
Web Gui https



I guess I would add to the question: is there a settings.xml or another configuration file you could set up https with? I agree with the VPN comment, because I wouldn't open up my NAS externally. I would still like my NAS to be configured for https. I could see small offices that might also like this functionality.

Link to comment

Hi,

 

I cannot find how to set the web gui to use https.

 

Can someone point me to the right direction please?

 

regards,

 

Olivier

 

This product requires a bit of tinkering. You could just load a Linux VM and do a basic reverse proxy w/ SSL offloading to your storage server. Just another thought.

Link to comment


Please don't expose your unRAID GUI to the Internet.

 

unRAID is not hardened for such a use.

 

My view is that unRAID 6.1.9 would fail even a basic security audit. It has not been patched since its release. I would say that 6.2 RC4 is better but again it's not intended to be exposed to the Internet. Doing so will expose you to what I consider unacceptable risk.

 

Those risks are mitigated (somewhat) by the advice to keep it securely behind a firewall and not exposing the system or its GUI to the Internet.

 

A good source of information on the current state of unRAID security is here:

 

http://lime-technology.com/forum/index.php?topic=50643.0

 

I personally do expose one of my unRAID Servers to the Internet for the purpose of facilitating a VPN connection and also serving a basic web site via the Docker platform which is running on unRAID.

 

While it is not without risk, I feel this risk is mitigated by the fact that both dockers I use for this are updated regularly (or in the case of Apache, daily) and as such I feel that security patches are applied in sufficient time to deal with known threats.

 

That doesn't mean however that there isn't a risk. As NAS points out deep into the thread I posted above, the risk I am managing through doing this can be described as:

 

The bad news is what happens if someone exploits a vulnerability in your applications and gets root. At that point you are relying 100% on unRAID to protect you from attack escalation. The chances are you don't have a DMZ in this setup as current unRAID does not lend itself to this. Also this is where unRAID patching is critical. Docker/VM et al. need to be up to date to reduce the risk of a known exploit being abused to break out into the host. Currently there is no known exploit, however there could be tomorrow and this is why it is critical you apply security patches.

 

The specific post in that above thread about doing what I do is here:

 

http://lime-technology.com/forum/index.php?topic=50643.msg488115#msg488115

 

Down to the help. If you're happy to accept the risk of exposing applications (hosted on a VM or the Docker Platform) running on unRAID to the Internet then I have a solution for you.

 

Before I do, it was previously noted that a reverse proxy could be used. While this is true I would advise against this for your unRAID GUI.

 

Many people use this method for accessing other applications on their LAN (usually GUIs of other Docker containers). These applications often have their own security system built in (which may or may not be that hardened themselves) and often with the addition of .htaccess password protection this can be reasonably ok. It's important to note though that these applications often don't provide you access to the functionality that the unRAID GUI does.

 

For that reason I'd say stay away from reverse proxy for unRAID GUI access. In fact, I personally don't use reverse proxy for application access at all. I use a VPN connection.

 

For completeness' sake here is a link to the linuxserver.io apache docker container:

 

https://lime-technology.com/forum/index.php?topic=43858.0

 

The following is an excellent guide we have posted on the website for setting up Apache to work as a reverse proxy:

 

https://www.linuxserver.io/index.php/overview-reverse-proxy-with-docker/installation-of-apacheweb-docker/

 

 

However, I will recommend OpenVPN-AS.

 

OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.

 

https://openvpn.net/index.php/access-server/overview.html

 

Over at linuxserver.io we have a docker container running this application that you can use.

 

https://lime-technology.com/forum/index.php?topic=43317.0

 

The easiest way to install this (and other apps) is via the Community Applications plugin. Also a linuxserver.io creation.

 

This plugin will allow you to easily search for and add any of the unRaid docker or plugin applications, along with some related optional utilities (automatic updates of plugins, backup of appdata shares)

 

http://lime-technology.com/forum/index.php?topic=40262.0

 

The application as set up in the container almost works "straight out of the box". It's as simple as installing the container, configuring some basic options (well documented in the support thread), changing and creating a password, creating a port forward on your firewall and downloading the .ovpn profile file to your client.

 

15 mins of tinkering and you can connect to your LAN securely (noting what I have already said above) from a remote location as if you were local.

 

That's how I would (and do) deal with your access issue.

 

 

 

Sent from my iPhone using Tapatalk

Link to comment

Add an nginx docker container with mapping port 443 to 443.

 

Use openssl to generate certs.

https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04

 

Create a config for reverse proxy:

site-confs/www.conf

 

---
server {
    listen 443 ssl;
    server_name unraid-ssl;

    ssl_certificate          /certs/unraid.crt;
    ssl_certificate_key      /certs/unraid.key;

    location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://your_unraid_ipv4:80;
    }
}
---

Link to comment


I advise strongly against this if it is to be then exposed to the Internet.

 

If it is on the LAN then it's fine. I guess there are use cases where HTTPS is required on your LAN too.

Link to comment


No doubt. This can also be easily brute-forced. The user id is always the same (root) and I don't know of a way to change that.

Link to comment
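
A LAN-only variant of the reverse-proxy config posted above, as an added example that is not part of any post in this thread: it keeps the poster's server name, certificate paths and upstream placeholder, and adds a source-address allow list and a request-rate limit in response to the exposure and brute-force concerns raised in the replies. The 192.168.1.0/24 subnet, the zone name unraid_gui and the rate values are assumptions to adjust for your network.

```nginx
# site-confs/www.conf (added example, not from the thread)
# Assumed values: LAN subnet 192.168.1.0/24, zone name "unraid_gui", 5 req/s limit.

# Shared-memory zone for per-client rate limiting. limit_req_zone is only valid
# in the http context, so this assumes site-confs files are included there.
limit_req_zone $binary_remote_addr zone=unraid_gui:10m rate=5r/s;

server {
    listen 443 ssl;
    server_name unraid-ssl;

    ssl_certificate      /certs/unraid.crt;
    ssl_certificate_key  /certs/unraid.key;
    ssl_protocols        TLSv1.2 TLSv1.3;   # refuse legacy protocol versions

    # LAN-only access: rules are checked in order and the first match wins,
    # so everything outside the assumed subnet gets 403.
    allow 192.168.1.0/24;
    deny  all;

    location / {
        # Throttle repeated requests from one address; excess requests get 503.
        # This slows password guessing against the fixed "root" account but
        # does not replace a strong password.
        limit_req zone=unraid_gui burst=20 nodelay;

        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host              $host;
        proxy_pass http://your_unraid_ipv4:80;
    }
}
```

The allow list only works if nginx sees the real client address, so check the container's access log under your Docker network mode before relying on it. The unRAID GUI itself still answers plain HTTP on port 80 behind the proxy.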

While I wholeheartedly agree with the fact that you shouldn't expose your server to the public domain, I respectfully disagree that using OpenVPN is any safer than a reverse-proxy server with a proper TLS certificate handling encryption of authentication and traffic. As I understand it, you have 2 methods of encryption with OpenVPN, a preshared secret or a TLS/SSL-VPN method. The TLS/SSL method is much like the reverse proxy with a proper TLS/SSL certificate. There are specific uses for each of these types and I use both. I plan on having many web servers/services so it would be in my interest to use the latter. I won't get into it more than this as it is beyond the scope of the OP's question. I would not recommend doing either if you are unclear on the security risks or methods for mitigation.

 

 

Sent from my iPhone using Tapatalk.

Link to comment


Sorry, I have to disagree.

 

A reverse proxy acts as an intermediary between the client and the web application you're accessing. It adds an additional layer between the client and the web application.

 

A reverse proxy (in the scenario of using it to expose applications to the Internet) is available on the Internet, so generally anyone (unless you are going to set some really tight firewall rules) who knows the URL will have access to that application. Even with additional security like SSL (which just encrypts client to server), it is still directly connected to the web.

 

In this case you are also going to be relying on the security system of each application for access. Many of the applications we all use (in a home server scenario) have different levels of maturity when it comes to their vulnerability to attack. In addition, many of these applications' authors (such as unRAID) advise not to expose their interfaces directly to the Internet.

 

In contrast, a VPN has an additional layer of security as a client has to first authenticate itself with a server before a user has access to the VPN. If you therefore trust users of your LAN (which most people I know who use unRAID in a home setting would) you can even leave the applications unsecured by userids and passwords, as the security is managed by the VPN server.

 

I would also add that if there are vulnerabilities I would be more confident of the ongoing security of OpenVPN (being a widely used enterprise technology) and exploits being patched than the exploits being found, patched etc in many of these applications we all use.

 

 

Sent from my iPhone using Tapatalk

Link to comment


I am not in disagreement with what you are telling users, as we both acknowledge that the weakest link here is the security controls of each application, in this case unRAID.

 

For the intent of the OP's request for https: it is possible. If the need was for just accessing one's server, VPN would be better for end to end.

 

With that said, I recant what I typed about OpenVPN not being safer than RP. For clarity: my previous statement about OpenVPN being any safer; the post was concentrated on the subject of encryption. Strong traffic encryption could be had with both VPN and SSL offloading because they both can use the same type of encryption. The problem then exists after the handshake (in RP SSL offload), in which case VPN is the better choice if you do not have the need for it to be public facing.

 

 

 

 

Sent from my iPhone using Tapatalk.

Link to comment

Would this work?

 

Install TeamViewer on a VM. Use TeamViewer from a remote computer to control said VM. Run browser remotely through TeamViewer and access the GUI.

 

;D

 

Has TeamViewer ever figured out how thousands of their users were hacked or breached? Last time I heard of TeamViewer was not good news and made it seem like it was completely insecure.

Link to comment
  • 7 years later...
On 8/24/2016 at 4:02 AM, sypack said:

Hi,

 

I cannot find how to set the web gui to use https.

 

Can someone point me to the right direction please?

 

regards,

 

Olivier

 

SSL/TLS is now supported in Unraid but is off by default. You can turn it on by going to Settings > Management Access and changing Use SSL/TLS to Yes. See screenshot for more details:

 


Link to comment
