For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 6.2 has major upgrades to all the internal databases, improved groups management, DNS records re-sync, DoT (DNS over TLS) support, Dry run restore & more!

Database upgrades

In Cloudron 6.0, we added support for Ubuntu 20.04 Focal. In 6.2, we have now upgraded the container images of all apps and the internal addons to Ubuntu 20.04 Focal as well. The process of automatically upgrading to this new base image (v3) is extremely complex because all the databases have to be upgraded to new major version. For this, we had to check if all the apps are compatible with the newer databases and language versions. The new database versions are:

• MySQL 8
• PostgreSQL 12.6
• MongoDB 4.2
• Redis 5.0.7
• Docker 20.10.3

Improved Groups

Groups provide a convenient way to group users and control what apps they have access to.

When editing a Group, you can now select what Apps they have access to.

With the new group filter, a Cloudron admin can easily see what apps a Group has access to in the dashboard.

In previous releases, when you install a new app, the default  was to give access to all users. This meant that all your users will see a new app being installed which you might simply be trying out for testing purposes. If you have one or more groups, you have to now explicitly select the User Management option. Notice how none of the radio buttons are selected below by default.

For apps that do not support integration with Cloudron user management, the Dashboard Visibilty can now be set at install time.

Re-sync DNS records

If you change the DNS provider of a domain, you can sync up the app and email DNS records into the new provider by using the new Sync DNS button in the Domainsview.

DNS Over TLS

Cloudron manages TLS certificates and apps do not have access to them. With the TLS addon, an app can request read-only access to the TLS certificate. This allows apps to implement non-HTTP protocols.

One app that takes advantage of this new addon is AdGuard Home. By having access to certificates, it can now support DNS Over TLS out of the box. To test, you can enter your AdGuard Home installation domain straight into the Private DNS feature on Android.

On Firefox, you can set a custom DNS over HTTPS server from Options/Preferences > General > Network Settings

Dry run restore

When you restore Cloudron, Cloudron will automatically update the DNS to point to the new server. Using the Dry run feature you can skip the DNS setup. This allows you to test the integrity of your backups or get a feel of how your apps might perform if you switch the server, without affecting your current installation.

When restoring a Cloudron, simple check the Dry run checkbox. See our docs for more information.

Misc

• Add ProfitBricks (IONOS) as backup storage backend.
• If a DMARC record already exists, Cloudron will not overwrite it. This allows you to setup a custom DMARC policy to receive email reports.
• Default Referrer-policy of apps is now 'same-origin'. This prevents leakage of internal URLs when clicking external links inside the app.
• rsync backend has been enhanced to preserve and restore symlinks.
• Clean up backups button now removes missing backups.

What's coming next

Head over to our forum to learn more about what's coming in our next release - 6.3.

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 6.1 includes support for Well-known URIs, multi-domain apps, improvements to File Manager, Netcup DNS & lots of bug fixes!

There is a virtual community meetup and release party on Friday Feb. 12 18:00 CET/UTC+1 (convert to your timezone) at https://play.workadventure.cloudron.io/. See this forum post for more details.

Well-known support

Well-Known URIs are a mechanism for web protocols to discover policy and information about a host. Apps like Mastodon, Matrix, Pixelfed require Well-Known documents to be setup for federation to work.

In Cloudron 6.1, you can easily setup these URIs in theDomains view. The matrix and mastodon server location can be set per domain and Cloudron will serve up the well-known docs required for those protocols to function.

Well-known docs are also used for auto-configuring the email settings of a domain via autoconfig.xml. Cloudron now automatically serves up this file when Cloudron Email is enabled for the domain. Auto detection in email clients like Thunderbird, K-9, KMail, Evolution, Kontact should work out of the box.

File Manager Improvements

Multi-select

Files can be multi-selected using Ctrl/Cmd + Click. All operations like delete, changing ownership work on multiple files now.

Cut, Copy & Paste

Files can also be be cut or copied into different directories. You can drop files into the breadcumb bar to move it to the correct location.

Upload progress

When uploading files, there is a progress bar which shows the current files upload size and the total size to be uploaded.

Multi-domain apps

Prior to Cloudron 6.1, each app can only have a single domain. With Domain Alias support, a single app can have the ability to be associated with multiple domains.

The alias feature is only enabled for select apps since it requires apps to support multiple domains. We have already enabled this feature for apps EspoCRM, Surfer, Kutt.

To add an additional domain for an app, add an Alias in the Location view.

For example, EspoCRM can now be used to host a customer portal in a custom domain like customer-portal.domain.com. See our docs on how to set this up.

With this feature, WordPress Multi-site can become a reality on Cloudron. We will release a new version of WordPress that enabled multi-domain support next week.

Netcup DNS

If your domain is registered with Netcup, you can use Cloudron's Netcup DNS backend to manage the DNS. To get started, create an API Key and API Password for the Netcup account in your Customer Control Panel and agree to the ToS. Then, create both an API Key and the API Password.

Misc

• Apps that use the proxyAuth addon now automatically have 2FA support.
• proxyAuth addon now supports excluding some paths
• New app store categories - media, translations and federated.
• App update status indicator is persisted across server restarts.
• Mailbox search UI also searches email aliases.
• Security: turn addon has been updated to fix CVE-2020-26262
• Memory/Swap ratio for apps is now dynamically determined based on system RAM/swap ratio (in previous releases, this split was always 50-50).

