RE: Change "You found a Cloudron out in the wild!" page?

I once added an wildcard A Record for *.mydomain that pointed to my box. It would show the message You found a Cloudron out in the wild! message whenever I tried to open a non-existent subdomain, like foobarbaz.mydomain.

Non-existent app:

• File /home/yellowtent/box/dashboard/dist/splash.html
• Message: You found a Cloudron out in the wild!
• To test, point foobarbaz.yourdomain to the box and visit the url.

Non-responding app:

• File /home/yellowtent/boxdata/custom_pages/app_not_responding.html
• Message: ...app is not responding...
• To test, stop the app and visit the url.

I am not sure if those files will be replaced during upgrade, but I have the following content in both of those files.

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
<!-- no such app / app not working -->
</body>
</html>

It would be cool to be able to add a custom file app_not_installed.html alongside app_not_responding.html.

Re: I am missing (real) SSO

I onboarded my entire team to Cloudron; signed up, mailboxes set up, 2FA enabled, and more. Then I realized that the 2FA setting enabled on Cloudron is useless for other apps. Some apps don't have a 2FA option yet; for example, Taiga, which we use to manage all the projects. Also, Bookstack, where all our internal docs go, supports 2FA.

I have understood how Cloudron works, and that this topic has already been discussed in the forum. I started looking for ways to leverage 2FA settings of Cloudron to protect access to other apps. I have thought of a possible solution.

After researching for a while I discovered a solution. Cloudron itself has an active directory server. We could have the users append/prepend the 2FA token with their password every time they log in; the Cloudron LDAP server would see if 2FA is enabled on the account, and if enabled, it will extract the password & 2FA code from the password input and perform authentication. This is pretty trivial because the Cloudron login page has an optional 2FA token field, and the token is only looked required if the user has enabled 2FA.

One of the service offerings I came across has a simple but complete description of this method of using 2FA with LDAP with a dynamic password. https://www.protectimus.com/blog/active-directory-two-factor-authentication/.

This feature is absolutely necessary for me, and I believe there are other people like me. Do you think we could pull this off?

Re: Swagger Editor - define REST api

I have been using Postman with my team for developing and publishing APIs for our services, but the costs are adding up pretty quickly ($15/user/month), and still no support for SSO.

I am moving to Swagger Editor, Swagger Codegen & Swagger UI, but it would be great if I could install it inside my Cloudron instance instead of paying for another server.

I noticed that your documentation makes use of Swagger, so I am sure it would be fairly easy to add support for the same.

Please don't forget to upvote if you think it's a good idea.

The comment thread on this post seems to have diverted from the original topic. I would like to comment on @marcusquinn's request for 2FA for LDAP apps. As @girish has said, we have had a long discussion about it, and the team couldn't come up with a one-size-fits-all solution. I was expecting the PASSWORD;TOTP feature in version 6 too. Here's my understanding and proposed solution:

---

1. Apps that have their own 2FA system, like Gogs, Gitlab, Wiki.JS, etc.
NOTE: I have used this trick in quite a few apps to save myself from having dozens of 2FA secrets. I simply replace the app's mfa_secret value with the secret from Cloudron (Hint: while setting up 2FA on your Cloudron account, select to enter code manually, and write the displayed secret in a piece of paper so you can copy it elsewhere).

Cloudron has access to the database so Cloudron could automate this process:

• enabling 2FA for that user in the app by authenticating as that user.
• replacing the TOTP secret in the app with the TOTP secret from the Cloudron user account.

The 2FA code from Cloudron will also work on the app, so no need to have per-app 2FA codes. But this approach has downsides:

1. The maintainer of this feature needs to keep things updated when the app's database schema changes!
2. The apps usually create a new account when the user logs in using LDAP. For the above approach to work, Cloudron should make those changes before the user's account is created on the app.

I have only done this with my own account because it's quite time consuming to replace the TOTP Secret for all users of my Cloudron instance; a script would certainly help.

---

2. Apps that do note have native support for 2FA
Proposed solutions:

• Cloudron adds a feature to support PASSWORD;TOTP as password, and validate TOTP by extracting it from the input. For this to work, all users must be informed. I wish password managers and authenticator apps had a feature to make it easier to auto-fill 2FA codes as well...
• can't think of another way, will add if I can come up with something

---

Enabling 2FA for all apps is an important feature for some users like me, because of compliance reasons & a bit of paranoia. I can't trust everyone to not fall for phishing attacks, so I really wish Cloudron team kept this feature in priority. For the time being, I'm enabling 2FA in per-app basis, and avoiding apps that don't have 2FA built in.

After around a year of using Cloudron, I have installed many apps, and now the admin interface needs scrolling. I have a really wide screen but the layout won't adjust to fill the available space (4 cols only).

