Nem Posted October 1, 2016

I've read in a number of places that unraid is not secure enough to run an internet facing web server on the machine, and running things like nginx/apache reverse proxy are not advised. Could anyone explain why this is the case? I would like to be able to hook up a domain name and access some of my dockers while I'm away from my LAN.

On a related note... if it is insecure to run a webserver/reverse proxy on an unraid machine, is it also not advised to run an openvpn server on the machine for the same reason? If ovpn servers (in a container) are secure, what makes that different from running a webserver in a container?

METDeath Posted October 2, 2016

OpenVPN requires a certificate that you generate so nobody else has it... so that's one reason it's more secure than a normal public facing open port. Plus, there is no HTTPS/SSL for unRAID's web GUI. If you are just passing a specific docker port like 3400 for Plex, that is fine as Plex has HTTPS/SSL support baked in.

Just to be clear, you aren't talking about passing port 80 to unRAID from WAN, correct?

Nem Posted October 3, 2016

> OpenVPN requires a certificate that you generate so nobody else has it... so that's one reason it's more secure than a normal public facing open port. Plus, there is no HTTPS/SSL for unRAID's web GUI. If you are just passing a specific docker port like 3400 for Plex, that is fine as Plex has HTTPS/SSL support baked in.
>
> Just to be clear, you aren't talking about passing port 80 to unRAID from WAN, correct?

well I have nginx on port 80 and moved unraid to 88. So on my router I pass port 80 through to the nginx docker, which has an SSL certificate, so I'm guessing that's a secure setup?

METDeath Posted October 3, 2016

> > OpenVPN requires a certificate that you generate so nobody else has it... so that's one reason it's more secure than a normal public facing open port. Plus, there is no HTTPS/SSL for unRAID's web GUI. If you are just passing a specific docker port like 3400 for Plex, that is fine as Plex has HTTPS/SSL support baked in.
> >
> > Just to be clear, you aren't talking about passing port 80 to unRAID from WAN, correct?
>
> well I have nginx on port 80 and moved unraid to 88. So on my router I pass port 80 through to the nginx docker, which has an SSL certificate, so I'm guessing that's a secure setup?

Should be passing port 443 and using HTTPS://; port 80 is HTTP:// (not secure). Double check the nginx documentation to make sure.

Nem Posted October 3, 2016

sorry - minor oversight when I was typing. I do pass 443 to nginx and use https. I also pass 80 to nginx but it forces a redirect to 443 if any traffic comes in on 80

itimpi Posted October 3, 2016

> sorry - minor oversight when I was typing. I do pass 443 to nginx and use https. I also pass 80 to nginx but it forces a redirect to 443 if any traffic comes in on 80

You might be better off not letting port 80 through your firewall in the first place.

There have also been some reports of unexpected behaviour at the unRAID GUI level if it is not running on port 80, so that is another reason to not use port 80 for nginx.

tuxbass Posted January 2, 2017

> You might be better off not letting port 80 through your firewall in the first place.

Why? As Nem said, http is redirected to https by the proxy. I do the same thing; seems to be a widespread pattern.

JonathanM Posted January 2, 2017

> > You might be better off not letting port 80 through your firewall in the first place.
>
> Why? As Nem said, http is redirected to https by the proxy. I do the same thing; seems to be a widespread pattern.

Why do you want / need uninvited unknown traffic to your server? Since all legit access is on 443, there is no reason to allow external traffic to hit 80. If you mistype and forget the s at the end of http, just insert it.

The widespread pattern of redirecting 80 to 443 is to allow publishing a http address and forcing all incoming traffic to 443. Unless you are inviting the world to visit your unraid server, I see no need for opening 80.

tuxbass Posted January 2, 2017

> The widespread pattern of redirecting 80 to 443 is to allow publishing a http address and forcing all incoming traffic to 443. Unless you are inviting the world to visit your unraid server, I see no need for opening 80.

Fair point; I'm only exposing seafile backend so files could be shared. No one's manually typing the address anyways.

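The reverse-proxy layout discussed in this thread, written out as an added example that is not from any poster: a redirect-only listener on 80, a TLS listener on 443 that proxies to one container, and a catch-all that drops requests for unknown hostnames. The hostname, certificate paths and container address are placeholders chosen for illustration.

```nginx
# Added example; files.example.com, the certificate paths and the backend
# address are placeholders, not values from the thread.

# Port 80: the redirect-only listener described in the thread.
# It is reachable from outside only if the router forwards WAN port 80.
# With that forward removed, as suggested above, only LAN clients hit it.
server {
    listen 80;
    server_name files.example.com;
    return 301 https://$host$request_uri;   # never serve content over HTTP
}

# Port 443: the only listener that proxies to a container.
# The unRAID web GUI (moved to port 88 in the thread) is not proxied at all.
server {
    listen 443 ssl;
    server_name files.example.com;

    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # HSTS: a browser that has visited once upgrades http:// to https://
    # on its own, so a mistyped scheme still works with port 80 closed.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://172.17.0.2:8000;   # assumed container address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Catch-all for scanners that connect by IP or with an unknown Host header:
# close the connection without sending a response.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    return 444;
}
```

Whether port 80 is exposed to the internet is decided by the router's port forward, not by this file; the first server block is harmless to keep for LAN clients either way.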