Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

use DUO 2FA on Unraid login page

Featured Replies

Hello, 

 

  I am totally new to unraid. I currently have it on my local pc and loved it. I am planning to use it on my dell server. However, I would like to have a 2FA on login page. DUO provides free account up to 10 users and love it. I use with my RDP. It also supports webSDK. Can any one help where to start to use DUO 2FA on login page? DUO website: http://duo.com

 

Thanks

JK

seen ppl ask for 2fa a few times before, don't think there's any option. You should not expose login page directly to the internet. just use it local or with a vpn. (wireguard is built in) 

 

21 hours ago, JK252 said:

DUO provides free account up to 10 users and love it.

You can use it in combination with Authelia, SWAG and Redis and simply Reverse Proxy the WebGUI if you really want to so that you have Authelia (with DUO 2FA) in front of the unRAID WebGUI.

  • Author

Thanks ich. This sound like an option. However I am trying to keep it simple..like edit UnRAID login page and use duo websdk in that page.

Edited by JK252

  • 2 weeks later...
On 1/31/2022 at 6:17 PM, JK252 said:

Thanks ich. This sound like an option. However I am trying to keep it simple..like edit UnRAID login page and use duo websdk in that page.

I don't know if DUO is the way to go, for some users it might be too complicated to setup.

Also keep in mind if you've set it once in SWAG you can use it for every app that you reverse proxy through SWAG and even for unRAID itself. ;)

  • 2 weeks later...
On 2/1/2022 at 1:57 AM, ich777 said:

You can use it in combination with Authelia, SWAG and Redis and simply Reverse Proxy the WebGUI if you really want to so that you have Authelia (with DUO 2FA) in front of the unRAID WebGUI.


While “do-able” I think this is really poor advice.

 

To the @JK252 please see the formal security recommendations from @limetech

 

https://unraid.net/blog/unraid-server-security-best-practices

 

TLDR: don’t expose your unRAID server to the internet. ESPECIALLY the maintenance GUI. Someone gets access and a web based command prompt with root permissions is a click away. 

46 minutes ago, danioj said:

To the @JK252 please see the formal security recommendations from @limetech

Only double checking but it's actually not mentioned that you shouldn't expose your WebGUI on this page or am I wrong? Basically the My Servers plugin does the same...

 

I think with Authelia in front of the Unraid WebGUI you are pretty secure because it gives you another layer of security before you even can reach the WebGUI itself.

 

50 minutes ago, danioj said:

While “do-able” I think this is really poor advice.

At least from my perspective this is way better than use just the password for Authentication to the WebGUI because you will be redirected to Authelia where you have 2FA with a user and password and additionally a OTP or Push message (depends on how you set it up).

  • Author

Even if we don’t want to expose UnRAID to internet, 2FA is some thing that can make it more secure .  I use RDP only from local..still have DUO 2FA setup.

Edited by JK252

  • 3 months later...

Humor me, with a reverse proxy (NGINX and cloudflare) and a long complex password generated from a password manager, how much trouble would a hacker go through just to get access through my exposed WebGUI to my humble server? 

Is Authelia or other 2FA possible with NGINX? 
I need to be able to access from my company computer and I have no possibility to connect through VPN from here.

On 5/29/2022 at 10:57 PM, Dreeas said:

Is Authelia or other 2FA possible with NGINX? 

Sure thing, look at the SWAG Docker container from @linuxserver.io it ticks all your boxes and is also prepared for Authelia and can be enabled pretty quick.

  • 1 month later...

I'd like to see general TOTP support. Duo supports TOTP, so users can opt to use Duo if they want, or use any TOTP app they prefer.

Hello,

 

I have Nginx Proxy Manager with services that I open externally with Authelia 2FA.

When I call a service, npm points to Authelia which I configured to work with Duo.

I receive a notification and I can say Yes or No and the service launches On Air :)

 

I really like Duo, it brings a professional vision.

Unfortunately as on each application there is always a login / password to enter.

It's a double protection but I dream of a unique and global solution for all applications in order to enter directly into it once past Authelia.

 

This would require that the applications are all compatible with everything.

Very complicated because often the app has its own 2FA (Authy and more)

  • 4 months later...

If you have your domain from CloudFlare you can use ZeroTrust to send you an email and there is a one-time code inside. And when you go to your sub-domain or domain then you will be forced to authenticate.

  • 3 weeks later...
On 5/29/2022 at 3:57 PM, Dreeas said:

Humor me, with a reverse proxy (NGINX and cloudflare) and a long complex password generated from a password manager, how much trouble would a hacker go through just to get access through my exposed WebGUI to my humble server? 


This is worth replying to, and I noticed that nobody had yet. The concern isn't exactly that your password would be insecure against an attacker; but rather that the Unraid WebUI does not undergo regular penetration testing and security auditing, and as such should not be considered hardened against other attacks. These attacks could bypass the need for a password entirely, which is a much bigger concern. 2FA systems, when implemented correctly, would prevent this type of attack, but still would not make it safe to expose the WebUI directly to the internet.

Since it isn't audited and hardened, and has endpoints that directly interact with the OS, it's likely that an attacker could easily find a surface that allows them read/write access to the filesystem as the root user, and the ability to remotely execute arbitrary code, including opening a reverse SSH tunnel to their local machine giving them full terminal access to your server without ever having to know a username or password.

As far as the effort required - it's going to vary greatly, but many of these types of vulnerabilities hackers have written automated toolkits that scan and exploit these vulnerabilities for them with no interaction required on their part.

TL;DR:

Don't expose your WebUI to the internet. This has been stressed heavily by both Limetech and knowledgeable members of the community for a reason. Extend this further to NEVER expose a system with ONLY an administrator or system level account to the internet.


P.S. If I am wrong on the regular security auditing, please do let me know and I will remove that claim from this post, but as far as I am aware and Limetech has made public knowledge there is no such testing done, which is fine for a system that does not get exposed to the internet.

Edited by Xaero

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.