featmap

Build products users really need.
Featmap is an open source user story mapping tool for product people to build, plan and communicate product backlogs.

https://www.featmap.com/
https://github.com/amborle/featmap

First of all: Thank you for this thread. I like it

My name is Stephan Luckow and before I did "something with computers" I made a bet that I would be successful as a musician (playing bass guitar). But that was a dream in the mid 90s. Btw: this was our contribution to the European song contest in 1994 -> https://peertube.luckow.org/videos/watch/53b4c661-a308-44ab-9491-de6f14daa90b

In 1995 I founded my first Internet full-service agency in Berlin, and my whole business was based on open source software. Part of the proprietary software was downloaded from news servers. In 2006 I realized that giving back to the OSS communities is not only a return in software development. I'm not a developer, so I decided to help with other topics as well. In 2010 I took the position of president of the German Drupal association and in 2013 some people and I founded CMS Garden e. V. as an umbrella organization for the most active Open Source Content Management Systems.

Today I'm the managing director of the company for the development of things. A Berlin-based consulting & development company that supports clients in making decisions for their digital transformation and sovereignty.
We have learned in a customer project that there is Cloudron. In terms of content, we wanted to find out whether it is possible to address the SME market with software in which the system administrator is built-in. And because Cloudron exists, we decided to stop our own investments in the product, to change the process to promote the growth of Cloudron.

I've installed adguard on the upcoming Cloudron v6. It is installed on a public available VPS. I know the "normal" intended use is for local networks. But because it's possible, I've clicked on install the app

I've added the public ip of the Cloudron instance as DNS in my local home router in order to use the adguard functions in my entire local network. BTW: It works perfect.

One week later I got an email from the german Federal Office for Information Security (BSI)

Dear Sir or Madam,

open DNS resolvers are abused for conducting DDoS reflection / amplification attacks against third parties on a daily basis. [...]

The moment I checked the dashboard of adguard, I realized that DDoS had already happened.

All top clients in the figure above have made a DNS query for the same domain.

So my question is: is there any chance to configure the Cloudron firewall/ proxy / whatever to use adguard in the way I want to use it (as a openDNS) without having a tool for attackers out in the wild?

If not, I like to see a big red warning sign: do not use adguard on a public infrastructure without having a firewall rule in front of the Cloudron instance. IMHO we as Cloudron users have to be responsible not to have "weapons" for attackers out in the wild.

Just for fun (and for education). Make a screenshot of your my.Dashboard and if you wish, explain why you use these apps.

I start with my backup-server. A cloudron full of minio apps. Wonderful.

One of my associations. A complete different view.
Rocket.chat for fluid communication, nextcloud - you know it - sharing files and calendars, sufer for a boring landing page, memo only for testing. greenlight for our web video conferences, redmine for project planning, two codiMDs because we can, lamp for framadate, kanban and wekan for different use cases in organizing work, matomo for analytics, peertube as a youtube replacement, bitwarden for password sharing and grav as a landing page cms.

@avatar1024 Sorry for beeing a little bit verbose

CMS Garden held a (virtual) Unconference two weeks ago. One of our biggest issues was self registering attendees into our LDAP. Thanks to the external LDAP connector to Univention Corporate Server (UCS) in Cloudron we used the following setup:

UCS as our central user management (LDAP) with self registration.
Cloudron as our primary solution for our apps. The Cloudron instance was connected through the external LDAP connector.

We had some other cool apps lying around
BBBatscale is a loadbalancer for BigBlueButton instances and capable of connecting against a LDAP server. Yep - users in UCS are authorized users in BBBatscale.

Openstreamingplatform as our twich alternative to embed the streams from different BBB rooms. (But without any knowledge of LDAP users).

In a slightly different setup we use UCS to be the central user management to different Cloudron instances. But in this setup without self registration.

Good news: there is a possibility today to have a central LDAP user management with many Cloudrons. And if you need it, with a self registration kind of "portal".

Read more

https://www.univention.com/downloads/download-ucs/
https://www.univention.com/blog-en/2020/05/register-your-own-account-new-self-service-for-suse-and-ucs/

Today I was informed on one of my daily news websites about a security problem in rocket.chat.
https://www.heise.de/news/Rocket-Chat-Luecke-erlaubte-Remote-Code-Execution-durch-praeparierte-Nachrichten-4873678.html (in german)
https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html (in english)

Since rocket.chat is part of the critical communication infrastructure in my company, I had a brief moment of "Oh, wait. This is important and I must react now".

I opened the dashboard of Cloudron and took a quick look at the version number of the rocket.chat app and ...

Many thanks to the Cloudron team. I'm safe because of the "built-in" admin

Charming participants at the first (virtual) Cloudron meetup

Thank you for the packaging of dolibarr.
My first 2 cents: let us define, that first language has to be english. It took me around 5 minutes to find out where I can switch from french to english

Form.io is a revolutionary combined Form and API platform for Serverless applications. This repository serves as the core Form and API engine for https://form.io. This system allows you to build "serverless" data management applications using a simple drag-and-drop form builder interface. These forms can then easily be embedded within your Angular.js and React applications using the <formio> HTML element.

https://github.com/formio/formio
http://codepen.io/travist/full/xVyMjo/ <- Demo

On Tuesday I had some trouble with customers who were unable to join a BigBlueButton conference due to a limited government network.
The typical solution for this type of network is a STUN/TURN server constellation, which can be used by these clients to join the meeting via the TURN server.

