Kasm - Virtual Desktop / Browser Isolation

1. Install Kasm. (I have it running on a dedicated VM and followed the single server installation instructions: https://kasmweb.com/docs/latest/install/single_server_install.html)

2. Once installed, log into the Kasm host using the admin credentials and then configure the reverse proxy by going to Infrastructure > Zones in the left hand side panel and following the instructions here: https://kasmweb.com/docs/latest/how_to/reverse_proxy.html#update-zones
   (Note: in my case, the default parameters worked fine)

3. Install the Cloudron App proxy and point it to your Kasm host e.g. https://[IP-ADDRESS]:443. Now you should be able to access the Kasm login page via the domain you set in the app proxy. e.g. kasm.yourdomain.tld

4. To use OpenID authentication, first we need to add Kasm as an OIDC client in Cloudron. Go to Cloudron > User Director > OpenID Connect Provider > New Client, and enter the following:
   Name: kasm
   Login callback URL: https://kasm.yourdomain.tld/api/oidc_callback
   Signing Algorithm: RS256

Copy the resulting Client ID and Client Secret for use in step 5.

5. Now in Kasm, go to Access Management > Authentication > OpenID and follow the instructions here: https://kasmweb.com/docs/latest/guide/oidc.html
   Main parameters to be set are:
   Display Name: Can be anything e.g. Login with Cloudron
   Hostname: kasm.yourdomain.tld
   Client ID: paste from step 4
   Client Secret: paste from step 4
   Authorization URL: https://my.yourdomain.tld/openid/auth
   Token URL: https://my.yourdomain.tld/openid/token
   User Info URL: https://my.yourdomain.tld/openid/me
   Scope (One Per Line): openid profile email
   Username Attribute: sub
   Redirect URL: this should be automatically populated and should match what you entered as the callback url in step 4 i.e. https://kasm.yourdomain.tld/api/oidc_callback

I believe that should be it! Give it a shot and let me know if you run into any issues. There could be a possibility that I forgot to document something in the above steps. Once it is confirmed to be working, I will polish it up and submit it as a community guide.

@james , yes both those volumes are connecting to my primary NAS via NFS. To test your theory, I created a new NFS share on my secondary NAS and mounted it as a volume on my Cloudron server, but same result - disk usage only shows a single volume. (the first volume that was mounted)

I have two NFS shares mounted as Volumes on my Cloudron server and the apps using them (Nextcloud, Immich) can read/write to them without any issues, folders are accessible via Cloudron's file manager. However only one of them shows up under Disk Usage in the system info page.

Maybe this is a bug? Either way, it isn't causing any issues on my server.

Inspired by the recent discussion surrounding beszel, I think Scrutiny would be an awesome addition to the app catalog for those that are running there Cloudron on a server with several disks. I already use Scrutiny on my TrueNAS server and it has helped me more readily see the S.M.A.R.T. data and identify drives that are at risk of failure.

@girish thank you for the explanation. With that in mind, are there any plans to include similar functionality natively in a future Cloudron release? i.e. an easy way to see the CPU, RAM, storage, network usage of each of the apps installed on your Cloudron instance, receive notifications/alerts when usage is above a certain user-defined threshold etc.

Currently we can sort of do some of this in Cloudron 8 but one needs to go to each app individually which is abit cumbersome and app resource alerting functionality does not presently exist to my knowledge. Like if my CPU is overheating, Cloudron currently will not reporting anything.

If the concern from the Cloudron team is that the beszel agent theoretically introduces security risk as the upstream codebase has not been reviewed in its entirety, would it be possible to take advantage of the wonderful work already done for the beszel agent and fork it into something that you review once and then natively integrate into cloudron? (I'm asking this as a non-developer)

Out of curiousity, why is it not possible to include the beszel agent in the same app package as the beszel hub?

@joseph ok will do

@visamp the youtube video that I linked in the original post is a good place to start, if you haven't already watched it.

@james the developer has released v5.1.1 which is supposed to have fixed the issue, however I am still experiencing the same behavior when I try to sign into the iOS app using OpenID. Can you please test on your iPhone and advise if it is the same for you as well?

@james , the Traccar developer has asked "Has the native app URL been registered?"

I assume the answer is yes, but how would I go about to check the change that was made in Cloudron package update that was published yesterday?

I have Kasm running behind a Cloudron reverse proxy and connected to Cloudron's OIDC directory for user authentication. It was pretty straightforward to set up, but if anyone wants/needs a written guide, I am happy to do so.

@james , thanks for your feedback. I have gone ahead and created a new issue for it: https://github.com/traccar/traccar-manager/issues/8

Okay just tested with the new version of the Cloudron app as well as the Traccar manager app but it unforunately still isn't working.

When you click on the "Login with OpenID" in the mobile app, Safari pops up with "Open this page in Traccar Manager -- Cancel/Open?"
If you select "Cancel" and go back to the mobile app, you get the "Frame load interrupted" error message.
If you select "Open", the Traccar webpage opens up in Safari while the mobile app still shows "Frame load interrupted".

So at this point there no longer is a "OpenID Connect Error - redirect_uri did not match any of the client's registered redirect_uris", however you still are unable to log into the Traccar Manager mobile app (atleast on iOS) using OpenID.

Maybe one of you folks can test it on Android?

Great teamwork all ! Good to also see the Traccar developer being so prompt to act on this. Traccar Manager v5.1 has not yet been released to the Apple App Store. Will test the OIDC login again once it is available and revert.

Noted, kindly share a link to the github issue once you've created it. Cheers!

@james that is great to hear! Yes that is fine by me. I have temporarily created a local user in my traccar instance and use it to log into the app. So as long as it is on your radar to include the fix in an upcoming cloudron release, I am good.

@nebulon I believe it should be: traccar://manager/api/session/openid/callback

Glad to hear that you got it working! By the way, have you had any luck logging into the HomeAssistant companion app (iOS in my case) using the proxied domain?

Correct, I have no issues logging in on my desktop or even in Safari on my iPhone. The issue only presents itself when trying to log in via the iOS app. Once you click on the option to sign in using OpenID, you are redirected to the Cloudron login page where you'd ordinarily enter your credentials, but that is when the OpenID Connect Error surfaces.

I have Traccar installed with Cloudron OpenID integration. If I try to log into the official Traccar iOS app, I receive the following error message in Safari after entering my Cloudron creditials: OpenID Connect Error - redirect_uri did not match any of the client's registered redirect_uris

In the Traccar app, the message "Frame load interrupted" is displayed.