Nem Posted May 11, 2016

I'm currently using the Nginx-letsencrypt app, where the nginx server is used as a reverse proxy for all of my other applications. I have a domain name pointing at the server so everything can be accessed with www.example.com/couchpotato, for example.

I also currently run my personal website on Digital Ocean, but my credit just expired and I'm looking for alternative ways to host it, and thought that I could host it on my unraid server through a new docker container.

Is it possible to set up a second nginx container to host my website such that when people go to www.example.com they'll get taken to the Nginx-letsencrypt container and hit my server apps, but when they go to www.personalwebsite.com they'll be taken to my new second nginx container and be taken to my personal website instead? So both domains will point to my server IP, but traffic will be redirected to the appropriate container depending on the domain.

Ideally I'd like to do this with a second container rather than trying to do everything within the Nginx-letsencrypt container so I can keep things separated.
BRiT Posted May 12, 2016

I would NEVER put an unraid server in its current software state directly on the internet. It is not secure enough for it. I wouldn't even tunnel port 80 or 443 through to it.
NAS Posted May 12, 2016

my +1

As a security guy, one rule you should stand by is "don't put anything on an insecure network when you don't control the patching".
aptalca Posted May 12, 2016

I personally don't see any issues with running a webserver on port 443 of unraid as long as it is secured for the known vulnerabilities. OP is not suggesting putting the unraid GUI on the Internet, but only proxies for other containers (I'm assuming secured with passwords over SSL since he is using letsencrypt).

Regarding OP's question: unfortunately the nginx-letsencrypt container can only handle one domain at the moment, and that domain has to be accessible on port 443. So a second container would not work because it would need to be accessed at port 443 (on the router) as well. So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.

However, if you handle the SSL certs manually on one of the containers, then it could work with nginx forwarding and different ports.
aptalca Posted May 12, 2016

> my +1
> As a security guy, one rule you should stand by is "don't put anything on an insecure network when you don't control the patching".

In this case, isn't the patching controlled? The Internet requests are passed directly to an Ubuntu docker container that is using the latest version of nginx with SSL.

It is essentially the same setup used for my company's website. The only difference is one is hosted on a VPS and one hosted at home in a container. Both running on Ubuntu 14.04.
Bjonness406 Posted May 12, 2016

> So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.

Then get a new router. My old Asus router could do that (and ofc also my EdgeRouter Lite).
aptalca Posted May 12, 2016

> > So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.
>
> Then get a new router. My old Asus router could do that (and ofc also my EdgeRouter Lite).

Which Asus router was that? As far as I know, most consumer routers don't do domain forwarding, which I believe requires packet inspection (L7?).

You might be thinking of forwarding different ports to different IP addresses. What I mentioned is forwarding the same port to different IP addresses based on the destination FQDN.
Bjonness406 Posted May 12, 2016

> > > So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.
> >
> > Then get a new router. My old Asus router could do that (and ofc also my EdgeRouter Lite).
>
> Which Asus router was that? As far as I know, most consumer routers don't do domain forwarding, which I believe requires packet inspection (L7?). You might be thinking of forwarding different ports to different IP addresses. What I mentioned is forwarding the same port to different IP addresses based on the destination FQDN.

Whoops, yes, I was thinking of something else. I first thought you talked about forwarding a random port to a specific external one (443 in this case).
Nem Posted May 12, 2016 Author

> I personally don't see any issues with running a webserver on port 443 of unraid as long as it is secured for the known vulnerabilities. OP is not suggesting putting the unraid GUI on the Internet, but only proxies for other containers (I'm assuming secured with passwords over SSL since he is using letsencrypt).
>
> Regarding OP's question: unfortunately the nginx-letsencrypt container can only handle one domain at the moment, and that domain has to be accessible on port 443. So a second container would not work because it would need to be accessed at port 443 (on the router) as well. So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.
>
> However, if you handle the SSL certs manually on one of the containers, then it could work with nginx forwarding and different ports.

So nginx-letsencrypt is running on 443, but for my personal website I don't actually need 443 and can run it without SSL. The site is entirely static and doesn't require the user to send/receive any personal data to the server. In other words, I don't actually need an SSL cert for the personal site. Does this change things at all?
aptalca Posted May 12, 2016

> > I personally don't see any issues with running a webserver on port 443 of unraid as long as it is secured for the known vulnerabilities. OP is not suggesting putting the unraid GUI on the Internet, but only proxies for other containers (I'm assuming secured with passwords over SSL since he is using letsencrypt).
> >
> > Regarding OP's question: unfortunately the nginx-letsencrypt container can only handle one domain at the moment, and that domain has to be accessible on port 443. So a second container would not work because it would need to be accessed at port 443 (on the router) as well. So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.
> >
> > However, if you handle the SSL certs manually on one of the containers, then it could work with nginx forwarding and different ports.
>
> So nginx-letsencrypt is running on 443, but for my personal website I don't actually need 443 and can run it without SSL. The site is entirely static and doesn't require the user to send/receive any personal data to the server. In other words, I don't actually need an SSL cert for the personal site. Does this change things at all?

Well, in that case, you can install the regular nginx container and set up your personal site with that. Pick any random port, just not 80 because unraid uses it. And on your router, forward port 80 to the new container's port. When you go to http://yourpersonalweburl it will be redirected to the second nginx container.
Nem Posted May 12, 2016 Author

I thought about doing something like that, but the way I have nginx-letsencrypt set up is that all port 80 traffic it receives gets automatically redirected to 443.

Furthermore, splitting traffic by protocol alone would lead to problems. Let's say on my router I forward 80 to nginx (personalsite.com) and 443 to nginx-letsencrypt (proxysite.com). Both domains will point to the same IP. So if someone goes to https://personalsite.com, they will be incorrectly taken to the proxy site, and if someone goes to http://proxysite.com they will be taken to the personal site because of how the ports are forwarded... unless there's a way in the nginx config to redirect the user back to the "other" site or something?
NAS Posted May 12, 2016

> > my +1
> > As a security guy, one rule you should stand by is "don't put anything on an insecure network when you don't control the patching".
>
> In this case, isn't the patching controlled? The Internet requests are passed directly to an Ubuntu docker container that is using the latest version of nginx with SSL. It is essentially the same setup used for my company's website. The only difference is one is hosted on a VPS and one hosted at home in a container. Both running on Ubuntu 14.04.

There is a bit of reality versus theory at play here. Sure, if you're a competent sysadmin and understand about patching up and down the whole application and protocol stack, then you understand risk and how to mitigate it. That however is a tiny percentage of users.

Containerization reduces risk by its very nature, but think about all the patching delays even here that are completely outwith most users' control. Docker spent 9 months + unpatched last year and we are fast approaching 3 months this year. What about the container itself... if a massive security hole is found, how does a user know about this in a timely fashion and then patch it? What about monitoring for attacks, how do users do this (important when a rooted box is your home NAS when compared to a hosted VPS or $2 web host)?

There is latitude in here to be really insecure IN THEORY, but it is my experience most users won't patch even if you make it easy for them. YMMV, but I err on the side of caution: you can't teach users to be secure, you have to keep it secure for them, and that's not currently 100% possible on unRAID.
BRiT Posted May 12, 2016

Yeah, even with all the caveats listed by aptalca, there is no way I'd ever let inbound internet touch a web server on unraid, regardless of it being in a Docker or a VM. I've seen far too many escalations and escapes happen to know that it is an absolutely horrible idea to do so with unraid, especially given the declarations by LimeTech.
drdobsg Posted May 12, 2016

> So nginx-letsencrypt is running on 443, but for my personal website I don't actually need 443 and can run it without SSL. The site is entirely static and doesn't require the user to send/receive any personal data to the server. In other words, I don't actually need an SSL cert for the personal site. Does this change things at all?

Yes, that does change things.

You would set both DNS aliases (example.com and personalwebsite.com) to point to your public IP address.

Then you forward port 80 on your router to whatever port your nginx server is listening to (it most likely isn't 80, as that is what unraid uses by default).

Forward port 443 on your router to whatever SSL port your nginx server is listening to (might be 443, but is configurable).

In the nginx configuration nginx\sites-conf\ folder, create a configuration for personalwebsite.com that looks something like this...

    server {
        listen 80;
        #listen 443 ssl;
        # Both the bare name and subdomains; a wildcard alone does not match the apex.
        server_name personalwebsite.com *.personalwebsite.com;
        root /config/www/personalwebsite.com;

        location / {
            try_files $uri $uri/ /index.html /index.php?$args =404;
        }
    }

The website will be placed in /config/www/personalwebsite.com/ in this scenario. Nginx will examine web requests for personalwebsite.com and if it matches then it will serve those files.

The limitation in this setup is that a single IP can only host one SSL certificate. And your lets-encrypt cert will most likely have the example.com certs on it. So if you do happen to go to https://personalwebsite.com you will get a certificate error in your web browser about names not matching. There are lines you can add to the config file that will force https back to http for all personalwebsite.com connections.

What may be a better option for you would be to get the letsencrypt cert for personalwebsite.com and let the mismatched name occur on example.com, only because I am assuming you will be the only one going to example.com, so you will know to ignore the certificate error and go on your way. However, if you really have no need for SSL on your personalwebsite.com then continue using the cert from example.com.

Another option, instead of serving the site via an unraid docker, is to just have the docker act as a reverse proxy and forward the request to a real server or a VM where you have more control over things.

As far as the security concerns of having an nginx docker on the public internet: in my opinion, using nginx solely as a reverse proxy or static HTML server is a risk I am willing to live with. I probably wouldn't host PHP or some other dynamic site on it though.
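The config below is an added example written for this thread, not drdobsg's nor any poster's own configuration. It addresses two points at once: Nem's question about sending http://proxysite.com traffic back to the HTTPS side, and drdobsg's note about letting the container act as a reverse proxy for a VM. One nginx instance receives everything the router forwards to port 80 and picks a server block by the Host header, so both names can share the public IP without any router-side domain matching. The hostnames proxysite.com and personalsite.com come from Nem's post; the web root, the blog.personalsite.com name and the VM address 192.168.1.50 are assumptions.

```nginx
# Added example, not from the thread. Everything the router forwards to
# port 80 lands here; nginx chooses the server block by the Host header.
# Assumed values: /config/www/personalsite.com, blog.personalsite.com,
# and the VM at 192.168.1.50:8080.

# 1. Catch-all for requests that name no known site (bare IP, scanners,
#    typos). Closing the connection (444) avoids serving one of the real
#    sites to whoever happens to hit the IP directly.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# 2. The apps behind nginx-letsencrypt are only meant to be reached over
#    HTTPS, so a plain-HTTP hit for that name is bounced to 443, which the
#    router forwards to the nginx-letsencrypt container as in the thread.
server {
    listen 80;
    server_name proxysite.com www.proxysite.com;
    return 301 https://$host$request_uri;
}

# 3. The static personal site, served directly over HTTP.
server {
    listen 80;
    server_name personalsite.com www.personalsite.com;
    root /config/www/personalsite.com;
    index index.html;

    # Hand out only files that exist; no index pages, no interpreter.
    location / {
        try_files $uri $uri/ =404;
    }

    # Never expose dotfiles (.git, .htaccess, editor backups) from the root.
    location ~ /\. {
        deny all;
    }
}

# 4. drdobsg's alternative: forward a name to a real server or VM instead
#    of serving it from the container. Address is assumed.
server {
    listen 80;
    server_name blog.personalsite.com;

    location / {
        proxy_pass http://192.168.1.50:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To confirm the routing from inside the LAN without touching DNS, send requests to the container's mapped port with an explicit Host header, for example `curl -sI -H 'Host: proxysite.com' http://SERVER_IP:PORT/` (expect a 301 to https://) versus `-H 'Host: personalsite.com'` (expect 200 and the static index); a request with no matching Host should get no response at all. The mirror-image case, https://personalsite.com arriving at the nginx-letsencrypt container, cannot be fixed by a redirect alone: the certificate is presented during the TLS handshake before any HTTP response, so the browser warning drdobsg describes appears first unless that container also holds a certificate for personalsite.com and selects it by SNI.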
aptalca Posted May 12, 2016

BRiT and NAS, I appreciate your comments and insight. How do you guys feel about a VPN server running on unraid (or on a router)?
NAS Posted May 13, 2016

The gold solution is always a VPN running on your edge firewall/router. This is secure, far more flexible and maintainable as a long-term solution, with minimal sysadmin workload to keep it secure.

I don't often recommend spending money, but this one is worth it. The feeling of being able to plug into any random network and know you are secure is more than a nice added benefit.