Admin Interface link

fjonker

It would be helpful to users to include the link to the Admin Interface in the First Time Setup or Documentation page.

For those that didn't locate it, the admin link is [domain]/admin.php

Also you can use the following tool to generate an admin password hash...
https://passwordsgenerator.net/sha256-hash-generator/

luckow

As an addition:
add this to the ~~config.php~~ custom.php to disallow anonymous upload.

$cfg['upload_password'] = array('PASSWORD');

subven

I really like the current solution:

2021-01-29 16_14_10-Ultratech.png

@luckow said in Admin Interface link:

As an addition:
add this to the config.php to disallow anonymous upload.

$cfg['upload_password'] = array('PASSWORD');

This SHOULD be part of the documentation because I think not everybody is aware of what could happen if the service is publicly available.

luckow

@subven wow. haven't seen that new icon. "tomatoes on eyes"

jdaviescoates

@fjonker said in Admin Interface link:

Also you can use the following tool to generate an admin password hash...
https://passwordsgenerator.net/sha256-hash-generator/

Thanks!

Although when I used this it didn't work... because you need to select the Lowercase hash(es) checkbox.

I discovered this after doing:

echo -n "newpassword" | sha256sum

As indicated in the comments of custom.php file. And then noticing that it generates a lowercase hash.

But this could be a lot clearer. At first I missed the fact I had to hash the pw. And then I didn't realise it had to be a lowercase hash.

@luckow said in Admin Interface link:

As an addition:
add this to the config.php to disallow anonymous upload.
$cfg['upload_password'] = array('PASSWORD');

Do you mean in the <custom.php> file? (because I don't see a config.php in the file manager, at least not in the top level where custom.php and php.ini are)

subven

@jdaviescoates please read the docs carefully. All configuration happens in custom.php.

EDIT: Okay it was missleading because of what @luckow said. Changes in custom.php will overwrite static config at /run/config.php (not writeable).

necrevistonnezr

@subven said in Admin Interface link:

@jdaviescoates please read the docs carefully. All configuration happens in custom.php.

Can I restrict usage of the upload functionality to members of the local network of the cloudron server somehow?

$cfg['upload_ip'] = array();

subven

@necrevistonnezr yes. You can set a upload password and whitelist (with upload_ip_nopassword) your local network (range) to be able to upload without password. That should solve it

/* Upload password(s).
 * An empty array will disable the password authentification.
 * $cfg['upload_password'] = array();               // No password
 * $cfg['upload_password'] = array('psw1');         // One password
 * $cfg['upload_password'] = array('psw1', 'psw2'); // Two passwords
 */
$cfg['upload_password'] = array();

/* List of IP allowed to upload a file.
 * If the list is empty, then there is no upload restriction based on IP.
 * Elements of the list can be a single IP (e.g. "123.45.67.89") or
 * an IP range (e.g. "123.45.0.0/16").
 * Note that CIDR notation is available for IPv4 only for the moment.
 */
$cfg['upload_ip'] = array();

/* List of IP allowed to upload a file without password.
 * Elements of the list can be a single IP (e.g. "123.45.67.89") or
 * an IP range (e.g. "123.45.0.0/16").
 * Note that CIDR notation is available for IPv4 only for the moment.
 */
$cfg['upload_ip_nopassword'] = array();

jdaviescoates

@subven said in Admin Interface link:

@jdaviescoates please read the docs carefully. All configuration happens in custom.php.
EDIT: Okay it was missleading because of what @luckow said. Changes in custom.php will overwrite static config at /run/config.php (not writeable).

Yeah, but also, neither the first time instructions nor the docs actually mention the need to have to use a lowercase hashed pw.

Sure, that can be discovered by reading the comments in custom.php or the comments in https://gitlab.com/mojo42/Jirafeau/-/blob/master/lib/config.original.php as linked to from the docs, but those are easily missed.

It could be a bit clearer, that's all. Like if was mentioned it in the first time set-up and docs

subven

@jdaviescoates sorry I was referring to the custom.php/config part. The hash lowercase stuff definitely has room for improvement.

