Remote Access to CP/Sonarr/NZBGet/Deluge



We need to deal with this properly going forward.

 

The old mantra of unRAID is not internet facing is too black and white in the post v6 docker age.

 

I've heard from everyone still, do not open up the unRAID WebGUI to the internet.

 

Oh absolutely but the forum is littered with docker container apps that people do want to run on the internet.

Link to comment

We need to deal with this properly going forward.

 

The old mantra of unRAID is not internet facing is too black and white in the post v6 docker age.

Absolutely agree that this is indeed a priority issue that LimeTech needs to take care of. Unfortunately they are the only ones able to do so because they're responsible for the base OS and emHttp.

Link to comment

I personally use an Apache reverse proxy with only SSL access and .htaccess.

 

I know that using a VPN is more secure but I'm happy with this compromise.

 

Having said that, it's not a small job setting up Apache and it's taken me a long time to get to grips with it.

 

smdion was invaluable with his guide and gave me a real good start.

 

I also have VPN access so I can tinker with my Unraid machine. I don't and never will reverse proxy my Unraid webui.

Link to comment

Certainly a reverse proxy is far more secure than presenting random daemons to the internet but it is not in the same league as a VPN both in terms of security and functionality.

 

The correct way to do this is via a VPN and then you have access to your entire network as if you are sitting at home ad nauseam.

 

In terms of functionality, if you're at a location where you can't use a VPN for one reason or another (can't install a client, ports blocked, DPI blocks it even over normal ports, etc.) then you've left yourself zero functionality. On the other hand, I've yet to see a place that blocks outgoing https and I've worked at everything from screwdriver shops to multinational banks and the DOE. To put it another way, the number of places I've been that allow VPN of any kind out is far, far less than the number of places that allow https out.

 

In terms of security, sure, you could say that a cert-based VPN is more secure than a RP with password-based access... but we're talking about securing access to your torrent client, not Iranian nuclear secrets. I'm sure the NSA could defeat the fancy AES whatever encryption my RP is talking on, but I'm not super concerned about them trying to get in. I am concerned that some Korean script kiddie will try to exploit a known vulnerability in something like CouchPotato, so I put my SSL-only, authenticating, RP in as a roadblock. If that KSK finds a hole in my RP and gets through and exploits something in my CP docker? More power to him, he should go work for the NSA.

 

Further, the principle of least access would dictate that if you only need access to a small list of services from the outside, then you should only give access to those services from the outside. I don't need to access my other machines, my printer, my ancient switch with an ancient and unpatched and insecure management interface, my webcams, SNMP, my router's management page, etc. on the outside. Exposing them in any way does me no good, so why would I do it via a VPN? Is the risk associated with the slightly lower security of a password-based RP vs. a cert-based VPN worth the higher risk of exposing all kinds of potentially unpatched crap to the internet?

 

VPNs have their place, but a RP is a better way to allow secure access to potentially insecure pages from outside the LAN. That's why things like Netscalers, BIG-IPs, and TMGs exist and cost a lot of money.

Is an Apache-based docker RP in the same class? No.

Is my RP hiding my torrent client likely to get attacked as often as the web servers at my bank that are protected by BIG-IPs? No.

Link to comment
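The SSL-only, authenticating reverse proxy discussed in the posts above, sketched as an Apache 2.4 virtual host. This is an added example, not configuration posted by anyone in the thread. The hostname, LAN address, certificate and password-file paths and the backend ports are assumptions, and authentication is set in the vhost rather than in a .htaccess file. Only the listed apps are published; the unRAID WebGUI is never proxied.

```apache
# Added example; hostname, LAN address, file paths and ports are assumptions.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic, mod_authn_file.

# Plain HTTP only redirects, so credentials never travel unencrypted.
<VirtualHost *:80>
    ServerName media.example.com
    Redirect permanent / https://media.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName media.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/media.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/media.example.com.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Default deny: any path not published below is refused.
    <Location />
        Require all denied
    </Location>

    # CouchPotato (assumed port 5050, app URL base set to /couchpotato)
    <Location /couchpotato>
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
        ProxyPass        http://192.168.1.10:5050/couchpotato
        ProxyPassReverse http://192.168.1.10:5050/couchpotato
    </Location>

    # Sonarr (assumed port 8989, app URL base set to /sonarr)
    <Location /sonarr>
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
        ProxyPass        http://192.168.1.10:8989/sonarr
        ProxyPassReverse http://192.168.1.10:8989/sonarr
    </Location>
</VirtualHost>
```

Further apps follow the same `<Location>` pattern, and each backend needs its own URL base set to match the published path.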
