We are happy to announce the release of Cloudron 5.2!
For those unaware, Cloudron is a platform that makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server and keep them up-to-date and secure.
Cloudron 5.2 adds EC certs, Member only mailing lists, Inter-domain mail aliases, OVH storage backend, App graphs & more!
Internal or closed mailing lists can be marked as members only. This way an outsider cannot send mails to this list and will get a bounce. This feature is also useful in blocking spam from external email addresses.
We have enhanced the email alias functionality to allow aliases across domains.
The status of Redis is now available in the
Services view. Like other services like MySQL, one can view the logs
of Redis, adjust the memory limit and restart the service.
Note that unlike other services like MySQL which are shared across apps, each app gets it's own Redis (this is because redis does not support multi-tenancy).
A good backup policy is to thin out backups based on their age. Our current rentention policy used to simply prune backups based on their age. In 5.2, you can decide to keep a specific number of daily, weekly, monthly and yearly backups. For example, a backup policy of "3 daily, 4 weekly, 6 monthly" means to keep a single backup for each day for the last 3 days, single backup for each week for the last 4 weeks and single backup for each month for the last 6 months.
To restore Cloudron from a backup or to migrate an app to another instance, you have to make a note of the backup id, storage location, storage format and other details. We have noticed that this task is error-prone and awkward. To help this process, we have made the backup configuration downloadable as a JSON file. This file can be uploaded into the Cloudron Restore UI or the App Import UI and it will fill up all the form fields (except the backup passphrase and any secret access keys).
For example, let's see how to migrate an app to another Cloudron instance. First, download the backup configuration corresponding to the backup:
Then, upload the configuration into the app import UI of the other Cloudron instance:
OVH announced support for S3 API in it's Object Storage Clusters. We have added support for OVH Storage as a backup destination.
Per app memory and disk usage is now available in the Graphs section of each app:
Cloudron has 2 types of backups - app backups and box backups. App backups are listed in the Backups section of each app. Box backups are full server backups that include all the Cloudron configuration (users, apps, domains, mailboxes etc). Box backups also contain a "link" to all the app backups at that point in time.
You can view the list of all box backups in the new Backup listing UI:
Clicking on a backup will show the list of apps it contains:
There is also a 'Cleanup Backups' button that will remove old backups based on the retention policy. Note that this is done automatically but might be useful if you change the retention policy and want to run the cleanup immediately.
Elliptic Curve certificates (ECC) are those whose public key uses elliptic curve cryptography. They are step up from the RSA public keys because they are stronger, faster and use less power. ECC combined with cipher suites can provide perfect forward secrecy (PFS) - an assurance that even if the encrypted traffic was recorded, it cannot be decrypted even when the private key is compromised in a future date.
Cloudron now requests EC certs from Let's Encrypt by default. All existing installations will get updated to use EC certs at certificate renewal time.
If you inspect the certificate in Firefox, you will see:
The supported cipher suites (for PFS):
All Cloudron apps should get an A+ on Qualys SSL test:
Cloudron uses container technology (via Docker) to run apps
sandboxed from one another.
Further more, apps are provided access to the file system and databases in a fashion where they cannot
tamper with each other. In 5.2, we have hardened the sandboxing further by preventing apps from sniffing
any internal network traffic by droppping the
NET_RAW capability. Thanks to @will
for reporting this!
Cloudron supports encrypting backups using a password. This feature was written with a very simplistic approach - it's goal was merely to obfuscate than to be bullet proof. However, an important security concern was raised that given enough resources and access to all the encrypted backups, one could potentially find the key.
In 5.2, we worked with @mehdi to make our backup encryption much more secure. A quick summary of the changes:
You can read more details about the encryption file format and CLI tooling here.
When we make a new app package release, we do not immediately make it available to all users. We roll it out gradually over the course of the week. This approach lets us minimize the impact of a bad update. Cloudron's update model allows us to revoke existing packages or roll out new patch releases overriding the previous package.
If you wanted to update to the new app package instantly, the only way was to contact us so that you are part of next rollout. Several users have expressed interest in being able to update instantly without the overhead of contacting us.
Starting 5.2, if you click the 'Check for Updates' button, you will always get the latest update (app update or Cloudron update). We have changed our update model such that our roll out only applies to automatic updates.
Stopping an app will now also stop dependent services like redis. This change in behavior means that Cloudron cannot take a backup of a stopped app because the backup code relies on all services to be running. Instead, the code will simply re-use the last known good backup of the stopped app. For this reason, it is recommended to trigger a backup before stopping the app.
New to Cloudron? Get started for free by running with 3 simple commands on your server.
To update an existing installation, simply click on the 'Update now' button on your dashboard.