snake382 Posted July 29, 2017

I followed the tutorial entirely but I cannot access the Unraid main page from outside. However, I can access my Plex application from outside... I changed port 80 to 81 and left 443 as in the tutorial, and I also opened the ports on my router, but when I type the address http://subdomain.duckdns.org:81 my browser runs in the Empty and I never get to the main page of unraid... On the other hand, if I type https://subdomain.duckdns.org:443 I get a 502 Bad Gateway error message and I see that the address in my browser bar has changed to: https://subdomain.duckdns.org:443/htpc so normal I have this error message because I have not installed htpc and I cannot access the main page of unraid. I do not understand what is happening. Thanks for your info.

Edited July 29, 2017 by snake382

CHBMB Posted July 29, 2017

Don't reverse proxy the Unraid webui, it's a huge security risk.

snake382 Posted July 30, 2017

OK what do you advise me to safely access Unraid webui? Then I still leave duckdns + let'sencrypt + Nginx to be able to access my applications by https? Thank you.

CHBMB Posted July 30, 2017

> 1 hour ago, snake382 said:
> OK what do you advise me to safely access Unraid webui? Then I still leave duckdns + let'sencrypt + Nginx to be able to access my applications by https? Thank you.

For the Unraid webui a VPN, for everything else you're good with duckdns, LE, Nginx

snake382 Posted July 30, 2017

OK I followed this tutorial: Tutorial openvpn, but it seems to me that I do not need everything, I only seek to be able to access the webui of unraid from the outside. And then if I understand the tutorial it is necessary to install openvpn on each external post on which I wish to take control of unraid, is that right?

WexfordStyle Posted September 12, 2017

> On 7/30/2017 at 5:23 AM, CHBMB said:
> For the Unraid webui a VPN, for everything else you're good with duckdns, LE, Nginx

Why could you not use the reverse proxy with https and username/password for the Unraid WebUI? Would this not be just as secure as OpenVPN?

CHBMB Posted September 12, 2017

Reverse proxy = password
OpenVPN = Password and OpenVPN certs

WexfordStyle Posted September 13, 2017

> 6 hours ago, CHBMB said:
> Reverse proxy = password
> OpenVPN = Password and OpenVPN certs

Okay. But is using a reverse proxy with https and password protection actually a security risk!? I imagine it would be very secure as well, no?

aptalca Posted September 13, 2017

> 8 minutes ago, WexfordStyle said:
> Okay. But is using a reverse proxy with https and password protection actually a security risk!? I imagine it would be very secure as well, no?

Technically everything is a security risk. If a device is connected to others, there is always a security risk. Openvpn happens to be much more secure than https and a password, because the password can be brute forced. Unless you use a firewall like fail2ban (works great when properly configured).

If a reverse proxied docker container gets hacked into, it would be like someone breaking into your car and stealing what's in the glove box. Not much. But getting the unraid gui hacked is like someone stealing your alarm code and getting into your home, where they can get all the valuables, and the car keys. That's why they recommend using a vpn for the unraid gui.

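A sketch of the fail2ban-style counting mentioned in the post above, added here as an example and not part of the original thread: it flags client IPs that collect `max_retry` HTTP 401 responses within `find_time` in an nginx access log. The log lines, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in nginx "combined" log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.44 - admin [13/Sep/2017:01:00:00 +0000] "GET / HTTP/1.1" 401 195 "-" "Mozilla/5.0"
192.0.2.44 - admin [13/Sep/2017:02:00:00 +0000] "GET / HTTP/1.1" 401 195 "-" "Mozilla/5.0"
203.0.113.7 - admin [13/Sep/2017:02:10:01 +0000] "GET / HTTP/1.1" 401 195 "-" "curl/7.55.1"
203.0.113.7 - root [13/Sep/2017:02:10:03 +0000] "GET / HTTP/1.1" 401 195 "-" "curl/7.55.1"
203.0.113.7 - unraid [13/Sep/2017:02:10:05 +0000] "GET / HTTP/1.1" 401 195 "-" "curl/7.55.1"
198.51.100.20 - - [13/Sep/2017:02:11:00 +0000] "GET /sonarr HTTP/1.1" 401 195 "-" "Mozilla/5.0"
198.51.100.20 - alice [13/Sep/2017:02:11:20 +0000] "GET /sonarr HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - admin [13/Sep/2017:03:00:00 +0000] "GET / HTTP/1.1" 401 195 "-" "Mozilla/5.0"
"""

# Captures client IP, timestamp and status code of one access-log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')


def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return IPs that got max_retry or more 401s inside a sliding find_time window."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s still inside the window
    offenders = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "401":
            continue              # unparseable line, or not a failed login
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry and ip not in offenders:
            offenders.append(ip)  # a tool like fail2ban would add a firewall ban here
    return offenders


if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

With the default window the hourly failures from 192.0.2.44 are not flagged; a longer `find_time` catches them.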
isvein Posted September 14, 2017

I need to try this when I get home, trying to get the minio docker behind ssl for remote client backups.

isvein Posted September 14, 2017

Has anyone tried this with the Minio docker and made it work? I get it to work from a browser, but when I try to connect a backup client to the proxy address I get

    cause="Signature does not match" source="[auth-handler.go:122:checkRequestAuthType()]"

Edit: I found the answer here: https://docs.minio.io/docs/setup-nginx-proxy-with-minio so I added this:

    server {
        listen 443 ssl default_server;
        server_name domain.name.;

        location / {
            # include /config/nginx/proxy.conf;
            # pass the Host header the client sent on to Minio
            proxy_set_header Host $http_host;
            proxy_pass http://192.168.0.2:50001;
        }
    }

I have not made it work with a /location

Edited September 14, 2017 by isvein

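Why forwarding the `Host` header matters here, as an added example that is not from the original post or the Minio project: S3 clients sign requests with AWS Signature Version 4, and the `host` header is part of what is signed, so a proxy that forwards a different `Host` (nginx sends the `proxy_pass` address by default) makes the server compute a different signature. The hostname, secret key, date and function names are constructed values.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # hash of an empty request body


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_signature(secret_key, host, amz_date, method="GET", path="/",
                    region="us-east-1", service="s3"):
    """AWS Signature Version 4 for a body-less request with no query string."""
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256,
               "x-amz-date": amz_date}
    names = sorted(headers)
    canonical_request = "\n".join([
        method, path, "",                                # empty query string
        "".join(f"{n}:{headers[n]}\n" for n in names),   # canonical headers
        ";".join(names),                                 # signed header names
        EMPTY_SHA256,
    ])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):  # key derivation chain
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex()


def backend_accepts(client_host, host_seen_by_backend,
                    secret_key="constructed-secret", amz_date="20170914T120000Z"):
    """True when the backend's recomputed signature matches the client's."""
    sent = sigv4_signature(secret_key, client_host, amz_date)
    recomputed = sigv4_signature(secret_key, host_seen_by_backend, amz_date)
    return hmac.compare_digest(sent, recomputed)


if __name__ == "__main__":
    # Constructed public hostname vs. the proxy_pass address from the post.
    print(backend_accepts("minio.example.org", "minio.example.org"))   # Host forwarded
    print(backend_accepts("minio.example.org", "192.168.0.2:50001"))   # Host rewritten
```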
NeoDude Posted September 25, 2017

Personally I only use reverse proxy for anything that the public need to access, like my ADS-B server (radar.clanlawrence.co.uk) and for my Nextcloud. For everything else I use OpenVPN.

blurb2m Posted November 15, 2017

@NeoDude I'm using LE, duckdns, nginx with my nextcloud docker. I can access from https://<server>.duckdns.org/nextcloud but internally I cannot access NextCloud. Driving me nuts!

https://192.168.1.224/nextcloud/ brings me to a blank page within my unRAID webUI??
https://192.168.1.224:444/nextcloud/ redirects me to https://server.duckdns.org/nextcloud

Anyone's help would be greatly appreciated!

aptalca Posted November 15, 2017

> 15 minutes ago, blurb2m said:
> @NeoDude I'm using LE, duckdns, nginx with my nextcloud docker. I can access from https://<server>.duckdns.org/nextcloud but internally I cannot access NextCloud. Driving me nuts!
> https://192.168.1.224/nextcloud/ brings me to a blank page within my unRAID webUI??
> https://192.168.1.224:444/nextcloud/ redirects me to https://server.duckdns.org/nextcloud
> Anyone's help would be greatly appreciated!

Your issue is likely due to your router not allowing nat loopback. Depending on what the router is, there are different solutions

blurb2m Posted November 15, 2017

@aptalca it is a ubiquiti edge router lite. Every other one (radarr, sonarr, unifi, plexrequests) that I have set up through reverse proxy is accessible through IP:port. I have hairpin NAT enabled ("Nat loopback"). Who knows what madness I have done to my default file in nginx/site-confs.

steve1977 Posted November 24, 2017

First of all big thanks to @Fma965 for the great write-up. This is very helpful. As a first step I'd just like to get Nextcloud to work, but I like to have the options of adding sabnzbd (not specified in write-up?) and other dockers at later stage. Unfortunately, I am failing with some of the very basics, so will need some advice:

1) I cannot specify port 443 as it is used by something else. I don't know by what and "deployed host ports" within the docker settings does not show any docker using 443. Any idea how to find out what is using this port?

2) After setting up the docker, I cannot access unraid with my-IP:81 from my home network. Any idea why it is not working? Related to (1)? Below some error messages from the log:

    certbot: error: argument --cert-path: No such file or directory
    Failed authorization procedure. myname.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

3) I have not forwarded the ports in my router yet. I have not tried in recent times, but I am not sure whether my ISP allows me to forward port 443. If not, can I use a different port? Is there some app for Unraid or others that allows me to learn what ports can be forwarded and which ones are blocked by my ISP?

4) I actually "own" a domain and may want to use this eventually. Do I still need duckdns in this case or how would I set it up directly? It is a domain hosted by strato.de

5) Any reason why sabnzbd is not part of the tutorial? More difficult to do or not suggested for security?

6) This thread includes something alarming. I hadn't thought about how what I am doing with reverse proxy would impact what I do in my home network. Can required changes for the respective dockers to still work in the home network after setting up reverse proxies be added to the tutorial?

Thanks again for your help!

hypergolic Posted November 30, 2017

I am using the sample files from the tutorial and I am getting a 401 error in the chrome console with a blank page, any suggestions?

    "GET https://mydomain.duckdns.org/sonarr 401 (Unauthorized)"

Here is the part of my config:

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.10:8989/sonarr;
    }

blurb2m Posted November 30, 2017

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.224:8989;
    }

this is mine

Edited November 30, 2017 by blurb2m (checked my config)

deadnote Posted January 9, 2018

Hi, I followed the tutorial to set up a reverse proxy for my docker images but I have some issues:

Sickrage doesn't load css and shows "You have reached this page by accident, please check the url." (I checked the box "Reverse proxy headers" in the general configuration tab.)

Headphones displays:

    The path '/headphones' was not found.
    Traceback (most recent call last):
      File "/app/headphones/lib/cherrypy/_cprequest.py", line 670, in respond
        response.body = self.handler()
      File "/app/headphones/lib/cherrypy/lib/encoding.py", line 217, in __call__
        self.body = self.oldhandler(*args, **kwargs)
      File "/app/headphones/lib/cherrypy/_cperror.py", line 411, in __call__
        raise self
    NotFound: (404, "The path '/headphones' was not found.")

TT-rss shows 404 not found.

Can someone give me his configuration or help? Thanks!

ipreferpie Posted January 10, 2018

I set up DuckDNS but am having troubles with Letsencrypt. In my logs, it just keeps repeating:

    No renewals were attempted.
    No hooks were run.
    -------------------------------------------------------------------------------
    [cont-init.d] 50-config: exited 0.
    [cont-init.d] done.
    [services.d] starting services
    [services.d] done.
    nginx: [emerg] location "/sonarr" cannot be inside the exact location "/" in /config/nginx/site-confs/default:25
    Server ready
    nginx: [emerg] location "/sonarr" cannot be inside the exact location "/" in /config/nginx/site-confs/default:25
    nginx: [emerg] location "/sonarr" cannot be inside the exact location "/" in /config/nginx/site-confs/default:25

In my site-confs/default file, this is what I have for sonarr:

    upstream backend {
        server 192.168.1.2:19999;
        keepalive 64;
    }

    server {
        listen 443 ssl default_server;
        listen 81 default_server;
        root /config/www;
        index index.html index.htm index.php;
        server_name _;
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...';
        ssl_prefer_server_ciphers on;
        client_max_body_size 0;

        location = / {
            return 301 /sabnzbd;

        location /sonarr {
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.1.2:8989/sonarr;
        }

Did I do something wrong? Any help would be great! Thanks so much!

Edited January 10, 2018 by ipreferpie

NotYetRated Posted January 10, 2018

Awesome write up, thanks! Dumb question, is this more secure than my current method of Firewall blocking all but certain IP's? I feel like my method is more secure, but less accessible, that sound accurate?

Fma965 Posted January 10, 2018 (Author)

> On 09/01/2018 at 9:13 PM, deadnote said:
> Hi, I followed the tutorial to set up a reverse proxy for my docker images but I have some issues:
> Sickrage doesn't load css and shows "You have reached this page by accident, please check the url." (I checked the box "Reverse proxy headers" in the general configuration tab.)
> Headphones displays:
>
>     The path '/headphones' was not found.
>     Traceback (most recent call last):
>       File "/app/headphones/lib/cherrypy/_cprequest.py", line 670, in respond
>         response.body = self.handler()
>       File "/app/headphones/lib/cherrypy/lib/encoding.py", line 217, in __call__
>         self.body = self.oldhandler(*args, **kwargs)
>       File "/app/headphones/lib/cherrypy/_cperror.py", line 411, in __call__
>         raise self
>     NotFound: (404, "The path '/headphones' was not found.")
>
> TT-rss shows 404 not found.
> Can someone give me his configuration or help? Thanks!

Sounds like you aren't setting the base URLs correctly

> 5 hours ago, ipreferpie said:
> I set up DuckDNS but am having troubles with Letsencrypt. In my logs, it just keeps repeating --
> In my site-confs/default file, this is what I have for sonarr:
> Did I do something wrong? Any help would be great! Thanks so much!

this

    location = / {
        return 301 /sabnzbd;

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:8989/sonarr;
    }

should be (always close a location block off with a } before doing another)

    location = / {
        return 301 /sabnzbd;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:8989/sonarr;
    }

> 32 minutes ago, NotYetRated said:
> Awesome write up, thanks! Dumb question, is this more secure than my current method of Firewall blocking all but certain IP's? I feel like my method is more secure, but less accessible, that sound accurate?

so with this you have 2 ports accessible to the internet, 80 and 443; with your way you would have to forward many ports (one for each service) in order to access them from outside your LAN (internet)

---

@all here is the config I currently use. https://gist.github.com/Fma965/540219ade8133e65542e9ec15651fe82

Edited January 10, 2018 by Fma965

RichardU Posted January 16, 2018

Quick comment. Some of us might only add a docker every year or two. Such a person might be completely literal, and spend a lot of time looking for the Add button shown under the logo for the dockers in your wonderful tutorial. After much gnashing of teeth, such person might eventually figure out the interface has changed since your tutorial was made, and one needs to hover over the logo in order to see a window with a much more cryptic "add" button. Possibly.

ipreferpie Posted January 19, 2018

@Fma965, thanks so much! forgot that one little thing and now it works well

unRaide Posted January 26, 2018

Hi @Fma965! I’m looking to take a stab at setting this up based on your guide and I’m wondering if anything’s changed with the latest 6.4 release? Do we still need to install the LE docker? Should we use the Unraid UI to provision the SSL certificate? Still trying to figure this all out