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 6 includes support for Ubuntu 20.04 LTS (Focal), i18n, Volumes, Mailbox Sharing, Group Mailboxes, Mailbox Full Text Search, File manager improvements, Ad blocker apps & lots of bug fixes!

Ubuntu 20.04 LTS (Focal)

Cloudron 6 supports Ubuntu 20.04. We recommend using Ubuntu 20.04 for new Cloudron installations.

For existing installations. the upgrade to Ubuntu 20.04 is not automatic and you have to follow this guide to upgrade.

Please note that Canonical will continue to support Ubuntu 18.04 till 2022 and there is no rush to upgrade to Ubuntu 20.04 as such. Cloudron has the same feature set across all the versions of Ubuntu and it makes no difference what version of Ubuntu you run.

i18n

Cloudron Dashboard is now fully translatable! Transactional emails like the Welcome email and Password reset are translated as well. Please note that while the code has been translatable, the work of providing translations is on-going. As of this writing, German is 100% complete. French, Dutch, Spanish translations are under way. If you would like to contribute, please read about our translation workflow and sign up on our Weblate instance. Please also join our fellow translators in this forum thread.

Cloudron admins can set the default language in the Settings view. Users can also select a different language in their profile.

Volumes

Often, it is needed to give apps access to files like photos, music, movies in the server's file system. However, since apps on Cloudron are containerized, they do not have access to the server's file system. In Cloudron 6, we have added Volumes feature to allow mounting a path on the server into one or more apps.

First, create a volume from the new Volumes view. For example below, we have created a volume named music which maps to the server path /mnt/songs

Once added, the volume can be mounted on to one or more apps. In the example below, we have mounted the music volume on to the Koel music player app.

Mailbox Sharing

Users can share mailboxes with each other using IMAP ACLs. SOGo and Roundcube are per-configured to use this feature.

For example, a user can share a folder of their mail account with another user (this screenshot is from Roundcube):

The other user, can see the shared folder in their account:

Please note that Cloudron installations before 6.0 require some manual steps to make mailbox sharing work. Follow this guide to migrate.

Group Mailboxes

The mailbox owner can now be set to a Cloudron Group. When set, any member of the group can access the mailbox with their password.

Mail Full Text Search

By default, every email text search involves scanning mails over and over. With a small number of emails (< 5GB), the search performance is usually acceptable. If there are a large number of emails, the emails can be indexed to make search faster.

To enable the search index, enable Full Text Search from the Email settings:

File Manager

We have made many improvements to the File Manager.

New File

You can create an new file from the New drop down button.

Extract

zip and tar files can be extracted after uploading using the new Extract action in the context menu.

Download Directory

An entire directory can be downloaded as a zip file.

Ad Blocker

We have reworked Cloudron's internal DNS system so that apps can run DNS servers. The main use case for this is to run Ad blocker apps like Pi-Hole and AdGuard Home. For a start, we have already released AdGuard Home. Be sure to secure your installation, when using this app.

Misc

• Branding: footer can have template variables like %YEAR% and %VERSION%
• SFTP access is disabled for non-admins by default. This is a breaking change.
• Postgresql: whitelist pgcrypto extension for loomio.
• Linode DNS is now enabled in the Cloudron setup wizard.
• Log file names are more descriptive on download.
• The proxyAuth addon can be used to setup an authentication wall in front of the app. See docs for more information.
• Elasticemail is a cost-effective email relay option. You can choose Elasticemail as a relay provider in the outbound settings.
• AWS S3: Add China region
• Security: fix issue where apps could send with any username (but valid password)

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 5.6.3 is a bug fix release and we recommend updating at the earliest.

Services view

The Services view is now it's own top level view.

App state filter

You can filter apps by the current running state using the State filter.

Cloudron Version Display

The current version of Cloudron has now moved from the footer to the Settings view.

Important bug fixes

• Update docker to 19.03.12
• Fix sorting of user listing in the UI
• namecheap: fix crash when server returns invalid response
• Unlink ghost file automatically on successful login
• Bump mysql addon connection limit to 200
• Fix install issue with apps that use VAAPI addon where /dev/dri may not be present
• import: when importing filesystem backups, the input box is a path
• firewall: fix race condition where block list was not added in correct position in the FORWARD chain
• services: fix issue where services where scaled up/down too fast
• turn: realm variable was not updated properly on dashboard change
• nginx: add splash pages for IP based browser access
• gcs: copy concurrency was not used
• Mention why an app update cannot be applied and provide shortcut to start the app if stopped
• postgresql: set collation order explicitly when creating database to C.UTF-8 (for confluence)
• rsync: fix error when a file goes missing during syncing
• Automatically select the app domain by default in the redirection drop down
• robots: preserve leading and trailing white spaces/newlines

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 5.6 includes hardware accelerated transcoding support, setting a IP blocklist, server side mail signatures, changing mail server location, configurable email spam filters & lots of bug fixes!

Hardware Accelerated Transcoding

Media apps like Emby, Jellyfin can take advantage of the GPU to transcode videos. Starting Cloudron 5.6, apps can request the vaapi capability in the app package manifest to get access to hardware that supports VAAPI or QuickSync.

