Enabling HTTPS


jsn0327

Recommended Posts

I'm also curious: what attack vector are you trying to protect against with HTTPS?

 

For the context of my question, I'm working under the assumption that you are running unraid on an internal network, behind a router, and that you trust the other people on your internal network not to attempt sniffing your traffic.

Link to comment

I'm also curious: what attack vector are you trying to protect against with HTTPS?

 

For the context of my question, I'm working under the assumption that you are running unraid on an internal network, behind a router, and that you trust the other people on your internal network not to attempt sniffing your traffic.

I work in the field of Cyber Security and you don't have to open your network up to the world for there to be risks of intrusion through vulnerabilities of many other avenues. As I mentioned previously, I use unraid as my primary NAS and store a lot of important documents on it. In the event that my network is compromised, I'd rather not make it even easier for the attacker by sending my login credentials to him in the clear. I find it hard to believe that with all of the cyber crime going on throughout the world, simple SSL security is an afterthought on a product that we pay for. I could kind of see that being the case for an open source/free product.

Link to comment

Well I won't presume to know more than you, but I do know that in the world of security there are always trade-offs and you should put effort on the largest and highest risk attack surfaces.

 

And you still didn't answer the question: what is the attack vector for unencrypted http streams on an internal network? I ask because if my network is compromised I have bigger worries than unencrypted http streams. Like yuo know, the fact that they have unhindered access to my network, they probably have access to my router (that's how they likely got in) and they have access to any and all devices attached to my network for which I have decided to open (like smb or nfs shares). So how is an encrypted https call going to protect me.

 

so you got to the end of that and probably think I'm poking you in the eye with a stick. I am holding the stick, true, but not poking yet. I'm really honestly asking to be educated. Because if you can articulate the actual risk, and that it is a higher risk than the fact that the network has already been owned, then it goes a long way to justifying the level of effort required on both LT's part and the users to implement robust https with all the effort required to establish certificates as well.

Link to comment

That's a ridiculous approach if u ask me.  I mean, it's only holding ALL of our confidential documents.

 

It was designed, and marketed, as a MEDIA server.

 

This. Even in the wiki it states

unRAID is by no means a secure operating system and should NOT be connected directly to the Internet under any circumstances.

 

http://lime-technology.com/wiki/index.php/Configuration_Tutorial#Security

Link to comment
  • 1 year later...
Is there seriously no HTTPS? now I have to implement VPN to remote in to manage my NAS rather than port forward. If a media server why no media server out of the box without having to install flex docker or a plugin?

Unraid is not a media server. It's a NAS intended for LAN access.

If you turn it into a media server by installing services through docker or VMs, you can also install a reverse proxy in docker to provide access to those guis securely. You can try the linuxserver letsencrypt container which gets and maintains free 3rd party validated certs automatically.

For remote smb or ssh access to unraid, you can set up vpn through docker as well
Link to comment
3 hours ago, johner said:

Is there seriously no HTTPS? now I have to implement VPN to remote in to manage my NAS rather than port forward. If a media server why no media server out of the box without having to install flex docker or a plugin?

Yes, VPN is the recommended approach.  Even if unRAID supported HTTPS I suspect it would still be the recommended approach (see the " unRAID is by no means a secure operating system " comments above).

Link to comment

I happen to agree that the unRAID Admin UI should support HTTPS, but comments from posters like @johner make it sound like all we need it HTTPS on the UI and suddenly unRAID is secure.  That's not true, and I suspect VPN will continue to be the recommended remote management solution even after Limetech implements HTTPS at some point (just my POV).

Link to comment
  • 3 months later...

Hey, I know this post is old and new to unraid but not sure they got https yet. if so, excuse my ignorance and can someone please show me where this setting is.

 

Reason i am asking is because I ran into a situation this week where i setup openvpn into my network. I am using my mac to connect through vpn. Once connected i bring up my unraid box through safari. Anyways I run snort and it showed that when logged in through VPN  and accessing my unraid box from my mac that the password I sent to login to the unraid box was unencrypted. Not sure why this is happening as I am forcing all traffic through the VPN. 

 

I would say that this is a good case as to why we need unraid to have https if it doesn't already. 

Link to comment
1 hour ago, kjoconis said:

Hey, I know this post is old and new to unraid but not sure they got https yet. if so, excuse my ignorance and can someone please show me where this setting is.

 

Reason i am asking is because I ran into a situation this week where i setup openvpn into my network. I am using my mac to connect through vpn. Once connected i bring up my unraid box through safari. Anyways I run snort and it showed that when logged in through VPN  and accessing my unraid box from my mac that the password I sent to login to the unraid box was unencrypted. Not sure why this is happening as I am forcing all traffic through the VPN. 

 

I would say that this is a good case as to why we need unraid to have https if it doesn't already. 

 

It has been in the version 6.4.0-rc3 and higher.  See here:

  

 

Link to comment
  • 2 years later...
On 12/9/2015 at 1:36 PM, StevenD said:

 

It was designed, and marketed, as a MEDIA server.

A digression of topic:

What a nonsense excuse. Obviously it supposed to have https  with self-signed cert as default. I hate this way o thinking to postpone the responsibility. It is very convenient these days. I was born in days where companies were asking users for their opinion and using it to improve their product. It seams that now we live in world where companies are ignoring user feedback, with bunch of “system happy “ users complementing this system.

 

To the topic:

There is stunnel package that can wrap http connection over ssl, so there if someone knows how to make plugins it can be done easily. Maybe it already is?

 

Link to comment
  • 9 months later...
4 hours ago, SLNetworks said:

I think the best reason to implement HTTPS support is because most browsers default to HTTPS.. even if you do manually type it in as HTTP.

 

Bloody annoying.

Once again, this thread is originally 6 years old.  HTTPS is already implemented.  @SLNetworks look at thread dates before bumping for no reason.

Edited by Energen
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.