I had no clue how to try out to be part of that kind of limited network / to simulate it and why the STUN/TURN server does not work for them.

I found only two interesting links for testing. Maybe they are helpful for your own debugging too.

• https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
• https://test.webrtc.org/

Additionally there is a setting in firefox:

about:config
media.peerconnection.ice.relay_only set to true

At the end, the easiest solution is really simple.
The typical government network firewall looks like:

iptables -P OUTPUT DROP
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p upd -m upp --dport 53 -j ACCEPT

Only port 80/443/53 are allowed. Rest is blocked

For this reason WebRTC BigBlueButton meetings without TURN server do not work for them. If you have little snitch on your mac, you can easily simulate this kind of network.

@atrilahiji does not work on my side too.

Build products users really need.
Featmap is an open source user story mapping tool for product people to build, plan and communicate product backlogs.

https://www.featmap.com/
https://github.com/amborle/featmap

BTW: kind of same behaviour for nextcloud.
There is a UID in the user settings, which you can only see with /app/code/occ user:setting in the terminal.

And because I switched from internal Cloudron LDAP to an external LDAP I got a new UID for all my users. The strange behavior from nextcloud is:
Login with user:pass works. (the schema is firstname.lastname as username).
But internally nextcloud adds a _RANDOMNUMBER to it.
In my case a stephan.luckow is internally changed to stephan.luckow_3096

Problem is: all my calendar entries are based on stephan.luckow_3096 and not on stephan.luckow.

Thank's for releasing an updated version of bookstack. Will try it out next week.

I've started with some users created wiki pages in bookstack. Yesterday I've switched to an external LDAP server, deleted the Cloudron LDAP users and added them with the exact same username to the external LDAP server. Most of the installed apps had no problem with the "new" user from the external LDAP server and served the content created from the "old" Cloudron LDAP user to the new external LDAP user. But not bookstack.
Bockstack uses a UID as an identifier for the user.

Because of switching to a new LDAP server, the uid for the user switched. But because the username was the same, bookstack denied the new user (reason: same user with a different uid). Instead of reading the manual at https://www.bookstackapp.com/docs/admin/ldap-auth/ I've deleted the "old" user in bookstack and "created" a new one through a login to bookstack with the "new/old" username. Haha.The uid changed and all my former created content does not more belong to me. (Now it's labeled as: Deleted User updated page).

The correct workflow has to be:

• get the new uid from the "new/old" username
• add the new uid to the user account in bookstack
• every created content belongs to the "new" user

The only question is: how to get the uid from the "new" user?
The only place I know of is the UID form in Bookstack. But that is for the workflow the wrong place

Any hints where to find that kind of information?

@erics top. It looks functional

@erics the two form fields Administrator DN and Administrator password on global parameters are not prefilled with the values from the env.
That's why you get a

 TCP connect to LDAP server successful (Server=172.18.0.1, Port=3002)
 No administrator or password provided. LDAP access will be anonymous and in read only mode.
 LDAP server configured for version 3

instead of a

TCP connect to LDAP server successful (Server=172.18.0.1, Port=3002)
Connect/Authenticate to LDAP server successful (Server=172.18.0.1, Port=3002, Admin=cn=LONGID,ou=apps,dc=cloudron, Password=*****)
LDAP server configured for version 3

if you fill in the values manually. But to be fair, I do not know if this is really necessary

On the Groups tab, there is a wrong value in Groups' DN. The current value is

ou=groups,dc=example,dc=com

the correct value has to be

ou=groups,dc=cloudron

Same with above. I don't know if Cloudron LDAP promotes the groups to Dolibarr. IMHO not.

Ups. In the tab Users in the LDAP Mapping you put in a wrong mapping at the Name. It's not displayName it has to be sn That why last name is the value of first and last name in one field.

On Tuesday I had some trouble with customers who were unable to join a BigBlueButton conference due to a limited government network.
The typical solution for this type of network is a STUN/TURN server constellation, which can be used by these clients to join the meeting via the TURN server.

I had no clue how to try out to be part of that kind of limited network / to simulate it and why the STUN/TURN server does not work for them.

I found only two interesting links for testing. Maybe they are helpful for your own debugging too.

• https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
• https://test.webrtc.org/

Additionally there is a setting in firefox:

about:config
media.peerconnection.ice.relay_only set to true

At the end, the easiest solution is really simple.
The typical government network firewall looks like:

iptables -P OUTPUT DROP
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p upd -m upp --dport 53 -j ACCEPT

Only port 80/443/53 are allowed. Rest is blocked

For this reason WebRTC BigBlueButton meetings without TURN server do not work for them. If you have little snitch on your mac, you can easily simulate this kind of network.

@mehdi thanks for the clarification In that case there is no easy solution for that problem. IMHO we only have a chance to use adguard on cloudron in a public infrastructure, if we only allow the use of adguard from inside the openvpn-app. That is my understanding of @imc67 pi-hole / wireguard vpn solution.

A background article on the DDoS problem can be found on the BSI website itself.

https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/CERT-Bund/CERT-Reports/HOWTOs/DNS-Open-Resolver/DNS-Open-Resolver_node.html

I have no idea what happens if we follow the

Solution
Disable recursion or limit recursion to trusted clients in the DNS server's configuration.

But maybe it's a/the solution