ljm42 Posted March 14, 2021 Share Posted March 14, 2021 5 minutes ago, DevXen said: Aww i tried incognito mode it didnt let me login. I went back to ssl. But maybe I'll disable it and clear the cache and see if that works. But it had me freaking out cause i couldn't access my server. Luckily it was still logged in on another tab and i was able to enable the ssl and get back into it. OK I think the issue is that there were multiple tabs open. Because in one tab the browser "knew" that https worked and in another it "knew" that https was disabled. So the browser just got confused. If you want to try disabling it again, do it with a single tab open. 1 Link to comment
cgp990 Posted March 14, 2021 Share Posted March 14, 2021 6 hours ago, ljm42 said: wow. I don't see how the My Servers plugin could affect this, but let's leave it out of the picture until you can set a root password again. Deleting the files mentioned here from the flash and rebooting should get you a clean state with regards to passwords: https://wiki.unraid.net/Troubleshooting#Lost_root_Password As part of this, I'd recommend putting the flash drive in a Windows computer and letting it fix any problems it finds. After rebooting, go to Users (or Settings -> Users, depending how you are configured) and set a password for root. Be sure to press the "Change" button, not "Reset" At that point you should be prompted to login. If still having issues, try clearing your cache and/or using a different browser. Just some additional info regarding this, I ran into the same behavior as soon as I set the SSL-TLS to Auto (from "yes"), and I was booted out of the system. Tried to log into it, entered my credentials correctly and the page would simply "refresh" to the same login screen, rather than passing the credentials and logging into the UI. I launched another browser and then was able to log into the UI. After closing and re-opening the first browser I was able to log in. Potential bug, but I don't know if something like that would have been logged. If it is, let me know and I'll attach whatever you need. Link to comment
badnewsblair Posted March 14, 2021 Share Posted March 14, 2021 I'm experiencing similar issues by others in this thread. However, after uninstalling the My Servers plugin, when I try to access the web console it is unreachable and is still being routed through the hash.unraid.net address. The server and services are still running fine (local computers backup, Nginx Proxy Manager, Pihole Apps are still accessible), but the web console is unreachable (standard 404 error and the hash.unraid.net in the address bar). Appreciate the help! Link to comment
marshy919 Posted March 14, 2021 Share Posted March 14, 2021 Had the same issues about the password not working when logging in. Go back to the IP directly, and they worked. Also had to wait about a minute when it finally came up with the hash.unraid.net login for it to successfully take my credentials. Currently my server is port forwarded - open port check success. Allow remote access - yes Obviously signed in already When I go to https://forums.unraid.net/my-servers/ It shows access unavailable. Link to comment
AgentXXL Posted March 14, 2021 Share Posted March 14, 2021 (edited) 2 hours ago, ljm42 said: So you successfully setup local SSL and are accessing the server through https://yourpersonalhash.unraid.net , correct? And now you trying to enable Remote Access, but when you press "Check" it gives an error? This means either: 1) DNS for www.yourpersonalhash.unraid.net is not resolving (note the "www" up front, this should resolve to your external IP) 2) or your port forward is not working Reinstalling the plugin will not help, nor will restarting the api At one point you mentioned: I'm not sure what that means? I installed the plugin on both of my servers. When I went to Management Access under settings, my initial attempt to provision the Let's Encrypt certificates failed, indicating that it was likely my firewall's DNS rebinding protection. To resolve the DNS rebinding issue I went into my firewall config (pfSense) and under DNS Resolver I added the unraid.net domain to the 'Domain Overrides' section. One thing I'm not sure about is where pfSense asks me to provide the DNS 'Lookup Server IP Address' so I just set it to a Cloudflare one for now, as shown on the attached pic. Cloudflare resolves unraid.net so I suspect I'm correct. Then, with the DNS rebinding check corrected, I was able to provision the Let's Encrypt cert for both servers. I then enabled remote access and the flash backup. Flash backup is working for both servers. I also chose custom ports for each server and added port forwarding rules for them to the firewall. When I attempt the Check function, both servers respond with the 'Oops This Unraid Server was unreachable from the outside' message. When I go to the My Servers Dashboard, one server shows that it has Remote Access but choosing it ends up at a browser window/tab that eventually times out before displaying the unRAID webgui. The other unRAID server still shows with a red X and 'Access unavailable'. Not sure what to try next other than the full reset procedure, which unfortunately takes time to ensure reset of user account passwords. That and it's Saturday night so the Plex server is a little busy with users. Any other suggestions? Edited March 14, 2021 by AgentXXL Link to comment
