Cloudron Forum


malvim

@malvim
About
Posts
149
Topics
15
Shares
0
Groups
0
Followers
0
Following
0

Posts

Recent Best Controversial

  • App Proxy + OIDC. Does this make sense?
    M malvim

    Hi, @james!

    Yeah, I think you got it perfectly. Except I don't think the app-proxy would need to use OIDC instead of proxyAuth. Maybe it could be an option: You either use proxyAuth for authentication-only if your proxied app doesn't have auth capabilities, or you use OIDC and the proxied app would use cloudron as an OIDC provider.

    I understand there are a few technical hurdles to jump, but I'm thinking they might be feasible. The main one, as you suggested, would be to have the OIDC-related configurations in the manifest dynamically configurable. This feels like it would demand some work, but as I understand it, there's already something along these lines in apps like gitea, where the SSH port is declared in the manifest, but customizable via the web ui.

    IMO, this would make for a few more nice use cases for app-proxy, like testing apps, or even hosting them elsewhere (like a homelab in my case, or another machine), but accessing them through cloudron and benefiting from its user management. Also, I don't think it would "compete with" or "exploit" cloudron in any way, since these proxied apps would not benefit from cloudron's other great features like automatic updates, backups, external volumes, etc. All the management ease and just general peace of mind that cloudron brings us.

    Would be a nice use case, though, I think.

    Feature Requests

  • App Proxy + OIDC. Does this make sense?
    M malvim

    Hi!

    So I did some digging and found App Proxy does support ProxyAuth now, which is great! Is there anything that will act as an app proxy but with OIDC? Is this feasible?

    I'll expand: I have cloudron's machine setup as a peer in a wireguard network I use for homelab stuff. This isn't fully supported, I know, but it's been working. So I can install an app in my home server and access it via a cloudron proxy, even having proxyAuth for the apps that have no built-in authentication.

    I'd like to install something that DOES have authentication/authorization with OIDC, and it would be awesome if I could have cloudron users log into it via the proxy apps with OIDC support.

    I know this entails more complexity, configuring OIDC secrets and ids and whatnot, so I understand the proxy app AS-IS wouldn't work. I guess my question is: Do you think this would be feasible? Stick a few more config options in the proxy app, and make it work with proxied apps via OIDC?

    Thanks!

    Feature Requests

  • Termix — SSH server manager, alternative to Termius
    M malvim

    This would work beautifully with my cloudron proxy app behind a vpn setup.

    Might give packaging this one a go.

    App Wishlist

  • Cloudron 9 - VPN In/Out for Containerized Apps
    M malvim

    @james I'm TERRIBLE at writeups, but I'll summarize it and maybe we can write something better together if you think it's interesting enough:

    So I have a cloudron machine with a public IP, vanilla setup. I also have a raspberry pi in my home network running a few services, and an external VPS.

    I use a "hub-and-spoke" wireguard architecture, which is pretty common and straightforward as well. It is set up like so:

    • VPS has a public IP
    • I installed and set up wireguard in it. Let's say it uses interface wg0, and its wg IP address is 10.0.0.1, network 10.0.0.0/24
    • I had to set a few things to enable packet forwarding on the VPS so it would act as a "router" between my raspberry pi and other devices, but it's pretty straightforward stuff
    • I installed and set up wireguard in my raspberry pi, interface wg0, IP address 10.0.0.2; added the VPS as a peer with its public key, allowed-ips 10.0.0.1/24, and the endpoint is its public IP and the port I had wireguard listen on

    So now when I turn on wireguard on both VPS and pi, I can ping 10.0.0.1 from the pi, and I can ping 10.0.0.2 from the VPS. This is the simple hub-and-spoke setup, with the VPS acting as the hub (because it has a public IP address) and the raspberry pi and other devices (say my laptop or phone) are the "spokes".

    So now for the cloudron part:

    • installed wireguard on my cloudron machine and set it up as a peer to the wireguard network, same as I did on the pi. Added the VPS as the only peer, and on the VPS added one more peer which was the cloudron server. Say its IP is 10.0.0.100
    • I can now ping 10.0.0.1 (vps) and 10.0.0.2 (pi) from the cloudron server, and I can also ping these IPs FROM ANY CLOUDRON APP as well!
    • I had a service running on the raspberry pi on port 8080, so I installed a new app proxy on the cloudron from the app store, and the upstream address was http://10.0.0.2:8080, and it all worked.

    Now, I COULD get rid of the VPS and use only cloudron, both as the wireguard "hub" and reverse proxy. That would be great because it's one less machine I have to pay for and maintain (the VPS), and I would benefit from user management and stuff. Cloudron explicitly says it needs to be the sole service installed on the machine, though (which makes sense, not complaining), so I haven't done this yet.

    Not sure this is a good enough description, but I'm here to answer any questions if needed.

    Feature Requests

  • Cloudron 9 - VPN In/Out for Containerized Apps
    M malvim

    Yeah, I did. I installed wireguard manually and my homelab computer was a peer. Used the proxy app from the App Store to point to its wireguard IP, and it worked well.

    Feature Requests

  • Cloudron 9 - VPN In/Out for Containerized Apps
    M malvim

    VPN as an external addon like databases and the like would be sweet. I've managed to have a proxy app to an internal (homelab) service by manually installing wireguard on the cloudron server, and routing just worked.

    I'm not using it like this anymore, since cloudron doesn't support maintaining external tools on the server, but I think an addon might solve this.

    Feature Requests

  • Apprise Notifications
    M malvim

    @girish yep, separate things indeed. That said, it'll be pretty useful for me, that's why I packaged it.

    About being open, yeah, I don't like that as well, but I'll try to make it work either with basic auth as they suggest (insecure, but better than nothing), or with cloudron's own ProxyAuth, not sure if it would work.

