August 28, 20178 yr Hi, just would like to ask if i understand this correctly, as soon as i setup an docker with an sep IP adress its not able to communicate with other dockers or the host anymore ? example (unraid is 192.168.1.2) apache (mainly as reverse proxy for) plex tvheadend guacamole unraid webgui ... as soon as i put apache for example on an sep IP (192.168.1.12) i would have to put all on sep IP adresses so they can communicate with each other ? one thing i would loose for sure then would be to have unraid webgui behind my reverse proxy cause there seems to be no way to reach the host anymore ? the rest could be solved by putting them all on sep ip adresses (in the same netmask 192.168.1.x). thanks ahead for an info if i see this correctly ? Edited August 28, 20178 yr by alturismo
August 28, 20178 yr Don't put Unraid on a reverse proxy. It's a big security risk. Unraid webui if you need to access it from outside your LAN should be via a VPNSent from my LG-H815 using Tapatalk
August 28, 20178 yr Author i know but its nice and from work i can only use port 80 and 443 ... so i use apache reverse ... makes live alot easier, and it is listening on its own domain name only ... but i am right ? no way to bypass docker restriction when assigned to a sep ip ?
August 28, 20178 yr Let me repeat that: 5 hours ago, CHBMB said: Don't put Unraid on a reverse proxy. It's a big security risk. Unraid webui if you need to access it from outside your LAN should be via a VPN That said, if you don't have VLAN support, you'll need a second NIC. the underlying technology used by Dockers is macvlan with explicitly prohibits access to the host on the same NIC. There might be workarounds if your router supports either VLANs or multiple subnets in the same LAN.
August 28, 20178 yr 2 hours ago, alturismo said: i know but its nice and from work i can only use port 80 and 443 ... so i use apache reverse ... makes live alot easier, and it is listening on its own domain name only ... but i am right ? no way to bypass docker restriction when assigned to a sep ip ? It doesn't matter what domain name it's listening on. Use a VPN client on your mobile phone or something, but this really isn't a great idea at all.
August 28, 20178 yr 10 hours ago, CHBMB said: Don't put Unraid on a reverse proxy. It's a big security risk. I'm sorry to push you on this, but I'm still looking for a reason not to trust that nginx is capable of securely reverse proxying a website. We talked about it for a bit here: https://forums.lime-technology.com/topic/57730-emhttp-webui-reverse-proxy-in-nginx/ but I don't see anything that would justify a "don't do this. ever." type of response. If you let nginx handle the authentication like this: https://forums.lime-technology.com/topic/42003-requestdone-lets-encrypt-container/?page=7#comment-461739 then fail2ban will help handle the hack attempts. Of course, you still need a rock-solid nginx password and/or client certs, but VPN would have the same caveat. The biggest risk to me is with zero-day attacks against nginx. In that case, the less it is reverse proxying the better. But then you should also be worried about zero-day attacks on openvpn, which would open access to your entire network. I suppose another issue could be that the ease of use of a reverse proxy might make you complacent. You should still only access it from a computer that you trust. For instance, if you login from a computer with a keylogger installed, then the bad guys would get your password and be able to login as well. 12 hours ago, alturismo said: just would like to ask if i understand this correctly, as soon as i setup an docker with an sep IP adress its not able to communicate with other dockers or the host anymore ? This was a huge disappointment for me too. When I upgrade my main system to 6.4 I plan to run LetsEncrypt on the main IP on port 443. Then I will either run the WebUI without https (so port 80) or on a custom https port, either way there will be no conflict with the port used by LetsEncrypt. In other words, I don't plan to use the new feature that lets you put a docker on its own IP. 5 hours ago, ken-ji said: That said, if you don't have VLAN support, you'll need a second NIC. Would you be willing to do a little write-up on how to solve this with two NICs?
August 28, 20178 yr I think for me the distinction is in what access would give someone. I'm a fan of reverse proxying things, don't get me wrong, but if there is a zero day exploit in nginx, then I can live with someone getting access to my ebook library. But access to my Unraid server, root access at that, is just too big a risk to take. I also think you got to ask who is planning to do so, you're clearly well versed in nginx and config and more than capable of firstly understanding and analysing the risks and secondly responding to the dynamic configuration of the nginx web server as those risks change. I'm willing to bet that most people who are asking how to proxy the Unraid server, are not, if they were, they wouldn't be asking, they'd just get on and do it, instead it will be set up, and left, I don't think any good can come from that situation, yes OpenVPN may be exploited by a zero day as well, but you have that extra layer of security with client keys that most nginx configs don't provide. It's easier to just say "Don't do it" than to say, well it can be done, but these are the issues you need to be aware of....... I think the approach is the right one for most people.....
August 28, 20178 yr 12 hours ago, alturismo said: as soon as i setup an docker with an sep IP adress its not able to communicate with other dockers or the host anymore ? Docker has built-in security which prevents a macvlan network to communicate directly with the host IP address. Any other containers configured with a host or bridge network are bound to that same host IP address and hence become unreachable. Most containers however don't need to communicate with each other, they operate in a standalone fashion. If you do need one or more containers to communicate directly then assign each of them with a custom (macvlan) network, each container will get a unique address within the same subnet as assigned to your host, e.g. 192.168.1.xx. IP addresses can be assigned statically or dynamically. I have all of my containers running on a custom network, except unifi which is configured as host network. I need plexpy (10.0.1.82) to talk to plex (10.0.1.81), which is no problem (make sure plexpy is configured properly). Edited August 28, 20178 yr by bonienl
August 28, 20178 yr Author 18 minutes ago, bonienl said: Docker has built-in security which prevents a macvlan network to communicate directly with the host IP address. Any other containers configured with a host or bridge network are bound to that same host IP address and hence become unreachable. Most containers however don't need to communicate with each other, they operate in a standalone fashion. If you do need one or more containers to communicate directly then assign each of them with a custom (macvlan) network, each container will get a unique address within the same subnet as assigned to your host, e.g. 192.168.1.xx. IP addresses can be assigned statically or dynamically. ok, thats how i testwise had it setup ... then i have to decide what todo with unraid web access port 80 as direct access ... then i really would prefer reverse proxy with own domain like now , but nevermind, thats then my decission, just would be unsafer then now. May i ask why reverse proxy should be so unsecure ? when i use a own domain for each site, example, server.mydomain.com to access only the server GUI, then media.mydomain.com to access plex for example, still both needs its own user / pass also to access them anyway ... i guess more secure then just use http://ip and bruteforce my server ... may i missunderstand something but like this reverse proxy is personally more safe then open ports to direct access cause 1st u need the right domain ... to even come to the login page. im not talking about pro hacking, but im no company or so ... so the effort for hacking my pc would be ... and VPN, if someone hacking my openVPN it would be worse cause then my full network would be open ... but that should be more secure anyway due needed certs. i use openVPN already for proxying my traffic if im outside in holidays to route my traffic for streaming prime or netflix thanks bonienl again for the final words, so there is and will be no way to use both together, thanks. Edited August 28, 20178 yr by alturismo
August 28, 20178 yr With Unraid webui access they can install plugins, get root terminal access, that's pretty much access to your LAN.
August 28, 20178 yr Author With Unraid webui access they can install plugins, get root terminal access, that's pretty much access to your LAN.Definately true ... Some Points to think about here ... Thanks for pointingGesendet von meinem SM-G950F mit Tapatalk
August 28, 20178 yr 3 hours ago, ljm42 said: Would you be willing to do a little write-up on how to solve this with two NICs? I've updated the details in this post
Archived
This topic is now archived and is closed to further replies.