ljm42 Posted March 14, 2021 Share Posted March 14, 2021 1 hour ago, badnewsblair said: I'm experiencing similar issues by others in this thread. However, after uninstalling the My Servers plugin, when I try to access the web console it is unreachable and is still being routed through the hash.unraid.net address. The server and services are still running fine (local computers backup, Nginx Proxy Manager, Pihole Apps are still accessible), but the web console is unreachable (standard 404 error and the hash.unraid.net in the address bar). Appreciate the help! SSL is enabled/disabled on the Settings -> Management Access page. This is independent of whether or not the My Servers plugin is installed Link to comment
ljm42 Posted March 14, 2021 Share Posted March 14, 2021 1 hour ago, marshy919 said: Currently my server is port forwarded - open port check success. Allow remote access - yes Obviously signed in already When I go to https://forums.unraid.net/my-servers/ It shows access unavailable. Click on your username in the upper right corner of the webgui, can you post a screenshot of what it shows? Link to comment
ljm42 Posted March 14, 2021 Share Posted March 14, 2021 1 hour ago, AgentXXL said: To resolve the DNS rebinding issue I went into my firewall config (pfSense) and under DNS Resolver I added the unraid.net domain to the 'Domain Overrides' section. One thing I'm not sure about is where pfSense asks me to provide the DNS 'Lookup Server IP Address' so I just set it to a Cloudflare one for now, as shown on the attached pic. Cloudflare resolves unraid.net so I suspect I'm correct. The help text in the webgui says: If you are using pfSense internal DNS resolver service, you can add these Custom Option lines: server: private-domain: "unraid.net" So I am not sure exactly what your screenshot is showing or what the DNS 'Lookup Server IP Address' Is. But, you are not being hit with the DNS Rebinding issue so if you are happy with the setup that is fine. 1 hour ago, AgentXXL said: When I attempt the Check function, both servers respond with the 'Oops This Unraid Server was unreachable from the outside' message. When I go to the My Servers Dashboard, one server shows that it has Remote Access but choosing it ends up at a browser window/tab that eventually times out before displaying the unRAID webgui. The other unRAID server still shows with a red X and 'Access unavailable'. Not sure what to try next other than the full reset procedure, which unfortunately takes time to ensure reset of user account passwords. That and it's Saturday night so the Plex server is a little busy with users. Any other suggestions? A reinstall is unlikely to help. There are two potential issues: 1) DNS. Look at your url to find yourpersonalhash.unraid.net. Put a "www." in front of that. Drop to a command line and type "ping www.yourpersonalhash.unraid.net". Does it resolve properly to external IP address? If not, you are have a DNS problem (or possibly something has gone wrong on the unraid.net side) 2) Your port forward is not setup properly. 1 Link to comment
ljm42 Posted March 14, 2021 Share Posted March 14, 2021 3 hours ago, cgp990 said: Just some additional info regarding this, I ran into the same behavior as soon as I set the SSL-TLS to Auto (from "yes"), and I was booted out of the system. Tried to log into it, entered my credentials correctly and the page would simply "refresh" to the same login screen, rather than passing the credentials and logging into the UI. I launched another browser and then was able to log into the UI. After closing and re-opening the first browser I was able to log in. Potential bug, but I don't know if something like that would have been logged. If it is, let me know and I'll attach whatever you need. So if you went from "yes" to "auto" I guess you previously had your own SSL cert and decided to switch to the unraid.net cert? I suspect that your browser has cached its knowledge of the previous SSL setup and was getting confused with the change. If you had multiple tabs open to the webgui then closing all but one should help. Clearing your cache or using an incognito window would also help. Link to comment
