Networking

IPv4

Using the IPv4 configuration settings, you can configure the IPv4 address that Cloudron uses for the DNS A records.

Public IP

When using the Public IP provider, Cloudron will automatically detect the server's public IP address by querying this URL.

Network Interface

If the server has multiple IP addresses, you can configure the preferred IP address by specifying the network interface. The interfaces can be listed using ip -f inet -br addr.

Static IPv4

Use this option to provide a static IPv4 address. This IP address can be public or private. Some use cases for using this provider are:

IPv6

Using the IPv6 configuration settings, you can configure the IPv6 address that Cloudron uses for the DNS AAAA records.

Public IPv6

When using the Public IP provider, Cloudron will automatically detect the server's public IPv6 address by querying this URL.

Network Interface

If the server has multiple IPv6 interfaces, you can configure the preferred IPv6 address by specifying the network interface. The interfaces can be listed using ip -f inet6 -br addr.

Static IPv6

Use this option to provide a static IPv6 address. It is common for servers to be allocated a /64 IPv6 block. In such situations, you can use this setting to assign a specific address from that block.

Disabled

To disable IPv6 support, choose Disabled in the provider drop down.

Existing AAAA records are not removed

Any existing AAAA records are not automatically removed from the DNS. Please remove them manually.

Private DNS

Cloudron uses the unbound DNS server internally to resolve all DNS queries across all the apps.

If Cloudron is set up inside an internal network, you can customize the unbound configuration to resolve internal hosts.

Adding static hosts

To add local network entries internal to your network, add a file named /etc/unbound/unbound.conf.d/custom.conf:

server:
    local-zone: "example.com." static
    local-data: "jim.example.com. IN A 1.2.3.4"
    local-data: "doug.example.com. IN A 2.3.4.5"

To override specific DNS entries in an existing domain:

server:
    local-zone: "example.com." typetransparent
    local-data: "some.example.com. A 10.9.0.30"

Be sure to restart the unbound service using sudo systemctl restart unbound and check its status using sudo systemctl status unbound.

Internal DNS server

To forward queries for a specific domain (say cloudron.lan) to an internal DNS server (say 10.0.0.2), add a file named /etc/unbound/unbound.conf.d/custom.conf:

server:
    private-domain: "cloudron.lan"
    domain-insecure: "cloudron.lan"

forward-zone: 
    name: "cloudron.lan"
    forward-addr: 10.0.0.2

To forward all queries to the internal DNS server (say 10.0.0.2), add a file named /etc/unbound/unbound.conf.d/custom.conf:

# this disables DNSSEC
server:
  val-permissive-mode: yes

# forward all queries to the internal DNS
forward-zone:
  name: "."
  forward-addr: 10.0.0.2

If your internal DNS server is not a forwarding server, use the stub-zone: and stub-addr: options instead.

Be sure to restart the unbound service using sudo systemctl restart unbound and check its status using sudo systemctl status unbound.

Dynamic DNS

Enable this option to keep all your DNS records in sync with a changing IP address. This is useful when Cloudron runs in a network with a frequently changing public IP address like a home connection.

Internal network

Cloudron runs all apps and services in an internal network (not reachable from outside the server). This network address is hardcoded to 172.18.0.0/16. Some services like databases have static IPs to aid in connectivity from outside via an SSH tunnel. App addresses are dynamic.

Service IP
MongoDB 172.18.30.3
MySQL 172.18.30.1
PostgreSQL 172.18.30.2

Firewall

Blocklist

Using the blocklist configuration, one or more IP addresses and/or networks can be blocked from connecting to Cloudron. You can download various country based blocklists from www.ipdeny.com: IPv4 and IPv6.

You can also add comments to the list as needed, but each comment must be on its own line, for example:

# spammy IP
111.111.111.111

Do not lock yourself out

Be careful about what IP addresses you block. If you lock yourself out, you must get Console access to the server, remove the file /home/yellowtent/platformdata/firewall/blocklist.txt and reboot the server.
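A pre-flight check for a blocklist before it is applied, given here as an added example that is not part of Cloudron. The function name, the sample entries, and the `admin_ips` parameter are assumptions. Skipping blank lines and accepting networks with host bits set are also choices of this sketch, not documented Cloudron behaviour.

```python
import ipaddress

# Constructed sample blocklist; the last two entries are deliberately malformed.
SAMPLE_BLOCKLIST = """\
# spammy IP
111.111.111.111
# documentation ranges used as stand-ins for real networks
203.0.113.0/24
2001:db8::/32
198.51.100.7 # inline comment
not-an-address
"""

def lint_blocklist(text, admin_ips=()):
    """Return (networks, problems) for blocklist text.

    admin_ips: addresses you administer the server from (hypothetical input).
    """
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines (assumed harmless) and whole-line comments
        if "#" in line:
            problems.append(f"line {lineno}: comment must be on its own line")
            continue
        try:
            # strict=False tolerates host bits, e.g. 203.0.113.5/24
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            problems.append(f"line {lineno}: not an IP address or network: {line!r}")
    # Flag any entry that would block an address you rely on for access.
    for ip in map(ipaddress.ip_address, admin_ips):
        for net in networks:
            if ip.version == net.version and ip in net:
                problems.append(f"admin address {ip} is blocked by {net}")
    return networks, problems

if __name__ == "__main__":
    nets, issues = lint_blocklist(SAMPLE_BLOCKLIST, admin_ips=["203.0.113.40"])
    print(f"{len(nets)} valid entries")
    for issue in issues:
        print("PROBLEM:", issue)
```

Running it over a downloaded country list with your own addresses in `admin_ips` shows whether the list would cut off your access before you apply it.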

Whitelist ports

Cloudron does not support installing additional packages or running other services on the server. With that warning out of the way, you can configure the firewall to permit additional (incoming) TCP and UDP ports. For this, edit the file /home/yellowtent/platformdata/firewall/ports.json (create this file if it does not exist and change the owner to the user yellowtent).

{
    "allowed_tcp_ports": [ 2140, 3540 ],
    "allowed_udp_ports": [ ]
}

Restart the firewall to apply the configuration:

systemctl restart cloudron-firewall

Trusted IPs

When Cloudron is behind an HTTP(S) proxy, you can set the IP address(es) of the proxy as trusted. Doing so will make sure Cloudron trusts the values of various HTTP headers in the request. For example, it can pick up the original client IP address from the X-Forwarded-For header and use it in logs and email notifications.
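Why the trusted list should contain only the proxy addresses, shown as an added sketch that is not Cloudron's own code. The function name and the right-to-left walk are assumptions about how a server can resolve the client address; the header is honoured only when the connection comes from a trusted proxy.

```python
import ipaddress

def client_ip(peer, xff_header, trusted_proxies):
    """Return the address to record for a request.

    peer: source address of the TCP connection.
    xff_header: raw X-Forwarded-For value, or None.
    trusted_proxies: CIDR strings configured as trusted (hypothetical input).
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr.version == n.version and addr in n for n in trusted)

    current = ipaddress.ip_address(peer)
    if not is_trusted(current) or not xff_header:
        return str(current)  # header sent by an untrusted peer is ignored
    # Walk right to left: each trusted hop vouches only for the entry it appended.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that could be verified
        current = candidate
        if not is_trusted(current):
            break  # first untrusted address is the client; entries to its left are unverified
    return str(current)

if __name__ == "__main__":
    proxies = ["10.0.0.0/24"]  # constructed example network for the proxy tier
    # Constructed requests: (peer address, X-Forwarded-For header)
    requests = [
        ("10.0.0.5", "203.0.113.7"),                # normal proxied request
        ("10.0.0.5", "198.51.100.9, 203.0.113.7"),  # client pre-filled the header
        ("203.0.113.7", "127.0.0.1"),               # direct connection with a forged header
    ]
    for peer, xff in requests:
        print(peer, "|", xff, "->", client_ip(peer, xff, proxies))
```

If the trusted list were widened to cover arbitrary client networks, the forged values in the second and third requests would end up in logs and notifications in place of the real source address.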

Cloudflare

When Cloudron is behind Cloudflare, you can use the IP list from here.