mikeyrad Posted October 3, 2016
Hey guys - I just started using unraid and so far I love it! I got it pretty much all set up - a few VMs and a bunch of dockers - everything is working great. I'm trying to figure out the best way of allowing external access to internal sites using a reverse proxy with authentication prior to seeing the target server's landing page. I kind of have it set up like this now using nginx-letsencrypt reverse proxy with basic auth - so if you go to some of the sites it'll throw a little pop-up, and if you auth it will take you to the page. Which is what I want - but it's definitely not pretty. I rather have some page to auth against which will bring up a site with bookmarks to links you're authorized to see - an SSL VPN portal is probably the way to go for that, but wondering what you guys have used if anything other than the edge firewall (I have an ASA but the URL bookmarks in the portal redirects don't work particularly well)...openvpn-as maybe?
CHBMB Posted October 20, 2016
I think you're getting a bit confused with what services you use for what. OpenVPN-AS, which is a VPN, is the best way of securing your sites against outside access other than those authorised. But it requires clients to be set up to use it. Reverse proxy using authentication (and SSL) is the second best, the main benefit being no requirement to configure clients. Personally I just use SSL auth as you do, but in the past I have configured a WordPress site on my reverse proxy container, password protected that and also created menus to my apps from within WordPress.
Loch Posted October 22, 2016
I have been looking to do the same thing. Do either of you have any links for walkthroughs, especially for the let's-encrypt one? I tried a while ago using the apache reverse proxy and couldn't get it working.
mikeyrad Posted October 24, 2016 Author
I'm not confused - I'm just looking for an easy, elegant solution. I have a Cisco ASA firewall that I've set up SSL clientless VPN on - it brings you to a landing page and I have bookmarks set up that give you encrypted access to internal resources that I give your account access to. It then proxies your connection to those resources - problem is, unless the web page is very basic the ASA always has a difficult time with it. I was hoping openvpn-as had something similar but it doesn't (requires a client) so was hoping there was some openvpn-webvpn alternative or something. So far I've just been using nginx reverse proxy with basic auth for the sites I want auth for and now that it's been running for a while it's fine....but I still have to tell people which URLs I want them to hit and they have to type them in manually. The WordPress idea isn't a bad one, but it'll still require direct connections from the clients (and probably a re-auth) instead of tunneling them for you.
CHBMB Posted October 24, 2016
What about a VPS? Trying to get my head around how it'd work exactly.....
aptalca Posted October 24, 2016
Since you guys already seem to have the nginx reverse proxy set up, why don't you just modify the home page to include links to the various proxied services? Make sure you password protect the home page and all the proxies with the same htpasswd. For just web traffic, nginx reverse proxy is great. VPN is only needed for non-web traffic like ssh connections, etc.
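Added example (not from any poster in this thread): a minimal nginx server block for the layout aptalca describes, with the landing page and every proxied app behind one htpasswd file. The domain, file paths, upstream addresses and app names are all placeholders and must be adapted to the actual container.

```nginx
# Constructed example; every hostname, path and upstream below is a placeholder.
server {
    listen 80;
    server_name example.invalid;
    # Basic auth is only base64-encoded, so never accept it over plain HTTP.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.invalid;

    ssl_certificate     /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;

    # Declared once at server level: every location inherits it, so a newly
    # added app cannot be left unprotected by forgetting the two lines.
    # Same host plus same realm also means the browser prompts only once.
    auth_basic           "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;

    # Landing page: a static index.html with links to /app1/ and /app2/.
    location / {
        root  /config/www;
        index index.html;
    }

    location /app1/ {
        proxy_pass http://192.0.2.10:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # An empty value stops the proxy's Basic credentials from being
        # forwarded. Remove this line if the backend needs the header itself.
        proxy_set_header Authorization "";
    }

    location /app2/ {
        proxy_pass http://192.0.2.11:8081/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Authorization "";
    }
}
```

Any location that sets `auth_basic off;` or its own `auth_basic_user_file` overrides the inherited setting, so those directives are the ones to look for when checking that nothing is exposed.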
01111000 Posted October 28, 2016
Is there a guide floating around on how to get this all set up on Unraid? I currently have a domain name set up with DDClient that allows me to reach one or two local applications but would love a more secure way to get this done. From what I understand, you're running a web server locally that you can connect to using the reverse proxy. You have a splash page of sorts set up to access local applications, but before you can access anything (the splash page and/or apps) you must authenticate yourself. This is the ideal setup for me.
EDIT: Found this, I forgot what forum I was on...: https://lime-technology.com/forum/index.php?topic=38875.0
Shamalamadindong Posted October 28, 2016
"I rather have some page to auth against which will bring up a site with bookmarks to links you're authorized to see"
https://github.com/causefx/iDashboard-PHP
Crude but effective if you just need a difference between yourself and everyone else. Not at all secure probably though.
Edit: on the topic of reverse proxy authentication, has any of you seen this? https://github.com/bitly/oauth2_proxy
Some further reading:
http://developers.canal-plus.com/blog/install-nginx-reverse-proxy-with-github-oauth2/
https://jasonbarto.com/authenticate-your-services-with-google-nginx-and-oauth2/ (ignore the SSL warning, he's still using a Startcom cert)
mikeyrad Posted October 30, 2016 Author
oauth looks kind of interesting, but it's just auth - definitely an improvement over nginx basic auth though. I might give it a shot and set it up...thanks!