Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Navigation

    Cloudron Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Security issue when installing/restore Cloudron on same VPS?

    Support
    security
    4
    7
    93
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • imc67
      imc67 last edited by girish

      Hi,

      I was thinking about the following scenario (i.e. whenever you want to have restore or a 'clean upgrade' to Ubuntu 20.04 on the same VPS/IP) but it might lead to a security issue?

      1. On a VPS you have a running Cloudron with traffic
      2. You have a very recent external backup to use for restore
      3. Wipe/format the SSD of your VPS and do a clean install of Ubuntu with or without Cloudron-image (if without, install Cloudron manually)
      4. After Cloudron install you have the situation that every visitor of every app (i.e. high traffic Wordpress sites) will end up in the Cloudron Domain Setup and can mess up whatever they want because DNS of all (sub-)domains are still present and resolves to IP

      What I would like to see is that after Cloudron install, the response on the IP-only is a decent "Coming soon" page (un-branded) and a special "hidden" URL (there is already the setupdns.html) where the admin can start configuring and restoring? It's also much nicer for "clean installs", it prevents "old" IP traffic or crawlers from running into setup?

      jimcavoli 1 Reply Last reply Reply Quote 2
      • jimcavoli
        jimcavoli App Dev @imc67 last edited by

        @imc67 I just migrated a Cloudron server between cloud providers with a restore, and my solution was to serve downtime / maintenance pages from the edge of the Cloudflare network. Worked flawlessly. Without Cloudflare in the mix (I know folks have very mixed opinions), you could just pull a new IP for the box (DNS will be auto-updated to the new one upon restore) so that the old one just 404s, or you could use firewall rules at the provider or box level to restrict inbound traffic to your management network temporarily.

        This is mostly just to lay out the current options - there may well be merit to the obscure URL trick as well, and that's worth considering in Feature Requests perhaps as well for further discussion.

        1 Reply Last reply Reply Quote 2
        • mehdi
          mehdi App Dev last edited by

          The cleanest solution, from a security standpoint, would be to display a random password in the terminal when installing Cloudron, that would be required by the server setup page.

          Pre-installed Cloudron images would need to have a set password, so be a bit less secure, but it still would be good.

          1 Reply Last reply Reply Quote 2
          • girish
            girish Staff last edited by

            For the aws marketplace, we already implement this with asking for the ec2 instance id during setup.

            I guess for a start, we can have an option in the setup script to generate a passphrase and then maybe make this the default in a future release?

            imc67 1 Reply Last reply Reply Quote 4
            • imc67
              imc67 @girish last edited by imc67

              @girish that would be great, but even better in combination with on bare IP a "coming soon" page and setup on a specific URL.

              girish 1 Reply Last reply Reply Quote 2
              • girish
                girish Staff @imc67 last edited by

                @imc67 The "coming soon" seems like a bug.

                I have opened https://git.cloudron.io/cloudron/box/-/issues/751 and https://git.cloudron.io/cloudron/box/-/issues/752 for next release.

                imc67 1 Reply Last reply Reply Quote 4
                • imc67
                  imc67 @girish last edited by

                  @girish thanks again for this!

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post