    Feature Requests notifications slack discord telelgram

  • Apprise Notifications
    M malvim

    Now that I read this thread properly, I don't think the packaged app will work as people are asking for here, which is for cloudron to use it for its own notifications. Maybe if cloudron ran it as an internal container and add-on for other apps...

    I still think it is a useful app to have packaged for Cloudron, so I'll keep working on the packaging effort.

    Feature Requests notifications slack discord telelgram

  • Apprise Notifications
    M malvim

    Hi, @girish! So, there's apprise the lib, and Apprise API, a lightweight REST API that is essentially a wrapper around apprise.

    Here:
    This is apprise the lib: https://github.com/caronc/apprise
    And this is apprise API: https://github.com/caronc/apprise-api

    The cloudron app is my attempt at packaging it, which is working fine, although it's completely open to the internet, need to think about it a bit better.

    Maybe in the next few days I can open a proper app wishlist post, to get more visibility and see what people think about it.

    Feature Requests notifications slack discord telelgram

  • Apprise Notifications
    M malvim

    Hi, everyone!

    Is there still interest in this? I took a stab at packaging it just for personal use and got it to work. And when I say "got it to work" I mean literally just got it to work:

    • initialized a new cloudron app
    • looked at apprise-api's code and other packaged apps for inspiration
    • bashed everything into submission until it worked

    I paid no attention whatsoever to documentation, production settings and the like. Also, the way it works now, there's no authentication or anything, it's just open on the internet. If anyone wants to take a look, give feedback and maybe help out on the packaging, it's here:

    https://github.com/malvim/apprise-api-cloudron-app

    Not sure what to do about authentication, maybe just use the proxyAuth addon, and keep open just the needed URLs for POSTing notifications? Have to think about that.

    Thanks!

    Feature Requests notifications slack discord telelgram

  • Running other web servers / Docker container?
    M malvim

    @andreasdueren Yes, this is the way. I've done it with a few apps I wrote, and it works great. Plus, you get backups, which is great!

    Support cli packaging

  • Picking Teams for a Tournament
    M malvim

    Put everyone’s name in, choose the “captains” and have them draft names for their teams? Is that what you have in mind?

    Off-topic team tournament gaming

  • Backup Improvements: Restic Backend
    M malvim

    Oh, nice. I'll try dry-run, then, thanks.

    Integrity checks sound like a great feature, looking forward to it.

    Thanks!

    Feature Requests backups feature-request improvement restic

  • Backup Improvements: Restic Backend
    M malvim

    @necrevistonnezr how have you been testing backups? I have a raspberry pi at home, set up with restic/rclone backups as well. Once in a while I mount one of the latest snapshots and check a bit randomly if things "look ok". I'd like to have a better system to check if backups are okay, so any pointers would be appreciated.

    On a more cloudron-related note, @girish, is there a way people test restoring backups on their cloudrons? How would one go about testing if restore will run okay when needed?

    Feature Requests backups feature-request improvement restic

  • OIDC for Nextcloud?
    M malvim

    It sure is a lot of testing for stuff that is not supported by nextcloud itself... 😞

    I myself use the nextcloud mobile app for some things. No idea how it works with OIDC...

    Nextcloud

  • "Default" way to change timezone?
    M malvim

    @girish that would be nice, and it seems to me to be more "natural" to a user, like @d19dotca mentioned. Thanks for taking a look at this!

    Discuss

  • "Default" way to change timezone?
    M malvim

    Thanks for your help, @nebulon, but it seems that's not how it works. At least not on my cloudron.
    I'm using a LAMP app, and the "Cron" item on its config page.

    This is how it looks:

    # +------------------------ minute (0 - 59)
    # |    +------------------- hour (0 - 23)
    # |    |    +-------------- day of month (1 - 31)
    # |    |    |    +--------- month (1 - 12)
    # |    |    |    |    +---- day of week (0 - 6) (Sunday=0 or 7)
    # |    |    |    |    |
    # *    *    *    *    * command to be executed
    # * 7,8 * * 1-5  /app/data/latest/main.sh >> /app/data/app.log
    

    It should fire at 7am and then again at 8am, on weekdays. And it's working, but it's 7 and 8am UTC, not on my timezone. And I've changed cloudron's system timezone to my local time.

    Discuss

  • "Default" way to change timezone?
    M malvim

    Yeah, I understand and that makes sense. Scheduled jobs are the only case in which this is kind of annoying, right? Since the container should still run in UTC, but then we should account for it when scheduling our jobs.

    Maybe I'll just find another way to schedule the jobs, since a few of them need to be run at a specific time of day (in my TZ). I guess this would be the preferred approach? Because even if I account for the difference in hours and schedule them in UTC time, there's all kinds of specifics like daylight savings and the like that would make it kind of a nightmare...

    Thanks anyway for the answers

    Discuss

  • "Default" way to change timezone?
    M malvim

    Yeah, I looked into that, but that's for the cloudron system itself. Backup and update tasks. Host machine and app containers still use UTC.

    Discuss

  • "Default" way to change timezone?
    M malvim

    Hey, guys. Happy holidays!

    So I installed a basic LAMP app in order to run a few small jobs and services I have for personal use.

    I use the scheduler for the jobs, but my server is not in my timezone, and I understand it's cloudron's policy to have everything outside applications in GMT, which makes sense. But that leads to me having to schedule stuff with GMT in mind, which is not ideal.

    Is there a way to set timezone for a specific app container, or is that done on an app-by-app basis? I'd like to not have to package and publish a cloudron app just for that, but am failing to see how to easily do this.

    Is there a "default" way of injecting environment variables? Does cloudron's base image support some set of env vars it loads from somewhere?

    Thanks!

    Discuss