Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

Admin Interface link

Scheduled Pinned Locked Moved Jirafeau
19 Posts 6 Posters 987 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • F Offline
    F Offline
    fjonker
    wrote on last edited by
    #1

    It would be helpful to users to include the link to the Admin Interface in the First Time Setup or Documentation page.

    For those that didn't locate it, the admin link is [domain]/admin.php

    Also you can use the following tool to generate an admin password hash...
    https://passwordsgenerator.net/sha256-hash-generator/

    jdaviescoatesJ 1 Reply Last reply
    3
  • luckowL Offline
    luckowL Offline
    luckow translator
    wrote on last edited by luckow
    #2

    As an addition:
    add this to the config.php custom.php to disallow anonymous upload.

    $cfg['upload_password'] = array('PASSWORD');

    Pronouns: he/him | Primary language: German

    1 Reply Last reply
    2
  • subvenS Offline
    subvenS Offline
    subven
    wrote on last edited by subven
    #3

    I really like the current solution:

    2021-01-29 16_14_10-Ultratech.png

    @luckow said in Admin Interface link:

    As an addition:
    add this to the config.php to disallow anonymous upload.

    $cfg['upload_password'] = array('PASSWORD');

    This SHOULD be part of the documentation because I think not everybody is aware of what could happen if the service is publicly available.

    luckowL F 2 Replies Last reply
    2
  • luckowL Offline
    luckowL Offline
    luckow translator
    replied to subven on last edited by
    #4

    @subven wow. haven't seen that new icon. "tomatoes on eyes" πŸ™‚

    Pronouns: he/him | Primary language: German

    1 Reply Last reply
    1
  • jdaviescoatesJ Offline
    jdaviescoatesJ Offline
    jdaviescoates
    replied to fjonker on last edited by
    #5

    @fjonker said in Admin Interface link:

    Also you can use the following tool to generate an admin password hash...
    https://passwordsgenerator.net/sha256-hash-generator/

    Thanks!

    Although when I used this it didn't work... because you need to select the Lowercase hash(es) checkbox.

    I discovered this after doing:

    echo -n "newpassword" | sha256sum
    

    As indicated in the comments of custom.php file. And then noticing that it generates a lowercase hash.

    But this could be a lot clearer. At first I missed the fact I had to hash the pw. And then I didn't realise it had to be a lowercase hash.

    @luckow said in Admin Interface link:

    As an addition:
    add this to the config.php to disallow anonymous upload.
    $cfg['upload_password'] = array('PASSWORD');

    Do you mean in the <custom.php> file? (because I don't see a config.php in the file manager, at least not in the top level where custom.php and php.ini are)

    I use Cloudron with Gandi & Hetzner

    subvenS 1 Reply Last reply
    0
  • subvenS Offline
    subvenS Offline
    subven
    replied to jdaviescoates on last edited by subven
    #6

    @jdaviescoates please read the docs carefully. All configuration happens in custom.php. πŸ™‚

    EDIT: Okay it was missleading because of what @luckow said. Changes in custom.php will overwrite static config at /run/config.php (not writeable).

    necrevistonnezrN jdaviescoatesJ luckowL 3 Replies Last reply
    1
  • necrevistonnezrN Offline
    necrevistonnezrN Offline
    necrevistonnezr
    replied to subven on last edited by
    #7

    @subven said in Admin Interface link:

    @jdaviescoates please read the docs carefully. All configuration happens in custom.php. πŸ™‚

    Can I restrict usage of the upload functionality to members of the local network of the cloudron server somehow?

    $cfg['upload_ip'] = array();
    
    subvenS 1 Reply Last reply
    1
  • subvenS Offline
    subvenS Offline
    subven
    replied to necrevistonnezr on last edited by subven
    #8

    @necrevistonnezr yes. You can set a upload password and whitelist (with upload_ip_nopassword) your local network (range) to be able to upload without password. That should solve it πŸ™‚

    /* Upload password(s).
     * An empty array will disable the password authentification.
     * $cfg['upload_password'] = array();               // No password
     * $cfg['upload_password'] = array('psw1');         // One password
     * $cfg['upload_password'] = array('psw1', 'psw2'); // Two passwords
     */
    $cfg['upload_password'] = array();
    