@necrevistonnezr can you please test what I said? I just uploaded a file and it seems that the uploader IP is not stored correctly. 2021-01-29 17_28_38-Jirafeau, dein Web-Speicher für Dateien.png

That IP is from the docker network. If this is true it could mean that the uploader IP policy will not work. We should take a look at:

/* Proxy IP
 * If the installation is behind some reverse proxies, it is possible to set
 * the allowed proxy IP.
 * $cfg['proxy_ip'] = array('12.34.56.78');
 * Jirafeau will then get a visitor's IP from HTTP_X_FORWARDED_FOR
 * instead of REMOTE_ADDR.
 */
$cfg['proxy_ip'] = array();

jdaviescoates

@subven said in Admin Interface link:

$cfg['proxy_ip'] = array();

Sounds promising.

Do you know how we'd find out what IP(s) to put here?

subven

@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.

root@yourhostname:~# docker network inspect cloudron | grep Gateway
                    "Gateway": "172.18.0.1"

custom.php -->

$cfg['proxy_ip'] = array('172.18.0.1');

After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address

EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storage

luckow

@subven sorry for the wrong filename.

girish

I have put a doc section on securing uploads here - https://docs.cloudron.io/apps/jirafeau/#restricting-uploads

@subven thanks, I pushed out a new package now with the trust proxy setting.

fjonker

@subven Yes... so I totally missed the fact that there was an admin link icon for this (and other) apps! Thanks!

necrevistonnezr

@subven said in Admin Interface link:

@jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.
root@yourhostname:~# docker network inspect cloudron | grep Gateway
                    "Gateway": "172.18.0.1"
custom.php -->
$cfg['proxy_ip'] = array('172.18.0.1');
After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address

EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1
@girish this could also be permanently added to the config to allow uploader IP storage

Not the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1'); alone does not deny access to clients from other IPs.
When I add $cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.

EDIT: Using $cfg['upload_ip'] = array('192.168.1.0/24'); doesn't work either.

girish

@necrevistonnezr If you update to the latest package (1.0.0), the logs will tell you what the IP it is being access as.

subven

@necrevistonnezr said in Admin Interface link:

Not the right setting yet, I think.
$cfg['proxy_ip'] = array('172.18.0.1'); alone does not deny access to clients from other IPs.
When I add $cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.

EDIT: Using $cfg['upload_ip'] = array('192.168.1.0/24'); doesn't work either.

We're talking about two different things here. You do not care about 172.18.0.1 since it's for the Docker network only and not related to clients. Setting $cfg['proxy_ip'] = array('172.18.0.1'); allows the app to get the clients real IP address through HTTP_X_FORWARDED_FOR. The changes made to the default config are fine.

$cfg['upload_ip'] = array('172.18.0.1'); = makes no sense at all
$cfg['upload_ip'] = array('192.168.1.0/24'); = tells the app to only allow uploads from this network
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24'); = tells the app to do not ask for a password from this network

In short: Please use only $cfg['upload_ip_nopassword'] = array('192.168.1.0/24'); as additional setting if you want your local network to be able to upload without password. If you want to prevent others from uploading (even with password) please add $cfg['upload_ip'] = array('192.168.1.0/24');

EDIT: I just tested it and everything works as it should.

necrevistonnezr

@subven said in Admin Interface link:

$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');

Thanks for the detailed explanation! I'm not yet very versed network topics but I'm here to learn.

But: After setting $cfg['upload_ip'] = array('192.168.1.0/24'); I get an access denied to the site in my local network (Cloudron is in my local network at home at 192.168.1.27, my Mac has the IP 192.168.1.33, even if I set $cfg['upload_ip_nopassword'] = array('192.168.1.0/24');

My current config is

$cfg['admin_password'] = '#######';
$cfg['proxy_ip'] = array('172.18.0.1');
$cfg['upload_password'] = #######');
$cfg['upload_ip_nopassword'] = array('192.168.1.0/24');
$cfg['upload_ip'] = array('192.168.1.0/24');

Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.

Admin Interface link