Plugins possible?

As mentioned here https://forum.cloudron.io/topic/14208/extra-algorithms-needed/ I discovered the gem SFTPGo for a very useful purpose, thanks @BrutalBirdie for the app, I think it is your credit for packaging it!

SFTPGo has plugins (https://docs.sftpgo.com/2.6/plugins/) which you can find here https://github.com/sftpgo/

I really would like to use the plugin sftp-plugin-geoipfilter (https://github.com/sftpgo/sftpgo-plugin-geoipfilter) for reasonable purposes, however I really don't know how?

of the "needed" algorithms only ECDSA (ecdsa-sha2-nistp256/384/521) is still allowed but considered less robust than modern alternatives, Ed25519 is strongly recommended instead, RFC 8420 – Ed25519 for SSH.

So I did this:

# P-256
ssh-keygen -t ecdsa -b 256 -f /app/data/sftpgo_host_ecdsa_256 -N ""

# P-384
ssh-keygen -t ecdsa -b 384 -f /app/data/sftpgo_host_ecdsa_384 -N ""

# P-521
ssh-keygen -t ecdsa -b 521 -f /app/data/sftpgo_host_ecdsa_521 -N ""

and added these to the config: Now it works!!!

Are these changes I did persistent?

... almost, this is the error when trying to login:

ssh: no common algorithm for host key; client offered: [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519 rsa-sha2-256 rsa-sha2-512]"}

Status: active

Address ":2022"

PROXY protocol enabled

Host key "/app/data/sftpgo_host_key"

Fingerprint "SHA256:******"

Algorithms "ssh-ed25519"

Host key "/app/data/sftpgo_host_rsa_key"

Fingerprint "SHA256:******"

Algorithms "rsa-sha2-256, rsa-sha2-512"

Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"

Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"

Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"

Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"

Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"

Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"

SFTPGO is really handy! I use it as a central location for "IOT" devices to make backups to. The very good thing is that you can create a (manual) account for every device. From Admin view I created one "backups" directory with for each IOT account a subdirectory, this subdirectory is attached as a virtual directory to a specific account. This way the IOT accounts cannot see each others files and from Admin view there is only one main- with subdirectories. Handy!

However ....

One "IOT" device (Omada software controller) gets an error during connection:

client offered [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519]

According to the docs: https://docs.sftpgo.com/enterprise/config-file/#sshsftp-server you should be able to add algorithms, and I did like this:

    "host_key_algorithms": [
      "rsa-sha2-512",
      "rsa-sha2-256",
      "ecdsa-sha2-nistp256",
      "ecdsa-sha2-nistp384",
      "ecdsa-sha2-nistp521",
      "ssh-ed25519"
    ],
    "kex_algorithms": [
      "curve25519-sha256",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group14-sha256",
      "diffie-hellman-group-exchange-sha256"
    ],
    "min_dh_group_exchange_key_size": 2048,
    "ciphers": [
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com",
      "chacha20-poly1305@openssh.com",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr"
    ],
    "macs": [],
    "public_key_algorithms": [
      "ecdsa-sha2-nistp256",
      "ecdsa-sha2-nistp384",
      "ecdsa-sha2-nistp521",
      "rsa-sha2-512",
      "rsa-sha2-256",
      "ssh-ed25519",
      "sk-ssh-ed25519@openssh.com",
      "sk-ecdsa-sha2-nistp256@openssh.com"
    ],

In the WebAdmin is says this:

SSH/SFTP server
Status: active

Address ":2022"

PROXY protocol enabled

Host key "/app/data/sftpgo_host_key"

Fingerprint "SHA256:*********redacted*********"

Algorithms "ssh-ed25519"

Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"

Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"

Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"

Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"

Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"

Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"

But the error keeps coming and the connection is not possible.

Anyone knows how to solve this?