    /* List of IP allowed to upload a file.
     * If the list is empty, then there is no upload restriction based on IP.
     * Elements of the list can be a single IP (e.g. "123.45.67.89") or
     * an IP range (e.g. "123.45.0.0/16").
     * Note that CIDR notation is available for IPv4 only for the moment.
     */
    $cfg['upload_ip'] = array();
    
    /* List of IP allowed to upload a file without password.
     * Elements of the list can be a single IP (e.g. "123.45.67.89") or
     * an IP range (e.g. "123.45.0.0/16").
     * Note that CIDR notation is available for IPv4 only for the moment.
     */
    $cfg['upload_ip_nopassword'] = array();
    
    
    1 Reply Last reply
    1
  • jdaviescoatesJ Offline
    jdaviescoatesJ Offline
    jdaviescoates
    replied to subven on last edited by
    #9

    @subven said in Admin Interface link:

    @jdaviescoates please read the docs carefully. All configuration happens in custom.php.
    EDIT: Okay it was missleading because of what @luckow said. Changes in custom.php will overwrite static config at /run/config.php (not writeable).

    Yeah, but also, neither the first time instructions nor the docs actually mention the need to have to use a lowercase hashed pw.

    Sure, that can be discovered by reading the comments in custom.php or the comments in https://gitlab.com/mojo42/Jirafeau/-/blob/master/lib/config.original.php as linked to from the docs, but those are easily missed.

    It could be a bit clearer, that's all. Like if was mentioned it in the first time set-up and docs πŸ™‚

    I use Cloudron with Gandi & Hetzner

    subvenS 1 Reply Last reply
    0
  • subvenS Offline
    subvenS Offline
    subven
    replied to jdaviescoates on last edited by subven
    #10

    @jdaviescoates sorry I was referring to the custom.php/config part. The hash lowercase stuff definitely has room for improvement.

    @necrevistonnezr can you please test what I said? I just uploaded a file and it seems that the uploader IP is not stored correctly. 2021-01-29 17_28_38-Jirafeau, dein Web-Speicher fΓΌr Dateien.png

    That IP is from the docker network. If this is true it could mean that the uploader IP policy will not work. We should take a look at:

    /* Proxy IP
     * If the installation is behind some reverse proxies, it is possible to set
     * the allowed proxy IP.
     * $cfg['proxy_ip'] = array('12.34.56.78');
     * Jirafeau will then get a visitor's IP from HTTP_X_FORWARDED_FOR
     * instead of REMOTE_ADDR.
     */
    $cfg['proxy_ip'] = array();
    
    jdaviescoatesJ 1 Reply Last reply
    1
  • jdaviescoatesJ Offline
    jdaviescoatesJ Offline
    jdaviescoates
    replied to subven on last edited by
    #11

    @subven said in Admin Interface link:

    $cfg['proxy_ip'] = array();

    Sounds promising.

    Do you know how we'd find out what IP(s) to put here? πŸ™‚

    I use Cloudron with Gandi & Hetzner

    subvenS 1 Reply Last reply
    0
  • subvenS Offline
    subvenS Offline
    subven
    replied to jdaviescoates on last edited by subven
    #12

    @jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.

    root@yourhostname:~# docker network inspect cloudron | grep Gateway
                        "Gateway": "172.18.0.1"
    

    custom.php -->

    $cfg['proxy_ip'] = array('172.18.0.1');
    

    After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address πŸ™‚

    EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1 πŸ™‚
    @girish this could also be permanently added to the config to allow uploader IP storage πŸ™‚

    girishG necrevistonnezrN 2 Replies Last reply
    1
  • luckowL Offline
    luckowL Offline
    luckow translator
    replied to subven on last edited by
    #13

    @subven sorry for the wrong filename.

    Pronouns: he/him | Primary language: German

    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to subven on last edited by
    #14

    I have put a doc section on securing uploads here - https://docs.cloudron.io/apps/jirafeau/#restricting-uploads

    @subven thanks, I pushed out a new package now with the trust proxy setting.

