/ security

Securing and Customizing Filecloud Server and Clients

Update 2017-06-15: The configuration parameters below still work with the latest Sync Clients in v15.x (tested on macOS and Windows). Sadly, the default is still TLSv1 and not configurable in the UI or even better chosen automatically upon the first connection attempt to the server.

This is more or less a collection of security and customization tips for your Filecloud server and clients. I've collected them over a period of about 3 years now and tested them up to the latest Version 14 of Filecloud Server and Client.

A small note for Linux users: Since we only have Windows and macOS clients in our environment i cannot tell much about Linux but the paths should be almost identical to macOS and most of the changes also apply to Linux in the same way.

Force Filecloud Client to TLS 1.2

When you run the latest Filecloud client and all versions before, the client is using TLS 1.0 by default which is not very secure nowadays, especially when your client is connecting to your server from the internet.

Even if your server supports TLS 1.2 the client never uses this one. But there is a way to force the client to use TLS 1.2 at least with the Filecloud Sync clients starting with version 13.

To force the client you have to edit the syncclientconfig.xml configuration file. The default file on Windows clients can be found in the user directory after the client has been started up once. The exact location on Windows is C:\Users\MyName\AppData\Roaming\FileCloudSync\syncclientconfig.xml. On macOS this is /Users/MyName/syncclientconfig.xml.

The content of the default config looks like this for the latest v14 client on both environmens (in case you messed up something):

<?xml version="1.0" encoding="UTF-8" ?>
<variantrow>
<rowentry>
	<name>syncclientlocation</name>
	<type>string</type>
	<value>DEFAULT</value>
</rowentry>
<rowentry>
	<name>syncfolderlocation</name>
	<type>string</type>
	<value>DEFAULT</value>
</rowentry>
</variantrow>

To force the client to TLS 1.2 you just have to add a bit of configuration before the last </variantrow> line:

<?xml version="1.0" encoding="UTF-8" ?>
<variantrow>
<rowentry>
	<name>syncclientlocation</name>
	<type>string</type>
	<value>DEFAULT</value>
</rowentry>
<rowentry>
	<name>syncfolderlocation</name>
	<type>string</type>
	<value>DEFAULT</value>
</rowentry>
<rowentry>
	<name>ssllevel</name>
	<type>string</type>
	<value>TLSV1_2_CLIENT_USE</value>
</rowentry>
</variantrow>

That's it. This config has been tested on Windows and macOS clients successfully. I've asked CodeLathe - the creator of Filecloud - some time ago about making the TLS negotiation dynamic like you know it from OpenSSL or any browser but obviously this hasn't been done until now. I hope they'll ship this feature with a future version.

Changing the default Cache and Sync Location

This is especially useful on Windows Systems where there is a natural OS path length limitation of 256 chars. I haven't tested this one on macOS but it should work the same there. To change the default cache* and sync location you just have to change both occurences of DEFAULT in the default config to their new locations like below. This config runs quite good on our Windows clients, so feel free to adapt this:

<?xml version="1.0" encoding="UTF-8" ?>
<variantrow>
<rowentry>
	<name>syncclientlocation</name>
	<type>string</type>
	<value>c:\fccache</value>
</rowentry>
<rowentry>
	<name>syncfolderlocation</name>
	<type>string</type>
	<value>c:\FileCloud</value>
</rowentry>
</variantrow>

Please keep in mind that saving your FC files on C:\ directly other users can access them as well. This is not a problem on our computers since only a single user is using them over the entire lifespan.

The default location on Windows is C:\Users\MyName\Documents\FileCloud. So you save full 23 characters in your path.

Here's what CodeLathe told me about the 256 char limit on Windows:

The sync client already uses these APIs to create paths greater than 256 chars. The problem is with Windows, if you have a really long path even if sync app creates the path, you cannot navigate and open the documents using other apps like Word etc.

In early releases of FC, we didn't use these APIs so the file and folder creation itself would fail if it exceeded 256 chars, now it doesn't.

I don't know exactly for which Windows/FC combinations this still is a problem but i change the paths on any colleagues computer just to be safe and to have a uniform location throughout the company.

More information about the limits can be found here.

*Cache Location: The Filecloud client uses a so called cache location for it's sync. This means when you start a new sync for a shared folder with the size of several hundred MB or GB the full share is once synced to the cache location before it's moved to the Sync location - where you normally work on - for consistency.

Let's Encrypt Integration

If you don't want to pay for TLS certificates you can just use Let's Encrypt for your server if you run it on the Internet and your LAN.

We do so but we want to be safe, so we only allow TLS 1.2 on the server - see above on how clients can be forced to TLS 1.2 - and it's running on HTTPS only and is separated into it's own VLAN internally and behind a Firewall.

I expect you to run Filecloud server behind an Apache2 proxy. You have to forward both port 80 and 443 to the Filecloud server and configure the VHost to redirect to 443 except for Let's Encrypt requests. I don't want to guide you through the Let's Encrypt client setup step by step but i'll show you my Apache2 configuration and the certbot calls i use for issuing/renewing certificates.

Here is my Apach2 configuration for Port 80:

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName fcserver.example.com

    RewriteEngine On

    # Redirect all hits except for Let's Encrypt's ACME Challenge verification to fcserver.example.com
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
    RewriteRule ^(.*) https://fcserver.example.com/$1 [R=301,L]

    DocumentRoot /var/letsencrypt
    <Directory /var/letsencrypt/>
        Options -Indexes -FollowSymLinks -MultiViews
        Order allow,deny
        allow from all
        AllowOverride None
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/letsencrypt_error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/letsencrypt_access.log combined
</VirtualHost>

And here is the Apache2 config for Port 443:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName fcserver.example.com

    DocumentRoot /var/www
    <Directory /var/www/>
        Options -Indexes +FollowSymLinks -MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder     on

    # HSTS
    Header add Strict-Transport-Security "max-age=31536000"

    SSLCertificateFile    /etc/letsencrypt/live/fcserver.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fcserver.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/fcserver.example.com/chain.pem

</VirtualHost>
</IfModule>

As you can see on Port 80 i've defined a dedicated Let's Encrypt folder for the ACME challenge and all other requests are being redirected to HTTPS. All future calls to fcserver.example.com will go to HTTPS directly due to the use of HSTS.

The Certbot call to initially get a certificate is as easy as:

/opt/letsencrypt/certbot-auto certonly --webroot -w /var/letsencrypt -d fcserver.example.com

For renewal i just use:

/opt/letsencrypt/certbot-auto renew -q --post-hook "apachectl -k graceful"

The renew command will check if a renewal is due and if it has renewed the certificate it will gracefully restart Apache2.

Various other (official) Filecloud customizations

You can find more - and official - customizations in the documentation. Feel free to surf around.

Conclusions

With those modifications you can really enhance your FileCloud experience and security. Feel free to contact me with specific questions. I'am not a CodeLathe staff member, so all hints should be taken with caution.