Networking
IPv4
Using the IPv4 configuration settings, you can configure the IPv4 address, Cloudron uses
to configure to the DNS A records.
Public IP
When using the Public IP provider, Cloudron will automatically detect the server's
public IP address by querying this url.
Network Interface
If the server has multiple IP addresses, you can configure the preferred IP address by specifying
the network interface. The interfaces can be listed using ip -f inet -br addr.
Static IPv4
Use this option to provide a static IPv4 address. This IP address can be public or private. Some use cases for using this provider are:
- Digital Ocean Floating Address
- AWS VPC IP address
- OVH Failover IP
IPv6
Using the IPv6 configuration settings, you can configure the IPv6 address, Cloudron uses
to configure to the DNS AAAA records.
Public IPv6
When using the Public IP provider, Cloudron will automatically detect the server's
public IPv6 address by querying this url.
Network Interface
If the server has multiple IPv6 interfaces, you can configure the preferred IPv6 address by specifying
the network interface. The interfaces can be listed using ip -f inet6 -br addr.
Static IPv6
Use this option to provide a static IPv6 address. It is common for servers to be allocated a /64
IPv6 block. In such situations, you can use this setting to assign a specific address from that block.
Disabled
To disable IPv6 support, choose Disabled in the provider drop down.
Existing AAAA records are not removed
Any existing AAAA records are not automatically removed from the DNS. Please remove them manually.
Private DNS
Cloudron uses the unbound DNS server internally to resolve all DNS queries across all the apps.
If Cloudron is setup inside an internal network, you can customize the unbound configuration to resolve internal hosts.
Adding static hosts
To add local network entries internal to your network, add a file named /etc/unbound/unbound.conf.d/custom.conf:
server:
local-zone: "example.com." static
local-data: "jim.example.com. IN A 1.2.3.4"
local-data: "doug.example.com. IN A 2.3.4.5"
To override specific DNS entries in an existing domain:
local-zone: "example.com." typetransparent
local-data: "some.example.com. A 10.9.0.30"
Be sure to restart the unbound service using sudo systemctl restart unbound and check it's status using
sudo systemctl status unbound.
Internal DNS server
To forward queries for a specific domain (say cloudron.lan) to an internal DNS server (say 10.0.0.2), add a file named /etc/unbound/unbound.conf.d/custom.conf:
server:
private-domain: "cloudron.lan"
domain-insecure: "cloudron.lan"
forward-zone:
name: "cloudron.lan"
forward-addr: 10.0.0.2
To forward all queries to the internal DNS server (say 10.0.0.2), add a file name /etc/unbound/unbound.conf.d/custom.conf:
# this disables DNSSEC
server:
val-permissive-mode: yes
# forward all queries to the internal DNS
forward-zone:
name: "."
forward-addr: 10.0.0.2
If your internal DNS server is not a forwarding server, use the stub-zone: and stub-addr: option instead.
Be sure to restart the unbound service using sudo systemctl restart unbound and check it's status using
sudo systemctl status unbound.
Dynamic DNS
Enable this option to keep all your DNS records in sync with a changing IP address. This is useful when Cloudron runs in a network with a frequently changing public IP address like a home connection.
Internal network
Cloudron runs all apps and services in an internal network (not reachable from outside the server). This network address is
hardcoded to 172.18.0.0/16. Some services like databases have static IPs to aid in connectivity from outside via a SSH
tunnel. App addresses are dynamic.
| Service | IP |
|---|---|
| MongoDB | 172.18.30.3 |
| MySQL | 172.18.30.1 |
| PostgreSQL | 172.18.30.2 |
Firewall
Blocklist
Using the blocklist configuration, one or more IP addresses and/or networks can be blocked from connecting to Cloudron.
You can download various country based blocklists from www.ipdeny.com: IPv4 and
IPv6.
You can also add in comments to the line items as needed, but comments must remain on their own line, something similar to:
# spammy IP
111.111.111.111
Do not lock yourself out
Be careful about what IP addresses you block. If you lock yourself out, you must get Console access to the server,
remove the file /home/yellowtent/platformdata/firewall/blocklist.txt and reboot the server.
Whitelist ports
Cloudron does not support installing additional packages or running other services on the server. With that warning out
of the way, you can configure the firewall to permit additional (incoming) TCP and UDP ports. For this, edit the the file
/home/yellowtent/platformdata/firewall/ports.json (create this file if it does not exist and change the owner to the user
yellowtent).
{
"allowed_tcp_ports": [ 2140, 3540 ],
"allowed_udp_ports": [ ]
}
Restart the firewall to apply the configuration:
systemctl restart cloudron-firewall
Trusted IPs
When Cloudron is behind a HTTP(S) proxy, you can set the IP address(es) of the proxy as trusted. Doing so will
make sure Cloudron trusts the values of various HTTP headers in the request. For example, it can pick up the
original client IP address from X-Forwarded-For header and use it in logs and email notifications.
Cloudflare
When Cloudron is behind Cloudflare, you can use the IP list from here.