If only there was a way to fit more items on the screen it would be easier. For now, supporting upto 6 or 8 rows would do.

PS: The design of the App Store would do too.

Gitlab supports adding custom gitlab.yml file (add to the Home of File Manager in the Cloudron dashboard). I am sharing a few custom configurations which I think are really important.

1. Adding the IP address of the reverse proxy 172.18.0.1 will show the real IP address of the client in Gitlab's logs. The IP address set using X-Forwarded-For by the reverse proxy. For that purpose production/gitlab/trusted_proxies parameter can be set.

2. For compliance reasons, we cannot allow users to change their username in the Gitlab instance. A setting is not available in the Admin area to prevent users from changing their usernames, but a custom flag production/gitlab/username_changing_enabled can be set.

3. While configuring 2FA with current default Gitlab installation in gitlab.example.com, the account name in authenticator apps will be shown as localhost:someone@gilab.example.com. To fix this, we can add the production/gitlab/host parameter. After this fix, authenticator apps will show the gitlab instance's domain name instead of localhost.

4. Current default Gitlab installation wills show the git-clone URL as ssh://git@localhost:port/user/repo. To fix this, we should add a custom production/gitlab/ssh_host parameter.

5. I would like to have my brand name set on the Branding -> Cloudron Name from my dashboard on Gitlab's LDAP log-in page instead of Cloudron. Simply changing the LDAP server's label production/ldap/servers/main/label did not work. So I simply copied the entire production/ldap configuration block.

Here is my custom gitlab.yml file, that fixes all the above issues.

production:
  <<: *base

  gitlab:
    host: gitlab.mydomain
    ssh_host: gitlab.mydomain
    trusted_proxies:
      - 172.18.0.1
      
    username_changing_enabled: false


  ldap:
    enabled: true
    prevent_ldap_sign_in: false
    servers:
      main:
        label: 'My Domain Login'
        host: '172.18.0.1'
        port: 3002
        uid: 'username'
        bind_dn: 'cn=**************************,ou=apps,dc=cloudron'
        password: '****************************'
        encryption: 'plain'
        verify_certificates: false
        ca_file: ''
        ssl_version: ''
        timeout: 10
        smartcard_auth: false
        active_directory: false
        allow_username_or_email_login: false
        block_auto_created_users: false
        base: 'ou=users,dc=cloudron'
        user_filter: ''
        group_base: ''
        admin_group: ''
        external_groups: []
        sync_ssh_keys: false
        attributes:
          username: ['username']
          email:    ['mail']
          name:       'displayname'
          first_name: 'givenName'
          last_name:  'sn'
        lowercase_usernames: false
      

In my opinion, Gitlab Cloudron package could add the custom file gitlab.yml to the file manager home by default, and set the the above fields in that file instead of modifying the default config file.

I am starting a new topic to keep the discussion to the point. Previous discussions are linked at the bottom of this post. This is to request Cloudron to support inline TOTP code with LDAP Password in the form password;2FCODE.

;TLDR User Stories

Admin can choose to opt-in for password:2fcode feature from Settings.
During authentication, Cloudron checks for the setting, and if enabled, splits password and 2fcode.
Cloudron performs authentication based on password and the 2fa code.

The last discussion with @girish ended with him mentioning that there's some standardization going on in the field of 2FA in custom fields of LDAP. Out of curiosity, I looked at the roadmaps of many open source projects and found that very few have any plans to standardize or even support TOTP secret through LDAP fields. I have no hopes of any standardization in the near future that Cloudron can look forward to.

I am serious about security, and mandate everyone in my team to enable 2FA whenever possible. We're also using more and more new apps, and I'm seeing mandatory 2FA in individual apps a lot of trouble to go through.

I already have 13 different entries for individual apps' 2FA codes, and the list is growing. Then there are the recovery codes of all apps written on dozens of pieces of paper - The situation is the same across the team, and it's only going to be worse when we stop using apps.

Please do something about it! Pretty, please?

More discussion on this topic:
https://forum.cloudron.io/topic/3285/2fa-for-all-ldap-apps/39
https://forum.cloudron.io/topic/2433/the-real-sso-with/1
https://forum.cloudron.io/topic/1972/i-am-missing-real-sso/1

I'm in for this too. I haven't packaged an app yet, but only because of lack of confidence. It would be awesome to see someone do it, and later be able to help others do the same!

@girish after giving some more thoughts, I don't see a reason to go through all the apps to see if they support 2FA? This only makes stuff more complicated. Even if the app supports 2FA, the Cloudron 2FA will make it redundant; so we can skip that. If someone would like to skip Cloudron 2FA they're free to use the app's own 2FA if it supports.

There could be a choice of ["Use Cloudron 2FA / Let the app handle it"] just like the choice of user management. If the first option is selected, TOTP is checked, otherwise it is not.