Emby has already been updated to make use of this new feature and updates to Jellyfin are under way. You can see the transcoding in action in Emby's dashboard. Note that you might have to install additional drivers to get transcoding to work. See our docs for debugging help.

IP Block List

Using the blocklist configuration, one or more IP addresses and/or networks can be blocked from connecting to Cloudron. You can download various country based blocklists from here and copy/paste those lists as-is into the UI.

Mail Server

In 5.6, we have added many aspects of the mail server configurable.

Mail Server Location

The location of the email server defaults to the Cloudron dashboard location my.domain.com. Starting 5.6, this can be changed in the Mail view. Cloudron will automatically setup the required DNS records (MX, SPF) for all the domains when you change the mail server location.

Email Signature

Disclaimers, confidentiality information or legalese can be appended to every outbound email via the new Signature setting. This setting can be set on a per-domain basis.

Spam Filter

Email addresses can be explicitly marked as spam in the Email view. This is a global setting that applies to all incoming mail. Beyond listing addresses, it is also possible to write custom spamassassin rules that inspect the email contents. For example, you can write a rule to filter all emails with some offending word in the email subject or body. See our docs for more information.

Mail Size

The maximum size of emails that can be sent can be set using the Maximum Mail Size setting.

Scheduler redesign

Cloudron apps use the scheduler addon to run cron jobs. In previous versions, the scheduler used to spin up a new container for each task run. This resulted in a lot of container networking churn and depending on the kernel version was causing much instability. In 5.6, we have reworked the scheduler to create the task container just once and re-use it for every subsequent run. Task containers are still completely isolated from the main app container as one would expect i.e /tmp, /run etc are totally separate.

Misc

• Dashboard: Search filter looks matches app title as well
• After activation, https://IP will not redirect to the dashboard anymore for privacy and security reasons.
• Fix issue where the long MongoDB database names was causing app indices of rocket.chat to overflow
• Backups: make upload part size configurable
• Postgres: enable uuid-ossp extension
• Linode object storage: Add singapore region
• OVH object storage: add sydney region
• S3: multi-part copies are now done in parallel. This increases upload speed by 5x.
• HTTP URLs now redirect directly to the HTTPS of the final domain

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 5.5 includes major database upgrades to PostgreSQL and MongoDB, configurable schedules for backup and updates, faster backups, option to delete mailbox data, improved handling of fallback certs & lots of bug fixes!

Database upgrades

We have updated PostgreSQL 10 to PostgreSQL 11. A number of extensions are now enabled by default - citext, btree_gist, postgres_fdw, pg_stat_statements, plpgsql.

MongoDB has been updated from 3.6 to 4.0. In the next release, we will do another upgrade to MongoDB 4.2.

This release shows one of the major strengths of using Cloudron for self-hosting apps. In the past, system administrators spent hours ensuring they had proper backups and updating databases. In contrast with Cloudron, databases upgrades are seamless and require no user intervention. Should the update fail, you can revert back with a click of a button.

Backup & Update Schedule

You can now configure the exact times at which Cloudron should perform backups and apply automatic updates.

Backup schedule is configurable from the Backups view. In the screenshot below, Cloudron is configured to do a complete backup everyday at 1AM in your Cloudron's timezone.

Updates can similarly be configured in the Settings page:

Delete Mailbox data

When deleting a mailbox, there is now an option to delete all the mails and filters inside the mailbox permanently. You can also decide to just delete the mailbox but keep the emails inside it on the server for archival purposes. Note that once you delete a mailbox, any mails sent to the address will immediately bounce (unless you have a catch all address set).

Fine tune backups

A lot of work has gone into optimizing backups and making them faster. Backups to any of the S3 providers (DigitalOcean Spaces, Scaleway Objects, AWS S3 etc) are almost 3x faster.

Backups is a complicated task and each setup requires fine tuning for optimal results depending on the amount of data being backed up and the S3 service. With this in mind, we have exposed some settings that you can use to fine tune your setup under Configure Backups -> Advanced.

A word of caution. It's best to be conservative with these settings since higher values don't necessary mean faster. Values also change dramatically between different providers. For example, DO spaces cannot handle more than 20 concurrent copies and you will hit the rate limit very quickly. AWS S3 on the other hand can handle 500 concurrent copies easily.

Misc

• The task system has been reworked. In previous releases, tasks shared the same cgroup and memory/CPU limitations of the box code. By spinning tasks now in cgroups of their own, we can configure the memory/CPU required for each individual task separately.
• The systemd target cloudron.target has been removed. To restart the box code, just use systemctl restart box now.
• SFTP and File manager now work correctly with apps that use an external data directory.
• File manager now shows directories first.
• Groups are now alphabetically sorted.
• Dark mode contrast issues in various views like Email view  has been fixed.
• Route53: fix issue where validation failed when account has more than 100 zones.
• We have updated our GPG signing keys (the old ones were expiring).

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

Johannes: Please introduce yourself

Meike: I am a consultant and co-founder of the Company Without an Interesting Name (CoWAIN). We are designing and creating web applications with a strong focus on open source software, combined with data security and safety.

