WP-Rocket on every site: https://wp-rocket.me/

Marcel C
Posts
-
Wordpress Gutenberg Era: To cache or no cache plugin? -
SFTPGo or MiroTalk SFU not starting because they use ephemeral ports
@girish said in Server security update reboot: SFTPGo doesn't start:
A package cannot change the port ranges (just like it cannot change the installed domain names). But for new installation, it will recommend 20000 instead
Maybe you can explicitly mention in the update notes the default / advised ports? Existing installs will not be moved to the "new" ports and thus keep having issues?
-
SFTPGo or MiroTalk SFU not starting because they use ephemeral ports -
SFTPGo or MiroTalk SFU not starting because they use ephemeral ports
@girish good finds! It's also the same issue with MiroTalk (what I know of and experienced) but maybe more apps?
https://forum.cloudron.io/search?term=bind%3A%20address%20already%20in%20use&in=titlesposts
-
SFTPGo or MiroTalk SFU not starting because they use ephemeral ports
said in Server security update reboot: SFTPGo doesn't start:
Thanks for the hint, I investigated further:
The left IPv6 is my Cloudron server, from there it had an active connection (ssh outside of Docker) to the right IPv6, my storage box! I only use 1 Volume to a Storagebox and 1 Backup location. Could it be that one of those 2 uses the same port-range (41000+100)? @girish
BTW: @James please redact my IPs in your message (I just corrected mine)
@girish is this a bug? There are more topics with the same kind of error message
-
SFTPGo or MiroTalk SFU not starting because they use ephemeral ports
Thanks for the hint, I investigated further:
The left IPv6 is my Cloudron server, from there it had an active connection (ssh outside of Docker) to the right IPv6, my storage box! I only use 1 Volume to a Storagebox and 1 Backup location. Could it be that one of those 2 uses the same port-range (41000+100)? @girish
BTW: @James please redact my IPs in your message (I just corrected mine)
-
SFTPGo or MiroTalk SFU not starting because they use ephemeral ports
Thanks to ChatGPT I could solve it:
"Something" outside Docker was claiming this port
sudo kill 940
Killed this connection, now the restore worked and the app started.
-
SFTPGo or MiroTalk SFU not starting because they use ephemeral ports
BTW: I also restarted Docker via the GUI but it also didn't solve it.
-
SFTPGo or MiroTalk SFU not starting because they use ephemeral ports
@james said in Server security update reboot: SFTPGo doesn't start:
You can also run the following on your root:
    lsof -i :41090 -S
to see if really anything is using that port.
yes:
    ~# lsof -i :41090 -S
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    ssh 940 root 3u IPv6 25971 0t0 TCP [2a03:****:5f:dc5:48ba:****:fe45:61f0]:41090->[2a01:4f8:****:1635::2]:telnet (ESTABLISHED)
What could it be? I already stopped MiroTalk and Nextcloud
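Added example (not part of the original post): a Python check that reads `lsof` output like the one above and reports whether the wanted port is held by a listener or by an established connection whose local port falls in the ephemeral range. The sample rows, the documentation-prefix addresses and the function names are constructed for illustration; 32768-60999 is the Linux default range and is assumed here.

```python
# Linux default for net.ipv4.ip_local_port_range (assumption: not changed).
DEFAULT_EPHEMERAL = (32768, 60999)

# Constructed sample modelled on the lsof output in the post; the second
# row is an invented listener for contrast.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 940 root 3u IPv6 25971 0t0 TCP [2001:db8::1]:41090->[2001:db8::2]:telnet (ESTABLISHED)
docker-pr 2211 root 4u IPv4 30112 0t0 TCP *:41091 (LISTEN)
"""

def parse_lsof(text):
    """Turn `lsof -i` rows into dicts; rows without a numeric local port are skipped."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split(None, 8)              # NAME (9th column) contains spaces
        if len(fields) < 9:
            continue
        endpoints, _, state = fields[8].partition(" ")
        local, arrow, _remote = endpoints.partition("->")
        port = local.rsplit(":", 1)[-1]
        if not port.isdigit():                    # lsof may print service names; -P disables that
            continue
        rows.append({"command": fields[0], "pid": int(fields[1]),
                     "local_port": int(port), "connected": bool(arrow),
                     "state": state.strip("()")})
    return rows

def explain_conflict(text, wanted_port, ephemeral=DEFAULT_EPHEMERAL):
    """Return (port_in_ephemeral_range, [(command, pid, kind), ...]) for wanted_port."""
    low, high = ephemeral
    in_range = low <= wanted_port <= high
    findings = []
    for row in parse_lsof(text):
        if row["local_port"] != wanted_port:
            continue
        if row["state"] == "LISTEN":
            kind = "listener"
        elif row["connected"] and in_range:
            # Heuristic: a connected socket on an ephemeral-range port is
            # most likely a client connection that was handed this source port.
            kind = "connection-on-ephemeral-port"
        else:
            kind = "other"
        findings.append((row["command"], row["pid"], kind))
    return in_range, findings

if __name__ == "__main__":
    print(explain_conflict(SAMPLE_LSOF, 41090))
```

On a live host, pass the two numbers from `/proc/sys/net/ipv4/ip_local_port_range` as `ephemeral`. The `net.ipv4.ip_local_reserved_ports` sysctl keeps listed ports out of automatic source-port selection.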
-
SFTPGo or MiroTalk SFU not starting because they use ephemeral ports
This morning I needed to perform a security update reboot and after that SFTPGo doesn't start.
Docker Error: (HTTP code 500) server error - driver failed programming external connectivity on endpoint 98d1b4c0-********-729c3077a061 (cec35e817f384c6cd2***1608926aff5ce2d176a64da69d4f): failed to bind port 0.0.0.0:41090/tcp: listen tcp4 0.0.0.0:41090: bind: address already in use
I tried to restart the task many many times (MiroTalk also sometimes has this issue), tried to restore a backup, etc. etc. .... it doesn't start.
Is there somehow a way to force this? My use of SFTPGo is critical as it is a central backup location for many "IOT appliances".
-
Per-application access rules
@umnz said in Per-application access rules:
@imc67 I'm not sure what you mean, Cloudron does have a Trusted / Blacklisted IPs and Fail2Ban support.
You are answering your own question: look at the subject of this feature request and then the docs. What you mentioned is on server level .... not app level
-
Plugins possible?
As mentioned here https://forum.cloudron.io/topic/14208/extra-algorithms-needed/ I discovered the gem SFTPGo for a very useful purpose, thanks @BrutalBirdie for the app, I think it is your credit for packaging it!
SFTPGo has plugins (https://docs.sftpgo.com/2.6/plugins/) which you can find here https://github.com/sftpgo/
I really would like to use the plugin sftpgo-plugin-geoipfilter (https://github.com/sftpgo/sftpgo-plugin-geoipfilter) for reasonable purposes, however I really don't know how?
-
extra algorithms needed
Of the "needed" algorithms only ECDSA (ecdsa-sha2-nistp256/384/521) is still allowed but considered less robust than modern alternatives, Ed25519 is strongly recommended instead, RFC 8420 – Ed25519 for SSH.
So I did this:
    # P-256
    ssh-keygen -t ecdsa -b 256 -f /app/data/sftpgo_host_ecdsa_256 -N ""
    # P-384
    ssh-keygen -t ecdsa -b 384 -f /app/data/sftpgo_host_ecdsa_384 -N ""
    # P-521
    ssh-keygen -t ecdsa -b 521 -f /app/data/sftpgo_host_ecdsa_521 -N ""
and added these to the config:
Now it works!!!
Are these changes I did persistent?
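Added example (not part of the original post, and not SFTPGo code): a Python sketch that parses the negotiation error quoted in this thread, applies the RFC 4253 section 7.1 selection rule (the first name on the client's list that the server also offers), and works out the smallest host-key addition that lets this client connect without enabling `ssh-rsa` or `ssh-dss`. The function names are hypothetical; the key path follows the naming used in the post.

```python
import re

# Error text as quoted in the thread (host-key negotiation failure).
ERR = ("ssh: no common algorithm for host key; client offered: "
       "[ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 "
       "ecdsa-sha2-nistp521], server offered: "
       "[ssh-ed25519 rsa-sha2-256 rsa-sha2-512]")

# Client offers that should not be enabled just to make one device connect.
LEGACY = {"ssh-rsa": "RSA signatures over SHA-1", "ssh-dss": "DSA"}
ECDSA_BITS = {"ecdsa-sha2-nistp256": 256, "ecdsa-sha2-nistp384": 384,
              "ecdsa-sha2-nistp521": 521}

def parse_offer(err):
    """Extract (client_list, server_list) from the error message."""
    m = re.search(r"client offered: \[(.*?)\], server offered: \[(.*?)\]", err)
    if m is None:
        raise ValueError("not a host-key negotiation error")
    return m.group(1).split(), m.group(2).split()

def negotiate(client, server):
    """RFC 4253 section 7.1: first client-preferred name the server also offers."""
    return next((alg for alg in client if alg in server), None)

def minimal_fix(client, server):
    """Return (algorithm_to_add, legacy_offers_skipped); (None, []) if nothing is needed."""
    if negotiate(client, server) is not None:
        return None, []
    skipped = [alg for alg in client if alg in LEGACY]
    fix = next((alg for alg in client if alg in ECDSA_BITS), None)
    return fix, skipped

def keygen_command(alg):
    """ssh-keygen invocation for an ECDSA host key, using the post's file naming."""
    bits = ECDSA_BITS[alg]
    return f'ssh-keygen -t ecdsa -b {bits} -f /app/data/sftpgo_host_ecdsa_{bits} -N ""'

if __name__ == "__main__":
    client, server = parse_offer(ERR)
    fix, skipped = minimal_fix(client, server)
    print("negotiated now:", negotiate(client, server))
    print("skipped legacy offers:", skipped)
    print("add host key:", fix, "->", keygen_command(fix))
    print("negotiated after:", negotiate(client, server + [fix]))
```

Under this selection rule a single P-256 host key is enough for the client in the error message; the P-384 and P-521 keys only matter for clients that do not offer `ecdsa-sha2-nistp256`.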
-
extra algorithms needed
... almost, this is the error when trying to login:
ssh: no common algorithm for host key; client offered: [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519 rsa-sha2-256 rsa-sha2-512]"}
    Status: active
    Address ":2022" PROXY protocol enabled
    Host key "/app/data/sftpgo_host_key" Fingerprint "SHA256:******" Algorithms "ssh-ed25519"
    Host key "/app/data/sftpgo_host_rsa_key" Fingerprint "SHA256:******" Algorithms "rsa-sha2-256, rsa-sha2-512"
    Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"
    Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"
    Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"
    Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"
    Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"
    Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"
-
extra algorithms needed
SFTPGO is really handy! I use it as a central location for "IOT" devices to make backups to. The very good thing is that you can create a (manual) account for every device. From Admin view I created one "backups" directory with for each IOT account a subdirectory, this subdirectory is attached as a virtual directory to a specific account. This way the IOT accounts cannot see each other's files and from Admin view there is only one main- with subdirectories. Handy!
However ....
One "IOT" device (Omada software controller) gets an error during connection:
client offered [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519]
According to the docs: https://docs.sftpgo.com/enterprise/config-file/#sshsftp-server you should be able to add algorithms, and I did like this:
    "host_key_algorithms": ["rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519"],
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256"],
    "min_dh_group_exchange_key_size": 2048,
    "ciphers": ["aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "macs": [],
    "public_key_algorithms": ["ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"],
In the WebAdmin it says this:
    SSH/SFTP server
    Status: active
    Address ":2022" PROXY protocol enabled
    Host key "/app/data/sftpgo_host_key" Fingerprint "SHA256:*********redacted*********" Algorithms "ssh-ed25519"
    Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"
    Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"
    Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"
    Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"
    Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"
    Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"
But the error keeps coming and the connection is not possible.
Does anyone know how to solve this?
-
New update?
O, I see, this is where I found it: https://docs.sftpgo.com/enterprise/changelog/
-
New update?
There are / were many updates since the initial version of this app, last one is:
Update July 26, 2025 - v2.7.20250726
When can we expect an updated app?
btw: thanks for this GEM! It takes some time to understand and explore but it's great!
-
Per-application access rules
I voted for this excellent idea a long time ago but now I wished it was here:
I (need to) use Cloudflare WAF to protect access to my NextCloud on Cloudron. I also want a local/external application to make backups via WebDAV to NextCloud .... here it gets stuck .... Cloudflare has a 500MB limit on their free proxy.
Isn't it very '80s to have no built-in WAF/IP restriction to Cloudron in the current 2025 mad world of zero days, hackers, .........
-
KOPIA Fast and Secure Open-Source Backup
This is a pearl for convenient and user friendly client (PC/Mac) to server (Cloudron-app) smart backup without BigTech. I think it deserves more votes and an app
-
Minio removing the interface for community edition
Could this be an alternative?