My Servers Early Access Plugin


jonp


5 minutes ago, DevXen said:

Aww, I tried incognito mode; it didn't let me log in. I went back to SSL. But maybe I'll disable it and clear the cache and see if that works. But it had me freaking out 'cause I couldn't access my server. Luckily it was still logged in on another tab and I was able to enable the SSL and get back into it.

 

OK I think the issue is that there were multiple tabs open. Because in one tab the browser "knew" that https worked and in another it "knew" that https was disabled. So the browser just got confused.

 

If you want to try disabling it again, do it with a single tab open.

  • Thanks 1
Link to comment
6 hours ago, ljm42 said:

 

wow. I don't see how the My Servers plugin could affect this, but let's leave it out of the picture until you can set a root password again.

 

Deleting the files mentioned here from the flash and rebooting should get you a clean state with regards to passwords:

  https://wiki.unraid.net/Troubleshooting#Lost_root_Password

As part of this, I'd recommend putting the flash drive in a Windows computer and letting it fix any problems it finds.

 

After rebooting, go to Users (or Settings -> Users, depending how you are configured) and set a password for root. Be sure to press the "Change" button, not "Reset" :)

 

At that point you should be prompted to login. If still having issues, try clearing your cache and/or using a different browser.

Just some additional info regarding this, I ran into the same behavior as soon as I set the SSL-TLS to Auto (from "yes"), and I was booted out of the system. Tried to log into it, entered my credentials correctly and the page would simply "refresh" to the same login screen, rather than passing the credentials and logging into the UI.

 

I launched another browser and then was able to log into the UI. After closing and re-opening the first browser I was able to log in.

 

Potential bug, but I don't know if something like that would have been logged. If it is, let me know and I'll attach whatever you need.

Link to comment

I'm experiencing similar issues to others in this thread. However, after uninstalling the My Servers plugin, when I try to access the web console it is unreachable and is still being routed through the hash.unraid.net address. The server and services are still running fine (local computers backup, Nginx Proxy Manager, Pihole Apps are still accessible), but the web console is unreachable (standard 404 error and the hash.unraid.net in the address bar).

 

Appreciate the help!

Link to comment

Had the same issues about the password not working when logging in.

Go back to the IP directly, and they worked. 

Also had to wait about a minute when it finally came up with the hash.unraid.net login for it to successfully take my credentials.

 

Currently my server is port forwarded - open port check success.

Allow remote access - yes

Obviously signed in already

 

 

When I go to https://forums.unraid.net/my-servers/

It shows access unavailable.

 

Link to comment
2 hours ago, ljm42 said:

 

So you successfully set up local SSL and are accessing the server through https://yourpersonalhash.unraid.net , correct?

 

And now you are trying to enable Remote Access, but when you press "Check" it gives an error?

 

This means either:

1) DNS for www.yourpersonalhash.unraid.net is not resolving (note the "www" up front, this should resolve to your external IP)

2) or your port forward is not working

 

Reinstalling the plugin will not help, nor will restarting the api :) 

 

At one point you mentioned:

I'm not sure what that means?

 

 

I installed the plugin on both of my servers. When I went to Management Access under settings, my initial attempt to provision the Let's Encrypt certificates failed, indicating that it was likely my firewall's DNS rebinding protection.

 

To resolve the DNS rebinding issue I went into my firewall config (pfSense) and under DNS Resolver I added the unraid.net domain to the 'Domain Overrides' section. One thing I'm not sure about is where pfSense asks me to provide the DNS 'Lookup Server IP Address' so I just set it to a Cloudflare one for now, as shown on the attached pic. Cloudflare resolves unraid.net so I suspect I'm correct.

 

[Attached image: unRAID_net.Domain.Override.thumb.jpg]

 

Then, with the DNS rebinding check corrected, I was able to provision the Let's Encrypt cert for both servers. I then enabled remote access and the flash backup. Flash backup is working for both servers. I also chose custom ports for each server and added port forwarding rules for them to the firewall.

 

When I attempt the Check function, both servers respond with the 'Oops This Unraid Server was unreachable from the outside' message. When I go to the My Servers Dashboard, one server shows that it has Remote Access but choosing it ends up at a browser window/tab that eventually times out before displaying the unRAID webgui. The other unRAID server still shows with a red X and 'Access unavailable'.

 

Not sure what to try next other than the full reset procedure, which unfortunately takes time to ensure reset of user account passwords. That and it's Saturday night so the Plex server is a little busy with users. Any other suggestions?

 

 

Edited by AgentXXL
Link to comment
1 hour ago, badnewsblair said:

I'm experiencing similar issues to others in this thread. However, after uninstalling the My Servers plugin, when I try to access the web console it is unreachable and is still being routed through the hash.unraid.net address. The server and services are still running fine (local computers backup, Nginx Proxy Manager, Pihole Apps are still accessible), but the web console is unreachable (standard 404 error and the hash.unraid.net in the address bar).

 

Appreciate the help!

 

SSL is enabled/disabled on the Settings -> Management Access page. This is independent of whether or not the My Servers plugin is installed

Link to comment
1 hour ago, AgentXXL said:

To resolve the DNS rebinding issue I went into my firewall config (pfSense) and under DNS Resolver I added the unraid.net domain to the 'Domain Overrides' section. One thing I'm not sure about is where pfSense asks me to provide the DNS 'Lookup Server IP Address' so I just set it to a Cloudflare one for now, as shown on the attached pic. Cloudflare resolves unraid.net so I suspect I'm correct.

The help text in the webgui says:

If you are using pfSense internal DNS resolver service, you can add these Custom Option lines:

server:
private-domain: "unraid.net"

 

So I am not sure exactly what your screenshot is showing or what the DNS 'Lookup Server IP Address' is.

 

But, you are not being hit with the DNS Rebinding issue so if you are happy with the setup that is fine.

 

1 hour ago, AgentXXL said:

When I attempt the Check function, both servers respond with the 'Oops This Unraid Server was unreachable from the outside' message. When I go to the My Servers Dashboard, one server shows that it has Remote Access but choosing it ends up at a browser window/tab that eventually times out before displaying the unRAID webgui. The other unRAID server still shows with a red X and 'Access unavailable'.

 

Not sure what to try next other than the full reset procedure, which unfortunately takes time to ensure reset of user account passwords. That and it's Saturday night so the Plex server is a little busy with users. Any other suggestions?

 

A reinstall is unlikely to help.  There are two potential issues:

 

1) DNS.  Look at your URL to find yourpersonalhash.unraid.net.  Put a "www." in front of that. Drop to a command line and type "ping www.yourpersonalhash.unraid.net".  Does it resolve properly to external IP address? If not, you have a DNS problem (or possibly something has gone wrong on the unraid.net side)

 

2) Your port forward is not set up properly.

 

 

 

 

  • Like 1
Link to comment
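Added example, not part of the original posts and not Unraid's own code: the DNS half of the two checks above as a small script that classifies what a resolver returns for the hash name and for the "www." name. It assumes the bare hash name is meant to resolve to a LAN address (which is why rebinding protection interferes); the status strings and the sample answers are constructed.

```python
import ipaddress
import socket

# Ranges a rebinding filter typically strips from public-domain answers
# (RFC 1918, loopback, link-local). The exact list is an assumption.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

def system_resolve(name):
    """IPv4 addresses from the system resolver, or [] if the lookup fails."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def kind(addresses):
    """'none', 'lan', 'public' or 'mixed' for a list of IPv4 strings."""
    if not addresses:
        return "none"
    lan = [any(ipaddress.ip_address(a) in n for n in LAN_NETS) for a in addresses]
    if all(lan):
        return "lan"
    return "mixed" if any(lan) else "public"

def diagnose(hash_name, resolve=system_resolve):
    """Return (local_finding, remote_finding) for hash_name and www.hash_name."""
    # Assumption: the bare name should be a LAN address, the www name external.
    local = {"none": "local-filtered-or-missing",
             "lan": "local-ok",
             "public": "local-points-outside",
             "mixed": "local-mixed"}[kind(resolve(hash_name))]
    remote = {"none": "www-dns-problem",
              "lan": "www-not-external",
              "public": "www-ok-check-port-forward",
              "mixed": "www-mixed"}[kind(resolve("www." + hash_name))]
    return local, remote

# Constructed answers standing in for three resolvers (not real records).
NAME = "yourpersonalhash.unraid.net"
HEALTHY = {NAME: ["192.168.1.50"], "www." + NAME: ["203.0.113.7"]}
REBIND_FILTERED = {"www." + NAME: ["203.0.113.7"]}
NO_WWW = {NAME: ["192.168.1.50"]}

if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY), ("filtered", REBIND_FILTERED),
                         ("no www", NO_WWW)):
        print(label, diagnose(NAME, lambda n, t=table: t.get(n, [])))
```

Calling diagnose() with only the real hash name uses the system resolver; a "www-ok-check-port-forward" result leaves the port forward as the remaining suspect.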
3 hours ago, cgp990 said:

Just some additional info regarding this, I ran into the same behavior as soon as I set the SSL-TLS to Auto (from "yes"), and I was booted out of the system. Tried to log into it, entered my credentials correctly and the page would simply "refresh" to the same login screen, rather than passing the credentials and logging into the UI.

 

I launched another browser and then was able to log into the UI. After closing and re-opening the first browser I was able to log in.

 

Potential bug, but I don't know if something like that would have been logged. If it is, let me know and I'll attach whatever you need.

 

So if you went from "yes" to "auto" I guess you previously had your own SSL cert and decided to switch to the unraid.net cert?

 

I suspect that your browser has cached its knowledge of the previous SSL setup and was getting confused with the change.  If you had multiple tabs open to the webgui then closing all but one should help. Clearing your cache or using an incognito window would also help.

Link to comment
3 minutes ago, DevXen said:

Just a heads up. I couldn't get it to provision on my server. I went into my router and changed the DNS from static to dynamic and then it worked. So maybe that will help someone else.

I'm glad you got it! But I'm not sure what static vs dynamic dns is, can you post a screenshot? Also, what kind of router?

Link to comment
6 minutes ago, ljm42 said:

I'm glad you got it! But I'm not sure what static vs dynamic dns is, can you post a screenshot? Also, what kind of router?

It's a crappy actiontec c1900a modem/router from centurylink.

Screenshot_20210313-222554_Chrome.jpg

Edited by DevXen
Autocorrect issue.
Link to comment
3 minutes ago, marshy919 said:

It's like it's saying the guest user doesn't have access.

I don't have a user called guest though.

Untitled.png

 

Sorry you got "lucky" and hit a bug :) This is on the top of our list to track down.

 

Please open a terminal window and type this:

unraid-api restart

 

When the API restarts it will hopefully make a connection and then from the My Servers Dashboard you should have options for "Local access" or "Remote access" instead of "Access unavailable"

 

  • Like 3
Link to comment
8 minutes ago, ljm42 said:

 

Sorry you got "lucky" and hit a bug :) This is on the top of our list to track down.

 

Please open a terminal window and type this:


unraid-api restart

 

When the API restarts it will hopefully make a connection and then from the My Servers Dashboard you should have options for "Local access" or "Remote access" instead of "Access unavailable"

 

Brilliant - that fixed it.

  • Like 2
Link to comment
20 minutes ago, ljm42 said:

 

Is this talking about DHCP? I'm honestly quite confused how this solved your DNS rebinding issues :)  But I'm glad you got past it!

 

It's not DHCP. I am not sure, but I think the issue was my router won't let me loopback to it. So like I have swag set up, I can't access it from my local network if I use the domain I set up. No, I have to use my internal IP. And that's true for any Internet-facing service that runs on my server. But again my router sucks. So I assumed that was the DNS binding issue and saw I could change my DNS to dynamic and hey, it worked.

 

Link to comment

Have run into an issue. Installed this plugin yesterday to just use it locally.

Now this morning I cannot access the web interface .. just get a "404", I don't know what has happened.

Is there a way to "remove" this plugin now so I get back access to my server again? Thanks

 

The API seems to have contact and all my apps work perfectly

 

[Attached image: image.png]

Link to comment

Sure, let's expose €%*@!*/# root to the internet. What could possibly go wrong?

Everyone advises against root login and not using key-pairs via SSH, and you want to allow your users — which by your own implications are incompetent sysadmins — to access root over https?

 

You should at least use better defaults and apply the "Principle of least privilege" with layered security, before even considering rolling out remote access en masse. –  Let alone using €%*@!*/# root passwords.

 

As a reference take a look at the effort put in to secure cockpit-project by their engineers.  

 

I really can't fathom this nonchalant security mindset, hence the frustration.

Edited by unRate
  • Like 1
Link to comment
10 hours ago, ljm42 said:

 

SSL is enabled/disabled on the Settings -> Management Access page. This is independent of whether or not the My Servers plugin is installed

I hate to continue this since it is not relevant to My Servers, but is there a method (perhaps terminal) to disable/disable SSL without the webgui since mine is inaccessible now?

Link to comment
3 hours ago, unRate said:

Sure, let's expose €%*@!*/# root to the internet. What could possibly go wrong?

Everyone advises against root login and not using key-pairs via SSH, and you want to allow your users — which by your own implications are incompetent sysadmins — to access root over https?

 

You should at least use better defaults and apply the "Principle of least privilege" with layered security, before even considering rolling out remote access en masse. –  Let alone using €%*@!*/# root passwords.

 

As a reference take a look at the effort put in to secure cockpit-project by their engineers.

 

Let's clear up a few things.  First Unraid OS is an appliance like your router.  There are no "users" in the traditional sense, there is only an admin login.  In our case instead of using 'admin' username we just left it as 'root'.  We could create an 'admin' alias for this login but it would still be 'root'.  Hence enabling Remote Access is similar to enabling remote management on your home router.  In both cases you are advised to create a strong password.

 

Unlike your home router however, with Unraid you can examine the code that handles authentication.  At present we implement rate limiting in nginx to mitigate brute force attacks.  You can also select a non-standard port for SSL traffic.

 

Another mitigation would be to implement a failed password count and back-off timer, e.g., you can configure up to N times to enter password, after that it's locked out for X minutes (this is not implemented yet).

 

Another mitigation would be to implement 2FA on the Unraid login.

 

Let's suppose we have these additional mitigations in place. If your server reboots for some reason while you are away (perhaps power failure/restore), here's what you would do to get things going again:

  1. login to forum: specify username, password, enter 2FA code from your phone.
  2. click server remote access link: specify password, enter different 2FA code from your phone (once implemented)
  3. enter encryption password, click Start to bring up array
  4. enter flash backup encryption password, re-enable automatic flash backup (once implemented)
  5. start any services which are not set to autostart

To me this seems fairly onerous but in the interest of maximum security, is probably what has to be done.

 

Of course you don't have to use Remote Access feature.

 

3 hours ago, unRate said:

I really can't fathom this nonchalant security mindset, hence the frustration.

 

Being nonchalant is absolutely not the case.  Security feedback is very much appreciated and the reason we have released this "early access" feature as a plugin, so that we can easily make changes and so that everything is visible.

  • Like 5
  • Thanks 1
Link to comment
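Added example, not part of the original posts and not Unraid code (the post says this mitigation is not implemented yet): a sketch of the failed-password count with back-off timer described above, with N as max_failures and X as lockout_seconds. The class name, the per-source-address keying and the verify callback are assumptions; the addresses are constructed.

```python
import time

class LoginThrottle:
    """Allow max_failures wrong passwords per client, then refuse for lockout_seconds."""

    def __init__(self, max_failures, lockout_seconds, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}      # client -> consecutive failed attempts
        self.locked_until = {}  # client -> clock value at which the lock ends

    def seconds_locked(self, client):
        remaining = self.locked_until.get(client, 0) - self.clock()
        if remaining <= 0:
            self.locked_until.pop(client, None)
            return 0
        return remaining

    def attempt(self, client, verify):
        """Return 'ok', 'denied' or 'locked'. verify() is the real password
        check; it is not called at all while the client is locked out, so a
        correct guess made during the lock reveals nothing."""
        if self.seconds_locked(client) > 0:
            return "locked"
        if verify():
            self.failures.pop(client, None)
            return "ok"
        count = self.failures.get(client, 0) + 1
        if count >= self.max_failures:
            self.failures.pop(client, None)
            self.locked_until[client] = self.clock() + self.lockout_seconds
        else:
            self.failures[client] = count
        return "denied"

def demo():
    """Three wrong passwords, a correct one during the lock, one after it."""
    now = [0.0]                                 # fake clock, in seconds
    throttle = LoginThrottle(3, 300, clock=lambda: now[0])
    src = "198.51.100.9"                        # constructed source address
    results = [throttle.attempt(src, lambda: False) for _ in range(3)]
    results.append(throttle.attempt(src, lambda: True))   # still locked
    now[0] = 301.0                              # lock has expired
    results.append(throttle.attempt(src, lambda: True))
    return results

if __name__ == "__main__":
    print(demo())
```

The counter is keyed on the source address rather than the account because the appliance has a single admin login: a lock on the account itself would let anyone who can reach the login page keep the owner out.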

I've set the local TLD to "fritz.box" on all Unraid servers.

 

If I click on local access for a <servername> on the MyServer dashboard "<servername>.fritz.box" is called and this works.

 

Clicking on the same <servername> in the drop down on the server (top right) "<servername>.local" is called and refused.

 

Looks inconsistent.

 

 

 

Edited by hawihoney
Link to comment
10 minutes ago, hawihoney said:

I've set the local TLD to "fritz.box" on all Unraid servers.

 

If I click on local access for a <servername> on the MyServer dashboard "<servername>.fritz.box" is called and this works.

 

Clicking on the same <servername> in the drop down on the server (top right) "<servername>.local" is called and refused.

 

Looks inconsistent.

 

 

 

That's a bug, thank you for the report.

Link to comment
2 hours ago, badnewsblair said:

I hate to continue this since it is not relevant to My Servers, but is there a method (perhaps terminal) to disable/disable SSL without the webgui since mine is inaccessible now?

 

I solved my own problem (just to close the loop).

 

Since Nginx Proxy Manager was still functioning, I set a Proxy to Unraid and then used a different browser (to make sure cached routes weren't still being used) and bingo! Accessed the webgui, turned off SSL and all is back to normal.

Link to comment
This topic is now closed to further replies.