Meike, please tell us which products you used before you came to Cloudron

Related to Cloudron apps, we've been using self-hosted software like RocketChat, NextCloud, LibreOffice, GitLab, OpenProject - to name just the major ones. Sometimes customers or partners invited us to Google Docs, Jira, or their Slack channel. We are so focused on free and open source that in those moments it somehow feels awkward to consent to that.

What was your reason for using Cloudron?

Besides reducing the maintenance effort for our self-hosted solutions: the possibility to easily try out other FOSS tools like a shared password storage, a newsletter tool, or CRM.

Conformance to GDPR is a unique selling proposition for us, therefore we only use web services that are under our own control. The campaign of the Free Software Foundation Europe is so true: "There is no cloud, just other people's computers". It gives me pains to see how carelessly many web agencies use free-of-charge web applications in their teams and with their customers although they have signed non-disclosure agreements. They might have had their reasons (software administration) back then. But having heard of Cloudron, this is no excuse any more.

What do you like most about Cloudron?

Clearly: "admin inside". The discussions about introducing a new team tool and maintenance capacities are gone for good. Plus the Cloudron team is very friendly and responsive. Truly "community people".

Which apps do you use on Cloudron?

• Rocket.chat for team communication
• Nextcloud for archiving files and sharing folders with our customers
• OnlyOffice integration in NextCloud for collaborative usage of text documents and spreadsheets
• GitLab for development versioning and issue management
• CodiMD for quick collaborative text drafts
• PrivateBin mainly for one-time password reveals
• Kimai for time tracking
• BookStack for documentation management
• OpenVPN for virtual private networks
• Rainloop Webmail to avoid port restrictions in some places

Maybe more to come.

Thank you, Meike

Thank you, Cloudron team :-)

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 5.4 adds a dark mode, file manager, Mandatory 2FA, Backblaze B2 support & lots of bug fixes!

Features

Dark Mode

The new Dark Mode brings a beautiful dark color scheme for the Cloudron Dashboard. This new look is easier on the eyes and helps reduce eye strain. The dashboard automatically uses this new look when the OS switchesto dark mode. You can also turn on dark mode per-site using a browser extension like Dark Reader.

File Manager

File Manager allows you to create and modify application files straight from the browser. The File Manager can be access from the Console section of any app.

Clicking on the File Manager button will open a new window:

File Manager supports the following actions:

• Creating new files and folders
• Uploading new files and folders
• Edit files (just click on the file). There is also basic syntax highlighting for the file
• Basic operations like download/rename/delete file (right click on file name)
• Change ownership of file (right click on filename)

Mandatory 2FA

Admins can now require all users to set up two factor authentication. When enabled, all new users will be forced to setup a 2FA during sign up. Existing users will be forced to setup 2FA when they login or reload the dashboard page.

When users login, they will see a modal dialog like below:

Lock user profiles

Admins can now disallow users from changing their email and full name. When locked, the user's profile becomes readonly like below (the edit buttons are missing):

Backblaze B2

Backblaze B2 recently announced support for S3 compatible APIs. Thanks to this new feature, we have added Backblaze B2 as a backup destination.

Enhancements

Univention Directory

We have added support for synchronizing users and groups from a Univention Directory server. To configure, go to the Users view and select Univention in the external LDAP configuration.

Ping capability

In Cloudron 5.2, we dropped NET_RAW caps from containers to prevent them from sniffing internal network traffic. This, however, prevented apps from making ICMP requests as well. We have added a new ping capability in the manifest to allow apps like Statping to make ICMP requests.

Security

Nginx

The nginx packages in Ubuntu 18 are lagging behind. For this reason, we now use the latest stable packages from the nginx project directly. We have updated nginx to 1.8 for various security related fixes in this release.

In addition, we have started hiding the version of nginx in HTTP responses.

Misc

• Fix bug where aliases were displayed incorrectly in SOGo
• Bump max_connection for postgres addon to 200
• The mailbox and the mailing list views now have pagination and search support.

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

If you like running apps using Cloudron, please share your experience on social networks, youtube and other sites to earn account credit.

How it works

When someone subscribes to Cloudron using your referral code, you will get a $30 service credit. The referred person will get a $30 credit as well.

Your referral code

To get your referral code, login to cloudron.io and go to the 'Referral' section. Here's a direct link.

Using your code

When a customer sets up a subscription, they can fill in your referral code and the credits will be immediately applied.

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

Girish: Please introduce yourself.

Tobias: My name is Tobias Bähr and I'm working for the Gesellschaft zur Entwicklung von Dingen (Company for the Development of Things) as a software developer. We are a Berlin-based company with 6 employees and a lot of freelancers and partner companies.

We are strong in technology consulting and planning, especially in free and open source software. But we also develop a lot of web applications for customers (and for ourselves).

Tobias, please tell us which products you used before you came to Cloudron.

One of our last technology stacks was based on a private cloud. We used OpenNebula, Rancher, and a hell of a lot of automation scripts. Parts of that stack we are still using today for custom projects.

Ah I see. What was your reason for using Cloudron?

For our consultance business it's necessary to know a lot of FOSS apps, therefore we always install a lot of those. However, security issues are a concern for us. We would not want to have abandoned installations around.

We stumbled upon Cloudron and started with a small trial. What was most appealing to us was the prompt updates. Obviously because of that, Cloudron now is our first choice.