DevXen Posted March 14, 2021 Share Posted March 14, 2021 Just a heads up. I couldn't get it to provision on my server. I went into my router and changed the dns room static to dynamic and then it worked. So maybe that will help someone else. Link to comment
ljm42 Posted March 14, 2021 Share Posted March 14, 2021 3 minutes ago, DevXen said: Just a heads up. I couldn't get it to provision on my server. I went into my router and changed the dns room static to dynamic and then it worked. So maybe that will help someone else. I'm glad you got it! But I'm not sure what static vs dynamic dns is, can you post a screenshot? Also, what kind of router? Link to comment
marshy919 Posted March 14, 2021 Share Posted March 14, 2021 20 minutes ago, ljm42 said: Click on your username in the upper right corner of the webgui, can you post a screenshot of what it shows? It's like it's saying the guest user doesn't have access. I don't have a user called guest though. Link to comment
DevXen Posted March 14, 2021 Share Posted March 14, 2021 (edited) 6 minutes ago, ljm42 said: I'm glad you got it! But I'm not sure what static vs dynamic dns is, can you post a screenshot? Also, what kind of router? It's a crappy actiontec c1900a modem/router from centurylink. Edited March 14, 2021 by DevXen Autocorrect issue. Link to comment
ljm42 Posted March 14, 2021 Share Posted March 14, 2021 3 minutes ago, marshy919 said: It's like it's saying the guest user doesn't have access. I don't have a user called guest though. Sorry you got "lucky" and hit a bug This is on the top of our list to track down. Please open a terminal window and type this: unraid-api restart When the API restarts it will hopefully make a connection and then from the My Servers Dashboard you should have options for "Local access" or "Remote access" instead of "Access unavailable" 3 Link to comment
ljm42 Posted March 14, 2021 Share Posted March 14, 2021 6 minutes ago, DevXen said: It's a crappy actiontec c1900a modem/router fronlm centurylink. Is this talking about DHCP? I'm honestly quite confused how this solved your DNS rebinding issues But I'm glad you got past it! Link to comment
marshy919 Posted March 14, 2021 Share Posted March 14, 2021 8 minutes ago, ljm42 said: Sorry you got "lucky" and hit a bug This is on the top of our list to track down. Please open a terminal window and type this: unraid-api restart When the API restarts it will hopefully make a connection and then from the My Servers Dashboard you should have options for "Local access" or "Remote access" instead of "Access unavailable" Brilliant - that fixed it. 2 Link to comment
DevXen Posted March 14, 2021 Share Posted March 14, 2021 20 minutes ago, ljm42 said: Is this talking about DHCP? I'm honestly quite confused how this solved your DNS rebinding issues But I'm glad you got past it! It's not DHCP i am not sure but i think the issue waa my router won't let me loopback to it. So like i have swag setup i can't access it from my local network if i use the domain i setup. No i have to use my internal ip. And that's true for any Internet facing service that runs on my server. But again my router sucks. So i assumed that was the dns binding issue and saw i could change my dns to dynamic and hey it worked. Link to comment
Amigaz Posted March 14, 2021 Share Posted March 14, 2021 Have ran into an issue. Installed this plugin yesterday to just use it locally. Now this morning I cannot access the web interface .. just get a "404", I don't know what has happened. Is there a way to "remove" this plugin now so I get back access to my server again? thanks The API seem to have contact and all my apps work perfectly Link to comment
Arragon Posted March 14, 2021 Share Posted March 14, 2021 Does Remote Access require you to have have Port 443 accessible via IPv4? I can't get it to work with IPv6 even thought that can be reached from the internet. Link to comment
unRate Posted March 14, 2021 Share Posted March 14, 2021 (edited) Sure lets expose €%*@!*/# root to the internet. What could possible go wrong? Everyone advises against root login and not using key-pairs via SSH, and you want to allow your users — which by your own implications are incompetent sysadmins — to access root over https? You should at least use better defaults and apply the "Principle of least privilege" with layered security, before even considering rolling out remote access en masse. – Let alone using €%*@!*/# root passwords. As a reference take a look at the effort put in to secure cockpit-project by their engineers. I really can't fathom this nonchalant security mindset, hence the frustration. Edited March 14, 2021 by unRate 1 Link to comment