    1 Reply Last reply
    2
  • F Offline
    F Offline
    fjonker
    replied to subven on last edited by
    #15

    @subven Yes... so I totally missed the fact that there was an admin link icon for this (and other) apps! Thanks!

    1 Reply Last reply
    1
  • necrevistonnezrN Offline
    necrevistonnezrN Offline
    necrevistonnezr
    replied to subven on last edited by necrevistonnezr
    #16

    @subven said in Admin Interface link:

    @jdaviescoates @necrevistonnezr I think I figured it out. You have to put your docker network gateway IP. I don't know if it's the same for all Cloudrons so better check yours first.

    root@yourhostname:~# docker network inspect cloudron | grep Gateway
                        "Gateway": "172.18.0.1"
    

    custom.php -->

    $cfg['proxy_ip'] = array('172.18.0.1');
    

    After that, the admin UI shows my real (external) IP address as uploader. If your Cloudron runs in a local network, it should display your client IP address πŸ™‚

    EDIT: Seems like the internal docker network IP is the same for all Cloudrons. You should be happy using 172.18.0.1 πŸ™‚
    @girish this could also be permanently added to the config to allow uploader IP storage πŸ™‚

    Not the right setting yet, I think.
    $cfg['proxy_ip'] = array('172.18.0.1'); alone does not deny access to clients from other IPs.
    When I add $cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.

    EDIT: Using $cfg['upload_ip'] = array('192.168.1.0/24'); doesn't work either.

    girishG subvenS 2 Replies Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to necrevistonnezr on last edited by
    #17

    @necrevistonnezr If you update to the latest package (1.0.0), the logs will tell you what the IP it is being access as.

    1 Reply Last reply
    1
  • subvenS Offline
    subvenS Offline
    subven
    replied to necrevistonnezr on last edited by subven
    #18

    @necrevistonnezr said in Admin Interface link:

    Not the right setting yet, I think.
    $cfg['proxy_ip'] = array('172.18.0.1'); alone does not deny access to clients from other IPs.
    When I add $cfg['upload_ip'] = array('172.18.0.1');all IPs are blocked again, even for clients on the same network as the Cloudron server.

    EDIT: Using $cfg['upload_ip'] = array('192.168.1.0/24'); doesn't work either.

    We're talking about two different things here. You do not care about 172.18.0.1 since it's for the Docker network only and not related to clients. Setting $cfg['proxy_ip'] = array('172.18.0.1'); allows the app to get the clients real IP address through HTTP_X_FORWARDED_FOR. The changes made to the default config are fine.

    $cfg['upload_ip'] = array('172.18.0.1'); = makes no sense at all
    $cfg['upload_ip'] = array('192.168.1.0/24'); = tells the app to only allow uploads from this network
    $cfg['upload_ip_nopassword'] = array('192.168.1.0/24'); = tells the app to do not ask for a password from this network

    In short: Please use only $cfg['upload_ip_nopassword'] = array('192.168.1.0/24'); as additional setting if you want your local network to be able to upload without password. If you want to prevent others from uploading (even with password) please add $cfg['upload_ip'] = array('192.168.1.0/24'); πŸ™‚

    EDIT: I just tested it and everything works as it should.

    necrevistonnezrN 1 Reply Last reply
    2
  • necrevistonnezrN Offline
    necrevistonnezrN Offline
    necrevistonnezr
    replied to subven on last edited by necrevistonnezr
    #19

    @subven said in Admin Interface link:

    $cfg['upload_ip_nopassword'] = array('192.168.1.0/24');

    Thanks for the detailed explanation! I'm not yet very versed network topics but I'm here to learn.

    But: After setting $cfg['upload_ip'] = array('192.168.1.0/24'); I get an access denied to the site in my local network (Cloudron is in my local network at home at 192.168.1.27, my Mac has the IP 192.168.1.33, even if I set $cfg['upload_ip_nopassword'] = array('192.168.1.0/24');

    My current config is

    $cfg['admin_password'] = '#######';
    $cfg['proxy_ip'] = array('172.18.0.1');
    $cfg['upload_password'] = #######');
    $cfg['upload_ip_nopassword'] = array('192.168.1.0/24');
    $cfg['upload_ip'] = array('192.168.1.0/24');
    
    1 Reply Last reply
    0

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.