Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

emhttp webui reverse proxy in nginx

Featured Replies

Hi all,

 

Is there a way to get the default unraid webui behind a reverse proxy?  I have the following config

  location /Dashboard {
        proxy_pass http://192.168.1.100/Dashboard;
        add_header X-Frame-Options SAMEORIGIN;
  }

and it almost works, But I'm still missing some elements on the page, and fastcgi php seems to be broken...

2017/06/01 11:49:33 [error] 335#335: *10 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 20x.xx.xx.38, server: _, request: "POST /webGui/include/Notify.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "myhostname.com", referrer: "https://myhostname.com/Main"

any ideas?

Yeah, don't do it. Set up a VPN for remote management.

 

When 6.4 beta comes out, then it may be more feasible, but for 6.3.x and earlier, it's not recommended.

Yes it is possible. Some ideas here:  

I haven't seen any specific objections to this, as long as you use SSL and let nginx (with fail2ban) handle the authentication.

36 minutes ago, ljm42 said:

I haven't seen any specific objections to this, as long as you use SSL and let nginx (with fail2ban) handle the authentication.

If it's done right, it should be ok. The problem is, many people either don't know enough or don't care enough to secure it properly. Simply exposing emhttp to passthrough with reverse proxy is not OK.

 

A VPN is hard to get wrong.

54 minutes ago, jonathanm said:

If it's done right, it should be ok. The problem is, many people either don't know enough or don't care enough to secure it properly. Simply exposing emhttp to passthrough with reverse proxy is not OK.

 

A VPN is hard to get wrong.

 

Agreed.  No way would I consider this, and I can secure nginx pretty well, but the stakes are too high imho.

5 hours ago, jonathanm said:

Simply exposing emhttp to passthrough with reverse proxy is not OK.

 

This I definitely agree with.

 

4 hours ago, CHBMB said:

No way would I consider this, and I can secure nginx pretty well, but the stakes are too high imho.

 

This surprises me a bit. Not sure if you're over-paranoid or I'm missing out on something big :)

9 minutes ago, ljm42 said:

This surprises me a bit. Not sure if you're over-paranoid or I'm missing out on something big

The big issue is that emhttp is AFAIK closed source and not easily analyzed for vulnerabilities. MANY issues have come up over the years and been fixed, who knows how many more are yet to be discovered. Given the level of control you have over the server with access to emhttp, I'd rather not risk exposing it, even through a secured proxy. Paranoid? Yep.

 

Since there are good alternatives easily implemented, why risk it?

22 minutes ago, jonathanm said:

The big issue is that emhttp is AFAIK closed source and not easily analyzed for vulnerabilities. MANY issues have come up over the years and been fixed, who knows how many more are yet to be discovered.

 

I'm having trouble seeing why that matters... unraid could have a great big "delete all" button and as long as nginx prevents the internet from accessing it, you'd be perfectly safe. 

 

Now if there was a misconfiguration or some sort of zero-day bug in nginx that allowed unauthorized people to access the site... the would definitely be a problem. But the same could be said for VPN.

 

25 minutes ago, jonathanm said:

Since there are good alternatives easily implemented, why risk it?

 

Because it is far easier to access an https site than it is to start a VPN client :) the main benefit of VPN is that you can also access smb, which we can all agree should never be exposed to the internet

 

  • Author
21 hours ago, ljm42 said:

Yes it is possible. Some ideas here:  

I haven't seen any specific objections to this, as long as you use SSL and let nginx (with fail2ban) handle the authentication.

 

 

thanks, this works exactly as i needed.  Like mentioned above, easy administration is far more valuable to me than the security of a vpn... fail2ban  is plenty of security for my needs.  

 

thanks!

 

  • 1 year later...

@all Use the Nginx Proxy Manager for a easy connect to the unraid ui with ssl

On 6/1/2017 at 11:22 PM, jonathanm said:

Simply exposing emhttp to passthrough with reverse proxy is not OK.

Since Unraid 6.4 emhttp talks to nginx using a local unix socket. emhttp is not reachable from outside nor is it possible to passthrough.

4 hours ago, bonienl said:

Since Unraid 6.4 emhttp talks to nginx using a local unix socket. emhttp is not reachable from outside nor is it possible to passthrough.

I'm pretty sure that at the time of the post you quoted from 2017, nginx had not been implemented yet.

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.