unraid.net plugin (beta)



I'm very pleased with this plugin as I can "safely" manage my environment outside my own network.

 

But with safety in mind I see that I'm able to activate the 2FA for the forums/unraid.net website part, but I would like to have the option to use 2FA while accessing my server. If I use the http://xxxxxxxxx.unraid.net the only thing I need are my credentials and one of the 2 is already known (the root part) for the world.

 

Or am I missing an option somewhere within Unraid itself?

Cheers,

 

Dre

Link to comment
  • 1 month later...

I decided to uninstall this plugin. However, now anytime I go to tower.local or the IP address, it always redirects to the xxx.unraid.net URL which requires a functioning internet and DNS which isn't always true when I reboot the server.

This seems like a bug. When I uninstall this plugin and reboot the server, I don't expect any remnants of the xxx.unraid.net to exist.

How do I completely remove this redirection and go back to using my IP address directly?

 

Update, well I looked at the /etc/nginx/conf.d/emhttp-servers.conf file and found the offending line here:

 

server {
    #
    # Redirect http requests to https
    #
    listen *:80 default_server;
    listen [::]:80 default_server;
    return 302 https://xxxxx.unraid.net:443$request_uri;
}

 

However commenting it out just breaks the webUI and reverting the whole file to a backup and rebooting results in it being regenerated again. I can't find where to turn it off.

I've already uninstalled the plugin so I can't go into any settings and turn things off.

I even tried re-installing the plugin, turning off the remote access etc and then uninstalling but still have the same problem.

 

Also, it is still using the WebUI SSL certificate that it installed for use with the unraid.net plugin. How do I remove that too? I just want it to go back to the way it was without any of the unraid.net stuff.

 

I was able to locate the certificate here: /boot/config/ssl/certs/certificate_bundle.pem

and the original one is in the same folder here: /boot/config/ssl/certs/Tower_unraid_bundle.pem

but not sure what to do with them.

_____________________________

Final Update -> Solved

 

Under Settings -> Management Access -> Use SSL/TLS. When I hit the ? symbol, I saw this useful help page:

 

Quote

The nginx startup script looks for a SSL certificate on the USB boot flash in this order:
config/ssl/certs/certificate_bundle.pem
config/ssl/certs/<server-name>_unraid_bundle.pem

If neither file exists, a self-signed SSL certificate is automatically created and stored in
config/ssl/certs/<server-name>_unraid_bundle.pem

 

The path is actually /boot/config/ssl/certs. In there I found the offending certificate, certificate_bundle.pem.

I moved it somewhere else for safekeeping and rebooted the server and then it finally went back to normal.

 

🔍 Mystery solved.

 

 

Edited by frakman1
  • Like 1
Link to comment
2 hours ago, ljm42 said:

Local SSL is not a feature of the plugin, it is built into the main Unraid OS. That is why it does not get disabled when you uninstall the plugin.

 

If you would like to disable local SSL simply go to Settings -> Management Access and set "Use SSL/TLS" to "No".

Yes, but local access redirects to the unraid.net SSL URL.  It should use SSL for remote connections, but it shouldn't redirect local connections.

Link to comment
7 hours ago, Squid said:

it doesn't redirect if you use https://ipAddress, only if you use http

 

Thank you.

I tried that solution but that wasn't satisfactory either. It was still using the new Unraid certificate. Uninstalling the plugin should really remove everything that it added.

Link to comment
4 hours ago, ljm42 said:

Local SSL is not a feature of the plugin, it is built into the main Unraid OS. That is why it does not get disabled when you uninstall the plugin.

 

If you would like to disable local SSL simply go to Settings -> Management Access and set "Use SSL/TLS" to "No".

 

I'm not 100% sure what the original state of the "Use SSL/TLS" setting was but I think it was originally No and that installing the Unraid.net plugin enabled it.

If I'm wrong and it was set to Yes already, then removing the plugin should remove the new Unraid.net certificate so that it would continue using the self-signed hostname certificate.

Link to comment

It would be nice to walk back this plugin a little bit.  I originally installed it because of the automated USB key backup.  It seems like that feature should be isolated from the SSL/redirect feature.  You should be able to use one without the other.

Link to comment
20 hours ago, Kaveh said:

Yes, but local access redirects to the unraid.net SSL URL.  It should use SSL for remote connections, but it shouldn't redirect local connections.

 

Our Remote Access solution currently requires you to enable SSL for Local Access.

 

Local access uses  https://yourpersonalhash.unraid.net:port

Remote access uses https://www.yourpersonalhash.unraid.net:WANport

Link to comment
17 hours ago, frakman1 said:

 

I'm not 100% sure what the original state of the "Use SSL/TLS" setting was but I think it was originally No and that installing the Unraid.net plugin enabled it.

If I'm wrong and it was set to Yes already, then removing the plugin should remove the new Unraid.net certificate so that it would continue using the self-signed hostname certificate.

 

The original setting for "Use SSL/TLS" was Auto, but there was no certificate so that is the same as "no". When you provisioned the certificate that made "Auto" behave the same as "yes". auto = automatic

 

Once the certificate exists if you want to turn it off, set "Use SSL/TLS" to No.

Link to comment
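The lookup order quoted from the help page earlier in the thread and the "Auto" rule described in the post above can be checked from a shell on the server. This is an added example, not Unraid's own startup script and not code from any poster; the function names are made up here, and it assumes "the certificate" in the Auto rule means certificate_bundle.pem.

```shell
#!/bin/sh
# Added example, not Unraid's own startup script. It models two rules quoted
# in this thread: the certificate lookup order and the "Auto" behaviour.

# selected_cert DIR SERVER_NAME
# Prints the bundle that would be picked under the quoted lookup order,
# or "none" when a self-signed one would have to be generated.
selected_cert() {
    dir=$1 name=$2
    if [ -f "$dir/certificate_bundle.pem" ]; then
        echo "$dir/certificate_bundle.pem"
    elif [ -f "$dir/${name}_unraid_bundle.pem" ]; then
        echo "$dir/${name}_unraid_bundle.pem"
    else
        echo "none"
    fi
}

# effective_ssl MODE DIR
# Maps the "Use SSL/TLS" setting (yes/no/auto) to its effective value.
# Assumption: "the certificate" in the Auto rule is certificate_bundle.pem.
effective_ssl() {
    mode=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $mode in
        yes|no) echo "$mode" ;;
        auto) if [ -f "$2/certificate_bundle.pem" ]; then echo yes; else echo no; fi ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# report MODE DIR SERVER_NAME
# One-line summary, plus subject, issuer and expiry of the selected bundle
# when openssl is available.
report() {
    cert=$(selected_cert "$2" "$3")
    echo "ssl=$(effective_ssl "$1" "$2") cert=$cert"
    if [ "$cert" != none ] && command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$cert" -noout -subject -issuer -enddate 2>/dev/null || true
    fi
}

# Usage on a server (paths from the thread; MODE is whatever the GUI shows):
#   report auto /boot/config/ssl/certs Tower
```

Running `report` before and after moving certificate_bundle.pem aside shows the selection fall back to the `<server-name>_unraid_bundle.pem` file, which is the change described in the "Final Update" post.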
3 hours ago, Kaveh said:

It would be nice to walk back this plugin a little bit.  I originally installed it because of the automated USB key backup.  It seems like that feature should be isolated from the SSL/redirect feature.  You should be able to use one without the other.

 

Remote Access and Flash Backup are both optional features, feel free to enable neither, one, or both.

 

Local SSL is ONLY a requirement if you use our Remote Access solution. If you don't use Remote Access then you don't have to set up Local SSL either. To disable Local SSL go to Settings -> Management Access and set "Use SSL/TLS" to "no".

  • Like 1
Link to comment
4 minutes ago, tech_rkn said:

Hello,

 

the real question about this "feature" is, is it safer than a wireguard or openvpn tunnel ??

 

The optional Remote Access feature is a convenient and secure way to access your webgui remotely.

 

WireGuard is arguably less convenient (takes more than a browser to use, doesn't work on some networks) but more secure (uses public/private keys rather than a password). WireGuard can also give access to more than just the webgui.

 

So it depends on what you need. But again, Remote Access is one of the optional features of this plugin and is in no way required.

Link to comment
On 4/29/2021 at 6:44 PM, Kaveh said:

Yes, but does it need to? Why can’t local access remain unredirected?

 

Because the Remote Access solution leverages the existing DDNS and SSL certificate process that is already built in to Unraid. Might this change in the future? Possibly. But in terms of what is available today, the optional Remote Access solution requires that you enable SSL for Local Access.

 

 

Edit: in Unraid 6.10 you can enable SSL/https for Remote Access while keeping http for local access. See https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

 

Link to comment
11 hours ago, ljm42 said:

 

The optional Remote Access feature is a convenient and secure way to access your webgui remotely.

 

WireGuard is arguably less convenient (takes more than a browser to use, doesn't work on some networks) but more secure (uses public/private keys rather than a password). WireGuard can also give access to more than just the webgui.

 

So it depends on what you need. But again, Remote Access is one of the optional features of this plugin and is in no way required.

Thank you

 

I might just stick to wireguard as I used it to access my lan too.

Link to comment