Posts posted by maciekish
-
-
On 7/31/2018 at 7:15 PM, JonathanM said:
Correct, if a reverse proxy is done right and maintained correctly, it's just as secure as a VPN. To do it right is more work than just setting up the VPN, and has more chances of going wrong.
Really? Generate a CA cert and add this to Caddy. Done.
(defaults) {
	@exclude-paths {
		not path /plugins/*
		not path */plugins/*
		not path /logging.htm
	}
	encode @exclude-paths {
		gzip 7
		zstd
	}
	log {
		output file /var/log/caddy/access.log {
			roll_size 20MiB
			roll_keep 5
			roll_keep_for 720h
		}
	}
}

(client-auth) {
	tls {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /mnt/user/appdata/caddy2/ca.crt
		}
	}
}

domain.name {
	import defaults
	import client-auth
	reverse_proxy * http://10.0.1.0
}
VPNs require explicit connecting, and even stateless protocols like WireGuard have issues when you roam between unstable connections. Suddenly it just doesn't work when it still shows connected. With Caddy and split DNS I can just type in the same URL on any of my devices from anywhere in the world and access anything on my home network. Been running this exact config for over 5 years with zero issues. Can't say the same about VPNs.
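What the `require_and_verify` mode in the config above enforces, as an added example that is not part of the original post or of Caddy's code: a Go listener using `tls.RequireAndVerifyClientCert` (the standard-library mode this sketch assumes the Caddy setting corresponds to) refuses a client without a certificate from the trusted CA during the TLS handshake, so no request reaches the backend. The helper names `issue` and `probe`, the subject names and the throwaway in-memory CA are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue returns a self-signed client CA (parent == nil) or a client certificate signed by parent.
func issue(cn string, parent *tls.Certificate) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	signer, signKey := t, key
	if parent != nil {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		signer, signKey = parent.Leaf, parent.PrivateKey.(*ecdsa.PrivateKey)
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, signer, &key.PublicKey, signKey)
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// probe puts a stand-in backend behind a TLS listener that trusts only ca for client certificates,
// connects offering certs (none = anonymous), and returns the HTTP status (0 = refused) and hit count.
func probe(ca *tls.Certificate, certs ...tls.Certificate) (status, reached int) {
	hits := make(chan bool, 1) // one entry per request that got through to the backend
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) { hits <- true }))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: x509.NewCertPool()}
	srv.TLS.ClientCAs.AddCert(ca.Leaf)
	srv.StartTLS()
	defer srv.Close()
	srv.Client().Transport.(*http.Transport).TLSClientConfig.Certificates = certs
	if resp, err := srv.Client().Get(srv.URL); err == nil {
		status = resp.StatusCode
		resp.Body.Close()
	}
	return status, len(hits)
}

func main() { fmt.Println(probe(issue("home-ca", nil))) } // anonymous client: prints "0 0"
```

The CA and client certificates carry only the client-authentication extended key usage, so a leaked CA key could not be used to mint server certificates that Go-based verifiers would accept.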
-
Hi can you please add WD160EDGZ?
-
I can confirm the new setting to allow custom networks to communicate with host fixes the issue.
-
Any news on this please? I need it also.
-
8 hours ago, saarg said:
I would advise you to use a VPN instead for accessing the unraid webui.
Thank you. Can we please go back on topic now?
-
Dear devs, thanks for adding a nice new login page. Also dear devs, thanks for breaking my certificate authentication with my reverse proxy. Can you please make basic auth an option in the settings?
-
For future reference the issue is due to "buffering" in gzip in Caddy. Workaround:
gzip {
	not /plugins
}
-
16 hours ago, jonathanm said:
Apps tab, show previous apps, check off the ones you want and select install all. No reconfiguration necessary. Only takes a couple clicks and you are done, automated download and set up exactly as they were.
Interesting, I thought you would have to reenter all shared folders, IP addresses and so on. Either way, moving back the original file with COW disabled won't hurt, will it?
-
16 minutes ago, jonathanm said:
If there is data stored in your docker image file, you are doing it wrong. A properly set up system can automatically recreate a working docker image file from nothing in a matter of a few minutes, depending on the speed of your internet connection.
Won't recreating the image remove all dockers and force you to redownload the images and reconfigure them? Sure, appdata won't be lost, but if you have 20+ dockers this takes a lot longer than just copying the file twice?
Also, my method doesn't introduce any issues, does it?
-
It is - in fact checking for the C or NOCOW flag. The problem is that you can't set the NOCOW flag for a file larger than 0 bytes. That is - already containing data. You can only set it for newly created 0 byte files which have not yet been written to. There is a workaround though:
1) Move your docker.img to a safe location on a different device.
2) Make sure the "live" image /mnt/cache/system/docker/docker.img is removed and that you only have an empty docker folder.
3) chattr +C /mnt/cache/system/docker (Yes, the folder, not the file). By setting the C or NOCOW flag on the folder, it will apply to all files inside of it!
4) Move your docker.img back to the btrfs filesystem. It will now have the C or NOCOW flag set because the flag is set on the folder, and you didn't lose any data!
-
15 minutes ago, pwm said:
You got the answer "No" to that question. And instead got workaround solutions. That made you angry - the attitude you blamed on others.
As a matter of fact, I never got the answer "no". And even if you had said no, you cannot answer for everybody. Maybe someone else would be able to help. You made your suggestion and I wasn't interested. Why continue forcing it on me?
-
24 minutes ago, jonathanm said:
Correct, if a reverse proxy is done right and maintained correctly, it's just as secure as a VPN. To do it right is more work than just setting up the VPN, and has more chances of going wrong. There is no witch hunt on reverse proxies here. Most of us use them on a daily basis to access the web GUI's of the dockers we run, or other services in VM's.
I respectfully disagree. It is arguably easier to set up a password-only PPTP VPN than a reverse proxy, as this is built into, for example, Windows Server and provides a point-and-click UI to do it.
Incorrectly configured VPN and reverse proxy will both be equally insecure. Correctly configured VPN and reverse proxy will both be equally secure.
I was asking if anyone knows why a small part of the web ui doesn't work and instead I'm being lectured on security... Gee, thanks.
-
I don't understand this witch hunt on reverse proxies. They can be made to require client certificates as well, just like a VPN has a private key or a certificate, encrypt their traffic like a VPN, and don't pass anything through to unRAID until authentication has been satisfied. And I'm not the only one to want this.
-
Admin, please delete/lock this thread. This conversation is absolutely useless.
-
24 minutes ago, pwm said:
A: I can't get my car to run faster than 300 km/h - it only does 220 km/h.
B: Get a bigger motor and possibly update the gear ratio for the transmission.
A: I don't want suggestions of a bigger motor - I want it to run faster than 300 km/h.
Anyway - I think the first step is to look for Caddy support, since it would most probably be log files created by Caddy that might tell what isn't working as expected.
What is with the attitude on this forum? I asked a simple question which could even be a well known issue. I don't mind suggestions. I politely refused because it is not suitable for me, yet it was forced upon me in the next post, that is my problem with all this.
-
1 minute ago, jonathanm said:
I'm doing my best to help you, but you don't want to hear the answer.
I didn't ask what the most secure solution is. Please leave the security to me. I want to know why it doesn't work over a reverse proxy and how to fix it.
-
5 minutes ago, jonathanm said:
Yes. Anyone can attempt to login, including Chinese and Russian botnets.
You are not helping. I have reported these posts.
-
1 minute ago, jonathanm said:
Yes. Anyone can attempt to login.
The webGUI isn't exposed until you login. Anyone can attempt to login to your VPN as well.
-
2 minutes ago, jonathanm said:
It's the most secure solution. Unraid's webGUI isn't meant to be publicly exposed.
I disagree. The most secure solution is to disable the webGUI. Can we focus on solving the issue instead of discussing this please?
-
19 minutes ago, jonathanm said:
Access the GUI via VPN hosted on your router or unraid instead of using a reverse proxy.
Sorry but that doesn't really fix the problem. A VPN is not practical in my situation.
-
Hi, I am accessing the web ui via Caddy reverse proxy. It is transparent and passing websockets as well. When I update a docker or run a script from User Scripts and the white popover window supposed to monitor the status appears, it is empty but updates once the task finishes. If I access the server without the proxy it works and refreshes as docker images download. Edit: I am using the azure theme if that makes any difference.
What can I do to fix this?
-
Hi, how do I disable the continuous flash logging of syslog and diagnostics? I enabled it a couple days ago and can't find how to disable it any more.
-
On 6/24/2018 at 9:20 AM, DZMM said:
Ok, I've been using this for a few days - can I use a few questions please.
I've created a 32GB swapfile as I've added an extra unassigned SSD that has spare space. It's been live for around 1.5 days and it's using 8GB so far, but I've got free memory. When does it move data to the swap? I thought it only did it when the physical ram was getting low? What controls it? If the swap data is accessed, is it moved back to ram?
Thanks
It is controlled by swappiness. I guess you could create a userscript on startup that sets the swappiness. https://askubuntu.com/questions/103915/how-do-i-configure-swappiness
I suggest the plugin author adds an option for this in the plugin.
sysctl vm.swappiness=[value]
-
I have a discrete GTX 980M, not integrated graphics, but it sounds like one GPU doesn't cut it. Thanks for the explanation.
Progress UI not working through reverse proxy
in General Support
Very little chance of exposing something by accident? Last time I checked, a VPN exposes the entire network. Unless you configure it for specific hosts only. Which also requires configuration and knowledge, just like a reverse proxy. A reverse proxy on the other hand, only exposes a single http service. Both don't let any traffic through to the target service until you authenticate with a client certificate.