badnewsblair Posted March 14, 2021 Share Posted March 14, 2021 10 hours ago, ljm42 said: SSL is enabled/disabled on the Settings -> Management Access page. This is independent of whether or not the My Servers plugin is installed I hate to continue this since it is not relevant to My Servers, but is there a method (perhaps terminal) to disable/disable SSL without the webgui since mine is inaccessible now? Link to comment
limetech Posted March 14, 2021 Share Posted March 14, 2021 3 hours ago, unRate said: Sure lets expose €%*@!*/# root to the internet. What could possible go wrong? Everyone advises against root login and not using key-pairs via SSH, and you want to allow your users — which by your own implications are incompetent sysadmins — to access root over https? You should at least use better defaults and apply the "Principle of least privilege" with layered security, before even considering rolling out remote access en masse. – Let alone using €%*@!*/# root passwords. As a reference take a look at the effort put in to secure cockpit-project by their engineers. Let's clear up a few things. First Unraid OS is an appliance like your router. There are no "users" in the traditional sense, there is only an admin login. In our case instead of using 'admin' username we just left it as 'root'. We could create an 'admin' alias for this login but it would still be 'root'. Hence enabling Remote Access is similar to enabling remote management on your home router. In both cases you are advised to create a strong password. Unlike your home router however, with Unraid you can examine the code that handles authentication. At present we implement rate limiting in nginx to mitigate brute force attacks. You can also select a non-standard port for SSL traffic. Another mitigation would be to implement a failed password count and back-off timer, e.g., you can configure up to N times to enter password, after that it's locked out for X minutes (this is not implemented yet). Another mitigation would be to implement 2FA on the Unraid login. Let's suppose we have these additional mitigations in place. If your server reboots for some reason while you are away (perhaps power failure/restore), here's what you would do to get things going again: login to forum: specify username, password, enter 2FA code from your phone. click server remote access link: specify password, enter different 2FA code from your phone (once implemented) enter encryption password, click Start to bring up array enter flash backup encryption password, re-enable automatic flash backup (once implemented) start any services which are not set to autostart To me this seems fairly onerous but in the interest of maximum security, is probably what has to be done. Of course you don't have to use Remote Access feature. 3 hours ago, unRate said: I really can't fathom this nonchalant security mindset, hence the frustration. Being nonchalant is absolutely not the case. Security feedback is very much appreciated and the reason we have released this "early access" feature as a plugin, so that we can easily make changes and so that everything is visible. 5 1 Link to comment
hawihoney Posted March 14, 2021 Share Posted March 14, 2021 (edited) I've set the local TLD to "fritz.box" on all Unraid servers. If I click on local access for a <servername> on the MyServer dashboard "<servername>.fritz.box" is called and this works. Clicking on the same <servername> in the drop down on the server (top right) "<servername>.local" is called and refused. Looks inconsistent. Edited March 14, 2021 by hawihoney Link to comment
limetech Posted March 14, 2021 Share Posted March 14, 2021 10 minutes ago, hawihoney said: I've set the local TLD to "fritz.box" on all Unraid servers. If I click on local access for a <servername> on the MyServer dashboard "<servername>.fritz.box" is called and this works. Clicking on the same <servername> in the drop down on the server (top right) "<servername>.local" is called and refused. Looks inconsistent. That's a bug, thank you for the report. Link to comment
badnewsblair Posted March 14, 2021 Share Posted March 14, 2021 2 hours ago, badnewsblair said: I hate to continue this since it is not relevant to My Servers, but is there a method (perhaps terminal) to disable/disable SSL without the webgui since mine is inaccessible now? I solved my own problem (just to close the loop). Since Nginx Proxy Manager was still functioning, I set a Proxy to Unraid and then used a different browser (to make sure cached routes weren't still be used) and bingo! Accessed the webgui, turned off SSL and all is back to normal. Link to comment
Recommended Posts