I have been using CapRover for about half a year now on my personal server running multiple projects.
It does what you'd expect, and the configuration format is pretty easy to use. Using any Docker image directly works without any extra steps: just enter the image name and it'll do the rest. I'm pretty happy with it and will probably stay with it for the time being.
It's not the best for hosting many static pages, as you'll need a HTTP server for each site anyway.
But my main gripe is that there is only single-factor authentication, and you can't easily secure it further other than by using a strong password and a hidden subdomain (because of webhooks, ACME, etc., I guess).
Single factor is more than fine in the case where you know the admin (yourself) is going to use a 30 char random password and use a password manager that won’t autofill it on phishing domains.
Hi sneak, I left a comment explaining my journey with CapRover in this HN thread. In there I explained one thing which concerned me was "netdata image in use is spyware #553" which you raised last year.
I haven't yet gone through the discussion but would you mind letting me know if you're satisfied with the outcome? You appeared to be fighting for increased privacy, so thank you.
Also, you'll see that in my comment I raised another issue RE: lack of two-factor auth. I'm curious, why do you think single-factor auth is fine? Simply because brute force for a 30-char password is not practical on today's hardware? Or is there something I'm missing?
Kasra here from CapRover.
Regarding "netdata image":
- sneak and I have fundamental differences in what we call spyware. The issue that was brought up in that thread is standard analytics events, nothing like stealing passwords, etc.
- Regardless, CapRover uses NetData 1.8 [1]. According to NetData's GitHub page, they added analytics in NetData 1.12 [2], so even if you're concerned about analytics events, this issue won't apply to you anymore.
Regarding two factor auth:
CapRover blocks brute-force attacks by limiting the number of wrong passwords per minute.
Thanks Kasra, yes, it seemed 'spyware' was disputed and I didn't want to jump to any conclusions. But it's good to know it's a non-issue.
RE: 2FA. Brute-force protection is a step in the right direction, but passwords can leak in various ways; brute force isn't the only attack vector. I'll comment in the actual two-factor auth discussion on the CapRover GitHub issue though.
The version of NetData included in CapRover is a version from before when NetData became spyware, so it’s fine. (Note that I haven’t audited it, that’s just what I’ve been told.) NetData is also optional; I use CapRover and do not opt to install it.
Brute-forcing a 30-char (or even 20-char) password over the network is infeasible. Do the math. Regardless, as the CapRover developer pointed out in a sibling comment, it rate-limits attempts, but in the case where you are using a long, random password, it would be fine even if it didn't.
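Two comments above make claims worth checking with a small program: Kasra's that limiting wrong passwords per minute blocks brute force, and sneak's "do the math" on a 30-character random password. The block below is an added example written for this thread, not CapRover's own code; the sliding-window limiter, the client key (a constructed IP address), the 62-symbol alphabet and the attempt rate are all assumptions made here to illustrate the reasoning.

```python
import hmac
import math
import time
from collections import defaultdict, deque

# Constructed assumption: a random password drawn from [A-Za-z0-9].
ALPHABET_SIZE = 62
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(length, alphabet_size=ALPHABET_SIZE):
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def expected_brute_force_years(length, attempts_per_second, alphabet_size=ALPHABET_SIZE):
    """Expected time to guess the password: on average half the keyspace is tried."""
    expected_guesses = (alphabet_size ** length) / 2
    return expected_guesses / attempts_per_second / SECONDS_PER_YEAR


class LoginRateLimiter:
    """Sliding-window limiter: at most `max_failures` wrong passwords per `window_seconds`
    for a given key (here a client address). The clock is injectable for testing."""

    def __init__(self, max_failures=5, window_seconds=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, key):
        now = self.clock()
        self._prune(key, now)
        return len(self.failures[key]) >= self.max_failures

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self.failures[key].append(now)

    def record_success(self, key):
        self.failures.pop(key, None)


def attempt_login(limiter, key, supplied, expected):
    """Returns "blocked", "wrong" or "ok". Blocked attempts are refused before the
    password is even compared, so they cost the attacker a try without revealing anything."""
    if limiter.is_blocked(key):
        return "blocked"
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key)
    return "wrong"


class FakeClock:
    """Controllable clock so the window behaviour can be demonstrated without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate_attack(max_failures=5, window_seconds=60):
    """Seven wrong guesses one second apart, then the right password after the window expires."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_failures, window_seconds, clock=clock)
    client = "203.0.113.5"  # constructed, documentation-range address
    real_password = "correct-horse-battery-staple"  # constructed sample
    outcomes = []
    for i in range(7):
        clock.t = float(i)
        outcomes.append(attempt_login(limiter, client, f"guess{i}", real_password))
    clock.t = 120.0  # window has expired, legitimate user logs in
    outcomes.append(attempt_login(limiter, client, real_password, real_password))
    return outcomes


if __name__ == "__main__":
    print(simulate_attack())
    print(f"30-char entropy: {password_entropy_bits(30):.1f} bits")
    # Even an absurd 10^9 guesses/s (no rate limit at all) is nowhere near enough.
    print(f"expected years at 1e9/s: {expected_brute_force_years(30, 1e9):.3g}")
```

The two halves make different points. The limiter shows why "five wrong per minute" shuts down online guessing: the sixth and seventh attempts are refused without a comparison, and failures age out so the real user is not locked out forever. The entropy calculation shows sneak's point that a 30-character random password is safe on its own: about 179 bits, which at a billion guesses per second (far more than any web login would ever serve) still takes on the order of 10^36 years. In practice the limiter protects the weak-password case, and the long random password protects against limiter bugs or bypasses; the thread's real concern, credential leakage, is addressed by neither, which is what 2FA is for.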
CapRover creates virtual hosts for each "app" which is then proxy_pass'ed to the container for said app.
You could try to mount the static site's container files to the local filesystem and serve from there, I suppose, but there's currently no easy way to do so.