What do you like most about Cloudron?

A few weeks after our initial try, I realized that Cloudron is the missing piece in our stack.

In our development workflow it's important for us to show customers the results from a feature branch. But before Cloudron, it was difficult to create a stage environment for customers to empower their quality assurance. Especially when we have several parallel feature branches.

Today our workflow looks like this:

• Add the code base of the project into a prepared Cloudron base image
• Push it into our private docker registry (Gitlab)
• Use the Cloudron-CLI to start the app or remove it, after the branch was merged or deleted

All done via the CI of Gitlab

Tasks like obtaining a certificate, binding it to LDAP user directory, and supporting non-technical staff through the Cloudron dashboard are all done by Cloudron magic. We love it.

Which apps do you use on Cloudron?

We have several instances of Cloudron. As I said before, one instance serves our staging environment, another instance is more a playground for new apps and a third one is used by our company for collaborative work. On those we use the following apps:

• Rocket.chat: for our internal company communication.
• Nextcloud: for sharing documents in our company and with customers
• ONLYOFFICE & Collabora: to replace Office 365
• Bookstack: as our internal wiki
• Wekan: as our Kanban board
• OpenProject: as our project management tool
• Kimai: for timetracking
• EspoCRM: for contacts
• InvoiceNinja: for invoices
• CodiMD: a wonderful piece of software for notes and meeting minutes
• Surfer: for some websites
• Commento: for some static website content
• Matomo: to replace google analytics

Thank you, Tobias!

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 5.3 adds new NFS/SSHFS/CIFS storage backends, LDAP groups synchonization, Dashboard optimizations & lots of bug fixes!

Features

NFS/SSHFS/CIFS

We have added three specialized file systems backends for backups - NFS, SSHFS and CIFS. These backends check that the backup path is mounted properly with the correct flags before performing the backup. This prevents issues where Cloudron might inadvertently backup to the local file system when the external storage is not mounted.

See the docs for detailed information on how to mount these filesystems on the server.

LDAP Groups Synchronization

The LDAP connector allows users from your existing LDAP or active directory to authenticate with Cloudron.

In 5.3, you can optionally sync LDAP groups as Cloudron groups. LDAP group membership will be carried over to Cloudron users as well.

Unaccent extension in PostgreSQL

unaccent is a text search dictionary that removes accents (diacritic signs) from lexemes. We have enabled the unaccent extension in the PostgreSQL addon. Apps like Peertubecan take advantage of this extension to provide accent-insensitive processing for full text search.

Enhancements

Dashboard

In previous versions, Cloudron Dashboard would load excruciatingly slowly if you had a large number of apps. In addition, it would poll a lot to get the status of the apps. We have done a lot of optimizations this release to ensure the Dashboard not only loads fast but also downloads much lesser.

We have re-designed the App Store view to be more compact and load faster as well. You can now search for popular SaaS and find alternate apps (for example, try 'github' or 'slack').

Backup cleanup policy

The backup cleaner removed old backups based on the backup policy. This cleaner has undergone various changes.

The following are some of the important rules that are followed by the backup cleaner:

For installed apps and box backups, the latest backup is always retained regardless of the policy. This ensures that even if all the backups are outside of the retention policy, there is still atleast one backup preserved. This change also ensure that the latest backup of stopped apps is preserved when not referenced by any box backup.

For uninstalled apps, the latest backup is cleaned up as per the policy.

Finally, if the latest backup is already part of the policy, it is not counted twice.

Errored and partial backups are cleaned up immediately.

nginx

nginx logs are available in the services view.

We have also updated the nginx config to support higher loads. Specifically, we have optimized worker_rlimit_nofile, worker_processes and worker_connections configuration in nginx.

S3 API

Amazon S3 will no longer support path-style API requests starting September 30th, 2020. As a result of this deprecation, we have moved all S3 compatible providers to now use vhost style API requests. This includes Digital Ocean Spaces, Exoscale SOS, Linode Object Storage, OVH Object Storage, Scaleway Object Storage & Wasabi.

Minio backups will continue to use the path-style API requests since the typical setup here is to not have a subdomain for each bucket.

We have also added a Region field to S3 API Compatible providers. This is required for providers like Yandex Object Storage.

cloudron-setup

The cloudron-setup script does not require the --provider argument anymore. You can now install Cloudron on a Ubuntu Bionic 18.04 x64 server and run the setup script without arguments like this:

wget https://cloudron.io/cloudron-setup
chmod +x ./cloudron-setup
./cloudron-setup

Note that the --provider flag is still required if you want to install older versions of Cloudron.

Misc

• Cloudron mail server now sets the Auto-Submitted header for bounce emails. This feature allows apps like FreeScout to skip sending an auto-reply.
• Fix issue where PostgreSQL and MySQL addons would timeout when restoring very large backups.
• Fix crash when redis config was set
• Update schedule was unselected in the UI
• mail: make authentication case insensitive
• Do not count stopped apps for memory use

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 5.2 adds EC certs, Member only mailing lists, Inter-domain mail aliases, OVH storage backend, App graphs & more!

Features

Members only mailing list

Internal or closed mailing lists can be marked as members only. This way an outsider cannot send mails to this list and will get a bounce. This feature is also useful in blocking spam from external email addresses.

