@girish All these years and it’s still a pain >_< Edit: I’m referring to Linux distros ofc, not Cloudron.

@girish I second this

@necrevistonnezr this was the one https://forum.cloudron.io/topic/1971/urgent-security-issue-in-nginx-php-fpm

@necrevistonnezr Thanks, good to know. Will keep an eye for the ubuntu update. Cloudron is not at risk because we only use it internally (it is not exposed via public port). We also don't use NOTIFY query (this is a zone change notification across dns servers) as we use unbound as a recursive resolver and nothing more.

I guess this should come in as an nginx update via ubuntu at some point. We don't package nginx ourselves.

@Miggi I love the idea, however - One issue I see with this is the claim of being better than OpenVPN, but no certification by a reputable security firm like OpenVPN. I have tried Wireguard though - amazing how fast and easy it was to configure. But just not old enough to be considered stable - yet.

@ahkg the reason for whitelisting 172.18.0.1 give access to all requests, is that this is the ip of the Cloudron internal gateway into the subnet where all apps are running. Unfortunately for your case the cloudron healtcheck also comes via this gateway. I think your htaccess file needs to check for the X-Forwarded-For header to check against the correct inbound address.

I have updated the ciphers now according to mozilla's config generator. The commit is https://git.cloudron.io/cloudron/box/commit/ddaa52163bf3844b36d6c29fdffb5db3e0b3f5d0 For the CSP settings, this indeed cannot properly be done on a platform level, as apps require differently strict settings there and have to provide this on their own, so this should ideally be fixed in each app upstream.