I made this account specifically so I can describe a gaping Cloudron security hole without further endangering any refugees. Anyone assisting those fleeing a war zone is liable to receive attention from the intelligence services of their state of origin.
I installed Cloudron on a system and configured it to work behind Cloudflare. Cloudron gets Cloudflare API access and manages DNS. The firewall on the machine is set to only permit http/https from Cloudflare's known IP prefixes.
There are certain applications, WHM being the one I noticed, where Cloudron will configure Cloudflare for DNS only. There is no warning that you're about to expose the public IP of your system; it just does it. This is catastrophic exposure, even if the system does not respond.
Once the public IP is known, the system is exposed to denial of service and intrusion attempts. An attacker can easily find all IP prefixes in use at the hosting facility and provide similar attention to every other system there. Even if the Cloudron host is secure, the attacker will find systems that are not secure, and use this to encourage the hosting firm to cancel the service of the intended victim.
If this is something that can be handled with a configuration within the system, it should be made MUCH more obvious. An alert should happen for any change that will expose the IP address of a system configured for Cloudflare. If there is no way to enforce a Cloudflare-only policy, that reveals an astonishing poverty of imagination on the part of the developers.
I'm going to go look at some things, but I suspect that later today I'm going to have to inform the board that we had a dangerous leak, and that this forces us to change hosting providers.
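
The kind of alert the post asks for can be run against the zone itself, outside Cloudron. This is an added example, not part of the original post and not Cloudron code: it scans records shaped like the Cloudflare API's DNS record listing (fields `type`, `name`, `content`, `proxied`) for DNS-only entries that reveal the origin IP, directly or through an unproxied CNAME/MX. The hostnames, addresses and sample records are constructed, and `find_origin_leaks` is a hypothetical helper name.

```python
import ipaddress
import json

# Constructed sample shaped like the "result" array of a Cloudflare DNS
# record listing. Names and IPs are made up (documentation ranges).
SAMPLE = json.loads("""
{"result": [
  {"type": "A",     "name": "my.example.org",     "content": "203.0.113.10",    "proxied": true},
  {"type": "A",     "name": "whm.example.org",    "content": "203.0.113.10",    "proxied": false},
  {"type": "CNAME", "name": "panel.example.org",  "content": "whm.example.org", "proxied": false},
  {"type": "CNAME", "name": "www.example.org",    "content": "whm.example.org", "proxied": true},
  {"type": "MX",    "name": "example.org",        "content": "mail.example.net"},
  {"type": "A",     "name": "status.example.org", "content": "198.51.100.7",    "proxied": false}
]}
""")

def find_origin_leaks(records, origin_ips):
    """Return sorted (name, type, reason) for records that reveal an origin IP."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    leaking, findings = set(), {}
    # Pass 1: DNS-only (unproxied) address records holding the origin IP itself.
    for r in records:
        if r["type"] in ("A", "AAAA") and not r.get("proxied", False):
            if ipaddress.ip_address(r["content"]) in origins:
                leaking.add(r["name"].lower())
                findings[(r["name"].lower(), r["type"])] = "DNS-only record holds origin IP"
    # Pass 2: unproxied CNAME/MX records whose target is a leaking name.
    changed = True
    while changed:  # repeat until stable so CNAME chains are followed
        changed = False
        for r in records:
            key = (r["name"].lower(), r["type"])
            target = r["content"].lower().rstrip(".")
            if (r["type"] in ("CNAME", "MX") and not r.get("proxied", False)
                    and target in leaking and key not in findings):
                leaking.add(key[0])
                findings[key] = "points at exposed name " + target
                changed = True
    return sorted((n, t, why) for (n, t), why in findings.items())

if __name__ == "__main__":
    for name, rtype, why in find_origin_leaks(SAMPLE["result"], ["203.0.113.10"]):
        print(f"ALERT {rtype:5} {name}: {why}")
```

Run on a schedule against the live record listing, any non-empty result is the warning that was missing when the WHM record was created as DNS only.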