Inter-domain aliases

We have enhanced the email alias functionality to allow aliases across domains.

Redis status

The status of Redis is now available in the Services view. Like other services like MySQL, one can view the logs of Redis, adjust the memory limit and restart the service.

Note that unlike other services like MySQL which are shared across apps, each app gets it's own Redis (this is because redis does not support multi-tenancy).

Backup retention policy

A good backup policy is to thin out backups based on their age. Our current rentention policy used to simply prune backups based on their age. In 5.2, you can decide to keep a specific number of daily, weekly, monthly and yearly backups. For example, a backup policy of "3 daily, 4 weekly, 6 monthly" means to keep a single backup for each day for the last 3 days, single backup for each week for the last 4 weeks and single backup for each month for the last 6 months.

Enhancements

Backup config

To restore Cloudron from a backup or to migrate an app to another instance, you have to make a note of the backup id, storage location, storage format and other details. We have noticed that this task is error-prone and awkward. To help this process, we have made the backup configuration downloadable as a JSON file. This file can be uploaded into the Cloudron Restore UI or the App Import UI and it will fill up all the form fields (except the backup passphrase and any secret access keys).

For example, let's see how to migrate an app to another Cloudron instance. First, download the backup configuration corresponding to the backup:

Then, upload the configuration into the app import UI of the other Cloudron instance:

OVH Storage Backend

OVH announced support for S3 API in it's Object Storage Clusters. We have added support for OVH Storage as a backup destination.

App graphs

Per app memory and disk usage is now available in the Graphs section of each app:

Box Backup listing

Cloudron has 2 types of backups - app backups and box backups. App backups are listed in the Backups section of each app. Box backups are full server backups that include all the Cloudron configuration (users, apps, domains, mailboxes etc). Box backups also contain a "link" to all the app backups at that point in time.

You can view the list of all box backups in the new Backup listing UI:

Clicking on a backup will show the list of apps it contains:

There is also a 'Cleanup Backups' button that will remove old backups based on the retention policy. Note that this is done automatically but might be useful if you change the retention policy and want to run the cleanup immediately.

Security

EC Certs

Elliptic Curve certificates (ECC) are those whose public key uses elliptic curve cryptography. They are step up from the RSA public keys because they are stronger, faster and use less power. ECC combined with cipher suites can provide perfect forward secrecy (PFS) - an assurance that even if the encrypted traffic was recorded, it cannot be decrypted even when the private key is compromised in a future date.

Cloudron now requests EC certs from Let's Encrypt by default. All existing installations will get updated to use EC certs at certificate renewal time.

If you inspect the certificate in Firefox, you will see:

The supported cipher suites (for PFS):

All Cloudron apps should get an A+ on Qualys SSL test:

Sandboxing

Cloudron uses container technology (via Docker) to run apps sandboxed from one another. Further more, apps are provided access to the file system and databases in a fashion where they cannot tamper with each other. In 5.2, we have hardened the sandboxing further by preventing apps from sniffing any internal network traffic by droppping the NET_RAW capability. Thanks to @willfor reporting this!

Backup encryption

Cloudron supports encrypting backups using a password. This feature was written with a very simplistic approach - it's goal was merely to obfuscate than to be bullet proof. However, an important security concern was raised that given enough resources and access to all the encrypted backups, one could potentially find the key.

In 5.2, we worked with @mehdi to make our backup encryption much more secure. A quick summary of the changes:

• Backups are encrypted using AES-256-CBC.
• Backup Password is not stored in the database anymore. We derive keys using scrypt from the passphrase.
• Per-file and per-filename IV.
• Per-file HMAC digest to authenticate the encryption.
• Most importantly, old backups are not compatible with the newer format. If you want to restore an app from a backup that uses the old format, you can follow this guide.

You can read more details about the encryption file format and CLI tooling here.

Misc

Changes to Update Strategy

When we make a new app package release, we do not immediately make it available to all users. We roll it out gradually over the course of the week. This approach lets us minimize the impact of a bad update. Cloudron's update model allows us to revoke existing packages or roll out new patch releases overriding the previous package.

If you wanted to update to the new app package instantly, the only way was to contact us so that you are part of next rollout. Several users have expressed interest in being able to update instantly without the overhead of contacting us.

Starting 5.2, if you click the 'Check for Updates' button, you will always get the latest update (app update or Cloudron update). We have changed our update model such that our roll out only applies to automatic updates.

Stopped apps

Stopping an app will now also stop dependent services like redis. This change in behavior means that Cloudron cannot take a backup of a stopped app because the backup code relies on all services to be running. Instead, the code will simply re-use the last known good backup of the stopped app. For this reason, it is recommended to trigger a backup before stopping the app.

Other notable changes

• Fix bug in disk usage sorting
• Mail: allow an external MX to be set
• Ensure stopped apps are getting backed up
• Spam: large emails were not scanned
• Graphs: fix issue where large number of apps would crash the box code
• Add new wasabi s3 storage region us-east-2
• Mail: Fix bug where SRS translation was done on the main domain instead of mailing list domain

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

While native support for OAuth has recently been removed from Cloudron users can still utilise OAuth 2 and OpenID Connect (oidc) to authorize users thanks to the built in OpenID Provider of the Kopano Meet app.

