emhttp webui reverse proxy in nginx


Hi all,

 

Is there a way to get the default unraid webui behind a reverse proxy?  I have the following config

  location /Dashboard {
        proxy_pass http://192.168.1.100/Dashboard;
        add_header X-Frame-Options SAMEORIGIN;
  }

and it almost works, but I'm still missing some elements on the page, and fastcgi php seems to be broken...

2017/06/01 11:49:33 [error] 335#335: *10 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 20x.xx.xx.38, server: _, request: "POST /webGui/include/Notify.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "myhostname.com", referrer: "https://myhostname.com/Main"

any ideas?

Link to comment
36 minutes ago, ljm42 said:

I haven't seen any specific objections to this, as long as you use SSL and let nginx (with fail2ban) handle the authentication.

If it's done right, it should be ok. The problem is, many people either don't know enough or don't care enough to secure it properly. Simply exposing emhttp to passthrough with reverse proxy is not OK.

 

A VPN is hard to get wrong.

Link to comment
54 minutes ago, jonathanm said:

If it's done right, it should be ok. The problem is, many people either don't know enough or don't care enough to secure it properly. Simply exposing emhttp to passthrough with reverse proxy is not OK.

 

A VPN is hard to get wrong.

 

Agreed.  No way would I consider this, and I can secure nginx pretty well, but the stakes are too high imho.

Link to comment
5 hours ago, jonathanm said:

Simply exposing emhttp to passthrough with reverse proxy is not OK.

 

This I definitely agree with.

 

4 hours ago, CHBMB said:

No way would I consider this, and I can secure nginx pretty well, but the stakes are too high imho.

 

This surprises me a bit. Not sure if you're over-paranoid or I'm missing out on something big :)

Link to comment
9 minutes ago, ljm42 said:

This surprises me a bit. Not sure if you're over-paranoid or I'm missing out on something big

The big issue is that emhttp is AFAIK closed source and not easily analyzed for vulnerabilities. MANY issues have come up over the years and been fixed, who knows how many more are yet to be discovered. Given the level of control you have over the server with access to emhttp, I'd rather not risk exposing it, even through a secured proxy. Paranoid? Yep.

 

Since there are good alternatives easily implemented, why risk it?

Link to comment
22 minutes ago, jonathanm said:

The big issue is that emhttp is AFAIK closed source and not easily analyzed for vulnerabilities. MANY issues have come up over the years and been fixed, who knows how many more are yet to be discovered.

 

I'm having trouble seeing why that matters... unraid could have a great big "delete all" button and as long as nginx prevents the internet from accessing it, you'd be perfectly safe. 

 

Now if there was a misconfiguration or some sort of zero-day bug in nginx that allowed unauthorized people to access the site... that would definitely be a problem. But the same could be said for VPN.

 

25 minutes ago, jonathanm said:

Since there are good alternatives easily implemented, why risk it?

 

Because it is far easier to access an https site than it is to start a VPN client :) The main benefit of VPN is that you can also access smb, which we can all agree should never be exposed to the internet.

 

Link to comment
21 hours ago, ljm42 said:

Yes it is possible. Some ideas here:  

I haven't seen any specific objections to this, as long as you use SSL and let nginx (with fail2ban) handle the authentication.

 

 

Thanks, this works exactly as I needed. Like mentioned above, easy administration is far more valuable to me than the security of a VPN... fail2ban is plenty of security for my needs.

 

thanks!

 

Link to comment
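Added example, not part of any post in this thread: a sketch of the setup the replies describe, with nginx terminating SSL and handling authentication before anything reaches emhttp. The log line in the question shows the POST to /webGui/include/Notify.php going to fastcgi://127.0.0.1:9000, which is consistent with only /Dashboard being proxied, so this version proxies the whole site. The certificate paths, htpasswd path and log path are placeholder assumptions; the hostname and upstream address are the ones quoted in the question.

```nginx
# Added example, not configuration from the thread.
# All file paths below are placeholders (assumptions).

server {
    listen 80;
    server_name myhostname.com;
    # No plain-HTTP access to the web UI: redirect everything to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name myhostname.com;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;     # placeholder

    # Failed logins are written to the error log. This is the file a
    # fail2ban jail for nginx basic auth would be pointed at.
    error_log /var/log/nginx/error.log;                 # placeholder

    # Authenticate at the proxy. Set at server level so that every
    # location inherits it and no path is passed through unauthenticated.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;          # placeholder

    # Proxy every path, not just /Dashboard. With only /Dashboard
    # proxied, requests such as /webGui/include/Notify.php are handled
    # by the proxy host itself instead of being forwarded.
    location / {
        proxy_pass http://192.168.1.100;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header X-Frame-Options SAMEORIGIN;
    }
}
```

After editing, `nginx -t` checks the syntax before a reload.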