O, I see, this is where I found it: https://docs.sftpgo.com/enterprise/changelog/

There are / were many updates since the initial version of this app, last one is:

Update July 26, 2025 - v2.7.20250726

When can we expect an updated app?

btw: thanks for this GEM ! It takes some time to understand and explore but it's great!

I voted for this excellent idea long time ago but now I wished it was here:

I (need to) use Cloudflare WAF to protect acces to my NextCloud on Cloudron . I also want a local/external application to make backups via WebDAV to NextCloud .... here it gets stuck .... Cloudflare has a 500MB limit on their free proxy.

Isn't it very '80s to have no build-in WAF/IP restriction to Cloudron in the current 2025 mad world of zero days, hackers, .........

This is a pearl for convenient and user friendly client (PC/Mac) to server (Cloudron-app) smart backup without BigTech. I think it deserves more votes and an app

Could this be an alternative?

https://github.com/rustfs/rustfs

@girish said in VERP on Cloudron:

@imc67 this should already work . Support for sending emails with '+' (subaddress) format and sending emails as aliases was added a while ago. If the use case is with Espo, you have to make sure it scans the IMAP mailbox as well .

Also: https://forum.espocrm.com/forum/general/58060-verp https://github.com/espocrm/espocrm/issues/1536 https://github.com/espocrm/espocrm/issues/1560 and

Thanks!! I’ll give it a try!

@MiroTalk said in Room link gets lost after OIDC login:

@imc67 said in Room link gets lost after OIDC login:

@mirotalk-57bab571 indeed 1.8.81 solved the issue!! Many many thanks for that!

Good! You're welcome.

Just one more thing: can you make the (button)texts on the WhoAreYou page configurable via .env just like the main page?

Sure, I like the idea, it will be available in the next release!

You’ll then be able to configure WhoAreYou as needed with the following options in the env:

# Who Are You
WHO_ARE_YOU_TITLE="Who are you?"                  # Title
WHO_ARE_YOU_DESCRIPTION="If you're the presenter, please log in now.<br />Otherwise, kindly wait for the presenter to join." # Description
WHO_ARE_YOU_BUTTON_LOGIN_LABEL="LOGIN"            # Login button label
WHO_ARE_YOU_JOIN_LABEL="JOIN ROOM"                # Join button label

This is ABSOLUTELY amazing, again thank you very much!!!

after 4 years I'm still curious if the build-in mailserver can handle VERP in the meanwhile?

https://en.wikipedia.org/wiki/Variable_envelope_return_path

@MiroTalk said in Room link gets lost after OIDC login:

OIDC support for WhoAreYou (waiting room) is now available in MiroTalk SFU v1.8.81!

@mirotalk-57bab571 indeed 1.8.81 solved the issue!! Many many thanks for that!

Just one more thing: can you make the (button)texts on the WhoAreYou page configurable via .env just like the main page?

When you receive a direct link to a room, click that, get redirected via OIDC to login, then .... you are redirected to the main page and NOT the original room link.

This confuses users, they "just" click on "Join meeting" but then are in a wrong room ....

Can this be solved?

@timconsidine and also Immich API support to enrich your journeys or even create them based on that.

https://forum.cloudron.io/post/108131 Not here yet but seems much better! ️

I agree with @micmc ’s option 2: default plugin for Developer version

Especially because of their promise: Most importantly, this plugin is free and will always be free.
Read why it’s 100% free (always)

It seems they are very actively developing this!

@james said in Is this pip install persistent for app updates?:

Hello @imc67
You can use venv or uv to create virtual environments.
Here is a quick cheatsheet for venv => https://aaronlelevier.github.io/virtualenv-cheatsheet/
Many prefer uv these days, see => https://github.com/astral-sh/uv

thanks again! I used venv and it works very well!

@james said in Is this pip install persistent for app updates?:

What you want to do is create a virtual environment with pip in /app/data/ and use that environment.
That will be included in the backup.

Thanks for your feedback! Can you advise on what command to use to create this?