Under the hood Kopano Meet uses OpenID Connect to sign users into the application and this functionality is provided through Kopano Konnect, which is bundled inside of the app and pre-configured to allow Cloudron users to login. This article will show how to extend the configuration of Kopano Konnect to allow other apps to make use of OpenID Connect.

Requirements:

• Cloudron 5.1
• Installation of the latest version of Kopano Meet
• Nextcloud app
• "Social Login" app installed within Nextcloud

Nextcloud only serves as an example most users will probably already be familiar with, any other app allowing login through oidc can be configured in a similar way.

In the below configuration snippets I am going to use the domain meet.9wd.eu for my Kopano Meet installation and cloud.9wd.eu for my Nextcloud installation. Make sure to use your actual domain names during the configuration.

Extending the configuration of Kopano Konnect

To modify the configuration of Konnect you need to login at your Cloudron dashboard (which is usually available at https://my.your-comain.com) and open the terminal view of the Meet app (Look for "Console Access" in the settings of Meet). Here you need to open /app/data/konnectd-identifier-registration.yaml in an editor and add the following text to the end of the file:

- id: cloud.9wd.eu
  application_type: web
  name: Nextcloud Cloudron
  trusted: true
  redirect_uris:
  - https://cloud.9wd.eu/index.php/apps/sociallogin/custom_oidc/CloudronMeet

Important: the redirect url must match the "internal name" specified during the social login configuration later on

After the file has been modified restart Konnect by running supervisorctl restart kopano-konnectd (alternatively the whole  meet app could be restarted, but this is faster).

The rest of the configuration is done inside of Nextcloud.

Configuring Nextcloud for SSO with OpenID Connect

To configure Nextcloud for oidc you first need to login with an admin level user and install the "social login" app inside of Nextcloud. After the app has been installed you have go into its settings (which are located at https://cloud.9wd.eu/settings/admin/sociallogin) to configure it.

I recommend to have the following general configuration settings set in the app:

• Disable auto create new users
• Allow users to connect social logins with their account

This will mean that new users will first need to login through the "traditional" Nextcloud login and then from within their user settings link their oidc login to Nextcloud. This will be further explained once oidc is generally setup in Nextcloud.

Further down in the settings add your own "custom OpenID Connect" provider. You need to fill in the following values:

• Internal name: CloudronMeet
• users won't see this name, but it needs to match with the redirect_uris in konnectd-identifier-registration.yaml
• Title: Kopano Konnect (Cloudron)
• This is what the end user will see. The name should be something the user can relate to
• Authorize url: https://meet.9wd.eu/signin/v1/identifier/_/authorize
• Needs to match the domain the Meet app was installed on. Values can be retrieved from https://meet.9wd.eu/.well-known/openid-configuration
• Token url: https://meet.9wd.eu/konnect/v1/token
• User info URL (optional): https://meet.9wd.eu/konnect/v1/userinfo
• Logout URL (optional): not required to be filled out
• Client Id: cloud.9wd.eu
• Client Secret: some-password
• this value is not verified in the OpenID provider configuration, but needs to be specified anyways
• Scope: openid profile email konnect/hashed_sub
• Groups claim (optional): I have left this empty
• Button style: OpenID
• Default group: None

Once this is setup log out with your admin user account and you will see another login button on the Nextcloud login page titled "Kopano Konnect (Cloudron)".

Linking your Nextcloud user to oidc

Before the user can use oidc to log into Nextcloud, he need to link his existing Cloudron user to it. For this log into Nextcloud like you have done in the past and afterwards go into the settings of the user. Here you will now find an option called "social login" (the url will be similar to https://cloud.9wd.eu/settings/user/sociallogin).

Users need to manually connect their existing Nextcloud account with the oidc identity.

At this menu item you will find a section called "Available providers" with a button underneath that will read "Kopano Konnect (Cloudron)". Click this button once to link your Nextcloud account to your new OpenID identity. In case you have previously not been logged into Meet you will be asked for your credentials for this (which are your normal Cloudron credentials).

Once your Nextcloud account has been linked you can easily switch between Nextcloud and Kopano Meet without having to login again.

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 5.1 adds a TURN service that makes it possible to have completely private peer-to-peer (P2P) voice and video calls. We have added support for running decentralized federation apps like Mastodon & Matrix Synapse. This release also has graph improvements, support for ECC certs, mail eventlog filter, security enhancements & more.

TURN Service

One of our primary goals with the 5.1 release was to support voice and video apps on Cloudron. Modern conferencing apps use WebRTC to transfer voice, video and data between peers. A necessary component to provide completely private P2P is to have a self-hosted STUN/TURN service. In layman terms, a TURN service helps two parties make a connection with each other. When a direct connection cannot be made (due to firewalls), it acts as a relay between those two parties.

Cloudron 5.1 has a built-in TURN service implemented with coturn. Apps implementing WebRTC can use the turn addonto configure themselves.

We have already updated 4 apps to use this new functionality:

• Kopano Meet - P2P voice and video calls. Thanks to Felix of Kopano's team for helping us out!
• Nextcloud Talk - P2P voice and video calls
• Matrix Synapse - Decentralized communication
• FilePizza - P2P file transfer

Note that the current apps are best suited for small groups of 3-5 users. We are working on packaging apps like Jitsi and Big Blue Button for larger groups.

