maciekish

Posts: 45
Everything posted by maciekish

  1. Very little chance of exposing something by accident? Last time I checked, a VPN exposes the entire network, unless you configure it for specific hosts only, which also requires configuration and knowledge, just like a reverse proxy. A reverse proxy, on the other hand, only exposes a single HTTP service. Both don't let any traffic through to the target service until you authenticate with a client certificate.
  2. Really? Generate a CA cert and add this to Caddy. Done.

        (defaults) {
            @exclude-paths {
                not path /plugins/*
                not path */plugins/*
                not path /logging.htm
            }
            encode @exclude-paths {
                gzip 7
                zstd
            }
            log {
                output file /var/log/caddy/access.log {
                    roll_size 20MiB
                    roll_keep 5
                    roll_keep_for 720h
                }
            }
        }

        (client-auth) {
            tls {
                client_auth {
                    mode require_and_verify
                    trusted_ca_cert_file /mnt/user/appdata/caddy2/ca.crt
                }
            }
        }

        domain.name {
            import defaults
            import client-auth
            reverse_proxy * http://10.0.1.0
        }

     VPNs require explicit connecting, and even stateless protocols like Wireguard have issues when you roam between unstable connections. Suddenly it just doesn't work when it still shows connected. With Caddy and split DNS I can just type in the same URL on any of my devices from anywhere in the world and access anything on my home network. Been running this exact config for over 5 years with zero issues. Can't say the same about VPNs.
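The "Generate a CA cert" step in the post above, written out as an added example (not the poster's own script and not Caddy project code): it creates the private CA whose ca.crt goes in trusted_ca_cert_file, issues a per-device client certificate, and checks that the certificate chains to the CA the way require_and_verify does. The output directory, subject names and validity periods are assumptions.

```shell
#!/bin/sh
# Added example: build the CA and client certs for Caddy's client_auth block.
# WORKDIR, the CN values and the day counts are assumptions; adjust them.
set -eu

WORKDIR="${1:-./caddy-mtls}"
CA_DAYS=3650
CLIENT_DAYS=365

make_ca() {
    mkdir -p "$WORKDIR"
    # Self-signed CA. ca.crt is the file Caddy trusts; ca.key stays private
    # on the machine that issues device certificates.
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/ca.key"
    openssl req -x509 -new -key "$WORKDIR/ca.key" -sha256 -days "$CA_DAYS" \
        -subj "/CN=Home CA" -out "$WORKDIR/ca.crt"
    chmod 600 "$WORKDIR/ca.key"
}

make_client() {
    name="$1"   # one certificate per device, so a lost device can be dropped alone
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/$name.key"
    openssl req -new -key "$WORKDIR/$name.key" -subj "/CN=$name" \
        -out "$WORKDIR/$name.csr"
    # clientAuth EKU and CA:FALSE: the cert can only act as a TLS client.
    printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' \
        > "$WORKDIR/$name.ext"
    openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days "$CLIENT_DAYS" -sha256 \
        -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt"
    # For a phone or browser, bundle key and cert into a PKCS#12 file:
    # openssl pkcs12 -export -inkey "$WORKDIR/$name.key" -in "$WORKDIR/$name.crt" -out "$WORKDIR/$name.p12"
}

# The same check Caddy's require_and_verify mode performs on the handshake:
# the presented certificate must chain to ca.crt and be valid for client use.
verify_client() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslclient \
        "$WORKDIR/$1.crt" >/dev/null 2>&1
}
```

Only certificates signed by this CA pass verify_client; a certificate from any other CA, including a self-signed one, is rejected before the request reaches the proxied service.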
  3. Hi, my server has been acting strange for months, freezing at random when there is any greater write activity. I haven't been able to narrow this down to the SSDs until now. The wear leveling count for both drives is 1 (1% life remaining), and the LBAs written equal almost 5x the rated TBW for a Samsung 860 EVO! One of the drives even had a CRC error count of 6. How come there is no notification about this state? I'm receiving notifications about parity checks just fine. This is either a huge bug or a tremendous oversight. If a low wear leveling count or CRC errors appear, there should be an immediate notification. I only got lucky that I thought about checking these numbers manually. Here are my notification settings; I just tested email and Pushover manually and they work, and I am receiving other unRAID alerts regularly.
  4. I can confirm the new setting to allow custom networks to communicate with host fixes the issue.
  5. Thank you. Can we please go back on topic now?
  6. Dear devs, thanks for adding a nice new login page. Also dear devs, thanks for breaking my certificate authentication with my reverse proxy. Can you please make basic auth an option in the settings?
  7. So anything writing in a docker or VM could show up as shfs activity? Pardon me, but I have no idea what shfs is. Any way to tell more precisely what is happening other than iotop?
  8. Can anyone figure out what is going on here please? Mover is not running (anyway it should read not write if anything). Mechanical disks are completely idle, both SSDs in cache have writes of 300Mb/s.
  9. For future reference the issue is due to "buffering" in gzip in Caddy. Workaround: gzip { not /plugins }
  10. Interesting, I thought you would have to reenter all shared folders, IP addresses and so on. Either way, moving back the original file with COW disabled won't hurt, will it?
  11. Won't recreating the image remove all dockers and force you to redownload the images and reconfigure them? Sure, appdata won't be lost, but if you have 20+ dockers this takes a lot longer than just copying the file twice? Also, my method doesn't introduce any issues, does it?
  12. It is, in fact, checking for the C or NOCOW flag. The problem is that you can't set the NOCOW flag for a file larger than 0 bytes, that is, one already containing data. You can only set it for newly created 0 byte files which have not yet been written to. There is a workaround though:
      1) Move your docker.img to a safe location on a different device.
      2) Make sure the "live" image /mnt/cache/system/docker/docker.img is removed and that you only have an empty docker folder.
      3) chattr +C /mnt/cache/system/docker (Yes, the folder, not the file). By setting the C or NOCOW flag on the folder, it will apply to all files inside of it!
      4) Move your docker.img back to the btrfs filesystem. It will now have the C or NOCOW flag set because the flag is set on the folder, and you didn't lose any data!
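The workaround in the post above as an added script (not the poster's own, and not unRAID code): it moves the image off the cache, sets the flag on the emptied folder, moves the image back and then checks with lsattr that the new file actually carries the C flag instead of assuming it did. DOCKER_DIR is the post's path; SAFE_DIR is an assumption and must be on a different filesystem, because an mv inside the same btrfs volume is a rename that keeps the old copy-on-write inode.

```shell
#!/bin/sh
# Added example: apply NOCOW to docker.img via the parent folder and verify it.
# DOCKER_DIR is the path from the post; SAFE_DIR is an assumed second device.
set -eu

DOCKER_DIR="${DOCKER_DIR:-/mnt/cache/system/docker}"
SAFE_DIR="${SAFE_DIR:-/mnt/disk1/docker-backup}"

# lsattr prints the attribute string, a space and the path, e.g.
# "---------------C------ /mnt/cache/system/docker". Only the attribute
# field is inspected, so a capital C in the path cannot cause a false match.
has_nocow() {
    flags="${1%% *}"
    case "$flags" in
        *C*) return 0 ;;
    esac
    return 1
}

# Same check against a real path; -d keeps lsattr from descending into a folder.
path_has_nocow() {
    has_nocow "$(lsattr -d "$1")"
}

migrate_docker_img() {
    img="$DOCKER_DIR/docker.img"
    [ -f "$img" ] || { echo "no image at $img" >&2; return 1; }
    # Step 1: move to another device (stop the Docker service before running this).
    mkdir -p "$SAFE_DIR"
    mv "$img" "$SAFE_DIR/docker.img"
    # Steps 2 and 3: the folder is now empty of the image; flag the folder itself.
    chattr +C "$DOCKER_DIR"
    path_has_nocow "$DOCKER_DIR" || { echo "chattr +C on $DOCKER_DIR did not stick" >&2; return 1; }
    # Step 4: moving back creates a fresh file, which inherits NOCOW from the folder.
    mv "$SAFE_DIR/docker.img" "$img"
    path_has_nocow "$img" || { echo "$img was recreated without NOCOW" >&2; return 1; }
    echo "$img now has the C flag"
}
```

Run migrate_docker_img only with the Docker service stopped; the final lsattr check is what tells you whether the inheritance actually happened rather than trusting that it did.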
  13. As a matter of fact, I never got the answer "no". And even if you would say no, you cannot answer for everybody. Maybe someone else would be able to help. You made your suggestion and I wasn't interested. Why continue forcing it on me?
  14. I respectfully disagree. It is arguably easier to set up a password-only PPTP VPN than a reverse proxy, as this is built into, for example, Windows Server and provides a point-and-click UI to do it. An incorrectly configured VPN and reverse proxy will both be equally insecure. A correctly configured VPN and reverse proxy will both be equally secure. I was asking if anyone knows why a small part of the web UI doesn't work and instead I'm being lectured on security... Gee, thanks.
  15. I don't understand this witch hunt on reverse proxies. They can be made to require client certificates as well, just like a VPN has a private key or a certificate, encrypt their traffic like a VPN and don't pass anything through to unRAID until authentication has been satisfied. And I'm not the only one to want this.
  16. Admin, please delete/lock this thread. This conversation is absolutely useless.
  17. What is with the attitude on this forum? I asked a simple question which could even be a well known issue. I don't mind suggestions. I politely refused because it is not suitable for me, yet it was forced upon me in the next post, that is my problem with all this.
  18. I didn't ask what the most secure solution is. Please leave the security to me. I want to know why it doesn't work over a reverse proxy and how to fix it.
  19. You are not helping. I have reported these posts.
  20. The webGUI isn't exposed until you log in. Anyone can attempt to log in to your VPN as well.
  21. I disagree. The most secure solution is to disable the webGUI. Can we focus on solving the issue instead of discussing this please?
  22. Sorry but that doesn't really fix the problem. A VPN is not practical in my situation.
  23. Hi, I am accessing the web UI via Caddy reverse proxy. It is transparent and passing websockets as well. When I update a docker or run a script from User Scripts and the white popover window supposed to monitor the status appears, it is empty but updates once the task finishes. If I access the server without the proxy it works and refreshes as docker images download. Edit: I am using the azure theme if that makes any difference. What can I do to fix this?