October 1, 2016

I've read in a number of places that unraid is not secure enough to run an internet-facing web server on the machine, and running things like an nginx/apache reverse proxy is not advised. Could anyone explain why this is the case? I would like to be able to hook up a domain name and access some of my dockers while I'm away from my LAN.

On a related note... if it is insecure to run a webserver/reverse proxy on an unraid machine, is it also not advised to run an openvpn server on the machine for the same reason? If ovpn servers (in a container) are secure, what makes that different from running a webserver in a container?

October 2, 2016

OpenVPN requires a certificate that you generate so nobody else has it... so that's one reason it's more secure than a normal public facing open port. Plus, there is no HTTPS/SSL for unRAID's web GUI. If you are just passing a specific docker port like 3400 for Plex, that is fine as Plex has HTTPS/SSL support baked in.

Just to be clear, you aren't talking about passing port 80 to unRAID from WAN, correct?

October 3, 2016 (Author)

> OpenVPN requires a certificate that you generate so nobody else has it... so that's one reason it's more secure than a normal public facing open port. Plus, there is no HTTPS/SSL for unRAID's web GUI. If you are just passing a specific docker port like 3400 for Plex, that is fine as Plex has HTTPS/SSL support baked in.
>
> Just to be clear, you aren't talking about passing port 80 to unRAID from WAN, correct?

Well, I have nginx on port 80 and moved unraid to 88. So on my router I pass port 80 through to the nginx docker, which has an SSL certificate, so I'm guessing that's a secure setup?

October 3, 2016

> > OpenVPN requires a certificate that you generate so nobody else has it... so that's one reason it's more secure than a normal public facing open port. Plus, there is no HTTPS/SSL for unRAID's web GUI. If you are just passing a specific docker port like 3400 for Plex, that is fine as Plex has HTTPS/SSL support baked in.
> >
> > Just to be clear, you aren't talking about passing port 80 to unRAID from WAN, correct?
>
> Well, I have nginx on port 80 and moved unraid to 88. So on my router I pass port 80 through to the nginx docker, which has an SSL certificate, so I'm guessing that's a secure setup?

Should be passing port 443 and using HTTPS://. Port 80 is HTTP:// (not secure); double check the nginx documentation to make sure.

October 3, 2016 (Author)

Sorry - minor oversight when I was typing. I do pass 443 to nginx and use https. I also pass 80 to nginx, but it forces a redirect to 443 if any traffic comes in on 80.

October 3, 2016 (Community Expert)

> Sorry - minor oversight when I was typing. I do pass 443 to nginx and use https. I also pass 80 to nginx, but it forces a redirect to 443 if any traffic comes in on 80.

You might be better off not letting port 80 through your firewall in the first place. There have also been some reports of unexpected behaviour at the unRAID GUI level if it is not running on port 80, so that is another reason to not use port 80 for nginx.

January 2, 2017

> You might be better off not letting port 80 through your firewall in the first place.

Why? As Nem said, http is redirected to https by the proxy. I do the same thing; seems to be a widespread pattern.

January 2, 2017

> > You might be better off not letting port 80 through your firewall in the first place.
>
> Why? As Nem said, http is redirected to https by the proxy. I do the same thing; seems to be a widespread pattern.

Why do you want / need uninvited unknown traffic to your server? Since all legit access is on 443, there is no reason to allow external traffic to hit 80. If you mistype and forget the s at the end of http, just insert it.

The widespread pattern of redirecting 80 to 443 is to allow publishing an http address and forcing all incoming traffic to 443. Unless you are inviting the world to visit your unraid server, I see no need for opening 80.

January 2, 2017

> The widespread pattern of redirecting 80 to 443 is to allow publishing an http address and forcing all incoming traffic to 443. Unless you are inviting the world to visit your unraid server, I see no need for opening 80.

Fair point; I'm only exposing the seafile backend so files could be shared. No one's manually typing the address anyways.

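
Added example, not part of any post in this thread: a Python check of the exposure discussed above, meant to be run from outside the LAN against your own WAN address. The ports (443 for nginx HTTPS, 80 for the redirect, 88 for the relocated unRAID GUI) come from the thread; the function names are illustrative assumptions.

```python
import socket

# Added example (names illustrative). Thread's ports: 443 nginx HTTPS, 80 redirect, 88 unRAID GUI.
def probe_port(host, port, timeout=3.0):
    """Return 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, unreachable network, ...
        return "filtered"

def redirect_target(host, port, timeout=3.0):
    """Send one plain-HTTP GET; return the Location of a 3xx reply, else None."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = head[0].split()
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def audit(host, https_port=443, http_port=80, gui_port=88):
    """Return findings; an empty list means only the HTTPS port answers."""
    findings = []
    if probe_port(host, https_port) != "open":
        findings.append(f"{https_port}: HTTPS proxy not reachable")
    if probe_port(host, gui_port) == "open":
        findings.append(f"{gui_port}: unRAID web GUI reachable from outside")
    if probe_port(host, http_port) == "open":
        target = redirect_target(host, http_port)
        if target and target.lower().startswith("https://"):
            findings.append(f"{http_port}: open but redirect-only; can be closed at the router")
        else:
            findings.append(f"{http_port}: plain HTTP answered without an HTTPS redirect")
    return findings
```

Call `audit("your.domain.example")` (placeholder hostname) from a connection outside the LAN, since a check from inside tests the LAN path rather than the router's port forwards.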