Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Solved Improve security and ciphers

    Support
    security
    3
    8
    687
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      saglagla last edited by girish

      Hello,

      Regarding to :

      • https://securityheaders.io
      • https://observatory.mozilla.org/analyze/
      • https://tls.imirhil.fr/smtp/
      • https://tls.imirhil.fr/https/

      There is a way to improve security (ciphers, like Content-Security-Policy in https headers by example).
      Also, I've notice that each application have his own score which means that reverse-proxy configuration is not iso for each app ? Is it normal ?

      1 Reply Last reply Reply Quote 2
      • girish
        girish Staff last edited by

        @saglagla It should be the same for all apps since Cloudron uses a reverse proxy internally.

        I checked my.cloudron.io (cloudron), git.cloudron.io (gitlab), chat.cloudron.io (rocketchat) and forum.cloudron.io (nodebb), files.cloudron.io (nextcloud). I get A for all the domains. The CSP headers have to be ideally set by the upstream app, most of them do not set it (but nextcloud does).

        S 1 Reply Last reply Reply Quote 0
        • S
          saglagla @girish last edited by

          @girish said in Improve security and ciphers:

          my.cloudron.io

          If you check on the mozilla observatory https://observatory.mozilla.org/analyze/my.cloudron.io get a B due to CSP.

          Also, if you're using :https://tls.imirhil.fr/ with http test, you'll get a C

          0_1523344438832_c78276d9-f238-45ac-aedb-12d400d71a5c-image.png

          1 Reply Last reply Reply Quote 0
          • girish
            girish Staff last edited by

            @saglagla I see, thanks. The low score seems of https://observatory.mozilla.org/analyze/my.cloudron.io is because of the lack of CSP headers (a big -25!). We used to have CSP but I think @nebulon disabled it. @nebulon do you know why we disabled it?

            1 Reply Last reply Reply Quote 0
            • nebulon
              nebulon Staff last edited by

              I pushed some CSP changes with https://git.cloudron.io/cloudron/box/commit/573d0e993ea519630aead4880605cd2a985cde82
              This is the minimal set of restrictions, which still work for the dashboard code currently.

              1 Reply Last reply Reply Quote 0
              • S
                saglagla last edited by saglagla

                Okay, okay.

                Ans, So, each app get his OWN web server ? Okay so it's complicated to uniform the security policy easily...
                Also, by example why allowing 3DES ? like DES-CBC3-SHA in all TLS version ?

                EDIT : I think every app need to be at a A or A+ grade in order to be validated for cloudron.
                Paperwork / Wallabag allow unsecure cookies by exemple :
                Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS

                EDIT 2 : Sorry for the twin-post
                Also, I'm just trying to follow up all the public recommandation from the french IT Sec agency

                1 Reply Last reply Reply Quote 0
                • S
                  saglagla last edited by

                  This post is deleted!
                  1 Reply Last reply Reply Quote 0
                  • nebulon
                    nebulon Staff last edited by

                    I have updated the ciphers now according to mozilla's config generator. The commit is https://git.cloudron.io/cloudron/box/commit/ddaa52163bf3844b36d6c29fdffb5db3e0b3f5d0

                    For the CSP settings, this indeed cannot properly be done on a platform level, as apps require differently strict settings there and have to provide this on their own, so this should ideally be fixed in each app upstream.

                    1 Reply Last reply Reply Quote 1
                    • First post
                      Last post
                    Powered by NodeBB