Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Safe Web Access for unRAID?

Featured Replies

If I'm using NAT and port forwarding to point to an unRAID server, and the server is password protected (root and shares), is there something still inherently unsafe about it?  Is the password system robust enough for this? 

IMO I'd be very wary of doing that. I'm not sure the unRAID interface was ever pen tested to a level where I'd be willing to expose it to the 'net and the potential results if someone got in aren't pretty. Is there any reason why you cannot place it behind a VPN?

  • Author

My challenge is simply this...

 

On the unRAID are image/video files that I'm planning to sell (No, not porn - think royalty free content). 

 

My site and shopping cart will display the samples, handle the watermarks, coordinate the sale, etc. and then provide the user with a download link.  This link only links to the same site and initializes a subroutine that, hidden from view, grabs the file from my file server located "somewhere" and delivers it to the user.

 

The site is not on my local network - hosted by GoDaddy.  The unRAID server IS on my local network to facilitate file management (as well as perform other duties).  The user would never "see" the unRAID servers IP/file location, but I suppose if my WAN IP were 'sniffed', a port would be found(?).    I don't have the access (AFAIK) to VPN between the GoDaddy site and the server.

I think you can be pretty much assured that any IP exposed to the 'net will be scanned, it probably already has been. Any port that responds will garner interest and if it looks like SMB or HTTP it will be of great interest....

  • Author

Is it really all that different from opening ports for remote desktop, viewing security cameras, access to a Windows Home Server, access to a Media Center, etc?  I must be missing something fundamental because while all of these things are "risks" to a degree, they are also somewhat commonplace and just part of daily life for many people.  Is a password protected unRAID server more susceptible for some reason?

All of those apps get attacked regularly, unRAID's web interface hasn't had the same level of scrutiny that most of those apps have. Web cameras are a good example, depending upon manufacturer there's plenty of exploits against those!

 

I'm surprised no one else has an opinion about this...

If I'm using NAT and port forwarding to point to an unRAID server, and the server is password protected (root and shares), is there something still inherently unsafe about it?  Is the password system robust enough for this?

 

Yes. That is very unsecure and you should not use it in that way... The password system is absolutely not designed to work in an internetfacing environment...

If I read that right your website is making the request from your unRaid. In that case place a restriction on your local routers port forwarding to only allow connections from your website IP address.

I do this (albeit with RDS on Amazons AWS) with great success, knocks out all the hack attempts. Before setting the rule the Chinese were attempting RDS access 3 times a second and it only took them and 1.5 hours to find the server after it was turned on. No, they didn't get in, but it was resource buster while responding to all the requests.

if your router supports it - setup VPN or the hamanchi plugin - then your unraid is not directly exposed to the net

 

Myk

 

IP Addresses can be faked... But a restriction on IP will take care of automated hacking attempts.. VPN is a better solution.

  • Author

Thanks for all the input.  VPN is not an option - GoDaddy requires I have a dedicated server for that. I'm wondering if PogoPlug or some other similar solution would solve this, as UnRAID would not then have to be the portal.  IP address will work if the sites IP does not change (and it shouldn't).

 

Thanks again!

 

Ted

... links to the same site and initializes a subroutine that, hidden from view, grabs the file from my file server located "somewhere" and delivers it to the user...

 

What does this actually mean?  A script on your website reads the files from your Unraid server,  pipes it through GoDaddy and then ultimately to the customer?

Thanks for all the input.  VPN is not an option - GoDaddy requires I have a dedicated server for that. I'm wondering if PogoPlug or some other similar solution would solve this, as UnRAID would not then have to be the portal.  IP address will work if the sites IP does not change (and it shouldn't).

 

Thanks again!

 

Ted

 

If you have an old router lying somewhere consider running dd-wrt on it, it will give you vpn server..

  • Author

... links to the same site and initializes a subroutine that, hidden from view, grabs the file from my file server located "somewhere" and delivers it to the user...

 

What does this actually mean?  A script on your website reads the files from your Unraid server,  pipes it through GoDaddy and then ultimately to the customer?

 

Yes, that's it.  Files are managed by the site running MySQL and Joomla, Joomla provides customer a "dummy" link that grabs the file from unRAID and serves it to customer.

  • Author

 

If you have an old router lying somewhere consider running dd-wrt on it, it will give you vpn server..

 

While that would enable a VPN on this end, the site resides on a shared server at GoDaddy and VPN is not available for that end.

Yes, that's it.  Files are managed by the site running MySQL and Joomla, Joomla provides customer a "dummy" link that grabs the file from unRAID and serves it to customer.

The simplest way would probably be to install a web server on Unraid, ensure it is hardened as much as possible and run it on some high port number which you port forward from your router. You can then use htaccess to lock down access to only your hosting server.  This isn't perfect - anybody else on the shared server could potentially still access it and you'd have to reconfigure if the IP address changes.

In that case I would advice trying to run some kind of virtualisation on your hardware and running that webserver in a seperate instance.. unraid is not meant to be "hardened", and although it might be possible I do not believe there are examples lying around telling you how to do it...

 

 

  • Author

I've decided to build a 2nd box - one that handles the incoming web requests (using port forwarding and password protection) from WAN to LAN.  This box will have access to a share on the unRAID.

 

So, off to build a 2nd box...

 

Any Windows recommendations for a simple web front end?

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.