
UNRAID Certs through Let's Encrypt


tessierp


Hi everyone,

 

I was wondering what is the best approach to securing my UNRAID server with SSL Certs. The way I usually proceed to automate this on my Debian servers is by using the ACME.sh script (ACME) which will automate the renewal every month. I am well aware that I could try and install this script by remoting into UNRAID and placing the certs at the right location but is that the way to do it? Perhaps there is an application (plugin) I can use that will do that for me already. It would be very nice to see UNRAID implement this feature as many servers have support for Let's Encrypt through HTTP01 and DNS01 methods.

 

At the moment, there is no such functionality in UNRAID and so, what would be the best approach as far as UNRAID is concerned?

 

Thanks


Personally I use the SWAG container to host sites and reverse proxy what I need to expose to the internet. It handles all the renewals and security internally.

 

I don't like the idea of allowing the built-in instance of nginx that hosts the webGUI to be on the front line exposed to the internet; if something crashes it, things get difficult.

 

I know Limetech is moving forward with properly securing it, but I'm still of the opinion that the management access for Unraid should be behind another layer of security, preferably VPN.


I see what you are saying. Instead of securing all your sites internally, you reverse proxy and handle all the HTTPS from the front; in my case that would be OPNSense through HAProxy or NGINX to terminate HTTPS and redirect to HTTP internally. I was also considering doing that since I don't really need security internally; however, I am still curious to know how to do this. I still think the UNRAID dev team should consider introducing an easy way to get Let's Encrypt certs through DNS01 and HTTP01 methods.

 


SSL functionality using Let's Encrypt is built into Unraid. We give you a unique host name on the unraid.net domain and manage the DNS for you. There are more details here:
  https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

 

Additionally, if you would like Remote Access to the webgui see the My Servers plugin:
  https://wiki.unraid.net/My_Servers 
Remote Access is one of the optional features of My Servers.

8 minutes ago, ljm42 said:

SSL functionality using Let's Encrypt is built into Unraid. We give you a unique host name on the unraid.net domain and manage the DNS for you. There are more details here:
  https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

 

Additionally, if you would like Remote Access to the webgui see the My Servers plugin:
  https://wiki.unraid.net/My_Servers 
Remote Access is one of the optional features of My Servers.

Yeah, I noticed that, except I have my own domain. While it is nice you are providing one for me, and I will look into that, I have my own and am using Cloudflare's DNS01 functionality to acquire my HTTPS certs.

 

Now I may just remove HTTPS from all my systems anyway since I don't need security internally, except for PROXMOX, which forces HTTPS.

  • 2 years later...
On 11/17/2021 at 9:36 AM, JonathanM said:

Personally I use the SWAG container to host sites and reverse proxy what I need to expose to the internet. It handles all the renewals and security internally.

 

I don't like the idea of allowing the built-in instance of nginx that hosts the webGUI to be on the front line exposed to the internet; if something crashes it, things get difficult.

 

I know Limetech is moving forward with properly securing it, but I'm still of the opinion that the management access for Unraid should be behind another layer of security, preferably VPN.

Sorry to necro this thread, but when you say "management of unraid should be behind ... vpn", can you tell me what you mean? Like, the only way to SSH into unraid is through a VPN connection? Are there any guides you could recommend for setting that up?

7 minutes ago, zachlovescoffee said:

Sorry to necro this thread, but when you say "management of unraid should be behind ... vpn", can you tell me what you mean? Like, the only way to SSH into unraid is through a VPN connection? Are there any guides you could recommend for setting that up?

Exactly.

 