@humptydumpty Cloudron asks for the TOTP code on the same page, no?

Some websites show two steps in the UI, but actually send the username, password and code in a single request. Some websites ask for your username first, then display the password field, such as Google and Apple ID web. Some companies use the most common method of asking username and password at once, such as Facebook and Apple ID mobile app interface.

I don't think there's more security risk in one method than the other. If that was the case, all of them would be using the most secure way. That's exactly the same case for the TOTP code. Personally I prefer the username+password+totp in a single page because it "feels" more secure.

@girish I don't remember creating any folder myself, so I can't tell how it got created there. None of my other Cloudron instances had this issue so it might have happened somehow. I don't have any custom nginx config.

Maybe removing the tmp folder could have solved the issue without the -r flag. The error cp: -r not specified; omitting directory '/home/yellowtent/boxdata/certs/tmp' meant it couldn't copy the tmp folder because -r flag was missing. Also, I added -r because the error message hinted me to do so and it fixed the issue.

Finally, I fixed the issue by modifying the migration file. Adding -r to the cp command, and then manually restarting Cloudron /home/yellowtent/box/setup/start.sh fixed the issue for me. I'm surprised that no other Cloudron instances had this issue.

File: /home/yellowtent/box/migrations/20210505223829-blobs-migrate-certs.js Line 43:

child_process.execSync(`cp -r ${OLD_CERTS_DIR}/* ${NEW_CERTS_DIR}`); // this way we copy the non-migrated ones like .host, .user etc as well

This thread is a copy of the emails I sent to the support statff. I posted here so it might help someone else in this situation.

I am 100% sure the culprit is this file: 20210505223829-blobs-migrate-certs.js because looking at the logs, it failed to run the cp command to copy certs from /home/yellowtent/boxdata/certs/* to /home/yellowtent/platformdata/nginx/cert and failed because of the missing -r flag.

I cannot restore from backup because automatic backups were failing for the last few days, (no apps were backed up) so I will lose the last three days' worth of data. Surprisingly, all apps were working till now, but when I restarted the system the apps lost their certificates.

It seems the latest update 6.3.4 completely broke my system. This is the log that shows that the update script was broken. Currently, no user can log in (says password incorrect, even if it's correct because I use a password manager)

None of the installed apps have had a valid certificate; all apps have Self-Signed certificates. I cannot do a password reset because the email isn't working.

My Cloudron dashboard is offline, and returns an app not responding message. It seems the Cloudron app wasn't running. I tried to restart it manually, but the script got stuck. Here's the log, please assist.
PS: All other apps are running fine; only the dashboard is inaccessible.

Now all apps show an INVALID CERTIFICATE (Self Signed) error after a reboot;

root@myserver:~# /home/yellowtent/box/setup/start.sh
2021-07-09T05:17:02 ==> start: Cloudron Start
media:x:500:
2021-07-09T05:17:02 ==> start: Configuring docker
Synchronizing state of apparmor.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable apparmor
Error response from daemon: network with name cloudron already exists
2021-07-09T05:17:03 ==> start: Ensuring directories
2021-07-09T05:17:03 ==> start: Configuring journald
2021-07-09T05:17:03 ==> start: Setting up unbound
2021-07-09T05:17:04 ==> start: Adding systemd services
Synchronizing state of unbound.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable unbound
Synchronizing state of cron.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable cron
2021-07-09T05:17:07 ==> start: Configuring sudoers
2021-07-09T05:17:07 ==> start: Configuring collectd
2021-07-09T05:17:07 ==> start: Configuring logrotate
2021-07-09T05:17:07 ==> start: Adding motd message for admins
2021-07-09T05:17:07 ==> start: Configuring nginx
2021-07-09T05:17:08 ==> start: Starting mysql
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
Warning: Since password will be sent to server in plain text, use ssl connection to ensure password safety.
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql: [Warning] Using a password on the command line interface can be insecure.
2021-07-09T05:17:08 ==> start: Migrating data
cp: -r not specified; omitting directory '/home/yellowtent/boxdata/certs/tmp'
[ERROR] Error: Command failed: cp /home/yellowtent/boxdata/certs/* /home/yellowtent/platformdata/nginx/cert
cp: -r not specified; omitting directory '/home/yellowtent/boxdata/certs/tmp'

