Feature Request: 🔥 Simple per-App WAF with Templates (KISS) 🏰

Thank you for posting this, I was looking to post something similar albeit with far less detail.

I want to sign up for Cloudron and pay to support the developers and have all the conveniences as I have run two free instances for years.

The bit I cannot get past for now is the openness of the apps on the platform. Like Immich is just out there on the web and the security of that instance comes down to the devs at Immich?

I currently use Pangolin for anything non Cloudron related and it gives me a sense of security because things like Immich just aren’t reachable unless you first authenticate to Pangolin. Pangolins job is to secure things and this is what they have built and focus on. Where as Immich works on how best to handle your photos.

Right now I find it scary that my Immich or Outline instances for example that contain personal data might be exposed to the web with little protection.

Maybe I am over thinking it or have my details wrong but it’s currently holding me back from using Cloudron for my personal use and trusting it with my data.

Hi all.

I have been a longtime user of Cloudron free but looking to move to the paid tier but I do not want to present all these apps to the public internet.
Is there anyone running Cloudron using Tailscale or using local DNS record/DNS challenge for serving the apps via SSL but only to the local network?

Failing that I might be able to put all the apps behind Pangolin.

Hi all.

Noticed this error whilst troubleshooting the container:

[NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.

Is this something I can manually adjust to be more secure?

I don't have that setup currently but it's what I am looking for.
I feel that opening services like Immich to the web would be more secure if they had an extra step.

Hi all.

I’ve spent some time reading but either I can’t find the feature or it simply doesn’t exist.
I understand that Cloudron has a user system and can act as an SSO provider with apps that support it.

What I am wondering is, is there a way to add an extra auth step? For example like Authentik or Authelia where you must authenticate before you even see the app.

For example say I installed Immich and then enabled this feature, I would need to login/auth before I even saw the Immich login page?

Is this possible/available?

@jk said in IPv6 only Cloudron:

@dimtar To clarify: the VM can make connections to IPv4, but is not accessible inboud from IPv4, only from IPv6?

That's correct, this is just at home with a VM that has IPv4 connection to the internet but is behind a NAT as per standard residential connections. IPv6 is open on the inbound yes.

Spun up a new VM, Cloudron was happy to get the certs but it didn't set any AAAA records only the A record which for NAT reasons isn't correct.
So far its letting me proceed so I will see what I can do. Thank you

So I spun up a local virtual machine at my home which has an IPv4 (NAT) and an IPv6 address too. The firewall is set to allow traffic via port 80 and 443 to this box but only for IPv6 because I have no public IPv4 available.

The install was going well until it got to the section where it creates a certificate, it seems like this only works via IPv4 as the log showed the ACME challenge (or whatever its called) failing over and over again.

Also looking at setting up a few ipv6 only instances, keen to hear if anyone has this working 100%