Cloudron Forum

@girish Gotcha but as long as I don't do that, I should be gtg. Im just thinking of a script that does 3 things.

Grabs all the IP's from emerging threats block list Grabs all the 403/404's from access logs sends them to greynoise to check if they are known "noise" and then Add both of these IP groups to that file and restart the service.

NVM I found a thread that answer this. Based on my current understanding, the cloudron dashboard shows cloudron package updates. For wordpress core in developer edition we have to control that update.

@Mastadamus a good starting point is to visit one of the many WordCamps -> https://central.wordcamp.org/

@Mastadamus not yet, no. I think it's quite low priority, it needs a lot of testing/changes to support http. Cloudron is designed everywhere to be secure (https) by default, making this complicated.

I haven't had a chance to finish the overall guide for the cloudron specific part but I completed a guide for installing OpenCTI with Traefik, Elasticsearch, and lots of plugins. I also have a complete docker-compose for OpenCTI, Elasticsearch cluster with X-Pack security, and multiple plugins as well as LDAP integration. you can find it here

OpenCTI install guide
https://dev.azure.com/Mastadamus/OpenCTI/_wiki/wikis/OpenCTI.wiki/3/OpenCTI-with-Traefik-Reverse-Proxy

OpenCTI GIT that contains my templates
https://dev.azure.com/Mastadamus/_git/OpenCTI

If you just want to skip to how you integrate LDAP with OpenCTI docker-compose I will paste examples below

- PROVIDERS__LDAP__STRATEGY=LdapStrategy - PROVIDERS__LDAP__CONFIG__URL=ldaps://Your.Domain.Name:636 - PROVIDERS__LDAP__CONFIG__BIND_DN={{`cn=admin,ou=system,dc=YourLDAPserverName`}} - PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=XXXXXXXXXX - PROVIDERS__LDAP__CONFIG__SEARCH_BASE={{`ou=users,dc=YourLDAPserverName`}} - PROVIDERS__LDAP__CONFIG__SEARCH_FILTER={{`(cn={{username}})`}} - PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail - PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=givenName - PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true - PROVIDERS__LOCAL__STRATEGY=LocalStrategy

@jk yeah I saw that. I just wanted to put it formally in app wishlist

@Mastadamus yes, reverse proxy is implemented in next release (7.3) - https://forum.cloudron.io/topic/6655/what-s-coming-in-7-3/21

@Mastadamus From the earlier screenshot you posted, the issue seems to be "Could not establish chain of trust". So, I would investigate that angle (which is DNSSEC related)

@girish I'm not. I'm self hosting. It's running on a Ubuntu 20.04 Server install on a Synology 1517+ with Intel Processor. It's got 4 Cores and 6GB of memory for now.

This happened to me to, and I had to do a full reboot to get the apps back up.

@wind-gmbh FWIW, we don't use the upstream distro packages. We use the packages straight from nginx.org since they provide better security fixes - https://nginx.org/packages/ubuntu/pool/nginx/n/nginx/ . Looks like https://nginx.org/packages/ubuntu/pool/nginx/n/ is the pre-built modules they have.

@robi good point, I have put a warning up front.

@mastadamus thanks so much for investigating. I have removed it for next release (7.1) - https://git.cloudron.io/cloudron/box/-/commit/6492c9b71f80120413ff4ae7eefa2f03dc96ea0f

@girish ah i didnt even notice bevause of all the 4j notices my eyes where too open 🐶

thx for looking at this anyway

@mastadamus Can you add that as a feature request and mention this thread?

@nebulon said in Add Modsecurity NGINX WAF:

@mastadamus I don't know much about this plugin/addon for nginx, but it kinda seems to be only part of Nginx Plus, which we are not using in Cloudron. Also if that matters here, the main nginx is only used as a reverse proxy.

I understand. Thank you for your answer.

@d19dotca I agree. Would be lovely!

@mastadamus right, the spamlists won't work if those lookups get blocked. Currently, if the lookups fail, the mail server will simply go ahead and try to detect spam via spamassassin. It's just one of the metrics for spam detection. I guess it's fine if it's working OK for you without it .