Cannot install apps from docker-registry because authentication fails

Thanks a lot!

Hi, I have encountered this bug once more, with the following user agents:

• Podman: libpod/<version>
• Skopeo: skopeo/<version>

@girish Would it be possible to add those as well? That would be much appreciated.

In src/proxyAuth.js

// someday this can be more sophisticated and check for a real browser
function isBrowser(req) {
    const userAgent = req.get('user-agent');
    if (!userAgent) return false;

    // https://github.com/docker/engine/blob/master/dockerversion/useragent.go#L18
    return !userAgent.toLowerCase().includes('docker') && !userAgent.toLowerCase().includes('container') && !userAgent.toLowerCase().includes('libpod') && !userAgent.toLowerCase().includes('skopeo');
}

In src/nginxconfig.ejs

    location @proxy-auth-login {
        if ($http_user_agent ~* "docker") {
            return 401;
        }
        if ($http_user_agent ~* "container") {
            return 401;
        }
        if ($http_user_agent ~* "libpod") {
            return 401;
        }
        if ($http_user_agent ~* "skopeo") {
            return 401;
        }

        return 302 /login?redirect=$request_uri;
    }

@girish Minor thing, but the links to the "Full Changelog" entries for the last releases seem to go to random Github user profiles.

Also, if this gets more development, I'd be quite happy to help test it.

I have tried this a few months ago as well.

The next blocker is that the setup code does some domain IP validation, and refuses to continue of there are no IPv4 addresses available. I worked around it in the setup code of the box project on my machine, but that is of course highly discouraged . Sadly, I lost that code (it wasn't too bad). I'm not entirely sure whether it works with a private IPv4. I haven't tested that. I don't think so though.

Once the box supports primary IPv6, then the rest will more or less work. Because it support IPv6 mostly fine after setup. Thinks like the web front-end, and mail all work with IPv6.

Individual apps may or may not work if they do something other than standard HTTP(S). The OpenVPN app for example does not work correctly yet. At least it does not route IPv6 through the tunnel, possibly because the Docker containers are all IPv4-only.

Sure, I just did.

Hi,

Last night's automatic update of FreshRSS (package version 1.20.0-1) has broken my setup, due to a TypeError from PHP. Version 1.20.0 worked fine.

Here is an excerpt from the logs:

2023-12-27T03:02:58.000Z FreshRSS starting feeds actualization at 2023-12-27T03:02:58+00:00
2023-12-27T03:02:58.000Z PHP Fatal error:  Uncaught TypeError: Minz_ExtensionManager::enable(): Argument #1 ($ext_name) must be of type string, int given, called in /app/code/lib/Minz/ExtensionManager.php on line 279 and defined in /app/code/lib/Minz/ExtensionManager.php:248
2023-12-27T03:02:58.000Z Results:
2023-12-27T03:02:58.000Z Stack trace:
2023-12-27T03:02:58.000Z thrown in /app/code/lib/Minz/ExtensionManager.php on line 248
2023-12-27T03:03:00.000Z - - - [27/Dec/2023:03:03:00 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)"
2023-12-27T03:03:10.000Z - - - [27/Dec/2023:03:03:10 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)"
2023-12-27T03:03:20.000Z - - - [27/Dec/2023:03:03:20 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)"
2023-12-27T03:03:30.000Z - - - [27/Dec/2023:03:03:30 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)"
2023-12-27T03:03:40.000Z - - - [27/Dec/2023:03:03:40 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)"
2023-12-27T03:03:50.000Z - - - [27/Dec/2023:03:03:50 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)"
2023-12-27T03:03:58.000Z #0 /app/code/lib/Minz/ExtensionManager.php(279): Minz_ExtensionManager::enable()
2023-12-27T03:03:58.000Z #1 /app/code/app/FreshRSS.php(63): Minz_ExtensionManager::enableByList()
2023-12-27T03:03:58.000Z #2 /app/code/app/actualize_script.php(97): FreshRSS->init()
2023-12-27T03:03:58.000Z #3 {main}
2023-12-27T03:03:58.000Z ==> Run actualize script
2023-12-27T03:03:58.000Z FreshRSS starting feeds actualization at 2023-12-27T03:03:58+00:00
2023-12-27T03:03:58.000Z PHP Fatal error:  Uncaught TypeError: Minz_ExtensionManager::enable(): Argument #1 ($ext_name) must be of type string, int given, called in /app/code/lib/Minz/ExtensionManager.php on line 279 and defined in /app/code/lib/Minz/ExtensionManager.php:248
2023-12-27T03:03:58.000Z Results:
2023-12-27T03:03:58.000Z Stack trace:
2023-12-27T03:03:58.000Z thrown in /app/code/lib/Minz/ExtensionManager.php on line 248

Thankfully, restoring a backup made everything work again.

@dimtar To clarify: the VM can make connections to IPv4, but is not accessible inboud from IPv4, only from IPv6?

Could you post the logs regarding ACME? I remember having had issues with that and IPv6 as well (not on Cloudron, but that shouldn't matter...).

@nebulon said in What's coming in 7.5:

yes this was mentioned a few times now (...)

I must have missed that then. I'm glad you're aware and are changing this.

@girish, I noticed when using OIDC that on the authorize page there is no possibility to switch the user account. In other words: once logged in with a specific user, one is always logged in with that user, unless one manually figures out the logout endpoint for OIDC.

Would it be possible to add a logout or switch user button the the OIDC authorization page?

@girish, I have access again. Thank you!

Hello,

In the past I used to be able to access the cloudron box project, but it seems that that access has been revoked for some reason.
That's a pity, because I have moved to self-hosted DNS and wanted to experiment with a backend to manage PowerDNS using their authoritative server API.

Would it be possible to restore that access?

And also: assuming I get it working, would you be interested in having such a backend contributed?

Thanks in advance!

I had a similar issue: the certificate was actually renewed (as evidenced by crt.sh), but the old one expired today, causing certificate errors on my website.

Restarting the app fixed that, but that should happen automatically after renewal, I think.

In case it matters, I was using the Surfer app (io.cloudron.surfer@5.17.8), on Cloudron v7.3.4 (Ubuntu 18.04.4 LTS)

I wasn't aware of this feature, but it works perfectly. Thank you!

Hi!

I'm trying to use WebDAV to publish things on Surfer. I noticed that I can't log in to it with the access token. Would it be possible to change it so that the access token can be used with WebDAV as well?

Thank you for considering,

Ok, thanks.

It seems that Firefly III is stuck on v3.0.1 on my cloudron. Even when I manually check for updates, it is not listing any.

While here it says that the package should have been updated to v3.1.1.

Any ideas?

There has been a long discussion about Keycloak in the Keycloak & Cloudron topic.

From a quick scan, it seems that at least someone got it working: https://forum.cloudron.io/post/44783.

Hi,

I just came across these two posts:

• https://github.com/AgainstTheWest/NginxDay
• https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/

Apparently, there is a flaw in the nginx-ldap-auth module.

I know that Cloudron uses nginx a lot, and LDAP as well, so I wanted to make you aware of this.

I lack the knowledge to determine whether Cloudron is vulnerable.

Could you please investigate and remediate if necessary?

Thanks!

@girish I have tested this (just the HTTPS applications though, but that's the majority), and that works fine.

Not sure about the non-HTTPS applications though, like VPN, AdGuard and so on.