    at checkExecSyncError (child_process.js:616:11)
    at Object.execSync (child_process.js:652:15)
    at /home/yellowtent/box/migrations/20210505223829-blobs-migrate-certs.js:43:27
    at wrapper (/home/yellowtent/box/node_modules/async/dist/async.js:268:20)
    at replenish (/home/yellowtent/box/node_modules/async/dist/async.js:435:29)
    at iterateeCallback (/home/yellowtent/box/node_modules/async/dist/async.js:424:21)
    at /home/yellowtent/box/node_modules/async/dist/async.js:321:20
    at /home/yellowtent/box/node_modules/async/dist/async.js:2955:19
    at wrapper (/home/yellowtent/box/node_modules/async/dist/async.js:268:20)
    at replenish (/home/yellowtent/box/node_modules/async/dist/async.js:435:29)
    at iterateeCallback (/home/yellowtent/box/node_modules/async/dist/async.js:424:21)
    at /home/yellowtent/box/node_modules/async/dist/async.js:321:20
    at /home/yellowtent/box/node_modules/async/dist/async.js:2953:17
    at tryCatcher (/home/yellowtent/box/node_modules/bluebird/js/release/util.js:16:23)
    at Promise.successAdapter [as _fulfillmentHandler0] (/home/yellowtent/box/node_modules/bluebird/js/release/nodeify.js:23:30)
    at Promise._settlePromise (/home/yellowtent/box/node_modules/bluebird/js/release/promise.js:601:21)
2021-07-09T05:17:08 ==> start: DB migration failed

@timconsidine you can simply use the copy-recursive command to transfer files. If it succeeds delete it from the source. Simply SSH into your box ssh root@my.yourbox.com.

cp -R \
 /home/yellowtent/appsdata/<home-app-id>/data/* \
 /home/yellowtent/appsdata/<emby-app-id>/data 

# then later use the file manager to delete data from home automation, or run
rm -rf /home/yellowtent/appsdata/<home-app-id>/data/*

Below is a sample log from LAMP app. Notice the IP address, which should have been the remote IP of the user-agent. Also when the app is configured to have multiple hostnames (aliases), there's no way to distinguish which service received the request. Please fix this. Thanks!

May 10 23:22:23 172.18.0.1 - - [10/May/2021:17:37:23 +0000] "GET /path-redacted" HTTP/1.1" 301 1532 "-" "User-Agent redacted"
May 10 23:22:25 172.18.0.1 - - [10/May/2021:17:37:25 +0000] "GET /path-redacted" HTTP/1.1" 301 532 "-" "Mozilla (CloudronHealth)"
May 10 23:22:26 172.18.0.1 - - [10/May/2021:17:37:26 +0000] "GET /path-redacted" HTTP/1.1" 301 65332 "-" "User-Agent redacted"
May 10 23:22:26 172.18.0.1 - - [10/May/2021:17:37:26 +0000] "GET /path-redacted" HTTP/1.1" 301 5932 "-" "User-Agent redacted"
May 10 23:22:26 172.18.0.1 - - [10/May/2021:17:37:26 +0000] "GET /path-redacted" HTTP/1.1" 301 7532 "-" "User-Agent redacted"
May 10 23:22:28 172.18.0.1 - - [10/May/2021:17:37:28 +0000] "GET /path-redacted" HTTP/1.1" 301 5032 "-" "User-Agent redacted"
May 10 23:22:28 172.18.0.1 - - [10/May/2021:17:37:28 +0000] "GET /path-redacted" HTTP/1.1" 301 1532 "-" "User-Agent redacted"
May 10 23:22:28 172.18.0.1 - - [10/May/2021:17:37:28 +0000] "GET /path-redacted" HTTP/1.1" 301 2532 "-" "User-Agent redacted"
May 10 23:22:28 172.18.0.1 - - [10/May/2021:17:37:28 +0000] "GET /path-redacted" HTTP/1.1" 301 532 "-" "Mozilla (CloudronHealth)"
May 10 23:22:30 172.18.0.1 - - [10/May/2021:17:37:30 +0000] "GET /path-redacted" HTTP/1.1" 301 1532 "-" "User-Agent redacted"
May 10 23:22:41 172.18.0.1 - - [10/May/2021:17:37:41 +0000] "GET /path-redacted" HTTP/1.1" 301 1532 "-" "User-Agent redacted"

@murgero Thanks! That was the best option among all.. but I'm afraid it might break something because Cloudron doesn't recommend installing updates or new packages in the system.

I am trying to migrate my self-hosted email from Mail In A Box to Cloudron because I don't want to pay for a separate VPS only for mail when Cloudron has first-class email system and backup support. There are at least several GBs worth of email from ~5 years so can't lose them.

Mailinabox is configured to use RoundCube as the email client. Cloudron also has RoundCube available for installation so I'm not worried about client-level stuff like signatures, auto-replies, forwarding, filtering and stuff.

I'm asking this question because Cloudron doesn't recommend installing/upgrading the Ubuntu system. How do you recommend I move all my email accounts, or say mailboxes to Cloudron? I don't need a completely automatic system; I can re-create accounts and aliases if needed.