eightball/all-in-one
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2026-02-08 14:57:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

Merge pull request #4883 from Surfict/caddy_external_dns_challenges

Browse source 
readme: Add section `Securing the AIO interface from unauthorized ACME challenges`
This commit is contained in:
Simon L 2024-06-24 13:01:48 +02:00 committed by GitHub
commit 9aefde320b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 3 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
readme.md
View file

@ -824,3 +824,6 @@ Afterwards apply the correct permissions with `sudo chown root:root /root/automa
1. Open the cronjob with `sudo crontab -u root -e` (and choose your editor of choice if not already done. I'd recommend nano).
1. Add the following new line to the crontab if not already present: `0 5 * * * /root/automatic-updates.sh` which will run the script at 05:00 each day.
1. save and close the crontab (when using nano the shortcuts for this are `Ctrl + o` then `Enter` to save, and close the editor with `Ctrl + x`).
### Securing the AIO interface from unauthorized ACME challenges
(By design)[https://github.com/nextcloud/all-in-one/discussions/4882#discussioncomment-9858384], Caddy that runs inside the mastercontainer, which handles automatic SSL certificate generation for the AIO interface, is vulnerable to receiving DNS challenges for arbitrary hostnames from anyone on the internet. While this does not compromise your server's security, it can result in cluttered logs and rejected certificate renewal attempts due to rate limit abuse. To mitigate this issue, it is recommended to place the AIO interface behind a VPN and/or limit its public exposure.