Installing and Configuring Sandstorm on Nethserver

Hello everyone.

Has anyone had a look or heard of sandstorm.

It is an open source platform for self hosted web application

More like what portainer is, but its for collaborative applications
here is the link for the demo

here is the documentation regarding setting up ldap

The installation instructions is on their web-page. Under

Incase you are doubting support for Centos since they mostly mention Ubuntu
here is official
Could we make a simple effective way to install the solution on Nethserver, while also making use of the Ldap server offered.

Seems really easy to install:

curl | bash

The setup questions could be answered with default values or “none”.
After this you get a link to connect like http://testserver.domain.local:6080/setup/token/7c4d41c8482da0ae44e10c2bd2887…
but you have to setup firewall first, better way would be to use some reverse proxy but for now just open the port and apply the config:

config set fw_sandstorm service status enabled TCPPort 6080 access green
signal-event firewall-adjust

That’s it, now you may setup sandstorm (including ldap connector) via web browser…


Working settings for local LDAP server (you may get the settings with account-provider-test dump)

Hm, the apps are not working, maybe you need a resolvable hostname or certificate…


thats the challenge now

You need a wildcard dns entry, dynu for example provides free wildcard dns:

Open port 6080 for red and green:

config set fw_sandstorm service status enabled TCPPort 6080 access red,green
signal-event firewall-adjust

Edit BASE_URL and WILDCARD_HOST in /opt/sandstorm.conf:


Restart service:

systemctl restart sandstorm

Browse to

Looks really nice but some improvements still need to be made:

  • reverse proxy
  • HTTPS with certificate


sandstorm HTTPS needs a wildcard ssl cert, we may use acme-dns provided by @danb35

They recommend nginx, with apache reverse proxy I had no success.

Pretty much everyone who does static DNS will let you do wildcards. If you need dynamic DNS, I don’t know–it’s been decades since I’ve used dynamic DNS. But if you don’t need dynamic DNS, just pick a DNS host with a supported API and use to get your cert. Or, as you suggest, use acme-dns instead.

1 Like

In this case a wildcard SSL certificate is needed and I thought the cheapest way to accomplish this is acme-dns.

acme-dns is free, and you definitely can’t beat the price of that. But unless dynamic DNS is needed, there are also other free options (Cloudflare is one) that don’t require installing anything other than a simple script (can’t say there aren’t free alternatives if you do need dynamic DNS; I just don’t know that field well enough).

acme-dns is more secure, in that it doesn’t carry the risk of exposing credentials that could let an attacker steal your domain. OTOH, it requires running a new server process on your server, which no doubt introduces other (as-yet-unknown) vulnerabilities.

As is often the case, lots of ways to skin this cat.