I also enabled optional LDAP support in the latest package.
Unfortunately, I had to also switch from postgres to mysql since that appears to be better supported upstream. So, you have to start afresh with the latest package.
