Can't access Unraid web GUI from outside my LAN (other services work fine)


tj0

Hi,

I am setting up a new Unraid server and need remote admin access. I understand it's not recommended to just forward port 443 and expose the admin UI to the outside world, so my plan is to use Tailscale. I deployed the Tailscale docker container and installed the Tailscale client on my laptop, and it works fine for services like ssh or e.g. the Prowlarr web UI, as run in a docker container in bridge mode (and without NATing anything on my router).

So everything works fine, except the Unraid GUI. When I try to access it from the outside (e.g. https://100.XXX.XXX.XXX:443), it redirects my browser to tower.local (actually ur.local, which is my custom hostname) then logically fails to resolve DNS.

To rule out any issue with Tailscale, I got rid of it and tried to just forward ports on my router (for troubleshooting purposes only - again I understand this is not recommended), and I am still running into the exact same issue: http://xxx.xxx.xxx.xxx:9696 gets me into the Prowlarr UI, I can ssh into the server just fine, but https://xxx.xxx.xxx.xxx:443 redirects to ur.local and the browser logically returns a DNS lookup error.

What am I missing? Thanks in advance for your help.

TJ

Link to comment
21 minutes ago, Hoopster said:

Why not use WireGuard which is built into unRAID or the My Servers plugin which offers, among other things, remote access?

Well, Tailscale sounded (and actually was) super easy to set up. And I strongly suspect I would have the same issue, which seems to have more to do with Unraid's web server or nginx?

Link to comment
42 minutes ago, ljm42 said:

What version of Unraid is this?

On Settings -> Management Access, what is "Use SSL/TLS" set to?

Are you using a self-signed cert?

6.10-rc2

Use SSL/TLS -> Yes

No self-signed cert (I am living with the Chrome security warning)

Link to comment
3 hours ago, tj0 said:

No self-signed cert (I am living with the Chrome security warning)

Well actually... since SSL is enabled and your LocalTLD is "local" and you have a Chrome security warning, then this must be a self-signed cert and not an official cert.

In Unraid 6.10.0-rc2 with SSL enabled, the system will only respond to known, configured URLs. So when you try to access it via http://ipaddress it will redirect to the known, configured SSL URL. In your case, that is https://ur.local

As you noticed, .local domains only work on the local subnet and not over VPN. You might be able to hack your way around this by creating a hosts file on your local computer that points ur.local to the correct IP address. Lots could go wrong here, so not something I'll go into more detail on. I wouldn't consider that a supported solution.

The best way to access your server using SSL over VPN is to have an official SSL cert and a Fully Qualified Domain Name with DNS to back it up. The easiest way to do this is to provision an unraid.net certificate; we take care of all the details for you, see: https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

Or if you would rather buy your own cert and manage DNS yourself, you can do that too. Also see the URL above.

If you don't want a real SSL cert for some reason, but you still need to access the webgui over VPN and can't get the hosts file hack to work, then you'll need to disable SSL so you can use random hostnames like http://ipaddress

Link to comment
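
Added example, not part of the thread and not Unraid's own code: a small Python check for the redirect behaviour described in the post above, which classifies the response to a request made by IP address and flags a redirect to a `.local` name. The header block is a constructed sample (the 302 status and the 100.64.0.10 address are assumptions); real headers could be captured with `curl -skI https://<ip>`.

```python
from urllib.parse import urlsplit

# Constructed sample of the response the thread describes when the webGui
# is requested by IP address. The 302 status is an assumption.
SAMPLE_HEADERS = """\
HTTP/1.1 302 Moved Temporarily
Server: nginx
Location: https://ur.local/
Content-Length: 0
"""

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_head(raw):
    """Return (status_code, {lowercased header name: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def diagnose(requested_url, raw):
    """Classify the response to a request made by IP address."""
    status, headers = parse_head(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return "no-redirect"
    asked = urlsplit(requested_url).hostname
    target = urlsplit(headers["location"]).hostname
    if target is None or target == asked:
        # Relative Location, or the same host: name resolution is not the issue.
        return "same-host-redirect"
    if target.endswith(".local"):
        # .local names only work on the local subnet, so a client on the
        # VPN side gets a DNS lookup error after following this redirect.
        return "redirect-to-local-name:" + target
    return "redirect-to-other-host:" + target


if __name__ == "__main__":
    # 100.64.0.10 is a placeholder address, not a value from the thread.
    print(diagnose("https://100.64.0.10:443", SAMPLE_HEADERS))
```
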

Thank you so much for the detailed answer, this explains everything indeed! I will definitely provision an official cert and report back here.

Side question: in the meantime, I looked into how nginx works and tried to fiddle with the config files to prevent the redirection behaviour you have explained, but I couldn't manage to make persistent changes to the files in /etc/nginx/conf.d - my edits were overridden when I restarted nginx. For my understanding, is there a way to change nginx settings otherwise?

Thanks again for your help!

TJ

Link to comment

Glad it helped! Provisioning a cert should solve all of your issues.

Regarding the side question... there are a lot of things in Unraid that are customizable, but tweaking the nginx config is not one of them. We take security very seriously, and from that perspective I can't help you potentially open your system up to threats or break the webgui. If you continue down this path, please do not post any details in the forum; I would not want someone else to blindly follow them and end up getting hacked.

If this question was more about hosting other apps, it would be far better to install nginx in a docker container (take a look at "swag" in Community Apps). Customizations there will not break your Unraid webgui.

Link to comment