Mail Eventlog

The mail eventlog now has search and filter options.

Disk Graphs

Disk graphs are now sorted by usage.

Further, apps that have automatic backups disabled are now listed in the Backups view:

Thanks to @d19dotca for these suggestions!

Security improvements

We have various security related improvements:

We have dropped support for TLSv1 and TLSv1.1. Qualys recently starting capping these insecure protocols to B grade.

Elliptic Curve Cryptography or ECC certs provide greater security and perfect forward secrecy with a smaller key size. You can now upload custom ECC certs for each domain in the Domains view. Recently, Let's Encrypt has also started issuing ECC certs. In the next release, Cloudron will start installing ECC certs from Let's Encrypt automatically. Thanks to @zerononcense for reporting and testing this functionality.

The docker addon allows apps to create containers by accessing the docker daemon. With an incorrectly packaged app, it is possible for a normal Cloudron user to break out of Cloudron's app sandbox and become a Cloudron admin. For this reason, apps that use the docker addon can only be installed/updated/exec'ed by the Cloudron owner. In addition, we have implemented a docker proxy service that restricts the container operations that the app can do. Thanks to @iamthefij for bringing this up.

Password reset and new user invite tokens are now only valid for a day.

Custom .well-known URLs

We have recently released new apps like Mastodon and Matrix. These apps require well-known URIs to be setup for federation to work. This release allows you to setup .well-known documents for apps hosted on Cloudron. See the docs for more information.

Other notable changes

• mail: fix bug with listing of >25 mailboxes and aliases
• branding: make the login page title show cloudron name
• mail: fix incorrect eventlog db perms

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.

For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.

Cloudron 5 adds User roles, App passwords, Mail Eventlog & usage, Import UI for apps, Linode integrations, Branding UI & more.

User Roles

In Cloudron 4, there were only two kinds of users - admin & normal user. In Cloudron 5, we have added roles to restrict the permissions of a user.

There are four roles: Owner, Admin, User Manager & User.

An Owner is the person who set up the Cloudron and is in charge of server administration and subscription management. An Owner has the sole permission to configure backups, and the branding.

An Admin can install apps and invite users.

A User Manager can add & remove users and groups.

Finally, a normal user can login to the dashboard and use the apps that they have access to.

The role can be assigned from the Users page.

Important: This release marks the first created admin user as the sole owner. This owner can grant owner permissions to other users. Please see this forum post for more information.

Branding UI

An Owner can configure the look and feel of the Cloudron dashboard. For a start, the following bits can be customized from the new Branding view.

• Cloudron Name
• Cloudron Logo
• Footer
• App not responding page

We will add support for providing a custom color scheme/css in a future release.

App Passwords

Cloudron Apps are packaged and maintained by the Cloudron team & community. We ensure that the apps are packaged securely and do not leak sensitive information.

However, many of the apps are accessed using Mobile & desktop clients that require a password to login. Using the password in a 3rd party app is a potential security risk. A password leak by the client will end up compromising Cloudron because other apps use the same password as well.

We have implemented the App Passwords functionality for this reason. If you are trying out a new mobile or desktop app from an untrusted vendor, you can generate a password that provides access to a specific app. This way your main password does not get compromised.

Another use case for App Passwords is to create SFTP credentials for non-cloudron users (this requires Cloudron 5.0.6).

App passwords can be managed in the Profile view.

Linode

Linode is a popular VPS provider for installing Cloudron. You can now store backups on Linode’s Object Storage.

We have also integrated Linode DNS Managerfor automated domain setup.

As of this writing, Linode DNS average propagation time is 30 minutes. Installing apps & getting a Let's Encrypt certificate will thus take a while. We are working with the Linode team to get this sorted out.

Import UI

It is now incredibly simple to move an app from one Cloudron to another. First, take an app snapshot in the source Cloudron. Make note of the backup id (click the copy to clipboard icon). Then, install a new app in the target Cloudron. Make sure the package version matches with the original one. After installation, go to it's Backup section and use the Import button.

Mail Eventlog

Mail server activity can now be monitored using the Eventlog UI in the Email page.

Mailbox Usage

Per domain disk usage information is now available in the Email UI.

Per mailbox disk usage information is also available.

Spam Training

Cloudron mail server maintains a per-user spam database. It automatically trains this database when user marks an email as spam (or not). However, an important component that was missing was re-inforced learning where the spam filter is periodically (re)fed spam and ham emails from the user's mailbox. There is now a daily cron job that trains the spam filter using emails from the user's mailbox. No configuration is required, it's completely automatic.

Other notable changes

• Show backup disk usage in graphs
• Display timestamps in browser timezone in the UI
• mail: Add X-Envelope-To and X-Envelope-From headers for incoming mails
• Fix potential previlige escalation because of ghost file (thanks to @iamthefij for reporting this)
• Add app start/stop/restart events in event log
• Use the primary email for LE account

Install or update Cloudron

New to Cloudron? Get started for free by running with 3 simple commands on your server.

To update an existing installation, simply click on the 'Update now' button on your dashboard.

Comments?

Comments/Suggestions/Feedback? Use our Forum or email us.